HHS Information Security Program Rated Not Effective for FY24
A review of the U.S. Department of Health and Human Services (HHS) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) for Fiscal Year 2024 has found that the HHS information security program is not effective, the same conclusion reached in last year’s HHS Office of Inspector General (HHS-OIG) review.
The review assessed maturity levels across the five functions of the Cybersecurity Framework (Identify, Protect, Detect, Respond, and Recover), with maturity rated on a five-level scale: Level 1 (Ad hoc); Level 2 (Defined); Level 3 (Consistently Implemented); Level 4 (Managed and Measurable); and Level 5 (Optimized).
To receive an effective rating, the HHS must achieve Level 4 (Managed and Measurable) across all five functions of the Cybersecurity Framework. The HHS was assessed on core and supplemental metrics across 10 IG FISMA Domains but achieved the Managed and Measurable level in only two of them, Risk Management and Information Security Continuous Monitoring. The overall maturity rating for the core and supplemental metrics was Consistently Implemented (Level 3), hence the determination of Not Effective across the IG FISMA domains.
HHS-OIG made six recommendations to the HHS to strengthen its enterprise-wide cybersecurity program, including the recommendation to focus on the Identify, Protect, and Respond functions.
The six recommendations were:
- Update its enterprise architecture system inventory and software/hardware asset inventories to include the information systems and components that are active on the HHS network.
- Complete implementation of a cybersecurity risk management strategy to assess and respond to identified risks; watch for new risks; monitor risks and confirm implementation.
- Require OpDivs to incorporate analyses of security impacts of significant changes prior to implementation to measure its impacts on the organizations’ security and enterprise architecture and confirm implementation.
- Require OpDivs to implement an effective SCRM program that meets the defined standards across HHS and confirm implementation is consistent with established standards.
- Require OpDivs to establish oversight of background investigations performed for employees and contractors with logical access across the agency, and perform continuous monitoring for new and existing users.
- Confirm that OpDivs’ policies require monitoring of privileged user accounts for both logging and activity reviews, in an automated manner.
The HHS concurred with all but one of the recommendations: the complete implementation of a cybersecurity risk management strategy. The HHS did not concur because OpDiv Chief Information Officers (CIOs) are responsible for implementing their own cybersecurity risk management strategies.