Series: HHS Cloud Infrastructure as a Service Security Audits

Series Number: W-00-24-42041

OBJECTIVE

Federal agencies are increasingly adopting cloud computing services to address information technology needs. During FY 2020, HHS reported that more than 21 percent of its systems were in the cloud. In view of the increase in cloud adoption across HHS, we are concerned that HHS may not be aware of all cybersecurity risks associated with its Infrastructure as a Service (IaaS) cloud environments. The Federal Risk and Authorization Management Program and National Institute of Standards and Technology requirements establish that agencies protect any Federal information that is collected, maintained, and processed by cloud service platforms. We will perform a series of audits to assess the security of the HHS OpDivs' cloud IaaS configurations and test whether attack vectors exist that adversaries could leverage to access HHS data. We will determine whether HHS OpDivs have properly identified and inventoried their IaaS cloud assets. In addition, we will determine whether HHS and OpDivs have implemented effective cybersecurity controls for their cloud IaaS environments in accordance with Federal and HHS security requirements and guidelines.

There are 3 projects in this series.

ACTIVE PROJECTS IN THIS SERIES (1)

COMPLETED PROJECTS IN THIS SERIES (2)

HHS OS Cloud Cybersecurity Audit

ACF Cloud Cybersecurity Audit

TIMELINE

  • October 18, 2021
    Series Number W-00-24-42041 Assigned
  • October 18, 2021
    Project Announced

    HHS OS Cloud Cybersecurity Audit - A-18-22-08018

  • January 31, 2022
    Project Announced

    ACF Cloud Cybersecurity Audit - A-18-22-08020

  • June 5, 2023
    Project Announced

    Project A-18-23-07004

  • March 28, 2024
    Project Complete - A-18-22-08020

    ACF Cloud Cybersecurity Audit has been marked as complete. This audit resulted in 5 recommendations.

  • July 17, 2024
    Project Complete - A-18-22-08018

    HHS OS Cloud Cybersecurity Audit has been marked as complete. This audit resulted in 4 recommendations.

  • Today
    1 Audit In-Progress
  • Est FY2026
    Estimated Fiscal Year for Series Completion

2 REPORTS PUBLISHED

24-A-18-088.01 to OS - Open Unimplemented
Update expected on 02/06/2026
We recommend that the HHS Office of the Secretary develop a procedure to ensure cloud system inventories are accurate and completed in accordance with HHS security requirements.

24-A-18-088.02 to OS - Closed Implemented
Closed on 10/01/2024
We recommend that the HHS Office of the Secretary remediate the 12 control findings in accordance with NIST SP 800-53.

24-A-18-088.03 to OS - Open Unimplemented
Update expected on 09/07/2025
We recommend that the HHS Office of the Secretary implement a strategy that includes leveraging cloud security assessment tools that identify misconfigurations and other control weaknesses in its cloud services, and remediate weak controls in a timely manner.

24-A-18-088.04 to OS - Open Unimplemented
Update expected on 08/26/2025
We recommend that the HHS Office of the Secretary develop and implement a policy and process to ensure qualified staff are assigned as System Security Officers for its cloud systems.

24-A-18-057.01 to ACF - Open Unimplemented
Update expected on 11/09/2025
We recommend ACF update and maintain a complete and accurate inventory of information systems hosted in the cloud.

24-A-18-057.02 to ACF - Open Unimplemented
Update expected on 11/09/2025
We recommend ACF remediate the 19 security control findings in accordance with NIST SP 800-53.

24-A-18-057.03 to ACF - Open Unimplemented
Update expected on 11/09/2025
We recommend ACF update its cloud security procedures to include detailed steps for operational staff to effectively implement cloud security baselines in accordance with HHS requirements.

24-A-18-057.04 to ACF - Closed Implemented
Closed on 05/09/2025
We recommend ACF leverage cloud security assessment tools to identify misconfigurations and weak cybersecurity controls in its cloud infrastructure.

24-A-18-057.05 to ACF - Closed Implemented
Closed on 05/09/2025
We recommend ACF conduct testing of its cloud information systems that includes the emulation of an adversary's tactics and techniques on a defined reoccurring basis.
