OIG: Evaluation of FISMA Shows HHS Security Program “Not Effective”

Consistent with government audits from recent years, OIG’s FISMA compliance audit of 2021 once again found HHS’ security program ineffective.

The Office of Inspector General (OIG) called HHS’ security program “not effective” in an audit of Federal Information Security Modernization Act (FISMA) requirements for fiscal year 2021. The determination was consistent with fiscal year 2020, 2019, and 2018 FISMA audits.

FISMA requires Inspectors General to perform annual evaluations of their agency’s information security programs. HHS OIG engaged the services of Ernst & Young LLP (EY) to conduct the audit. Auditors reviewed federal laws and regulations and assessed information security program policies across multiple operating divisions.

The auditors deemed HHS’s information security program “not effective” based on HHS failing to meet the “managed and measurable” maturity level for four function areas: identify, protect, detect, and recover.

“However, HHS continues to implement changes to strengthen the maturity of its enterprise-wide cybersecurity program,” the report stated.

“Progress continues to be made to sustain cybersecurity maturity across all FISMA domains. HHS is aware of opportunities to strengthen the Department’s overall information security program which would help ensure that all [operating divisions] are consistently implementing and in line with the requirements across their security programs.”

The audit found a trend of risk management and contingency planning weaknesses, which were consistent with 2020 findings.

For the first time, the auditors evaluated supply chain risk management (SCRM) along with traditional risk management in the “identify” function.

“Supply Chain Risk Management (SCRM) involves activities that pertain to managing cyber supply chain risk exposures, threats, and vulnerabilities throughout the supply chain and developing risk response strategies to the risk presented by the supplier, the supplied products and services or the supply chain,” the report explained.

OIG found that HHS had defined SCRM strategies, but the domain was not considered in determining the overall effectiveness of HHS’ program.

OIG provided the following recommendations to HHS based on its findings:

  1. Continue implementation of an automated CDM solution that provides a centralized, enterprise-wide view of risks across all of HHS.
  2. Update the ISCM strategy to include a more specific roadmap, including target dates, for ISCM deployment across the HHS enterprise.
  3. HHS should perform an enterprise risk assessment over known control weaknesses (e.g., Authority to Operate, incomplete OpDiv provided system inventories, lack of OpDiv adherence to HHS information security policies) due to their federated environment and document an appropriate risk response (e.g., accept, avoid, mitigate, share, or transfer).
  4. Develop a process to monitor information system contingency plans to ensure they are developed, maintained, and integrated with other continuity requirements by information systems.

HHS concurred with the recommendations and described plans it had made to address them. Above all, OIG urged HHS to conduct an enterprise-wide risk assessment over known control weaknesses.