Administration for Children and Families Data Hosted in Certain Cloud Information Systems May Be at a High Risk of Compromise

Date Issued

Tuesday, April 23, 2024

Submitting OIG

Department of Health & Human Services OIG

Other Participating OIGs

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Components

Administration for Children and Families

Report Number

A-18-22-08020

Report Type

Audit

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
24-A-18-057.01	No	$0	$0
We recommend ACF update and maintain a complete and accurate inventory of information systems hosted in the cloud.
24-A-18-057.02	No	$0	$0
We reccomend ACF remediate the 19 security control findings in accordance with NIST SP 800-53.
24-A-18-057.03	No	$0	$0
We recommend ACF update its cloud security procedures to include detailed steps for operational staff to effectively implement cloud security baselines in accordance with HHS requirements.
24-A-18-057.04	No	$0	$0
We reccomend ACF leverage cloud security assessment tools to identify misconfigurations and weakcybersecurity controls in its cloud infrastructure.
24-A-18-057.05	No	$0	$0
We recommend ACF conduct testing of its cloud information systems that includes the emulation of anadversary's tactics and techniques on a defined reoccurring basis.