
Policy-HHS-OCIO-2010-0006

1. Purpose
2. Background
3. Scope
4. Policy
   4.1 Government-wide Controls
   4.2 Department-wide Controls
   4.3 OPDIV/STAFFDIV Controls
5. Roles and Responsibilities
   5.1 Secretary of HHS
   5.2 OPDIV Heads
   5.3 Office of Financial Resources (OFR)/Assistant Secretary for Financial Resources (ASFR)/Chief Financial Officer (CFO)
   5.4 Office of Financial Resources (OFR)/Assistant Secretary for Financial Resources (ASFR)/Office of Grants and Acquisition Policy and Accountability (OGAPA)/Division of Acquisition (DA)
   5.5 Office of the Assistant Secretary for Administration/Program Support Center (PSC)/Administrative Operations Service (AOS)
   5.6 Office of Security and Strategic Information (OSSI)
   5.7 Office of the Assistant Secretary for Administration (ASA)/Deputy Assistant Secretary for Human Resources (DASHR)
   5.8 Assistant Secretary for Administration (ASA)/Deputy Assistant Secretary for Information Technology (DASIT)/HHS Chief Information Officer (CIO)
   5.9 Senior Agency Official for Privacy (SAOP)
   5.10 Office of Information Technology Security (OITS)/HHS Chief Information Security Officer (CISO)
   5.11 OPDIV Chief Information Officers (CIOs)
   5.12 OPDIV Chief Information Security Officers (CISOs)
   5.13 HHS Computer Security Incident Response Center (CSIRC)
   5.14 OPDIV Computer Security Incident Response Team (CSIRT)
   5.15 HHS Breach Response Team (BRT)
   5.16 OPDIV Senior Official for Privacy (SOP)
   5.17 Authorizing Official (AO) or Authorizing Official Designated Representative
   5.18 Certification Agent (CA)
   5.19 Information System Security Officer (ISSO)
   5.20 Program Executives
   5.21 System Owners
   5.22 Data Owner/Business Owner
   5.23 Contingency Planning Coordinator
   5.24 System Developers and Maintainers
   5.25 System/Network Administrators
   5.26 Contracting Officers and Contracting Officer’s Technical Representatives
   5.27 Project/Program Managers
   5.28 Human Resource Officers
   5.29 Supervisors
   5.30 Federal Employees and Contractors
   5.31 HHS Records Officer
6. Applicable Laws/Guidance
   6.1 Federal Directives and Policies
   6.2 Statutes
   6.3 HHS Policy
   6.4 OMB Policy and Memoranda
   6.5 NIST Guidance
7. Information and Assistance
8. Effective Date/Implementation
9. Approved
Glossary
Appendix A: Reserved
Appendix B: Acronyms

Nature of Changes

The following revisions are made in the September 22, 2010, issuance of the HHS-OCIO-2010-0006.001, HHS-OCIO Policy for Information Systems Security and Privacy.

 

  1. The Table of Contents was changed to reflect editorial and page number changes.
  2. The entire document was changed to reflect editorial and administrative updates.
  3. New footnotes were added to reflect updated or new references and/or to provide further information for clarity.
  4. Section 1 was changed to reflect that this Policy is a reissuance.
  5. Section 3 was changed to add references to the Health Information Technology Economic and Clinical Health (HITECH) Act, and to include correct contact for questions regarding the HIPAA Security Rule and the HIPAA Privacy Rule per “Office for Civil Rights; Delegation of Authority,” 74 Federal Register 148 (August 4, 2009), pp. 38630 and updated Department Information Security Policy/Standard Waiver Request Form.
  6. 74 Federal Register 38630 (August 4, 2009). Section 3 was also changed to include new terminology from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision (Rev.) 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, dated February 2010.
  7. Section 4.1 changed to address NIST SP 800-53 Rev. 3 and NIST SP 800-37 Rev. 1 updated references and new terminology. 
  8. Section 4.2 changed to address NIST SP 800-53 Rev. 3 and NIST SP 800-37 Rev. 1 updated references and new terminology. 
  9. Section 5.1 changed to address NIST SP 800-37 Rev. 1 updated references and new terminology. Minor change to Section 5.16 wording. Policy/requirements traceability was updated.
  10. Section 5.2 changed to address the HHS Secretary’s Memorandum: Security of Information Technology Systems, dated November 10, 2009, corrected FISMA reference, and added privacy requirements.
  11. Sections 5.3 and 5.4 changed per “Office of Assistant Secretary for Administration and Management and Office of the Assistant Secretary for Resources and Technology; Statement of Organization, Functions, and Delegations of Authority,” 215 Federal Register 74 (November 9, 2009), pp. 57679 – 57682.
  12. Section 5.5 added per 215 Federal Register 74 (November 9, 2009), pp. 57679 – 57682.
  13. Section 5.6 updated per “Statement of Organization, Functions, and Delegations of Authority,” 72 Federal Register 72 (April 16, 2007), pp. 19000 – 19001, and updated language per the HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010, and has an updated policy/requirements traceability section.
  14. Section 5.7 changed to update policy/requirements traceability per Federal Register reference 74 FR 57679 – 57682 (November 09, 2009).
  15. Section 5.8 updated per Federal Register reference 74 FR 57679 – 57682 (November 09, 2009), and changed to address HHS Secretary’s Memorandum: Security of Information Technology Systems, NIST SP 800-37 Rev. 1, and the HHS OCIO Memorandum: Resolving Security Audit Disputes, dated May 13, 2010.
  16. Section 5.9 changed to update language for the E-Government Act and Privacy Impact Assessments, incorporate new roles and responsibilities per OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, and OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, and has an updated policy/requirements traceability section.
  17. Section 5.10 updated per “Office of Resources and Technology; Statement of Organization, Functions and Delegations of Authority,” 73 Federal Register 106 (June 2, 2008), pp. 31486 – 31487, NIST SP 800-37 Rev. 1, and the HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response.
  18. Section 5.11 updated per HHS Secretary’s Memorandum: Security of Information Technology Systems, HHS OCIO Memorandum, Process Guidance for Security Risk-Based Decisions Involving the Primary Operational Information Technology Infrastructure Managers, dated May 13, 2010, HHS OCIO Memorandum: Resolving Security Audit Disputes, dated May 13, 2010, and the HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010.
  19. Section 5.12 updated per HHS Secretary’s Memorandum: Security of Information Technology Systems, HHS OCIO Memorandum, Process Guidance for Security Risk-Based Decisions Involving the Primary Operational Information Technology Infrastructure Managers, dated May 13, 2010, and HHS OCIO Memorandum: Resolving Security Audit Disputes, dated May 13, 2010.
  20. Section 5.13 updated per HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010.
  21. Section 5.14 added and includes information from the HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010.
  22. Section 5.15 added and includes information from the HHS Policy for Responding to Breaches of Personally Identifiable Information (PII), dated November 17, 2008.
  23. Section 5.16 updated to add new information on System of Records Notices, include OMB policy references, and an updated policy/requirements traceability section.
  24. Section 5.17 updated to add new terminology per NIST SP 800-53 Rev. 3 and NIST SP 800-37 Rev. 1, and updated the policy/requirements traceability section.
  25. Section 5.18 updated per NIST SP 800-37 Rev. 1, and updated policy/requirements traceability.
  26. Section 5.19 updated security controls with privacy language.
  27. Section 5.20 updated security controls with privacy language, and additional responsibility for equipment removal and transfer of custody.
  28. Section 5.21 changed per 215 Federal Register 74 (November 9, 2009), pp. 57679 – 57682, and updated security controls with privacy language and additional responsibility for equipment removal and transfer of custody.
  29. Section 5.22 updated security controls with privacy language.
  30. Section 5.23 updated security controls with privacy language and reference was updated to NIST SP 800-34 Rev. 1.
  31. Section 5.24 updated security controls with privacy and Enterprise Performance Lifecycle language.
  32. Section 5.25 changed to add HHS Information Security Program Rules of Behavior for Use of Technology Resources and Information (HHS RoB), and updated security controls with privacy language.
  33. Section 5.26 updated security controls with privacy language and updated policy/requirements traceability.
  34. Section 5.27 updated security controls with privacy language.
  35. Section 5.28 updated security controls with privacy language.
  36. Section 5.29 updated security controls with privacy language, and updated policy/requirements traceability.
  37. Section 5.30 changed to add HHS RoB information and has updated security controls with privacy language. Section 5.30.15 was changed to add an additional POC.
  38. Section 5.31 added per the HHS-OCIO Policy for Machine-Readable Privacy Policies, dated January 28, 2010.
  39. Section 6 updated with applicable laws and guidance to include updated references to reflect new revisions.
  40. Appendix A updated with new glossary terms or an update to alphabetical order and updated references to reflect new revisions or versions.
  41. Appendix B updated with new acronyms.

 

The following revisions are made in the September 22, 2010, issuance of the HHS-OCIO-2010-0006.001, HHS-OCIO Policy for Information Systems Security and Privacy Handbook.

 

  1. Table of Contents changed to reflect editorial and page number changes.
  2. The entire document was changed to reflect editorial and administrative updates.
  3. New footnotes were added where there is an updated or new reference and/or where further information was needed to provide clarity.
  4. Introduction changed to incorporate updates from NIST SP 800-53 Rev. 3.
  5. Section 1.1 changed to reference HHS-OCIO Policy for Capital Planning and Investment Control, dated February 26, 2010.
  6. Section 1.2 changed to incorporate updates from NIST SP 800-53 Rev. 3, NIST SP 800-37 Rev. 1, and additions to the policy/requirements traceability section.
  7. Section 1.3 changed to incorporate updates from NIST SP 800-53 Rev. 3, and the new HHSAR.
  8. Section 1.6 changed to incorporate updates from NIST SP 800-53 Rev. 3, and updated policy/requirements traceability section.
  9. Section 1.7 changed to incorporate updates from NIST SP 800-53 Rev. 3, updated policy/requirements traceability section to include updated references to reflect new revisions, and reworded to clarify between primary and alternate sites.
  10. Section 1.8 changed to incorporate updates from NIST SP 800-53 Rev. 3, and updated policy/requirements traceability section.
  11. Section 1.9 changed to incorporate updates from NIST SP 800-53 Rev. 3, updates from the HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, and updated policy/requirements traceability section.
  12. Section 1.11 changed to incorporate privacy updates, and an updated policy/requirements traceability section to include updated references to reflect new revisions.
  13. Section 1.12 added per OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, dated June 25, 2010, and OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, dated June 25, 2010.
  14. Section 1.13 changed to incorporate updates from NIST SP 800-53 Rev. 3 and NIST SP 800-37 Rev. 1, provide an updated policy/requirements traceability section, and changed policy reference numbers to reflect the new terminology.
  15. Section 1.15 changed to add PIA SOPs, and updates to reflect Privacy in the System Development Life Cycle.
  16. Section 1.16 changed to incorporate updates from NIST SP 800-53 Rev. 3 and NIST SP 800-37 Rev. 1.
  17. Section 1.19 updated to render product names more generic.
  18. Section 1.20 changed to incorporate updates from NIST SP 800-53 Rev. 3, and add a reference for HHS OCIO Memorandum: OIG Management Implication Report – Need for the Department to Adopt a Standardized Information Technology Banner that Complies with Federal Law, dated November 25, 2009.
  19. Section 1.21 changed to incorporate updates from NIST SP 800-53 Rev. 3.
  20. Section 1.22 changed to incorporate updates from NIST SP 800-53 Rev. 3.
  21. Section 1.23 changed to incorporate updates from NIST SP 800-53 Rev. 3.
  22. Section 1.24 changed to incorporate updates to media sanitization and policy/requirements traceability.
  23. Section 1.25 changed to incorporate updates from NIST SP 800-53 Rev. 3.
  24. Section 1.26 changed to incorporate updates from NIST SP 800-53 Rev. 3.
  25. Section 1.29 changed to incorporate updates from NIST SP 800-53 Rev. 3.
  26. Section 1.32, Network Monitoring, added and incorporates updates from NIST SP 800-53 Rev. 3.
  27. Section 1.33, Program Management, added and incorporates updates from NIST SP 800-53 Rev. 3.
  28. Section 2.1 changed to incorporate updates from NIST SP 800-53 Rev. 3.
  29. Section 2.4 changed to incorporate updates from NIST SP 800-53 Rev. 3, and the HHS Standard: Security Content Automation Protocol (SCAP)-compliant Tools, dated June 8, 2010.
  30. Section 2.5 changed to incorporate updates from NIST SP 800-53 Rev. 3. S-PSWD.3 removed. This section has been renumbered accordingly.
  31. Section 2.6 changed to incorporate updates from NIST SP 800-53 Rev. 3 and the HHS Memorandum: Updated Departmental Standard for the Definition of Sensitive Information, dated May 18, 2009.
  32. Section 2.7 changed to incorporate updates from NIST SP 800-53 Rev. 3.
  33. Section 2.8 changed to incorporate updates from NIST SP 800-53 Rev. 3 and to clarify the type of data to be encrypted.
  34. Section 2.9 changed to add a policy/requirements traceability section.
  35. Section 2.15 changed to add the HHS Standard for IEEE 802.11 WLAN as well as a policy/requirements traceability section.


