HHS should perform an enterprise risk assessment over known control weaknesses (e.g., Authority to Operate, incomplete OpDiv provided system inventories, lack of OpDiv adherence to HHS information security policies) due to their federated environment and document an appropriate risk response (e.g., accept, avoid, mitigate, share, or transfer).