OMB Audit Confirms HHS Information Security Program is “Not Effective”

The Office of Management and Budget (OMB) has submitted its annual report to Congress on the state of cybersecurity in federal agencies, as required by the Federal Information Security Modernization Act of 2014 (FISMA).

For the report, OMB assessed 4 of the 12 operating divisions of the Department of Health and Human Services (HHS) to assess compliance with FISMA and determined the HHS security program was ‘not effective.’ The agency had not achieved a Managed and Measurable level of maturity for the Identify, Protect, Detect, Respond and Recover functional areas.

The HHS was determined to be managing risk in the ‘Detect’ functional area but was at risk in the other four functional areas.

The HHS has been working on improving its security posture and progress has been made, but there is still a long way to go. OMB found major weaknesses in multiple areas, including identity and access management, risk management, contingency planning, and incident response.

OMB notes that since the HHS is operating in a federated environment, there are many challenges in achieving a ‘Managed and Measurable’ maturity level across all operating divisions.

While vulnerabilities exist in multiple areas, OMB determined that the HHS was aware of opportunities to strengthen its security program and ensure that its policies and procedures are implemented at all operating divisions across all areas of its security program.

The HHS is also working closely with the Department of Homeland Security and is implementing a Department-wide Continuous Diagnostics and Mitigation (CDM) program to ensure its networks and systems are constantly monitored, and progress toward addressing and implementing its security strategies is documented and reports are sent to DHS.

OMB explained that in order to achieve a Managed and Measurable maturity level, the HHS must ensure its CDM program is fully implemented. For the HHS that is likely to present many challenges.

“HHS also needs to continue to build towards a working model where all the functional areas interact with each other in real-time and provide holistic and coordinated responses to security events,” wrote OMB. “This will help to strengthen all aspects of its information security program in order for HHS to achieve its mission through an effective and coordinated information security program.”

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.