OIG: HHS' Info Security Program Still Rated 'Not Effective'Latest FISMA Compliance Audit Finds a Variety of Issues
Auditors have once again rated the Department of Health and Human Services' information security program as "not effective," citing several areas of weaknesses, including issues related to risk management, information security continuous monitoring and contingency planning.
The findings are included in a HHS Office of Inspector General report issued last week based on an audit conducted last year by Ernst & Young LLP, which reviewed the department's compliance with the Federal Information Security Modernization Act of 2014 during fiscal 2021.
For instance, in the fiscal 2020 FISMA compliance audit - as in the recent audit in 2021 - HHS' contingency planning was rated as "not effective" in part due to issues related to certain HHS operating divisions.
In its latest report, OIG says the overall "not effective" determination was made based on HHS not meeting the "managed and measurable" maturity level for the "identify, protect, detect, and recover" function areas as required by Department of Homeland Security guidance and the fiscal year 2021 Inspector General FISMA Reporting Metrics.
OIG says that the auditors in their evaluation of HHS reviewed applicable federal laws, regulations and guidance and assessed the status of current HHS security program at both the department level and at five of HHS' 12 operating divisions. The audited HHS units were not identified in the OIG report.
The HHS cybersecurity program follows a shared responsibility model that recognizes that the department, the HHS operating division and contractors are critical to risk management, OIG says.
Risk Management Weaknesses
OIG in its report says the goal of the FISMA "identify" function is to develop the organizational understanding to manage cybersecurity risk to systems, assets, data and capabilities.
"This area is the foundation that allows an agency to focus and prioritize its efforts with its risk management strategy and business needs," the report says. "Within this function, there are two domains, risk management and supply chain risk management, for evaluation within the inspector general metrics."
HHS' risk management "is not yet at a maturity level of 'managed and measurable', therefore our overall assessment of this function was 'not effective,'” OIG says.
On the other hand, in accordance with the inspector general's fiscal 2021 FISMA reporting metrics guidance, supply chain risk management was only assessed at the domain level and not factored into the conclusion of the overall effectiveness of HHS information security program for fiscal 2021, OIG says.
In assessing the risk management of HHS operating divisions, the auditors found various weaknesses. For instance, at one operating division, a system security plan was not completed. At another, security assessment reports were not completed.
Continuous Diagnostics and Mitigation
The report also says that HHS has not achieved needed progress in some FISMA metric areas due to a lack of full implementation of information security continuous monitoring, or ISCM, efforts across HHS operating divisions.
"These efforts are critical to provide the HHS CIO and operating division CIOs reliable data and metrics for multiple FISMA domains to make informed risk management decisions," the report says.
HHS' "partial implementation" of a continuous diagnostics and mitigation, or CDM, strategy provided visibility into some assets, awareness into some vulnerabilities and certain threat information through the use of RSA Archer and Splunk, the report says.
"HHS has created an enterprise-level ISCM strategy for operating divisions to assist with the implementation of CDM tools. However, HHS has not defined road maps, key performance indicators, or benchmarks for CDM implementation within this strategy or other documentation. … This has led to inconsistent ISCM across operating divisions and a lower maturity at the HHS enterprise," the report says.
"Without a fully implemented CDM program, HHS may not be able to identify cybersecurity risks on an ongoing basis, use CDM information to prioritize the risks based on potential impacts, and then mitigate the most significant vulnerabilities first."
As was also the case in fiscal 2020, OIG assessed HHS' contingency planning in fiscal 2021 as being "not effective."
Among the findings, auditors identified two HHS operating divisions that had expired contingency plan tests for some systems. In addition, systems in one operating division did not have evidence to support implementation of system backup and storage, the report says.
"Operating division management [should] ensure that all systems are implementing information system backup and storage as documented in HHS policies and procedures," OIG says. "Additionally, management should require that evidence is retained to document backup and storage procedures."
Despite the "not effective" rating, OIG says HHS is continuing to implement changes to strengthen the maturity of its enterprisewide cybersecurity program.
"Progress continues to be made to sustain cybersecurity maturity across all FISMA domains. HHS is aware of opportunities to strengthen the department's overall information security program, which would help ensure that all operating divisions are consistently implementing and in line with the requirements across their security programs," the report says.
Still, based on the audit findings, OIG made several recommendations to strengthen HHS' enterprisewide cybersecurity program. They are:
- Continue implementation of an automated CDM solution that provides a centralized, enterprisewide view of risks across all of HHS.
- Update the ISCM strategy to include a more specific road map, including target dates for ISCM deployment across the HHS enterprise.
- Perform an enterprise risk assessment over known control weaknesses - including authority to operate, incomplete operating divisions provided system inventories, and lack of operating division adherence to HHS information security policies due to their federated environment. Then, document an appropriate risk response.
- Develop a process to monitor information system contingency plans to ensure they are developed, maintained and integrated with other continuity requirements by information systems.
OIG says that after it issued its draft report to HHS, OIG consolidated three of its enterprisewide recommendations into one recommendation for HHS to conduct an enterprisewide risk assessment over the known control weaknesses spotlighted in its final report.
HHS concurred with all of the OIG recommendations and described actions it has taken or plans to take to address them, the report says.
HHS did not immediately respond to Information Security Media Group's request for comment on the OIG report.
Jon Moore, chief risk officer at privacy and security consultancy Clearwater, says he thinks the OIG report "understates" the challenge associated with a federated information security governance model under which HHS operates.
"The auditors point to the challenge of the shared security model of HHS, operating divisions and contractors, but it is even more complex than that as there are different organizations and system owners within the operating divisions that are responsible for the security of systems and who are outside the direct chain of command of the CIO and CISO," he says.
"The report puts the responsibility for fixing security issues on the CIO or CISO, but they may have limited ability to direct remediation or hold anyone accountable for its completion."
Some experts note that the issues identified in HHS' information security program and compliance with FISMA are similar to challenges faced by the healthcare sector at large.
"Over the last couple of years, we have seen a decrease in investment in risk management, particularly by hospitals," he says, adding that it is likely due to a variety of factors, including the financial impact of COVID-19 shutdowns and specific changes in the requirements for cyber liability insurance coverage.
Contingency planning is also a common weakness seen in the healthcare industry, but that is changing quickly, in large part in response to concerns about ransomware and the ability to recover, according to Moore.
"The larger and more complex an organization is from an IT perspective, the more likely one is to find gaps such as those identified in the report."