HHS-OCIO Policy for Social Media Technologies
March 31, 2010
Policy 2010-0003 - OCIO
Purpose: The purpose of this Department of Health and Human Services (HHS) Policy is to establish policy for the use of social media technologies as part of any general support or application system and to incorporate by reference related Federal-government-wide guidelines and HHS policies. In effect, this policy changes the default from avoiding use of social media technologies except when a specific business case is approved to embracing social media technologies unless a specified risk must be avoided.
Responsibilities: The HHS Office of the Deputy Assistant Secretary for Information Technology (IT), Office of the Chief Information Officer (OCIO) is responsible for all policies pertaining to use of information technology. All Department CIO policies and standards are posted at: http://www.hhs.gov/ocio/policy. The Office of the Deputy Assistant Secretary for Public Affairs, Web Communications Division is responsible for content management, agency branding and conformance with information dissemination and collection policies posted at: http://www.newmedia.hhs.gov/standards/.
Policy: All uses of social media technologies by HHS shall conform to the following Federal Government-wide policies and guidelines and HHS policies:
1- Terms of Service (TOS) for use of social media technologies must reflect those specifically negotiated for the Federal government by the General Services Administration if any: http://www.usa.gov/webcontent/resources/tools/TOSagreements.shtml;
2- Prohibited uses of social media technologies are similar to any other media in the Federal government: http://www.usoge.gov/;
3- Information Technology Security risks associated with use of social media technologies are manageable within a defense-in-depth strategy described by the Federal CIO Council in the Guidelines for Secure Use of Social Media by Federal Departments and Agencies Version 1.0: (http://www.cio.gov/Documents/Guidelines_for_Secure_Use_Social_Media_v01-0.pdf);
4- Information Technology Security policies and standards to implement a defense-in-depth strategy are numerous and include the HHS-OCIO Policy for Information Systems Security and Privacy, the HHS Standard for Managing Outbound Web Traffic, the HHS Rules of Behavior and the HHS-OCIO Policy for Personal Use of Information Technology Resources: http://www.hhs.gov/ocio/policy. Where implementation of HHS IT security policies and standards is observed to be incomplete, access to social media technologies may be enabled by establishing a network segment that is logically and physically separated from the HHS network backbone;
5- Development and operations of systems that use social media technologies continue to be subject to various technology, project, and governance risk management strategies including HHS-OCIO Policy for Capital Planning and Investment Control, HHS-OCIO Policy for Management of the Enterprise IT System Inventory, HHS-OCIO IT Policy for Enterprise Architecture (EA), and HHS-OCIO Policy for Enterprise Performance Life Cycle: http://www.hhs.gov/ocio/policy;
6- Privacy notifications to users of social media technologies are similar to any other information system and shall be made in conformance with existing policy: http://www.hhs.gov/Privacy.html;
7- Records Management requirements for social media technologies are similar to any other information system and shall be in conformance with existing policy: http://www.hhs.gov/ocio/policy/policydocs/2007-0004.001.doc; and http://www.newmedia.hhs.gov/standards/.
Bandwidth: HHS Operating and Staff Divisions must prioritize the use of social media technologies among all other demands for telecommunications bandwidth based upon mission accomplishment. This will entail engineering acceptable utilization rates, including accommodation of peak loads and avoidance of disruption of operations.
Applicability: This policy applies to all HHS components and all those retained to perform services on behalf of HHS under contract, grant, or other agreement.
Labor Management Relations: Requirements stated in this Policy are consistent with law, regulations, and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units. The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled “Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.” It is HHS’ policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
Contact: Questions, comments or suggestions about this policy are welcomed by the Deputy Assistant Secretary for Information Technology, who serves as the HHS CIO, at https://ocioportal.hhs.gov/public/feedback/default.aspx or by phone at (202) 690-6162.
Effective Date: The effective date of this Policy is the date the Policy is approved.
Issuance: This Policy is a first issuance.
March 31, 2010
Michael W. Carleton
HHS Chief Information Officer