GAO Audit Finds HHS Information Security Program “Not Effective”

April 09, 2021 - An evaluation of the Department of Health and Human Services against Federal Information Security Modernization Act of 2014 (FISMA) principles found the agency’s information security program “not effective,” due to several maturity deficiencies, according to the Government Accountability Office.

Under FISMA, Inspectors General are required to perform an annual, independent review of agency information security programs and practices, to determine overall effectiveness. For the HHS audit, Ernst & Young conducted a review of HHS compliance as of September 30, 2020 against FISMA reporting metrics.

The auditors reviewed the program against applicable federal laws, regulations, and guidance to gain an understanding of the HHS security program, as well as five of its operating divisions. The team also assessed standards and guidance issued by HHS management and prescribed performance standards. Interviews were also conducted with personnel.

The goal was to determine whether HHS overall security program and practices met federal information security requirements.

The auditors found HHS improved in their performance for consistent implementation of data exfiltration systems, ongoing Authorization to Operate monitoring, and configuration management controls for baseline security standards and patch management.

But progress in other areas hasn’t been achieved due to a lack of implementation of information security continuous monitoring (ISCM) across the operating divisions. These efforts are critical to providing the agency with reliable data and metrics for better informed risks management decisions.

Further, though HHS created an enterprise-level ISCM strategy for its operating divisions to implement CDM tools, it has not defined roadmaps, key performance indicators, or benchmarks for CDM implementation.

The auditors found through the examination that the program was ineffective in three key areas.

First, HHS did not meet a managed and measurable maturity level across identity, protect, detect, respond, and recover function areas. The auditors also found deficiencies in these key security areas.

The auditors also found deficiencies with the maturity levels for consistent implementation for some FISMA metrics at both HHS and the selected operating divisions. The report also showed that weaknesses continued to persist in the agency’s contingency planning, “which was the only domain assessed with a maturity level of ‘defined’ in FY 2019 and again in FY 2020.”

“However, HHS continues to implement changes to strengthen the maturity of its enterprise-wide cybersecurity program,” according to the report. “Progress continues to be made to sustain cybersecurity maturity across all FISMA domains.”

“Also notable were increased maturation of data protection and privacy and information systems continuous monitoring,” they added. “We identified opportunities where HHS can strengthen its overall information security program.”

GAO made several recommendations for HHS to continue strengthening its cybersecurity program and information security controls.

The agency should also commit to implement the results of a previous HHS risk assessment into its formal cybersecurity maturity migration strategy; doing so would allow HHS to improve the maturity of the program to a more effective level.

GAO also recommended HHS address gaps in its current maturity levels against its HHS-defined effective maturity for each function area of its cybersecurity framework. HHS should also clearly articulate and implement the roles and shared responsibilities for effective maturity.

Those definitions should include whether requirements are to be implemented through centralized, federated, or hybrid controls. Specific recommendations were provided to each specific operating division, as well.

HHS should also develop better oversight processes and procedures for managing IT system configurations to ensure the processes are developed and tailored to the environment of the operating divisions.

Those policies and procedures should be formalized to ensure that all personnel are assigned risk designation and appropriately screened before being granted access to OpDiv systems. 

“The Department recognizes limitations associated with the security governance, risk and compliance tool roll-out and has established that their main goal is to support the operating divisions in their implementation of the CDM tools that are prescribed by DHS,” according to the report. 

“[HHS] established a monthly ISCM/CDM Working Group, where lessons learned inform implementation and improvements to its ISCM program,” it added.

The agency concurred with 11 of the GAO recommendations and did not concur with two others. HHS provided technical comments, which GAO also addressed. GAO officials said they “maintain that our findings and recommendations are accurate and valid.”

The GAO report is the latest audit to find HHS’ security program needs improvement. An August 2019 review by the Office of Management and Budget against the FISMA standard deemed the program not effective, primarily because it lacked a measurable security level.

An earlier GAO report found HHS failed to implement many previous GAO recommendations, including four high priority recommendations for its health IT and cybersecurity measures. Around the same period, the Office of the Inspector General again deemed HHS security program ineffective.