HHS Standard for Managing Outbound Web Traffic
June 6, 2008
HHS Standard 2008-0002.002
The following is effective immediately.
(1) Operating Divisions (OPDIVs) shall implement the HHS standard product or equivalent technology for managing outbound Web traffic and establish and apply a baseline management policy to all outbound Web traffic. The management policies shall comply with, or be stricter than, settings defined in the “Websense Configuration Guide” section of the HHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications.
(2) OPDIVs shall establish, document, and enforce requirements and processes for modifying the traffic management behaviors, including the re-categorization of uniform resource locators (URLs), changes to category definitions, and changes to filtering rules. Documentation developed must be consistent with Department policy and provided to the HHS Chief Information Security Officer (CISO) upon request.
(3) OPDIVs shall establish, document, and enforce requirements and processes for granting modified access to Internet content that is blocked by their baseline configuration. The process will include, at a minimum, the following compensating controls:
a) Modified access must be approved by the OPDIV Chief Information Officer (CIO), the OPDIV CISO, or a designated authority, as appropriate.
b) Modified access must be for a valid and documented business need.
c) Membership in the group granted modified access will be defined as narrowly as possible, using technical controls rather than manual exceptions.
d) The requirement for modified access will be reviewed at least once every three years.
System owners shall obtain written authorization from the OPDIV CIO if compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a mission or business function. Waiver consideration shall be a risk-based determination by the OPDIV CIO. To obtain a waiver, compensating controls must be identified and documented in the waiver form. Waivers shall be recorded and maintained by the OPDIV and provided to the HHS CISO upon approval.
APPROVED BY & EFFECTIVE ON:
/s/ John Teeter for Michael W. Carleton
HHS Chief Information Officer
Date: June 6, 2008