This is the accessible text file for GAO report number GAO-06-267 
entitled 'Information Security: Department of Health and Human Services 
Needs to Fully Implement Its Program' which was released on March 23, 
2006. 

This text file was formatted by the U.S. Government Accountability 
Office (GAO) to be accessible to users with visual impairments, as part 
of a longer term project to improve GAO products' accessibility. Every 
attempt has been made to maintain the structural and data integrity of 
the original printed product. Accessibility features, such as text 
descriptions of tables, consecutively numbered footnotes placed at the 
end of the file, and the text of agency comment letters, are provided 
but may not exactly duplicate the presentation or format of the printed 
version. The portable document format (PDF) file is an exact electronic 
replica of the printed version. We welcome your feedback. Please E-mail 
your comments regarding the contents or accessibility features of this 
document to Webmaster@gao.gov. 

This is a work of the U.S. government and is not subject to copyright 
protection in the United States. It may be reproduced and distributed 
in its entirety without further permission from GAO. Because this work 
may contain copyrighted images or other material, permission from the 
copyright holder may be necessary if you wish to reproduce this 
material separately. 

Report to the Chairman, Committee on Finance, U.S. Senate: 

February 2006: 

Information Security: 

Department of Health and Human Services Needs to Fully Implement Its 
Program: 

GAO-06-267: 

GAO Highlights: 

Highlights of GAO-06-267, a report to the Chairman, Committee on 
Finance, U.S. Senate: 

Why GAO Did This Study: 

The Department of Health and Human Services (HHS) is the nation’s 
largest health insurer and the largest grant-making agency in the 
federal government. HHS programs impact all Americans, whether through 
direct services, scientific advances, or information that helps them 
choose medical care, medicine, or even food. For example, the Centers 
for Medicare & Medicaid Services (CMS), a major operating division 
within HHS, is responsible for the Medicare and Medicaid programs that 
provide care to about one in every four Americans. In carrying out 
their responsibilities, both HHS and CMS rely extensively on networked 
information systems containing sensitive medical and financial 
information. 

GAO was asked to assess the effectiveness of HHS’s information security 
program, with emphasis on CMS, in protecting the confidentiality, 
integrity, and availability of its information and information systems. 

What GAO Found: 

HHS and CMS have significant weaknesses in controls designed to protect 
the confidentiality, integrity, and availability of their sensitive 
information and information systems. HHS computer networks and systems 
have numerous electronic access control vulnerabilities related to 
network management, user accounts and passwords, user rights and file 
permissions, and auditing and monitoring of security-related events. In 
addition, weaknesses exist in other types of controls designed to 
physically secure computer resources, conduct suitable background 
investigations, segregate duties appropriately, and prevent 
unauthorized changes to application software. All of these weaknesses 
increase the risk that unauthorized individuals can gain access to HHS 
information systems and inadvertently or deliberately disclose, modify, 
or destroy the sensitive data that the department relies on to deliver 
its vital services. 

A key reason for these control weaknesses is that the department has 
not yet fully implemented a departmentwide information security 
program. While HHS has laid the foundation for such a program by 
developing and documenting policies and procedures, the department has 
not yet fully implemented key elements of its information security 
program at all of its operating divisions. Specifically, HHS and its 
operating divisions have not fully implemented elements related to (1) 
risk assessments, (2) policies and procedures, (3) security plans, (4) 
security awareness and training, (5) tests and evaluations of control 
effectiveness, (6) remedial actions, (7) incident handling, and (8) 
continuity of operations plans. Until HHS fully implements a 
comprehensive information security program, security controls may 
remain inadequate; responsibilities may be unclear, misunderstood, and 
improperly implemented; and controls may be inconsistently applied. 
Such conditions may lead to insufficient protection of sensitive or 
critical resources and disproportionately high expenditures for 
controls over low-risk resources. 

What GAO Recommends: 

GAO recommends that the Secretary of HHS direct the Chief Information 
Officer to take steps to fully implement key elements of the 
department’s information security program at all operating divisions. 
In commenting on a draft of this report, HHS supported GAO’s emphasis 
on improvements to its security program, but did not believe the report 
sufficiently reflected progress made. 

www.gao.gov/cgi-bin/getrpt?GAO-06-267. 

To view the full product, including the scope and methodology, click on 
the link above. For more information, contact Gregory C. Wilshusen at 
(202) 512-6244 or Wilshuseng@gao.gov. 

[End of section] 

Contents: 

Letter: 

Results in Brief: 

Background: 

Weak Controls and Incomplete Implementation Compromise Effectiveness of 
HHS's Information Security Program: 

Conclusions: 

Recommendations for Executive Action: 

Agency Comments and Our Evaluation: 

Appendixes: 

Appendix I: Objective, Scope, and Methodology: 

Appendix II: Comments from the Department of Health and Human Services: 

Appendix III: HHS Operating Divisions: 

Appendix IV: GAO Contact and Staff Acknowledgments: 

Table: 

Table 1: Reported Incidents among HHS Operating Divisions: 

Figure: 

Figure 1: HHS Fiscal Year 2005 Budget: 

Abbreviations: 

CMS: Centers for Medicare & Medicaid Services: 

FISMA: Federal Information Security Management Act: 

HHS: Department of Health and Human Services: 

NIST: National Institute of Standards and Technology: 

OIG: Office of the Inspector General: 

OMB: Office of Management and Budget: 

Letter February 24, 2006: 

The Honorable Charles E. Grassley: 
Chairman: 
Committee on Finance: 
United States Senate: 

Dear Mr. Chairman: 

The Department of Health and Human Services (HHS) is the nation's 
largest health insurer and the largest grant-making agency in the 
federal government. The department protects and promotes the health and 
well-being of all Americans and provides world leadership in biomedical 
and public health sciences. The programs of the department impact all 
Americans, whether through direct services, scientific advances, or 
information that helps them choose medical care, medicine, or even 
food. For example, the Centers for Medicare & Medicaid Services (CMS), 
a major operating division within HHS responsible for the Medicare and 
Medicaid programs, oversees the nation's largest health insurance 
programs, which provide care to about one in every four Americans. 

HHS relies on automated information systems and interconnected networks 
to process and pay medical claims; conduct medical research; manage its 
wide spectrum of health, disease prevention, and food and safety 
programs; and support its departmentwide financial and management 
functions. Effective information security controls are essential for 
ensuring that information technology resources are adequately protected 
from inadvertent or deliberate misuse, fraudulent use, or destruction. 
Interruptions in HHS's financial and information management systems 
could have a significant adverse effect on the health, welfare, and 
mental well-being of millions of American citizens who depend on its 
services. 

At your request, we assessed the effectiveness of the HHS information 
security program, particularly at CMS, in protecting the 
confidentiality, integrity, and availability of its information and 
information systems. To accomplish this objective, we evaluated the 
effectiveness of HHS's information security controls, and whether HHS 
had developed, documented, and implemented a departmentwide information 
security program consistent with federal laws and policies. To 
supplement our work, we analyzed 74 information security-related 
reports issued during 2004 and 2005 by HHS, its Office of the Inspector 
General (OIG), and independent auditors. This review was performed from 
June through December 2005 in accordance with generally accepted 
government auditing standards. For further information about our 
objective, scope, and methodology, refer to appendix I. 

Results in Brief: 

Significant weaknesses in information security controls at HHS and at 
CMS in particular put at risk the confidentiality, integrity, and 
availability of their sensitive information and information systems. 
HHS has not consistently implemented effective electronic access 
controls designed to prevent, limit, and detect unauthorized access to 
sensitive financial and medical information at its operating divisions 
and contractor-owned facilities. Numerous electronic access control 
vulnerabilities related to network management, user accounts and 
passwords, user rights and file permissions, and auditing and 
monitoring of security-related events exist in its computer networks 
and systems. In addition, weaknesses exist in controls designed to 
physically secure computer resources, conduct suitable background 
investigations, segregate duties appropriately, and prevent 
unauthorized changes to application software. These weaknesses increase 
the risk that unauthorized individuals can gain access to HHS 
information systems and inadvertently or deliberately disclose, modify, 
or destroy the sensitive medical and financial data that the department 
relies on to deliver its vital services. 

A key reason for these weaknesses is that the department has not yet 
fully implemented its information security program. HHS has laid the 
foundation for an effective information security program by developing 
written policies and guiding procedures that designate responsibility 
for implementation throughout the department. However, it has not yet 
fully implemented key elements of the program. Specifically, its 
operating divisions have not fully implemented elements related to (1) 
risk assessments, (2) policies and procedures, (3) security plans, (4) 
security awareness and training, (5) tests and evaluations of control 
effectiveness, (6) remedial actions, (7) incident handling, and (8) 
continuity of operations plans. Without a fully implemented program, 
security controls may remain inadequate or inconsistently applied and 
responsibilities may be unclear, misunderstood, or improperly 
implemented. This may lead to insufficient protection of sensitive or 
critical resources, and disproportionately high expenditures on 
controls over low-risk resources. 

In reports by the HHS OIG and other independent auditors, specific 
recommendations were made to the department to remedy identified 
information security control weaknesses. In this report, we are 
recommending that the Secretary of Health and Human Services direct the 
HHS Chief Information Officer (CIO) to take steps to ensure full 
implementation of its information security program across all HHS 
operating divisions. 

In commenting on a draft of this report, HHS supported our emphasis on 
improvements needed in key information security program elements, but 
did not believe that the report sufficiently reflected the progress 
that the department has made in addressing information security. We 
acknowledge in the report that HHS has made progress in correcting its 
information security control weaknesses and has begun to implement the 
foundation for an effective information security program. HHS also 
provided specific technical comments, which we have incorporated, as 
appropriate, in the report. 

Background: 

HHS is the federal government's principal agency responsible for 
protecting the health of all Americans and providing essential human 
services, especially for those who are least able to help themselves. 
The department manages more than 300 programs covering a wide spectrum 
of activities that include health and social science research, disease 
prevention, food and drug safety, health information technology, health 
insurance for elderly and disabled Americans (Medicare), health 
insurance for low-income people (Medicaid), and comprehensive health 
services for Native Americans. Other services provided by the 
department include financial assistance to low-income families, pre-school 
education programs such as Head Start, child abuse and domestic 
violence programs, substance abuse treatment and prevention programs, 
and programs to help older Americans, such as providing home-delivered 
meals. 

HHS has 14 operating divisions (see app. III for a description of each 
division) to manage its programs and administers more grant dollars 
than all other federal agencies combined. HHS employs about 67,000 
employees and is responsible for managing a fiscal year 2005 budget of 
approximately $581 billion. Each year HHS handles more than a billion 
health care claims, supports over 38,000 research projects focusing on 
diseases, provides funding to treat more than 650,000 persons with 
serious substance abuse or mental health problems, and serves more than 
900,000 pre-school children. 

The Centers for Medicare & Medicaid Services (CMS) is an HHS operating 
division responsible for administering two major health programs. It 
administers the Medicare program, the nation's largest health insurance 
program, which covers more than 42 million Americans. This program was 
enacted to extend affordable health insurance coverage to the elderly 
and was later expanded to cover the disabled. In partnership with the 
states, CMS also administers Medicaid, a means-tested health care 
program for low-income Americans. Medicaid is the primary source of 
health care for a large population of medically vulnerable Americans, 
including poor families, the disabled, and persons with developmental 
disabilities requiring long-term care. In coordination with the 
Medicaid program, the State Children's Health Insurance Program 
provides health care coverage for children. CMS employs about 4,900 
employees and has a fiscal year 2005 budget of approximately $480 
billion or 83 percent of the HHS budget, as shown in figure 1. 

Figure 1: HHS Fiscal Year 2005 Budget: 

[See PDF for image] 

[End of figure] 

HHS relies extensively on computerized systems to support its mission 
critical operations and store the sensitive information it collects. It 
uses these systems to support the department's financial and management 
functions, maintain sensitive employee personnel information, and 
process financial and medical data for millions of health care 
recipients. Its local and wide area networks interconnect these 
systems. In addition, HHS relies on contractor-owned systems to process 
departmental information and support its mission. For fiscal year 2005, 
HHS planned to spend nearly $5 billion on information technology--more 
than any other federal agency except the Department of Defense. A 
significant amount of these funds will be spent to facilitate the 
processing and payment of Medicare claims processed by CMS or its 
Medicare contractors. 

Information system controls are a critical consideration for any 
organization that depends on computerized systems and networks to carry 
out its mission or business. Without proper safeguards, there is risk 
that individuals and groups with malicious intent may intrude into 
inadequately protected systems and use this access to obtain sensitive 
information, commit fraud, disrupt operations, or launch attacks 
against other computer systems and networks. 

In December 2002, Congress enacted the Federal Information Security 
Management Act of 2002 (FISMA)[Footnote 1] to strengthen security of 
information and information systems within federal agencies. FISMA 
requires each agency to develop, document, and implement an agencywide 
information security program to provide information security for the 
information and systems that support the operations and assets of the 
agency, including those provided or managed by another agency, 
contractor, or other source. In addition, FISMA provides that the 
Secretary of HHS is responsible for, among other things, (1) providing 
information security protections commensurate with the risk and 
magnitude of the harm resulting from unauthorized access, use, 
disclosure, disruption, modification, or destruction of the agency's 
information systems and information; (2) ensuring that senior agency 
officials provide information security for the information and 
information systems that support the operations and assets under their 
control; and (3) delegating to the agency CIO the authority to ensure 
compliance with the requirements imposed on the agency under the act. 

HHS's CIO is responsible for developing, promoting, and coordinating 
the departmentwide information security program; developing, 
promulgating, and enforcing department information resource management 
policies, standards, and guidelines; and appointing the HHS chief 
information security officer. Each operating division, including CMS, 
is responsible for complying with the requirements of FISMA and 
departmentwide security-related policies, procedures, and standards; 
reporting on the effectiveness of its information security program; and 
ensuring that information systems operated by or on its behalf by 
contractors provide adequate risk-based security safeguards. 

Weak Controls and Incomplete Implementation Compromise Effectiveness of 
HHS's Information Security Program: 

HHS and CMS in particular have significant weaknesses in electronic 
access controls and other information system controls designed to 
protect the confidentiality, integrity, and availability of information 
and information systems. A key reason for these weaknesses is that the 
department has not yet fully implemented a departmentwide information 
security program. As a result, HHS's medical and financial information 
systems are vulnerable to unauthorized access, use, modification, and 
destruction that could disrupt the department's operations. 

Electronic Access Controls Are Inadequate: 

A basic management objective for any organization is to protect the 
resources that support its critical operations from unauthorized 
access. Organizations accomplish this objective by designing and 
implementing electronic controls that are intended to prevent, limit, 
and detect unauthorized access to computing resources, programs, and 
information. Inadequate electronic access controls diminish the 
reliability of computerized information and increase the risk of 
unauthorized disclosure, modification, and destruction of sensitive 
information and disruption of service. Electronic access controls 
include those related to network management, user accounts and 
passwords, user rights and file permissions, and auditing and 
monitoring of security-related events. Our analysis of reports issued 
by the OIG and independent auditors disclosed that HHS did not 
consistently implement effective electronic access controls in each of 
these areas. 

Network Management: 

Networks are collections of interconnected computer systems and devices 
that allow individuals to share resources such as computer programs and 
information. Because sensitive programs and information are stored on 
or transmitted along networks, effectively securing networks is 
essential to protecting computing resources and data from unauthorized 
access, manipulation, and use. Organizations secure their networks, in 
part, by installing and configuring network devices that permit 
authorized network service requests, deny unauthorized requests, and 
limit the services that are available on the network. Devices used to 
secure networks include (1) firewalls that prevent unauthorized access 
to the network, (2) routers that filter and forward data along the 
network, (3) switches that forward information among segments of a 
network, and (4) servers that host applications and data. Network 
services consist of protocols for transmitting data between network 
devices. 

Insecurely configured network services and devices, including those 
without current software patches, can make a system vulnerable to 
internal or external threats, such as denial-of-service 
attacks.[Footnote 2] Because networks often include both external and 
internal access points for electronic information assets, failure to 
adequately secure these access points increases the risk of 
unauthorized disclosure and modification of sensitive information or 
disruption of service. HHS policy requires that all incoming and 
outgoing connections from departmental systems and networks to the 
Internet, intranets,[Footnote 3] and extranets[Footnote 4] be made 
through a firewall and that effective technical controls be implemented 
to protect computing resources connected to the network. 

Our analysis found that HHS did not consistently configure network 
services and devices securely to prevent unauthorized access to and 
ensure the integrity of computer systems operating on its networks. The 
reports we reviewed identified weaknesses in the way that HHS operating 
divisions and contractors restricted network access, managed antivirus 
software, configured network devices, and protected information 
traversing the HHS networks. For example, 

* System administrative access was not always adequately restricted, 
and unnecessary services were available on several network devices, 
increasing the risk that unauthorized individuals could gain access to 
the operating system. 

* Antivirus software was not always installed or up-to-date on the 
operating divisions' and contractors' workstations, increasing the risk 
that viruses could infect HHS systems and potentially disable or 
disrupt system operations. 

* Key network devices were not securely configured to prevent 
unauthorized individuals from gaining access to sensitive system 
configuration files and router access control lists. These weaknesses 
could allow an external attacker to circumvent network controls and 
thereby gain unauthorized access to the internal network. 

* HHS did not encrypt certain information traversing its networks. 
Instead, it used clear text protocols that make network traffic 
susceptible to eavesdropping. 

* HHS's operating divisions and contractors did not consistently patch 
their computer systems and network devices in a timely manner. For 
example, the OIG reported that approximately 25 percent (287 of 1,129) 
of the systems tested at one operating division did not have up-to-date 
patches installed on them. Thirty of the machines tested were missing 
nine or more software patches that had been rated as critical by the 
vendor. At another operating division, over 90 high-risk software patch 
management vulnerabilities were outstanding from June 1999 through 
April 2005. Failure to keep system patches up-to-date could lead to 
denial-of-service attacks or to individuals gaining unauthorized access 
to network resources. According to the HHS chief information security 
officer, a patch management subcommittee was formed to address this 
issue and has formulated and published an approach to the department's 
patch management problems. 

User Accounts and Passwords: 

A computer system must be able to identify and differentiate among 
users so that activities on the system can be linked to specific 
individuals. When an organization assigns unique user accounts to 
specific users, the system is able to distinguish one user from 
another--a process called identification. The system must also 
establish the validity of a user's claimed identity by requesting some 
kind of information, such as a password, that is known only by the 
user--a process known as authentication. The combination of 
identification and authentication--such as user account and password 
combinations--provides the basis for establishing individual 
accountability and for controlling access to the system. Accordingly, 
agencies (1) establish password parameters, such as number of 
characters, type of characters, and the frequency with which users 
should change their passwords, in order to strengthen the effectiveness 
of passwords for authenticating the identity of users; (2) require 
encryption for passwords to prevent their disclosure to unauthorized 
individuals; and (3) implement procedures to control the use of user 
accounts. HHS policy requires that all operating divisions implement 
and enforce logical password controls for all departmental systems and 
networks. 

Our analysis of reported weaknesses showed that HHS did not adequately 
control user accounts and passwords to ensure that only authorized 
individuals were granted access to its systems. For example, the 
department and its contractors did not always implement strong 
passwords--using vendor-default or easy-to-guess passwords. 
Additionally, 

* One CMS Medicare contractor set passwords to never expire for 28 
service accounts with powerful administrative privileges. As a result, 
an unauthorized individual could use a compromised user identification 
and password for an indefinite period to gain unauthorized access to 
server resources. 

* Firewall administrators for another CMS Medicare contractor used a 
shared administrative account. As a result, the actions taken by these 
individuals cannot be traced back to the responsible individual. 

* The minimum password length on one operating division's local area 
network was set to zero. Consequently, users could create short 
passwords. Short passwords tend to be easier to guess or crack than 
longer passwords. In addition, passwords on this local area network 
were not required to be changed at initial logon. 

Such weaknesses increase the risk that passwords may be disclosed to 
unauthorized users and used to gain access to the system. They also 
diminish the effectiveness of these controls for attributing system 
activity to individuals. As a result, HHS may not be able to hold these 
users individually accountable for system activity. 
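The conditions listed above (a minimum password length of zero, passwords that never expire on privileged service accounts, and initial passwords that users are not forced to change) can each be checked mechanically on a Unix-style host. The following is an added example, not code from the GAO report or from HHS; the /etc/login.defs fragment and /etc/shadow records it reads are constructed, the length and age thresholds are assumptions, and the list of newly provisioned accounts is assumed to come from a provisioning system, since the shadow file alone cannot distinguish a new account from an old one.

```python
# Added example (not from the GAO report or from HHS): audits Linux-style
# password policy for the weaknesses the report describes. All sample data
# below is constructed for illustration.

# Thresholds are assumptions; the report does not state HHS's own values.
MIN_LENGTH = 8          # shortest acceptable password
MAX_AGE_DAYS = 90       # longest acceptable password lifetime
NEVER_EXPIRES = 99999   # shadow(5) convention: a max-days of 99999 disables expiry

LOGIN_DEFS = """\
# constructed fragment of /etc/login.defs
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    0
PASS_WARN_AGE   7
"""

# Constructed /etc/shadow records; fields are
# name:hash:lastchange:min:max:warn:inactive:expire:reserved
SHADOW = """\
root:$6$salt$hash1:16000:0:99999:7:::
svc_backup:$6$salt$hash2:16000:0:99999:7:::
svc_batch:$6$salt$hash3:16000:0:99999:7:::
alice:$6$salt$hash4:16000:0:90:7:::
newhire:$6$salt$hash5:16000:0:90:7:::
oldsvc:!:16000:0:99999:7:::
"""

# Assumed to come from the provisioning system: accounts created recently.
NEW_ACCOUNTS = {"newhire"}


def parse_login_defs(text):
    """Return KEY -> value for the non-comment lines of a login.defs file."""
    defs = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        parts = line.split(None, 1)
        if len(parts) == 2:
            defs[parts[0]] = parts[1].strip()
    return defs


def audit_login_defs(text=LOGIN_DEFS):
    """Flag system-wide defaults that weaken password controls."""
    defs = parse_login_defs(text)
    findings = []
    min_len = int(defs.get("PASS_MIN_LEN", "0"))
    if min_len < MIN_LENGTH:
        findings.append(("PASS_MIN_LEN", f"minimum length {min_len} < {MIN_LENGTH}"))
    max_days = int(defs.get("PASS_MAX_DAYS", str(NEVER_EXPIRES)))
    if max_days >= NEVER_EXPIRES:
        findings.append(("PASS_MAX_DAYS", "password expiry disabled by default"))
    elif max_days > MAX_AGE_DAYS:
        findings.append(("PASS_MAX_DAYS", f"maximum age {max_days} > {MAX_AGE_DAYS}"))
    return findings


def audit_shadow(text=SHADOW, new_accounts=NEW_ACCOUNTS):
    """Flag active accounts whose password never expires, and new accounts
    whose initial password is not forced to change at first logon."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        name, pw_hash, last_change, _min_days, max_days = line.split(":")[:5]
        if pw_hash == "" or pw_hash.startswith(("!", "*")):
            continue  # locked or disabled: no password logon possible
        if max_days == "" or int(max_days) >= NEVER_EXPIRES:
            findings.append((name, "password never expires"))
        # shadow(5): a last-change value of 0 forces a change at next logon
        if name in new_accounts and last_change != "0":
            findings.append((name, "initial password not forced to change at first logon"))
    return findings


if __name__ == "__main__":
    for subject, message in audit_login_defs() + audit_shadow():
        print(f"{subject}: {message}")
```

Run against real files, the two audit functions would take the contents of /etc/login.defs and /etc/shadow (the latter readable only by root); the locked-account test is what keeps disabled service accounts out of the "never expires" list, so that the report goes to accounts that can actually be used.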

User Rights and File Permissions: 

The concept of "least privilege" is a basic underlying principle for 
securing computer systems and data. It means that users are granted 
only those access privileges needed to perform their official duties. 
To restrict legitimate users' access to only those programs and files 
that they need to do their work, organizations establish access rights 
and permissions. "User rights" are allowable actions that can be 
assigned to users or to groups of users. File and directory permissions 
are rules that are associated with a particular file or directory and 
regulate which users can access them and the extent of that access. To 
avoid unintentionally giving users unnecessary access to sensitive 
files and directories, an organization must give careful consideration 
to its assignment of rights and permissions. HHS policy requires that 
access privileges be granted to users at the minimum level required to 
perform their job-related duties. 

Our analysis of OIG reports showed that HHS granted access rights and 
permissions that gave some users more access to departmental 
information and medical systems than they needed to perform their jobs. 
For example, the following vulnerabilities were identified: 

* All users could access world-readable startup scripts and files on 
several Medicare contractor systems. A malicious user could use this 
information to increase their system privileges. 

* Members of the "Everyone" group were granted access to sensitive 
Windows directories, files, and registry settings, even though some did 
not have a legitimate business need for this access. 

* Twenty-two groups or users without a legitimate need could access and 
update mainframe production data at one CMS Medicare contractor 
facility. 

* Six of 15 employees reviewed at one operating division retained 
access privileges to the local area network after their separation from 
the department. 

Inappropriate access to sensitive files and directories provides 
opportunities for individuals to circumvent security controls to 
deliberately or inadvertently read, modify, or delete critical or 
sensitive information and computer programs. 
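A permissions review of the kind that would have surfaced the world-readable startup scripts cited above can be scripted. The following is an added example, not code from the GAO report or from HHS: it builds a small constructed tree of startup-script files in a temporary directory, with deliberately mixed permission bits, and reports every entry that any user on the system can read or write. The directory layout and file names are constructed for illustration.

```python
# Added example (not from the GAO report or from HHS): reports files and
# directories under startup-script locations that are readable or writable
# by every user. The sample tree is constructed in a temporary directory.
import os
import stat
import tempfile


def permission_issues(path):
    """Return issue codes for one filesystem entry, judged from its mode bits."""
    mode = os.lstat(path).st_mode
    issues = []
    if stat.S_ISLNK(mode):
        return issues  # a symlink's own bits are not meaningful; its target is scanned separately
    is_dir = stat.S_ISDIR(mode)
    # A world-writable directory is acceptable only with the sticky bit (like /tmp).
    if mode & stat.S_IWOTH and not (is_dir and mode & stat.S_ISVTX):
        issues.append("world-writable")   # anyone can change what runs at startup
    if mode & stat.S_IROTH and not is_dir:
        issues.append("world-readable")   # script contents (paths, hosts, secrets) exposed
    if mode & (stat.S_ISUID | stat.S_ISGID) and not is_dir:
        issues.append("setuid/setgid")    # runs under another identity; review separately
    return issues


def scan_startup_dirs(roots):
    """Walk each root and return sorted (path relative to root, issue) pairs."""
    findings = []
    for root in roots:
        for dirpath, dirnames, filenames in os.walk(root):
            for name in dirnames + filenames:
                full = os.path.join(dirpath, name)
                for issue in permission_issues(full):
                    findings.append((os.path.relpath(full, root), issue))
    return sorted(findings)


def build_sample_tree(base):
    """Construct an init.d-style tree with deliberately mixed permissions."""
    initd = os.path.join(base, "init.d")
    os.makedirs(initd)
    os.chmod(initd, 0o755)
    samples = {
        "backup.sh": 0o700,   # owner only: no finding expected
        "batch.sh": 0o644,    # world-readable
        "monitor.sh": 0o666,  # world-readable and world-writable
    }
    for name, mode in samples.items():
        path = os.path.join(initd, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n# constructed sample startup script\n")
        os.chmod(path, mode)
    drop = os.path.join(base, "scripts.d")
    os.makedirs(drop)
    os.chmod(drop, 0o777)  # world-writable directory without the sticky bit
    return base


def demo():
    """Build the constructed tree in a temporary directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return scan_startup_dirs([tmp])


if __name__ == "__main__":
    for rel_path, issue in demo():
        print(f"{issue:15} {rel_path}")
```

On a real host the roots passed to scan_startup_dirs would be the system's own startup locations (for example /etc/init.d or /etc/rc.d), and world-writable findings deserve attention first, since a writable startup script is a direct path to running code under another identity.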

Auditing and Monitoring of Security-Related Events: 

To establish individual accountability, monitor compliance with 
security policies, and investigate security violations, it is crucial 
to determine what, when, and by whom specific actions have been taken 
on a system. Organizations accomplish this by implementing system or 
security software that provides an audit trail that they can use to 
determine the source of a transaction or attempted transaction and to 
monitor users' activities. The way in which organizations configure 
system or security software determines the nature and extent of 
information that can be provided by the audit trail. To be effective, 
organizations should configure their software to collect and maintain 
audit trails that are sufficient to track security-related events. HHS 
policy requires that audit logging be enabled for all departmental 
systems and networks so that security-related events--the manipulation, 
modification, or deletion of data--can be monitored and analyzed for 
unauthorized activity. 

HHS has not consistently audited and monitored security-related system 
activity on its systems. For example, the OIG reported that logging 
on some UNIX systems was either disabled or configured to overwrite 
these events, firewall and router logs were not routinely monitored, 
and procedures for classifying and investigating security-related 
events had not been documented at several HHS operating divisions and 
CMS Medicare contractors. As a result, if a system was modified or 
disrupted, the department's ability to trace or recreate events could 
be diminished. In addition, these weaknesses could allow unauthorized 
access to go undetected. 
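Two of the conditions described above, logging that stops or is overwritten and security-related events that nobody reviews, can both be detected by routine analysis of the audit trail. The following is an added example, not code from the GAO report or from HHS: it parses a constructed sshd-style authentication log, reports any period of silence long enough to suggest that logging was disabled, and reports sources with repeated failed logons followed by a success. The log lines, host name, addresses, and thresholds are all constructed assumptions.

```python
# Added example (not from the GAO report or from HHS): reviews a constructed
# authentication audit trail for logging gaps and for repeated-failure logon
# patterns that routine monitoring should surface.
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Constructed syslog-style lines; not taken from any real system.
AUTH_LOG = """\
2005-11-01T08:00:05 host1 sshd[411]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
2005-11-01T08:07:41 host1 sshd[418]: Failed password for root from 192.0.2.77 port 40001 ssh2
2005-11-01T08:07:43 host1 sshd[418]: Failed password for root from 192.0.2.77 port 40001 ssh2
2005-11-01T08:07:45 host1 sshd[418]: Failed password for root from 192.0.2.77 port 40001 ssh2
2005-11-01T08:07:47 host1 sshd[419]: Failed password for admin from 192.0.2.77 port 40002 ssh2
2005-11-01T08:07:49 host1 sshd[419]: Failed password for admin from 192.0.2.77 port 40002 ssh2
2005-11-01T08:07:52 host1 sshd[420]: Accepted password for admin from 192.0.2.77 port 40003 ssh2
2005-11-01T08:30:00 host1 sshd[430]: Accepted password for bob from 10.0.0.9 port 50130 ssh2
2005-11-02T14:15:10 host1 sshd[512]: Accepted password for alice from 10.0.0.5 port 50140 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<src>\S+)")

# Thresholds are assumptions chosen for the sample data.
FAILURE_THRESHOLD = 4              # failures from one source before it is reported
MAX_SILENCE = timedelta(hours=24)  # longest gap before logging is suspected to have stopped


def parse_log(text=AUTH_LOG):
    """Turn matching log lines into event dicts; other lines are not auth events."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append({
                "ts": datetime.fromisoformat(m["ts"]),
                "result": m["result"], "user": m["user"], "src": m["src"],
            })
    return events


def find_logging_gaps(events, max_silence=MAX_SILENCE):
    """Return (start, end) pairs between consecutive events further apart than max_silence."""
    gaps = []
    for prev, cur in zip(events, events[1:]):
        if cur["ts"] - prev["ts"] > max_silence:
            gaps.append((prev["ts"], cur["ts"]))
    return gaps


def find_suspicious_logins(events, threshold=FAILURE_THRESHOLD):
    """Report sources reaching the failure threshold, and any success from a
    source that had failed earlier in the same trail."""
    failures = defaultdict(int)
    findings = []
    for e in events:
        if e["result"] == "Failed":
            failures[e["src"]] += 1
            if failures[e["src"]] == threshold:
                findings.append((e["src"], "repeated failures"))
        elif failures[e["src"]] > 0:
            findings.append((e["src"], f"success for {e['user']} after {failures[e['src']]} failures"))
    return findings


if __name__ == "__main__":
    evts = parse_log()
    for start, end in find_logging_gaps(evts):
        print(f"no events recorded between {start} and {end}")
    for src, message in find_suspicious_logins(evts):
        print(f"{src}: {message}")
```

The gap check is deliberately crude (it only looks at the spacing of whatever events survived), which is exactly why it is useful when a log has been overwritten or disabled: a silent day in an authentication log for a busy system is itself a finding to investigate, regardless of what the remaining entries say.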

In response to weaknesses identified in electronic access controls, the 
HHS chief information security officer indicated that significant 
progress has been made in correcting these weaknesses and that 
preliminary results of fiscal year 2005 audits, by independent 
auditors, show a reduction in the number of weaknesses. In addition, 
the independent auditor of HHS's financial statements for fiscal year 
2005 reported that HHS had made significant progress in strengthening 
system controls, although it continued to identify general controls 
issues that represent significant deficiencies in the design and 
operation of electronic access controls. 

Other Information System Controls Are Ineffective: 

In addition to electronic access controls, other important controls 
should be in place to ensure the confidentiality, integrity, and 
availability of an organization's information and systems. These 
controls include policies, procedures, and techniques to physically 
secure computer resources, conduct appropriate background 
investigations, provide sufficient segregation of duties, and prevent 
unauthorized changes to application software. Our analysis of reports 
issued by the OIG and independent auditors disclosed significant 
weaknesses in each of these areas. These weaknesses increase the risk 
that unauthorized individuals can gain access to HHS information 
systems and inadvertently or deliberately disclose, modify, or destroy 
the sensitive medical and financial data that the department relies on 
to deliver its vital services. 

Physical Security: 

Physical security controls are important for protecting computer 
facilities and resources from espionage, sabotage, damage, and theft. 
These controls restrict physical access to computer resources, usually 
by limiting access to the buildings and rooms in which the resources 
are housed and by periodically reviewing the access granted, in order 
to ensure that access continues to be appropriate. HHS policy requires 
that physical access to rooms, work areas and spaces, and facilities 
containing departmental systems, networks, and data be limited to 
authorized personnel; controls be in place for deterring, detecting, 
monitoring, restricting, and regulating access to sensitive areas at 
all times; and controls be commensurate with the level of risk and 
sufficient to safeguard these resources against possible loss, theft, 
destruction, accidental damage, hazardous conditions, fire, malicious 
actions, and natural disasters. 

Our analysis showed that HHS did not effectively implement physical 
controls as the following examples illustrate: 

* One CMS Medicare contractor used a privately owned vehicle and an 
unlocked container to transport approximately 25,000 Medicare check 
payments over a 1-year period. 

* Four hundred forty individuals were granted unrestricted access to an 
entire data center, including a sensitive area within the data center, 
although their job functions did not require them to have such 
access. 

* Surveillance cameras used for monitoring a facility were not 
functioning, leading to blind spots in the data center's perimeter 
security. 

* Three individuals with access to an operating division's data center 
did not have management approval for such access. 

These weaknesses in physical security increase the risk that 
unauthorized individuals could gain access to sensitive computing 
resources and data and inadvertently or deliberately misuse or destroy 
them. 

Background Investigations: 

According to Office of Management and Budget (OMB) Circular A-130,[Footnote 5] 
it has long been recognized that the greatest harm to 
computing resources has been done by authorized individuals engaged in 
improper activities--whether intentionally or accidentally. Personnel 
security controls (such as screening individuals in positions of trust) 
are particularly important where the risk and magnitude of potential 
harm is high. The National Institute of Standards and Technology (NIST) 
guidelines suggest that agencies determine the sensitivity of 
particular positions, based on such factors as the type and degree of 
harm that the individual could cause by misusing the computer system 
and on more traditional factors, such as access to classified 
information and fiduciary responsibilities. Background investigations 
help an organization to determine whether a particular individual is 
suitable for a given position by attempting to ascertain the person's 
trustworthiness and appropriateness for the position. The exact type of 
screening that takes place depends on the sensitivity of the position 
and any applicable regulations by which the agency is bound. 

HHS policy requires that all information security employees and 
contractor personnel be designated with position-sensitivity levels 
that are commensurate with the responsibilities and risks associated 
with their position. In addition, it requires suitability background 
investigations to be completed and favorably adjudicated for all 
personnel assigned to these positions prior to allowing them access to 
sensitive HHS systems and networks. 

Our analysis of prior reports showed that background investigations 
were not always performed. For example, 13 CMS Medicare contractors had 
weaknesses in their background investigation policies and procedures. 
Six of the contractors reviewed were not adhering to established 
policies, while the remaining seven were not performing background 
investigations in a consistent manner. In addition, one operating 
division was unable to provide the background investigation status for 
any of the 49 contractor personnel working at its data center or for 
any of the 28 contractor personnel supporting one of its general 
support systems. Additionally, background investigations at three 
operating divisions were considered inadequate because they were not 
performed at the appropriate sensitivity level. Granting people access 
to sensitive data without appropriate background investigations 
increases the risk that unsuitable individuals could gain access to 
sensitive information, use it inappropriately, or destroy it. 

Segregation of Duties: 

Segregation of duties refers to the policies, procedures, and 
organizational structure that help ensure that no single individual can 
independently control all key aspects of a process or computer-related 
operation and thereby gain unauthorized access to assets or records. 
Often segregation of duties is achieved by dividing responsibilities 
among two or more individuals or organizational groups. This diminishes 
the likelihood that errors and wrongful acts will go undetected, 
because the activities of one individual or group will serve as a check 
on the activities of the other. Inadequate segregation of duties 
increases the risk that erroneous or fraudulent transactions could be 
processed, improper program changes could be implemented, and computer 
resources could be damaged or destroyed. HHS policy requires operating 
divisions to ensure that responsibilities with a security impact be 
shared among multiple staff by enforcing the concept of separation of 
duties, which requires that individuals do not have control of the 
entirety of a critical process. 

Our analysis of OIG reports showed that HHS did not always sufficiently 
segregate computer functions. For example, some software developers had 
full access to both development and production software libraries. To 
illustrate, UNIX developers at one facility used a shared user account 
to promote development changes into the production environment. In 
another instance, two individuals with full access to development 
source code also had update capabilities to production libraries. 
Consequently, increased risk exists that these individuals could 
introduce software errors into production or perform unauthorized 
system activities without being detected. 
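The finding above (developers with write access to both development and production libraries, and a shared account used to promote changes) is the kind of toxic combination an entitlement review can detect mechanically. The following is an added example, not code from the GAO report or from HHS; the entitlement records and account names are constructed for illustration.

```python
"""Segregation-of-duties check over an entitlement export (constructed example)."""
from collections import defaultdict

# Constructed entitlement export: (account, person, library, permission).
# An account mapped to more than one person is a shared account.
ENTITLEMENTS = [
    ("alice",  "Alice", "dev_src",  "write"),
    ("alice",  "Alice", "prod_lib", "update"),   # toxic: dev write + prod update
    ("bob",    "Bob",   "dev_src",  "write"),
    ("bob",    "Bob",   "prod_lib", "read"),     # read-only on production: acceptable
    ("relmgr", "Carol", "prod_lib", "update"),   # release manager, no dev access
    ("unxdev", "Dave",  "prod_lib", "update"),   # shared UNIX account ...
    ("unxdev", "Erin",  "prod_lib", "update"),   # ... used by two people
    ("unxdev", "Dave",  "dev_src",  "write"),
]

DEV_CHANGE = {"write"}             # permissions that modify development source
PROD_CHANGE = {"update", "write"}  # permissions that modify production libraries


def _classify(entitlements):
    """Return (accounts with dev change rights, accounts with prod change rights, account->people)."""
    dev, prod, people = set(), set(), defaultdict(set)
    for account, person, library, perm in entitlements:
        people[account].add(person)
        if library.startswith("dev") and perm in DEV_CHANGE:
            dev.add(account)
        if library.startswith("prod") and perm in PROD_CHANGE:
            prod.add(account)
    return dev, prod, people


def toxic_combinations(entitlements):
    """Accounts that can both change development source and update production."""
    dev, prod, _ = _classify(entitlements)
    return sorted(dev & prod)


def shared_prod_accounts(entitlements):
    """Accounts with production change rights that are used by more than one person,
    so that production changes cannot be attributed to an individual."""
    _, prod, people = _classify(entitlements)
    return sorted(a for a in prod if len(people[a]) > 1)


if __name__ == "__main__":
    print("dev+prod change rights:", toxic_combinations(ENTITLEMENTS))
    print("shared production accounts:", shared_prod_accounts(ENTITLEMENTS))
```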

Application Change Controls: 

It is important to ensure that only authorized and fully tested 
application programs are placed into operation. To ensure that changes 
to application programs are necessary, work as intended, and do not 
result in the loss of data or program integrity, such changes should be 
documented, authorized, tested, and independently reviewed. In 
addition, test procedures should be established to ensure that only 
authorized changes are made to the application's program code. HHS 
policy requires that operating divisions establish, implement, and 
enforce change management and configuration management controls on all 
departmental systems and networks that process, store, or communicate 
sensitive information. 

However, our analysis showed that HHS did not always document or 
control changes to application programs as the following examples 
demonstrate: 

* Authorization forms did not exist for each of the 21 application 
control changes reviewed at one Medicare contractor facility. In 
addition, change control procedures were out of date and did not 
reflect current process and practice. 

* Testing documentation at one operating division was not maintained 
for 4 of 15 change requests reviewed. 

Without adequately documented or controlled application change control 
procedures, changes may be implemented that are not authorized, tested, 
or approved. Further, the lack of adequate controls places HHS at 
greater risk that software supporting its missions will not produce 
reliable data or effectively meet its business needs. 

In response to weaknesses identified in other information security 
controls, the HHS chief information security officer indicated that 
significant progress has been made in correcting these weaknesses and 
that preliminary results of fiscal year 2005 audits, by independent 
auditors, show a reduction in the number of weaknesses. In addition, 
the independent auditor of HHS's financial statements for fiscal year 
2005 reported that HHS had made significant progress in strengthening 
system controls, although it continued to identify general controls 
issues that represent significant deficiencies in the design and 
operation of key controls such as physical access, system software, and 
application development and program change controls. 

Information Security Program Is Not Yet Fully Implemented: 

A key reason for the information security weaknesses identified at HHS 
was that the department had not yet fully implemented its information 
security program. A departmentwide security program provides a 
framework and continuing cycle of activity for managing risk, 
developing security policies, assigning responsibilities, and 
monitoring the adequacy of the entity's computer-related controls. 
Without such a program, security controls may be inadequate; 
responsibilities may be unclear, misunderstood, and improperly 
implemented; and controls may be inconsistently applied. Such 
conditions may lead to insufficient protection of sensitive or critical 
resources and disproportionately high expenditures for controls over 
low-risk resources. 

FISMA[Footnote 6] requires each agency to develop, document, and 
implement an information security program that includes the following 
key elements: 

* periodic assessments of the risk and the magnitude of harm that could 
result from the unauthorized access, use, disclosure, disruption, 
modification, or destruction of information and information systems; 

* policies and procedures that (1) are risk-based, (2) cost-effectively 
reduce risks, (3) ensure that information security is addressed 
throughout the life cycle of each system, and (4) ensure compliance 
with applicable requirements; 

* plans for providing adequate information security for networks, 
facilities, and systems; 

* security awareness training to inform personnel--including 
contractors and other users of information systems--of information 
security risks and of their responsibilities in complying with agency 
policies and procedures; 

* at least annual testing and evaluation of the effectiveness of 
information security policies, procedures, and practices relating to 
management, operational, and technical controls of every information 
system identified in the agency's inventory; 

* a process for planning, implementing, evaluating, and documenting 
remedial action to address any deficiencies in its information security 
policies, procedures, or practices; 

* procedures for detecting, reporting, and responding to security 
incidents; and: 

* plans and procedures to ensure continuity of operations for 
information systems that support the operations and assets of the 
agency. 

FISMA also requires each agency to (1) annually report to OMB, selected 
congressional committees, and the Comptroller General on the adequacy 
of information security policies, procedures, and practices and 
compliance with requirements, and (2) its OIG or independent external 
auditor perform an independent annual evaluation of the agency's 
information security program and practices. 

HHS has begun to implement the foundation for an effective information 
security program through its Secure One initiative by developing and 
documenting policies and procedures that designate implementation 
responsibilities. For example, HHS information security program 
provides baseline security policies and standards for the department. 
Operating divisions are required to comply with departmental standards 
or develop specific standards that exceed them. In addition, HHS uses 
an automated security management tool to collect, analyze, and report 
FISMA data. Similarly, CMS has made progress in developing and 
documenting its information security policies and procedures. 

Although HHS has made progress in developing and documenting a 
departmentwide information security program, it has not fully 
implemented the following key elements: risk assessments, policies and 
procedures, system security planning, security and awareness training, 
periodic testing and evaluation of controls, remedial action plans, 
incident handling, and continuity of operations. These weaknesses limit 
HHS's ability to protect the confidentiality, integrity, and 
availability of its information and information systems. 

Risk Assessments: 

Identifying and assessing information security risks are essential to 
determining what controls are required. By increasing awareness of 
risks, these assessments can generate support for the policies and 
controls that are adopted. OMB Circular A-130, appendix III, prescribes 
that risk be reassessed when significant changes are made to 
computerized systems--or at least every 3 years, as does HHS policy. 
Consistent with NIST guidance, HHS requires that risk assessments 
characterize the system, identify information sensitivity and threats, 
determine the risk level of those threats and corresponding 
vulnerabilities, and analyze the potential business impact of exploited 
vulnerabilities. 

HHS's performance in conducting risk assessments has varied across the 
department. Our review of 10 CMS risk assessments found that they 
generally complied with applicable federal and departmental guidance. 
By contrast, two of the three Office of the Secretary risk assessments 
reviewed did not fully address key elements. For example, the risk 
assessments did not identify threat sources, threat actions, or risk 
levels, as described in NIST SP 800-30.[Footnote 7] Nor did they detail 
whether or not a business impact analysis had been completed. HHS's OIG 
also identified weaknesses in the department's risk assessments. In its 
2005 FISMA evaluation, the OIG reported that risk assessments had not 
been performed on two major systems--one at the Administration for 
Children and Families, and one at the Administration on Aging. 

In response to these weaknesses identified in the department's 
information security program, the HHS chief information security 
officer stated that risk assessments are currently being tracked using 
the department's FISMA data management tool, which compiles information 
security management data for monitoring and review. All operating 
divisions are required to enter their FISMA data into this automated 
tool so that it can be reviewed and validated by the Secure One program 
staff. The combination of this tool and feedback from the Secure One 
program is designed to improve the completion rate and quality of risk 
assessments. The lack of or incomplete risk assessments could result in 
HHS's systems having inadequate or inappropriate security controls that 
might not address those systems' true risk, and result in costly 
efforts to subsequently implement effective controls. 

Policies and Procedures: 

Another key task in implementing an effective information security 
program is to develop and document risk-based policies, procedures, and 
technical standards that govern security over an agency's computing 
environment. If properly implemented, policies and procedures should 
help to cost-effectively reduce the risk of unauthorized access, 
modification, and destruction of information and systems. Technical 
security standards should provide consistent implementing guidance for 
each computing environment. Because security policies are the primary 
mechanism by which management communicates its views and requirements, 
it is important to develop and document them. FISMA requires each 
agency to develop minimally acceptable system configuration 
requirements and ensure compliance with them. Systems with secure 
configurations have less vulnerabilities and are better able to thwart 
network attacks. 

HHS has not developed departmentwide policies regarding minimally 
acceptable configuration requirements. According to HHS's chief 
information security officer, HHS has neither developed nor documented 
such configuration requirements for its operating systems. The OIG 
reported in its fiscal year 2005 FISMA evaluation that these 
requirements were being maintained at the operating division level. In 
addition, the OIG found that three of the six operating divisions had 
not implemented minimum acceptable configuration requirements for their 
operating systems. Without departmentwide policies for developing 
minimally acceptable configuration requirements for its information 
systems, HHS may not be able to cost-effectively reduce information 
security risks to an acceptable level. 

Security Plans: 

The objective of system security planning is to improve the protection 
of information technology resources. A system security plan is to 
provide a complete and up-to-date overview of the system's security 
requirements and describe the controls that are in place or planned to 
meet those requirements. FISMA requires that agency information 
security programs include subordinate plans for providing adequate 
information security for networks, facilities, and systems or groups of 
information systems, as appropriate. OMB Circular A-130 specifies that 
agencies develop and implement system security plans for major 
applications and for general support systems and that these plans 
address policies and procedures for providing management, operational, 
and technical controls. According to NIST, security plans should 
include existing or planned security controls, the individual 
responsible for the security of the system, a description of the system 
and its interconnected environment, and rules of behavior. HHS policy 
requires all of its operating divisions to develop and document system 
security plans for all departmental systems and networks in accordance 
with NIST guidance[Footnote 8] and to update such plans at least once 
every 3 years or when significant changes occur to the system. 

Our review found that HHS and CMS system security plans generally 
complied with applicable federal and departmental guidance. We examined 
seven plans and determined that they were up-to-date, addressed 
existing controls, identified responsible security personnel, described 
the system and its interconnections, and included rules of behavior. 
However, our analysis of OIG reports found that security plans had not 
been completed for two major systems--one at the Administration for 
Children and Families, and one at the Administration on Aging. Until 
its operating divisions complete security plans for all systems, HHS 
cannot ensure that appropriate controls are in place to protect its 
systems and critical information. 

Awareness and Security Training: 

Computer intrusions and security breakdowns often occur because 
computer users fail to take appropriate security measures. For this 
reason, it is vital that employees and contractors who use computer 
resources in their day-to-day operations be made aware of the 
importance and sensitivity of the information they handle, as well as 
the business and legal reasons for maintaining its confidentiality, 
integrity, and availability. FISMA requires that an information 
security program promote awareness and provide training for users 
(federal employees and contractors) so that they can understand the 
system security risks and their role in implementing related policies 
and controls to mitigate those risks. HHS policy requires the 
establishment of an annual security awareness training program for all 
employees and contractors. In the event that a security breach occurs, 
amply trained security personnel are vital to a timely and appropriate 
response. Depending on an employee's specific security role, 
specialized training could include training in incident detection and 
response, physical security, or firewall configuration. FISMA requires 
agency chief information officers to ensure that personnel with 
significant information security responsibilities receive specialized 
security training. HHS policy also requires specialized security 
education and awareness training for all individuals with significant 
security responsibilities. 

Although the department has made progress in security awareness 
training, the department had not provided adequate security training to 
employees with significant security-related responsibilities. In fiscal 
year 2005, HHS reported that 98 percent of its employees, including 
contractors, had received security awareness training. However, it 
reported that 32 percent of its employees with significant security-
related responsibilities had not received specialized security 
training. Conversely, CMS reported that 100 percent of its employees 
with significant security-related responsibilities had received such 
training. Without sufficiently trained security personnel, security 
lapses are more likely to occur and could contribute to information 
security weaknesses at HHS. 

Tests and Evaluations: 

Another key element of an information security program is testing and 
evaluating system controls to ensure that they are appropriate, 
effective, and comply with policies. An effective program of ongoing 
tests and evaluations can be used to identify and correct information 
security weaknesses. This type of oversight demonstrates management's 
commitment to the security program, reminds employees of their roles 
and responsibilities, and identifies and mitigates areas of 
noncompliance and ineffectiveness. Although control tests may encourage 
compliance with security policies, the full benefits of testing are not 
achieved unless the test results are analyzed by security specialists 
and business managers and used as a means of identifying new problem 
areas, reassessing the appropriateness of existing controls, and 
identifying the need for new controls. 

FISMA requires that agencies test and evaluate the information security 
controls of their systems, and that the frequency of such tests be 
based on risk, but occur no less than annually. HHS requires systems 
and networks that contain sensitive or mission critical information to 
undergo vulnerability scanning and/or penetration testing to identify 
security threats at least annually or when significant changes are made 
to the system or network. HHS also requires that a self-assessment be 
conducted of all departmental systems and networks at least annually in 
accordance with NIST SP 800-26.[Footnote 9] Consistent with FISMA 
provisions and HHS guidance, CMS policy also requires periodic testing 
and evaluation of its information systems' security controls. 

Although HHS has initiatives under way to improve its testing and 
evaluation of controls, it has not fully implemented an ongoing program 
of tests and evaluations. Our analysis of the OIG's fiscal year 2005 
FISMA report found that several operating divisions had not tested and 
evaluated security controls for all their systems. For example, three 
systems at three different operating divisions had not undergone system 
testing and evaluation. At another operating division, system tests and 
evaluations for three of its six major applications had not been 
completed. 

Without comprehensive tests and evaluations of security controls, HHS 
cannot be assured that employees and contractors are complying with 
established policies or that those policies and controls are appropriate 
and working as intended. 

Remedial Actions: 

Remedial action plans, also known as plans of actions and milestones, 
can assist agencies in identifying, assessing, prioritizing, and 
monitoring progress in correcting security weaknesses in information 
systems. According to OMB Circular A-123, agencies should take timely 
and effective action to correct deficiencies that they have identified 
through a variety of information sources. To accomplish this, remedial 
action plans should be developed for each deficiency, and progress 
should be tracked for each. In compliance with OMB policy, HHS requires 
the capture of all information security program and system control 
weaknesses that require mitigation in remedial action plans. In 
addition, HHS has provided information security managers and system 
owners guidance for developing, maintaining, and reporting their 
remedial action plans. 

Our review of OIG reports on selected operating divisions identified 
shortcomings in the HHS remedial action process. For example, the 
remedial action plans for three operating divisions did not include 
weaknesses previously identified in the operating divisions' risk 
assessments, OIG audits, or other independent audits. Moreover, the 
remedial action plans for four operating divisions contained overdue 
corrective action items and lacked key corrective action information, 
such as the risk level assigned to weaknesses, resources needed to 
remedy the weaknesses, and adequate support to demonstrate closed 
weaknesses. Our review of CMS remedial action plans yielded similar 
results. Specifically, we found 20 percent of the corrective actions 
did not identify the resources needed to correct those weaknesses. 

Without a sound remediation process, HHS cannot be assured that 
weaknesses in its information security program will be efficiently and 
effectively corrected. 

Incident Handling: 

Even strong controls may not block all intrusions and misuse, but 
organizations can reduce the risks associated with such events if they 
take steps to promptly detect and respond to them before significant 
damage is done. In addition, analyzing security incidents allows 
organizations to gain a better understanding of the threats to their 
information and the costs of their security-related problems. Such 
analyses can pinpoint vulnerabilities that need to be eliminated so 
that they will not be exploited again. Incident reports can be used to 
provide valuable input for risk assessments, help in prioritizing 
security improvement efforts, and illustrate risks and related trends 
for senior management. FISMA requires that agency information security 
programs include procedures for detecting and reporting security 
incidents. To ensure effective handling of incidents, HHS policy 
requires the establishment and maintenance of an incident response 
capability that includes preparation, identification, containment, 
eradication, recovery, and follow-up capabilities. 

HHS operating divisions did not always employ adequate incident 
detection capabilities. Our analysis of OIG reports found, for example, 
that 13 CMS Medicare contractors had weaknesses in their intrusion 
detection policies and procedures. Five of the contractors did not have 
intrusion detection systems in place, while six were cited for either 
not reporting incidents in accordance with FISMA guidance or not 
reporting incidents to CMS. The remaining two contractors exhibited 
weaknesses in their incident monitoring process and procedures. 
Finally, one operating division used router and firewall logs for 
troubleshooting instead of for intrusion detection. 

The wide disparity in the reporting of security incidents[Footnote 10] 
and events[Footnote 11] at HHS and its operating divisions also raises 
concern. For example, the Food and Drug Administration reported over 16 
million events while the Centers for Medicare & Medicaid Services and 
the Centers for Disease Control and Prevention combined reported fewer 
than 1,600, as indicated in table 1. 

Table 1: Reported Incidents among HHS Operating Divisions: 

September 2005 Event Summary: 

Operating division: Food and Drug Administration; 
Number of events: 16,515,911; 
Number of incidents: 1. 

Operating division: National Institutes of Health; 
Number of events: 1,142,424; 
Number of incidents: 0. 

Operating division: Health Resources and Services Administration; 
Number of events: 348,346; 
Number of incidents: 0. 

Operating division: Office of the Secretary; 
Number of events: 162,197; 
Number of incidents: 1. 

Operating division: Indian Health Service; 
Number of events: 79,911; 
Number of incidents: 2. 

Operating division: Program Support Center; 
Number of events: 9,125; 
Number of incidents: 0. 

Operating division: Office of the Inspector General; 
Number of events: 8,839; 
Number of incidents: 0. 

Operating division: Agency for Healthcare Research and Quality; 
Number of events: 1,682; 
Number of incidents: 0. 

Operating division: Administration for Children and Families; 
Number of events: 1,560; 
Number of incidents: 0. 

Operating division: Centers for Disease Control and Prevention; 
Number of events: 1,074; 
Number of incidents: 0. 

Operating division: Centers for Medicare & Medicaid Services; 
Number of events: 429; 
Number of incidents: 1. 

Operating division: Administration on Aging; 
Number of events: 244; 
Number of incidents: 0. 

Operating division: Substance Abuse and Mental Health Services 
Administration; 
Number of events: 0; 
Number of incidents: 0. 

Source: HHS. 

Notes: Incidents were reported to the U.S. Computer Emergency Response 
Team. No data were available for the Agency for Toxic Substances and 
Disease Registry. 

[End of table] 

HHS operating divisions collectively reported over 18 million events 
during September 2005 but fewer than 10 incidents. We did not attempt to 
assess the accuracy of the reported events and incidents. However, the 
disparity in the number of reported events among the operating 
divisions of relatively similar size raises concerns. This disparity 
may be an indication of inconsistency among criteria settings and 
configuration requirements for the respective intrusion detection 
systems. The reporting disparities may also be influenced by the type 
and location of the intrusion detection systems. For example, an 
intrusion detection system located behind a firewall detects fewer 
events than one located on the perimeter in front of a firewall because 
of the firewall's ability to block certain network traffic. Intrusion 
detection systems' visibility to the Internet also increases the 
potential exposure to security events. Without consistent detection and 
reporting, HHS cannot be assured that it is handling incidents in an 
effective manner. 

Continuity of Operations: 

Continuity of operations controls can enable systems to be recovered 
quickly and effectively following a service disruption or disaster. 
Such controls include plans and procedures designed to protect 
information resources and minimize the risk of unplanned interruptions, 
along with a plan to recover critical operations should interruptions 
occur. These controls should be designed to ensure that when unexpected 
events occur, key operations continue without interruption or are 
promptly resumed, and critical and sensitive data are protected. They 
should also be tested annually or as significant changes are made. It 
is important that these plans be clearly documented, communicated to 
potentially affected staff, and updated to reflect current operations. 
Consistent with federal guidance, HHS policy requires operating 
divisions to identify, prioritize, and document disaster recovery 
planning requirements for all critical departmental systems, networks, 
data, and facilities. CMS's information security policy complies with 
the departmentwide policy. CMS's Information Security Handbook provides 
additional guidance as to what key elements should be included in 
contingency plans. These elements are further detailed in its guidance 
to CMS contractors. 

HHS has various efforts underway to address continuity of operations. 
In its fiscal year 2005 FISMA report, the OIG noted the elimination of 
the department's significant deficiency relating to contingency 
planning and disaster recovery. However, shortcomings in continuity of 
operations still exist. In its FISMA report to OMB for fiscal year 
2005, HHS reported that 19.2 percent of its FISMA inventoried systems 
(34 out of 177) did not have tested contingency plans. The OIG also 
identified deficiencies in continuity of operations plans developed at 
HHS's operating divisions. For example, 

* contingency plans for four major applications at one operating 
division were not application specific, but were actually the same plan 
originally developed for the server recovery; 

* contingency plans did not exist for the local area networks of four 
operating divisions; 

* another operating division did not prioritize the recovery of its 
systems in the divisionwide contingency plan; and: 

* inadequate documentation existed to determine whether testing had 
been performed for one of another division's contingency plans. 

As a result of these weaknesses, the department has limited assurance 
that operating divisions will be able to protect critical and sensitive 
information and information systems and resume operations promptly when 
unexpected events or unplanned interruptions occur. If continuity of 
operations controls are inadequate, even a relatively minor 
interruption could result in significant adverse impact on HHS 
operating divisions' ability to recover and resume operations. 

Conclusions: 

Given the size and significance of HHS's information technology 
investments, and the sensitivity of the medical, personal, and 
financial data it maintains through these investments, it is imperative 
that the department develop strong information security controls and 
implement a comprehensive information security program. While HHS has 
made progress toward developing and documenting a departmentwide 
information security program, significant weaknesses in information 
security controls could lead to the unauthorized disclosure, 
modification, or destruction of the sensitive data that HHS relies on 
to accomplish its vital mission. A key reason for these weaknesses is 
that HHS has not yet fully implemented a departmentwide information 
security program that can establish and maintain effective controls. 
Full implementation of such a program would provide for periodically 
assessing risks, establishing appropriate policies and procedures, 
developing and implementing security plans, promoting security 
awareness training, testing and evaluating the effectiveness of 
controls, implementing corrective actions, responding to incidents, and 
ensuring continuity of operations. Implementing such a program across 
all operating divisions requires effective management oversight and 
monitoring, especially at a department as diverse as HHS. Until HHS 
strengthens information security controls and fully implements its 
information security program, it will have limited assurance that its 
operations and assets are adequately protected. 

Recommendations for Executive Action: 

To help HHS fully implement its departmentwide information security 
program, we recommend that the Secretary of HHS direct the Chief 
Information Officer to develop and implement policies and procedures to 
ensure the establishment of minimum acceptable configuration 
requirements. In addition, we recommend that the Secretary direct the 
Chief Information Officer to take the following seven steps to ensure 
that operating divisions: 

* develop comprehensive risk assessments that address key elements; 

* complete system security plans for all systems; 

* provide specialized training to all individuals with significant 
security responsibilities; 

* conduct tests and evaluations of the effectiveness of controls on 
operational systems, and document results; 

* review remedial action plans to ensure that they address all 
previously identified weaknesses and key corrective action information; 

* implement intrusion detection systems and configure them to use 
consistent criteria for the detection and reporting of security 
incidents and events; and: 

* develop and test continuity of operations plans for all of their 
systems. 

Agency Comments and Our Evaluation: 

The Department of Health and Human Services's Inspector General 
transmitted the department's written comments on a draft of this report 
(reprinted in app. II). In these comments, HHS supported our emphasis 
on improvements needed in key information security program elements, 
but stated that our report did not appropriately reflect the progress 
that the department has made in addressing information security. 

Specifically, HHS expressed concerns that our evaluation approach did 
not provide an accurate or complete appraisal of the department's 
information security program, in that the report does not mention the 
department's defense-in-depth strategy or accomplishment of two major 
goals--the department's campaign to mitigate its deficiency pertaining 
to contingency planning and reduce its number of reportable conditions 
by 25 percent. According to HHS, it employs a defense-in-depth strategy 
to ensure threats are effectively addressed and mitigated. We 
acknowledge HHS's statement on its defense-in-depth strategy, but note 
that the significant control weaknesses identified in this report and 
by independent auditors indicate that this strategy is not fully 
working as intended. With regard to the two major goals, we have 
revised the report to reflect the elimination of the contingency 
planning deficiency. Regarding the department's reduction in the 
number of reportable conditions, in its report on internal 
controls,[Footnote 12] the OIG's independent auditor reported progress 
made in strengthening security controls; however, it still reported 
weaknesses in several information security areas, including the 
entitywide security program, access controls, application development 
and program change controls, system software, and service continuity. 

HHS also noted that our report did not mention recent improvements or 
progress made in information security until a brief statement in the 
conclusion of the report, and that the report was predicated on 
findings originally documented by the HHS OIG in fiscal year 2005. 
However, throughout the report we acknowledge HHS's improvements and 
progress made in correcting information security weaknesses and have 
added additional statements based on these comments. In addition, as 
noted in our scope and methodology, our evaluation included the most 
recent reports issued at the time of our review. 

In its comments, HHS also expressed concern over our use of the word 
"significant" to describe the reported weaknesses. In their most recent 
report on internal controls, the OIG's independent auditor reported 
information security as a "reportable condition"[Footnote 13] at the 
department. The auditors concluded that "the cumulative effect of these 
weaknesses represents significant deficiencies in the overall design 
and operation of internal controls." Based on the findings in our 
report, the definition of "reportable condition," and the comments of 
the independent auditors, we believe the use of the word "significant" 
is appropriate to describe these weaknesses. 

HHS also took exception to our conclusion that it had not fully 
implemented a departmentwide information security program, and stated 
that our findings instead indicate that the full integration or 
maturity of the program has not been achieved. FISMA requires that 
agencies develop, document, and implement an information security 
program. As stated in our report, we acknowledged that HHS has made 
progress in developing and documenting its program. However, elements 
of the program have not been fully or consistently implemented. For 
example, three systems at three different operating divisions had not 
undergone system testing and evaluation. As a result, we believe that 
the use of the phrase "not fully implemented" is appropriate for 
describing HHS's shortcomings in its information security program. 

Additionally, the department stated that our assessment of its security 
program was based on a small percentage of HHS systems. However, as 
noted in our scope and methodology, we selected applications and 
general support systems because they support HHS's departmentwide 
financial reporting and communications, or Medicare payment and 
communication functions at CMS and its contractors--operations that are 
critical to the department. These included the Medicare Claims 
Processing Systems that processed over one billion claims and $294 
billion in claims payments in 2004; the CMS Communication Network that 
provides connectivity between CMS and its business-related entities; 
and the HHS Enterprise Services Network that provides a shared network 
backbone for several HHS operating divisions. 

The department also noted that our statement that HHS had not developed 
departmentwide policies regarding minimally acceptable configuration 
requirements was inaccurate. In its comments, HHS states that "plans 
are in place" to standardize implementation in fiscal year 2006 and 
that the divisional chief information security officers formed a 
subcommittee to develop configuration standards. Although these are 
positive efforts, we believe that such statements support our 
conclusion that such policies have not yet been developed. 

In addition, the department noted that we did not acknowledge progress 
made relating to contingency planning. HHS stated that it had completed 
and tested contingency plans for 100 percent of its high-risk FISMA 
systems. However, the HHS OIG did not concur with this statement, 
reporting that one of the seven high-risk systems that they evaluated 
did not have tested contingency plans. As mentioned previously, the 
department also stated that we did not acknowledge the elimination of 
their sole existing significant deficiency relating to contingency 
planning and disaster recovery. We have revised the report to reflect 
the elimination of this deficiency. 

Finally, the department noted additional improvements specific to CMS 
that were not included in our report. The department cited the 
elimination of a long standing CMS material weakness in Medicare 
electronic access controls. However, this material weakness was 
downgraded to a reportable condition, indicating that significant 
deficiencies still exist. The department also stated that we did not 
acknowledge significant progress in FISMA compliance made by its fiscal 
intermediaries and carriers and that they provided these results to the 
HHS OIG in early December 2005. However, these reports were not 
available for release to us at that time. Additionally, the department 
stated that we did not acknowledge CMS's significant achievements in 
meeting its statutory responsibilities under FISMA, as reported by the 
HHS OIG. We acknowledge in the report that HHS, which includes CMS, has 
begun to implement the foundation for an effective information security 
program. While the HHS OIG FISMA report cited some achievements made by 
CMS, the HHS OIG also noted 28 exceptions in the CMS information 
security program. 

HHS also provided specific technical comments, which we have 
incorporated, as appropriate, in the report. 

As agreed with your office, unless you publicly announce the contents 
of this report earlier, we plan no further distribution until 30 days 
from the report date. At that time we will send copies of this report 
to the Secretary of Health and Human Services. We will also make copies 
available to others upon request. In addition, this report will be 
available at no charge on the GAO Web site at [Hyperlink, 
http://www.gao.gov]. 

If you have any questions regarding this report, please contact me at 
(202) 512-6244 or by e-mail at [Hyperlink, wilshuseng@gao.gov]. Contact 
points for our Offices of Congressional Relations and Public Affairs 
may be found on the last page of this report. Key contributors to this 
report are listed in appendix IV. 

Sincerely yours, 

Signed by: 

Gregory C. Wilshusen: 
Director, Information Security Issues: 

[End of section] 

Appendixes: 

Appendix I: Objective, Scope, and Methodology: 

The objective of our review was to assess the effectiveness of the HHS 
information security program, particularly at CMS, in protecting the 
confidentiality, integrity, and availability of its information and 
information systems. To accomplish this objective, we evaluated the 
effectiveness of HHS's information security controls, and whether HHS 
had developed, documented, and implemented a departmentwide information 
security program consistent with federal laws and policies. 

To evaluate the effectiveness of HHS's information security controls, 
we examined 74 management and audit reports pertaining to information 
security practices and controls at 13 operating divisions issued by the 
department, its Office of the Inspector General (OIG), and independent 
auditors during 2004 and 2005. These reports identified information 
security control weaknesses at HHS, the operating divisions, and 
contractor-owned facilities, which we then classified according to the 
general control categories specified in our Federal Information System 
Controls Audit Manual (FISCAM).[Footnote 14] Further, these reports 
contained specific recommendations to the department to remedy 
identified information security control weaknesses. 

To evaluate whether HHS had developed and documented a departmentwide 
information security program consistent with federal laws and policies, 
we examined related documents, such as policies and procedures, 
handbooks, various types of security-related reports, and HHS's 
information systems inventory. We assessed whether its program was 
consistent with the requirements of FISMA, as well as applicable Office 
of Management and Budget policies and National Institute of Standards 
and Technology guidance related to risk assessments, risk-based 
policies and procedures, information security plans, security awareness 
training, testing and evaluating security controls, remedial action 
plans, handling security incidents, and continuity of operations for 
information systems. We also held discussions with CMS and contractor 
officials responsible for information security management and with the 
HHS Inspector General staff regarding any related prior, ongoing, or 
planned work in these areas. 

To evaluate whether HHS had implemented an information security program 
consistent with federal laws and policies, we focused our review on 
CMS--the operating division with the largest budget in the department--
as well as the Office of the Secretary, an operating division with a 
departmentwide perspective. We compared their documented practices and 
controls to the departmentwide information security program as well as 
applicable FISMA requirements, OMB policy, and NIST guidance. To 
determine how well the operating divisions were implementing their own 
policies and procedures, we evaluated available risk assessments, 
security plans, security and awareness training, system tests and 
evaluations, remedial actions, and continuity of operations for the 
following major applications and general support systems: 

* Automated Financial Statement System--a system to collect operating 
divisions' financial statement data to generate the departmentwide 
year-end and quarterly statements. 

* Information Collection Review and Approval System--a web-based 
database application used by HHS, the Securities and Exchange 
Commission, and OMB to help federal agencies electronically administer 
and manage their information collection clearance responsibilities 
under the Paperwork Reduction Act. 

* HHS's Enterprise Services Network--the enterprise network for the 
department. It consists of a combination of very high performance 
network services provided by a public communications carrier. 

* Medicare Claims Processing Systems--a CMS contractor operated group 
of systems used to process Medicare claims--including inpatient 
hospital care, nursing facilities, home health care, and other health 
care services. 

* CMS communications network--a private network that provides 
connectivity between CMS and its business-related entities that provide 
Medicare services. 

We selected these applications and systems because they support either 
(1) HHS's enterprisewide financial reporting and communication 
functions, or (2) CMS's and its contractors' Medicare payments and 
communication functions. 

We performed our work at HHS headquarters in Washington, D.C., and the 
CMS Central Office, located in Baltimore, Maryland. This review was 
performed from June through December 2005 in accordance with generally 
accepted government auditing standards. 

[End of section] 

Appendix II: Comments from the Department of Health and Human Services: 

DEPARTMENT OF HEALTH & HUMAN SERVICES: 
Office of Inspector General: 
Washington, D.C. 20201: 

FEB 14 2006: 

Mr. Gregory C. Wilshusen: 
Director, Information Security Issues: 
U.S. Government Accountability Office: 
Washington, DC 20548: 

Dear Mr. Wilshusen: 

Enclosed are the Department's comments on the U.S. Government 
Accountability Office's (GAO) draft report entitled, "INFORMATION 
SECURITY: Department of Health and Human Services Needs to Fully 
Implement Its Program" (GAO-06-267). These comments represent the 
tentative position of the Department and are subject to reevaluation 
when the final version of this report is received. 

The Department provided several technical comments directly to your 
staff. 

The Department appreciates the opportunity to comment on this draft 
report before its publication. 

Sincerely, 

Signed by: 

Daniel R. Levinson: 
Inspector General: 

Enclosure: 

The Office of Inspector General (OIG) is transmitting the Department's 
response to this draft report in our capacity as the Department's 
designated focal point and coordinator for U.S. Government 
Accountability Office reports. OIG has not conducted an independent 
assessment of these comments and therefore expresses no opinion on 
them. 

COMMENTS OF THE DEPARTMENT OF HEALTH AND HUMAN SERVICES ON THE U.S. 
GOVERNMENT ACCOUNTABILITY OFFICE'S DRAFT REPORT ENTITLED, "INFORMATION 
SECURITY: DEPARTMENT OF HEALTH AND HUMAN SERVICES NEEDS TO FULLY 
IMPLEMENT ITS PROGRAM" (GAO-06-267): 

The Department of Health and Human Services (HHS) appreciates the 
opportunity to comment on the draft report. We appreciate the efforts 
GAO undertook to examine HHS's information security program. The 
comments that follow represent HHS's responses to the draft report. 

The evaluation approach utilized by GAO does not provide an accurate or 
complete appraisal of the HHS enterprise-wide information security 
program. The GAO "Results in Brief" section and the majority of the 
remaining document focus exclusively on security control weaknesses 
that could place the confidentiality, integrity, and availability of 
sensitive information and information systems at risk. Yet, there is no 
mention of HHS's defense-in-depth strategy which is employed throughout 
the enterprise and results in layering of safeguards to ensure threats 
to confidentiality, integrity, and availability are effectively 
addressed and mitigated, thereby reducing the probability of single 
points of failure. Nor is there recognition of the ambitious campaign 
HHS launched in fiscal year (FY) 2005 to accomplish two major goals - 
address and mitigate its sole existing significant deficiency 
pertaining to contingency planning and disaster recovery and reduce its 
number of reportable conditions by 25 percent. In fact, HHS exceeded 
this goal, eliminating its sole significant deficiency and reducing the 
number of reportable conditions by 57 percent from FY 2004 to FY 2005. 
These accomplishments were documented in the FY 2005 Office of 
Inspector General (OIG) Federal Information Security Management Act 
(FISMA) Executive Summary, but not recorded in this draft GAO report. 
We request that these successes be noted in the GAO report. 

There is no mention of HHS's information security improvements or 
progress until the brief statement in the conclusion of the report. The 
majority of the GAO report is predicated on the findings originally 
documented by HHS OIG in FY 2005, (between January and June 2005) and 
is representative of activities carried out in support of the 
information security program throughout 2004 and 2005. This GAO 
assessment is scheduled for publication in February 2006, but will not 
reflect at least seven additional months of progress and maturity in 
HHS's security posture. Please consider including the additional points 
and evidence provided in this draft GAO assessment response as 
confirmation of further strides made in support of HHS's information 
security program implementation in the months following the FY 2005 OIG 
evaluation. 

The frequent use of the word "significant" to describe control 
weaknesses documented throughout this GAO assessment evokes a negative 
connotation that is not reflective of the progress or current state of 
HHS's information security program. In light of HHS's successful 
elimination of its sole significant deficiency, HHS requests the 
removal of the word "significant" to describe the depth of control 
weaknesses in this assessment. Alternatively, we recommend use of 
"noteworthy" or "important" to describe these weaknesses. 

HHS, consistent with the National Institute of Standards and Technology 
(NIST), defines implementation as observed consistency with policies 
and procedures. Evidence of general compliance with policy and 
procedures exists at the enterprise and OPDIV levels. In 2003, HHS 
formally established the foundation of its information security program 
to ensure the confidentiality, integrity, and availability of the 
information it collects, stores, and processes to meet its strategic 
missions on behalf of the American citizenry. Since 2003, the HHS 
information security program has continued to evolve, resulting in 
standard, repeatable security processes disseminated throughout its 14 
Operating Divisions (OPDIVs). HHS, as acknowledged in the FY 2005 OIG 
FISMA Executive Summary, issued an overarching information security 
policy, an information security program handbook, and numerous guides. 
HHS initiated a variety of analysis and oversight activities, 
continuously monitoring and improving current security practices. The 
observations in this GAO assessment identify information security areas 
in which improvements can be made but, when considered collectively, do 
not equate to HHS having "not fully implemented a Department wide 
information security program." [NOTE 1] Instead, these findings 
indicate that full integration, or maturity, has not yet been achieved. 
Integration represents a level of growth beyond implementation in which 
HHS tests security practices and controls for compliance and mitigates 
the results of these tests to demonstrate continued improvement. HHS, 
through its increasing oversight activities, strives towards such 
integration. Therefore, HHS agrees that full integration has not yet 
been achieved, but requests that the implementation of the security 
program be recognized in this report. 

The HHS information security program addresses each of the key elements 
required by FISMA. HHS assesses risk periodically; disseminates 
necessary policies and procedures; develops security plans; delivers 
security awareness and training; tests and evaluates system controls at 
least annually; detects, responds to and reports incidents; plans 
continuity of operations; and maintains reliable monitoring and 
reporting capabilities. This programmatic structure, as mandated by law 
and proven in practice, led to the development of sound security 
practices and continuous improvement in HHS's overall security posture. 
On page 17, the GAO assessment implies that the HHS information 
security program is not "well-designed." The program, however, adheres 
to law and is acknowledged in the FY 2005 OIG FISMA Executive Summary 
as a program intended to "improve the Department's overall IT security 
posture, ensure adequate enterprise-wide security standards, support 
integration of IT security into lines of business, and promote an 
environment in which employee actions reflect the importance of IT 
security." [NOTE 2] HHS requests that the terms "well-designed" and 
"fully implemented" be revised to read "fully integrated" to more 
accurately describe the HHS information security program posture. 

NOTES: 

[1] Report GAO-06-267, Department of Health and Human Services Needs to 
Fully Implement Its Program, page 6. 

[2] FY 2005 OIG Annual FISMA Executive Summary, page 10. 

The HHS Information Security Program Policy, signed by the HHS Chief 
Information Officer (CIO) and released to the HHS OPDIVs on January 26, 
2004, articulates the roles and responsibilities for each category of 
security personnel and addresses each information program area required 
by FISMA. Compliance with this policy is mandatory. HHS developed an 
information security program handbook to complement this overarching 
security policy and to recommend procedures for implementation of 
policy stipulations. Therefore, the statement on page 19 asserting that 
"Operating divisions are expected to comply with departmental standards 
or develop specific standards that exceed them" is not accurate and 
should be revised. As stated on page v of the Information Security 
Program Policy, "compliance with this document is mandatory. It is HHS 
policy that Department personnel abide by or exceed the requirements 
outlined in this document." HHS requests that the word "expected" be 
replaced with "required" to reinforce the stringency of HHS's policy 
compliance. 

In some instances, determinations were made regarding enterprise-wide 
weaknesses based on small percentages of HHS FISMA systems. 
Documentation pertaining to six or fewer percent of HHS's total FISMA 
systems is not evidence of incomplete implementation of an 
enterprise-wide security program. Nor does it indicate systematic 
problems in 
HHS's certification and accreditation (C&A) processes. The GAO 
assessment references four OPDIV risk assessments that lacked 
information or had not been completed. These four systems' risk 
assessments represent only two percent of HHS's 177 total FISMA 
systems. Two incomplete security plans were cited to constitute an 
overarching system security plan finding, although these two plans 
represent a mere one percent of the 177 HHS's FISMA systems. The GAO 
assessment identified six OPDIV systems for which annual system 
security control tests and evaluations were not completed, equaling 
only three percent of HHS's FISMA systems. The FY 2005 OIG FISMA 
findings document that 83.3 percent of the OPDIV system sample reviewed 
had completed C&A packages, including satisfactory risk assessments, 
system security plans, and annual security control tests and 
evaluations. In addition, in FY 2005, OIG deemed the Department's C&A 
process "satisfactory" for the first time. We believe that the 
statistics cited above more accurately reflect the current state of 
HHS's information security and that the related GAO findings should be 
excluded from the report. 

The HHS Information Security Program Policy documents the following 
policy pertaining to change management and configuration management 
controls, "3.6 Change Management Control: Establish, implement, and 
enforce change management and configuration management controls on all 
Departmental systems and networks that process, store, or communicate 
sensitive information, to include the preparation of configuration 
control plans for all Departmental systems and networks." [NOTE 3] The 
GAO assessment, on page 21, stating "HHS has not developed Department 
wide policies regarding minimally acceptable configuration 
requirements" is inaccurate and should be revised. Plans are in place 
to standardize, monitor, and enforce the extent of implementation 
according to OMB standards in FY 2006. OPDIV Chief Information Security 
Officers (CISO) also formed a configuration management subcommittee to 
develop configuration standards specific to the most predominant 
operating systems in the HHS security environment. 

NOTE: 

[3] HHS Information Security Program Policy, January 26, 2004, page 18. 

HHS, as noted in the FY 2005 OIG FISMA Executive Summary and above, 
"initiated procedures that resulted in the elimination of a previously 
identified significant deficiency." The Department established and 
completed contingency plans and performance testing at system levels, 
thereby eliminating this deficiency, related to Department level 
contingency planning and disaster recovery. HHS's role as the lead 
agency for public health services - including prevention, surveillance, 
laboratory services, and personal health services - made the 
elimination of this significant deficiency vital. Additionally, HHS 
completed and tested contingency plans for 100 percent of its high-risk 
FISMA systems, or those systems that would result in a catastrophic 
loss of confidentiality, integrity, and availability should their 
security be compromised. These accomplishments and their significance 
to the overall HHS mission should be noted in the GAO assessment. 

In addition to our comments pertaining to the HHS enterprise-wide 
information security program, there are three additional points 
pertaining to the Centers for Medicare & Medicaid Services (CMS): 

In FY 2005, CMS initiated an aggressive initiative to rid itself of a 
material weakness attributable to Medicare Electronic Data Processing 
(EDP) based on Federal Information System Controls Audit Manual 
(FISCAM) audits performed in FY 2004. Our progress toward this goal was 
tracked monthly as a part of the HHS Risk Management and Financial 
Oversight Committee. The Medicare Claims Processing System (MCPS) was 
the primary focus of the GAO review. The FY 2005 Report of the 
Independent Auditors on Internal Control, also focused primarily on the 
MCPS, found that CMS had made improvements in its entity-wide security 
program, systems software, and service continuity planning and testing. 
There was a significant 63 percent reduction in high-risk findings in 
FY 2005 over FY 2004. The progress was such that the long-standing 
material weakness in Medicare EDP controls based on FISCAM was 
eliminated. The progress noted in the FY 2005 Report of the Independent 
Auditors on Internal Control was provided and discussed with the GAO 
auditors. 

In FY 2005, CMS also made significant progress in its compliance with 
the requirements of FISMA. Under section 912 of the Medicare 
Prescription Drug, Improvement, and Modernization Act of 2003 CMS is 
required to evaluate our fiscal intermediaries and carriers for 
compliance with FISMA. Similar to the FISCAM findings, GAO based its 
conclusions, at least in part, on evaluations that were a year old. 
Again, CMS made significant strides in FY 2005. In fact, the FY 2005 
evaluation results, provided to OIG in early December 2005, and offered 
to GAO, reflect a 70 percent reduction in high-risk findings over FY 
2004, with significant improvement in the areas of Policies and 
Procedures, Systems Security Plans, Incident Handling, and Continuity 
of Operations. 

The FY 2005 OIG report of CMS's FISMA compliance also noted that CMS 
had made "significant achievements in meeting its statutory 
responsibilities under FISMA." 

Accomplishments in security policy, contingency plans, and training 
were cited by OIG. Again, this documented improvement in CMS' FISMA 
compliance was not acknowledged in the GAO report, although the report 
was made available. 

In summary, HHS is proud of its information security program and the 
progress it has made over the last fiscal year, specifically in its 
improved satisfaction of FISMA requirements. HHS proactively measures 
and tests compliance with information security policies, processes, 
Federal standards, and requirements. Testing indicates consistent 
improvements throughout the enterprise, but given such rigorous and 
aggressive testing, there will invariably be findings. HHS emphasizes 
risk management and the strong remediation of discrepancies once 
identified. HHS places great importance on achieved progress and 
positive results. The Department utilizes such successes to build 
momentum within the program itself. HHS's proactive approach to 
security program implementation and management resulted in a 
substantial reduction in findings and risks, both at odds with the GAO 
report. We regret the GAO report did not consider the more recent data 
available. 

HHS supports the GAO's emphasis on improvements in the eight areas of 
FISMA, since continuous improvement in system security exemplified 
through the system development lifecycle is a must for all government 
agencies. HHS endeavors to further improve its information security 
program, staying in step with existing and emerging Federal 
requirements and industry best practices. 

[End of section] 

Appendix III: HHS Operating Divisions: 

Administration for Children and Families--responsible for some 60 
programs that promote the economic and social well-being of children, 
families, and communities. 

Administration on Aging--supports a nationwide network providing 
services to the elderly, especially to enable them to remain 
independent. 

Agency for Healthcare Research and Quality--supports research on health 
care systems, health care quality and cost issues, access to health 
care, and effectiveness of medical treatments. It provides evidence- 
based information on health care outcomes and quality of care. 

Agency for Toxic Substances and Disease Registry--responsible for 
preventing exposure to hazardous substances from waste sites on the 
U.S. Environmental Protection Agency's National Priorities List and for 
developing toxicological profiles of chemicals at these sites. 

Centers for Disease Control and Prevention--provides a system of health 
surveillance to monitor and prevent disease outbreaks, implements 
disease prevention strategies, and maintains national health 
statistics. The centers also provide for immunization services, 
workplace safety, and environmental disease prevention. In addition, 
the centers guard against international disease transmission, with 
personnel stationed in more than 25 foreign countries. 

Centers for Medicare & Medicaid Services--administers the Medicare and 
Medicaid programs, which provide health care to about one in every four 
Americans. Medicare provides health insurance for more than 42.1 
million elderly and disabled Americans. Medicaid, a joint federal-state 
program, provides health coverage for some 44.7 million low-income 
persons, including 21.9 million children, and nursing home coverage for 
low-income elderly. CMS also administers the State Children's Health 
Insurance Program that covers more than 4.2 million children. 

Food and Drug Administration--responsible for assuring the safety of 
foods and cosmetics, and the safety and efficacy of pharmaceuticals, 
biological products, and medical devices--products that represent 
almost 25 cents of every dollar in U.S. consumer spending. 

Health Resources and Services Administration--provides access to 
essential health care services for people who are low-income, uninsured 
or who live in rural areas or urban neighborhoods where health care is 
scarce. The agency helps prepare the nation's health care system and 
providers to respond to bioterrorism and other public health 
emergencies, maintains the National Health Service Corps, and helps 
build the health care workforce through training and education 
programs. 

Indian Health Service--provides health services to 1.6 million American 
Indians and Alaska Natives of more than 550 federally recognized 
tribes. The Indian health system includes 49 hospitals, 247 health 
centers, 348 health stations, satellite clinics, residential substance 
abuse treatment centers, Alaska Native village clinics, and 34 urban 
Indian health programs. 

National Institutes of Health--a medical research organization, 
supporting over 38,000 research projects nationwide in diseases 
including cancer, Alzheimer's, diabetes, arthritis, heart ailments, and 
AIDS. 

Office of Inspector General--The OIG is responsible for protecting the 
integrity of HHS programs, as well as the health and welfare of the 
beneficiaries of those programs. It is also responsible for reporting 
program and management problems and recommendations to correct them to 
both the Secretary of HHS and to Congress. The OIG's duties are carried 
out through a nationwide network of audits, investigations, 
inspections, and other mission-related functions performed by OIG 
components. 

Office of the Secretary--provides counsel to the secretary on such 
issues as public affairs, legislation, budget, technology, and finance. 

Program Support Center--The Program Support Center was created in 1995 
to provide a wide range of administrative support within the Department 
of Health and Human Services, allowing the department operating 
divisions to concentrate on their core functional and operational 
objectives. 

Substance Abuse and Mental Health Services Administration--works to 
improve the quality and availability of substance abuse prevention, 
addiction treatment, and mental health services. 

[End of section] 

Appendix IV: GAO Contact and Staff Acknowledgments: 

GAO Contact: 

Gregory C. Wilshusen (202) 512-6244: 

Acknowledgments: 

In addition to the person named above, Idris Adjerid, Larry Crosland, 
Jeffrey Knott, Carol Langelier, Ronald Parker, Amos Tevelow, and 
William Thompson made key contributions to this report. 

(310559): 

FOOTNOTES 

[1] Title III, E-Government Act of 2002, P.L. 107-347 (Dec. 17, 2002). 

[2] A denial-of-service attack is an attack on a network that sends a 
flood of useless traffic that prevents legitimate use of the network. 

[3] An intranet is a private network that is contained within an 
enterprise. It may consist of many interlinked local area networks and 
also use leased lines in the wide area network. 

[4] An extranet is a private network that uses Internet technology and 
the public telecommunication system to securely share part of an 
organization's information or operations with suppliers, vendors, 
partners, customers, or other businesses. 

[5] Office of Management and Budget, Circular A-130, appendix III, 
Security of Federal Automated Information Resources (Nov. 28, 2000). 

[6] FISMA requires each agency to develop, document, and implement an 
agencywide information security program to provide information security 
for the information and systems that support the operations and assets 
of the agency, including those operated or maintained by contractors or 
others on behalf of the agency, using a risk-based approach to 
information security management. 44 USC § 3544(b). 

[7] NIST Special Publication 800-30, Risk Management Guide for 
Information Technology Systems, July 2002. 

[8] NIST Special Publication 800-18, Guide for Developing Security 
Plans for Information Technology Systems, December 1998. 

[9] NIST Special Publication 800-26, Security Self-Assessment Guide for 
Information Technology Services, July 2002. 

[10] HHS defines a security incident as the violation of an explicit or 
implied security policy in a computing or telecommunications system or 
network. 

[11] HHS defines an event as a notable occurrence in a network or 
system. 

[12] Included in HHS's Fiscal Year 2005 Performance and Accountability 
Report, section III. 

[13] The American Institute of Certified Public Accountants' standards 
define "reportable conditions" as significant deficiencies in the 
design or operation of internal control that could adversely affect the 
entity's ability to record, process, summarize, and report financial 
data consistent with the assertions of management in the financial 
statements. 

[14] GAO/AIMD-12.19.6 (Washington, D.C.: January 1999). FISCAM contains 
guidance for reviewing information system controls that affect the 
security of computerized data. 

GAO's Mission: 

The Government Accountability Office, the investigative arm of 
Congress, exists to support Congress in meeting its constitutional 
responsibilities and to help improve the performance and accountability 
of the federal government for the American people. GAO examines the use 
of public funds; evaluates federal programs and policies; and provides 
analyses, recommendations, and other assistance to help Congress make 
informed oversight, policy, and funding decisions. GAO's commitment to 
good government is reflected in its core values of accountability, 
integrity, and reliability. 

Obtaining Copies of GAO Reports and Testimony: 

The fastest and easiest way to obtain copies of GAO documents at no 
cost is through the Internet. GAO's Web site (www.gao.gov) contains 
abstracts and full-text files of current reports and testimony and an 
expanding archive of older products. The Web site features a search 
engine to help you locate documents using key words and phrases. You 
can print these documents in their entirety, including charts and other 
graphics. 

Each day, GAO issues a list of newly released reports, testimony, and 
correspondence. GAO posts this list, known as "Today's Reports," on its 
Web site daily. The list contains links to the full-text document 
files. To have GAO e-mail this list to you every afternoon, go to 
www.gao.gov and select "Subscribe to e-mail alerts" under the "Order 
GAO Products" heading. 

Order by Mail or Phone: 

The first copy of each printed report is free. Additional copies are $2 
each. A check or money order should be made out to the Superintendent 
of Documents. GAO also accepts VISA and Mastercard. Orders for 100 or 
more copies mailed to a single address are discounted 25 percent. 
Orders should be sent to: 

U.S. Government Accountability Office 

441 G Street NW, Room LM 

Washington, D.C. 20548: 

To order by Phone: 

Voice: (202) 512-6000: 

TDD: (202) 512-2537: 

Fax: (202) 512-6061: 

To Report Fraud, Waste, and Abuse in Federal Programs: 

Contact: 

Web site: www.gao.gov/fraudnet/fraudnet.htm 

E-mail: fraudnet@gao.gov 

Automated answering system: (800) 424-5454 or (202) 512-7470: 

Public Affairs: 

Jeff Nelligan, managing director, 

NelliganJ@gao.gov 

(202) 512-4800 

U.S. Government Accountability Office, 

441 G Street NW, Room 7149 

Washington, D.C. 20548: