GAO audit finds HHS information security program ‘not effective’ | SC Media

April 9, 2021

The Government Accountability Office found that the Department of Health and Human Services’ information security program is “not effective” based on the standards set by the Federal Information Security Modernization Act of 2014, according to HealthITSecurity.

Auditors from Ernst & Young, who evaluated the HHS program against applicable regulations, federal laws and guidance, found an improvement in the agency’s performance for the implementation of data exfiltration systems, configuration management controls and ongoing Authorization to Operate monitoring.

However, HHS was found to be lacking in the implementation of information security continuous monitoring across operating divisions, which provides the agency with reliable information for better decision making. The auditors identified key areas in which the program was ineffective, including its identify, protect, detect, respond and recover function areas; contingency planning; and FISMA metric implementation.

GAO recommended that HHS commit to implementing the previous HHS risk assessment results, continue improving its information security controls and cybersecurity program, and address deficiencies in its current maturity levels against the agency’s defined effective maturity for each of its cybersecurity framework’s function areas.

Jill Aitoro

SC Media Editor in Chief Jill Aitoro has 20 years of experience editing and reporting on technology, business and policy. She also serves as editorial director at SC Media’s parent company, CyberRisk Alliance. Prior to joining CRA, she worked at Sightline Media as editor of Defense News and executive editor of the Business-to-Government Group. She previously worked at Washington Business Journal and Nextgov, covering federal technology, contracting and policy, as well as CMP Media’s VARBusiness and CRN and Penton Media’s iSeries News.
