The Government Accountability Office found that the Department of Health and Human Services’ information security program is “not effective” based on the standards set by the Federal Information Security Modernization Act of 2014, according to HealthITSecurity.

Auditors from Ernst & Young, who evaluated the HHS program against applicable regulations, federal laws and guidance, found an improvement in the agency’s performance for the implementation of data exfiltration systems, configuration management controls and ongoing Authorization to Operate monitoring.

However, HHS was found to be lacking in the implementation of information security continuous monitoring across operating divisions, which provides the agency with reliable information for better decision making. The auditors identified key areas that the program was ineffective, including its identity, protect, detect, respond and recover function areas; contingency planning; and FISMA metric implementation.

GAO recommended for HHS to commit to implementing the previous HHS risk assessment results, continue improving its information security controls and cybersecurity program, and address deficiencies in its current maturity levels against the agency’s defined effective maturity for each of its cybersecurity framework’s function area.