Policy 2009-0003 - OCIO
HHS-OCIO Policy for Information Systems Security and Privacy
June 25, 2009
The Department of Health and Human Services, Office of the Chief Information Officer, HHS-OCIO Policy for Information Systems Security and Privacy (henceforth, “the Policy”) provides direction to the information technology (IT) security programs of Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs) for the security and privacy of HHS data in accordance with the Federal Information Security Management Act of 2002 (FISMA)1.
The Policy is a first issuance, establishing comprehensive IT security and privacy requirements for the IT security programs and information systems of OPDIVs and STAFFDIVs. Included as an appendix to the Policy is a complementary HHS-OCIO Policy for Information Systems Security and Privacy Handbook (henceforth “the Handbook”). The Handbook outlines IT security and privacy policy requirements for IT security and privacy programs and information systems in more detail, and is organized according to information assurance (IA) control families to make the document easy to use and scalable for the future.
The Policy supersedes the HHS Automated Information Systems Security Program Handbook, known as the Redbook, dated May 1994; HHS-IRM-2004-0002.001, Information Security Program Policy, dated December 15, 2004; the HHS Information Security Program Policy, dated July 19, 2005; and the HHS IT Privacy Policy Memorandum, released in October 2006. This document does not supersede any other applicable law or higher level agency directive, policy, or guidance.
Furthermore, the authority of HHS-OCIO-2007-0002.001, Policy for Department-wide Information Security, dated September 24, 2007, has been transferred to the Policy and summarily retired. As such, the Policy codifies the Department’s authority to develop, document, implement, and oversee a Department-wide IT security and privacy program to provide IT security and privacy for the information and information systems that support the operations and assets of the Department, including those provided or managed by another federal agency, contractor, or other source. OPDIVs and STAFFDIVs shall comply with and support the implementation of a Department-wide IT security and privacy program, to include compliance with federal requirements and programmatic policies, standards, procedures, and IT security controls.
The HHS Information Security and Privacy Program (henceforth, “the Program”) has evolved and matured over the last several years as new federal requirements have been published, as advances in technology have been made, and as new threats to the Department’s infrastructure have emerged. Citizens’ concerns over the unauthorized disclosure of protected health information (PHI) and personally identifiable information (PII) have placed IT security and privacy issues at the forefront of the national dialogue, positively impacting the way in which public, private, and government organizations provide services and protect information.
Since the release of the HHS Information Security Program Policy in July 2005, the Department has released individual policy statements, mainly in the form of standards and memoranda, in response to or in advance of these occurrences and concerns. This decentralized approach has made it increasingly challenging to trace Department requirements over the years. To better serve IT security and privacy stakeholders, the Department recognized the need to appropriately incorporate, cross-reference, and organize its IT security and privacy policy requirements in a manner that clearly explains the scope and applicability of the requirements. The format in which those requirements are presented should be scalable to accommodate the modification or addition of new requirements over time.
As a result, the Policy was developed to:
- Incorporate privacy requirements and their relationship to IT security programs and system; and
- Incorporate or appropriately cross-reference individually released Department policies, standards, and memoranda.
This Policy applies to all HHS organizational components (i.e., OPDIVs and STAFFDIVs) and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. This Policy does not supersede any other applicable law, higher-level agency directive, or existing labor management agreement in place as of the effective date of this Policy.
Department officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees. All organizations collecting or maintaining information, or using or operating information systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this Policy shall be incorporated into applicable contract language, as appropriate.
Agencies shall use this Policy or may create a more restrictive OPDIV/STAFFDIV policy, but not one that is less restrictive or comprehensive than, or less compliant with, this document.
The Policy does not apply to any network or system that processes, stores, or transmits foreign intelligence or national security information under the cognizance of the Special Assistant to the Secretary (National Security) pursuant to Executive Order (E.O.) 12333, United States Intelligence Activities, or subsequent orders. The Special Assistant to the Secretary (National Security) is the point of contact (POC) for issuing IT security and privacy policy and guidance for these systems. Furthermore, this Policy does not address Health Insurance Portability and Accountability Act of 1996 (HIPAA) requirements. Questions about the HIPAA Security Rule should be directed to the Centers for Medicare and Medicaid Services (CMS); questions about the HIPAA Privacy Rule should be directed to the HHS Office for Civil Rights (OCR).
The Department acknowledges that OPDIVs/STAFFDIVs require flexibility in implementing this policy. Variations in terminology may currently exist across the OPDIVs/STAFFDIVs (e.g., “configuration management” versus “change management”), and there may be variations in the titles of roles. These variations are acceptable. As such, OPDIVs/STAFFDIVs may utilize a phase-in period for compliance with this Policy, as necessary.
In cases in which an OPDIV/STAFFDIV cannot comply with these requirements, justification for noncompliance shall be documented using the HHS Department Information Security Policy/Standard Waiver, dated September 27, 2007 (http://intranet.hhs.gov/infosec/policies_memos.html). Justification may also be documented in security artifacts, such as system security plans (SSPs), which are subject to approval by the Designated Approving Authority (DAA)/Authorizing Official (AO) as part of an OPDIV/STAFFDIV certification and accreditation (C&A) process.
This section addresses government-wide mandates for the secure development, operations, and maintenance of information systems in the context of the Department and its OPDIVs/STAFFDIVs.
4.1.1 OPDIVs/STAFFDIVs shall use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (as amended), as the methodology for the C&A of information systems, in accordance with FISMA and direction from the Office of Management and Budget (OMB).
4.1.2 To standardize minimum content requirements across the Department for C&A documentation so that the documentation is consistent with the NIST SP 800-37 (as amended) methodology, the Program created the HHS Minimum Requirements for Certification and Accreditation Packages (see Section 3 of the Handbook). OPDIVs/STAFFDIVs shall comply with Department minimum requirements when preparing C&A packages for information systems.
4.1.3 OPDIVs/STAFFDIVs shall ensure that information systems provide adequate, risk-based protection in the 17 control areas defined in Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems, dated March 2006, by using the appropriate NIST SP 800-53 Rev. 2, Recommended Security Controls for Federal Information Systems,[2] baseline security controls, in accordance with the FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004, impact level for the system.
4.1.3.1 For instances in which NIST directs agencies to make assignments and selections within SP 800-53 Rev. 2, the Program created standard parameters (see Section 2 of the Handbook). OPDIVs/STAFFDIVs shall utilize these standard parameters, which are outlined for systems categorized as Moderate or High. OPDIVs have discretion to set NIST SP 800-53 Rev. 2 minimum requirements for a system categorization of Low, in accordance with NIST SP 800-53 Rev. 2 guidance and OMB requirements.
4.1.3.2 Deviations from the HHS assignments and selections within NIST SP 800-53 Rev. 2 are permitted providing the resulting parameters are consistent with minimum government-wide parameters. Exceptions cannot be granted to the controls themselves, as they are government-wide standards; however, compensating control policy applies (see Section 4.1.6).
4.1.3.3 OPDIVs/STAFFDIVs may exercise flexibility in the solutions used to meet the control requirement, so long as the baseline requirement is met.
4.1.4 Information assurance and privacy activities conducted within the Department shall be consistent with the guidance, methodologies, and intent prescribed by the NIST SP series, in particular NIST SP 800-53 Rev. 2 and NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems (as amended). It is incumbent upon each OPDIV to appropriately implement, document, and regularly test such controls commensurate with a system’s FIPS 199 categorization.
4.1.5 As new federal requirements are published, OPDIVs/STAFFDIVs shall ensure that newly published requirements are applied to systems that are in development before those systems are granted authority to operate (ATO), and that existing (i.e., operational) systems comply with the new requirements within one year, unless otherwise stated.
4.1.5.1 If a new federal requirement cannot be implemented on a development system before the system is granted an ATO, the Information System Security Officer (ISSO), Certification Agent (CA), or System Owner shall bring this issue to the attention of the DAA/AO when the final security accreditation package is delivered. In the security accreditation decision letter, the DAA/AO shall acknowledge the gap and shall either indicate an anticipated time period when the requirement will be met or document the risk-based decision to not comply with the requirement.
4.1.5.2 If a new federal requirement cannot be implemented on an operational system, the ISSO, CA, or System Owner shall bring this to the attention of the DAA/AO. The DAA/AO shall acknowledge the gap in the form of a Plan of Action Milestones (POA&M), and shall either indicate an anticipated time period when the requirement will be met or document the risk-based decision not to comply with the requirement.
4.1.6 OPDIVs/STAFFDIVs shall employ compensating controls only under the following conditions:
4.1.6.1 The OPDIV/STAFFDIV selects the compensating controls from the security control catalog in NIST SP 800-53 Rev. 2;
4.1.6.2 The OPDIV/STAFFDIV develops a complete and convincing rationale and justification for how the chosen compensating controls provide an equivalent security capability or level of protection for the information system; and
4.1.6.3 The OPDIV/STAFFDIV assesses and formally accepts (i.e., in writing) the risk associated with employing the compensating controls in the information system.
4.1.7 OPDIVs/STAFFDIVs shall review the use of compensating controls, document those controls in the SSP and other appropriate security documentation for the information system, and request approval of those controls from the DAA/AO for the information system.
This section outlines Department-wide controls applicable to OPDIV/STAFFDIV IT security and privacy programs and information systems.
4.2.1 To establish HHS minimum requirements for IT security and privacy programs within the OPDIVs/STAFFDIVs and to address common system security control questions that fall outside the scope of NIST SP 800-53 Rev. 2, the Program established the Handbook as a complementary appendix to this Policy. OPDIVs/STAFFDIVs shall apply the controls in the Handbook to their IT security and privacy programs and to their information systems, as appropriate.
4.2.2 Compensating controls for Department-wide system-level controls shall be employed only under the following conditions:
4.2.2.1 The OPDIV/STAFFDIV selects the compensating controls from the security control catalog in NIST SP 800-53 Rev. 2, when applicable;
4.2.2.2 The OPDIV/STAFFDIV develops a complete and convincing rationale and justification for how the chosen compensating controls provide an equivalent security capability or level of protection for the information system; and
4.2.2.3 The OPDIV/STAFFDIV assesses and formally accepts (i.e., in writing) the risk associated with employing the compensating controls in the information system.
4.2.3 OPDIVs/STAFFDIVs shall review the use of compensating controls for Department-wide system-level controls, document the compensating controls in the SSP and other appropriate security documentation for the information system, and request approval of the compensating controls from the DAA/AO for the information system.
This section sets the authority of the OPDIVs/STAFFDIVs to develop their own security controls for information systems.
4.3.1 OPDIVs/STAFFDIVs may decide whether to issue any additional OPDIV/STAFFDIV-wide security controls for OPDIV/STAFFDIV information systems to augment the government- and Department-wide controls specified herein. OPDIVs/STAFFDIVs shall ensure that parameters are established and documented for each parameterized control, unless set by the Department.
4.3.2 OPDIVs/STAFFDIVs may develop system-specific security controls and parameters. When needed and/or appropriate, it is an OPDIV/STAFFDIV decision whether to set parameters OPDIV/STAFFDIV-wide, on a system-by-system basis, or some combination thereof.
The responsibilities of the Secretary of HHS include but are not limited to:
5.1.1 Ensuring that a Department-wide IT security and privacy program is developed, documented, and implemented to provide security for all systems, networks, and data that support Department operations;
5.1.2 Ensuring that IT security and privacy management processes are integrated with HHS strategic and operational planning processes;
5.1.3 Ensuring the provision of resources necessary to administer the Program;
5.1.4 Protecting information systems and data by allocating resources commensurate with the risk and magnitude of harm posed by unauthorized access, modification, disclosure, disruption, use, and/or destruction; or as recommended by law;
5.1.5 Ensuring that senior HHS officials provide IT security and privacy for operations and IT resources under their control;
5.1.5.1 Delegating to the HHS Chief Information Officer (CIO) the authority to ensure compliance with the Program;
5.1.5.2 Ensuring that HHS has trained federal and contractor personnel to support compliance with the Program; and
5.1.5.3 Ensuring that the HHS CIO, in coordination with the OPDIV CIOs, reports annually on the effectiveness of the Program and on any required remedial actions.
Policy/Requirements Traceability: OMB Circular A-130, Management of Federal Information Resources
The responsibilities of each OPDIV Head include but are not limited to:
5.2.1 Providing IT security and privacy protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction, of the following:
5.2.1.1 Information collected or maintained by or on behalf of the OPDIV; and
5.2.1.2 Information systems used or operated by the OPDIV, a contractor of the OPDIV, or another organization on behalf of the OPDIV.
5.2.2 Complying with the requirements of FISMA and Department-related policies, procedures, standards, and guidelines, including:
5.2.2.1 IT security requirements promulgated under OMB Circular A-130, Appendix III; and
5.2.2.2 IT security standards and guidelines issued by OMB in accordance with NIST guidance, including Presidential Directives such as Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standards for Federal Employees and Contractors.
5.2.3 Ensuring that IT security and privacy management processes are integrated with OPDIV strategic and operational planning processes;
5.2.4 Ensuring that senior OPDIV officials provide IT security and privacy for the information and information systems that support the operations and assets under their control;
5.2.5 Designating a senior OPDIV official as the OPDIV CIO, and delegating to the OPDIV CIO the authority to ensure compliance with the security requirements imposed on the OPDIV under FISMA;
5.2.6 Ensuring that the OPDIV has trained personnel sufficiently to assist the OPDIV in complying with the security requirements under FISMA and Department policies; and
5.2.7 Ensuring that the OPDIV CIO, in coordination with other senior OPDIV officials, reports annually to the OPDIV Head on the effectiveness of the OPDIV IT security and privacy program, including the progress of any remedial actions.
Policy/Requirements Traceability: OMB Circular A-130, Management of Federal Information Resources
The responsibilities of the ASRT/CFO include but are not limited to:
5.3.1 Coordinating the Department’s internal controls program to ensure comprehensiveness and to establish responsibility for uniform security-level designations for the financial management system according to the guidelines of OMB Circular A-127, Financial Management Systems; and
5.3.2 Targeting/selecting entities to be reviewed per OMB Circular A-123, Management's Responsibility for Internal Control, applying risk-based, business-driven logic to maximize the effectiveness of the evaluations.
Policy/Requirements Traceability: OMB Memorandum (M)- 96-20, Implementation of the Information Technology Management Reform Act of 1996
The responsibilities of the ASAM include but are not limited to:
5.4.1 Partnering with the HHS CIO and the Program to develop and implement IT security and privacy-related contract clauses for incorporation in all current and future contracts; and
5.4.2 Ensuring that contracting officers (COs) enforce the requirements of IT security and privacy clauses.
5.4.3 Develop policies and procedures and provide guidance on the accountability, inventory and disposition of sensitive equipment and other personal property containing sensitive and privacy information in the HHS Logistics Management Manual (LMM).
Policy/Requirements Traceability: Federal Acquisition Regulation (FAR) and the Health and Human Services Acquisition Regulation (HHSAR)
The responsibilities of OSSI include but are not limited to:
5.5.1 Providing broad Department-wide policy direction, standards setting, coordination, and performance assessment for organizational components within HHS in the following areas: physical security, personnel security and suitability, security awareness, information security (including the safeguarding of classified material and classification management), communication security, security and threat assessments, and strategic information programs and activities;
5.5.2 Protecting employees and visitors and Department-owned and -occupied critical infrastructure;
5.5.3 Assuring the integration of strategic medical, public health, biomedical, and national security information;
5.5.4 Managing and administering the flow of classified information; and
5.5.6 Providing national security information services to all components within the Office of the Secretary (OS).
Policy/Requirements Traceability: Federal Register Document 07-1873, dated April 16, 2007 and Personnel Security/Suitability Handbook, dated February 1, 2005.
The responsibilities of the Deputy Assistant Secretary for Human Resources include but are not limited to:
5.6.1 Partnering with the HHS CIO and OPDIVs to develop, implement, and oversee personnel security controls for access to sensitive data and for the system administrators who operate critical systems; and
5.6.2 Ensuring that personnel officers notify the OPDIV Information System Security Officer (ISSO), or designated POC for physical and logical access controls, of an employee’s separation within one business day.
