GAO Audit Finds HHS Information Security Program “Not Effective”
Health IT Security
Jessica Davis
An evaluation of the Department of Health and Human Services against the principles of the Federal Information Security Modernization Act of 2014 (FISMA) found the agency’s information security program “not effective” due to several maturity deficiencies, according to the Government Accountability Office.
Under FISMA, Inspectors General are required to perform an annual, independent review of agency information security programs and practices to determine their overall effectiveness. For the HHS audit, Ernst & Young reviewed HHS compliance as of September 30, 2020 against the FISMA reporting metrics.
The auditors reviewed the program against applicable federal laws, regulations, and guidance to gain an understanding of the HHS security program, as well as five of its operating divisions. The team also assessed standards and guidance issued by HHS management and prescribed performance standards. Interviews were also conducted with personnel.
The goal was to determine...