FY 2021 Annual Performance Plan and Report - Goal 5 Objective 4

Fiscal Year 2021
Released March, 2020

Goal 5. Objective 4: Protect the safety and integrity of our human, physical, and digital assets

Providing security for HHS involves more than preventing breaches or cybersecurity attacks.  The Department’s OpDivs and StaffDivs participate in efforts to preserve physical security; personnel security and suitability; security awareness; information security, including the safeguarding of sensitive and classified material; and security and threat assessments.  In addition, the Department has established a network of scientific, public health, and security professionals internally, as well as points of contact in other agencies, in the intelligence community, and in the Information Sharing Environment Council.  The Department has specialized staff to provide policy direction to facilitate the identification of potential vulnerabilities or threats to security, conduct analyses of potential or identified risks to security and safety, and work with agencies to develop methods to address them.

The Office of the Secretary leads this objective. All divisions contribute to the achievement of this objective. HHS  believes performance toward this objective is progressing. The narrative below provides a brief summary of progress made and achievements or challenges, as well as plans to improve or maintain performance.

Objective 5.4 Table of Related Performance Measures

Decrease the Percentage of Susceptibility among personnel to phishing (Lead Agency - ASA; Measure ID - 3.5)

  FY 2014 FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020 FY 2021
Target N/A N/A N/A N/A Baseline 6.8% 6.5% 6.2%
Result N/A N/A N/A N/A 7% 4.5% 12/31/20 12/31/21
Status N/A N/A N/A N/A Actual Target Met Pending Pending

Phishing is a fraudulent attempt to obtain sensitive information, like user names and passwords, to access a system or network.  HHS provides training, education, and tools (e.g., email add-in) to reduce the likelihood of staff mistaking phishing email attempts for legitimate communications over time.  In order to mitigate future breaches, HHS focuses on vulnerabilities to phishing attacks and other cyber threats.  In FY 2020 HHS will continue training and phishing exercises to assess progress.

Maintain the number of days since last major incident of personally identifiable information (PII) breach (Lead Agency - ASA; Measure ID - 3.6)53

  FY 2014 FY 2015 FY 2016 FY 2017 FY 2018 FY 2019 FY 2020 FY 2021
Target N/A N/A N/A N/A Baseline 365 366 365
Result N/A N/A N/A N/A 365 365 9/20/20 9/20/21
Status N/A N/A N/A N/A Actual Target Met Pending Pending

If an employee misuses, loses, or otherwise compromises PII, the action results in steep financial costs and damage to the Department’s reputation. The Department is committed to protecting PII from misuse. HHS has developed a privacy program for the protection of personally identifiable information that the Department information systems collect, use, maintain, share, and expunges. 54 This measure tracks the number of days in a fiscal year since a major harm incident. A major data breach has not occurred in more than 730 days. HHS will continue to train staff in protecting and safeguarding PII.

53 HHS has updated the FY 2020 target for this measure to reflect that this is a leap year.

54 A major harm incident is any incident that is likely to result in demonstrable harm to the national security interests, foreign relations, or economy of the United States or to the public confidence, civil liberties, or public health and safety of the American people.


Content created by Office of Budget (OB)
Content last reviewed