The Department of Health and Human Services, Office of the Chief Information Officer, HHS-OCIO Policy for Information Systems Security and Privacy (henceforth “the Policy”) provides direction to the information technology (IT) security programs of Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs) for the security and privacy of HHS data in accordance with the Federal Information Security Management Act of 2002 (FISMA).[1]

 

The Policy is a reissuance, establishing comprehensive IT security and privacy requirements for the IT security programs and information systems of OPDIVs and STAFFDIVs. Included as an appendix to the Policy is a complementary HHS-OCIO Policy for Information Systems Security and Privacy Handbook (henceforth “the Handbook”). The Handbook outlines IT security and privacy policy requirements for IT security and privacy programs and information systems in more detail, and is organized according to information assurance (IA) control families to make the document easy to use and scalable for the future. 

 

The Policy supersedes the HHS-OCIO-2009-0003 Policy for Information Systems Security and Privacy, dated June 25, 2009. This document does not supersede any other applicable law or higher level agency directive, policy, or guidance. All references noted below are subject to periodic revision, update and reissuance.

 

Furthermore, the authority of HHS-OCIO-2007-0002.001, Policy for Department-wide Information Security (dated September 24, 2007) has been transferred to the Policy and summarily retired. As such, the Policy codifies the Department’s authority to develop, document, implement, and oversee a Department-wide IT security and privacy program to provide IT security and privacy for the information and information systems that support the operations and assets of the Department, including those provided or managed by another Federal agency, contractor, or other source. OPDIVs and STAFFDIVs shall comply with and support the implementation of a Department-wide IT security and privacy program, to include compliance with Federal requirements and programmatic policies, standards, procedures, and IT security controls.

The HHS Information Security and Privacy Program (henceforth “the Program”) has evolved and matured over the last several years as new Federal requirements have been published, as advances in technology have been made, and as new threats to the Department’s infrastructure have emerged. Additionally, concerns over the unauthorized disclosure of protected health information (PHI) and personally identifiable information (PII) have placed IT security and privacy issues at the forefront of the national dialogue, positively impacting the way in which public, private, and government organizations provide services and protect information.

 

Since the release of the HHS Information Security Program Policy in July 2005, the Department has released individual policy statements, mainly in the form of standards and memoranda, in response to or in advance of these occurrences and concerns. This decentralized approach has made it increasingly challenging to trace Department requirements over the years. To better serve IT security and privacy stakeholders, the Department recognized the need to appropriately incorporate, cross-reference, and organize its IT security and privacy policy requirements in a manner that clearly explains the scope and applicability of the requirements. The format in which those requirements are presented should be scalable to accommodate the modification or addition of new requirements over time.

 

As a result, the Policy was developed to:

  • Incorporate privacy requirements and their relationship to IT security programs and systems; and
  • Incorporate or appropriately cross-reference individually released Department policies, standards, and memoranda.

This Policy applies to all HHS organizational components (i.e., OPDIVs and STAFFDIVs) and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. This Policy does not supersede any other applicable law, higher-level agency directive, or existing labor management agreement in place as of the effective date of this Policy. 

 

Department officials shall apply this Policy to employees, contractor personnel, interns and other non-government employees. All organizations collecting or maintaining information, or using or operating information systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this Policy shall be incorporated into applicable contract language, as appropriate. 

 

Agencies shall use this Policy or may create a more restrictive OPDIV/STAFFDIV policy, but not one that is less restrictive or comprehensive than, or less compliant with, this document.

 

The Policy does not apply to any network or system that processes, stores, or transmits foreign intelligence or national security information under the cognizance of the Special Assistant to the Secretary (National Security) pursuant to Executive Order (E.O.) 12333, United States Intelligence Activities, or subsequent orders. The Special Assistant to the Secretary (National Security) is the point of contact (POC) for issuing IT security and privacy policy and guidance for these systems. Furthermore, this Policy does not address the Health Information Technology Economic and Clinical Health (HITECH) Act or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) policy requirements. Questions about the HIPAA Security Rule and the HIPAA Privacy Rule should be directed to the HHS Office for Civil Rights per guidance issued August 3, 2009.[2]

 

The Department acknowledges that OPDIVs/STAFFDIVs require flexibility in implementing this policy. Variations in terminology may currently exist across the OPDIVs/STAFFDIVs (e.g., “configuration management” versus “change management”), and there may be variations in the titles of roles. These variations are acceptable. As such, OPDIVs/STAFFDIVs may utilize a phase-in period for compliance with this Policy, as necessary.

 

In cases in which an OPDIV/STAFFDIV cannot comply with these requirements, justification for noncompliance shall be documented using the Department Information Security Policy/Standard Waiver, dated July 16, 2010 (http://intranet.hhs.gov/infosec/policies_type.html).

Justification may also be documented in security artifacts, such as security plans,[3] which are subject to approval by the Authorizing Official (AO) (formerly known as the Designated Approving Authority) or authorizing official designated representative as part of an OPDIV/STAFFDIV security authorization process.


4.1            Government-wide Controls

This section addresses government-wide mandates for the secure development, operations, and maintenance of information systems in the context of the Department and its OPDIVs/STAFFDIVs.

4.1.1    OPDIVs/STAFFDIVs shall use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (dated February 2010), as the methodology for the security authorization of information systems (formerly known as “certification & accreditation” or “C&A”), in accordance with FISMA and direction from the Office of Management and Budget (OMB). 

4.1.2    To standardize minimum content requirements across the Department for security authorization documentation so that the documentation is consistent with the NIST SP 800-37 Revision 1 methodology, the Program created the HHS Minimum Requirements for Security Authorization Packages (see Section 3 of the Handbook).[4] OPDIVs/STAFFDIVs shall comply with Department minimum requirements when preparing security authorization packages for information systems.

4.1.3    OPDIVs/STAFFDIVs shall ensure that information systems provide adequate, risk-based protection in the control areas defined in Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems (dated March 2006), by using the appropriate baseline security controls as established in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems (dated August 2009), in accordance with the impact level for the system as defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (dated February 2004).

4.1.3.1    For instances in which NIST directs agencies to make assignments and selections within SP 800-53 Rev. 3, the Program created standard parameters (see Section 2 of the Handbook). OPDIVs/STAFFDIVs shall utilize these standard parameters, which are outlined for systems categorized as Low, Moderate, or High.[5]

4.1.3.2    Deviations from the HHS assignments and selections within Section 2 of the Handbook are permitted providing the resulting parameters are consistent with NIST SP 800-53 Rev. 3 or minimum government-wide parameters. Exceptions cannot be granted to the controls themselves as they are Federal Government-wide standards; however, compensating control policy applies (see Section 4.1.6).

4.1.3.3    OPDIVs/STAFFDIVs may exercise flexibility in the solutions used to meet the control requirement, so long as the baseline requirement is met.

4.1.4    Information assurance and privacy activities conducted within the Department shall be consistent with the guidance, methodologies, and intent prescribed by the NIST SP series, in particular NIST SP 800-53 Rev. 3 and NIST SP 800-53A Revision 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, and other relevant Federal laws and guidance documents. It is incumbent upon each OPDIV to appropriately follow the steps in the NIST SP 800-37 Rev. 1 Risk Management Framework (RMF) to select, implement, assess, authorize, and monitor such controls commensurate with a system’s FIPS 199 categorization.

4.1.5    As new Federal requirements are published, OPDIVs/STAFFDIVs shall ensure that systems that are in development comply with those newly published requirements before those systems are granted a security authorization, and that existing (i.e., operational) systems comply with the new requirements within one year, unless otherwise stated. 

4.1.5.1    If a new Federal requirement cannot be implemented on a development system before the system is granted a security authorization, the Information System Security Officer (ISSO), Certification Agent (CA),[6] or System Owner shall bring this issue to the attention of the AO or authorizing official designated representative when the final security authorization package is delivered. In the security authorization package, the AO or authorizing official designated representative shall explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

4.1.5.2    If a new Federal requirement cannot be implemented on an operational system, the ISSO, CA, or System Owner shall bring this to the attention of the AO or authorizing official designated representative. The AO or authorizing official designated representative shall acknowledge the gap in the form of a Plan of Action Milestones (POA&M), and shall either indicate an anticipated time period when the requirement will be met or document the risk-based decision not to comply with the requirement.  

4.1.6    OPDIVs/STAFFDIVs shall employ compensating controls only under the following conditions:

4.1.6.1    The OPDIV/STAFFDIV selects the compensating controls from the security control catalog in NIST SP 800-53 Rev. 3;

4.1.6.2    The OPDIV/STAFFDIV develops a complete and convincing rationale and justification for how the chosen compensating controls provide an equivalent security capability or level of protection for the information system; and

4.1.6.3    The OPDIV/STAFFDIV assesses and formally accepts (i.e., in writing) the risk associated with employing the compensating controls in the information system.

4.1.7    OPDIVs/STAFFDIVs shall review the use of compensating controls, document those controls in the security plan and other appropriate security documentation for the information system, and request approval of those controls from the AO or authorizing official designated representative for the information system.

 

4.2            Department-wide Controls

This section outlines Department-wide controls applicable to OPDIV/STAFFDIV IT security and privacy programs and information systems. 

4.2.1    To establish HHS minimum requirements for IT security and privacy programs within the OPDIVs/STAFFDIVs and to address common system security control questions that fall outside the scope of NIST SP 800-53 Rev. 3, the Program established the Handbook as a complementary appendix to this Policy. OPDIVs/STAFFDIVs shall apply the controls in the Handbook to their IT security and privacy programs and to their information systems, as appropriate.

4.2.2    Compensating controls for Department-wide system-level controls shall be employed only under the following conditions:

4.2.2.1    The OPDIV/STAFFDIV selects the compensating controls from the security control catalog in NIST SP 800-53 Rev. 3, when applicable;

4.2.2.2    The OPDIV/STAFFDIV develops a complete and convincing rationale and justification for how the chosen compensating controls provide an equivalent security capability or level of protection for the information system; and

4.2.2.3    The OPDIV/STAFFDIV assesses and formally accepts (i.e., in writing) the risk associated with employing the compensating controls in the information system. 

4.2.3    OPDIVs/STAFFDIVs shall review the use of compensating controls for Department-wide system-level controls, document the compensating controls in the security plan and other appropriate security documentation for the information system, and request approval of the compensating controls from the AO or authorizing official designated representative for the information system.

 

4.3            OPDIV/STAFFDIV Controls

This section sets the authority of the OPDIVs/STAFFDIVs to develop their own security controls for information systems.

 

4.3.1    OPDIVs/STAFFDIVs may decide whether to issue any additional OPDIV/STAFFDIV-wide security controls for OPDIV/STAFFDIV information systems to augment the government- and Department-wide controls specified herein. OPDIVs/STAFFDIVs shall ensure that parameters are established and documented for each parameterized control, unless set by the Department.

4.3.2    OPDIVs/STAFFDIVs may develop system-specific security controls and parameters. When needed and/or appropriate, it is an OPDIV/STAFFDIV decision whether to set parameters OPDIV/STAFFDIV-wide, on a system-by-system basis, or some combination thereof.

5.1            Secretary of HHS

The responsibilities of the Secretary of HHS include, but are not limited to:  

5.1.1       Ensuring that a Department-wide IT security and privacy program is developed, documented, and implemented to provide security for all systems, networks, and data that support department operations;

5.1.2       Ensuring that IT security and privacy management processes are integrated with HHS strategic and operational planning processes;

5.1.3       Ensuring the provision of resources necessary to administer the Program;

5.1.4       Protecting information systems and data by allocating resources commensurate with the risk and magnitude of harm posed by unauthorized access, modification, disclosure, disruption, use, and/or destruction; or as recommended by law;

5.1.5       Ensuring that senior HHS officials provide IT security and privacy for operations and IT resources under their control;

5.1.5.1    Delegating to the HHS Chief Information Officer (CIO) the authority to ensure compliance with the Program;

5.1.5.2    Ensuring that HHS has trained Federal and contractor personnel to support compliance with the Program; and

5.1.5.3    Ensuring that the HHS CIO, in coordination with the OPDIV CIOs, reports annually on the effectiveness of the Program and on any required remedial actions.

5.1.6       Establishing, through the development and implementation of policies, the organizational commitment to information security and the actions required to effectively manage risk and protect the core missions and business functions being carried out by the organization; and

5.1.7       Establishing appropriate accountability for information security and providing active support and oversight of monitoring and improvement for the information security program.

Policy/Requirements Traceability: OMB Circular A-130, Management of Federal Information Resources; and NIST SP 800-37 Rev.1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach


5.2            OPDIV Heads

The responsibilities of each OPDIV Head include, but are not limited to:

5.2.1       Providing IT security and privacy protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the following:

5.2.1.1    Information collected or maintained by or on behalf of the OPDIV; and

5.2.1.2    Information systems used or operated by the OPDIV, a contractor of the OPDIV, or another organization on behalf of the OPDIV.

