Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive this positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations.
Use the “Top Unimplemented” View below to read OIG’s Top Unimplemented Recommendations—a subset that we think, if implemented, would have the most impact. Notable differences from our previous Top Unimplemented Recommendations report include:
- The list consists of individual recommendations from OIG reports, not rolled up by topic.
- No arbitrary cap is imposed on the number of recommendations included.
- Status updates as recommendations are implemented.
Summary of All Recommendations
Updated Monthly · Last updated on November 15, 2024
- 1,306 Unimplemented recommendations
- 2,698 Implemented and Closed recommendations since FY 2017
OIG Recommendations Grouped by Report
Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2023
24-A-18-086.01: Refine their enterprise architecture system inventory and software/hardware asset inventories to ensure the inclusion of the information systems and components active on the HHS network. HHS should utilize these inventories to monitor assets continuously and identify and remediate vulnerabilities timely to better manage the risks to these assets.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.02: We recommend that HHS require OpDivs to implement a cybersecurity risk management strategy to assess and respond to identified risks within the agency, watch for new risks, and monitor risks and confirm implementation. The strategy should define a standardized process to accept and monitor risks that cannot be adequately mitigated.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.03: We recommend that HHS confirm that all organization-wide and system-level risk assessments have been completed in an accurate and timely manner and include data points such as the threat vectors, likelihood, and tolerance level. This will help with the ability to address risks at the organization consistently and promptly.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.04: We recommend that HHS require OpDivs to implement an effective SCRM program that meets the defined standards across HHS and confirm implementation is consistent with established standards. HHS should ensure that all OpDivs are appropriately assessing vendors and submitting data points to assist with tracking and monitoring components on the network.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.05: We recommend that HHS require OpDivs to assess and inventory privileged user accounts across the agency by an established due date and confirm completion. HHS should confirm that OpDivs policies are defined to require privileged user account monitoring in both logging and activity reviews, preferably at an automated level.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.06: We recommend that the HHS OCIO monitor and confirm that the OpDivs conduct an annual review of the System Security & Privacy Plan and annually perform risk assessments for all operational systems, according to organizational policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.07: We recommend that the HHS OCIO monitor and confirm that the OpDivs appropriately track software license information and maintain an accessible, up-to-date inventory for all their software licenses.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.08: We recommend that the HHS OCIO monitor and confirm that the OpDivs perform the SAR and ATO in accordance with the organization's policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.09: We recommend that the HHS OCIO monitor and confirm that the OpDivs' use of automated solutions to provide a portfolio view of cybersecurity risk at the organization is consistently implemented in accordance with NIST standards.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.10: We recommend that the HHS OCIO confirm OpDivs define and implement an OpDiv-level supply chain risk management strategy based on HHS departmental policy and NIST standards.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.11: We recommend that the HHS OCIO ensure that OpDivs' vulnerabilities are tracked and remediated in a timely manner and create POA&Ms for any vulnerabilities in accordance with the organization's policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.12: We recommend that the HHS OCIO ensure that all OpDivs' baseline configurations are documented and tracked for each system in the OpDiv.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.13: We recommend that the HHS OCIO ensure that all OpDivs' TIC 3.0 program use cases are reviewed for relevance and that capabilities new to the latest revision of the TIC guidance are consistently implemented in accordance with HHS Policy for the Implementation of TIC and OMB M-19-26.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.14: We recommend that the HHS OCIO ensure that all OpDivs acquire the resources to fully implement MFA or an alternative strong authentication and implement multi-factor authentication or an alternative strong authentication for both privileged and non-privileged users on all operational systems.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.15: We recommend that the HHS OCIO ensure that all OpDivs provision, manage, and review privileged user accounts for operational systems.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.16: We recommend that the HHS OCIO ensure that all OpDivs are properly implementing remote session timeouts of 30 minutes (or less) for operating systems.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.17: We recommend that the HHS OCIO ensure that all OpDivs consistently implement access policies and procedures in accordance with the organization's Risk Management Safeguards policy across the organization.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.18: We recommend that the HHS OCIO ensure that all OpDivs' operational systems have an approved and up-to-date PIA in accordance with the HHS Policy of Privacy Impact Assessment.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.19: We recommend that the HHS OCIO ensure that all OpDivs implement data encryption methods to protect data determined to be PII or sensitive by the systems and enhanced network defenses in accordance with NIST standards.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.20: We recommend that the HHS OCIO require and confirm that all OpDivs have a process in place to evaluate their workforce gaps. Furthermore, confirm that all OpDivs are implementing a compliant security training strategy as defined by overarching HHS policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.21: We recommend that the HHS OCIO ensure that all OpDivs are inheriting and consistently implementing policies and procedures defined by HHS department-level policy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.22: We recommend that the HHS OCIO continuously monitor to ensure that all OpDivs inherit and consistently implement policies or procedures to govern their incident response strategy.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.23: We recommend that the HHS OCIO continuously monitor to ensure that all OpDivs define a common threat vector taxonomy for classifying incidents and their processes for detecting, analyzing, and prioritizing incidents in accordance with NIST standards, US-CERT Federal Incident Notification Guidelines, and OMB guidance across the organization.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.24: We recommend that the HHS OCIO work with the OpDivs to require and confirm that all OpDivs' operational systems have a complete and up-to-date BIA.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.25: We recommend that the HHS OCIO work with the OpDivs to require and confirm that all OpDivs' operational systems conduct Contingency Plan testing and exercises as required by their risk rating. Any testing and exercises conducted should be followed with after-action reports as necessary.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Not Yet Due
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No
24-A-18-086.26: We recommend that the HHS OCIO work with the OpDivs to confirm that all OpDivs' policies and procedures covering Contingency Plan testing are in accordance with the requirements of Departmental policy, NIST standards, and OMB guidance.
- Status: Open Unimplemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Next Update Expected: 12/25/2024
- Legislative Related: No