Policy for Department-wide Information Security
September 24, 2007
Table of Contents
- 1. Purpose
- 2. Background
- 3. Scope
- 4. Policy
- 5. Roles and Responsibilities
- 6. Applicable Laws and Guidance
- 7. Information and Assistance
- 8. Effective Date/Implementation
- 9. Approved
This policy applies to all Department Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs), to include the following:
- Administration for Children and Families (ACF)
- Administration on Aging (AoA)
- Agency for Healthcare Research and Quality (AHRQ)
- Centers for Disease Control and Prevention (CDC), to include the Agency for Toxic Substances and Disease Registry (ATSDR)
- Centers for Medicare & Medicaid Services (CMS)
- Food and Drug Administration (FDA)
- Health Resources and Services Administration (HRSA)
- Indian Health Service (IHS)
- National Institutes of Health (NIH)
- Office of Inspector General (OIG)
- Office of the Secretary (OS), to include the Program Support Center (PSC) and all STAFFDIVs
- Substance Abuse and Mental Health Services Administration (SAMHSA)
All organizations collecting or maintaining information or using or operating information systems on behalf of the Department are also subject to the stipulations of this policy. The content of and compliance with this policy shall be incorporated into applicable contract language or memoranda of agreement under separate cover, e.g., Interim HHSAR FISMA policy.
This policy does not supersede any other applicable law or higher level agency directive or policy guidance. Agency officials shall apply this policy to Federal employees, contractors and contract personnel, interns, and other non-government employees.
Agencies shall use this Policy or may create a more restrictive OPDIV policy, but not one that is less restrictive, less comprehensive or less compliant with this Department-wide Information Security Policy.
As such, Federal agencies must establish information security programs to ensure the adequate protection of information and develop comprehensive policies and procedures to direct the proper implementation of the information security programs.
This authority document is listed in detail in Chapter 6, Applicable Laws and Guidance, of this document.
This policy codifies HHS’ authority to develop, document, and implement a Department-wide information security program to provide information security for the information and information systems that support the operations and assets of the Agency, including those provided or managed by another Federal agency, contractor, or other source. OPDIVs and STAFFDIVs shall comply with and support the implementation of a Department-wide information security program, to include compliance with Federal requirements and programmatic policies, standards, procedures, and information security controls.
5. Roles and Responsibilities
FISMA explicitly assigns information security responsibilities, to include program implementation and policymaking, to three key roles within the Agency – the Secretary of HHS, the HHS Chief Information Officer (CIO) and the HHS Chief Information Security Officer (CISO), as designated by the HHS CIO. These responsibilities are outlined below, as well as the HHS-defined roles and responsibilities of the OPDIV Heads, OPDIV CIOs and OPDIV Chief Information Security Officers (CISOs).
5.1 Secretary of HHS
The Secretary of HHS shall:
5.1.1 Ensure that an agency-wide information security program is developed, documented, and implemented to provide security for all systems, networks, and data that support Agency operations, to include the development and implementation of information security policies and procedures to cost-effectively reduce risks to acceptable levels;
5.1.2 Provide protections for HHS’ information and information systems commensurate with the risk and magnitude of harm posed by unauthorized access, modification, disclosure, disruption, use, and/or destruction; or as recommended by law;
5.1.3 Ensure HHS complies with existing and emerging information security policies, standards and procedures; and
5.1.4 Delegate to the HHS CIO the authority to ensure compliance with all FISMA and other Federal requirements.
5.2 The Deputy Assistant Secretary for Information Technology (DASIT)/HHS Chief Information Officer (CIO)
The HHS CIO, under the authority delegated by the Assistant Secretary for Resources and Technology (ASRT), shall:
5.2.1 Ensure Department compliance and conformance with Public Laws, Office of Management and Budget (OMB) and Government Accountability Office (GAO) regulations, policies, standards, procedures, and information security controls concerning Department-wide operations and reviews;
5.2.2 Head an office with the mission and resources to ensure HHS compliance with federal regulations and FISMA information security program implementation requirements;
5.2.3 Ensure the development and maintenance of a Department-wide information security program to include the development and implementation of policies, standards, procedures, and information security controls;
5.2.4 Require the development and implementation of protections for HHS’ information and information systems commensurate with the risk and magnitude of harm posed by unauthorized access, modification, disclosure, disruption, use, and/or destruction, or recommended by law;
5.2.5 Ensure the dissemination of Department-wide information security policy for OPDIV review and comment;
5.2.6 Ensure the dissemination of approved Department-wide information security policy; and
5.2.7 Designate a senior agency information security officer – the HHS CISO – to oversee information security-related issues and initiatives on a daily basis.