5.2.2       Complying with the requirements of FISMA (Title III of the E-Government Act) and Department-related policies, procedures, standards, and guidelines, including:

5.2.2.1    IT security and privacy requirements promulgated under OMB Circular A-130, Appendix III; and

5.2.2.2    IT security and privacy standards and guidelines issued by OMB in accordance with NIST guidance, including Presidential Directives such as Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors;

5.2.3       Ensuring that IT security and privacy management processes are integrated with OPDIV strategic and operational planning processes;

5.2.4       Ensuring that senior OPDIV officials provide IT security and privacy for the information and information systems that support the operations and assets under their control;

5.2.5       Designating a senior OPDIV official as the OPDIV CIO, and delegating to the OPDIV CIO the authority to ensure compliance with the security requirements imposed on the OPDIV under FISMA;

5.2.6       Delegating responsibility and authority for management of OPDIV IT security programs to the OPDIV CIOs;[7] 

5.2.7       Ensuring that the OPDIV has trained personnel sufficiently to assist the OPDIV in complying with the security requirements under FISMA and department policies; and

5.2.8       Ensuring that the OPDIV CIO, in coordination with other senior OPDIV officials, reports annually to the OPDIV Head on the effectiveness of the OPDIV IT security and privacy program, including the progress of any remedial actions.

Policy/Requirements Traceability: OMB Circular A-130, Management of Federal Information Resources; and Federal Continuity Directive 1 (FCD 1) (dated February 2008)


5.3            Office of Financial Resources (OFR)/Assistant Secretary for Financial Resources (ASFR)/Chief Financial Officer (CFO)

The responsibilities of the ASFR/CFO include, but are not limited to:

5.3.1       Coordinating the Department’s internal controls program to ensure comprehensiveness and to establish responsibility for uniform security-level designations for the financial management system according to the guidelines of OMB Circular A-127, Financial Management Systems; and

5.3.2       Targeting/selecting entities to be reviewed per OMB Circular A-123, Management's Responsibility for Internal Control, applying risk-based, business-driven logic to maximize the effectiveness of the evaluations.

Policy/Requirements Traceability: OMB Memorandum (M)-96-20, Implementation of the Information Technology Management Reform Act of 1996; and 215 FR 57679 (dated November 9, 2009)


5.4            Office of Financial Resources (OFR)/Assistant Secretary for Financial Resources (ASFR)/Office of Grants and Acquisition Policy and Accountability (OGAPA)/Division of Acquisition (DA)

The responsibilities of the ASFR/OGAPA/DA include, but are not limited to:

5.4.1       Partnering with the HHS CIO and the Program to develop and implement IT security and privacy-related contract clauses for incorporation in all current and future contracts; and

5.4.2       Ensuring that contracting officers (COs) enforce the requirements of IT security and privacy clauses.

Policy/Requirements Traceability: Federal Acquisition Regulation (FAR); Health and Human Services Acquisition Regulation (HHSAR); and 215 FR 57679 (dated November 9, 2009)


5.5            Office of the Assistant Secretary for Administration/Program Support Center (PSC)/Administrative Operations Service (AOS)

The responsibilities of the ASA/PSC/AOS include, but are not limited to:


5.5.1       Developing policies and procedures and providing guidance, in the HHS Logistics Management Manual (LMM), on the accountability, inventory, and disposition of sensitive equipment and other personal property containing sensitive and privacy information.


Policy/Requirements Traceability: HHS Logistics Management Manual (LMM); and 215 FR 57679 (dated November 9, 2009)


5.6            Office of Security and Strategic Information (OSSI)

The responsibilities of OSSI include, but are not limited to:

5.6.1        Providing overall leadership for the development, coordination, application, and evaluation of all policies and activities within the Department that relate to physical and personnel security, the security of classified information, and the exchange and coordination of national security-related strategic information with other Federal agencies and the national security community, including national security-related relationships with law enforcement organizations (LEOs) and public safety agencies;

5.6.2        Providing current and timely intelligence or national security information to the HHS Computer Security Incident Response Center (CSIRC), OPDIV CSIRCs, and other key personnel responsible for incident response;

5.6.3        Ensuring communications security, including secure telecommunications equipment and classified information systems, for the discussion and handling of classified information in support of the detection of, defense against, and response to security and privacy vulnerabilities, threats, and incidents;

5.6.4    Protecting employees and visitors and Department-owned and -occupied critical infrastructure;

5.6.5    Assuring the integration of strategic medical, public health, biomedical and national security information;

5.6.6    Managing and administering the flow of classified information;

5.6.7    Providing national security information services to all components within the Office of the Secretary (OS); and

5.6.8    Approving visits by a foreign national to any HHS laboratory or other facility designated as Critical Infrastructure.

Policy/Requirements Traceability: 72 FR 19000 (dated April 16, 2007); Personnel Security/Suitability Handbook (dated February 1, 2005); and HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response (dated April 5, 2010)


5.7            Office of the Assistant Secretary for Administration (ASA)/Deputy Assistant Secretary for Human Resources (DASHR)

The responsibilities of the Deputy Assistant Secretary for Human Resources include, but are not limited to:

5.7.1       Partnering with the HHS CIO and OPDIVs to develop, implement, and oversee personnel security controls for access to sensitive data and for the system administrators who operate critical systems; and

5.7.2       Ensuring that personnel officers notify the OPDIV Information System Security Officer (ISSO), or designated POC for physical and logical access controls, of an employee’s separation within one business day.

Policy/Requirements Traceability: FISMA and 215 FR 57679 (dated November 9, 2009)


5.8            Assistant Secretary for Administration (ASA)/Deputy Assistant Secretary for Information Technology (DASIT)/HHS Chief Information Officer (CIO)[8]

The responsibilities of the HHS CIO include, but are not limited to:

5.8.1       Primary responsibility and authority for management of the Department’s IT security program;[9]

5.8.2       Performing the Risk Executive function for the Department;[10]

5.8.3       Ensuring HHS compliance with Federal regulations and FISMA IT security and privacy program implementation requirements;

5.8.4       Ensuring the development and maintenance of a Department-wide IT security and privacy program to include the development and implementation of policies, standards, procedures, and IT security controls;

5.8.5       Requiring the development and implementation of protections for HHS information and information systems commensurate with the risk and magnitude of harm posed by unauthorized access, modification, disclosure, disruption, use, and/or destruction, or as recommended by law;

5.8.6       Ensuring the dissemination of Department-wide IT security and privacy policy for OPDIV review and comment;

5.8.7       Reporting annually, in coordination with OPDIV/STAFFDIV Heads, to the Secretary of HHS on the effectiveness of the Program, including progress of remedial actions;

5.8.8       Appointing the HHS CISO to fulfill the responsibilities of the CIO in developing and maintaining a Department-wide IT security and privacy program;

5.8.9       Defining and establishing the minimum security control requirements in accordance with data sensitivity and system criticality;

5.8.10     Preparing any report that may be required of HHS to satisfy the reporting requirements of OMB Circular A-130 and FISMA;

5.8.11     Coordinating with the Secretary of HHS to ensure the provision of resources necessary to administer the Program;

5.8.12     Providing advice and assistance to OS and other senior management personnel to ensure that information resources are acquired and managed for the Department in accordance with the goals of the Capital Planning and Investment Control (CPIC) process;

5.8.13     Providing leadership for developing, promulgating, and enforcing agency information resource management policies, standards, and guidelines, and for procedures on data management, enterprise performance lifecycle (EPLC) management, security, telecommunications, IT reviews, and other related areas;

5.8.14     Establishing, implementing, and enforcing a Department-wide framework to facilitate an incident response program, ensuring proper and timely reporting to the United States Computer Emergency Readiness Team (US-CERT); 

5.8.15     Establishing a Department-wide framework to facilitate the development of Privacy Impact Assessment (PIA) Summaries for all Department systems, as instructed by OMB;

5.8.16     Primary authority to resolve any disputes from OIG reviews and audits that cannot be resolved at the OPDIV level;[11] 

5.8.17     Overseeing personnel with significant responsibilities for information security and ensuring that the personnel are adequately trained;

5.8.18     Assisting senior organizational officials concerning their security responsibilities;

5.8.19     Reporting annually, in coordination with other senior officials, to the head of the Federal agency on the overall effectiveness of the organization’s information security program, including progress of remedial actions; 

5.8.20     Determining, based on organizational priorities, the appropriate allocation of resources dedicated to the protection of the information systems supporting the organization's missions and business functions.

The HHS CIO (as the Department’s risk executive), with the support of the HHS Chief Information Security Officer (CISO), works closely with authorizing officials and their designated representatives in:

5.8.21     Ensuring an organization-wide information security program is effectively implemented resulting in adequate security for all organizational information systems and environments of operation for those systems;

5.8.22     Ensuring information security considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, and acquisition/system development life cycles;

5.8.23     Ensuring information systems are covered by approved security plans and are authorized to operate;

5.8.24     Ensuring information security-related activities required across the organization are accomplished in an efficient, cost-effective, and timely manner; and

5.8.25     Ensuring a centralized process is in place for reporting appropriate information security-related activities.

Policy/Requirements Traceability: FISMA; OMB Circular A-130; Clinger-Cohen Act of 1996; 215 FR 57679 (November 9, 2009); and NIST SP 800-37 Rev.1


5.9            Senior Agency Official for Privacy (SAOP)

Within HHS, the CIO serves in the role of SAOP and acts as the breach response team (BRT) chair. The responsibilities of the SAOP include, but are not limited to:

5.9.1       Ensuring the proper implementation of information privacy protections, including full compliance with Federal laws, regulations, and policies relating to information privacy, such as the Privacy Act of 1974 (henceforth, “Privacy Act”) 5 U.S.C. Section 552a; and the E-Government Act of 2002;

5.9.2       Maintaining appropriate documentation regarding compliance with information privacy laws, regulations, and HHS policies;

5.9.3       Overseeing, coordinating, and facilitating the Department’s privacy compliance efforts, including reviewing documented information privacy procedures to ensure comprehensiveness and currency, and coordinating any necessary revisions;

5.9.4       Approving the Department’s submission of the Privacy Management portion of the annual FISMA report;

5.9.5       Coordinating privacy-related reporting activities as mandated by Federal legislation and OMB guidance;

5.9.6       Maintaining a central policy-making role in the Department’s development and evaluation of legislative, regulatory, and other policy proposals pertaining to information privacy issues, including those relating to the agency’s collection, use, sharing, and disclosure of personal information;

5.9.7       Designating responsibility for oversight of the PIA process to the OPDIV Senior Official for Privacy (SOP);

5.9.8       Establishing a framework to facilitate the development of PIA Summaries for all OPDIV systems, as instructed by OMB;

5.9.9       Ensuring PIAs are conducted for information systems and online collections, and coordinating submission of all Department PIA Summaries to OMB;

5.9.10     Reviewing and acknowledging the completion and accuracy of PIAs by designating PIAs as approved for Web publishing via the Department’s PIA reporting tool;

5.9.11     Allocating proper resources to permit identification and remediation of privacy weaknesses;

5.9.12     Ensuring the Department’s employees, contractors, and stakeholders receive appropriate privacy training;

5.9.13     Providing education programs regarding the information privacy laws, regulations, policies, and procedures governing the Department’s handling of PII;

5.9.14     Reviewing and approving any use of a multi-session Web measurement and customization technology that collects PII;

5.9.15     Providing the public with notice of proposed use of a multi-session Web measurement and customization technology that collects PII, and an opportunity to comment on the proposed use;

5.9.16     Reviewing the Department’s practices related to the use of Web measurement and customization technologies annually and making the results of the review available to the public; and

5.9.17     Being consulted during the planning, implementation, and post-implementation review of the use of a third-party Website or application.

Policy/Requirements Traceability: FISMA; OMB M-05-08, Designation of Senior Agency Officials for Privacy; OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies; and OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications


5.10       Office of Information Technology Security (OITS)/HHS Chief Information Security Officer (CISO)

The responsibilities of the HHS CISO[12] include, but are not limited to:

5.10.1     Providing management leadership in IT security policy and guidance, and expert advice and collaboration among OPDIVs and STAFFDIVs in developing, promoting, and maintaining IT security measures that adequately and cost-effectively protect and ensure the confidentiality, integrity, and timely availability of all data and information in the custody of the Department, as well as of the information systems required to meet the Department’s current and future business needs;

5.10.2     Assisting and advising the HHS CIO in the development, documentation, and implementation of the Program (e.g., issuing policy, maintaining situational awareness, and performing compliance oversight) in order to provide IT security and privacy safeguards for the electronic information and information systems that support the operations and assets of the Department, including those provided or managed by another Federal organization or bureau, contractor, or other source;

5.10.3     Ensuring that all IT resources are reviewed for compliance with established Department and external policies, standards, and regulations;

5.10.4     Monitoring OPDIV/STAFFDIV IT security program activities;

5.10.5     Fostering communication and collaboration among the Department’s security stakeholders to share knowledge and to better understand threats to Department information;

5.10.6     Carrying out the CIO security responsibilities under FISMA and overseeing the preparation of quarterly and annual FISMA reports;

5.10.7     Developing and implementing an IT security performance measurement program to evaluate the effectiveness of technical and non-technical IT security safeguards used to protect the Department’s information;

5.10.8     Coordinating requirements within the Office of Security for personnel clearances, position sensitivity, and access to information systems with the appropriate office;

5.10.9     Ensuring that all HHS-owned telephony equipment is provided with system and physical protection;

5.10.10   Implementing a security incident monitoring program for all systems and networks;

5.10.11   Disseminating information on potential security threats and recommended safeguards;

5.10.12   Ensuring, in coordination with the HHS CIO and ASFR/OGAPA/DA, that all IT acquisitions include Department security considerations;

5.10.13   Ensuring the Department-wide implementation of Federal policies and procedures related to IT security and privacy incident response;

5.10.14   Overseeing the HHS CSIRC and managing the resources that support HHS CSIRC operations;

5.10.15   Serving as the primary liaison for the CIO to the organization’s authorizing officials, information system owners, common control providers, and information system security officers;

5.10.16   Providing management and oversight of activities under IT critical information protection (CIP); and

5.10.17   Serving, as necessary, as authorizing official designated representative or security control assessor.

Policy/Requirements Traceability: FISMA; NIST SP 800-37 Rev. 1; and “Office of Resources and Technology; Statement of Organization, Functions and Delegations of Authority” 73 Federal Register 106 (dated June 2, 2008), pp. 31486 – 31487


5.11       OPDIV Chief Information Officers (CIOs)

The responsibilities of each OPDIV CIO involve providing leadership to activities including, but not limited to:

5.11.1     Reporting quarterly to the HHS CIO on the effectiveness of the OPDIV’s IT security and privacy program, including the progress of any remedial actions;

5.11.2     Appointing an OPDIV CISO to fulfill the responsibilities of the OPDIV CIO in maintaining the OPDIV IT security program;

5.11.3     Managing internal security reviews of the program business cases, alternatives analyses, and other specific investment documents;

5.11.4     Managing and certifying an inventory of all current and proposed investments containing an IT component in accordance with the CPIC process;

5.11.5     Ensuring that policies, procedures, and practices are consistent with Department requirements in order to ensure that systems, programs, and data are secure and protected from unauthorized access that might lead to the alteration, damage, or destruction of automated resources, unintended release of HHS data, and denial of service (DoS);

5.11.6     Ensuring that all employees and contractors comply with Department and OPDIV IT security and privacy policies;

5.11.7     Ensuring the establishment of a computer security incident response team (CSIRT) to participate in the investigation and resolution of incidents in the OPDIV;

5.11.8     Establishing, implementing, and enforcing an OPDIV-wide framework to facilitate an incident response program (including PII and PHI breaches) that ensures proper and timely reporting to HHS;

5.11.9     Managing an inventory of all major information systems, devices and other items per FISMA requirements and as required by OMB;

5.11.10   Ensuring mandatory security education and awareness is undertaken by all personnel using, operating, supervising, or managing computer systems;

5.11.11   Exercising primary responsibility and authority for management of the OPDIV’s IT security program;[13]

5.11.12   Serving as one of six primary operational IT infrastructure managers[14] (applies to the CIO for CDC, FDA, IHS, CMS, NIH, and OS/ASA). When an OPDIV CIO performs as a primary operational IT infrastructure manager, he/she is responsible for performing IT risk-management duties. Where an information system relies (or partially relies) on one of the six primary operational IT infrastructures, the associated IT infrastructure manager(s) must concur with the risk acceptance by also signing the security authorization package as the Authorizing Official; and  

5.11.13   Resolving any disputes from OIG reviews and audits at the OPDIV level, where possible. If disputes cannot be resolved, they shall be escalated to the HHS CIO.[15]

Policy/Requirements Traceability: FISMA; OMB Circular A-130; and Clinger-Cohen Act of 1996


5.12       OPDIV Chief Information Security Officers (CISOs)

The responsibilities of each OPDIV CISO include, but are not limited to:

5.12.1     Leading OPDIV IT security and privacy programs and promoting proper IT security and privacy practices;

5.12.2     Supporting the HHS CISO in the implementation of the Program;

5.12.3     Fostering communication and collaboration among the Department’s security stakeholders to share knowledge and to better understand threats to Department information;

5.12.4     Providing information about the OPDIV IT security policies to management and throughout the Department;

5.12.5     Providing advice and assistance to other organizational personnel concerning the security of sensitive data and of critical data processing capabilities;

5.12.6     Advising the OPDIV CIO about security breaches in accordance with the security breach reporting procedures developed and implemented by the Department and/or OPDIV;

5.12.7     Disseminating information on potential security threats and recommended safeguards;

5.12.8     Ensuring that roles with significant security responsibilities are identified and documented per the HHS Memorandum “Role-Based Training of Personnel with Significant Security Responsibilities,” dated October 3, 2007;

5.12.9     Conducting security education and awareness training needs assessments to determine appropriate training resources and to coordinate training activities for target populations;

5.12.10   Assisting System Owners in establishing and implementing the required security safeguards to protect computer hardware, software, and data from improper use or abuse;

5.12.11   Promoting requirements for personnel clearances, position sensitivity, and access to information systems with the appropriate office;

5.12.12   Ensuring OPDIV-wide implementation of Department and OPDIV policies and procedures that relate to IT security and privacy incident response;

5.12.13   Collaborating with the BRT Coordinator when the BRT Coordinator is engaging the OPDIV POC for information collection and clarification, and sitting on the HHS BRT while the breach is under investigation;

5.12.14   Coordinating with the OPDIV Senior Official for Privacy to ensure privacy implications are addressed when PII incident response activities occur within the OPDIV;

5.12.15   Supporting general privacy awareness and Role-Based Training activities for all personnel using, operating, supervising, or managing information systems; and

5.12.16   Establishing, documenting, and enforcing requirements and processes for granting and terminating all administrative privileges, including, but not limited to, those on servers, domains, and local workstations, and auditing these processes for effectiveness.[16]

Policy/Requirements Traceability: FISMA


5.13       HHS Computer Security Incident Response Center (CSIRC)

The responsibilities of the HHS CSIRC include, but are not limited to:

5.13.1     Establishing and maintaining a partnership with OPDIV CSIRTs to ensure the HHS CSIRC is aware of security and privacy vulnerabilities, threats, and incidents that may negatively impact the ability of the OPDIV and/or the Department to fulfill its mission and functions; 

5.13.2     Serving as the primary entity in the Department responsible for maintaining Department-wide operational IT security situational awareness and determining the overall IT security risk posture of HHS;

5.13.3     Serving as the lead organization for coordinating Department-wide cybersecurity information sharing, analysis, and response activities;

5.13.4     Reporting HHS IT security and privacy incidents to US-CERT; and

5.13.5     Serving as the Department's primary point of contact with US-CERT.

Policy/Requirements Traceability: HHS OCIO Policy for Information Technology Security and Privacy Incident Reporting and Response (dated April 5, 2010)


5.14       OPDIV Computer Security Incident Response Team (CSIRT)

The responsibilities of the OPDIV CSIRT include, but are not limited to:

5.14.1     Serving as the primary entity in the OPDIV responsible for maintaining OPDIV-wide operational IT security situational awareness and determining the overall IT security risk posture of the OPDIV;

5.14.2     Serving as the lead organization for coordinating OPDIV-wide cybersecurity information sharing, analysis, and response activities;

5.14.3     Reporting OPDIV IT security and privacy incidents to HHS CSIRC; and

5.14.4     Serving as the OPDIV's primary point of contact with HHS CSIRC.

Policy/Requirements Traceability: HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response (dated April 5, 2010)


5.15       HHS Breach Response Team (BRT)

The responsibilities of the HHS BRT include, but are not limited to:

5.15.1          Evaluating breaches or suspected breaches of PII and deciding which actions should be taken;

5.15.2          Providing input to and approving breach response activities for breaches involving PII not covered by HIPAA;

5.15.3          Assessing the responsible organization’s proposed course of action, risk assessments, response plan, and proposed notification activities; providing feedback; and making recommendations for improvement or course corrections in a timely manner;

5.15.4          Ensuring proper reporting, notification, and follow-up actions to stakeholders across relevant HHS organizational components when a breach involving PII occurs;

5.15.5          Working closely with the HHS Information Security and Privacy Program to coordinate Department response activities and data collection;

5.15.6          Referring HIPAA compliance breaches to HHS OCR or CMS Office of E-Health Standards and Services (OESS), as appropriate;

5.15.7          Notifying appropriate internal HHS stakeholders, including the following:  OPDIV Security Offices; HHS Records Officer; building physical security; the HHS Assistant Secretary for Preparedness and Response (ASPR); the Office of the Inspector General (OIG); HHS OCR; and CMS OESS; as well as appropriate external entities such as the United States Computer Emergency Readiness Team (US-CERT) and law enforcement; and

5.15.8          Providing notification and assessments of information breaches to the HHS Risk Management and Financial Oversight Board (RMFOB).

Policy/Requirements Traceability: HHS Policy for Responding to Breaches of Personally Identifiable Information (PII); and OMB M-08-10, Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA).


5.16       OPDIV Senior Official for Privacy (SOP)

The SOP title was extended by the Department to each OPDIV to effectively meet the reporting requirements outlined in OMB M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. The agency requirement for the title is outlined in OMB M-05-08, Designation of Senior Agency Officials for Privacy.

The responsibilities of the OPDIV SOP include, but are not limited to:

5.16.1     Supporting the Department SAOP in ad hoc privacy reporting activities as necessary, including the maintenance of and compliance with Presidential mandates and quarterly FISMA reporting activities;

5.16.2     Reviewing and approving the OPDIV FISMA and Privacy Management Report for submission to the Department;

5.16.3     Developing and supporting integration of Department privacy program initiatives into IT security practices, where applicable;

5.16.4     Establishing and implementing privacy policies, procedures, and practices consistent with Department privacy requirements, in coordination with the OPDIV CISO;

5.16.5     Coordinating OPDIV policy, guidance, and system-level documentation to ensure that Department management, technical, and operational privacy requirements are addressed;

5.16.6     Approving written requests for PII from personally owned or non-Department equipment in accordance with Handbook Section 2.10 Personally-Owned Equipment and Software, S-POES.4;

5.16.7     Obtaining contractual assurances from third parties to ensure that the third party will protect PII in a manner consistent with the privacy practices of the Department, in coordination with the OPDIV CISO and privacy stakeholders;

5.16.8     Reporting, in coordination with the OPDIV, to the HHS CIO/SAOP the effectiveness of the OPDIV privacy program, including weaknesses and the progress of remedial actions, as identified;

5.16.9     Establishing an OPDIV policy framework to facilitate the development and maintenance of PIAs for all systems based on department and Federal legislative requirements;

5.16.10   Tracking and maintaining all OPDIV PIA activities in the Department’s PIA reporting tool;

5.16.11   Reviewing completed OPDIV PIAs and attesting that they are adequately and accurately completed;

5.16.12   Promoting (i.e., escalating) OPDIV PIAs to the Department, and submitting completed OPDIV PIAs to the SAOP, or seeking revisions from the PIA author if errors are found;

5.16.13   Coordinating and ensuring that privacy education and awareness activities, specific to the OPDIV privacy culture, are established for all personnel using, operating, supervising, or managing computer systems;

5.16.14   Coordinating with OPDIV budgetary offices to ensure PIA and System of Records Notice (SORN) activities are included as part of Exhibit 300 development;

5.16.15   Coordinating with the OPDIV privacy contact to ensure that all required SORNs are completed and published in the Federal Register, and also on the hhs.gov Website;

5.16.16   Coordinating with OPDIV Privacy Act Coordinators to complete biannual SORN updates in accordance with OMB Circular A-130;

5.16.17   Making recommendations to the HHS CIO/SAOP and senior level officials with budgetary authority in order to allocate proper resources to identify and mitigate privacy weaknesses found in system PIAs;

5.16.18   Coordinating with HHS Website owners/administrators to ensure that Web-based privacy compliance requirements are met across the Department;

5.16.19   Coordinating with the OPDIV’s CSIRT and/or BRT concerning reports of the loss of control of PII; and

5.16.20   Coordinating with the Privacy Act Contact to:

5.16.20.1  Keep track of the location of Privacy Act records;

5.16.20.2  Approve/deny/track access to and amendments of records;

5.16.20.3  Ensure records are complete, accurate, timely and relevant;

5.16.20.4  Ensure that system users are made aware of their privacy responsibilities when accessing systems that contain personal information; and

5.16.20.5  Ensure data collection forms include a Privacy Act Notification Statement.

 

Policy/Requirements Traceability: OMB M-05-08, Designation of Senior Agency Officials for Privacy; HHS Policy for Responding to Breaches of Personally Identifiable Information (PII); HHS Policy for Privacy Impact Assessments (PIA); and FISMA.

