The Government Accountability Office found that 11 federal agencies, including HHS, have yet to develop cybersecurity risk management strategies that include key elements from NIST guidance.
The Department of Health and Human Services needs to fully develop its cybersecurity risk management strategy to include key elements from NIST guidance, according to a Government Accountability Office report.
GAO audited the cybersecurity risk management programs of 23 federal agencies to determine whether they had established key elements of such a program, what challenges the agencies faced in developing and implementing it, and what steps the Office of Management and Budget and the Department of Homeland Security have taken to meet their own responsibilities for these programs and to address the challenges agencies face.
The watchdog reviewed agency policies and procedures, compared them to federal cybersecurity risk management practices, and interviewed responsible agency officials. At HHS, the chief information officer serves as the risk executive responsible for the risk management framework tasks outlined by NIST.
According to the audit, there were several key gaps in HHS's risk management strategy. To start, HHS was one of 13 federal agencies whose policies did not address the need for an organization-wide assessment of cyber risks to be conducted and periodically updated as part of the strategy.
In fact, GAO found only half of the audited federal agencies have developed an agency-wide cybersecurity risk assessment process.
The HHS CIO told GAO that the department uses a wide range of dashboards, scorecards, and reports from various sources to monitor risk, but acknowledged that it had not developed an agency-wide cybersecurity risk assessment based on data aggregated from across the department.
However, HHS officials said they intend to improve risk visibility and reporting across the department as part of the rollout of a new security, governance, risk, and compliance tool. HHS added that it also anticipates better network visibility as its implementation of DHS's Continuous Diagnostics and Mitigation (CDM) program matures.
GAO also found that HHS and six other agencies, among them the Department of Energy and NASA, had not developed an agency-wide cybersecurity risk management strategy.
HHS acknowledged they had not developed the strategy, but said it was due to the “federated nature of the agency or difficulty in establishing an agency-wide understanding of risk tolerance, among other factors, such as working on the process for establishing risk thresholds/triggers (escalation, management/leadership involvement/trade-offs) as part of deploying a centralized, comprehensive risk management, reporting, and tracking tool.”
“The process includes establishing criteria and weights for risk scoring within the tool and defining risk tolerance as they gather more information,” HHS noted in the report.
HHS officials said they were considering or intending to develop such a strategy in the future. They also agreed that HHS policies lack the elements GAO identified from NIST guidance and said they would either consider updating or update those policies.
“Without ensuring that their policies include all key risk management activities, the agencies may not be taking the foundational steps needed to effectively identify and prioritize activities to mitigate cybersecurity risks that could result in the loss of sensitive data or compromise of agency systems,” GAO officials wrote.
Lastly, GAO found that HHS had not established an approach for coordinating cybersecurity risk management with enterprise risk management (ERM): it either lacked an ERM governance structure or did not provide evidence of a coordination process between that governance structure and the cybersecurity risk executive.
“Due to the federated nature of the agency and the broad spectrum of its missions and business functions, there is often a disconnect between security and operational personnel,” HHS’s Acting Deputy CISO told GAO.
“As an example… operating divisions that are research or academics focused will require increased information sharing and flexibility, but this often conflicts with cybersecurity concepts and processes,” they added.
The absence of a central NIST document or road map that ties its various publications together from a cybersecurity standpoint was also cited as a reason for the disjointed processes. HHS further noted that NIST guidance "provides limited direction for producing specific metrics and checklists in support of laws, policies, directives, instructions, and standards."
GAO nevertheless made four recommendations to HHS to strengthen its risk management processes. First, HHS should develop a cybersecurity risk management strategy that includes the key NIST elements. Second, it should update its policies to require an organization-wide cybersecurity risk assessment and to require that those assessments inform the tailoring of security controls.
HHS should also establish a process for conducting an organization-wide cybersecurity risk assessment and establish and document a process for coordination between cybersecurity risk management and enterprise risk management functions.
GAO said HHS concurred with three of the four recommendations: developing the risk management strategy, establishing the agency-wide risk assessment process, and documenting coordination with enterprise risk management. HHS told GAO it has plans to address those three.
HHS did not concur with the recommendation to update its policies, stressing that "while these policy statements require adherence to NIST and OMB standards for selecting security controls and require a rationale for tailoring decisions, they do not specifically require the use of risk assessments to inform the tailoring of security controls."
GAO countered their argument by reminding HHS that “as NIST states, organizations apply the tailoring process to align the controls more closely with the specific conditions within the organization and should use risk assessments to inform and guide the tailoring process for organizational information systems and environments of operation.”
“Making this requirement explicit in policy would help HHS ensure that it is applying the appropriate set of controls to its systems,” GAO officials wrote. “Thus, we maintain that our recommendation is still warranted.”
This is just the latest GAO report to criticize the security program at HHS, and it follows a damning Senate report that outlined years of inadequate security. A recent GAO audit ranked systems at the Centers for Medicare & Medicaid Services (CMS) as the third-most critical legacy system in the federal government.
Another GAO report found that CMS still uses knowledge-based verification on its systems, an identity-proofing method that NIST guidance no longer permits. In April, the watchdog revealed that HHS has 42 priority recommendations that have yet to be addressed. In response, Sen. Chuck Grassley, R-Iowa, sent a letter to the agency demanding answers as to why these issues remain unresolved.
Date: August 07, 2019