Recommendations Tracker
HHS-OIG provides independent and objective oversight that promotes economy, efficiency, and effectiveness in HHS programs and operations. To drive this positive change, we produce reports and identify recommendations for improvement. We have developed this public-facing page for tracking all of our open recommendations.
Use the “Top Unimplemented” View below to read OIG’s Top Unimplemented Recommendations—a subset that we think, if implemented, would have the most impact. Notable differences from our previous Top Unimplemented Recommendations report include:
- The list consists of individual recommendations from OIG reports, not rolled up by topic.
- No arbitrary cap is imposed on the number of recommendations included.
- Status is updated as recommendations are implemented.
Summary of All Recommendations
Updated Monthly · Last updated on May 15, 2025
- 1,185 unimplemented recommendations
- 2,961 implemented and closed recommendations since FY 2017
OIG Recommendations Grouped by Report
Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2020
21-A-18-076.01: We recommend that HHS: Communicate to all stakeholders the roles and shared responsibilities that must be implemented to meet the requirements for an "effective" level of security in the context of the maturity model, including whether such requirements are to be implemented through centralized, federated, or hybrid controls. This should also include the responsibilities of the OCIO, the OpDivs, and third-party stakeholders (including contractors).
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.02: Continue implementation of an automated CDM solution that provides a centralized, enterprise-wide view of risks across the organization.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.03: Develop oversight process and procedures to ensure comprehensive policies and procedures for managing the configurations of information systems are developed and tailored to the OpDivs environment.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.04: Formalize policies, procedures, and processes for ensuring that all personnel are assigned risk designations and appropriately screened prior to being granted access to OpDiv systems.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.05: Update the ISCM strategy to include a roadmap for complete deployment across all HHS OpDivs, and key performance indicators and benchmarks to facilitate the implementation of CDM toolsets across all OpDivs.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.06: Increase focus on monitoring the status of ATO expirations across all OpDivs and ensuring that ATOs are reauthorized prior to their expiration dates.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.07: Conduct an assessment of privileged IT staff to identify users with significant cybersecurity responsibilities and ensure they complete specialized role-based training.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.08: Develop a process to ensure information system contingency plans are developed, maintained, and integrated with other continuity requirements by information systems.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.09: We recommend that the HHS OCIO work with the OpDivs to develop a formal risk management strategy to establish, communicate, and implement its risk management controls, including for supply chain risk management. Additionally, within the Risk Management Strategy, the OpDiv should document procedures to ensure that all system owners have implemented processes and methodologies for categorizing risk, developing a risk profile, assessing risk, risk acceptance/tolerance levels, responding to risk, and monitoring risk.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Non-Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.10: Update their configuration change control policy to (1) more accurately define the types of changes that require a SIA to be performed, and (2) for all unplanned and major changes as defined, perform the SIA and retain the resulting documentation in accordance with the OpDiv document retention requirements.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.11: We recommend that the HHS OCIO work with the OpDivs to establish oversight procedures for contractor owned systems to ensure change control activities and record retention procedures are being implemented appropriately across all systems.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.12: Ensure that appropriate segregation of duties requirements is enforced for change control activities across all systems.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.13: We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs conduct periodic review and adjustment of privileged user accounts and permissions as required by OpDiv policy is being implemented consistently across all systems within the established time period. Additionally, the OpDiv should ensure that privileged user account activities are logged and periodically reviewed.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/23/2022
- Legislative Related: No
21-A-18-076.14: Perform appropriate system user onboarding procedures and that appropriate records retention policies and procedures are in place and operating effectively. Although contractor management is responsible for performing the control, OpDiv management should have an oversight procedure in place to ensure that all contract requirements are being performed.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.15: Implement oversight of contractor system procedures to ensure that periodic user access reviews are performed and that privileged user account activities are logged and periodically reviewed. In addition, management should implement a review process for the monitoring activities by the Computer Security Incident Response Center (CSIRC) and DCIO Ops over government-owned systems with the OpDiv portfolio.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No
21-A-18-076.16: We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete an update of the Security Training Policy to incorporate current federal standards including an assessment of the skills, knowledge, and abilities of its workforce to provide tailored awareness and specialized security training within the function areas of Identify, Protect, Detect, Respond, and Recover.
- Status: Closed Implemented
- Responsible Agency: OS
- Response: Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 11/23/2022
- Legislative Related: No
21-A-18-076.17: We recommend that the HHS OCIO work with its OpDivs to improve the incident evaluation process for determining whether an incident is major in accordance with the full OMB definition contained in the OMB FISMA guidance. This process should include a documented adjudication process that assesses the perceived or actual impact of the American people's public confidence in US Government systems, their civil liberties, or their public health and safety from the knowledge of the incident as noted in the OMB guidance.
- Status: Closed Unimplemented
- Responsible Agency: OS
- Response: Non-Concur
- Potential Savings: -
- Last Update Received: -
- Closed Date: 06/21/2022
- Legislative Related: No