“The Department of Health and Human Services has agreed to continue implementing continuous monitoring of its systems, after an Ernst & Young audit released April 25 found its information security program ‘not effective’.”
“HHS is working with the Department of Homeland Security to implement automated Continuous Diagnostics and Mitigation (CDM) tools that feed risk information to an RSA Archer solution for an enterprise-wide picture.”
“Ernst & Young (EY) found HHS’s information security program ineffective in September, following an analysis of Federal Information Security Modernization Act (FISMA) metrics, because its Information Security Continuous Monitoring (ISCM) strategy was only partially implemented — providing limited visibility into assets and awareness of vulnerabilities and threats.”
“‘Four [operational divisions] have completed transition to Archer, with an additional eight OpDivs in progress for transition,’ reads the HHS Office of the Chief Information Officer’s response. ‘The full deployment timeline is dependent on OpDiv and HHS funding resource availability.’”
“HHS is further working with the Cybersecurity and Infrastructure Security Agency’s CDM program to implement the CDM Dashboard 2, based on Elastic’s data analysis solution, by the end of fiscal 2022 to collect asset, infrastructure, user and protection data from OpDivs.”
“While HHS established a monthly ISCM/CDM Working Group, its ISCM strategy for OpDivs lacks roadmaps, key performance indicators or benchmarks…”
Source: HHS commits to continuous monitoring, after information security found ‘not effective’ – By Dave Nyczepir, May 6, 2022. FedScoop.