HHS closes FISMA gaps, but cyber risks remain

gold shield on top of computer code

The Department of Health and Human Services Inspector General released an audit by Ernst & Young that found HHS and its components had made progress implementing cybersecurity protections to conform to Federal Information Security Modernization Act standards, but that the agency has ample room for improvement.

The auditors found HHS hasn't fully implemented a department-wide continuous monitoring program that shows how it operating divisions address threats, implement strategies and report on cybersecurity metrics.  The report recommends additional work on vulnerability management, software assurance, information management, patch management, license management, event management, malware detection, asset management and network management.

The report also said HHS operating divisions did not consistently review, remediate or address risks from vulnerabilities found in configuration baseline compliance and vulnerability scans done through Security Content Automation Protocol tools.

Auditors found that three divisions were fielding IT systems with expired authority to operate certificates. More generally, the report found that all operating divisions need to do a better job of making sure hardware and software inventories are up to date.

The report noted that the five operating divisions failed to consistently implement account management procedures for shared accounts and personnel. Additionally, there were weaknesses found in controls of contactor systems. Two of the five HHS divisions did not maintain a complete inventory of contractor systems, and some external systems that maintained network connections with HHS systems did not have appropriate security documentation.

Taken together, the weaknesses "could potentially compromise the confidentiality, integrity, and availability of HHS’ sensitive information and information systems," the report warned.

The HHS OCIO has partially or fully concurred with all the recommendations, according to the report.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Federal 100 Awards
    Federal 100 logo

    Nominations for the 2021 Fed 100 are now being accepted

    The deadline for submissions is Dec. 31.

  • Government Innovation Awards
    Government Innovation Awards - https://governmentinnovationawards.com

    Congratulations to the 2020 Rising Stars

    These early-career leaders already are having an outsized impact on government IT.

Stay Connected