Policy/Requirements Traceability: FISMA
The responsibilities of the HHS CIO include but are not limited to:
5.7.1 Ensuring HHS compliance with federal regulations and FISMA IT security and privacy program implementation requirements;
5.7.2 Ensuring the development and maintenance of a Department-wide IT security and privacy program to include the development and implementation of policies, standards, procedures, and IT security controls;
5.7.3 Requiring the development and implementation of protections for HHS information and information systems commensurate with the risk and magnitude of harm posed by unauthorized access, modification, disclosure, disruption, use, and/or destruction, or as recommended by law;
5.7.4 Ensuring the dissemination of Department-wide IT security and privacy policy for OPDIV review and comment;
5.7.5 Reporting annually, in coordination with OPDIV/STAFFDIV Heads, to the Secretary of HHS on the effectiveness of the Program, including progress of remedial actions;
5.7.6 Appointing the HHS CISO to fulfill the responsibilities of the CIO in developing and maintaining a Department-wide IT security and privacy program;
5.7.7 Defining and establishing the minimum security control requirements in accordance with data sensitivity and system criticality;
5.7.8 Preparing any report that may be required of HHS to satisfy the reporting requirements of OMB Circular A-130 and FISMA;
5.7.9 Coordinate with the Secretary of HHS to ensure the provision of resources necessary to administer the Program;
5.7.10 Providing advice and assistance to OS and other senior management personnel to ensure that information resources are acquired and managed for the Department in accordance with the goals of the Capital Planning and Investment Control (CPIC) process;
5.7.11 Providing leadership for developing, promulgating, and enforcing agency information resource management policies, standards, and guidelines, and for procedures on data management, enterprise performance lifecycle (EPLC) management, security, telecommunications, IT reviews, and other related areas;
5.7.12 Establishing, implementing, and enforcing a Department-wide framework to facilitate an incident-response program, ensuring proper and timely reporting to the United States Computer Emergency Readiness Team (US-CERT); and
5.7.13 Establishing a Department-wide framework to facilitate the development of Privacy Impact Assessment (PIA) Summaries for all Department systems, as instructed by OMB.
Policy/Requirements Traceability: FISMA; OMB Circular A-130; Clinger-Cohen Act of 1996
Within HHS, the CIO serves in the role of SAOP and acts as the breach response team (BRT) chair. The responsibilities of the SAOP include but are not limited to:
5.8.1 Ensuring the proper implementation of information privacy protections, including full compliance with federal laws, regulations, and policies relating to information privacy, such as the Privacy Act of 1974 (henceforth, “Privacy Act”) 5 U.S.C. Section 552a;
5.8.2 Maintaining appropriate documentation regarding compliance with information privacy laws, regulations, and HHS policies;
5.8.3 Overseeing, coordinating, and facilitating the Department’s privacy compliance efforts, including reviewing documented information privacy procedures to ensure comprehensiveness and currency, and coordinating revision, as necessary;
5.8.4 Approving the Department’s submission of the Privacy Management portion of the annual FISMA report;
5.8.5 Coordinating privacy-related reporting activities as mandated by federal legislation and OMB guidance;
5.8.6 Maintaining a central policy-making role in the Department’s development and evaluation of legislative, regulatory, and other policy proposals pertaining to information privacy issues, including those relating to the agency’s collection, use, sharing, and disclosure of personal information;
5.8.7 Designating responsibility for oversight of the PIA process to the OPDIV SOP;
5.8.8 Establishing a framework to facilitate the development of PIA Summaries for all OPDIV systems, as instructed by OMB;
5.8.9 Ensuring PIAs are conducted for information systems and online collections, and coordinating submission of all Department PIA Summaries to OMB;
5.8.10 Reviewing completed PIAs, and attesting that the PIAs are adequately and accurately completed;
5.8.11 Allocating proper resources to permit identification and remediation of privacy weaknesses;
5.8.12 Ensuring the Department’s employees, contractors, and stakeholders receive appropriate privacy training; and
5.8.13 Providing education programs regarding the information privacy laws, regulations, policies, and procedures governing the Department’s handling of PII.
Policy/Requirements Traceability: FISMA; OMB M-05-08, Designation of Senior Agency Officials for Privacy
The responsibilities of the HHS CISO include but are not limited to:
5.9.1 Assisting and advising the HHS CIO in the development, documentation, and implementation of the Program (e.g., issuing policy, maintaining situation awareness, and performing compliance oversight) to provide IT security and privacy safeguards for the electronic information and information systems that support the operations and assets of the Department, including those provided or managed by another federal organization or bureau, contractor, or other source;
5.9.2 Ensuring that all IT resources are reviewed in order to ensure compliance with established Departmental and external policies, standards, and regulations;
5.9.3 Monitoring OPDIV/STAFFDIV IT security program activities;
5.9.4 Fostering communication and collaboration among the Department’s security stakeholders to share knowledge and to better understand threats to Department information;
5.9.5 Overseeing the preparation of quarterly and annual FISMA reports;
5.9.6 Developing and implementing an IT security performance measurement program to evaluate the effectiveness of technical and non-technical IT security safeguards used to protect the Department’s information;
5.9.7 Coordinating requirements within the Office of Security for personnel clearances, position sensitivity, and access to information systems with the appropriate office;
5.9.8 Ensuring that all HHS-owned telephony equipment is provided with system and physical protection;
5.9.9 Implementing a security incident monitoring program for all systems and networks;
5.9.10 Disseminating information on potential security threats and recommended safeguards; and
5.9.11 Ensuring, in coordination with the HHS CIO and ASAM/OAMP, that all IT acquisitions include Department security considerations.
Policy/Requirements Traceability: FISMA
The responsibilities of each OPDIV CIO involve providing leadership to activities including but not limited to:
5.10.1 Reporting quarterly to the HHS CIO on the effectiveness of the OPDIV’s IT security and privacy program, including the progress of any remedial actions;
5.10.2 Appointing an OPDIV CISO to fulfill the responsibilities of the OPDIV CIO in maintaining the OPDIV IT security program;
5.10.3 Managing internal security reviews of the program business cases, alternatives analyses, and other specific investment documents;
5.10.4 Managing and certifying an inventory of all current and proposed investments containing an IT component in accordance with the CPIC process;
5.10.5 Ensuring that policies, procedures, and practices are consistent with Department requirements in order to ensure that systems, programs, and data are secure and protected from unauthorized access that might lead to the alteration, damage, or destruction of automated resources, unintended release of HHS data, and denial of service (DoS);
5.10.6 Ensuring that all employees and contractors comply with Department and OPDIV IT security and privacy policies;
5.10.7 Ensuring the establishment of an incident response team (IRT) to participate in the investigation and resolution of incidents in the OPDIV;
5.10.8 Enforcing incident response processes and procedures developed by the Department and those outlined in the OPDIV IT security program;
5.10.9 Managing an inventory of all major information systems, and updating the inventory at least annually as part of annual FISMA reporting; and
5.10.10 Ensuring mandatory security education and awareness is undertaken by all personnel using, operating, supervising, or managing computer systems.
Policy/Requirements Traceability: FISMA; OMB Circular A-130; Clinger-Cohen Act of 1996
The responsibilities of each OPDIV CISO include but are not limited to:
5.11.1 Leading OPDIV IT security and privacy programs and promoting proper IT security and privacy practices;
5.11.2 Supporting the HHS CISO in the implementation of the Program;
5.11.3 Fostering communication and collaboration among the Department’s security stakeholders to share knowledge and to better understand threats to Department information;
5.11.4 Providing information about the OPDIV IT security policies to management and throughout the organization;
5.11.5 Providing advice and assistance to other organizational personnel concerning the security of sensitive data and of critical data processing capabilities;
5.11.6 Advising the OPDIV CIO about security breaches in accordance with the security breach reporting procedures developed and implemented by the Department and/or OPDIV;
5.11.7 Disseminating information on potential security threats and recommended safeguards;
5.11.8 Ensuring that roles with significant security responsibilities are identified and documented per the HHS memorandum “Role-Based Training (RBT) of Personnel with Significant Security Responsibilities,” dated October 3, 2007;
5.11.9 Conducting security education and awareness training needs assessments to determine appropriate training resources and to coordinate training activities for target populations;
5.11.10 Assisting System Owners in establishing and implementing the required security safeguards to protect computer hardware, software, and data from improper use or abuse;
5.11.11 Promoting requirements for personnel clearances, position sensitivity, and access to information systems with the appropriate office;
5.11.12 Collaborating with the BRT Coordinator when the BRT Coordinator is engaging the OPDIV POC for information collection and clarification, and sitting on the HHS BRT while the breach is under investigation;
5.11.13 Coordinating with OPDIV Senior Official for Privacy to ensure privacy implications are addressed when PII incident response activities occur within the OPDIV; and
5.11.14 Supporting general privacy awareness and RBT activities for all personnel using, operating, supervising, or managing information systems.
Policy/Requirements Traceability: FISMA
5.12 HHS Computer Security Incident Response Center (CSIRC)
Note: A Concept of Operations (CONOPS) document for the HHS CSIRC is in development at the time this document is being written. Separate from this Policy, the HHS IRM Policy for Establishing an Incident Response Capability(dated January 8, 2001) will be updated based on the roles, responsibilities, and activities of the HHS CSIRC. This Policy will be updated as appropriate once the aforementioned incident response policy is updated.
