The Department of Health and Human Services needs to fully develop its cybersecurity risk management strategy to include key elements from NIST guidance, according to a Government Accountability Office report.
GAO audited the cybersecurity risk management programs of 23 federal agencies to determine whether key elements had been established, what challenges these agencies faced in developing and implementing their programs, and what steps the Office of Management and Budget and Homeland Security have taken to meet their responsibilities around these programs and the challenges agencies face.
The watchdog reviewed the agencies' policies and procedures, compared them to federal cybersecurity risk management practices, and interviewed responsible agency officials. For HHS, the chief information officer is tasked as risk executive, responsible for the risk management framework tasks outlined by NIST.
According to the audit, there were several key issues in HHS's risk management strategy. To start, HHS was one of 13 other federal agencies that did not address the need for an…