5.17       Authorizing Official (AO) or Authorizing Official Designated Representative

The responsibilities of the AO or authorizing official designated representative[17] for systems and networks under his or her authority include, but are not limited to, the following:

5.17.1     Determining, through the security authorization process, whether to accept residual risks or to implement appropriate risk mitigation countermeasures, based on the analysis provided by the CA (or designee);

5.17.2     Making the final security authorization decision and signing the authorization decision document;

5.17.3     Ensuring that sensitive data is protected from unauthorized access in all forms, at rest or in transit;

 

Note: AOs or authorizing official designated representatives typically have budgetary oversight for an information system or are responsible for the mission or business operations supported by the system. Accordingly, AOs or authorizing official designated representatives should be in management positions with a level of authority commensurate with understanding and accepting such information system-related security risks. With the increasing complexity of missions/business processes, partnership arrangements, and the use of external/shared services, it is possible that a particular information system may involve multiple Authorizing Officials. If so, agreements should be established among the AOs or authorizing official designated representatives and documented in the security plan. In addition, an AO may designate a representative to help manage the portfolio of systems for which that AO or authorizing official designated representative is responsible and make decisions on behalf of the AO; however, responsibility for the portfolio of systems ultimately resides with the AO assigned to those systems.

 

5.17.6     Maintaining budgetary oversight for an information system or responsibility for the mission and/or business operations supported by the system;

5.17.7     Maintaining accountability, through the security authorization process, for the security risks associated with information system operations;

5.17.8     Providing written authorization accepting responsibility and risk for operating a system or application not in compliance with the HHS minimum standard; and

5.17.9     Determining (with the CIO), based on organizational priorities, the appropriate allocation of resources dedicated to the protection of the information systems supporting the organization's missions and business functions.

 

Policy/Requirements Traceability: OMB Circular A-130; NIST SP 800-37 Rev. 1; and NIST SP 800-53 Rev. 3.

5.18       Certification Agent (CA)[18]

The responsibilities of the CA include, but are not limited to, the following for systems and networks under his or her authority:

5.18.1     Assessing management, operational, and technical security controls employed within or inherited by an information system to evaluate the extent to which the controls are correctly implemented, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;

5.18.2     Complying with the assessment of all the Department’s systems and networks;

5.18.3     Ensuring the security authorization process is conducted in accordance with NIST guidance and OPDIV/STAFFDIV processes;

5.18.4     Reviewing the system security documentation and results of the security control assessments and providing the results of the security control assessment (the security assessment report) in writing to the authorizing official or authorizing official designated representative;

5.18.5     Providing an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation, and recommending corrective actions to address identified vulnerabilities;

5.18.6     Preparing the final security assessment report containing the results and findings from the assessment; and 

5.18.7     Conducting, prior to initiating the security control assessment, an assessment of the security plan to help ensure that the plan provides a set of security controls for the information system that meet the stated security requirements.

 

Policy/Requirements Traceability: FISMA and NIST SP 800-37 Rev. 1

 

5.19       Information System Security Officer (ISSO)

The responsibilities of each ISSO include, but are not limited to:

5.19.1     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches;

5.19.2     Ensuring that IT security notices and advisories are distributed to appropriate OPDIV personnel and that vendor-issued security patches are expeditiously installed;

5.19.3     Serving as an OPDIV focal point for IT security and privacy incident reporting and subsequent resolution;

5.19.4     Assisting the CISO in reviewing contracts for systems under the CISO’s control to ensure that IT security is appropriately addressed in contract language;

5.19.5     Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;

5.19.6     Maintaining the security documentation for systems under his or her purview, according to NIST SP 800-37 Rev. 1;

5.19.7     Ensuring NIST SP 800-53 Rev. 3 controls are appropriate to the system based on the FIPS 199 security categorization;

5.19.8     Assisting his or her System Owner, Data Owner/Business Owner, and OPDIV CISO in capturing all system weaknesses in the POA&M;

5.19.9     Reinforcing the concept of separation of duties by ensuring that no single individual has control of any critical process in its entirety per NIST SP 800-53 Rev. 3;

5.19.10   Participating in Department- and OPDIV-required security Role-Based Training;

5.19.11   Tracking all security education and awareness training conducted for personnel and contractors, as appropriate;

5.19.12   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO – in coordination with the system/network administrators – in ensuring that proper backup procedures exist for all system and network information;

5.19.13   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring logical access controls are in place that provide protection from unauthorized access, alteration, loss, and disclosure of information;

5.19.14   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO with ensuring account lockout controls are in place that limit the number of consecutive failed log-in attempts against a given system;

5.19.15   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring limits are established for the amount of time a session may be inactive before that session is timed out;

5.19.16   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring that security-event monitoring technologies are used for all systems and networks;

5.19.17   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in coordinating with Human Resources to manage physical and logical access controls for new and departing HHS employees and contractors;

5.19.18   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring all incoming and outgoing connections from Department networks to the Internet, intranet, and extranets are made through a firewall; and

5.19.19   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in analyzing audit logs with the frequency defined by the OPDIV CISO, and monitoring the types of assistance users request.

 

Policy/Requirements Traceability: FISMA and NIST SP 800-37 Rev. 1

5.20       Program Executives

The responsibilities of the Program Executives[19] include, but are not limited to:

5.20.1     Ensuring that systems and data that are critical to the Program’s mission receive adequate protection;

5.20.2     Determining, in coordination with the Data Owner/Business Owner and System Owner, appropriate security controls and identifying resources to implement those controls;

5.20.3     Coordinating system and data security requirements with IT security personnel by adequately delegating system-level security requirements;

5.20.4     Ensuring that security for each information system is planned, documented, and integrated into the EPLC from the information system’s initiation phase to the system’s disposal phase;

5.20.5     Ensuring adequate funding is provided to implement security requirements in the EPLC for systems that fall within the management authority of the Program Executive;

5.20.6     Signing off on the FIPS 199 security categorization;

5.20.7     Accepting reasonable risks, based on recommendations by the HHS CISO, OPDIV CISO, or OPDIV ISSO;

5.20.8     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches; and

5.20.9     Ensuring that sensitive information[20] and proprietary software are removed from IT equipment (including printers), hard drives, and other memory devices prior to those items being offered for disposal or when a transfer of custody occurs.

 

Policy/Requirements Traceability: FISMA

 

5.21       System Owners

The responsibilities of the System Owners[21] include, but are not limited to:

5.21.1     Coordinating with the COs and Contracting Officer’s Technical Representatives (COTRs), Project Officer/Manager, and CISO to ensure that the appropriate security contracting language from ASFR/OGAPA and other relevant sources is incorporated in each IT contract; 

5.21.2     Accepting accountability for the operation of a system(s) in support of the overall Program mission;

5.21.3     Processing systems at facilities and IT utilities (ITUs) that are certified at a level of security equal to or higher than the security level designated for their system;

5.21.4     Ensuring that information and system categorization has been established for their system(s) and data in accordance with FIPS 199;

5.21.5     Determining, in coordination with the Program Executive and Data Owner/Business Owner, appropriate security controls and identifying resources to implement those controls;

5.21.6     Consulting with the OPDIV CIO or OPDIV CISO to establish consistent methodologies for determining IT security costs for systems;

5.21.7     Ensuring that security for each information system is planned, documented, and integrated into the EPLC from the information system’s initiation phase to the system’s disposal phase;

5.21.8     Ensuring provision of adequate funding to implement the security requirements in the EPLC for systems that fall within the management authority of the Program Executive;

5.21.9     Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;

5.21.10   Conducting PIAs, in coordination with their respective OPDIV Senior Official for Privacy (SOP), on their system(s) if the system(s) is used to collect information on individuals, or when the Department develops, acquires, or buys new systems that collect PII;

5.21.11   Conducting assessments of the risk and magnitude of the harm that would result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the Department’s critical operations, at least annually;

5.21.12   Reviewing the security controls for their system(s) and network(s) when significant modifications are made to the system(s) and network(s), or at least every three years;

5.21.13   Ensuring that system weaknesses are captured in the POA&M and are updated according to the POA&M standard;

5.21.14   Ensuring that sensitivity and criticality levels have been established for their systems and data in accordance with NIST standards and guidelines;

5.21.15   Ensuring proper physical, administrative, and technical controls are in place to protect PII if found in the system;

5.21.16   Developing security plans for their system(s) and network(s);

5.21.17   Obtaining appropriate interconnection security agreements (ISAs) or memoranda of understanding (MOUs) prior to connecting with other systems and/or sharing sensitive data/information;

5.21.18   Developing system-specific rules of behavior (RoB) for systems under their responsibility;

5.21.19   Participating in Department- and OPDIV-required security role-based training;

5.21.20   Determining who should be granted access to the system and with what rights and privileges, and granting users the fewest possible privileges necessary for job performance in order to ensure privileges are based on a legitimate need;

5.21.21   Conducting annual reviews and validations of system users’ accounts to ensure the continued need for access to a system;

5.21.22   Enforcing the concept of separation of duties by ensuring that no single individual has control of the entirety of any critical process;

5.21.23   Ensuring that special physical security or environmental security requirements are implemented for facilities and equipment used for processing, transmitting, or storing sensitive information based on the level of risk;

5.21.24   Ensuring the development, execution, and activation of a system-to-system interconnection implementation plan for each instance of a system-to-system interconnection;

5.21.25   Serving as a POC for the system to whom privacy issues may be addressed;

5.21.26   Collecting, modifying, using, and/or disclosing the minimum PII necessary to accomplish mission objectives;

5.21.27   Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches; and

5.21.28   Ensuring that sensitive information[22] and proprietary software are removed from IT equipment (including printers), hard drives, and other memory devices prior to those items being offered for disposal or when a transfer of custody occurs.

 

Policy/Requirements Traceability: FISMA; NIST SP 800-37 Rev. 1; and NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model

 

5.22       Data Owner/Business Owner[23]

The responsibilities of Data Owner/Business Owner include, but are not limited to:

5.22.1     Gathering, processing, storing, or transmitting Department data in support of the Program’s mission;

5.22.2     Ensuring that System Owners are aware of the sensitivity of data to be handled, and ensuring that data is not processed on a system with security controls that are not commensurate with the sensitivity of the data; and

5.22.3     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: FISMA and NIST SP 800-16 

 

5.23       Contingency Planning Coordinator

The responsibilities of the Contingency Planning Coordinator include, but are not limited to:

5.23.1     Developing the contingency plan (CP) strategy, in cooperation with other functional and resource managers associated with the system or the business processes supported by the system;

5.23.2     Managing development and execution of the CP;

5.23.3     Coordinating with the ISSO and other key functional and resource managers to test the Information Technology Contingency Plan (ITCP) in accordance with NIST SP 800-53 Rev. 3 control CP-4 (see Section 2 of the Handbook);

5.23.4     Updating/maintaining all aspects of the ITCP;

5.23.5     Ensuring that each team is trained and ready to deploy in the event of a disruptive situation requiring CP activation;

5.23.6     Ensuring that recovery personnel are assigned to each team to respond to the event, recover capabilities, and return the system to normal operations; and

5.23.7     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

 

Policy/Requirements Traceability: OMB Circular A-130 and NIST SP 800-34 Revision 1, Contingency Planning Guide for Information Technology Systems 

 

5.24       System Developers and Maintainers

The responsibilities of System Developers and Maintainers include, but are not limited to:

5.24.1     Understanding the need to plan security into information systems, especially from the beginning, and the benefits to be derived from doing so;

5.24.2     Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;

5.24.3     Identifying laws and regulations relevant to the system’s design and operation;

5.24.4     Interpreting applicable laws and regulations into security functional requirements;

5.24.5     Evaluating conflicting functional requirements to select for implementation those requirements that provide the highest level of security at the minimum cost consistent with applicable laws and regulations;

5.24.6     Understanding the relationship between planned security safeguards and the features being installed on the system under development;

5.24.7     Evaluating development efforts to ensure that baseline security safeguards are appropriately installed for systems being developed or modified;

5.24.8     Participating in the construction of the information system in accordance with the formal design specifications, developing manual procedures, using commercial off-the-shelf (COTS) hardware/software components, writing program code, customizing hardware components, and/or using other IT capabilities;

5.24.9     Designing and developing tests for security safeguard performance under a variety of normal and abnormal operating circumstances and workload levels;

5.24.10   Analyzing system performance for potential security problems, and providing direction to correct any security problems identified during testing;

5.24.11   Identifying IT security impacts associated with system implementation procedures;

5.24.12   Leading the design, development, and modification of safeguards to correct vulnerabilities identified during system implementation;

5.24.13   Supporting assessments, reviews, evaluations, tests and audits of the system by both internal and external entities;

5.24.14   Following the EPLC in developing and maintaining HHS systems; and

5.24.15   Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: FISMA and NIST SP 800-16 

 

5.25       System/Network Administrators[24]

The responsibilities of System/Network Administrators include, but are not limited to:

