Illinois MMIS and E&E System Had Adequate Security Controls in Place, but Some Improvements Are Needed

Date Issued

Thursday, August 15, 2024

Submitting OIG

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Report Number

A-18-22-09009

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

External Link

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
24-A-18-097.01	No	$0	$0
We recommend that the Illinois Department of Healthcare and Family Services remediate the four security control findings identified by OIG.
24-A-18-097.02	No	$0	$0
We recommend that the Illinois Department of Healthcare and Family Services develop and implement flaw remediation policies and procedures for effectively identifying vulnerabilities, prioritizing them based on potential impact and exploitability, and remediating them within a defined timeframe as required by NIST SP 800-53, SI-2, Flaw Remediation, or other standards governing security of Federal systems and information.
24-A-18-097.03	No	$0	$0
We recommend that the Illinois Department of Healthcare and Family Services enhance its testing procedures to include performing more robust technical testing of web-facing systems and emulation of an adversary's tactics and techniques on a defined reoccurring basis, in order to better assess the effectiveness of NIST SP 800-53 controls.