The Department of Health and Human Services has agreed to continue implementing continuous monitoring of its systems, after an Ernst & Young audit released April 25 found its information security program “not effective”.
HHS is working with the Department of Homeland Security to implement automated Continuous Diagnostics and Mitigation (CDM) tools that feed risk information to an RSA Archer solution for an enterprise-wide picture.
Ernst & Young (EY) found HHS’s information security program ineffective in September, following an analysis of Federal Information Security Modernization Act (FISMA) metrics, because its Information Security Continuous Monitoring (ISCM) strategy was only partially implemented — providing limited visibility into assets and awareness of vulnerabilities and threats.
“Four [operational divisions] have completed transition to Archer, with an additional eight OpDivs in progress for transition,” reads the HHS Office of the Chief Information Officer’s response. “The full deployment timeline is dependent on OpDiv and HHS funding resource availability.”
HHS is further working with the Cybersecurity and Infrastructure Security Agency‘s CDM program to implement the CDM Dashboard 2, based on Elastic’s data analysis solution, by the end of fiscal 2022 to collect asset, infrastructure, user and protection data from OpDivs.
While HHS established a monthly ISCM/CDM Working Group, its ISCM strategy for OpDivs lacks roadmaps, key performance indicators or benchmarks.
“Without a fully implemented CDM program, HHS may not be able to identify cybersecurity risks on an ongoing basis, use CDM information to prioritize the risks based on potential impacts, and then mitigate the most significant vulnerabilities first,” reads EY’s report.
As such, EY recommended OCIO update the ISCM strategy with target deployment dates.
EY audited the security programs of five of HHS’s 12 OpDivs, on behalf of its Office of Inspector General, and found the department sustained FISMA maturity and continues to strengthen enterprise cybersecurity.
Still EY recommended OCIO conduct an enterprise risk assessment of known weaknesses: authority to operate, incomplete system inventories across OpDivs, lack of adherence to information security policies, and documenting risk response.
EY further recommended OCIO develop a process to monitor information system contingency plans and commit to including pilot results of its risk assessment in a formal Cybersecurity Maturity Migration Strategy.
“Roles and shared responsibilities should be articulated and implemented to meet the requirements for effective maturity, including whether requirements are to be implemented using centralized federated, or hybrid controls,” reads the report.