OMB Finds the HHS Information Security Program as Ineffective

The Office of Management and Budget (OMB) submitted its annual audit report to Congress concerning the cybersecurity status of federal agencies, as ordered by the Federal Information Security Modernization Act of 2014 (FISMA).

OMB examined 4 out of 12 Department of Health and Human Services (HHS) operating departments to find out if they are compliant with FISMA. OMB determined that the security system of HHS is ineffective. It lacks a Managed and Measurable degree of maturity when it comes to five functional areas — Identify, Protect, Detect, Respond and Recover.

The HHS resolved to deal with the risks in the ‘Detect’ functional area but remain insecure in the other four.

The HHS is striving to strengthen its security posture. Though there’s been an improvement, there is still much to work on. OMB found weak spots in a number of areas, including in identity and access management, contingency planning, risk control, and breach response.

OMB commented that because the HHS is operating in a federated setup, it faces a lot of difficulties in achieving a ‘Managed and Measurable’ level of maturity in all operating departments.

Although there are weak points in a few areas, OMB is certain that HHS is aware of the opportunities to strengthen its security system and ensure that recommended security policies and procedures are implemented in all operating divisions.

The HHS is moreover working together with the Department of Homeland Security and is applying a Department-wide Continuous Diagnostics and Mitigation (CDM) plan to regularly keep track of its networks and systems and report the progress of managing and using the security strategies to DHS.

OMB stated that to be able to achieve a Managed and Measurable degree of maturity, the HHS ought to make certain that its CDM program is entirely enforced. This is going to be a big challenge for the HHS. In addition, HHS should continue building a working model in which all the functional areas have a real connection to one another and provide whole and coordinated responses to security occurrences. This will support all aspects of its data security system to make certain that HHS could accomplish its mission through a reliable and synchronized facts security system.

About Christine Garcia 1304 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at