The responsibilities of the OPDIV SOP include but are not limited to:
5.13.1 Supporting the Department SAOP in ad hoc privacy reporting activities as necessary, including the maintenance of and compliance with Presidential mandates and quarterly FISMA reporting activities;
5.13.2 Reviewing and approving the OPDIV FISMA and Privacy Management Report for submission to the Department;
5.13.3 Developing and supporting integration of Department privacy program initiatives into IT security practices, where applicable;
5.13.4 Establishing and implementing privacy policies, procedures, and practices consistent with Departmental privacy requirements, in coordination with the OPDIV CISO;
5.13.5 Coordinating OPDIV policy, guidance, and system-level documentation to ensure that Department management, technical, and operational privacy requirements are addressed;
5.13.6 Approving written requests for PII from personally owned or non-Department equipment in accordance with Handbook Section 2.10 Personally-Owned Equipment and Software, S-POES.4.
5.13.7 Obtaining contractual assurances from third parties to ensure that the third party will protect PII in a manner consistent with the privacy practices of the Department, in coordination with the OPDIV CISO and privacy stakeholders;
5.13.8 Reporting, in coordination with the OPDIV, to the HHS CIO/SAOP the effectiveness of the OPDIV privacy program, including weaknesses and the progress of remedial actions, as identified;
5.13.9 Establishing an OPDIV policy framework to facilitate the development and maintenance of PIAs for all systems based on Department and federal legislative requirements;
5.13.10 Tracking and maintaining all OPDIV PIA activities in the Department’s PIA reporting tool;
5.13.11 Reviewing completed OPDIV PIAs and attesting that they are adequately and accurately completed;
5.13.12 Promoting (i.e., escalating) OPDIV PIAs to the Department, and submitting completed OPDIV PIAs to the SAOP, or seeking revisions from the PIA author if errors are found;
5.13.13 Coordinating and ensuring that privacy education and awareness activities, specific to the OPDIV privacy culture, are established for all personnel using, operating, supervising, or managing computer systems;
5.13.14 Coordinating with OPDIV budgetary offices to ensure PIA and System of Records Notice (SORN) activities are included as part of Exhibit 300 development;
5.13.15 Coordinating with OPDIV Privacy Act Coordinators to complete biannual SORN updates in accordance with OMB Circular A-130;
5.13.16 Making recommendations to the HHS CIO/SAOP and senior level officials with budgetary authority in order to allocate proper resources to identify and mitigate privacy weaknesses found in system PIAs;
5.13.17 Coordinating with HHS website owners/administrators to ensure that web-based privacy compliance requirements are met across the Department;
5.13.18 Coordinating with the OPDIV’s IRT and/or BRT concerning reports of the loss of control of PII; and
5.13.19 Coordinating with the Privacy Act Contact to:
5.13.19.1 Keep track of the location of Privacy Act records;
5.13.19.2 Approve/deny/track access to and amendments of records;
5.13.19.3 Ensure records are complete, accurate, timely and relevant;
5.13.19.4 Ensure that system users are made aware of their privacy responsibilities when accessing systems that contain personal information; and
5.13.19.5 Ensure data collection forms include a Privacy Act Notification Statement.
Policy/Requirements Traceability: OMB M-05-08
The responsibilities of the DAA/AO include, but are not limited to, the following for systems and networks under his or her authority:
5.14.1 Determining, through the security accreditation process, whether the level of risk remaining, once security procedures and controls have been implemented, provides protection commensurate with a system’s sensitivity;
5.14.2 Determining, based on the analysis provided by the CA (or designee), whether to accept a risk or to implement countermeasures;
5.14.3 Being accountable for the residual risks accepted;
5.14.4 Making the final decision on the type of accreditation, and signing the document prepared by the CA (or designee) to document the decision; and
5.14.5 Ensuring that sensitive data is protected from unauthorized access in all forms at rest or in transit.
Note: DAAs/AOs may typically have budgetary oversight for an information system or are responsible for the mission or business operations supported by the system. Accordingly, DAAs/AOs should be in management positions with a level of authority commensurate with understanding and accepting such information system-related security risks. With the increasing complexity of missions/business processes, partnership arrangements, and the use of external/shared services, it is possible that a particular information system may involve multiple authorizing officials. If so, agreements should be established among the DAAs/AOs and documented in the security plan. In addition, a DAA/AO may designate a representative to help manage the portfolio of systems for which that DAA/AO is responsible and make decisions on behalf of the DAA/AO; however, responsibility for the portfolio of systems ultimately resides with the DAA/AO assigned to those systems.
Policy/Requirements Traceability: OMB Circular A-130
The responsibilities of the CA include, but are not limited to, the following for systems and networks under his or her authority:
5.15.1 Assessing security controls to evaluate the extent to which the controls are correctly implemented, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;
5.15.2 Complying with the certification of all the Department’s systems and networks;
5.15.3 Ensuring the C&A process is conducted in accordance with NIST guidance and OPDIV/STAFFDIV processes; and
5.15.4 Reviewing the system security documentation and results of the security testing and evaluation (ST&E) and documenting his or her recommendation for acceptance or rejection of risk and accreditation or non-accreditation.
Policy/Requirements Traceability: FISMA; NIST SP 800-37 (as amended)
The responsibilities of each ISSO include but are not limited to:
5.16.1 Notifying the OPDIV CISO of computer-security incidents, both actual or suspected;
5.16.2 Ensuring that IT security notices and advisories are distributed to appropriate OPDIV personnel and that vendor-issued security patches are expeditiously installed;
5.16.3 Serving as an OPDIV focal point for incident reporting and subsequent resolution;
5.16.4 Assisting the CISO in reviewing contracts for systems under the CISO’s control to ensure that IT security is appropriately addressed in contract language;
5.16.5 Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;
5.16.6 Maintaining the security documentation for systems under his or her purview, according to NIST SP 800-37;
5.16.7 Ensuring NIST SP 800-53 Rev. 2 controls are appropriate to the system based on the FIPS 199 security categorization;
5.16.8 Assisting his or her System Owner, Data Owner/Business Owner, and OPDIV CISO in capturing all system weaknesses in the POA&M;
5.16.9 Reinforcing the concept of separation of duties by ensuring that no single individual has control of any critical process in its entirety per NIST SP 800-53 Rev.2;
5.16.10 Participating in Department- and OPDIV-required security RBT;
5.16.11 Tracking all security education and awareness training conducted for personnel and contractors, as appropriate;
5.16.12 Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO, in coordination with the system/network administrators, in ensuring that proper backup procedures for all system and network information exist;
5.16.13 Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring logical access controls are in place that provide protection from unauthorized access, alteration, loss, and disclosure of information;
5.16.14 Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO with ensuring account lockout controls are in place that limit the number of consecutive failed log-in attempts against a given system;
5.16.15 Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring limits are established for the amount of time a session may be inactive before that session is timed out;
5.16.16 Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring that security-event monitoring technologies are used for all systems and networks;
5.16.17 Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in coordinating with Human Resources to manage physical and logical access controls for new and departing HHS employees and contractors;
5.16.18 Ensuring all incoming and outgoing connections from Department networks to the Internet, intranet, and extranets are made through a firewall; and
5.16.19 Analyzing audit logs with the frequency defined by the OPDIV CISO, and monitoring the types of assistance users request.
Policy/Requirements Traceability: FISMA; NIST SP 800-37 (as amended)
The responsibilities of the Program Executives include but are not limited to:
5.17.1 Ensuring that systems and data that are critical to the Program’s mission receive adequate protection;
5.17.2 Determining, in coordination with the Data Owner/Business Owner and System Owner, appropriate security controls and identifying resources to implement those controls;
5.17.3 Coordinating system and data security requirements with IT security personnel by adequately delegating system-level security requirements;
5.17.4 Ensuring that, for each information system, security is planned, documented, and integrated into the EPLC from the information system’s initiation phase to the system’s disposal phase;
5.17.5 Ensuring adequate funding is provided to implement security requirements in the EPLC for systems that fall within the management authority of the Program Executive;
