Skip Navigation
  • Text Size: A A A
  • Print
  • Email
  • Facebook
  • Tweet
  • Share

HHS-OCIO Standard for the Segregation of Development/Test Environments from Production

HHS Standard 2008-0003.002S

August 7, 2008


The following is effective immediately.

1. All test and development systems [1] shall, at a minimum, be physically or logically segregated from production systems, for example, by using a firewall or router with an access control list (ACL).

    Informative: It is preferable that all testing be conducted in a test or a development environment. However, the Department understands that there may be instances where a system, for example a system with a mixed life cycle, must undergo additional testing once in production. Testing in a production environment does not reclassify a system as a test or development system. This standard does not seek to prohibit required testing in a production environment.

2. HHS data that is categorized as Moderate or High according to the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, shall not reside in or transmit through test or development systems unless the test/development system(s) employ security controls equivalent to that of the production system. System owners shall obtain written authorization in the form of an HHS Department Information Security Policy/Standard Waiver if compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a mission or business function. Please refer to the waiver form for additional details.[2]


                                      /s/                                                 August 7, 2008
Michael W. Carleton                                                                Date
HHS Chief Information Officer

[1] Test and development systems are those systems that have not reached Phase 4 (Operation or Maintenance) of the System Development Life Cycle, as described in Table 2-1 of NIST SP 800-30, Risk Management Guide for Information Technology Systems.

[2]The HHS Departmental Information Security Policy/Standard Waiver form and process is available at