Review of the Department of Health and Human Services' Compliance with the Federal Information Security Modernization Act of 2014 for Fiscal Year 2017

Overall, the Department has made improvements and continues to implement changes to strengthen its enterprise-wide information security program, including adhering to security training procedures and updating policies and procedures. Further, the Department continues to work towards implementing a Department-wide Continuous Diagnostics and Mitigation program, in coordination with the Department of Homeland Security.

While the Department continues to improve its information security program, we identified opportunities to strengthen the overall program, which should allow the Department to achieve a higher level of maturity for its information security program. We continued to identify weaknesses in the following areas: risk management, configuration management, identity and access management, security training, information security continuous monitoring, incident response, and contingency planning.

The Department should further strengthen its information security program. We made a series of recommendations to the Department to enhance information security controls, along with recommendations on specific controls for the operating divisions. The Department concurred with all of our recommendations and described actions it has taken and plans to take to implement them.

Filed under: General Departmental