5.25.1     Reading, acknowledging, signing, and complying with the HHS Information Security Program Rules of Behavior For Use of Technology Resources and Information (HHS RoB), and OPDIV and system-specific RoB, before gaining access to the Department’s systems and networks;

5.25.2     Completing required privacy and security awareness training;

5.25.3     Participating in Department- and OPDIV-required security Role-Based Training;

5.25.4     Ensuring that the IT security posture of the network is maintained during all network maintenance, monitoring activities, installations or upgrades, and throughout day-to-day operations;

5.25.5     Ensuring that appropriate security requirements are implemented and enforced for all Department systems or networks;

5.25.6     Examining unresolved system vulnerabilities and determining which corrective action(s) or additional safeguards are necessary to mitigate them;

5.25.7     Implementing proper system backups, patching security vulnerabilities, and accurately reporting security incidents;

5.25.8     Utilizing his or her “root” or “administrative” access rights to a computer, based on need-to-know;

5.25.9     Ensuring all incoming and outgoing connections from Department networks to the Internet, intranet, and extranets are made through a firewall;

5.25.10   Analyzing system performance for potential security problems;

5.25.11   Conducting tests of security safeguards in accordance with the established test plan and procedures;

5.25.12   Assessing the performance of security controls (to include hardware, software, firmware, and telecommunications, as appropriate) to ensure that the residual risk is within an acceptable range;

5.25.13   Identifying IT security impacts associated with system implementation procedures;

5.25.14   Leading the design, development, and modification of safeguards to correct vulnerabilities identified during system implementation;

5.25.15   Recognizing potential security violations and taking appropriate action to report any such incident as required by Federal regulation, and mitigating any adverse impact;

5.25.16   Developing and/or executing a system termination plan to ensure that IT security breaches are avoided during shutdown, and that long-term protection of archived resources is achieved;

5.25.17   Ensuring that hardware, software, data, and facility resources are archived, sanitized, or disposed of in a manner consistent with the system termination plan;

5.25.18   Reporting any suspected or actual computer incidents, including the loss of control of PII and PHI, immediately to the OPDIV CSIRT; and

5.25.19   Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: FISMA and NIST SP 800-16 

 

5.26       Contracting Officers and Contracting Officer’s Technical Representatives

The responsibilities of the COs and COTRs include, but are not limited to:

5.26.1     Coordinating with the System Owner, Data Owners/Business Owners, Project Officer/Manager, and CISO to ensure that the appropriate security and privacy contracting language from ASA and other relevant sources is incorporated into each IT contract;

5.26.2     Advising contractors who develop or maintain a Privacy Act System of Records (SOR) on behalf of the Federal Government that the Privacy Act applies to them to the same extent that it applies to the government, per Section 552a(m) of the Privacy Act;

5.26.3     Maintaining the integrity and quality of the proposal evaluation, negotiation, and source selection processes, while ensuring that all terms and conditions of the IT contract are met;

5.26.4     Monitoring contract performance and reviewing deliverables for conformance with contract requirements related to IT security and privacy;

5.26.5     Taking action as needed to ensure that accepted products meet contract requirements;

5.26.6     Ensuring that sufficient funds are available for obligation per the FAR[25];

5.26.7     Maintaining the integrity and quality of the proposal evaluation, negotiation, and source selection processes while ensuring that all privacy terms and conditions of the contract are met;

5.26.8     Determining the applicability of the Privacy Act (HHSAR 324.102) when the design, development, or operation of a Privacy Act SOR on individuals is required to accomplish an agency function; and

5.26.9     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: FAR; NIST SP 800-16; and HHSAR.

 

5.27       Project/Program Managers

The responsibilities of the Project/Program Managers include, but are not limited to:

5.27.1     Evaluating proposals, if requested, to determine whether proposed security solutions effectively address agency requirements as detailed in acquisition documents;

5.27.2     Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs; and

5.27.3     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: FISMA; NIST SP 800-16 (as amended); and Privacy Act

 

5.28       Human Resource Officers

The responsibilities of the Human Resource Officers include, but are not limited to:

5.28.1     Coordinating with appropriate OPDIV CIO POCs and Office of Security and Drug Testing (OSDT) POCs to ensure background checks are conducted for individuals with significant security responsibilities;

5.28.2     Notifying the appropriate OPDIV CIO POC within one business day when OPDIV personnel are separated from the Department;

5.28.3     Ensuring relevant paperwork, interviews and notifications are sent to the appropriate OPDIV CIO personnel when personnel join, transfer within, or leave the organization, either permanently or on detail;

5.28.4     Participating at the request of the HHS CSIRC in the investigation of Federal employees with regard to security incidents;

5.28.5     Participating at the request of the HHS PII BRT in the investigation of Federal employees relative to PII incidents and violations; and

5.28.6     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

 

Policy/Requirements Traceability: HHS Information Security Program Rules of Behavior For Use of Technology Resources and Information (HHS RoB)

5.29       Supervisors

The responsibilities of Supervisors include, but are not limited to:

5.29.1     Ensuring compliance with IT security and privacy policies by all personnel under their direction; and providing the personnel, financial, and physical resources required to protect information resources appropriately;

5.29.2     Budgeting resources for IT security training, including privacy and Role-Based Training, for personnel with security-related responsibilities (e.g., time, money, staff coverage);

5.29.3     Ensuring that personnel under their direct report complete all required IT security training, including privacy and role-based training, within the mandated timeframe;

5.29.4     Notifying the appropriate OPDIV ISSO, or the OPDIV CISO if the ISSO is not available, immediately of the unfriendly departure or separation of a Department employee or contractor;

5.29.5     Pursuing disciplinary or adverse actions against personnel and contractors who violate HHS policies or standards, including the HHS RoB and OPDIV-specific policies and procedures, including system-specific RoB;

5.29.6     Preventing the sharing of personal data unless the recipient is listed under the routine uses of disclosure in the Privacy Act System of Records Notice, the disclosure is covered by one of the provisions found in 5 U.S.C. § 552a(b)(1)-(12) of the Privacy Act, or the record subject has given written permission to disclose the data;

5.29.7     Reporting any suspected or actual computer security incidents, including the loss of control of PII and PHI, immediately to the OPDIV CSIRT;

5.29.8     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches; and

5.29.9     Verifying personnel security requirements are defined in the position description, the position description is reviewed annually for accuracy, and personnel security requirements are met for all employees.

Policy/Requirements Traceability: FISMA and NIST SP 800-16 

 

5.30       Federal Employees and Contractors

The responsibilities of the Department’s users and contractors operating on behalf of the Department include, but are not limited to:

5.30.1     Complying with the Department’s policies, standards, and procedures;

5.30.2     Being aware that they are not acting in an official capacity when using Department IT resources for non-governmental purposes;

5.30.3     Familiarizing themselves with any special requirements for accessing, protecting, and using data, including Privacy Act data, copyright data, and procurement-sensitive data;

5.30.4     Reporting any suspected or actual computer security incidents, including the loss of control of PII and PHI, immediately to the OPDIV CSIRT;

5.30.5     Seeking guidance from supervisors when in doubt about implementing this document;

5.30.6     Ensuring that all media containing Department data is appropriately marked and labeled to indicate the sensitivity of the data;

5.30.7     Abstaining from loading unapproved software from unauthorized sources[26] on Department systems or networks;

5.30.8     Ensuring that sensitive data is not stored on laptop computers or other portable devices unless the data is secured using encryption standards commensurate with the sensitivity level of the data;

5.30.9     Reading, acknowledging, signing, and complying with the HHS RoB, as well as any OPDIV- and system-specific RoB, before gaining access to the Department’s systems and networks;

5.30.10   Completing required privacy and security awareness training;

5.30.11   Implementing specified security and privacy safeguards to prevent fraud, waste, or abuse of the systems, networks, and data they are authorized to use;

5.30.12   Conforming to security policies and procedures that minimize the risk to the Department’s systems, networks, and data from malicious software and intrusions;

5.30.13   Agreeing not to disable, remove, install with intent to bypass, or otherwise alter security or administrative settings designed to protect Department IT resources;  

5.30.14   Ensuring that adequate protection is maintained on their workstation, including not sharing passwords with any other person, and logging out, locking, or enabling a password-protected screen saver before leaving their workstation; and

5.30.15   Notifying the OPDIV CISO or OPDIV CSIRT of actual or suspected computer-security incidents, including PII and PHI breaches.

 

Policy/Requirements Traceability: HHS RoB; and NIST SP 800-37 Rev. 1  

5.31       HHS Records Officer

The HHS Records Officer is responsible for:

5.31.1     Ensuring compliance with the Federal Records Act; National Archives and Records Administration (NARA) regulations and/or guidance; OMB directives; and GAO audit requirements;

5.31.2     Serving as chairperson of the HHS Records Management Council;

5.31.3     Developing HHS records management policies and procedures; and

5.31.4     Providing Department-wide guidance, training, and assistance for compliance with laws and regulations.

Policy/Requirements Traceability: HHS-OCIO Policy for Machine-Readable Privacy Policies 

 


6.1            Federal Directives and Policies

  • Federal Continuity Directive 1 ("FCD 1"): Federal Executive Branch National Continuity Program and Requirements, February 2008
  • HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004
  • HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection, dated December 17, 2003
  • “Office of Assistant Secretary for Administration and Management and Office of the Assistant Secretary for Resources and Technology; Statement of Organization, Functions, and Delegations of Authority,” 74 Federal Register 215 (November 9, 2009), pp. 57679 – 57682
  • “Office for Civil Rights; Delegation of Authority,” 74 Federal Register 148 (August 4, 2009), p. 38630
  • “Office of Resources and Technology; Statement of Organization, Functions and Delegations of Authority,” 73 Federal Register 106 (June 2, 2008), pp. 31486 – 31487
  • “Statement of Organization, Functions, and Delegations of Authority,” 72 Federal Register 72 (April 16, 2007), pp. 19000 – 19001

 

6.2            Statutes

  • Public Welfare, Title 45 Code of Federal Regulations, Pt. 160. 2009 ed.
  • Federal Acquisition Regulation (as amended)
  • E-Government Act of 2002
  • Federal Information Security Management Act of 2002 (Pub. L. No. 107-347, Title III)
  • Clinger-Cohen Act of 1996
  • Paperwork Reduction Act of 1995
  • Children’s Online Privacy Protection Act of 1988
  • The Privacy Act of 1974 (as amended)
  • Office of Federal Procurement Policy Act of 1974
  • Federal Records Act of 1950

6.3            HHS Policy

  • HHS CSIRC Concept of Operations, dated June 9, 2010
  • HHS-OCIO-2010-0001.001S, HHS-OCIO Standard for Security Content Automation Protocol (SCAP)-Compliant Tools, dated June 8, 2010
  • HHS-OCIO-2010-0004, Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010
  • HHS-OCIO-2010-0003, HHS-OCIO Policy for Social Media Technologies, dated March 31, 2010
  • HHS-OCIO-2010-0001, HHS-OCIO Policy for Machine-Readable Privacy Policies, dated January 28, 2010
  • HHS-OCIO-2009-0003.001S, HHS Standard for IEEE 802.11 WLAN dated July 27, 2009
  • HHS-OCIO Policy for Capital Planning and Investment Control, dated February 26, 2010
  • HHS-OCIO-2009-0002, HHS Policy for Privacy Impact Assessments (PIA), dated February 9, 2009
  • HHS-OCIO-2009-0001.001S, HHS Standard for Security Configurations Language in HHS Contracts, dated January 30, 2009
  • HHS-OCIO-2009-0002.001S, HHS Standard for Encryption Language in HHS Contracts, dated January 30, 2009
  • HHS-OCIO-2008-0002.002S, HHS Standard for Managing Outbound Web Traffic, dated June 6, 2008
  • HHS-OCIO-2008-0005.001S, Standard for Plan of Action and Milestones (POA&M), dated December 23, 2008
  • HHS-OCIO-2008-0006.001S, HHS Standard for FISMA Inventory Management, dated December 23, 2008 
  • HHS-OCIO-2008-0007.001S, HHS Standard for Encryption, dated December 23, 2008
  • HHS-OCIO-2008-0001.003, HHS Policy for Responding to Breaches of Personally Identifiable Information, signed November 17, 2008
  • HHS-OCIO-2007.0004.001, Policy for Records Management, dated January 30, 2007
  • HHS-OCIO-2006-0001, Policy for Personal Use IT Resources, dated February 17, 2006
  • HHS-OCIO-2008-0001.003S, HHS Information Security Program Rules of Behavior For Use of Technology Resources and Information (HHS RoB), dated February 12, 2008
  • HHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications, dated August 4, 2009
  • HHS Federal Desktop Core Configuration (FDCC) Deviations, dated November 5, 2008
  • HHS Federal Desktop Core Configuration (FDCC) Standard for Windows Vista, dated November 5, 2008
  • HHS Federal Desktop Core Configuration (FDCC) Standard for Windows XP, dated November 5, 2008
  • HHS Memorandum, Process Guidance for Security Risk-Based Decisions Involving the Primary Operational Information Technology Infrastructure Managers, dated May 13, 2010
  • HHS Memorandum, Resolving Security Audit Finding Disputes, dated May 13, 2010
  • HHS Memorandum, Exception for Use of Persistent Cookies in the Department's Information Technology (IT) Security Awareness Training Course, dated February 16, 2010
  • HHS Memorandum, Security of Information Technology Systems, dated November 10, 2009
  • HHS Memorandum, Office of Inspector General Management Implication Report – Need for Departmental Security Enhancements for Information Technology Assets, dated October 13, 2009
  • HHS Memorandum, Updated Departmental Standard for the Definition of Sensitive Information, dated May 18, 2009
  • HHS Memorandum, Role-Based Training (RBT) of Personnel with Significant Security Responsibilities, dated October 3, 2007
  • HHS memorandum, Security Related to Hosting Foreign Visitors and Foreign Travel by HHS Personnel, dated April 23, 2004
  • HHS Health and Human Services Acquisition Regulation (HHSAR), dated November 27, 2009
  • HHS-FAC-2005-31, Federal Acquisition Regulation (FAR), dated April 2009
  • Department Information Security Policy/Standard Waiver, dated July 16, 2010
  • HHS Logistics Management Manual (LMM), dated February 23, 2007
  • HHS Information Security Program Privacy in the System Development Life Cycle, dated January 16, 2007
  • HHS Memorandum, Federal Information Processing Standards (FIPS) 200 Implementation, dated January 9, 2007
  • HHS National Security Information Manual, dated February 1, 2005

