NIH’s core security functions remain deficient
Numerous control and program deficiencies persist in the National Institutes of Health’s core security functions, despite its efforts to make systems more resilient, according to a Government Accountability Office report made public Tuesday.
GAO made 219 recommendations to NIH for improving cybersecurity, of which it fully implemented a third and partially implemented half as of June 2021.
The agency released a limited, official-use-only report at that time detailing NIH’s struggles identifying risks, protecting systems from threats and vulnerabilities, detecting and responding to cyber events, and recovering system operations. GAO subsequently deleted the names of the information systems and computer networks it examined, certain details about control deficiencies, and conclusions and recommendations before issuing its public report.
“These deficiencies increased the risk that sensitive research and health-related information could be disclosed or disrupted,” reads the public report.
GAO found NIH had taken steps to develop security plans, ensure the majority of personnel had basic security awareness training and develop remedial action plans. NIH had implemented 25 of the 66 recommendations (38%) for its agency-wide security program and 37 of the 153 recommendations (24%) covering the 11 selected systems.
On the other hand, NIH hadn’t fully implemented recommendations for identifying cyber risks, such as completing an inventory of all major information systems, categorizing systems per guidance, developing a complete risk management strategy and using it to review systems, developing complete system security plans, consistently authorizing systems based on defined system boundaries, and completely documenting its policies and procedures.
Protection recommendations NIH hadn’t fully implemented included consistently applying access controls, encrypting sensitive data, configuring devices securely and patching them regularly, and ensuring staff with significant security responsibilities received role-based training.
On the detection front, NIH hadn’t fully implemented recommendations to add logging and monitoring capabilities, reliably assess security controls, and develop a system continuous monitoring program.
“Although NIH had implemented controls for incident response to detect cybersecurity events, it did not always develop incident response plans and test response capability and consistently document and take timely corrective actions to remediate identified deficiencies,” reads the report.
NIH had begun developing contingency plans for the 11 systems GAO audited, but two of the plans were incomplete; one of them, for example, did not list all of the system’s locations.
In three instances the agency hadn’t reviewed and tested the plans, and for three systems it hadn’t established alternate processing sites as guidance requires. Officials attributed this to an ongoing reevaluation of system boundaries, but they couldn’t give GAO a timeframe for completing that work and had no quality assurance process in place.
“Until NIH takes additional steps to ensure that contingency plans are developed, tested and annually reviewed for all information systems, the agency is at risk that it may not be able to recover mission essential functions or ensure recovery activities are effective,” reads the report. “Further, in not establishing and documenting alternate processing sites, NIH is at increased risk of disruption to mission essential functions.”
NIH responded to GAO’s findings stating it expected to close more than 93% of the recommendations by June 2022 and all of them by December 2022.
“NIH will continue to work with GAO to provide evidence of the actions it has taken to implement recommendations and to keep them updated as the remaining recommendations are completed,” reads the agency’s response letter. “We do not anticipate any issues with reaching closure on these matters.”