The Information Security and Privacy Policy (IS2P) is HHS' primary policy document governing cybersecurity; it is pending a rewrite to address the upcoming requirements in NIST 800-53 revision 5. When this update to the IS2P occurs, HHS should:
- Specify required cybersecurity control maturity levels in addition to identifying the selection of NIST controls.
- Describe HHS' Cybersecurity Shared Responsibility Model, including the key roles under centralized, federated and hybrid strategies for control implementation. Include the responsibilities of the OCIO, the OPDIVs, and third-party stakeholders (including contractors).
- Communicate that a Managed and Measurable or the optimal maturity level, based on HHS' risk assessment, is required to be deemed "Effective".
Questioned Costs
$0
Funds for Better Use
$0
Recommendation Status
Open
Source UUID
20-A-18-084-268665
Recommendation Number
268665
Significant Recommendation
No