5.17.6 Signing off on the FIPS 199 security categorization; and
5.17.7 Accepting reasonable risks, based on recommendations by the HHS CISO, OPDIV CISO, or OPDIV ISSO.
Policy/Requirements Traceability: FISMA
The responsibilities of the System Owners include but are not limited to:
5.18.1 Coordinating with the Contracting Officers (COs) and Contracting Officer’s Technical Representatives (COTRs), Project Officer/Manager, and CISO to ensure that the appropriate security contracting language from ASAM/OAMP and other relevant sources is incorporated in each IT contract;
5.18.2 Accepting accountability for the operation of a system(s) in support of the overall Program mission;
5.18.3 Processing systems at facilities and IT utilities (ITUs) that are certified at a level of security equal to or higher than the security level designated for their system;
5.18.4 Ensuring that information and system categorization has been established for their system(s) and data in accordance with FIPS 199;
5.18.5 Determining, in coordination with the Program Executive and Data Owner/Business Owner, appropriate security controls and identifying resources to implement those controls;
5.18.6 Consulting with the OPDIV CIO or OPDIV CISO to establish consistent methodologies for determining IT security costs for systems;
5.18.7 Ensuring that, for each information system, security is planned, documented, and integrated into the EPLC from the information system’s initiation phase to the system’s disposal phase;
5.18.8 Ensuring provision of adequate funding to implement the security requirements in the EPLC for systems that fall within the management authority of the Program Executive;
5.18.9 Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;
5.18.10 Conducting PIAs, in coordination with their respective OPDIV Senior Officer for Privacy (SOP) on their system(s) if the system(s) is used to collect information on individuals, or when the Department develops, acquires, or buys new systems to handle collecting PII;
5.18.11 Conducting assessments of the risk and magnitude of the harm that would result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the Department’s critical operations, at least annually;
5.18.12 Reviewing the security controls for their system(s) and network(s) when significant modifications are made to the system(s) and network(s), or at least every three years;
5.18.13 Ensuring that system weaknesses are captured in the POA&M and are updated according to the POA&M standard;
5.18.14 Ensuring that sensitivity and criticality levels have been established for their systems and data in accordance with NIST standards and guidelines;
5.18.15 Ensuring proper physical, administrative, and technical controls are in place to protect PII if found in the system;
5.18.16 Developing SSPs for their system(s) and network(s);
5.18.17 Obtaining appropriate interconnection security agreements (ISAs) or memoranda of understanding (MOUs) prior to connecting with other systems and/or sharing sensitive data/information;
5.18.18 Developing system-specific rules of behavior (RoB) for systems under their responsibility;
5.18.19 Participating in Department- and OPDIV-required security RBT;
5.18.20 Determining who should be granted access to the system and with what rights and privileges, and granting users the fewest possible privileges necessary for job performance in order to ensure privileges are based on a legitimate need;
5.18.21 Conducting annual reviews and validations of system users’ accounts to ensure the continued need for access to a system;
5.18.22 Enforcing the concept of separation of duties by ensuring that no single individual has control of the entirety of any critical process;
5.18.23 Ensuring that special physical security or environmental security requirements are implemented for facilities and equipment used for processing, transmitting, or storing sensitive information based on the level of risk;
5.18.24 Ensuring the development, execution, and activation of a system-to-system interconnection implementation plan for each instance of a system-to-system interconnection;
5.18.25 Serving as a POC for the system to whom privacy issues may be addressed; and
5.18.26 Collecting, modifying, using, and/or disclosing the minimum PII necessary to accomplish mission objectives.
Policy/Requirements Traceability: FISMA; NIST SP 800-37 (as amended); NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model
The responsibilities of Data Owner/Business Owner include but are not limited to:
5.19.1 Gathering, processing, storing, or transmitting Department data in support of the Program’s mission; and
5.19.2 Ensuring that System Owners are aware of the sensitivity of data to be handled, and ensuring that data is not processed on a system with security controls that are not commensurate with the sensitivity of the data.
Policy/Requirements Traceability: FISMA; NIST SP 800-16 (as amended)
The responsibilities of the Contingency Planning Coordinator include but are not limited to:
5.20.1 Developing the contingency plan (CP) strategy, in cooperation with other functional and resource managers associated with the system or the business processes supported by the system;
5.20.2 Managing development and execution of the CP;
5.20.3 Coordinating with the ISSO and other key functional and resource managers to test the Information Technology Contingency Plan (ITCP) in accordance with NIST SP 800-53 Rev. 2 control CP-4 (see Section 2 of the Handbook);
5.20.4 Updating/maintaining all aspects of the ITCP;
5.20.5 Ensuring that each team is trained and ready to deploy in the event of a disruptive situation requiring CP activation; and
5.20.6 Ensuring that recovery personnel are assigned to each team to respond to the event, recover capabilities, and return the system to normal operations.
Policy/Requirements Traceability:OMB Circular A-130; NIST SP 800-34, Contingency Planning Guide for Information Technology Systems (as amended)
The responsibilities of System Developers and Maintainers include but are not limited to:
5.21.1 Understanding the need to plan security into information systems, especially from the beginning, and the benefits to be derived from doing so;
5.21.2 Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;
5.21.3 Identifying laws and regulations relevant to the system’s design and operation;
5.21.4 Interpreting applicable laws and regulations into security functional requirements;
5.21.5 Evaluating conflicting functional requirements to select for implementation those requirements that provide the highest level of security at the minimum cost consistent with applicable laws and regulations;
5.21.6 Understanding the relationship between planned security safeguards and the features being installed on the system under development;
5.21.7 Evaluating development efforts to ensure that baseline security safeguards are appropriately installed for systems being developed or modified;
5.21.8 Participating in the construction of the information system in accordance with the formal design specifications, developing manual procedures, using commercial off-the-shelf (COTS) hardware/software components, writing program code, customizing hardware components, and/or using other IT capabilities;
5.21.9 Designing and developing tests for security safeguard performance under a variety of normal and abnormal operating circumstances and workload levels;
5.21.10 Analyzing system performance for potential security problems, and providing direction to correct any security problems identified during testing;
5.21.11 Identifying IT security impacts associated with system implementation procedures;
5.21.12 Leading the design, development, and modification of safeguards to correct vulnerabilities identified during system implementation; and
5.21.13 Supporting assessments, reviews, evaluations, tests and audits of the system by both internal and external entities.
Policy/Requirements Traceability:FISMA; NIST SP 800-16 (as amended)
The responsibilities of System/Network Administrators include but are not limited to:
5.22.1 Participating in Department- and OPDIV-required security RBT;
5.22.2 Ensuring that the IT security posture of the network is maintained during all network maintenance, monitoring activities, installations or upgrades, and throughout day-to-day operations;
5.22.3 Ensuring that appropriate security requirements are implemented and enforced for all Department systems or networks;
5.22.4 Examining unresolved system vulnerabilities and determining which corrective action(s) or additional safeguards are necessary to mitigate them;
5.22.5 Implementing proper system backups, patching security vulnerabilities, and accurately reporting security incidences;
5.22.6 Utilizing his or her “root” or “administrative” access rights to a computer, based on need-to-know;
5.22.7 Ensuring all incoming and outgoing connections from Department networks to the Internet, intranet, and extranets are made through a firewall;
5.22.8 Analyzing system performance for potential security problems;
5.22.9 Conducting tests of security safeguards in accordance with the established test plan and procedures;
5.22.10 Assessing the performance of security controls (to include hardware, software, firmware, and telecommunications, as appropriate) to ensure that the residual risk is within an acceptable range;
5.22.11 Identifying IT security impacts associated with system implementation procedures;
5.22.12 Leading the design, development, and modification of safeguards to correct vulnerabilities identified during system implementation;
5.22.13 Recognizing potential security violations, and taking appropriate action to report any such incident as required by federal regulation, and mitigating any adverse impact;
5.22.14 Developing and/or executing a system termination plan to ensure that IT security breaches are avoided during shutdown, and that long-term protection of archived resources is achieved;
5.22.15 Ensuring that hardware, software, data, and facility resources are archived, sanitized, or disposed of in a manner consistent with the system termination plan; and
5.22.16 Reporting any suspected or actual computer incidents, including the loss of control of PII, immediately to the OPDIV IRT.
Policy/Requirements Traceability: FISMA; NIST SP 800-16 (as amended)
5.23 Contracting Officers (COs) and Contracting Officer’s Technical Representatives (COTRs)
The responsibilities of the COs and COTRs include but are not limited to:
5.23.1 Coordinating with the System Owner, Data Owners/Business Owners, Project Officer/Manager, and CISO to ensure that the appropriate security and privacy contracting language from ASAM and other relevant sources is incorporated into each IT contract;
5.23.2 Advising contractors who develop or maintain a Privacy Act System of Records (SOR) on behalf of the federal government that the Privacy Act applies to them to the same extent that it applies to the government, per Section 552a(m) of the Privacy Act;
5.23.3 Maintaining the integrity and quality of the proposal evaluation, negotiation, and source selection processes, while ensuring that all terms and conditions of the IT contract are met;
5.23.4 Monitoring contract performance and reviewing deliverables for conformance with contract requirements related to IT security and privacy;
5.23.5 Taking action as needed to ensure that accepted products meet contract requirements;
5.23.6 Ensuring that that sufficient funds are available for obligation per the FAR;[6] and
5.23.7 Maintaining the integrity and quality of the proposal evaluation, negotiation, and source selection processes while ensuring that all privacy terms and conditions of the contract are met; and
5.23.8 Determining the applicability of the Privacy Act (HHSAR 324.102) when the design, development, or operation of a Privacy Act SOR on individuals is required to accomplish an agency function.
