The Organ Procurement and Transplantation Network IT System's Cybersecurity Controls Were Partially Effective and Improvements Are Needed

Date Issued

Monday, December 2, 2024

Submitting OIG

Department of Health & Human Services OIG

Agencies Reviewed/Investigated

Department of Health & Human Services

Report Number

A-18-22-03400

Report Type

Audit

Agency Wide

Yes

Number of Recommendations

Questioned Costs

Funds for Better Use

Report updated under NDAA 5274

External Link

Open Recommendations

This report has 3 open recommendations.

Recommendation Number	Significant Recommendation	Recommended Questioned Costs	Recommended Funds for Better Use
25-A-18-022.01	No	$0	$0
We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to remediate the 22 vulnerabilities identified and verify that the 22 vulnerabilities identified were remediated.
25-A-18-022.02	No	$0	$0
We recommend that the Health Resources and Services Administration require the OPTN IT system contractor to improve network monitoring by implementing NIST SP 800-53, Revision 5, for the OPTN IT system, to include data loss prevention technology to prevent unauthorized exfiltration of information (Control SC-7(10)) and red-team exercises to simulate attempts by adversaries to compromise organizational systems (Control CA-8(2)).
25-A-18-022.03	No	$0	$0
We recommend that the Health Resources and Services Administration implement procedures to help ensure that the OPTN IT system contractor maintains compliance with federally required cybersecurity controls policies and standards on a continuing basis.