Open Recommendations
| Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details |
|---|---|---|---|---|
| 25-A-18-014.01 | No | $0 | $0 | We recommend that HHS update its enterprise architecture system inventory and software/hardware asset inventories to include the information systems and components that are active on the HHS network. HHS should use the inventories to continuously monitor assets and to identify and remediate vulnerabilities in a timely manner, to better manage the risks to these assets. |
| 25-A-18-014.02 | No | $0 | $0 | We recommend that HHS complete implementation of a cybersecurity risk management strategy to assess and respond to risks identified within the agency and across OpDivs, watch for new risks, and monitor risks and confirm implementation. The strategy should define a standardized process to accept and monitor risks that cannot be adequately mitigated. |
| 25-A-18-014.03 | No | $0 | $0 | We recommend that HHS require OpDivs to incorporate analyses of the security impacts of significant changes prior to implementation, to measure their impacts on the organizations' security and enterprise architecture, and confirm implementation. |
| 25-A-18-014.04 | No | $0 | $0 | We recommend that HHS require OpDivs to implement an effective SCRM program that meets the defined standards across HHS and confirm that implementation is consistent with the established standards. This should include requiring OpDivs to assess vendors and submit the resulting monitoring results to HHS to assist with tracking and monitoring components on the network. |
| 25-A-18-014.05 | No | $0 | $0 | We recommend that HHS require OpDivs to establish oversight of background investigations performed for employees and contractors with logical access across the agency, and perform continuous monitoring for new and existing users to ensure OpDivs are aware of the investigation status of their users. |
| 25-A-18-014.06 | No | $0 | $0 | We recommend that HHS confirm that OpDivs' policies require monitoring of privileged user accounts, for both logging and activity reviews, in an automated manner. |