HHS' information security program is ineffective, audit finds

HHS' information security program was deemed "not effective" for fiscal year 2021 in an audit conducted by the department's Office of Inspector General, consistent with the determinations for fiscal years 2018, 2019 and 2020.

The audit report, released April 25, said HHS failed to meet the “managed and measurable” maturity level for four function areas: identify, protect, detect and recover. The report noted particular weaknesses surrounding risk management and contingency planning.

Here are four recommendations the OIG provided in its report:

  1. HHS should continue implementing automated copy data software to achieve a centralized view of risks across the department.

  2. HHS' information security continuous monitoring strategy should be updated to include more specific objectives, including target dates for ISCM deployment across all HHS operating divisions.

  3. HHS should conduct an enterprise risk assessment over known control weaknesses and document appropriate responses.

  4. HHS should develop a process to monitor information system contingency plans so they are maintained and integrated with other continuity requirements by information systems.

Copyright © 2024 Becker's Healthcare. All Rights Reserved.

 
