HHS-OCIO-2009-0002.001S Standard for Encryption Language in HHS Contracts
HHS Standard 2009-0002.001S
January 30, 2009
The Department of Health and Human Services (HHS) requires incorporation of the following standard language in solicitations and new contracts that either purchase or require the use of desktop or laptop computers, mobile devices, or portable media to store or process HHS sensitive information that is categorized as Moderate or High under Federal Information Processing Standard 199 (FIPS 199).(1) An approved HHS Department Information Security Policy/Standard Waiver (2) is required to deviate from these technical standards. This standard is effective immediately. (3)
1. The Contractor shall use FIPS 140-2 (as amended) compliant encryption (4) to protect all instances of HHS sensitive information (5) during storage and transmission.
2. The Contractor shall verify that the selected encryption product has been validated under the Cryptographic Module Validation Program (http://csrc.nist.gov/cryptval/) to confirm compliance with FIPS 140-2 (as amended). The Contractor shall provide a written copy of the validation documentation to both the Contracting Officer and the Contracting Officer’s Technical Representative (COTR).
3. The Contractor shall use the Key Management Key on the HHS personal identification verification (PIV) card; or alternatively, the Contractor shall establish and use a key recovery mechanism to ensure the ability for authorized personnel to decrypt and recover all encrypted information. (6)
4. The Contractor shall securely generate and manage encryption keys to prevent unauthorized decryption of information, in accordance with FIPS 140-2 (as amended).
5. The Contractor shall: ensure that this standard is incorporated into the Contractor’s property management/control system; or establish a procedure to account for all laptop computers, desktop computers, and other mobile devices and portable media that store or process sensitive HHS information.
6. The Contractor shall ensure that all of its employees, subcontractors (at all tiers), and employees of each subcontractor, who perform work under this contract/subcontract, comply with the above requirements.
APPROVED BY & EFFECTIVE ON:
/s/ January 30, 2009
Michael W. Carleton Date
HHS Chief Information Officer and
Deputy Assistant Secretary for Information Technology
/s/ January 30, 2009
Martin J. Brown Date
HHS Senior Procurement Executive and
Deputy Assistant Secretary for Acquisition Management and Policy
(1) FIPS-199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004.
(2) The HHS Departmental Information Security Policy/Standard Waiver form and process is available at http://intranet.hhs.gov/infosec/policies_memos.html.
(3) This requirement will be incorporated into the HHS Acquisition Regulation and the HHS Acquisition Plan.
(4) The Office of Management and Budget (OMB) Memorandum (M) 07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information (released May 22, 2007) requires the use of FIPS 140-2, Security Requirements for Cryptographic Module, compliant encryption technologies on laptop computers and all other mobile computers and devices containing sensitive information. The HHS memorandum Mandatory Protection of Sensitive Information on Computers, Mobile Devices, and Portable Media (henceforth called the Protection of Sensitive Information Memo), signed by the HHS Chief of Staff on May 19, 2008, directs expansion of the current HHS Encryption Standard for Mobile Devices and Portable Media to “all government and non-government-furnished desktops used on behalf of the government that store sensitive information.”
(5) For the purposes of this contract, information is considered sensitive if the FIPS 199 Confidentiality or Integrity security objective is rated Moderate or High by the OPDIV Chief Information Security Officer (CISO) or HHS Chief Information Security Officer (CISO), as appropriate.
(6) Key recovery is required by OMB Guidance to Federal Agencies on Data Availability and Encryption, November 26, 2001, http://csrc.nist.gov/policies/ombencryption-guidance.pdf. Authorized personnel to decrypt and recover all encrypted information shall be identified by contract.