FY 2021 Annual Performance Plan and Report - Goal 5 Objective 3

Topics on this page: Goal 5. Objective 3 | Objective 5.3 Table of Related Performance Measures

Goal 5. Objective 3: Optimize information technology investments to improve process efficiency and enable innovation to advance program mission goals

HHS information technology investments help achieve the Department’s mission by acquiring and managing the technology infrastructure and systems for its health care and human services programs and mission-support programs.  From externally facing websites like HHS.gov to internal applications that manage programs and resources, HHS needs information technology solutions to be modernized, secure, and responsive to customer demands.  The Department’s current modernization investments include cloud computing, data center consolidation and improvements, information technology portfolio reviews, shared services, and a digital strategy that makes it easier to access information using HHS websites and tools.  In addition, HHS is working to increase partnerships with industry, academia, and other organizations to leverage their technology expertise as well.

The Office of the Secretary leads this objective. All divisions contribute to the achievement of this objective. HHS believes performance toward this objective is progressing. The narrative below provides a brief summary of progress made and achievements or challenges, as well as plans to improve or maintain performance.

Objective 5.3 Table of Related Performance Measures

Increase the percentage of systems with an Authority to Operate (ATO) (Lead Agency - ASA; Measure ID - 3.3)

An ATO authorizes a particular information system to connect to or operate within the HHS network for a specified period of time. Prior to issuing an ATO, HHS reviews the system to ensure that it will not compromise network data or cause technical support problems. The HHS Office of Information Security has identified the organizations and systems which are not in compliance with ATO requirements and is diligently working with OpDiv cybersecurity programs and system owners to ensure ATOs are issued for those systems. The HHS cybersecurity program is making investments in technologies to proactively identify, detect and remediate malicious activity on the HHS network while investing in resources to accelerate the implementation of the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) program.  The release of resources from DHS to HHS for these purposes was delayed due to the partial government shutdown. This delayed HHS’s ability to implement the automation that was planned for this effort, given DHS was shut down during this period. In addition, HHS implemented new training sessions, guidelines, and outreach, and invested in a Transformation project that streamlined the ATO process. The project concluded near the end of the year, and the resulting improvements are expected to be evident in 2020.  The application of greater automation to cybersecurity practices across the enterprise and working closely with cybersecurity personnel throughout the Department to provide effective cybersecurity training will continue to reduce the number of non-compliant systems without a valid ATO. In FY 2020, HHS will also continue to implement changes to strengthen its enterprise wide information security program. HHS will work with the OpDivs to enhance enterprise risk management strategy and to integrate governance functions for information security, strategic planning and reviews, internal control activities, and applicable mission/business areas. This measure links directly to measure 3.4.

Improve the score to an "A" in each of the Federal Information Technology Acquisition Reform Act (FITARA) related Scorecard Metrics, per GAO and the House Oversight and Government Reform Committee (Lead Agency - ASA; Measure ID - 3.4)

FITARA established standards for buying and managing computer technology. The FITARA scorecard reports agency progress towards IT modernization. Scorecard results demonstrate the connection of technology capability to agency leadership and the agency’s ability to use technology to drive change. The scorecard reports progress on a biannual basis. The FITARA scorecard contains subcomponents. The main driver for HHS performance was the subcategory of cyber/FISMA (the Federal Information Security Management Act).  For detailed actions regarding HHS plan for improvement see https://oig.hhs.gov/oas/reports/region18/181811200.pdf.

The HHS Office of Inspector General identified weaknesses in the following areas: risk management, configuration management, identity and access management, data protection and privacy, security training, information security continuous monitoring, incident response, and contingency planning. To address these findings, HHS will provide technical assistance to the OpDivs as they review and address vulnerabilities discovered, implement account management procedures, and track systems to ensure they are operating with a current and valid Authority to Operate. Additionally, the Department will focus on configuring recently deployed continuous diagnostic monitoring tools to automate the integration of cyber risks into newly developed enterprise risk management programs. These steps will strengthen the program and further enhance the HHS mission. HHS will continue to work to combat cyber threats and incidents as well as work towards a holistic view of the enterprise.