Open Recommendations
Recommendation Number | Significant Recommendation | Recommended Questioned Costs | Recommended Funds for Better Use | Additional Details | |
---|---|---|---|---|---|
23-A-18-069.01 | No | $0 | $0 | ||
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS continue to work with the OpDivs to implement automated CDM solutions to increase awareness and improve mitigation efforts across all of HHS. | |||||
23-A-18-069.04 | No | $0 | $0 | ||
To strengthen HHS' enterprise-wide cybersecurity program, based on our reviews across the Department, we recommend that HHS confirm that the OpDivs' contingency plan testing is being performed within the timeframe required by HHS policy. | |||||
23-A-18-069.05 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the capability to deny access to mobile devices, such as smartphones and tablets, from connecting to the network if the device's software is outdated. | |||||
23-A-18-069.07 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete their discovery of all information systems and maintain an up-to-date inventory of systems, software, and licenses. | |||||
23-A-18-069.08 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs complete their discovery of all information systems and maintain an up-to-date inventory of systems, software, and licenses. | |||||
23-A-18-069.10 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs' SCRM policies and procedures are being consistently implemented across the organization and ensure their execution. | |||||
23-A-18-069.11 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs finalize and implement draft policies and procedures to include the review of suppliers or contractors for risks to the organization's systems and system components. | |||||
23-A-18-069.14 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that all OpDivs implement the requirement to resolve high and critical vulnerabilities within 30 and 15 days respectively and create POA&Ms to monitor and resolve the weakness in a timely manner. | |||||
23-A-18-069.16 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that secure configuration settings are being maintained as defined by existing policy. | |||||
23-A-18-069.17 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that all operational systems have multifactor or an alternative strong authentication mechanism (PIV or an Identity Assurance Level (IAL) 3/Authenticator Assurance Level (AAL) 3 credential) for both privileged and non-privileged users. | |||||
23-A-18-069.21 | No | $0 | $0 | ||
We recommend that the HHS OCIO work with the OpDivs to ensure that policies and procedures for identity and access management are being consistently implemented and proper safeguards (i.e., logging, monitoring, review of privileged user activity) are developed across the Department to ensure their execution. |