Series: Review of HHS's Compliance with the Federal Information Security Modernization Act of 2014 (FISMA)

Series Number: SRS-A-25-009

OBJECTIVE

The Federal Information Security Modernization Act of 2014 (FISMA) and OMB Circular A-130, "Managing Information as a Strategic Resource," require that agencies and their contractors maintain programs that provide adequate security for all information collected, processed, transmitted, stored, and/or disseminated in general support systems and major applications. FISMA requires each agency's inspector general to conduct an annual, independent evaluation to determine the effectiveness of the information security program and practices of an agency. We will review HHS's and selected HHS operating divisions' compliance with FISMA. The purpose of this audit is to determine whether HHS's overall information technology security program and practices were effective as they relate to Federal information security requirements.

There are 2 projects in this series.

ACTIVE PROJECTS IN THIS SERIES (1)

COMPLETED PROJECTS IN THIS SERIES (1)

Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024

TIMELINE

  • February 1, 2024
    Series Number SRS-A-25-009 Assigned
  • February 1, 2024
    Project Announced

    Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 - A-18-24-11200

  • November 15, 2024
    Project Complete - A-18-24-11200

    Review of the Department of Health and Human Services’ Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2024 has been marked as complete. This audit resulted in 6 recommendations.

  • January 7, 2025
    Project Announced

    Project OAS-25-18-041

  • Today
    1 Audit In-Progress
  • Est FY2026
    Estimated Fiscal Year for Series Completion

1 REPORT PUBLISHED

25-A-18-014.01 to OS - Open Unimplemented
Update expected on 11/27/2025
We recommend that HHS update its enterprise architecture system inventory and software/hardware asset inventories to include the information systems and components that are active on the HHS network. HHS should utilize the inventories to continuously monitor assets and identify and remediate vulnerabilities timely to better manage the risks to these assets.
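The security point behind this recommendation is that an asset the inventory does not know about has no owner, no monitoring and no remediation clock, so the first step is reconciling the inventory of record against what is actually observed on the network. The script below is an added example written for this page, not code from HHS, OIG or the audited systems: it takes a constructed inventory, a constructed list of hosts seen active on the network, and constructed vulnerability findings, reports assets active but uninventoried (and the reverse), and lists findings that have aged past a remediation SLA. The record layout, the check identifiers (`CHK-001` and so on) and the SLA values are assumptions for illustration only.

```python
"""Reconcile an enterprise asset inventory against hosts observed active on the
network, then flag vulnerability findings that are past their remediation SLA.

All inventory records, observed hosts and findings below are constructed sample
data; the record layout and the SLA values are assumptions, not HHS policy.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Asset:
    ip: str
    hostname: str
    owner: str  # OpDiv or system owner of record


@dataclass(frozen=True)
class Finding:
    ip: str
    check_id: str    # scanner check identifier (hypothetical)
    severity: str    # "critical", "high", "medium" or "low"
    first_seen: date


# Constructed sample inventory: what the enterprise architecture says exists.
INVENTORY = [
    Asset("10.1.1.10", "ehr-db-01", "OpDiv-A"),
    Asset("10.1.1.11", "ehr-app-01", "OpDiv-A"),
    Asset("10.1.2.20", "grants-web-01", "OpDiv-B"),
    Asset("10.1.2.21", "grants-web-02", "OpDiv-B"),  # decommissioned, never removed
]

# Constructed sample of hosts observed active on the network (e.g. from a
# discovery scan, DHCP leases or switch ARP tables; the format is an assumption).
OBSERVED = {
    "10.1.1.10": "ehr-db-01",
    "10.1.1.11": "ehr-app-01",
    "10.1.2.20": "grants-web-01",
    "10.1.3.30": "lab-nas-07",   # active but absent from the inventory
    "10.1.3.31": "",             # responds, no hostname: unknown device
}

# Constructed sample findings; first_seen drives SLA aging.
FINDINGS = [
    Finding("10.1.1.10", "CHK-001", "critical", date(2025, 9, 1)),
    Finding("10.1.2.20", "CHK-002", "high", date(2025, 10, 25)),
    Finding("10.1.3.30", "CHK-003", "critical", date(2025, 8, 15)),
]

# Assumed remediation SLAs in days per severity (illustrative only).
SLA_DAYS = {"critical": 15, "high": 30, "medium": 90, "low": 180}

# Date the report is run for; fixed so the example is reproducible.
AS_OF = date(2025, 11, 15)


def reconcile(inventory, observed):
    """Return (shadow, stale): IPs active but not inventoried, and
    inventoried IPs not observed on the network, each sorted."""
    inventoried = {a.ip for a in inventory}
    active = set(observed)
    return sorted(active - inventoried), sorted(inventoried - active)


def overdue_findings(findings, inventory, today, sla_days=SLA_DAYS):
    """Return findings older than their severity SLA as tuples of
    (ip, check_id, severity, age_days, owner). Hosts missing from the
    inventory are tagged 'UNOWNED': nobody is accountable for fixing them."""
    owners = {a.ip: a.owner for a in inventory}
    out = []
    for f in findings:
        age = (today - f.first_seen).days
        if age > sla_days[f.severity]:
            out.append((f.ip, f.check_id, f.severity, age, owners.get(f.ip, "UNOWNED")))
    return out


if __name__ == "__main__":
    shadow, stale = reconcile(INVENTORY, OBSERVED)
    print("active but not in inventory:", shadow)
    print("in inventory but not observed:", stale)
    for row in overdue_findings(FINDINGS, INVENTORY, AS_OF):
        print("overdue:", row)
```

In practice the observed-host set would come from a discovery scanner, DHCP or network access control, and the findings from the vulnerability scanner; the reconciliation output is what feeds the continuous-monitoring process the recommendation asks for, with the "UNOWNED" rows being the ones that need an owner assigned before anyone can remediate them.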

25-A-18-014.02 to OS - Closed Implemented
Closed on 05/27/2025
We recommend that HHS complete implementation of a cybersecurity risk management strategy to assess and respond to identified risks within the agency and identified across OpDivs, watch for new risks, and monitor risks and confirm implementation. The strategy should define a standardized process to accept and monitor risks that cannot be adequately mitigated.

25-A-18-014.03 to OS - Open Unimplemented
Update expected on 11/27/2025
We recommend that HHS require OpDivs to incorporate analyses of the security impacts of significant changes, prior to implementation, to measure their impact on the organizations' security and enterprise architecture, and that HHS confirm implementation.

25-A-18-014.04 to OS - Open Unimplemented
Update expected on 11/27/2025
We recommend that HHS require OpDivs to implement an effective supply chain risk management (SCRM) program that meets the standards defined across HHS, and that HHS confirm implementation is consistent with the established standard. This should include requiring OpDivs to assess vendors and submit the resulting monitoring results to HHS to assist with tracking and monitoring components on the network.

25-A-18-014.05 to OS - Open Unimplemented
Update expected on 11/27/2025
We recommend that HHS require OpDivs to establish oversight of background investigations performed for employees and contractors with logical access across the agency and perform continuous monitoring for new and existing users to ensure OpDivs are aware of the investigation status of their users.

25-A-18-014.06 to OS - Closed Implemented
Closed on 06/17/2025
We recommend that HHS confirm that OpDivs' policies require monitoring of privileged user accounts for both logging and activity reviews, in an automated manner.
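The recommendation asks for two things: that privileged accounts are logged at all, and that their activity is reviewed automatically rather than by a periodic manual read. The script below is an added example written for this page, not code from HHS, OIG or any audited system. It runs a small automated review over constructed syslog-style sshd and sudo lines: it counts events per privileged account, flags privileged logins from sources outside an approved jump host, password (rather than key) logins to privileged accounts, and escalation to a privileged identity by an account not on the privileged list, and it reports privileged accounts with no logged activity at all, which is the logging-coverage gap. The account list, the approved source address and the log format are assumptions for the example.

```python
"""Automated activity review of privileged accounts over authentication logs.

The log lines, the privileged-account list and the approved source list are
constructed sample data; the simplified syslog/sshd/sudo format and the review
rules are assumptions for this example.
"""
import re
from collections import defaultdict

# Constructed: accounts the organization designates as privileged.
PRIVILEGED = {"root", "dbadmin", "backup_svc"}

# Constructed: hosts from which interactive privileged logins are expected
# (e.g. a bastion or PAM jump host). Assumption for the example.
APPROVED_SOURCES = {"10.0.0.5"}

# Constructed sample log lines in a simplified syslog/sshd/sudo style.
LOG_LINES = """\
Nov 14 02:11:03 ehr-db-01 sshd[2201]: Accepted publickey for dbadmin from 10.0.0.5 port 50112 ssh2
Nov 14 02:11:40 ehr-db-01 sudo: dbadmin : TTY=pts/0 ; PWD=/home/dbadmin ; USER=root ; COMMAND=/usr/bin/systemctl restart postgresql
Nov 14 03:05:17 ehr-app-01 sshd[3310]: Accepted password for root from 192.0.2.77 port 41002 ssh2
Nov 14 03:06:02 ehr-app-01 sudo: jsmith : TTY=pts/1 ; PWD=/home/jsmith ; USER=root ; COMMAND=/usr/bin/cat /etc/shadow
Nov 14 09:30:00 grants-web-01 sshd[910]: Accepted publickey for jsmith from 10.0.0.5 port 50230 ssh2
""".splitlines()

# "<Mon> <day> <time> <host> sshd[<pid>]: Accepted <method> for <user> from <src> ..."
LOGIN_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<src>\S+)"
)
# "<Mon> <day> <time> <host> sudo: <user> : ... USER=<target> ; COMMAND=<cmd>"
SUDO_RE = re.compile(
    r"^\S+ \d+ \S+ (?P<host>\S+) sudo: (?P<user>\S+) : .*USER=(?P<target>\S+) ; "
    r"COMMAND=(?P<cmd>.+)$"
)


def review(lines, privileged=PRIVILEGED, approved=APPROVED_SOURCES):
    """Return {"counts": {account: events}, "flags": [(rule, user, host, detail)],
    "no_logged_activity": [privileged accounts with zero events]}."""
    counts = defaultdict(int)
    flags = []
    for line in lines:
        m = LOGIN_RE.match(line)
        if m:
            user, src, method = m["user"], m["src"], m["method"]
            if user in privileged:
                counts[user] += 1
                if src not in approved:
                    flags.append(("login_from_unapproved_source", user, m["host"], src))
                if method == "password":
                    flags.append(("password_login_privileged", user, m["host"], src))
            continue
        m = SUDO_RE.match(line)
        if m:
            user, target = m["user"], m["target"]
            counts[user] += 1
            if target in privileged and user not in privileged:
                # Escalation to a privileged identity by an account not designated privileged.
                flags.append(("unlisted_account_escalated", user, m["host"], m["cmd"]))
    # A privileged account with no events in the review window is either unused
    # (candidate for disabling) or not being logged; both need a human decision.
    silent = sorted(a for a in privileged if counts.get(a, 0) == 0)
    return {"counts": dict(counts), "flags": flags, "no_logged_activity": silent}


if __name__ == "__main__":
    result = review(LOG_LINES)
    for k, v in result.items():
        print(k, v)
```

The rules are deliberately simple; the point is that each run produces a reviewable artifact (counts, flagged events, silent accounts) that can be retained as evidence that the review happened, which is what an automated review has to provide that a manual one usually does not.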
