Government Watchdog Notes NIH’s Deficient Cybersecurity Functions
A new Government Accountability Office report noted that the National Institutes of Health had not fully implemented cybersecurity recommendations to resolve system control deficiencies.
The report is the public version of a June 2021 limited, official-use-only document detailing the NIH’s struggles on four core security functions: identifying risks, protecting systems from threats and vulnerabilities, detecting cyber events and recovering system operations.
GAO offered 219 recommendations to the NIH, a third of which have been fully implemented and half of which have been partially implemented, FedScoop reported.
The watchdog highlighted steps taken by the health agency to develop security plans, ensure the majority of personnel had basic security awareness training, and develop remedial action plans.
However, the NIH was called out for lacking measures in threat identification, including completing an inventory of all major information systems, categorizing systems per guidance, developing a complete risk management strategy, drafting complete system security plans and consistently authorizing systems based on defined system boundaries.
In terms of systems protection, the NIH has yet to fully implement measures for adding access controls, encrypting sensitive data, configuring devices securely and providing role-based training to security staff.
Meanwhile, the agency has to improve detection efforts such as developing a system continuous monitoring program and introducing logging and monitoring capabilities.
In response to the GAO’s findings, the NIH said it expects to close all recommendations by December 2022.