Policy/Requirements Traceability: FAR; NIST SP 800-16 (as amended)
The responsibilities of the Project/Program Managers include but are not limited to:
5.24.1 Evaluating proposals, if requested, to determine whether proposed security solutions effectively address agency requirements as detailed in solicitation documents;
5.24.2 Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;
Policy/Requirements Traceability:FISMA; NIST SP 800-16 (as amended; Privacy Act
The responsibilities of the Human Resource Officers include but are not limited to:
5.25.1 Coordinating with appropriate OPDIV CIO POCs and Office of Security and Drug Testing (OSDT) POCs to ensure background checks are conducted for individuals with significant security responsibilities;
5.25.2 Notifying the appropriate OPDIV CIO POC within one business day when OPDIV personnel are separated from the Department;
5.25.3 Ensuring relevant paperwork, interviews and notifications are sent to the appropriate OPDIV CIO personnel when personnel join, transfer within, or leave the organization, either permanently or on detail;
5.25.4 Participating at the request of the HHS CSIRC in the investigation of federal employees with regard to security incidents; and
5.25.5 Participating at the request of the HHS PII BRT in the investigation of federal employees relative to PII incidents and violations.
The responsibilities of Supervisors include but are not limited to:
5.26.1 Ensuring compliance with IT security and privacy policies by all personnel under their direction, and providing the personnel, financial, and physical resources required to protect information resources appropriately;
5.26.2 Budgeting resources for IT security training, including privacy and RBT, for personnel with security-related responsibilities (e.g., time, money, staff coverage);
5.26.3 Ensuring that personnel under their direct report complete all required IT security training, including privacy and RBT, within the mandated timeframe;
5.26.4 Notifying the appropriate OPDIV ISSO, or the OPDIV CISO if the ISSO is not available, immediately of the unfriendly departure or separation of a Department employee or contractor; and
5.26.5 Pursuing disciplinary or adverse actions against personnel and contractors who violate HHS policies or standards, including HHS Information Security Program Rules of Behavior For Use of Technology Resources and Information (HHS Rules), dated February 12, 2008, and OPDIV-specific policies and procedures, including system-specific RoB;
5.26.6 Preventing the sharing of personal data, unless the recipient is listed under the routine uses of disclosure of the Privacy Act Systems of Records Notice or covered in one of the provisions found in 5 U.S.C. § 552a(b)(1)-(12) of the Privacy Act, unless the record subject has given written permission to disclose the data; and
5.26.7 Reporting any suspected or actual computer security incidents, including the loss of control of PII, immediately to the OPDIV IRT.
Policy/Requirements Traceability: FISMA; NIST SP 800-16 (as amended)
The responsibilities of the Department’s users and contractors operating on behalf of the Department include but are not limited to:
5.27.1 Complying with the Department’s policies, standards, and procedures;
5.27.2 Possessing awareness that they are not acting in an official capacity when using Department IT resources for non-governmental purposes;
5.27.3 Familiarizing themselves with any special requirements for accessing, protecting, and using data, including Privacy Act data, copyright data, and procurement-sensitive data;
5.27.4 Reporting any suspected or actual computer security incidents, including the loss of control of PII, immediately to the OPDIV IRT;
5.27.5 Seeking guidance from supervisors when in doubt about implementing this document;
5.27.6 Ensuring that all media containing Department data is appropriately marked and labeled to indicate the sensitivity of the data;
5.27.7 Abstaining from loading unapproved software from unauthorized sources[7] on Department systems or networks;
5.27.8 Ensuring that sensitive data is not stored on laptop computers or other portable devices unless the data is secured using encryption standards commensurate with the sensitivity level of the data;
5.27.9 Reading, acknowledging, signing, and complying with the HHS Rules, and OPDIV- and system-specific RoB, before gaining access to the Department’s systems and networks;
5.27.10 Completing required privacy and security awareness training;
5.27.11 Implementing specified security and privacy safeguards to prevent fraud, waste, or abuse of the systems, networks, and data they are authorized to use;
5.27.12 Conforming to security policies and procedures that minimize the risk to the Department’s systems, networks, and data from malicious software and intrusions;
5.27.13 Agreeing not to disable, remove, install with intent to bypass, or otherwise alter security or administrative settings designed to protect Department IT resources;
5.27.14 Ensuring that adequate protection is maintained on their workstation, including not sharing passwords with any other person, and logging out, locking, or enabling a password-protected screen saver before leaving their workstation; and
5.27.15 Completing required privacy and security awareness training.
Policy/Requirements Traceability:HHS Rules; NIST SP 800-37 (as amended)
- E-Government Act of 2002.
- Federal Acquisition Regulation, as amended.
- HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection, dated December 17, 2003.
- Federal Information Security Management Act of 2002 (FISMA).
- Clinger-Cohen Act of 1996.
- Paperwork Reduction Act (PRA) of 1995.
- The Privacy Act of 1974, as amended.
- Office of Federal Procurement Policy Act of 1974
- Federal Records Act of 1950
- HHS-OCIO-2009-0002, HHS Policy for Privacy Impact Assessments (PIA), dated February 9, 2009.
- HHS-OCIO-2009-0001.001S, HHS Standard for Security Configurations Language in HHS Contracts, dated January 30, 2009.
- HHS-OCIO-2009-0002.001S, HHS Standard for Encryption Language in HHS Contracts, dated January 30, 2009.
- HHS-OCIO-2008-0002.002S, HHS Standard for Managing Outbound Web Traffic, dated June 6, 2008.
- HHS-OCIO-2008-0005.001S, Standard for Plan of Action and Milestones (POA&M), dated December 23, 2008.
- HHS-OCIO-2008-0006.001S, HHS Standard for FISMA Inventory Management, dated December 23, 2008.
- HHS-OCIO-2008-0007.001S, HHS Standard for Encryption, dated December 23, 2008.
- HHS-OCIO-2008-0001.003, HHS Policy for Responding to Breaches of Personally Identifiable Information, signed November 17, 2008.
- HHS-OCIO-2006-0001, Policy for Personal Use IT Resources, dated February 17, 2006.
- HHS-OCIO-2008-0001.003S, HHS Information Security Program Rules of Behavior For Use of Technology Resources and Information (HHS Rules), dated February 12, 2008.
- HHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications, dated December 2, 2008.
- HHS Federal Desktop Core Configuration (FDCC) Deviations, dated November 5, 2008.
- HHS Federal Desktop Core Configuration (FDCC) Standard for Windows Vista, dated November 5, 2008.
- HHS Federal Desktop Core Configuration (FDCC) Standard for Windows XP, dated November 5, 2008.
- HHS memorandum, Updated Departmental Standard for the Definition of Sensitive Information, dated May 18, 2009.
- HHS memorandum, Role-Based Training (RBT) of Personnel with Significant Security Responsibilities, dated October 3, 2007.
- HHS memorandum, Federal Information Processing Standards (FIPS) 200 Implementation, dated January 9, 2007.
- HHS memorandum, Security Related to Hosting Foreign Visitors and Foreign Travel by HHS Personnel, dated April 23, 2004.
- HHS memorandum, Security Related to Hosting Foreign Visitors and Foreign Travel by HHS Personnel, dated April 23, 2004.
- HHS Logistics Management Manual (LMM), dated February 23, 2007.
- HHS National Security Information Manual, dated February 1, 2005
- HHS-OCIO-2007.0004.001, Policy for Records Management, dated January 30, 2007.
- OMB Circular A-127, Financial Management Systems, dated January 9, 2009.
- OMB Circular A-130, Management of Federal Information Resources, dated November 28, 2000.
- OMB Circular A-123, Management Accountability and Control, dated June 21, 1995.
- OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007.
- OMB M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006.
- OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006.
- OMB M-05-08, Designation of Senior Agency Officials for Privacy, dated February 11, 2005.
- OMB M-04-26, Personal Use Policies and ‘File Sharing’ Technology, dated September 8, 2004.
- OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002, dated September 26, 2003.
- OMB M-04-04, E-Authentication Guidance for Federal Agencies, dated December 16, 2003.
- OMB M-01-24, Reporting Instructions for the Government Information Security Reform Act, dated June 22, 2001.
- OMB M-99-20, Security of Federal Automated Information Resources, dated June 23, 1999.
- OMB M-96-20, Implementation of the Information Technology Management Reform Act of 1996, dated April 4, 1996.
- NIST SP 800-64, Revision 2, Security Considerations in the System Development Lifecycle, dated October 2008.
- NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems, dated July 2008.
- NIST SP 800-53, Revision 2, Recommended Security Controls for Federal Information Systems, dated December 2007.
- NIST SP 800-63 Version 1.0.2, Electronic Authentication Guideline, dated April 2006.
- NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, dated February 2006.
- NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, dated January 2005.
- NIST SP 800-58, Security Considerations for Voice Over IP Systems, dated January 2005.
- NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems, dated May 2004.
- NIST SP 800-34, Contingency Planning Guide for Information Technology Systems, dated June 2002.
- NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, dated April 1998.
- FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, dated March 2006.
- FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004.
7. Information and Assistance
HHS OCIO policies and standards are posted on the following website: http://www.hhs.gov/ocio/policy/index.html.
Direct any questions, comments, suggestions, or requests for further information to the HHS Information Security and Privacy Program at (202) 690-6162.
The effective date of this Policy is the date on which the Policy is approved.
Requirements stated in this Policy are consistent with law, regulations and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated August 7, 1997, as amended, titled Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations. It is HHS policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
/s/ | | June 25, 2009 |
Michael W. Carleton | | DATE |
HHS Chief Information Officer
Access — Ability to make use of any information system resource. (Defined in NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure)
Accreditation — The official management decision given by a senior agency official to authorize operation of an information system and to explicitly accept the risk to agency operations (including mission, functions, image, or reputation), agency assets, or individuals, based on the implementation of an agreed-upon set of security controls. (Defined in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems)
Access Control — The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., federal buildings, military establishments, and border crossing entrances). (Defined in FIPS 201-1, Personal Identity Verification for Federal Employees and Contractors)
Access Control List (ACL) — A register of: (i) users (including groups, machines, processes) who have been given permission to use a particular system resource; and (ii) the types of access they have been permitted. (Defined in NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook)
Asset Management — The tracking and management of assets to ensure they are not stolen or misused. (Defined in NIST Security Management and Assistance documentation)
Authentication — Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)
Breach — The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. (Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)
Certification — A comprehensive assessment of the management, operational, and technical security controls in an information system, made in support of security accreditation, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)
Compensating Controls — Management, operational, or technical controls employed by an organization, in lieu of prescribed controls in the Low, Moderate, or High security National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53 Revision 2 control baselines, which provide equivalent or comparable protection for an information system. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)
Confidentiality — Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems)
Configuration Management (CM) — A discipline applying technical and administrative direction and surveillance to: identify and document the functional and physical characteristics of a configuration item; control changes to those characteristics; record and report change processing and implementation status; and, verify compliance with specified requirements. (Defined in IEEE 610.12, Standard Glossary of Software Engineering Terminology)
Contingency Plan (CP) — Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster. (Defined in NIST SP 800-34, Contingency Planning Guide for Information Technology Systems)
Cryptography — The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification. (Defined in NIST SP 800-59, Guideline for Identifying an Information System as a National Security System)
Cryptographic Module Validation Program (CMVP) — The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of the Government of Canada that validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography based standards. Products validated as conforming to FIPS 140-2 are accepted by the federal agencies of both countries for the protection of sensitive information (United States) or designated information (Canada). (Defined in FIPS 140-2, Security Requirements for Cryptographic Modules)
Domain Name System (DNS) — System that translates domain names to Internet protocol (IP) addresses and back. (Defined in NIST SP 800-81, Secure Domain Name System (DNS) Deployment Guide)
Enterprise Architecture (EA) — A strategic information asset base, which defines the business, the information necessary to operate the business, the technologies necessary to support the business operations, and the transitional processes necessary for implementing new technologies in response to the changing business needs. It is a representation or blueprint. (Defined in the Chief Information Officers Council Federal Enterprise Architecture Framework Version 1.1 as “federal enterprise architecture”)
Enterprise Performance Life Cycle (EPLC) — A framework that establishes a project management and accountability environment where Department of Health and Human Services (HHS) information technology (IT) projects achieve consistently successful outcomes that maximize alignment with Department-wide and individual Operating Division (OPDIV) goals and objectives. Implementation of the EPLC methodology allows HHS to improve the quality of project planning and execution, reducing overall project risk. (Defined in HHS-OCIO-2008-0004.001, HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC)
Event — Any observable occurrence in a system and/or network. Examples of events include the system boot sequence, a system crash, and packet flooding within a network. (Defined in HHS-IRM-2000-0006, Policy for Establishing an Incident Response Capability)
Identification — The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items. (Defined in FIPS 201-1, Personal Identity Verification for Federal Employees and Contractors)
Incident — An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information that the system possesses, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)
Incident Response Plan — The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of a malicious cyber attacks against an organization’s information systems(s). (Defined in NIST SP 800-34, Contingency Planning Guide for Information Technology Systems)
Information — Any communication or representation of knowledge such as facts, data, or opinions in any medium or form; including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. (Defined in OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, 6(a))
Information Resources — Information and related resources, such as personnel, equipment, funds, and IT. (Defined in 44 U.S.C., SEC. 3502)
Information Security Measures — Activities used to facilitate decision making and improve performance and accountability through the collection, analysis and reporting of relevant performance-related data. (Defined in NIST SP 800-55, Performance Measurement Guide for Information Security)
Information System — A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Appendix B)
Integrity — Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)
Interconnection Security Agreement (ISA) — An agreement established between the organizations that own and operate connected information systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations. (Defined in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)
Information Technology Contingency Plan (ITCP) — Interim measures to recover IT services following an emergency or system disruption. (Defined in NIST SP 800-34, Contingency Planning Guide for Information Technology Systems)
Information Technology Security Architecture — A description of security principles and an overall approach for complying with the principles that drive the system design; i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments. (Defined in NIST SP 800-27A, Engineering Principles for Information Technology Security (A Baseline for Achieving Security))
Key Management — The activities involving the handling of cryptographic keys and other related security parameters (e.g., IVs and passwords) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, and destruction. (Defined in NIST 800-57, Recommendation for Key Management)
Key Recovery — A function in the lifecycle of keying material; mechanisms and processes that allow authorized entities to retrieve keying material from key backup or archive. (Defined in NIST SP 800-57, Recommendation for Key Management)
Memorandum of Understanding/Agreement (MOU/A) — A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection. (Defined in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)
Mobile Devices — Any computer or other apparatus that can store and process data and is designed to be mobile. Examples include laptop computers, iPODs, Blackberries, Treos, Palm Pilots and other personal digital assistants (PDAs). (Defined in HHS Standard 2008-0007.001S, HHS Standard for Encryption)
Patch — An additional piece of code developed to address a problem in an existing piece of software. (Defined in NIST SP 800-40, Creating a Patch and Vulnerability Management Program)
Peer-to-peer (P2P) — Any software or system allowing individual users of the Internet to connect to each other and trade files. (Defined in OMB M-04-26, Personal Use Policies and ‘File Sharing’ Technologies)
Penetration Testing — Security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. (Defined in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment)
Personal Identification Verification (PIV) Card — A secure and reliable form of identification credential issued by the federal government to its employees and contractors. This credential is intended to authenticate an individual who requires access to federally controlled facilities, information systems, and applications. (Defined in FIPS 201-1)
Personally Identifiable Information (PII) — Information in an IT system or online collection: (1) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address), or (2) by which an agency intends to identify specific individuals in conjunction with other data elements (i.e., indirect identification). (These data elements may include a combination of gender, race, birth date, geographic indicator, and other descriptors.) (Defined in OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002)
Plan of Action & Milestones (POA&M) — A document that identifies tasks needing to be accomplished, and details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. (Defined in OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones)
Policy — The rules and regulations set by an organization that define the purpose of the program and its scope within an organization; assigns responsibilities for direct program implementation, as well as other responsibilities to related offices (e.g., Chief Information Office); and addresses compliance issues. A program policy sets organizational and strategic directions for security and assigns resources for the program’s implementation. (Defined in NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook)
