The Department of Health and Human Services’ (HHS) FISMA (Federal Information Security Modernization Act) audit for fiscal year 2018, released today by HHS’ Office of the Inspector General (OIG), shows the agency improved its performance in the “Identify” and “Protect” areas of the framework, while holding steady in other areas.
The audit found that while HHS’ information security program as a whole is “not effective,” the agency notched improvements since the FISMA audit from FY2017. The report ranks agency implementation against the National Institute of Standards and Technology (NIST) Cybersecurity Framework. HHS received:
- Consistently Implemented on Identify, up from Defined in FY17
- Consistently Implemented on Protect, up from Defined in FY17
- Defined on Detect, unchanged from FY17
- Defined on Respond, down from FY17
- Defined on Recover, unchanged from FY17
“This year’s assessment demonstrates the improvements in both the Identify and Protect function areas from previous years while the Respond function area maturity rating was lowered from FY 17,” the report states.
On Identify, where HHS improved, the department’s operating divisions showed better implementation of the department-level risk management program. Although standards were not always followed, every operating division had a risk management strategy in place that aligned with enterprise-level guidance. The audit recommended that HHS enhance its risk management strategy by integrating threat modeling and reporting tools, and that it issue guidance ensuring those tools are deployed so that operating-division risk management programs are integrated with the enterprise program. The agency’s CIO Office concurred with both recommendations.
Protect was another area of improvement for the department. On configuration management, implementation still had some gaps, but on identity and access management the audit found the department has a defined program, and operating divisions are largely on track with their implementations. On data protection and privacy, HHS has a defined privacy program that operating divisions tailor to their own agencies, although the policies had not been updated in the last two years and some aspects are outdated. Finally, on security training, HHS has established content for operating-division training programs, although some gaps remain.
The one area of regression for the department was Respond, which the report rates one level lower than in FY17. Detect, by contrast, held at Defined. While the enterprise-level strategy for information security continuous monitoring (ISCM) remained unchanged from FY17, the department could not demonstrate the effectiveness of the tools it had implemented. One operating division had systems operating under expired authorizations to operate (ATOs), and one operating division did not complete required security control assessments within the three-year window.
“Since HHS and its [operating divisions] reviewed are not consistently implementing its ISCM program, the ISCM program is at the Defined maturity level,” the audit states.