Reporting of Security Incidents by HHS Contracted Service Providers

Announced on  | Last Modified on  | Project Number: A-18-22-06100

OBJECTIVE

Under the Federal Information Security Management Act (FISMA) and OMB Circular A-130, Federal agencies must ensure that external service providers that process, store, or transmit Federal information, or that operate information systems on behalf of the Federal Government, meet the same security requirements as the agencies themselves. Those requirements include policies and procedures for detecting and reporting security incidents. We will audit selected HHS divisions to determine whether HHS has effective controls to ensure that its service providers identify and report cybersecurity incidents in a timely manner.

TIMELINE

REPORT PUBLISHED

25-A-18-122.01 to OS - Open Unimplemented
Update expected on 03/21/2026
We recommend that the Department of Health and Human Services Office of the Chief Information Officer require Operating Divisions (OpDivs) to modify any information and communications technology (ICT) service contracts that lack the required security language, including the language specified in the HHS Policy for Information Technology Procurements – Security and Privacy Language.

25-A-18-122.02 to OS - Open Unimplemented
Update expected on 03/21/2026
We recommend that the Department of Health and Human Services Office of the Chief Information Officer implement a verification step in the procurement process to confirm, before award, that every ICT service contract includes the required security language on incident reporting.
