HHS closes FISMA gaps, but cyber risks remain

gold shield on top of computer code

The Department of Health and Human Services Inspector General released an audit by Ernst & Young that found HHS and its components had made progress implementing cybersecurity protections to conform to Federal Information Security Modernization Act standards, but that the agency has ample room for improvement.

The auditors found HHS hasn't fully implemented a department-wide continuous monitoring program that shows how it operating divisions address threats, implement strategies and report on cybersecurity metrics.  The report recommends additional work on vulnerability management, software assurance, information management, patch management, license management, event management, malware detection, asset management and network management.

The report also said HHS operating divisions did not consistently review, remediate or address risks from vulnerabilities found in configuration baseline compliance and vulnerability scans done through Security Content Automation Protocol tools.

Auditors found that three divisions were fielding IT systems with expired authority to operate certificates. More generally, the report found that all operating divisions need to do a better job of making sure hardware and software inventories are up to date.

The report noted that the five operating divisions failed to consistently implement account management procedures for shared accounts and personnel. Additionally, there were weaknesses found in controls of contactor systems. Two of the five HHS divisions did not maintain a complete inventory of contractor systems, and some external systems that maintained network connections with HHS systems did not have appropriate security documentation.

Taken together, the weaknesses "could potentially compromise the confidentiality, integrity, and availability of HHS’ sensitive information and information systems," the report warned.

The HHS OCIO has partially or fully concurred with all the recommendations, according to the report.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at mrockwell@fcw.com or follow him on Twitter at @MRockwell4.


  • Contracting
    8 prototypes of the border walls as tweeted by CBP San Diego

    DHS contractors face protests – on the streets

    Tech companies are facing protests internally from workers and externally from activists about doing for government amid controversial policies like "zero tolerance" for illegal immigration.

  • Workforce
    By Mark Van Scyoc Royalty-free stock photo ID: 285175268

    At OPM, Weichert pushes direct hire, pay agent changes

    Margaret Weichert, now acting director of the Office of Personnel Management, is clearing agencies to make direct hires in IT, cyber and other tech fields and is changing pay for specialized occupations.

  • Cloud
    Shutterstock ID ID: 222190471 By wk1003mike

    IBM protests JEDI cloud deal

    As the deadline to submit bids on the Pentagon's $10 billion, 10-year warfighter cloud deal draws near, IBM announced a legal protest.

Stay Connected

FCW Update

Sign up for our newsletter.

I agree to this site's Privacy Policy.