HHS OIG Rated the HHS Information Security Program as ‘Not Effective’

The Department of Health and Human Services (HHS) Office of Inspector General (OIG) has published the results of its annual assessment of the HHS information security program and practices, conducted as required by the Federal Information Security Modernization Act of 2014 (FISMA). The assessment confirmed that the HHS information security program has not yet reached the level of maturity required to be rated effective.

The independent review was performed on behalf of the HHS OIG by Ernst & Young (EY) to determine compliance with the FISMA reporting metrics and to assess whether the overall HHS security program met the required information security standards.

HHS was evaluated against the Identify, Protect, Detect, Respond, and Recover functional areas of the Cybersecurity Framework across the FISMA domains: risk management, identity and access management, configuration management, data protection and privacy, information security continuous monitoring (ISCM), security training, contingency planning, and incident response.

There are five maturity levels for information security:

  • Level 1 (Ad hoc policies)
  • Level 2 (Defined)
  • Level 3 (Consistently Implemented)
  • Level 4 (Managed and Measurable)
  • Level 5 (Optimized policies)

An information security program must reach Level 4 to be rated effective.

As of September 30, 2020, HHS had improved on the prior audit and had made a number of changes to strengthen the maturity of its enterprise-wide cybersecurity program. Improvements were noted across all FISMA domains, including greater maturity in data protection and privacy and in information security continuous monitoring.

Nevertheless, HHS was rated “not effective” because it did not achieve Level 4 maturity in at least one of the five functional areas: Identify, Protect, Detect, Respond, and Recover. The review found weaknesses in the Identify, Protect, and Respond functional areas, and for some FISMA metric questions the maturity level was below Consistently Implemented, both at the HHS enterprise level and at selected operating divisions (OpDivs) for Contingency Planning.

HHS was rated Defined (Level 2) on 17 FISMA metrics and Consistently Implemented (Level 3) on 42 FISMA metrics, but it did not reach Managed and Measurable (Level 4) on any of the IG FISMA metrics. None of the FISMA metric ratings changed from the FY19 audit, although the review found progress on several individual IG FISMA metrics, such as the consistent implementation of data exfiltration systems, ongoing Authorization to Operate (ATO) monitoring, and configuration management controls. Progress stalled in other areas because information security continuous monitoring across the HHS operating divisions was insufficient, and that monitoring is needed to provide reliable data for risk management decisions.

Several recommendations were made to strengthen the HHS enterprise-wide cybersecurity program. HHS concurred with 11 of the 13 recommendations.