


HHS Comes Up Short in Web Application, Network Security, says OIG

March 13, 2019 / Fred Donovan

Eight HHS operating divisions were tested for web application and network security and found wanting, according to a recently released OIG report. The HHS divisions came up short in configuration management, access control, data input controls, and software patching. To identify the vulnerabilities, OIG contracted with Defense Point Security to conduct penetration testing during FY 2016 and FY 2017. “Our objectives were to determine whether security controls were effective in preventing certain cyberattacks, the likely level of sophistication an attacker needs to compromise systems or data, and HHS OPDIVs’ [operating divisions] ability to detect attacks and respond appropriately,” explained OIG. The agency auditor shared with senior-level HHS IT management personnel the results of the testing, information about HHS’s cybersecurity posture, and recommendations to plug the vulnerabilities. OIG did not publicly share the recommendations. In addition, the office provi...