HHS seeks zero trust support

The highly federated agency is looking for contractor assistance to hit enterprisewide security goals.

The Department of Health and Human Services is looking for a contractor to help manage the implementation of zero trust architecture across multiple operating divisions, as deadlines to comply with White House-issued cybersecurity mandates loom.

In a request for information published on Nov. 20, HHS notes some of its particular challenges in funding and executing zero trust implementation on an enterprise level. 

"Many of the skills and technologies required under [zero trust architecture] already exist in HHS, but putting all the components together requires HHS to significantly upgrade governance and information technology management, and more deeply integrate teams and technologies," the introduction to the RFI states.

HHS, which spent more than $8.5 billion on IT in fiscal year 2023, is a large, federated agency that includes the Centers for Medicare and Medicaid Services, the Food and Drug Administration and the Centers for Disease Control and Prevention among its many operating divisions. The RFI notes that achieving zero trust goals "in a cost-effective manner challenges the financial governance structures that exist since HHS component agencies and sometimes programs are independently funded" by Congress.

The agency is hoping to secure a contractor to provide program management support services and create a picture of where the agency's operating divisions are with respect to zero trust capabilities and gaps. The contract also aims to identify ways to assess compliance with the Cybersecurity and Infrastructure Security Agency's Zero Trust Maturity Model.

The contractor will also develop a zero trust scorecard to track achievements against CISA's maturity model, establish an enterprisewide zero trust road map in coordination with HHS tech leadership, and look for possible enterprise-level solutions that can help advance operating divisions toward zero trust goals.

Additionally, the contractor will be tasked with providing a sandbox for testing tools and technologies that could help advance zero trust compliance, as well as formulating pilot projects and coordinating budgeting and spending reports for internal use and for the Office of Management and Budget.

HHS did not score well on the most recent cybersecurity audit conducted by its Inspector General, as required by the Federal Information Security Modernization Act. One of the key issues across different risk categories was the lack of coordination across operating divisions. The report for fiscal year 2022 noted that the agency "should ensure that policies and procedures are being consistently implemented as defined across all [operating divisions] in order to meet the requirements for effective maturity. This oversight should extend to all requirements whether they are to be implemented using centralized, federated or hybrid controls." While these comments didn't directly pertain to zero trust architecture implementation, they did cover multiple underlying components of ZTA, including identity and access management.

Right now, HHS is conducting market research, which closes December 6, 2023. There's no schedule for the agency to release a solicitation for these services, but HHS is facing a tight schedule when it comes to zero trust implementation. OMB's governmentwide zero trust memo requires agencies to hit zero trust maturity goals by the end of fiscal year 2024.