HHS tightens FISMA compliance, but risks remain
- By Amanda Ziadeh
- Mar 09, 2016
While the Department of Health and Human Services has made progress in compliance with the Federal Information Security Modernization Act, an audit released by the HHS Office of Inspector General found that the department has ample opportunities to further improve its security program.
Auditors found the agency has not fully implemented a department-wide continuous monitoring program that shows how its operating divisions implement strategies and report on cybersecurity metrics, according to an article on FCW, a sister site to GCN.
The IG report also identified operating divisions that were using IT systems with expired authority-to-operate certificates and some that were failing to regularly implement account management procedures for shared accounts and for new, transferred or terminated personnel. Other areas of weakness included lack of incident response and reporting procedures, incomplete inventories of contractor systems, failure of remote access policies, incomplete contingency planning documentation and ineffective contractor oversight.
The report’s recommendations suggest further work on vulnerability management, software assurance, information management, license management, malware detection and network management.
Amanda Ziadeh is a former reporter/producer for GCN.