OMB Audit Report Finds the HHS Information Security Program as Ineffective

The Office of Management and Budget (OMB) sent in its yearly audit report to Congress about the status of federal agencies’ cybersecurity, as demanded by the Federal Information Security Modernization Act of 2014 (FISMA).

OMB evaluated 4 of the 12 Department of Health and Human Services (HHS) operating divisions to determine their compliance with FISMA. OMB found the security program of the HHS as ineffective. The agency hadn’t reached a Managed and Measurable level of maturity with regard to the functional areas of Identify, Protect, Detect, Respond and Recover.

The HHS decided to handle risk in the functional area of ‘Detect’ but was vulnerable in the other 4 functional areas.

The HHS has been trying to improve its security posture, which is progressing, but there remains much to go. OMB discovered major weak spots in several areas, such as in identity and access management, contingency preparation, risk management, and breach response.

OMB remarks that because the HHS is functioning in a federated setting, there are a lot of difficulties in attaining a ‘Managed and Measurable’ level of maturity through all operating divisions.

While there are weaknesses in several areas, OMB confirmed that HHS knew the opportunities to reinforce its security program and make sure that policies and procedures are applied in the security program of all operating divisions.

The HHS is likewise working with the Department of Homeland Security and is using a Department-wide Continuous Diagnostics and Mitigation (CDM) plan to constantly monitor its networks and systems as well as document the progress of handling and employing its security techniques and send the reports to DHS.

OMB mentioned that so as to reach a Managed and Measurable level of maturity, the HHS needs to make sure that its CDM program is completely implemented. This is likely to have a lot of challenges for the HHS. HHS likewise must keep on building towards a running model wherein all the functional areas have real-time connection to each other and give holistic and synchronized reactions to security incidents. This is going to reinforce all facets of its data security program to ensure that HHS could fulfill its mission by means of an efficient and coordinated facts security program.