Recommendations Tracker

HHS should commit to creating and implementing a Cybersecurity Maturity Migration Strategy to advance the cybersecurity program from its current maturity state to an effective state across HHS. This strategy should include the following. Perform a risk assessment and identify the optimal maturity level that achieves cost-effective security based on your missions and risks faced, risk appetite, and risk tolerance level. Identify gaps between the current state at each OPDIV and the criteria required to reach the optimal level across HHS' enterprise-wide cybersecurity program and develop security controls to implement effective security. Ensure the requirements for all metrics is Consistently Implemented or higher are achieved. Articulate roles and shared responsibilities needed to meet the requirements for effective maturity, including whether requirements are to be implemented through centralized, federated, or hybrid controls.

The Information Security and Privacy Policy (IS2P) is HHS' primary policy document governing cybersecurity which is pending a rewrite to address the upcoming requirements in NIST 800-53 revision 5. When this update occurs to the IS2P, HHS should specify required cybersecurity control maturity levels in addition to identifying the selection of NIST controls; describe HHS' Cybersecurity Shared Responsibility Model, including the key roles under centralized, federated and hybrid strategies for control implementation; include responsibilities of the OCIO, the OPDIVs, and third-party stakeholders (including contractors); and communicate that a Managed and Measurable or the optimal maturity level, based on HHS's risk assessment, be required to be deemed “Effective".

We recommend that the HHS OCIO work with the OPDIVs to ensure that the OPDIVs cybersecurity management create and implement a patch management strategy to ensure that patches are installed timely as required by HHS and Federal requirements.

We recommend that the HHS OCIO work with the OPDIVs to identify roles of stakeholders to ensure proper identification of responsibilities in a shared responsibility environment.

We recommend that the HHS OCIO work with the OPDIVs to implement the enterprise-wide configuration management plan, working with system owners to align system configuration management plans with the enterprise plan.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs create and implement a process to require privileged users to sign a privileged user rules of behavior agreement for all systems prior to provisioning privileged access to those systems.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all ODPIVs ensure implementation of strong authentication mechanisms for privileged and non-privileged users to all OPDIV systems using multifactor PIV credentials, NIST 800-63 Identity Assurance Level 3/Authenticator Assurance Level 3/Federated Assurance Level 3 credential or other strong authentication for non-privileged and privileged users.

We recommend that the HHS OCIO work with the OPDIVs to ensure that all PIAs are reviewed, approved and signed by the appropriate HHS personnel at a minimum within three (3) years of the last PIA approval date.

We recommend that the HHS OCIO work with the ODPIVs ensure that role-based training is obtained for all users with significant security responsibilities before granting access to the system and annually thereafter.

We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that ATOs are kept up to date without a lapse of authorization.

We recommend that the HHS OCIO work with the OPDIVs to ensure that they plan and execute resource staffing such that SCAs are kept up to date as needed to support the ATO process.

We recommend that the HHS OCIO work with the OPDIV to implement threat profiling techniques within the defined framework that helps management understand where the OPDIV's high-value assets are located, who could be interested in taking control of them, and what attack vectors and under which scenarios they would likely be used to exploit vulnerabilities to succeed in their pursuits.

We recommend that the HHS OCIO work with the OPDIVs to monitor and validate each OPDIV's implementation progress, which should include periodically sampling HHS systems to ensure the effectiveness of contingency plans, including adequate testing based on system categorization.