5.3 HHS Chief Information Security Officer (CISO)
The HHS CISO, under the authority delegated by the HHS CIO, shall:
5.3.1 Fulfill the information security roles and responsibilities of the HHS CIO as delegated;
5.3.2 Develop, maintain and direct a Department-wide information security program to include the development and implementation of policies, standards, procedures, and information security controls;
5.3.3 Ensure the integration of Department-wide policies, standards, procedures, and information security controls in information security training; and
5.3.4 Conduct oversight activities to ensure Department-wide information policies, standards, procedures, and information security controls are implemented appropriately.
5.4 OPDIV Heads
OPDIV Heads shall:
5.4.1 Ensure the development and implementation of OPDIV information security programs, and related policies, standards, procedures, and information security controls compliant with Department policies, standards, procedures, and information security controls; and
5.4.2 Require consistency and compliance with Department-wide policies, standards, procedures, and information security controls.
5.5 OPDIV Chief Information Officers (CIOs)
OPDIV CIOs shall:
5.5.1 Ensure the development, implementation and maintenance of OPDIV information security programs, and related policies, standards, procedures, and information security controls compliant with Department policies, standards, procedures, and information security controls;
5.5.2 When needed, facilitate the development and approval of OPDIV policies that are consistent with or more restrictive than Department-wide information security policies but never less restrictive, comprehensive, or compliant;
5.5.3 Ensure employees and/or contractors participate in Integrated Program Teams (IPT) to assist in the development and review of Department-wide and OPDIV information security policies; and
5.5.4 Ensure all employees and contractors receive required information security training as specified in forthcoming Department security Procedures.
5.6 OPDIV Chief Information Security Officers (CISOs)
OPDIV CISOs shall:
5.6.1 Fulfill the information security roles and responsibilities of the OPDIV CIO, as defined by FISMA and other Federal regulations, and delegated;
5.6.2 Develop, implement and maintain an OPDIV information security program to include the development and implementation of policies, standards, procedures, and information security controls consistent and compliant with Department-wide policies, standards, procedures, and information security controls;
5.6.3 Ensure the integration of Department policies, standards, procedures, and information security controls in annual information security training, and that all employees and contractors receive training on Department information security policies, standards, procedures, and information security controls, as appropriate; and
5.6.4 Conduct periodic oversight activities to ensure Department and OPDIV policies and applicable Federal information security regulations are implemented appropriately.
6. Applicable Laws and Guidance
Federal Register, Volume 70, Number 140, 42321-42324, Department of Health and Human Services, Office of Budget, Technology and Finance; Statement of Organization, Functions, and Delegations of Authority, July 22, 2005.
HHS Information Resource Management (IRM) Policy Circular No. 101, Chief Information Officer Roles and Responsibilities, March 1999.
OMB Circular A-130, Management of Federal Information Resources, Appendix III, Security of Federal Automated Information Resources, November 28, 2000.
Public Law 93-579, Privacy Act of 1974, December 31, 1974.
Public Law 104-106, Division E, Information Technology Management Reform Act (ITMRA, or Clinger-Cohen Act), February 10, 1996.
Public Law 107-347 [H.R. 2458], The E-Government Act of 2002. Title III of this Act is the Federal Information Security Management Act of 2002, December 17, 2002.
7. Information and Assistance
All Department policies, standards, procedures and information security controls will be posted on the following website: http://intranet.hhs.gov/infosec/policies_memos.html. Direct questions, comments, suggestions, or requests for further information to the HHS CISO, (202) 205-9581.
8. Effective Date/Implementation
The effective date of this policy is the date the policy is approved.
These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
9. Approved
/s/ Michael W. Carleton, HHS Chief Information Officer (CIO)
Date: September 24, 2007
Information — any communication or representation of knowledge such as facts, data, or opinions in any medium or form; including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. (Defined in OMB Circular A-130, 6(a).)
Information Resources — information and related resources, such as personnel, equipment, funds, and information technology. (Defined in 44 U.S.C., SEC. 3502.)
Information System — a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Defined in NIST SP 800-53, Appendix B.)
Policy — the rules and regulations set by an organization that define the purpose of the program and its scope within an organization; assigns responsibilities for direct program implementation, as well as other responsibilities to related offices (e.g., Chief Information Office); and addresses compliance issues. A program policy sets organizational and strategic directions for security and assigns resources for its implementation. (Defined in NIST 800-12.)
Risk — the level of impact on agency operations (including mission, functions, image, or reputation), agency assets, or individuals resulting from the operation of an information system given the potential impact of a threat and the likelihood of that threat occurring. (Defined in NIST SP 800-30, Rev A, Appendix E.)
Security Controls — the management, operational, and technical controls (safeguards or countermeasures) prescribed for an information system which, taken together, adequately protect the confidentiality, integrity, and availability of the system and its information. (Defined in NIST SP 800-53, Appendix B.)
For purposes of this policy document, the terms “Agency” or “Agencies” refer to HHS in its entirety, to include the Department, all OPDIVs and all STAFFDIVs. The terms “Federal agency” or “Federal agencies” refer to HHS as a whole and its status as a Cabinet-level Agency within the Federal government.