National Institutes of Health Grant Program Cybersecurity Requirements Need Improvement

Date Issued

Monday, September 19, 2022

Submitting OIG

Department of Health & Human Services OIG

Other Participating OIGs

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Components

National Institutes of Health

Report Number

A-18-20-06300

Report Type

Audit

Location

MD,
United States

Number of Recommendations

Questioned Costs

Funds for Better Use

Open Recommendations

This report has 5 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
22-A-18-099.01	No	$0	$0
CLA recommends that the National Institutes of Health management implement the recommendations below to enhance cybersecurity controls over its grant program. 1. Assess its grant award programs to determine which grants should require additional cybersecurity protections due to research potentially including sensitive and confidential data or NIH intellectual property or both.
22-A-18-099.02	No	$0	$0
2. Based on results of NIH's risk assessment of grant applicants, include in the funding opportunity announcements or grant terms and conditions or both the cybersecurity controls that should be implemented.
22-A-18-099.03	No	$0	$0
3. Strengthen the NIHGPS to establish clear and measurable standards for cybersecurity protections.
22-A-18-099.04	No	$0	$0
4. Strengthen its pre-award process to identify and address how cybersecurity risk will be assessed.
22-A-18-099.05	No	$0	$0
5. Strengthen its post-award process to confirm that cybersecurity protections have been implemented to adequately safeguard sensitive and confidential data.