An OIG audit of the HHS security program found it was "not effective", as it failed to meet the managed and measurable maturity level for all five FISMA reporting metric. (Photo credit: "U.S. Department of Health and Human Services" by WEBN-TV is marked with CC BY-ND 2.0.)

The Department of Health and Human Services’ Office of the Inspector General has again deemed the HHS’ information security program “not effective," under the Federal Information Security Modernization Act (FISMA) metrics. The findings are consistent with past audits from OIG and the Government Accountability Office that also deemed HHS’ security as ineffective.

OIG’s determination was based on HHS not meeting the "managed and measurable" maturity level for five out of five of the identify, protect, detect, and recover function elements required by Department of Homeland Security guidance and FISMA.

“Supply chain risk management was only assessed at the domain level and not factored into the conclusion of the function or overall effectiveness of HHS information security program for FY 2021 in accordance with the IG FISMA Reporting Metrics guidance,” according to the report.

“Risk Management is not yet at a maturity level of managed and measurable, therefore our overall assessment of this function was 'not effective,'" it added.

The performance audit was conducted by EY in compliance with FISMA and government auditing standards, using The NIST Cybersecurity Framework as a guideline. The HHS cybersecurity program operates with a shared responsibility model, acknowledging HHS, operating divisions, and contractors are all critical to risk management.

OIG assessed HHS' maturity for its supply chain risk management, information security continuous monitoring, and continency planning at level two, or defined. Its risk management, configuration management, identity and access management, data protection and privacy, security training, and incident response at maturity level 3, or consistently implemented.

Specifically, OIG determined that progress hasn’t been achieved in some metric areas “due to a lack of implementation of information security continuous monitoring efforts across the operating divisions. The elements are crucial for providing the HHS CIO and department CIOs with reliable data and metrics to make informed risk management decisions.

HHS partially implemented a continuous diagnostics and mitigation strategy in 2021, which provided visibility into some assets and greater awareness of some vulnerabilities and certain threats that relied on the use of RSA Archer and Splunk. 

Further, while HHS created an enterprise-level information security continuous monitoring strategy across its operating divisions, HHS has not denied roadmaps, key performance indicators, or benchmarks for the implementation of this strategy or other documentation. 

Leadership recognizes these limitations and noted their primary goal is to support its divisions with the implementation of monitoring tools recommended by DHS. HHS implemented those tools across multiple divisions last year and intends to continue implementing the tools across HHS.

Although OIG notes these efforts have “made great strides” in addressing challenges and progress of these tools and processes, the agency hasn’t created a definitive schedule to fully implement the program across all divisions, which has caused “inconsistent” implementation of the program.

Without a complete CDM program, HHS might not be able “to identify cybersecurity risks on an ongoing basis, use CDM information to prioritize the risks based on potential impacts, and then mitigate the most significant vulnerabilities first.”

The latest audit joins a host of other OIG and Government Accountability Office reports over the years, which have consistently found issues with HHS’ cybersecurity measures.

Audits from 2018 and 2019, showed the agency needed to bolster its security controls to more effectively detect and prevent cyberattacks. Weaknesses were also identified in its identity and access management, security training, and incident response, among other risks.

In its 2019 audit, an independently performed pen test revealed vulnerabilities in access controls, configuration management, data input controls, and software patching. HHS has consistently defended its efforts, marking continued efforts taken by the agency to improve its overall cyber posture. 

To strengthen the cybersecurity program, OIG recommended HHS continue to implement its automated CDM solution and update the ISCM strategy with a more specific roadmap that should include target dates for deployment across the HHS. The agency should also perform an enterprise risk assessment of known weaknesses and create an appropriate risk response. 

Lastly, OIG recommended HHS develop a process for monitoring its contingency plans to ensure they’re developed, maintained, and integrated with other continuity requirements. HHS agreed with OIG’s findings and outlined the actions it intends to take to address the identified risks and weaknesses.