HHS closes FISMA gaps, but cyber risks remain

gold shield on top of computer code

The Department of Health and Human Services Inspector General released an audit by Ernst & Young that found HHS and its components had made progress implementing cybersecurity protections to conform to Federal Information Security Modernization Act standards, but that the agency has ample room for improvement.

The auditors found HHS hasn't fully implemented a department-wide continuous monitoring program that shows how it operating divisions address threats, implement strategies and report on cybersecurity metrics.  The report recommends additional work on vulnerability management, software assurance, information management, patch management, license management, event management, malware detection, asset management and network management.

The report also said HHS operating divisions did not consistently review, remediate or address risks from vulnerabilities found in configuration baseline compliance and vulnerability scans done through Security Content Automation Protocol tools.

Auditors found that three divisions were fielding IT systems with expired authority to operate certificates. More generally, the report found that all operating divisions need to do a better job of making sure hardware and software inventories are up to date.

The report noted that the five operating divisions failed to consistently implement account management procedures for shared accounts and personnel. Additionally, there were weaknesses found in controls of contactor systems. Two of the five HHS divisions did not maintain a complete inventory of contractor systems, and some external systems that maintained network connections with HHS systems did not have appropriate security documentation.

Taken together, the weaknesses "could potentially compromise the confidentiality, integrity, and availability of HHS’ sensitive information and information systems," the report warned.

The HHS OCIO has partially or fully concurred with all the recommendations, according to the report.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Veterans Affairs
    Blue Signage and logo of the U.S. Department of Veterans Affairs

    VA health record go-live pushed back to July

    The Department of Veterans Affairs is delaying a planned initial deployment of its $16 billion electronic health record project by four months, but is promising added functionality at the go-live date.

  • Workforce
    The Pentagon (Photo by Ivan Cholakov / Shutterstock)

    Esper says he didn't seek the authority to gut DOD unions

    Defense Secretary Mark Esper told lawmakers he was waiting for a staff analysis of a recent presidential memo before deciding whether to leverage new authority.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.