6.4            OMB Policy and Memoranda

  • OMB Circular A-127, Financial Management Systems, dated January 9, 2009
  • OMB Circular A-130, Management of Federal Information Resources, dated November 28, 2000
  • OMB Circular A-123, Management Accountability and Control, dated June 21, 1995
  • OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies (June 25, 2010)
  • OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications (June 25, 2010)
  • OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated April 21, 2010
  • OMB M-10-06, Open Government Directive, dated December 8, 2009
  • OMB M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated August 20, 2009
  • OMB M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 14, 2009
  • OMB M-08-09, New FISMA Privacy Reporting Requirements for FY 2008, dated January 18, 2008
  • OMB M-08-10, Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA), dated February 4, 2008
  • OMB M-07-20, FY 2007 E-Government Act Reporting Instructions, dated August 14, 2007
  • OMB M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 25, 2007
  • OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007
  • OMB M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 16, 2006
  • OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006
  • OMB M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006
  • OMB M-06-15, Safeguarding Personally Identifiable Information, dated May 22, 2006
  • OMB M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 5, 2005
  • OMB M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated June 13, 2005
  • OMB M-05-08, Designation of Senior Agency Officials for Privacy, dated February 11, 2005
  • OMB M-05-04, Policies for Federal Agency Public Websites, dated December 17, 2005
  • OMB M-04-26, Personal Use Policies and ‘File Sharing’ Technology, dated September 8, 2004
  • OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003
  • OMB M-04-04, E-Authentication Guidance for Federal Agencies, dated December 16, 2003
  • OMB M-01-24, Reporting Instructions for the Government Information Security Reform Act, dated June 22, 2001
  • OMB M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy, dated December 20, 2000
  • OMB M-99-20, Security of Federal Automated Information Resources, dated June 23, 1999
  • OMB M-99-05, Instructions on Complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records", dated January 7, 2009
  • OMB M-96-20, Implementation of the Information Technology Management Reform Act of 1996, dated April 4, 1996

 

6.5            NIST Guidance

  • NIST SP 800-122, Guide to Protecting Confidentiality of PII, dated April 2010
  • NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, dated January 2005
  • NIST SP 800-64 Revision 2, Security Considerations in the System Development Lifecycle, dated October 2008
  • NIST SP 800-63 Version 1.0.2, Electronic Authentication Guideline, dated April 2006
  • NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide, dated March 2008
  • NIST SP 800-58, Security Considerations for Voice Over IP Systems, dated January 2005
  • NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, dated June 2010
  • NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, dated August 2009
  • NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, dated February 2010
  • NIST SP 800-34 Revision 1, Contingency Planning Guide for Information Technology Systems, dated June 2002
  • NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, dated February 2006
  • NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, dated April 1998
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, dated March 2006
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004

HHS OCIO policies and standards are posted on the following Website: http://www.hhs.gov/ocio/policy/index.html

 

Direct any questions, comments, suggestions, or requests for further information to the HHS Information Security and Privacy Program at (202) 690-6162.

The effective date of this Policy is the date on which the Policy is approved.

 

Requirements stated in this Policy are consistent with law, regulations, and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units.

 

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated August 7, 1997, as amended, titled Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations. It is HHS policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

\s\

Michael W. Carleton

HHS Chief Information Officer

DATE: September 22, 2010


Access — Ability to make use of any information system resource. (Defined in NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure)

 

Access Control — The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances). (Defined in FIPS 201-1, Personal Identity Verification for Federal Employees and Contractors)

 

Access Control List (ACL) — A register of: (i) users (including groups, machines, processes) who have been given permission to use a particular system resource; and (ii) the types of access they have been permitted. (Defined in NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook)

 

Asset Management — The ability to actively discover, audit, and assess asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers. (Defined at NIST Website: http://scap.nist.gov/validation/)

 

Authentication — Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

 

Authorization — The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Authorizing Official — A senior (Federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Authorizing Official Designated Representative — An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Availability — Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. (Defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems)

Breach — The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. (Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)

Compensating Controls — Management, operational, or technical controls employed by an organization, in lieu of prescribed controls in the Low, Moderate, or High security National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 control baselines, which provide equivalent or comparable protection for an information system. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

 

Confidentiality — Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems)

 

Configuration Management (CM) — A discipline applying technical and administrative direction and surveillance to: identify and document the functional and physical characteristics of a configuration item; control changes to those characteristics; record and report change processing and implementation status; and verify compliance with specified requirements. (Defined in IEEE 610.12, Standard Glossary of Software Engineering Terminology)

 

Contingency Plan (CP) — Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster. (Defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems)

 

Cookie — A piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests. (Defined in NIST SP 800-28 Version 2, Guidelines on Active Content and Mobile Code)

 

Cryptographic Module Validation Program (CMVP) — The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of the Government of Canada that validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography based standards. Products validated as conforming to FIPS 140-2 are accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or designated information (Canada). (Defined in FIPS 140-2, Security Requirements for Cryptographic Modules)

 

Cryptography — The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification. (Defined in NIST SP 800-59, Guideline for Identifying an Information System as a National Security System)

 

Domain Name System (DNS) — System that translates domain names to Internet protocol (IP) addresses and back. (Defined in NIST SP 800-81 Rev. 1, Secure Domain Name System (DNS) Deployment Guide)

 

Enterprise Architecture (EA) — A strategic information asset base, which defines the business, the information necessary to operate the business, the technologies necessary to support the business operations, and the transitional processes necessary for implementing new technologies in response to the changing business needs. It is a representation or blueprint. (Defined in the Chief Information Officers Council Federal Enterprise Architecture Framework Version 1.1 as “Federal enterprise architecture”)

 

Enterprise Performance Life Cycle (EPLC) — A framework that establishes a project management and accountability environment where HHS information technology projects achieve consistently successful outcomes that maximize alignment with Department-wide and individual OPDIV goals and objectives. Implementation of the EPLC methodology allows HHS to improve the quality of project planning and execution, reducing overall project risk. (Defined in HHS-OCIO-2008-0004.001, HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC))

 

Event — Any observable occurrence in a system and/or network. Examples of events include the system boot sequence, a system crash, and packet flooding within a network. (Defined in HHS-IRM-2000-0006, Policy for Establishing an Incident Response Capability)

 

Identification — The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items. (Defined in FIPS 201-1, Personal Identity Verification for Federal Employees and Contractors)

 

Incident — A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. (Defined in NIST SP 800-61 Rev.1, Computer Security Incident Handling Guide)

 

Incident Response Plan — The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit the consequences of malicious cyber attacks against an organization’s information system(s). (Defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems)

 

Independent Assessor — Any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Information — Any communication or representation of knowledge such as facts, data, or opinions in any medium or form; including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. (Defined in OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, 6(a))

 

Information Resources — Information and related resources, such as personnel, equipment, funds, and IT. (Defined in 44 U.S.C., SEC. 3502)

 

Information Security Architect — Individual, group, or organization responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Information Security Measures — Activities used to facilitate decision making and improve performance and accountability through the collection, analysis and reporting of relevant performance-related data. (Defined in NIST SP 800-55 Rev. 1, Performance Measurement Guide for Information Security)

 

Information Security Program Plan — Formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements. See also “Security Plan.” (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Information System — A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Information Technology Contingency Plan (ITCP) — Interim measures to recover IT services following an emergency or system disruption. (Defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems)

 

Information Technology Security Architecture — A description of security principles and an overall approach for complying with the principles that drive the system design (i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments). (Defined in NIST SP 800-27A, Engineering Principles for Information Technology Security [A Baseline for Achieving Security])

 

Integrity — Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

 

Interconnection Security Agreement (ISA) — An agreement established between the organizations that own and operate connected information systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations. (Defined in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)

 

Key Management — The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, and destruction. (Defined in NIST SP 800-57, Recommendation for Key Management)

 

Key Recovery — A function in the lifecycle of keying material; mechanisms and processes that allow authorized entities to retrieve keying material from key backup or archive. (Defined in NIST SP 800-57, Recommendation for Key Management)

 

Memorandum of Understanding/Agreement (MOU/A) — A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection. (Defined in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)

 

Mobile Devices — Portable cartridge/disk-based removable storage media (e.g., floppy disks, compact disks, USB flash drives, and other flash memory cards/drives that contain non-volatile memory). Portable computing and communication devices with information storage capability (e.g., notebook, laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Patch — An additional piece of code developed to address a problem in an existing piece of software. (Defined in NIST SP 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program)

 

Peer-to-peer (P2P) — Any software or system allowing individual users of the Internet to connect to each other and trade files. (Defined in OMB M-04-26, Personal Use Policies and ‘File Sharing’ Technologies)

 

Penetration Testing — Security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. (Defined in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment)

 

Personal Identity Verification (PIV) Card — A secure and reliable form of identification credential issued by the Federal Government to its employees and contractors. This credential is intended to authenticate an individual who requires access to federally controlled facilities, information systems, and applications. (Defined in FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors)

 

Personally Identifiable Information (PII) — Information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)

Also: any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history and information which can be used to distinguish or trace an individual’s identity, such as their name, SSN, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. (Defined in OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency IT Investments)

 

Plan of Action & Milestones (POA&M) — A document that identifies tasks needing to be accomplished, and details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. (Defined in OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones)

 

Policy — The rules and regulations set by an organization that define the purpose of the program and its scope within an organization; assigns responsibilities for direct program implementation, as well as other responsibilities to related offices (e.g., Chief Information Office); and addresses compliance issues. A program policy sets organizational and strategic directions for security and assigns resources for the program’s implementation. (Defined in NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook)

 

Portable Media — Any device that can store data electronically and is portable, such as portable hard drives, universal serial bus (USB) drives, secure digital (SD) card media, compact discs – read only memory (CD-ROMs), and digital video discs (DVDs). (Defined in HHS Standard 2008-0007.001S, HHS Standard for Encryption)

 

Primary Operational IT Infrastructure Managers — The CIOs for CDC, CMS, FDA, IHS, NIH, and OS/ASA are the six primary operational IT infrastructure managers and these individuals are required to concur on all OPDIV-level IT security risk acceptance decisions related to the infrastructures they manage. A primary operational IT infrastructure manager must exercise technical controls to isolate or disconnect any systems or devices not in compliance with minimum HHS security standards. (Defined in HHS Secretary’s Memorandum: Security of Information Technology Systems, dated November 10, 2009)

 

Privacy — The appropriate use of personal information. (Defined in the International Association of Privacy Professionals site glossary)

 

Privacy Act Record — Any item, collection, or grouping of information about individuals that is maintained by an agency, including, but not limited to, their education, financial transactions, and/or medical, criminal, or employment history and that contains their name; or it contains the identifying number, symbol, or other identifying information assigned to the individual, such as a finger or voice print or a photograph. (Defined in The Privacy Act of 1974)

 

Privacy Impact Assessment (PIA) — An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. (Defined in OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002)

 

Privacy Incident — An incident that involves personally identifiable information or protected health information. (Defined in US-CERT Quarterly Trends and Analysis Report, Volume 1, Issue 2, adapted)

 

Privileged User — A user that is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. (Defined in CNSSI 4009, National Information Assurance Glossary, adapted)

 

Protected Health Information (PHI) — "Individually identifiable health information" held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. “Individually identifiable health information” is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual;

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security Number). 

