HHS-OCIO-2009-0001.001S Standard Security Configurations Language in HHS Contracts
HHS OCIO Standard 2009-0001.001S
January 30, 2009
To implement Federal Acquisition Regulation (FAR) 39.101(d) regarding Common Security Configurations, and Department of Health and Human Services (HHS) information security requirements, the following standard language shall be incorporated in solicitations and new contracts for the operation or acquisition of information technology systems. This document supersedes HHS Standard 2008-0004.001S, HHS-OCIO Standard for Security Configurations Language in HHS Contracts (dated September 11, 2008), and is effective immediately. (i) An approved HHS Department Information Security Policy/Standard Waiver (ii) is required to deviate from the technical standard set forth below.
1. Contractor computers containing HHS data shall be configured with the applicable Federal Desktop Core Configuration (FDCC) (http://nvd.nist.gov/fdcc/index.cfm), (iii) and shall have and maintain the latest operating system patch level and anti-virus software level.
2. The Contractor shall apply approved security configurations to information technology that is used to process information on behalf of the Department, its Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs).
Such approved security configurations shall be identified jointly by the OPDIV/STAFFDIV Contracting Officer’s Technical Representative (COTR) and Chief Information Security Officer (CISO). Approved security configurations include, but are not limited to, those published by the Department, (iv) by the OPDIV/STAFFDIV, and by the National Institute of Standards and Technology (NIST) at http://checklist.nist.gov. OPDIVs/STAFFDIVs may have security configurations that are more stringent than the minimum baseline set by the Department or NIST. When incorporating such security configuration requirements in solicitations and contracts, the OPDIV CISO shall be consulted to determine the appropriate configuration reference for a particular system or services acquisition.
3. The Contractor shall ensure applications operated on behalf of the Department or OPDIV/STAFFDIV are fully functional and operate correctly on systems configured in accordance with the above configuration requirements. The Contractor shall use Security Content Automation Protocol (SCAP)-validated tools with FDCC Scanner capability to ensure its products operate correctly with FDCC configurations and do not alter FDCC settings. (v) The Contractor shall test applicable product versions with all relevant and current updates and patches installed. The Contractor shall ensure currently supported versions of information technology (IT) products meet the latest FDCC major version and subsequent major versions. (vi)
4. The Contractor shall ensure applications designed for end users run in the standard user context without requiring elevated administrative privileges.
5. The Contractor shall ensure hardware and software installation, operation, maintenance, update, and patching will not alter the configuration settings or requirements specified above.
6. Federal Information Processing Standard 201 (FIPS-201) (vii) compliant, Homeland Security Presidential Directive 12 (HSPD-12) card readers shall: (a) be included with the purchase of servers, desktops, and laptops; and (b) comply with FAR Subpart 4.13, Personal Identity Verification.
7. The Contractor shall ensure all its subcontractors that perform work under this contract (at all tiers) comply with the above requirements.
APPROVED BY & EFFECTIVE ON:
/s/ Michael W. Carleton    Date: January 30, 2009
HHS Chief Information Officer and Deputy Assistant Secretary for Information Technology
/s/ Martin J. Brown    Date: January 30, 2009
HHS Senior Procurement Executive and Deputy Assistant Secretary for Acquisition Management and Policy
(i) This requirement will be incorporated into the HHS Acquisition Regulation and the HHS Acquisition Plan.
(ii) The HHS Departmental Information Security Policy/Standard Waiver form and process is available at http://intranet.hhs.gov/infosec/policies_memos.html.
(iii) FDCC is applicable to all computing systems using Windows XP™ and Windows Vista™, including desktops and laptops—regardless of function—but not including servers. The Department has developed an HHS version of FDCC (henceforth HHS FDCC) for Windows XP™ and Vista™ to accommodate business and operational needs in the HHS environment. These settings are available at http://intranet.hhs.gov/infosec/guidance.html. When there is a compelling business or operational need to deviate from the FDCC, Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs) may use the HHS FDCC settings instead of the government-wide FDCC settings.
(iv) See HHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications (as amended) at http://intranet.hhs.gov/infosec/guidance.html.
(v) See http://nvd.nist.gov/validation.cfm, as required by the Office of Management and Budget (OMB) Memorandum (M) 08-22, Guidance on the Federal Desktop Core Configuration (FDCC), released August 11, 2008.
(vi) This meets the self-assertion requirement under OMB M-08-22. Future FDCC changes having minimal security impact may be released as minor versions to FDCC. Self-assertion is not required for minor releases.