OIG - Office of Inspector General

03/24/2026 | Press release | Distributed by Public on 03/25/2026 07:35

Review of the Department of Health and Human Services’ Compliance With the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025

Why OIG Did This Audit

  • The Federal Information Security Modernization Act of 2014 (FISMA) requires Inspectors General to perform an annual independent evaluation of their agency's information security programs and practices to determine the effectiveness of those programs and practices. OIG engaged Ernst & Young LLP (EY) to conduct this audit.
  • EY conducted a performance audit of HHS's compliance with FISMA as of July 31, 2025, based upon the 2025 FISMA reporting metrics.
  • The audit examined whether HHS's overall information security program and practices were effective as they relate to Federal information security requirements and included systems from five HHS divisions.

What OIG Found

For FY 2025, EY rated HHS's information security program "Not Effective" for the sixth consecutive year. To be considered "Effective," an agency must achieve at least a "Managed and Measurable" maturity level.

In FY 2025, HHS did not achieve a "Managed and Measurable" rating for either the Core or Supplemental Inspector General metrics in any of the six cybersecurity function areas: Govern, Identify, Protect, Detect, Respond, and Recover. Specifically, the overall maturity level for Core metrics was assessed as "Consistently Implemented," while the Supplemental metrics were rated "Ad Hoc." Together, these ratings fall below the "Managed and Measurable" level, resulting in an overall determination of "Not Effective."

What OIG Recommends

Based on the audit, EY made ten recommendations to HHS to strengthen its information security program through improved oversight of the Operating and Staff Divisions' (Divisions) implementation of Federal information security requirements for an effective FISMA program.

HHS concurred with seven recommendations and detailed steps it has taken and plans to take in response to the recommendations. HHS did not concur with three recommendations.