Portable Media — Any device that can store data electronically and is portable, such as portable hard drives, universal serial bus (USB) drives, secure digital (SD) card media, compact discs – read only memory (CD-ROMs), and digital video discs (DVDs). (Defined in HHS Standard 2008-0007.001S, HHS Standard for Encryption)
Privacy — The appropriate use of personal information. (Defined in the International Association of Privacy Professionals site glossary)
Privacy Impact Assessment (PIA) — An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. (Defined in OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002)
Protected Healthcare Information (PHI) — Any information held by a HIPAA-covered entity which concerns health status, provision of health care, or payment for health care that can be linked to an individual. (Defined in the Health Insurance Portability and Accountability Act of 1996 (HIPAA))
Record — Any item, collection, or grouping of information about individuals that is maintained by an agency, including, but not limited to, their education, financial transactions, and/or medical, criminal, or employment history and that contains their name; or it contains the identifying number, symbol, or other identifying information assigned to the individual, such as a finger or voice print or a photograph. (Defined in The Privacy Act of 1974)
Remote Access — Access by users (or information systems) communicating external to information system security perimeter. (Defined in NIST 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems)
Risk — The level of impact on agency operations (including mission, function, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems)
Risk Assessment — The process of identifying risks to agency operations (including mission, functions, image, or reputation), agency assets, or individuals by determining the probability of occurrence, the resulting impact, and additional security controls that would mitigate this impact. Part of risk management, synonymous with risk analysis, and incorporates threat and vulnerability analyses. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems)
Role-Based Training (RBT) — Training focused on the knowledge, skills, and abilities an individual needs to perform the IT security responsibilities specific to each of his or her roles in the organization. (Defined in NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model)
Routine Use — The use of such record for a purpose which is compatible with the purpose for which it was collected. (Defined in the Privacy Act of 1974)
Sanitization — Process to remove information from media such that information recovery is not possible. It includes removing all labels, marking, and activity logs. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems)
Security Assessment Report — Prepared by the certification agent, this report provides the results of assessing the security controls in the information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the system security requirements. The security assessment report can also contain a list of recommended corrective actions. (Defined in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems)
Security Content Automated Protocol (SCAP) — A method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). (Defined in The Information Security Automation Program and The Security Content Automation Protocol released by the National Vulnerability Database/NIST)
Security Controls — The management, operational, and technical controls (safeguards or countermeasures) prescribed for an information system which, taken together, adequately protect the confidentiality, integrity, and availability of the system and its information. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems, Appendix B)
Security Control Families — The seventeen security control families in NIST Special Publication 800-53 are closely aligned with the seventeen security-related areas in FIPS 200 specifying the minimum security requirements for protecting federal information and information systems. Families are assigned to their respective classes based on the dominant characteristics of the controls in that family. Many security controls, however, can be logically associated with more than one class. For example, CP-1, the policy and procedures control from the Contingency Planning family, is listed as an operational control but also has characteristics that are consistent with security management as well. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems)
Significant Change — Any major alteration to one or more aspects of an information system that requires the information system to be reviewed for possible re-accreditation. Major alterations include, but are not limited to, the following: (i) installation of a new or upgraded operating system, middleware component, or application; (ii) modifications to system ports, protocols, or services; (iii) installation of a new or upgraded hardware platform or firmware component; or (iv) modifications to cryptographic modules or services. Changes in laws, directives, policies, or regulations, while not always directly related to the information system, can also potentially affect the security of the system and trigger a re-accreditation action. (Defined in NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems)
System Development Life Cycle (SDLC) — The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation. (Defined in NIST SP 800-34, Contingency Planning Guide for Information Technology Systems)
System Security Plan (SSP) — An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)
System of Records (SOR) — A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Defined in the Privacy Act of 1974)
Voice Over Internet Protocol (VOIP) — Equipment that provides the ability to dial telephone numbers and communicate with parties on the other end of a connection who have either another VOIP system or a traditional analog telephone. (Defined in NIST 800-58, Security Considerations for Voice Over IP Systems)
Vulnerability — Weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (Defined in NIST SP 800-53, Recommended Security Controls for Federal Information Systems)
Wireless Local Area Network (WLAN) — A group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). (Defined in NIST SP 800-46, Security for Telecommuting and Broadband Communications)
ACL | Access Control List |
AO | Authorizing Official |
ASAM | Assistant Secretary for Administration and Management |
ATO | Authority to Operate |
BI | Background Investigation |
C&A | Certification and Accreditation |
CA | Certification Authority |
CCB | Change Control Body |
CD-ROM | Compact Disc – Read Only Memory |
CFE | Contractor-furnished Equipment |
CIO | Chief Information Officer |
CIP | Critical Infrastructure Protection |
CISO | Chief Information Security Officer |
CMS | Centers for Medicare and Medicaid Services |
CO | Contracting Officer |
CONOPS | Concept of Operations |
COOP | Continuity of Operations Plan |
COPPA | Children’s Online Privacy Protection Act |
COTR | Contracting Officer’s Technical Representative |
COTS | Commercial Off-the-Shelf |
CP | Contingency Plan |
CPIC | Capital Planning and Investment Control |
CSIRC | Computer Security Incident Response Center |
CVE | Common Vulnerabilities and Exposures |
DAA/AO | Designated Approving Authority / Authorizing Official |
DNS | Domain Name System |
DoS | Denial of Service |
DVD | Digital Video Disc |
E.O. | Executive Order |
EPLC | Enterprise Performance Lifecycle |
FAR | Federal Acquisition Regulation |
FDCC | Federal Desktop Core Configuration |
FIPS | Federal Information Processing Standard |
FISMA | Federal Information Security Management Act of 2002 |
FOIA | Freedom of Information Act |
FPC | Federal Preparedness Circular |
GAO | General Accounting Office |
GFE | Government-furnished Equipment |
HHS | Department of Health and Human Services |
HHSAR | Department of Health and Human Services Acquisition Regulation |
HHSID | Department of Health and Human Services User Identification |
HIPAA | Health Insurance Portability and Accountability Act |
HSPD | Homeland Security Presidential Directive |
HW | Hardware |
I&A | Identification and Authentication |
IEEE | Institute of Electrical and Electronics Engineers |
IG | Inspector General |
IRT | Incident Response Team |
ISA | Interconnection Security Agreement |
ISSO | Information Systems Security Officer |
IT | Information Technology |
ITCP | Information Technology Contingency Plan |
ITU | Information Technology Utilities |
M | Memorandum |
MEF | Mission Essential Function |
MOU | Memorandum of Understanding |
NIST | National Institute of Standards and Technology |
NSA | National Security Agency |
O&M | Operations and Maintenance |
OCIO | Office of the Chief Information Officer |
OCR | Office for Civil Rights |
OHR | Office of Human Resources |
OIG | Office of Inspector General |
OMB | Office of Management and Budget |
OPDIV | Operating Division |
OPM | Office of Personnel Management |
OS | Office of the Secretary |
OSDT | Office of Security and Drug Testing |
OSSI | Office of Security and Strategic Information |
P2P | Peer-to-Peer |
PDA | Personal Digital Assistant |
PDD | Presidential Decision Directive |
PIA | Privacy Impact Assessment |
PII | Personally Identifiable Information |
PIV | Personal Identification Verification |
PMA | President’s Management Agenda |
POA&M | Plan of Action and Milestones |
POC | Point of Contact |
PRA | Paperwork Reduction Act |
RA | Risk Assessment |
RAS | Remote Access Server |
RBT | Role-Based Training |
RoB | Rules of Behavior |
SAOP | Senior Agency Official for Privacy |
SAR | Security Assessment Report |
SCAP | Security Content Automation Protocol |
SD | Secure Digital |
SDLC | System Development Lifecycle |
SOP | Senior Official for Privacy |
SORN | System of Records Notice |
SOW | Statement of Work |
SP | Special Publication |
SSN | Social Security Number |
SSP | System Security Plan |
ST&E | Security Testing and Evaluation |
STAFFDIV | Staff Division |
SW | Software |
UPI | Unique Project Identifier |
URL | Uniform Resource Locator |
USB | Universal Serial Bus |
US-CERT | United States Computer Emergency Readiness Team |
VoIP | Voice over Internet Protocol |
VPN | Virtual Private Network |
WLAN | Wireless Local Area Network |
Footnotes
[1] The terms information security, IT security, and information systems security are used interchangeably in FISMA and associated guidance from the Office of Management and Budget and the National Institute of Standards and Technology.
] Should NIST introduce a revision to the NIST SP 800-53 series, dated February 2009, this Policy and its associated Handbook will be updated as appropriate.
] In some cases, the Program Executive may be the System Owner and/or the Data Owner/Business Owner.
] In some cases, the System Owner may be the Program Executive and/or the Data Owner/Business Owner.
] In some cases the Data Owner/Business Owner may be the System Owner and/or Program Executive.
] FAR 1.602-1(b) states that no contract shall be entered into unless the CO ensures that all requirements of law, executive orders, regulations, and all other applicable procedures, including clearances and approvals, have been met.
] An unauthorized source is any location (e.g., file store or server to which a device could connect, Internet site, Intranet site) or process that is not permitted by HHS or OPDIV/STAFFDIV IT security personnel for the distribution of software.
Print 
Download Reader 
HHS Home|HHS News|About HHS
