HHS FISMA Compliance Report: Not Effective, 10 Recommendations Made
Summary
The HHS Office of Inspector General (OIG) has released a report rating HHS's compliance with the Federal Information Security Modernization Act (FISMA) for Fiscal Year 2025 as 'Not Effective' for the sixth consecutive year. The report details ten recommendations to improve HHS's information security program.
What changed
The HHS OIG report, issued on March 24, 2026, found that the Department of Health and Human Services (HHS) failed to achieve an 'Effective' rating for its information security program under FISMA for FY 2025. This marks the sixth consecutive year of this finding, with the audit rating HHS's overall maturity level below the required 'Managed and Measurable' standard for both Core and Supplemental Inspector General metrics across all six cybersecurity function areas.
The audit, conducted by Ernst & Young LLP, identified deficiencies in HHS's information security practices and made ten recommendations to strengthen its program. While HHS concurred with seven recommendations, it disagreed with three. The report highlights the ongoing challenges HHS faces in maintaining effective cybersecurity practices and emphasizes the need for improved oversight and implementation of federal information security requirements.
What to do next
- Review the ten recommendations made by EY in the HHS FISMA compliance report.
- Assess HHS's concurrence and planned actions for the seven recommendations agreed upon.
- Monitor HHS's progress in addressing the recommendations to improve FISMA compliance.
Source document (simplified)
Review of the Department of Health and Human Services’ Compliance With the Federal Information Security Modernization Act of 2014 for Fiscal Year 2025
Issued on 03/24/2026 | Posted on 03/25/2026 | Report number: OAS-25-18-041
Why OIG Did This Audit
- The Federal Information Security Modernization Act of 2014 (FISMA) requires Inspectors General to perform an annual independent evaluation of their agency’s information security programs and practices to determine the effectiveness of those programs and practices. OIG engaged Ernst & Young LLP (EY) to conduct this audit.
- EY conducted a performance audit of HHS’s compliance with FISMA as of July 31, 2025, based upon the 2025 FISMA reporting metrics.
- The audit examined whether HHS’s overall information security program and practices were effective as they relate to Federal information security requirements and included systems from five HHS divisions.
What OIG Found
For FY 2025, EY rated HHS’s information security program “Not Effective” for the sixth consecutive year. To be considered “Effective,” an agency must achieve at least a “Managed and Measurable” maturity level.
In FY 2025, HHS did not achieve a “Managed and Measurable” rating for either the Core or Supplemental Inspector General metrics in any of the six cybersecurity function areas: Govern, Identify, Protect, Detect, Respond, and Recover. Specifically, the overall maturity level for Core metrics was assessed as “Consistently Implemented,” while the Supplemental metrics were rated “Ad Hoc.” Together, these ratings fall below the “Managed and Measurable” level, resulting in an overall determination of “Not Effective.”
What OIG Recommends
Based on the audit, EY made ten recommendations to HHS to strengthen its information security program through improved oversight of the Operating and Staff Divisions’ (Divisions) implementation of Federal information security requirements for an effective FISMA program.
HHS concurred with seven recommendations and detailed steps it has taken and plans to take in response to the recommendations. HHS did not concur with three recommendations.
Report type: Audit. HHS agency: Office of the Secretary. Issue areas: Departmental Operational Issues; OIG Statutory Authority and Regulatory Matters. Target groups: Financial Groups; Other Funding.
Notice
This report may be subject to section 5274 of the National Defense Authorization Act Fiscal Year 2023, 117 Pub. L. 263.