The HIPAA Privacy Rule excludes from protected health information employment records that a covered entity maintains in its capacity as an employer and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. (Defined in the HIPAA Privacy Rule)

 

Remote Access — Access by users (or information systems) communicating from outside the information system's security perimeter. (Defined in NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems)

 

Risk — A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence.

Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Risk Assessment — The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, incorporates threat and vulnerability analyses, and considers mitigations provided by security controls planned or in place. This term is synonymous with risk analysis. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Risk Executive (Function) — An individual or group within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Risk Management Framework — The six-step process established in NIST SP 800-37 Rev. 1, which is the transformation of the previous Certification and Accreditation (C&A) process. The Risk Management Framework (RMF) changes the traditional focus of C&A as a static, procedural activity to a more dynamic approach that provides the capability to more effectively manage information system-related security risks in highly diverse environments of complex and sophisticated cyber threats, ever-increasing system vulnerabilities, and rapidly changing missions. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Role-Based Training — Training focused on the knowledge, skills, and abilities an individual needs to perform the IT security responsibilities specific to each of his or her roles in the organization. (Defined in NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model)

 

Routine Use — The use of such record for a purpose which is compatible with the purpose for which it was collected. (Defined in the Privacy Act of 1974)

 

Sanitization — A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Security Assessment Report — Prepared by the security control assessor,[27] this report provides the results of the assessment of the implementation of security controls identified in the security plan to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the specified security requirements. The security assessment report can also contain a list of recommended corrective actions or deficiencies identified in the security controls. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Security Authorization — See “Authorization.” (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Security Content Automation Protocol (SCAP) — A method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). (Defined in The Information Security Automation Program and The Security Content Automation Protocol, released by the National Vulnerability Database/NIST)

 

Security Control Assessor — An individual, group, or organization responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Security Control Families — The security control families in NIST Special Publication 800-53 Rev. 3 are closely aligned with the security-related areas in FIPS 200 specifying the minimum security requirements for protecting Federal information and information systems. Each security control family contains security controls related to the security functionality of the family. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Security Controls — The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system which, taken together, adequately protect the confidentiality, integrity, and availability of the system and its information. (Defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems)

 

Security Plan — Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Significant Change — A change that is likely to affect the security state of an information system. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

System Development Life Cycle (SDLC) — The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal, which instigates another system initiation. (Defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems)

 

System of Records (SOR) — A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Defined in the Privacy Act of 1974)

 

System Security Plan (SSP) — Formal document that provides an overview of the security requirements for the information system and describes the security controls in place or planned for meeting those requirements. See also “Security Plan.” (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

 

User — Individual, or (system) process acting on behalf of an individual, who is authorized to access an information system. (Defined in CNSSI 4009, National Information Assurance Glossary, adapted)

 

Voice Over Internet Protocol (VoIP) — Equipment that provides the ability to dial telephone numbers and communicate with parties on the other end of a connection who have either another VoIP system or a traditional analog telephone. (Defined in NIST SP 800-58, Security Considerations for Voice Over IP Systems)

 

Vulnerability — A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Wireless Local Area Network (WLAN) — A group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). (Defined in NIST SP 800-46 Rev. 1, Guide to Enterprise Telework and Remote Access Security)

ACL — Access Control List
AO — Authorizing Official
AOS — Administrative Operations Service
ASA — Assistant Secretary for Administration
ASFR — Assistant Secretary for Financial Resources
ASPR — Assistant Secretary for Preparedness and Response
BI — Background Investigation
BRT — Breach Response Team
CA — Certification Agent
CCB — Change Control Body
CDC — Centers for Disease Control and Prevention
CD-ROM — Compact Disc Read-Only Memory
CFE — Contractor-furnished Equipment
CFO — Chief Financial Officer
CIO — Chief Information Officer
CIP — Critical Infrastructure Protection
CISO — Chief Information Security Officer
CM — Configuration Management
CMS — Centers for Medicare and Medicaid Services
CO — Contracting Officer
CONOPS — Concept of Operations
COOP — Continuity of Operations Plan
COPPA — Children’s Online Privacy Protection Act
COTR — Contracting Officer’s Technical Representative
COTS — Commercial Off-the-Shelf
CP — Contingency Plan
CPIC — Capital Planning and Investment Control
CSIRC — Computer Security Incident Response Center
CSIRT — Computer Security Incident Response Team
CVE — Common Vulnerabilities and Exposures
DA — Division of Acquisition
DASHR — Deputy Assistant Secretary for Human Resources
DASIT — Deputy Assistant Secretary for Information Technology
DNS — Domain Name System
DoS — Denial of Service
DVD — Digital Video Disc
EA — Enterprise Architecture
ERA — E-Authentication Risk Assessment
EO — Executive Order
EPLC — Enterprise Performance Lifecycle
FAR — Federal Acquisition Regulation
FDA — Food and Drug Administration
FDCC — Federal Desktop Core Configuration
FIPS — Federal Information Processing Standard
FISMA — Federal Information Security Management Act of 2002
FOIA — Freedom of Information Act
FPC — Federal Preparedness Circular
GAO — Government Accountability Office
GFE — Government-furnished Equipment
HHS — Department of Health and Human Services
HHSAR — Department of Health and Human Services Acquisition Regulation
HHSID — Department of Health and Human Services User Identification
HIPAA — Health Insurance Portability and Accountability Act
HSPD — Homeland Security Presidential Directive
HW — Hardware
IA — Information Assurance
I&A — Identification and Authentication
IEEE — Institute of Electrical and Electronics Engineers
IG — Inspector General
IHS — Indian Health Service
ISA — Interconnection Security Agreement
ISSO — Information Systems Security Officer
IT — Information Technology
ITCP — Information Technology Contingency Plan
ITU — Information Technology Utilities
LEO — Law Enforcement Organization
LMM — HHS Logistics Management Manual
M — Memorandum
MEF — Mission Essential Function
MOU — Memorandum of Understanding
NIH — National Institutes of Health
NIST — National Institute of Standards and Technology
NSA — National Security Agency
NTP — Network Time Protocol
OAMP — Office of Acquisition Management and Policy
O&M — Operations and Maintenance
OCIO — Office of the Chief Information Officer
OCR — Office for Civil Rights
OESS — Office of E-Health Standards and Services
OFR — Office of Financial Resources
OGAPA — Office of Grants and Acquisition Policy and Accountability
OHR — Office of Human Resources
OIG — Office of Inspector General
OITS — Office of Information Technology Security
OMB — Office of Management and Budget
OPDIV — Operating Division
OPM — Office of Personnel Management
OS — Office of the Secretary
OSDT — Office of Security and Drug Testing
OSSI — Office of Security and Strategic Information
P2P — Peer-to-Peer
PDA — Personal Digital Assistant
PDD — Presidential Decision Directive
PHI — Protected Health Information
PIA — Privacy Impact Assessment
PII — Personally Identifiable Information
PIV — Personal Identity Verification
PMA — President’s Management Agenda
POA&M — Plan of Action and Milestones
POC — Point of Contact
PRA — Paperwork Reduction Act
PSC — Program Support Center
RA — Risk Assessment
RAS — Remote Access Server
RBT — Role-Based Training
RMF — Risk Management Framework
RMFOB — HHS Risk Management and Financial Oversight Board
RoB — Rules of Behavior
SAOP — Senior Agency Official for Privacy
SAR — Security Assessment Report
SCAP — Security Content Automation Protocol
SD — Secure Digital
SDLC — System Development Life Cycle
SOP — Senior Official for Privacy
SORN — System of Records Notice
SOW — Statement of Work
SP — Special Publication
SSN — Social Security Number
SSP — System Security Plan
ST&E — Security Testing and Evaluation
STAFFDIV — Staff Division
SW — Software
UPI — Unique Project Identifier
URL — Uniform Resource Locator
US-CERT — United States Computer Emergency Readiness Team
USB — Universal Serial Bus
VoIP — Voice over Internet Protocol
VPN — Virtual Private Network
WLAN — Wireless Local Area Network

[1] The terms information security, IT security, and information systems security are used interchangeably in FISMA and associated guidance from the Office of Management and Budget and the National Institute of Standards and Technology.

[2] “Office for Civil Rights; Delegation of Authority,” 74 Federal Register 148 (4 August 2009), p. 38630. Available at: http://frwebgate.access.gpo.gov/cgi-bin/getpage.cgi?position=all&page=38630&dbname=2009_register

[3] Per NIST SP 800-37 Rev. 1, common control providers are responsible for: (i) documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization). Equivalent documentation may include a system security plan or information security program plan. 

[4] The current HHS Minimum Requirements for Security Authorization Packages (see Section 3 of the Handbook) is based on NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004. Section 3 of the Handbook will be updated in the next reissuance of the HHS-OCIO Policy for Information Systems Security and Privacy to include NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, dated February 2010.

[5] The NIST SP 800-53 Rev. 3 tailored security control baselines represent the minimum controls for low-impact, moderate-impact, and high-impact information systems; NIST SP 800-53 Rev. 3 adds requirements to the baseline for low systems, whereas NIST SP 800-53 Rev. 2 only specified requirements in the baseline for moderate and high systems.

[6] Security control assessor is a new term (role) in NIST SP 800-37 Rev.1. Security control assessors may be called certification agents in some organizations. OPDIVs may use current Certification Agent (CA) roles to fulfill the security control assessor role.   

[7] HHS Secretary Memorandum: Security of Information Technology Systems, dated November 10, 2009.

[8] Per NIST SP 800-37 Rev. 1, for selected information systems, the Chief Information Officer may be designated as an authorizing official or a co-authorizing official with other senior organizational officials.

[9] HHS Secretary Memorandum: Security of Information Technology Systems dated November 10, 2009.

[10] NIST SP 800-37 Rev. 1 introduces the new term of Risk Executive (function) which the agency head may retain or delegate to an official or group. 

[11] HHS Memorandum: Resolving Security Audit Disputes, dated May 13, 2010.

[12] The CISO is also referred to as the Director of the Office of Information Technology Security (OITS).

[13] HHS Secretary Memorandum: Security of Information Technology Systems, dated November 10, 2009.

[14] HHS Secretary Memorandum: Security of Information Technology Systems, dated November 10, 2009, and HHS OCIO Memorandum: Process Guidance for Security Risk-Based Decisions Involving the Primary Operational Information Technology Infrastructure Managers, dated May 13, 2010.

[15] HHS OCIO Memorandum: Resolving Security Audit Disputes dated May 13, 2010.

[16] From HHS CISO Memorandum to OPDIV CISOs: Office of Inspector General Management Implication Report – Need for Departmental Security Enhancements for Information Technology Assets, dated October 13, 2009.

[17] The set of AOs at HHS includes, but is not limited to, the Primary Operational IT Infrastructure Managers, Chief Information Officers, and others, as appropriate.

[18] Security control assessor is a new term (role) in NIST SP 800-37 Rev.1. Security control assessors may be called certification agents in some organizations. OPDIVs may use current Certification Agent (CA) roles to fulfill the security control assessor role.   

[19] In some cases, the Program Executive may be the System Owner and/or the Data Owner/Business Owner.

[20] HHS definition of sensitive information is defined in the HHS memorandum “Updated Departmental Standard for the Definition of Sensitive Information” dated May 18, 2009, available at http://intranet.hhs.gov/infosec/policies_memos.html. At HHS, sensitive information is information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise the element of confidentiality and thereby adversely affect national health interests, the conduct of HHS programs, or the privacy of individuals entitled under the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA). IT security personnel and system owners can equate this definition of sensitive information with data that has a FIPS 199 security impact level of Moderate or High for the confidentiality security objective. This definition of sensitive information is media neutral, applying to information as it appears in either electronic or hardcopy format.

[21] In some cases, the System Owner may be the Program Executive and/or the Data Owner/Business Owner.

[22] HHS definition of sensitive information is defined in the HHS memorandum “Updated Departmental Standard for the Definition of Sensitive Information” dated May 18, 2009, available at http://intranet.hhs.gov/infosec/policies_memos.html. At HHS, sensitive information is information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise the element of confidentiality and thereby adversely affect national health interests, the conduct of HHS programs, or the privacy of individuals entitled under the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA). IT security personnel and system owners can equate this definition of sensitive information with data that has a FIPS 199 security impact level of Moderate or High for the confidentiality security objective. This definition of sensitive information is media neutral, applying to information as it appears in either electronic or hardcopy format.

[23] In some cases the Data Owner/Business Owner may be the System Owner and/or Program Executive.

[24] System/Network Administrator roles are inclusive of other types of administrator roles such as application administrator, Web administrator, and database administrator.

[25] FAR 1.602-1(b) states that no contract shall be entered into unless the CO ensures that all requirements of law, executive orders, regulations, and all other applicable procedures, including clearances and approvals, have been met.

[26] An unauthorized source is any location (e.g., file store or server to which a device could connect, Internet site, intranet site) or process that is not permitted by HHS or OPDIV/STAFFDIV IT security personnel for the distribution of software.

[27] Security control assessor is a new term (role) in NIST SP 800-37 Rev.1. Security control assessors may be called certification agents in some organizations.