HHS Standard for FISMA Inventory Management
December 23, 2008
HHS Standard 2008-0006.001S
This standard ensures consistency across the Department of Health and Human Services (HHS) in determining how information technology (IT) systems are reported and tracked by the Operating Division (OPDIV) Chief Information Officers (CIOs)/Chief Information Security Officers (CISOs) for the Federal Information Security Management Act (FISMA) of 2002. This collection of IT systems, known as the HHS FISMA Inventory, is a subset inventory nested within the HHS Enterprise Architecture (EA) System Inventory.
The security Certification and Accreditation (C&A) process from National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (as amended), determines how each IT system is accounted for in the HHS FISMA Inventory. NIST guidance recognizes that agencies have flexibility in determining what constitutes an IT system (i.e., General Support System [GSS], major application, or minor application) and the resulting security accreditation boundary that is associated with that system.(1) If a set of IT resources is identified as an IT system, the resources should generally be under the same direct management control. It is quite possible for multiple information systems to be validly considered subsystems of a single, larger system, provided all of these subsystems fall under the same higher management authority or support the same major business function. This situation is common across the federal government and occurs when IT systems other than major applications (i.e., minor applications) are coalesced into a GSS or when multiple applications supporting the same major business function are grouped for purposes of security C&A.
The IT systems listed as specific entries in the HHS FISMA Inventory shall primarily consist of GSSs and major applications. Most major applications have their own security C&A packages, and each package generally consists of an application-specific Federal Information Processing Standard (FIPS) 199 impact designation, System Security Plan, Risk Assessment (utilizing automated vulnerability scanning, security test and evaluation [ST&E], and/or penetration testing test methods),(2) IT Contingency Plan, Security Assessment Report, Plan of Action and Milestones (POA&M), signed accreditation letter, and the other C&A artifacts prescribed by NIST(3) and HHS guidance.
Each GSS shall have its own security C&A package, whose contents depend on the number of major applications and minor applications included as part of the GSS accreditation boundary. Every GSS shall be specifically listed in the HHS FISMA Inventory; however, major applications and minor applications included in the security C&A of a GSS do not need to be separately listed in the HHS FISMA Inventory.
Although most minor applications are generally included within the accreditation boundary of a GSS or major application, there may be instances when a minor application requires its own security C&A package. In this scenario, the minor application shall also be listed separately in the HHS FISMA Inventory.
This standard applies to all IT systems owned by HHS or operated on behalf of HHS (e.g., by a contractor). It is effective immediately and supersedes all prior directives establishing the scope of the HHS FISMA Inventory.
1) Every GSS shall be explicitly listed in the HHS FISMA Inventory.
2) Each major application shall be explicitly listed in the HHS FISMA Inventory, except in limited circumstances where the major application is included in the accreditation boundary of a GSS.
3) Each minor application shall be accounted for in the HHS FISMA Inventory by either explicitly listing it or by including it in the accreditation boundary of a GSS.
4) All IT systems in the HHS FISMA Inventory shall be recorded through the HHS FISMA reporting tool. Minimally, the following shall be documented within the reporting tool for each IT system listed in the HHS FISMA Inventory:
• System type (i.e., GSS, major application, minor application [stand-alone],(4) or minor application [child](5));
• Information type(s) and corresponding FIPS 199 risk impact levels (i.e., categorizations) for the individual information types and for the IT system;
• Privacy Impact Assessment (PIA);
• e-Authentication risk assessment completion date and highest authentication assurance level; and
• Weaknesses and corrective actions within a POA&M. The GSS or major application POA&M must account for the weaknesses of all applications (major or minor, as applicable) within its accreditation boundary.
5) All IT systems in the HHS FISMA Inventory shall undergo C&A in accordance with NIST and HHS guidance. The C&A for a GSS or major application shall account for all IT systems within its accreditation boundary. The scope of the C&A shall be commensurate with the FIPS 199 risk impact level of the system. C&A documentation shall minimally include the following:
• Department-compliant C&A package—including Risk Assessment, Security Assessment Report, and POA&M—and accreditation decision letter with corresponding full Authorization to Operate (ATO);
• Up-to-date System Security Plan and IT Contingency Plan, which provide a listing of all information technology comprising the system;
• Annual security control test plans and evaluation reports; and
• Annual IT contingency plan test plans and test results.
APPROVED BY & EFFECTIVE ON:
/s/ Michael W. Carleton, HHS Chief Information Officer
Date: December 23, 2008
(1) Per NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems, released February 2006.
(2) Per NIST SP 800-30, Risk Management Guide for Information Technology Systems, released July 2002.
(3) Per NIST SP 800-37, Guide for the Security Certification and Accreditation of Federal Information Systems (as amended).
(4) Stand-alone refers to a minor application which is not accounted for within the C&A boundary of a GSS and, therefore, must be individually tracked as an IT system in the HHS FISMA Inventory and must have its own C&A.
(5) A minor application (child) that is managed as part of a GSS need not be separately entered into the HHS FISMA reporting tool. Independent risk assessments for minor application (child) systems facilitate determining which systems (i.e., GSSs) are potential “hosts.” The risk assessment of the minor application (child) must then be incorporated into the C&A for the GSS. Alternatively, the risk assessment for the GSS may address and reference the minor application (child) in lieu of separate risk assessments. The HHS FISMA reporting tool may be used to individually document these risk assessments.