HHS Information Security Program ‘Not Effective’ According to Audit

The Department of Health and Human Services performed an audit for the HHS’ Office of Inspector General (OIG) to evaluate adherence to the Federal Information Security Modernization Act of 2014 (FISMA) for the 2021 fiscal year. The agency’s security program was rated ‘not effective’, as it was in fiscal years 2018, 2019, and 2020. Five of the HHS’ 12 operating divisions were audited, though OIG did not say which five were selected.

To be given an effective rating, the HHS needs to reach the ‘Managed and Measurable’ maturity level for the function areas of Identify, Protect, Detect, Respond, and Recover. This is required by the FY 2021 Inspector General FISMA Reporting Metrics and DHS guidance.

The OIG report states that the HHS is still making adjustments to raise the maturity of its enterprise-wide cybersecurity program and that it is working towards more sustainable cybersecurity in all FISMA domains.

The HHS security program strengthened the maturity of controls for a number of FISMA metrics, but there was no progress in certain areas because Information Security Continuous Monitoring (ISCM) efforts have not been fully implemented across its operating divisions. This matters because reliable information and metrics are needed to make sound risk management decisions.

The HHS has partially implemented its Continuous Diagnostics and Mitigation (CDM) approach, which has improved visibility into certain assets, and awareness of vulnerabilities and threat data has improved through the use of RSA Archer and Splunk. Progress has been made towards a complete department-wide CDM program that would ensure continuous monitoring of HHS networks and systems, accurately report the status of operating divisions, and move the department towards managing and enforcing methods that address risk, prioritize concerns using tested risk criteria, and enhance its cybersecurity response functions.

The HHS has improved its implementation of CDM tools and procedures but has no specific timetable for fully implementing the CDM program across all operating divisions. Until the HHS fully follows its CDM approach, it cannot identify cybersecurity risks on a continuous basis, prioritize efforts to deal with risks according to their probable impact, or mitigate the most serious vulnerabilities first.

OIG made a number of recommendations for enhancing the maturity of the HHS information security program. The HHS should continue implementing an automated CDM solution to provide centralized, enterprise-wide oversight of risks across HHS. The ISCM strategy should be updated to provide a more accurate roadmap, with specific target dates for ISCM deployment across the HHS operating divisions. An enterprise risk assessment of identified control weaknesses should be performed and an appropriate risk response documented, and the HHS should create a process to track information system contingency plans to ensure they are created, maintained, and integrated with other continuity requirements for IT systems.

The HHS agreed with all the recommendations of OIG.