The information security program of the United States’ Department of Health and Human Services (HHS) has been rated ‘not effective’ for a fourth consecutive year.
Audits conducted for the HHS’ Office of Inspector General (OIG) to assess compliance with the Federal Information Security Modernization Act of 2014 (FISMA) in the fiscal years 2018, 2019, 2020 and 2021 have all resulted in the program receiving a ‘not effective’ rating.
The most recent audit, whose results were published in April 2022, was conducted at five of the HHS’ 12 operating divisions (OpDivs); the OIG did not specify which five divisions were audited.
Explaining why the program had once again been rated ‘not effective,’ the OIG report stated: “This determination was made based on HHS not meeting the ‘Managed and Measurable’ maturity level for the Identify, Protect, Detect, Respond, and Recover function areas as required by DHS guidance and the FY 2021 Inspector General FISMA Reporting Metrics.”
Despite the department falling short of the required maturity level in all five function areas, the OIG acknowledged that HHS was aware of how it could improve its cybersecurity and was making efforts towards achieving a mature cybersecurity posture.
“HHS continues to implement changes to strengthen the maturity of its enterprise-wide cybersecurity program. Progress continues to be made to sustain cybersecurity maturity across all FISMA domains,” notes the OIG, adding:
“HHS is aware of opportunities to strengthen the Department’s overall information security program which would help ensure that all OpDivs are consistently implementing and in line with the requirements across their security programs.”
The OIG found that in fiscal year 2021 HHS had not fully implemented a Continuous Diagnostics and Mitigation (CDM) strategy, and that the department had no definitive schedule for rolling out the CDM program across all of its operating divisions.
“Without a fully implemented CDM program, HHS may not be able to identify cybersecurity risks on an ongoing basis, use CDM information to prioritize the risks based on potential impacts, and then mitigate the most significant vulnerabilities first,” warned the OIG.