Information Security


Open Recommendations

Electronic Health Information: HHS Needs to Improve Communications for Breach Reporting

GAO-22-105425
Jun 27, 2022
1 open recommendation

Agency affected: Department of Health and Human Services
Recommendation 1: The Secretary of HHS should ensure that OCR establishes a mechanism for covered entities and business associates to provide feedback on OCR's breach reporting process.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Cybersecurity: OMB Should Update Inspector General Reporting Guidance to Increase Rating Consistency and Precision

GAO-22-104364
Mar 31, 2022
2 open recommendations

Agency affected: Office of Management and Budget
Recommendation 1: The Director of OMB should collaborate with its partners in DHS and CIGIE to clarify the IG FISMA metrics guidance to specify when IGs should use OMB's recommended methodology and when they should use another method to determine agencies' overall effectiveness ratings.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Office of Management and Budget
Recommendation 2: The Director of OMB should collaborate with its partners in DHS and CIGIE to create a more precise overall effectiveness rating scale for IG FISMA reports.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Privacy: Federal Financial Regulators Should Take Additional Actions to Enhance Their Protection of Personal Information

GAO-22-104551
Jan 13, 2022
8 open recommendations

Agency affected: Federal Deposit Insurance Corporation
Recommendation 1: The Chair of FDIC should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Federal Reserve System
Recommendation 2: The Chair of the Federal Reserve should define a process for documenting the actions the Federal Reserve takes to minimize collection and use of PII.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Federal Reserve System
Recommendation 3: The Chair of the Federal Reserve should include information from systems maintained by Federal Reserve contractors in the Federal Reserve's inventory of information systems that handle PII.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Federal Reserve System
Recommendation 4: The Chair of the Federal Reserve should identify and specify metrics to determine whether privacy controls are implemented correctly and operating as intended.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: Federal Reserve System
Recommendation 5: The Chair of the Federal Reserve should establish a timeframe for including information on the privacy controls to be tested within the Federal Reserve's written privacy continuous monitoring strategy.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

Agency affected: National Credit Union Administration
Recommendation 6: The Executive Director of NCUA should enhance NCUA's ability to query information from an agencywide inventory of information systems containing PII, including contractor-run systems, to facilitate regular reviews of the inventory for accuracy and completeness.
Status: Open. When we confirm what actions the agency has taken in response to this recommendation, we will provide updated information.

DHS Privacy: Selected Component Agencies Generally Provided Oversight of Contractors, but Further Actions Are Needed to Address Gaps

GAO-22-104144
Dec 16, 2021
7 open recommendations

Agency affected: Department of Homeland Security
Recommendation 1: The Secretary of the Department of Homeland Security should direct its Privacy Office to provide targeted role-based privacy training to contractors who are responsible for protecting PII.
Status: Open. As of April 2022, DHS has not provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Agency affected: United States Coast Guard
Recommendation 2: The Commandant of the U.S. Coast Guard should direct the USCG Privacy Office to establish a time frame to complete the development of a process that can be used to identify and assess the gaps in contractor compliance with privacy requirements.
Status: Open. As of April 2022, the Coast Guard Privacy Office, in coordination with the Coast Guard HIPAA Privacy Officer, is drafting an Overarching Medical Program Privacy Impact Assessment (PIA) to describe the use of all laboratory services, medical-related programs, and systems not currently included in the Service's Electronic Health Records Acquisition (eHRA) PIA. In order to close this recommendation, USCG will need to provide information on how the draft Overarching Medical Program PIA will be used to identify and assess the gaps in contractor compliance with privacy requirements.

Agency affected: United States Coast Guard
Recommendation 3: The Commandant of the U.S. Coast Guard should direct the USCG Privacy Office to ensure, in conjunction with the acquisition office, that contractors certify their acceptance of their privacy requirement responsibilities.
Status: Open. As of April 2022, the Coast Guard Privacy Office continues to work on the processes for documenting contractor training pertaining to privacy awareness and other privacy-related training required in contractual clauses. In order to close this recommendation, USCG will need to provide documentation that demonstrates contractors certifying their acceptance of their privacy requirement responsibilities.

Agency affected: United States Coast Guard
Recommendation 4: The Commandant of the U.S. Coast Guard should direct the USCG Privacy Office to ensure that evaluations of proposed new instances of sharing personally identifiable information with third parties are fully documented.
Status: Open. As of April 2022, the Coast Guard stated that it did not have documentation of new information sharing requests because the specific contractual relationship for laboratory services assessed by GAO did not include new instances of information sharing. The agency added that the Coast Guard Privacy Office reviews all new and updated contracts, including those requiring information sharing outside of the contract scope. In addition, it stated that information sharing requests are documented in the updated contract and reviewed through the DHS-mandated Appendix G process. However, the documentation provided by the Coast Guard indicates that it is used during the procurement process and not for the evaluation of proposed new instances of information sharing. In order to close this recommendation, USCG will need to provide documentation that specifies the process in place to evaluate proposed new instances of sharing PII.

Agency affected: United States Customs and Border Protection
Recommendation 5: The Commissioner of U.S. Customs and Border Protection should direct the CBP Privacy Office to ensure that risk assessments are fully documented in the incident database.
Status: Open. As of April 2022, CBP has not provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.

Agency affected: United States Customs and Border Protection
Recommendation 6: The Commissioner of U.S. Customs and Border Protection should direct the CBP Privacy Office to ensure that recommendations to notify affected individuals of privacy incidents are fully documented in the incident database.
Status: Open. As of April 2022, CBP has not provided information pertaining to planned actions for this recommendation. Once the agency states that it has taken action, we plan to verify whether implementation has occurred.