HHS closes FISMA gaps, but cyber risks remain

gold shield on top of computer code

The Department of Health and Human Services Inspector General released an audit by Ernst & Young that found HHS and its components had made progress implementing cybersecurity protections to conform to Federal Information Security Modernization Act standards, but that the agency has ample room for improvement.

The auditors found HHS hasn't fully implemented a department-wide continuous monitoring program that shows how it operating divisions address threats, implement strategies and report on cybersecurity metrics.  The report recommends additional work on vulnerability management, software assurance, information management, patch management, license management, event management, malware detection, asset management and network management.

The report also said HHS operating divisions did not consistently review, remediate or address risks from vulnerabilities found in configuration baseline compliance and vulnerability scans done through Security Content Automation Protocol tools.

Auditors found that three divisions were fielding IT systems with expired authority to operate certificates. More generally, the report found that all operating divisions need to do a better job of making sure hardware and software inventories are up to date.

The report noted that the five operating divisions failed to consistently implement account management procedures for shared accounts and personnel. Additionally, there were weaknesses found in controls of contactor systems. Two of the five HHS divisions did not maintain a complete inventory of contractor systems, and some external systems that maintained network connections with HHS systems did not have appropriate security documentation.

Taken together, the weaknesses "could potentially compromise the confidentiality, integrity, and availability of HHS’ sensitive information and information systems," the report warned.

The HHS OCIO has partially or fully concurred with all the recommendations, according to the report.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected