
HHS-OCIO-2011-0003


Table of Contents

1.       Purpose

2.       Background

3.       Scope

4.       Policy

4.1          Government-wide Controls

4.2          Department-wide Controls

4.3          OPDIV/STAFFDIV Controls

5.       Roles and Responsibilities

5.1          Secretary of HHS

5.2          OPDIV Heads

5.3          Office of Finance (OF)/Assistant Secretary for Financial Resources (ASFR)/Chief Financial Officer (CFO)

5.4          Assistant Secretary for Financial Resources (ASFR)/Office of Grants and Acquisition Policy and Accountability (OGAPA)/Division of Acquisition (DA)

5.5          Office of the Assistant Secretary for Administration/Program Support Center (PSC)/Administrative Operations Service (AOS)

5.6          Office of Security and Strategic Information (OSSI)

5.7          Office of the Assistant Secretary for Administration (ASA)/Deputy Assistant Secretary for Human Resources (DASHR)

5.8          Assistant Secretary for Administration (ASA)/Deputy Assistant Secretary for Information Technology (DASIT)/HHS Chief Information Officer (CIO)

5.9          Senior Agency Official for Privacy (SAOP)

5.10        Office of Information Technology Security (OITS)/ HHS Chief Information Security Officer (CISO)

5.11        OPDIV Chief Information Officers (CIOs)

5.12        OPDIV Chief Information Security Officers (CISOs)

5.13        HHS Computer Security Incident Response Center (CSIRC)

5.14        OPDIV Computer Security Incident Response Team (CSIRT)

5.15        HHS Privacy Incident Response Team (PIRT)

5.16        OPDIV Senior Official for Privacy (SOP)

5.17        OPDIV Privacy Act Contact

5.18        Authorizing Official (AO) or Authorizing Official Designated Representative

5.19        Certification Agent (CA)

5.20        Information System Security Officer (ISSO)

5.21        Program Executives

5.22        System Owners

5.23        Data Owner/Business Owner

5.24        Website Owner/Administrator

5.25        Contingency Planning Coordinator

5.26        System Developers and Maintainers

5.27        System/Network Administrators

5.28        Contracting Officers and Contracting Officer’s Technical Representatives

5.29        Project/Program Managers

5.30        Human Resource Officers

5.31        Supervisors

5.32        Federal Employees and Contractors

5.33        HHS Records Officer

5.34        HHS Privacy Act Officer

6.       Applicable Laws/Guidance

6.1          Federal Directives and Policies

6.2          Statutes

6.3          HHS Policy

6.4          OMB Policy and Memoranda

6.5          NIST Guidance

7.       Information and Assistance

8.       Effective Date/Implementation

9.       Approved

Glossary

Appendix A: Reserved

Appendix B: Acronyms

Nature of Changes

The following revisions are made in the July 7, 2011 issuance of the HHS-OCIO-2011-0003, HHS-OCIO Policy for Information Systems Security and Privacy.

 

  1. The Table of Contents was changed to reflect editorial and page number changes.
  2. The entire document was changed to reflect editorial and administrative updates.
  3. New footnotes were added to reflect updated or new references and/or to provide further information for clarity.
  4. Policy/Requirements Traceability sections were updated to reflect new references or format updates.
  5. Section 1 was changed to reflect that this Policy is a reissuance.
  6. Section 2 was updated to reflect program name change.
  7. Section 3 was changed to delete the exclusion of the HITECH Act and HIPAA from this policy, and to update general scope wording.
  8. Section 4.1 and 4.2 were changed to add “security” where applicable. 
  9. Section 5.1 was changed to address NIST SP 800-37 Rev. 1 references and new terminology including a minor change to Section 5.16 wording.
  10. Sections 5.3 through 5.8 were updated to change Federal Register references to proper format.
  11. Section 5.9 was changed to incorporate additional privacy-related policy statements, designate CISO privacy responsibilities, and update the policy/requirements traceability section.
  12. Section 5.10 was updated to add privacy language and add requirements from NIST SP 800-37 Rev. 1.
  13. Section 5.11 was updated to reflect content from NIST SP 800-37 Rev. 1. Section 5.11.12 was updated to clarify which role fulfills the Office of the Secretary (OS) Primary IT Operational Manager role.
  14. Section 5.12 was updated to add privacy language, reflect content from NIST SP 800-37 Rev. 1, change “Department” to “OPDIV” where appropriate, and reflect the name change from Breach Response Team (BRT) to the Privacy Incident Response Team (PIRT).
  15. Section 5.15 was updated to reflect the name of the PIRT, which was formerly the BRT.
  16. Section 5.16 was updated to add additional privacy-related details and requirements from the HHS Policy for Privacy Impact Assessments (PIA). Section 5.16.5 was reworded to clarify methods to approve PII. Section 5.16.7 was reworded to emphasize coordinated effort to protect PII.
  17. Section 5.17 was added to describe the role of the OPDIV Privacy Act Contact.
  18. Sections 5.18 and 5.19 were updated to reflect content from NIST SP 800-37 Rev. 1.
  19. Section 5.20 was updated to reorder requirements for additional clarity and reflect changes in NIST SP 800-37 Rev. 1.
  20. Section 5.22 was updated to reflect content from NIST SP 800-37 Rev. 1. Section 5.22.11 was added to emphasize system security configuration guidance. Section 5.22.14 was added to clarify Department expectation regarding frequency of testing of security controls.
  21. Section 5.23 was updated to reflect content from NIST SP 800-37 Rev. 1. Section 5.23.2 was updated to reflect compliance with FIPS.
  22. Section 5.24 was added to define the role of the Website Owner/Administrator.
  23. Section 5.26 was changed to reflect content from NIST SP 800-37 Rev. 1.
  24. Section 5.30 was changed to reflect the name change from BRT to PIRT.
  25. Section 5.34 was added to describe the role of the HHS Privacy Act Officer.
  26. Section 6 was changed to update applicable laws and guidance.
  27. Section 7 was changed to update contact information.
  28. Appendix A was updated with new glossary terms or an update to alphabetical order and updated references to reflect new revisions or versions.
  29. Appendix B was updated with new acronyms.

 

The following revisions are made in the July 7, 2011 issuance of the HHS-OCIO-2011-0003H, HHS-OCIO Policy for Information Systems Security and Privacy Handbook.

 

  1. The Table of Contents was changed to reflect editorial and page number changes.
  2. The entire document was changed to reflect editorial and administrative updates.
  3. New footnotes were added for updated or new references and/or where further information was needed to provide clarity.
  4. Introduction changed to incorporate updates from NIST SP 800-53 Rev. 3.
  5. Policy/Requirements Traceability sections were updated to reflect new references or format updates.
  6. Section 1.2 was changed to reflect content from NIST SP 800-37 Rev. 1.
  7. Section 1.3 was changed to add appropriate HHSAR clauses.
  8. Section 1.11 was changed to delete items that were moved to section 1.12 and to reflect the name change from BRT to PIRT. Section P-PRIV.7 was reworded for clarity.
  9. Section 1.12 was changed to add items from section 1.11 and to clarify items that apply to OPDIVs/STAFFDIVs. Section PIA.7 was updated to add an annual PIA completion requirement. Section PIA.9 was updated to reflect that a copy of the final completed PIA is maintained. Section PIA 16.6 was updated with text from Section 1.15 P-PIA.6 for greater clarity. Section 1.12 was changed to update with the following statements from 1.15 “Privacy Impact Assessment”: P-PIA-1, P-PIA-2; P-PIA-3; P-PIA-6; and P-PIA-8.  
  10. Section 1.15 was changed to align with Federal and HHS privacy policies and to reflect current requirements.
  11. Section 1.18 was changed to update references to the Standard for Plans of Action and Milestones (POA&M) Management and Reporting.
  12. Section 1.27 was changed to update references to the HHS RoB.
  13. Section 1.28 was changed to update P-AT.5 with requirements from HHS Memorandum: Role-Based Training (RBT) of Personnel with Significant Security Responsibilities. A note was added following Section 1 to reflect that OPDIVs are allowed to set more restrictive policies or control procedures than are described in Handbook Section 1.
  14. Section 2.13 was changed to add Policy Requirements/Traceability.
  15. Section 2.4 was changed to update references to the Standard for Plans of Action and Milestones (POA&M) Management and Reporting.
  16. Section 2: HHS Assignments and Selections, page 1 was updated to reflect that OPDIVs are allowed to set more restrictive policies or control procedures than are described in Handbook Section 2, and control CP-7 was updated to be consistent with the NIST SP 800-53 Rev. 3 value for low systems.
  17. Section 3 was changed in its entirety to reflect the transformation of the former Certification and Accreditation (C&A) process to the new Risk Management Framework (RMF) process per NIST SP 800-37 Rev. 1 and to add concepts from NIST SP 800-122.

1.            Purpose

The Department of Health and Human Services (HHS), Office of the Chief Information Officer (OCIO), HHS-OCIO Policy for Information Systems Security and Privacy (henceforth “the Policy”) provides direction to the information technology (IT) security programs of Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs) for the security and privacy of HHS data in accordance with the Federal Information Security Management Act of 2002 (FISMA).[1]

 

The Policy is a reissuance, establishing comprehensive IT security and privacy requirements for the IT security programs and information systems of OPDIVs and STAFFDIVs. Included as an appendix to the Policy is a complementary HHS-OCIO Policy for Information Systems Security and Privacy Handbook (henceforth “the Handbook”). The Handbook outlines IT security and privacy policy requirements for IT security and privacy programs and information systems in more detail, and is organized according to information assurance (IA) control families to make the document easy to use and scalable for the future. 

 

The Policy supersedes the HHS-OCIO-2009-0003 Policy for Information Systems Security and Privacy, dated September 22, 2010 and incorporates retired policy HHS-OCIO-2007-0002.001, Policy for Department-wide Information Security (dated September 24, 2007). This document does not supersede any other applicable law or higher level agency directive, policy, or guidance. All references noted below are subject to periodic revision, update and reissuance.

 

The Policy codifies the Department’s authority to develop, document, implement, and oversee a Department-wide IT security and privacy program to provide IT security and privacy for the information and information systems that support the operations and assets of the Department, including those provided or managed by another Federal agency, contractor, or other source. OPDIVs and STAFFDIVs shall comply with and support the implementation of a Department-wide IT security and privacy program, to include compliance with Federal requirements and programmatic policies, standards, procedures, and IT security controls.

2.            Background

The HHS Cybersecurity Program (henceforth “the Program”) has evolved and matured over the last several years as new Federal requirements have been published, as advances in technology have been made, and as new threats to the Department’s infrastructure have emerged. Additionally, concerns over the unauthorized disclosure of protected health information (PHI) and personally identifiable information (PII) have placed IT security and privacy issues at the forefront of the national dialogue, positively impacting the way in which public, private, and government organizations provide services and protect information.

 

Since the release of the HHS Information Security Program Policy in July 2005, the Department has released individual policy statements, mainly in the form of standards and memoranda, in response to or in advance of these occurrences and concerns. This decentralized approach has made it increasingly challenging to trace Department requirements over the years. To better serve IT security and privacy stakeholders, the Department recognized the need to appropriately incorporate, cross-reference, and organize its IT security and privacy policy requirements in a manner that clearly explains the scope and applicability of the requirements. The format in which those requirements are presented should be scalable to accommodate the modification or addition of new requirements over time.

 

As a result, the Policy was developed to:

  • Incorporate privacy requirements and clarify their relationship to IT security programs and systems; and
  • Incorporate or appropriately cross-reference individually released Department policies, standards, and memoranda.

3.            Scope

This Policy applies to all HHS organizational components (i.e., Operating Divisions [OPDIVs] and Staff Divisions [STAFFDIVs]) and organizations conducting business for and on behalf of the Department through contractual relationships. This Policy does not supersede any other applicable law, higher-level agency directive, or existing labor management agreement in place as of the effective date of this Policy.

 

Department officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees conducting business for or on behalf of the Department through contractual relationships or memoranda of agreement when using IT resources. All organizations collecting or maintaining information, or using or operating information systems on behalf of the Department, are also subject to the stipulations of this Policy. The content of and compliance with this Policy shall be incorporated into applicable contract language, as appropriate.

 

Agencies shall use this Policy, or may create a more restrictive OPDIV/STAFFDIV policy, but not one that is less restrictive, less comprehensive, or less compliant than this document.

 

The Policy does not apply to any network or system that processes, stores, or transmits foreign intelligence or national security information under the cognizance of the Special Assistant to the Secretary (National Security) pursuant to Executive Order (E.O.) 12333, United States Intelligence Activities, or subsequent orders. The Special Assistant to the Secretary (National Security) is the point of contact (POC) for issuing IT security and privacy policy and guidance for these systems. Questions about the Health Information Technology for Economic and Clinical Health (HITECH) Act or the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule and the HIPAA Privacy Rule should be directed to the HHS Office for Civil Rights (OCR) per guidance issued August 3, 2009.[2]

 

The Department acknowledges that OPDIVs/STAFFDIVs require flexibility in implementing this policy. Variations in terminology may currently exist across the OPDIVs/STAFFDIVs (e.g., “configuration management” versus “change management”), and there may be variations in the titles of roles. These variations are acceptable. As such, OPDIVs/STAFFDIVs may utilize a phase-in period for compliance with this Policy, as necessary.

 

In cases in which an OPDIV/STAFFDIV cannot comply with these requirements, justification for noncompliance shall be documented using the Department Information Security Policy/Standard Waiver, dated July 16, 2010.[3]

Justification may also be documented in security artifacts, such as security plans,[4] which are subject to approval by the Authorizing Official (AO) (formerly known as the Designated Approving Authority) or Authorizing Official Designated Representative as part of an OPDIV/STAFFDIV security authorization[5] process.


4.            Policy

4.1            Government-wide Controls

This section addresses U.S. Government-wide mandates for the secure development, operations, and maintenance of information systems in the context of the Department and its OPDIVs/STAFFDIVs.

4.1.1    OPDIVs/STAFFDIVs shall use the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-37 Revision (Rev.) 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach (dated February 2010), as the methodology for the security authorization of information systems (formerly known as “certification and accreditation” or “C&A”), in accordance with FISMA and direction from the Office of Management and Budget (OMB). 

4.1.2    To standardize minimum content requirements across the Department for security authorization documentation so that the documentation is consistent with the NIST SP 800-37 Rev. 1 methodology, the Program created the HHS Minimum Requirements for Security Authorization Packages[6] (see Section 3 of the Handbook). OPDIVs/STAFFDIVs shall comply with Department minimum requirements when preparing security authorization packages for information systems.

4.1.3    OPDIVs/STAFFDIVs shall ensure that information systems provide adequate, risk-based protection in the control areas defined in Federal Information Processing Standard (FIPS) 200, Minimum Security Requirements for Federal Information and Information Systems (dated March 2006), by using the appropriate baseline security controls as established in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems (dated August 2009), in accordance with the impact level for the system as defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (dated February 2004).

4.1.3.1    For instances in which NIST directs agencies to make assignments and selections within SP 800-53 Rev. 3, the Program created standard parameters (see Section 2 of the Handbook). OPDIVs/STAFFDIVs shall utilize these standard parameters, which are outlined for systems categorized as Low, Moderate, or High. [7]

4.1.3.2    Deviations from the HHS assignments and selections within Section 2 of the Handbook are permitted provided that the resulting parameters are consistent with NIST SP 800-53 Rev. 3 or minimum Government-wide parameters. Exceptions cannot be granted to the controls themselves, as they are Federal Government-wide standards; however, compensating control policy applies (see Section 4.1.6).

4.1.3.3    OPDIVs/STAFFDIVs may exercise flexibility in the solutions used to meet the control requirement, so long as the baseline requirement is met.

4.1.4    Information assurance and privacy activities conducted within the Department shall be consistent with the guidance, methodologies, and intent prescribed by the NIST SP series, in particular NIST SP 800-53 Rev. 3 and NIST SP 800-53A Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations: Building Effective Security Assessment Plans, and other relevant Federal laws and guidance documents. It is incumbent upon each OPDIV to appropriately follow the steps in the NIST SP 800-37 Rev. 1 Risk Management Framework (RMF) to select, implement, assess, authorize, and monitor such controls commensurate with a system’s FIPS 199 categorization.

4.1.5    As new Federal requirements are published, OPDIVs/STAFFDIVs shall ensure that systems that are in development comply with those newly published requirements before those systems are granted a security authorization, and that existing (i.e., operational) systems comply with the new requirements within one year, unless otherwise stated. 

4.1.5.1    If a new Federal requirement cannot be implemented on a development system before the system is granted a security authorization, the Information System Security Officer (ISSO), Certification Agent (CA),[8] or System Owner shall bring this issue to the attention of the AO or Authorizing Official Designated Representative when the final security authorization package is delivered. In the security authorization package, the AO or Authorizing Official Designated Representative shall explicitly accept the risk to organizational operations and assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls.

4.1.5.2    If a new Federal requirement cannot be implemented on an operational system, the ISSO, CA, or System Owner shall bring this to the attention of the AO or Authorizing Official Designated Representative. The AO or Authorizing Official Designated Representative shall acknowledge the gap in the form of a Plan of Action and Milestones (POA&M), and shall either indicate an anticipated time period when the requirement will be met or document the risk-based decision not to comply with the requirement.

4.1.6    OPDIVs/STAFFDIVs shall employ compensating security controls only under the following conditions:

4.1.6.1    The OPDIV/STAFFDIV selects the compensating security controls from the security control catalog in NIST SP 800-53 Rev. 3;

4.1.6.2    The OPDIV/STAFFDIV develops a complete and convincing rationale and justification for how the chosen compensating security controls provide an equivalent security capability or level of protection for the information system; and

4.1.6.3    The OPDIV/STAFFDIV assesses and formally accepts (i.e., in writing) the risk associated with employing the compensating security controls in the information system.

4.1.7    OPDIVs/STAFFDIVs shall review the use of compensating security controls, document those controls in the security plan and other appropriate security documentation for the information system, and request approval of those controls from the AO or Authorizing Official Designated Representative for the information system.

 

4.2            Department-wide Controls

This section outlines Department-wide controls applicable to OPDIV/STAFFDIV IT security and privacy programs and information systems. 

4.2.1    To establish HHS minimum requirements for IT security and privacy programs within the OPDIVs/STAFFDIVs and to address common system security control questions that fall outside the scope of NIST SP 800-53 Rev. 3, the Program established the Handbook as a complementary appendix to this Policy. OPDIVs/STAFFDIVs shall apply the controls in the Handbook to their IT security and privacy programs and to their information systems, as appropriate.

4.2.2    Compensating security controls for Department-wide system-level controls shall be employed only under the following conditions:

4.2.2.1    The OPDIV/STAFFDIV selects the compensating security controls from the security control catalog in NIST SP 800-53 Rev. 3, when applicable;

4.2.2.2    The OPDIV/STAFFDIV develops a complete and convincing rationale and justification for how the chosen compensating security controls provide an equivalent security capability or level of protection for the information system; and

4.2.2.3    The OPDIV/STAFFDIV assesses and formally accepts (i.e., in writing) the risk associated with employing the compensating security controls in the information system. 

4.2.3    OPDIVs/STAFFDIVs shall review the use of compensating security controls for Department-wide system-level controls, document the compensating security controls in the security plan and other appropriate security documentation for the information system, and request approval of the compensating security controls from the AO or Authorizing Official Designated Representative for the information system.

 

4.3            OPDIV/STAFFDIV Controls

This section sets the authority of the OPDIVs/STAFFDIVs to develop their own security controls for information systems.

 

4.3.1    OPDIVs/STAFFDIVs may decide whether to issue any additional OPDIV/STAFFDIV-wide security controls for OPDIV/STAFFDIV information systems to augment the Government-wide and Department-wide controls specified herein. OPDIVs/STAFFDIVs shall ensure that parameters are established and documented for each parameterized control, unless set by the Department.

4.3.2    OPDIVs/STAFFDIVs may develop system-specific security controls and parameters. When needed and/or appropriate, it is an OPDIV/STAFFDIV decision whether to set parameters OPDIV/STAFFDIV-wide, on a system-by-system basis, or some combination thereof.

5.            Roles and Responsibilities

5.1            Secretary of HHS

The responsibilities of the Secretary of HHS include, but are not limited to: 

5.1.1       Ensuring that a Department-wide IT security and privacy program is developed, documented, and implemented to provide security for all systems, networks, and data that support Department operations;

5.1.2       Ensuring that IT security and privacy management processes are integrated with HHS strategic and operational planning processes;

5.1.3       Ensuring the provision of resources necessary to administer the Program;

5.1.4       Protecting information systems and data by allocating resources commensurate with the risk and magnitude of harm posed by unauthorized access, modification, disclosure, disruption, use, and/or destruction; or as recommended by law;

5.1.5       Ensuring that senior HHS officials provide IT security and privacy for operations and IT resources under their control;

5.1.5.1    Delegating to the HHS Chief Information Officer (CIO) the authority to ensure compliance with the Program;

5.1.5.2    Ensuring that HHS has trained Federal and contractor personnel to support compliance with the Program; and

5.1.5.3    Ensuring that the HHS CIO, in coordination with the OPDIV CIOs, reports annually on the effectiveness of the Program and on any required remedial actions.

5.1.6       Establishing, through the development and implementation of policies, the organizational commitment to information security and the actions required to effectively manage risk and protect the core missions and business functions being carried out by the organization; and

5.1.7       Establishing appropriate accountability for information security and providing active support and oversight of monitoring and improvement for the information security program.

Policy/Requirements Traceability: OMB Circular A-130, Management of Federal Information Resources; and NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach

 

5.2            OPDIV Heads

The responsibilities of each OPDIV Head include, but are not limited to:

5.2.1       Providing IT security and privacy protections commensurate with the risk and magnitude of harm resulting from unauthorized access, use, disclosure, disruption, modification, or destruction of the following:

5.2.1.1    Information collected or maintained by or on behalf of the OPDIV; and

5.2.1.2    Information systems used or operated by the OPDIV, a contractor of the OPDIV, or another organization on behalf of the OPDIV.

5.2.2       Complying with the requirements of FISMA (Title III of the E-Government Act) and Department-related policies, procedures, standards, and guidelines, including:

5.2.2.1    IT security and privacy requirements promulgated under OMB Circular A-130, Appendix III; and

5.2.2.2    IT security and privacy standards and guidelines issued by OMB in accordance with NIST guidance, including Presidential Directives such as Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors;

5.2.3       Ensuring that IT security and privacy management processes are integrated with OPDIV strategic and operational planning processes;

5.2.4       Ensuring that senior OPDIV officials provide IT security and privacy for the information and information systems that support the operations and assets under their control;

5.2.5       Designating a senior OPDIV official as the OPDIV CIO, and delegating to the OPDIV CIO the authority to ensure compliance with the security requirements imposed on the OPDIV under FISMA;

5.2.6       Delegating responsibility and authority for management of OPDIV IT security programs to the OPDIV CIOs;[9] 

5.2.7       Ensuring that the OPDIV has trained personnel sufficiently to assist the OPDIV in complying with the security requirements under FISMA and Department policies; and

5.2.8       Ensuring that the OPDIV CIO, in coordination with other senior OPDIV officials, reports annually to the OPDIV Head on the effectiveness of the OPDIV IT security and privacy program, including the progress of any remedial actions.

Policy/Requirements Traceability: FISMA (Title III of the E-Government Act); OMB Circular A-130; Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors; and Federal Continuity Directive 1 (FCD 1), dated February 2008

 

5.3            Office of Finance (OF)/Assistant Secretary for Financial Resources (ASFR)/Chief Financial Officer (CFO)

The responsibilities of the ASFR/CFO include, but are not limited to:

5.3.1       Coordinating the Department’s internal controls program to ensure comprehensiveness and to establish responsibility for uniform security level designations for the financial management system according to the guidelines of OMB Circular A-127, Financial Management Systems; and

5.3.2       Targeting/selecting entities to be reviewed per OMB Circular A-123, Management's Responsibility for Internal Control, applying risk-based, business-driven logic to maximize the effectiveness of the evaluations.

Policy/Requirements Traceability: OMB Circular A-127, Financial Management Systems; OMB Circular A-123, Management's Responsibility for Internal Control; OMB Memorandum M-96-20, Implementation of the Information Technology Management Reform Act of 1996; and (Office of the Assistant Secretary for Administration and Management (ASAM) and Office of the Assistant Secretary for Resources and Technology (ASRT); Statement of Organization, Functions, and Delegations of Authority, 2009)

 

5.4            Assistant Secretary for Financial Resources (ASFR)/Office of Grants and Acquisition Policy and Accountability (OGAPA)/Division of Acquisition (DA)

The responsibilities of the ASFR/OGAPA/DA include, but are not limited to:

5.4.1       Partnering with the HHS CIO and the Program to develop and implement IT security and privacy-related contract clauses for incorporation in all current and future contracts; and

5.4.2       Ensuring that contracting officers (COs) enforce the requirements of IT security and privacy clauses.

Policy/Requirements Traceability: Federal Acquisition Regulation (FAR); Health and Human Services (HHS) Acquisition Regulation (HHSAR); and (ASAM and ASRT; Statement of Organization, 2009)

 

5.5            Office of the Assistant Secretary for Administration/Program Support Center (PSC)/Administrative Operations Service (AOS)

The responsibilities of the ASA/PSC/AOS include, but are not limited to:

 

5.5.1    Developing policies and procedures and providing guidance on the accountability, inventory, and disposition of sensitive equipment and other personal property containing sensitive and privacy information in the HHS Logistics Management Manual.

 

Policy/Requirements Traceability: HHS Logistics Management Manual; and (ASAM and ASRT; Statement of Organization, 2009)

 

5.6            Office of Security and Strategic Information (OSSI)

The responsibilities of OSSI include, but are not limited to:

5.6.1       Providing overall leadership for the development, coordination, application, and evaluation of all policies and activities within the Department that relate to physical and personnel security, the security of classified information, and the exchange and coordination of national security-related strategic information with other Federal agencies and the national security community, including national security-related relationships with law enforcement organizations and public safety agencies;

5.6.2       Providing current and timely intelligence or national security information to the HHS Computer Security Incident Response Center (CSIRC) and OPDIV CSIRCs and other key personnel responsible for incident response;

5.6.3       Ensuring communications security, including secure telecommunications equipment and classified information systems, for the discussion and handling of classified information in support of the detection, defense, and response to security and privacy vulnerabilities, threats, and incidents;

5.6.4       Protecting employees and visitors and Department-owned and -occupied critical infrastructure;

5.6.5       Assuring the integration of strategic medical, public health, biomedical and national security information;

5.6.6       Managing and administering the flow of classified information;

5.6.7       Providing national security information services to all components within the Office of the Secretary (OS); and

5.6.8       Approving visits by a foreign national to any HHS laboratory or other facility designated as Critical Infrastructure.

Policy/Requirements Traceability: (Office for Civil Rights; Delegation of Authority, 2007); HHS Personnel Security/Suitability Handbook, dated February 1, 2005; and HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010

5.7            Office of the Assistant Secretary for Administration (ASA)/Deputy Assistant Secretary for Human Resources (DASHR)

The responsibilities of the Deputy Assistant Secretary for Human Resources include, but are not limited to:

5.7.1       Partnering with the HHS CIO and OPDIVs to develop, implement, and oversee personnel security controls for access to sensitive information[10] and for the system administrators who operate critical systems; and

5.7.2       Ensuring that personnel officers notify the OPDIV ISSO, or designated POC for physical and logical access controls, of an employee’s separation within one business day.

Policy/Requirements Traceability: FISMA and (ASAM and ASRT; Statement of Organization, 2009)

5.8            Assistant Secretary for Administration (ASA)/Deputy Assistant Secretary for Information Technology (DASIT)/HHS Chief Information Officer (CIO)[11]

The responsibilities of the HHS CIO include, but are not limited to:

5.8.1       Primary responsibility and authority for management of the Department’s IT security program;[12]

5.8.2       Performing the Risk Executive function for the Department;[13]

5.8.3       Ensuring HHS compliance with Federal regulations and FISMA IT security and privacy program implementation requirements;

5.8.4       Ensuring the development and maintenance of a Department-wide IT security and privacy program to include the development and implementation of policies, standards, procedures, and IT security controls resulting in adequate security for all organizational information systems and environments of operation for those systems;

5.8.5       Requiring the development and implementation of protections for HHS information and information systems commensurate with the risk and magnitude of harm posed by unauthorized access, modification, disclosure, disruption, use, and/or destruction, or as recommended by law;

5.8.6       Ensuring the dissemination of Department-wide IT security and privacy policy for OPDIV review and comment;

5.8.7       Reporting annually, in coordination with OPDIV/STAFFDIV Heads, to the Secretary of HHS on the effectiveness of the Program, including progress of remedial actions;

5.8.8       Appointing the HHS Chief Information Security Officer (CISO)[14] to fulfill the responsibilities of the CIO in developing and maintaining a Department-wide IT security and privacy program;

5.8.9       Defining and establishing the minimum security control requirements in accordance with data sensitivity and system criticality;

5.8.10     Preparing any report that may be required of HHS to satisfy the reporting requirements of OMB Circular A-130 and FISMA;

5.8.11     Coordinating with the Secretary of HHS to ensure the provision of resources necessary to administer the Program;

5.8.12     Providing advice and assistance to OS and other senior management personnel to ensure that information resources are acquired and managed for the Department in accordance with the goals of the Capital Planning and Investment Control (CPIC) process;

5.8.13     Providing leadership for developing, promulgating, and enforcing agency information resource management policies, standards, and guidelines, and for procedures on data management, enterprise performance lifecycle (EPLC) management, security, telecommunications, IT reviews, and other related areas;

5.8.14     Establishing, implementing, and enforcing a Department-wide framework to facilitate an incident response program, ensuring proper and timely reporting to the United States Computer Emergency Readiness Team (US-CERT); 

5.8.15     Establishing a Department-wide framework to facilitate the development of Privacy Impact Assessment (PIA) Summaries for all Department systems, as instructed by OMB;

5.8.16     Primary authority to resolve any disputes from OIG reviews and audits that cannot be resolved at the OPDIV level;[15] 

5.8.17     Overseeing personnel with significant responsibilities for information security and ensuring that the personnel are adequately trained;

5.8.18     Assisting senior organizational officials concerning their security responsibilities;

5.8.19     Reporting annually, in coordination with other senior officials, to the head of the Federal agency on the overall effectiveness of the organization’s information security program, including progress of remedial actions; 

5.8.20     Determining, based on organizational priorities, the appropriate allocation of resources dedicated to the protection of the information systems supporting the organization's missions and business functions;

5.8.21     Serving as the security Authorizing Official for all OS IT systems;[16]

5.8.22     Being responsible for security authorization decisions (risk acceptance) for the OS Primary Operational IT Infrastructure;

5.8.23     Serving as the HHS Senior Agency Official for Privacy (SAOP) and the OS OPDIV Senior Official for Privacy (SOP)[17];

As the Department’s risk executive, with the support of the HHS CISO, the HHS CIO also works closely with authorizing officials and their designated representatives to execute the following responsibilities:

5.8.24     Ensuring information security considerations are integrated into programming/planning/budgeting cycles, enterprise architectures, and acquisition/system development life cycles;

5.8.25     Ensuring information systems are covered by approved security plans and are authorized to operate;

5.8.26     Ensuring information security-related activities required across the organization are accomplished in an efficient, cost-effective, and timely manner;

5.8.27     Ensuring a centralized reporting process is in place for appropriate information security-related activities; and

5.8.28     Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

Policy/Requirements Traceability: FISMA; OMB Circular A-130; Clinger-Cohen Act of 1996; (ASAM and ASRT; Statement of Organization, 2009); NIST SP 800-37 Rev. 1; and HHS Memorandum: Resolving Security Audit Disputes, dated May 13, 2010

5.9            Senior Agency Official for Privacy (SAOP)

Within HHS, the CIO serves in the role of SAOP. The responsibilities of the SAOP include, but are not limited to:

5.9.1       Ensuring the proper implementation of information privacy protections, including full compliance with Federal laws, regulations, and policies relating to information privacy, such as the Privacy Act of 1974 (henceforth, “Privacy Act”) 5 U.S.C. Section 552a; and the E-Government Act of 2002;

5.9.2       Maintaining appropriate documentation regarding compliance with information privacy laws, regulations, and HHS policies;

5.9.3       Overseeing, coordinating, and facilitating the Department’s privacy compliance efforts, including reviewing documented information privacy procedures to ensure comprehensiveness and currency, and coordinating any necessary revisions;

5.9.4       Approving the Department’s submission of the Privacy Management portion of the annual FISMA report;

5.9.5       Coordinating privacy-related reporting activities as mandated by Federal legislation and OMB guidance;

5.9.6       Maintaining a central policy-making role in the Department’s development and evaluation of legislative, regulatory, and other policy proposals pertaining to information privacy issues, including those relating to the agency’s collection, use, sharing, and disclosure of personal information;

5.9.7       Ensuring that data sharing activities occur within applicable privacy laws and with appropriate safeguards;

5.9.8       Designating responsibility for oversight of the PIA process to the OPDIV SOP;

5.9.9       Establishing a framework to facilitate the development of PIA Summaries for all OPDIV systems, as instructed by OMB;

5.9.10     Ensuring PIAs are conducted for information systems and online collections, and coordinating submission of all Department PIA Summaries to OMB;

5.9.11     Reviewing and acknowledging the completion and accuracy of PIAs by designating PIAs as approved for Web publishing via the Department’s PIA reporting tool;

5.9.12     Allocating proper resources to permit identification and remediation of privacy weaknesses;

5.9.13     Ensuring the Department’s employees, contractors, and stakeholders receive appropriate privacy training;

5.9.14     Providing education programs regarding the information privacy laws, regulations, policies, and procedures governing the Department’s handling of PII;

5.9.15     Serving as the Chair of the Privacy Incident Response Team (PIRT);

5.9.16     Reviewing and approving any use of a multi-session Web measurement and customization technology that collects PII;

5.9.17     Providing the public with notice of proposed use of a multi-session Web measurement and customization technology that collects PII, and an opportunity to comment on the proposed use;

5.9.18     Reviewing the Department’s practices related to the use of Web measurement and customization technologies annually and making the results of the review available to the public;

5.9.19     Consulting OPDIVs during the planning, implementation, and post-implementation review of the use of a third-party Website or application; and

5.9.20     Designating responsibility to the HHS Chief Information Security Officer for the management and oversight of the privacy components of FISMA and related OMB guidance.

Policy/Requirements Traceability: Privacy Act of 1974 (henceforth, “Privacy Act”) 5 U.S.C. Section 552a; E-Government Act of 2002; FISMA; M-05-08, Designation of Senior Agency Officials for Privacy; M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies; M-10-23, Guidance for Agency Use of Third-Party Websites and Applications; and M-11-02, Sharing Data While Protecting Privacy

5.10       Office of Information Technology Security (OITS)/HHS Chief Information Security Officer (CISO)

The responsibilities of the HHS CISO[18] include but are not limited to:

5.10.1     Providing management leadership in IT security and privacy policy and guidance, expert advice and collaboration among OPDIVs and the STAFFDIVs in developing, promoting and maintaining IT security and privacy measures to adequately and cost effectively protect and ensure the confidentiality, integrity and timely availability of all data and information in the custody of the Department, as well as of the information systems required to meet the Department’s current and future business needs;

5.10.2     Assisting and advising the HHS CIO in the development, documentation, and implementation of the Program (e.g., issuing policy, maintaining situational awareness, and performing compliance oversight) in order to provide IT security and privacy safeguards for the electronic information and information systems that support the operations and assets of the Department, including those provided or managed by another Federal organization or bureau, contractor, or other source;

5.10.3     Ensuring that all IT resources are reviewed to ensure compliance with established Department and external policies, standards, and regulations;

5.10.4     Monitoring OPDIV/STAFFDIV IT security and privacy program activities;

5.10.5     Fostering communication and collaboration among the Department’s security and privacy stakeholders to share knowledge and to better understand threats to Department information;

5.10.6     Carrying out the CIO security and SAOP responsibilities under FISMA and overseeing the preparation of quarterly and annual FISMA reports;

5.10.7     Developing and implementing an IT security performance measurement program to evaluate the effectiveness of technical and non-technical IT security safeguards used to protect the Department’s information;

5.10.8     Coordinating requirements within the Office of Security for personnel clearances, position sensitivity, and access to information systems with the appropriate office;

5.10.9     Ensuring that all HHS-owned telephony equipment is provided with system and physical protection;

5.10.10   Implementing a security incident monitoring program for all systems and networks;

5.10.11   Disseminating information on potential security threats and recommended safeguards;

5.10.12   Ensuring, in coordination with the HHS CIO and ASFR/OGAPA/DA, that all IT acquisitions include Department security and privacy considerations;

5.10.13   Ensuring the Department-wide implementation of Federal policies and procedures related to IT security and privacy incident response;

5.10.14   Overseeing the HHS CSIRC and managing the resources that support HHS CSIRC operations;

5.10.15   Serving as the primary liaison for the CIO to authorizing officials, system owners,[19] primary operational IT infrastructure managers[20], information system security officers, and senior officials for privacy;

5.10.16   Providing management and oversight of activities under IT critical information protection (CIP);

5.10.17   Serving, as necessary, as an Authorizing Official Designated Representative or Certification Agent (also known as Security Control Assessor);

5.10.18   Serving as the “Primary” Certification Agent for all OS IT systems and providing the final security authorization decision recommendation to the Authorizing Official for those systems; and

5.10.19   Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

Policy/Requirements Traceability: FISMA; NIST SP 800-37 Rev. 1; and (Office of Resources and Technology: Statement of Organization, Functions and Delegations of Authority, 2008)

5.11       OPDIV Chief Information Officers (CIOs)

The responsibilities of each OPDIV CIO[21] involve providing leadership to activities including, but not limited to:

5.11.1     Reporting quarterly to the HHS CIO on the effectiveness of the OPDIV’s IT security and privacy program, including the progress of any remedial actions;

5.11.2     Appointing an OPDIV CISO to fulfill the responsibilities of the OPDIV CIO in maintaining the OPDIV IT security program;

5.11.3     Managing internal security reviews of the program business cases, alternatives analyses, and other specific investment documents;

5.11.4     Managing and certifying an inventory of all current and proposed investments containing an IT component in accordance with the CPIC process;

5.11.5     Ensuring that policies, procedures, and practices are consistent with Department requirements in order to ensure that systems, programs, and data are secure and protected from unauthorized access that might lead to the alteration, damage, or destruction of automated resources, unintended release of HHS data, and denial of service (DoS);

5.11.6     Ensuring that all employees and contractors comply with Department and OPDIV IT security and privacy policies;

5.11.7     Ensuring the establishment of a computer security incident response team (CSIRT) to participate in the investigation and resolution of incidents in the OPDIV;

5.11.8     Establishing, implementing, and enforcing an OPDIV-wide framework to facilitate an incident response program (including PII and PHI breaches) that ensures proper and timely reporting to HHS;

5.11.9     Managing an inventory of all major information systems, devices and other items per FISMA requirements and as required by OMB;

5.11.10   Ensuring mandatory security education and awareness is undertaken by all personnel using, operating, supervising, or managing computer systems;

5.11.11   Exercising primary responsibility and authority for management of the OPDIV’s IT security program;[22][23]

5.11.12   Serving as one of six primary operational IT infrastructure managers[24][25] (applies to the CIO for CDC, FDA, IHS, CMS, NIH, and OS). When an OPDIV CIO performs as a primary operational IT infrastructure manager, he/she is responsible for performing IT risk-management duties. Where an information system relies (or partially relies) on one of the six primary operational IT infrastructures, the associated primary operational IT infrastructure manager(s) must concur with the risk acceptance by also signing the security authorization package as the Authorizing Official;  

5.11.13   Resolving any disputes from OIG reviews and audits at the OPDIV level, where possible. If disputes cannot be resolved, they shall be escalated to the HHS CIO;[26]

5.11.14   Developing a strategy for the continuous monitoring[27] of security control effectiveness and any proposed or actual changes to the information system and its environment of operation[28]; and

5.11.15   Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

Policy/Requirements Traceability: FISMA; OMB Circular A-130; Clinger-Cohen Act of 1996; NIST SP 800-37 Rev. 1; HHS Memorandum: Security of Information Technology Systems, dated November 10, 2009; and HHS Memorandum, Process Guidance for Security Risk-Based Decisions Involving the Primary Operational Information Technology Infrastructure Managers, dated May 13, 2010

5.12       OPDIV Chief Information Security Officers (CISOs)

The responsibilities of each OPDIV CISO[29] include, but are not limited to:

5.12.1     Leading OPDIV IT security and privacy programs and promoting proper IT security and privacy practices;

5.12.2     Supporting the HHS CISO in the implementation of the Program;

5.12.3     Fostering communication and collaboration among the OPDIV’s security and privacy stakeholders to share knowledge and to better understand threats to OPDIV information;

5.12.4     Providing information about the OPDIV IT security and privacy policies to management and throughout the OPDIV;

5.12.5     Providing advice and assistance to other organizational personnel concerning the security of sensitive information and of critical data processing capabilities;

5.12.6     Advising the OPDIV CIO about security breaches in accordance with the security breach reporting procedures developed and implemented by the Department and/or OPDIV;

5.12.7     Disseminating information on potential security threats and recommended safeguards;

5.12.8     Ensuring that roles with significant security responsibilities are identified and documented per the HHS Memorandum Role-Based Training of Personnel with Significant Security Responsibilities, dated May 16, 2011;

5.12.9     Conducting security education and awareness training needs assessments to determine appropriate training resources and to coordinate training activities for target populations;

5.12.10   Assisting System Owners in establishing and implementing the required security safeguards to protect computer hardware, software, and data from improper use or abuse;

5.12.11   Promoting requirements for personnel clearances, position sensitivity, and access to information systems with the appropriate office;

5.12.12   Ensuring OPDIV-wide implementation of Department and OPDIV policies and procedures that relate to IT security and privacy incident response;

5.12.13   Collaborating with the PIRT Coordinator when the PIRT Coordinator is engaging the OPDIV POC for information collection and clarification, and sitting on the HHS PIRT while the breach is under investigation;

5.12.14   Coordinating with OPDIV Senior Official for Privacy to ensure privacy implications are addressed when PII incident response activities occur within the OPDIV;

5.12.15   Supporting general privacy awareness and Role-Based Training activities for all personnel using, operating, supervising, or managing information systems;

5.12.16   Establishing, documenting, and enforcing requirements and processes for granting and terminating all administrative privileges including, but not limited to, servers, security domains, and local workstations, and auditing these processes for effectiveness;[30] and

5.12.17   Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

Policy/Requirements Traceability: FISMA; HHS Memorandum Role-Based Training of Personnel with Significant Security Responsibilities, dated May 16, 2011; and HHS Memorandum: Office of Inspector General Management Implication Report – Need for Departmental Security Enhancements for Information Technology Assets, dated October 13, 2009

5.13       HHS Computer Security Incident Response Center (CSIRC)

The responsibilities of the HHS CSIRC include, but are not limited to:

5.13.1     Establishing and maintaining a partnership with OPDIV CSIRTs to ensure the HHS CSIRC is aware of security and privacy vulnerabilities, threats, and incidents that may negatively impact the ability of the OPDIV and/or the Department to fulfill its mission and functions; 

5.13.2     Serving as the primary entity in the Department responsible for maintaining Department-wide operational IT security situational awareness and determining the overall IT security risk posture of HHS;

5.13.3     Serving as the lead organization for coordinating Department-wide cybersecurity information sharing, analysis, and response activities;

5.13.4     Reporting HHS IT security and privacy incidents to US-CERT; and

5.13.5     Serving as the Department's primary point of contact with US-CERT.

Policy/Requirements Traceability: HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010

5.14       OPDIV Computer Security Incident Response Team (CSIRT)

The responsibilities of the OPDIV CSIRT include, but are not limited to:

5.14.1     Serving as the primary entity in the OPDIV responsible for maintaining OPDIV-wide operational IT security situational awareness and determining the overall IT security risk posture of the OPDIV;

5.14.2     Serving as the lead organization for coordinating OPDIV-wide cybersecurity information sharing, analysis, and response activities;

5.14.3     Reporting OPDIV IT security and privacy incidents to HHS CSIRC[31]; and

5.14.4     Serving as the OPDIV's primary point of contact with HHS CSIRC.

Policy/Requirements Traceability: HHS OCIO Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010

5.15       HHS Privacy Incident Response Team (PIRT)

The responsibilities of the HHS PIRT include, but are not limited to:

5.15.1     Evaluating breaches or suspected breaches of PII and deciding which actions should be taken;

5.15.2     Providing input to and approving breach response activities for breaches involving PII;

5.15.3     Assessing the responsible organization’s proposed course of action, risk assessments, response plan, and proposed notification activities; providing feedback; and making recommendations for improvement or course corrections in a timely manner;

5.15.4     Ensuring proper reporting, notification, and follow-up actions to stakeholders across relevant HHS organizational components when a breach involving PII occurs;

5.15.5     Working closely with the HHS Information Security and Privacy Program to coordinate Department response activities and data collection;

5.15.6     Referring HIPAA compliance breaches to HHS OCR as appropriate;

5.15.7     Notifying appropriate internal HHS stakeholders, including the following: OPDIV Security Offices; HHS Records Officer; building physical security; the HHS Assistant Secretary for Preparedness and Response (ASPR); the Office of the Inspector General (OIG); HHS OCR; as well as appropriate external entities such as the US-CERT and law enforcement; and

5.15.8     Providing notification and assessments of information breaches to the HHS Risk Management and Financial Oversight Board (RMFOB).

Policy/Requirements Traceability: HHS Policy for Responding to Breaches of Personally Identifiable Information (PII), dated November 17, 2008; and M-08-10, Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA)

5.16       OPDIV Senior Official for Privacy (SOP)

The SOP title was extended by the Department to each OPDIV to effectively meet the reporting requirements outlined in M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management. The agency requirement for the title is outlined in M-05-08, Designation of Senior Agency Officials for Privacy.

The responsibilities of the OPDIV SOP include, but are not limited to:

5.16.1     Supporting the Department SAOP in ad hoc privacy reporting activities as necessary, including the maintenance of and compliance with presidential mandates and quarterly and annual FISMA reporting activities;

5.16.2     Reviewing and approving the OPDIV FISMA and Privacy Management Report for submission to the Department;

5.16.3     Developing and supporting integration of Department privacy program initiatives into IT security practices, where applicable;

5.16.4     Establishing and implementing privacy policies, procedures, and practices consistent with Department privacy requirements, in coordination with the OPDIV CISO;

5.16.5     Coordinating OPDIV policy, guidance, and system-level documentation to ensure that Department management, technical, and operational privacy requirements are addressed;

5.16.6     Approving written requests to process, access, or store PII from personally owned or non-Department equipment in accordance with Handbook Section 2.10 Personally-Owned Equipment and Software, S-POES.4;

5.16.7     Coordinating with the OPDIV CISO to confirm the OPDIV obtains contractual assurances from third parties to ensure that the third party will protect PII in a manner consistent with the privacy practices of the Department and the OPDIV;

5.16.8     Reporting, in coordination with the OPDIV CISO, to the HHS CIO/SAOP the effectiveness of the OPDIV privacy program, including weaknesses and the progress of remedial actions, as identified;

5.16.9     Establishing an OPDIV policy framework to facilitate the development and maintenance of PIAs for all systems based on department and Federal legislative requirements;

5.16.10   Tracking and maintaining all OPDIV PIA activities in the Department’s PIA reporting tool;

5.16.11   Reviewing completed OPDIV PIAs and attesting that they are adequately and accurately completed;

5.16.12   Promoting (i.e., escalating) OPDIV PIAs to the Department, and submitting completed OPDIV PIAs to the SAOP, or seeking revisions from the PIA author if errors are found;

5.16.13   Coordinating activities to regularly review PII holdings, assessing the PII confidentiality impact level of the PII holdings, recommending controls to protect the confidentiality of the PII, and eliminating the unnecessary use or collection of PII (including Social Security numbers);

5.16.14   Coordinating and ensuring that privacy education and awareness activities, specific to the OPDIV privacy culture, are established for all personnel using, operating, supervising, or managing computer systems;

5.16.15   Coordinating with OPDIV budgetary offices to ensure PIA and System of Records Notice (SORN) activities are included as part of Exhibit 300 development;

5.16.16   Coordinating with the OPDIV Privacy Act Contact to ensure that all required SORNs are completed and published in the Federal Register, and also on the HHS.gov Website;

5.16.17   Coordinating with the OPDIV Privacy Act Contact to:

5.16.17.1  Keep track of the location of Privacy Act records;

5.16.17.2  Approve/deny/track access to and amendments of records;

5.16.17.3  Ensure records are complete, accurate, timely and relevant;

5.16.17.4  Ensure that system users are made aware of their privacy responsibilities when accessing systems that contain personal information; and

5.16.17.5  Ensure data collection forms include a Privacy Act Notification Statement;

5.16.18   Coordinating with OPDIV Privacy Act Contact to complete biannual SORN updates in accordance with OMB Circular A-130;

5.16.19   Coordinating completion of Privacy Act reviews, as defined by OMB Circular A-130, with OPDIV Privacy Act Contact;

5.16.20   Coordinating reviews of data sharing activities to ensure they occur according to applicable privacy laws and with appropriate safeguards;

5.16.21   Making recommendations to the HHS CIO/SAOP and senior level officials with budgetary authority in order to allocate proper resources to identify and mitigate privacy weaknesses found in system PIAs;

5.16.22   Coordinating with HHS Website owners/administrators to ensure that Web-based privacy compliance requirements are met across the OPDIV; and

5.16.23   Coordinating with the OPDIV’s CSIRT and/or HHS PIRT concerning reports of the loss of control of PII.

Policy/Requirements Traceability: M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management; M-05-08; HHS Policy for Responding to Breaches of Personally Identifiable Information (PII), dated November 17, 2008; OMB Circular A-130; Privacy Act; FISMA; M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information; M-11-02, Sharing Data While Protecting Privacy; and NIST SP 800-122, Guide to Protecting Confidentiality of PII

5.17       OPDIV Privacy Act Contact

The responsibilities of the OPDIV Privacy Act Contact include, but are not limited to:

5.17.1     Serving as a POC for issues related to the Privacy Act within the OPDIV;

5.17.2     Coordinating with OPDIV SOP on development, publishing, and maintenance of OPDIV SORNs;

5.17.3     Maintaining an OPDIV SORN Website to post current SORNs per the guidance of the HHS Privacy Act Officer;

5.17.4     Supporting the OPDIV SOP and OPDIV CISO in completing required Privacy Act reviews, as defined by OMB Circular A-130; and

5.17.5     Supporting completion of the OPDIV FISMA and Privacy Management Report for submission to the Department.

Policy/Requirements Traceability: OMB Circular A-130; Privacy Act; and FISMA

5.18       Authorizing Official (AO) or Authorizing Official Designated Representative

The responsibilities of the AO or Authorizing Official Designated Representative[32] for systems and networks under his or her authority include, but are not limited to, the following:

5.18.1     Determining, through the security authorization process, in collaboration with the OPDIV CISO, whether to accept residual risks or to implement appropriate risk mitigation countermeasures, based on the analysis provided by the CA (or designee);

5.18.2     Making the final security authorization decision and signing the authorization decision document;

5.18.3     Ensuring that sensitive information is protected from unauthorized access in all forms at rest or in transit;

 

Note: AOs or Authorizing Official Designated Representatives typically have budgetary oversight for an information system or are responsible for the mission or business operations supported by the system. Accordingly, AOs or Authorizing Official Designated Representatives should be in management positions with a level of authority commensurate with understanding and accepting such information system-related security risks. With the increasing complexity of missions/business processes, partnership arrangements, and the use of external/shared services, it is possible that a particular information system may involve multiple Authorizing Officials. If so, agreements should be established among the AOs or Authorizing Official Designated Representatives and documented in the security plan. In addition, an AO may designate a representative to help manage the portfolio of systems for which that AO or Authorizing Official Designated Representative is responsible and make decisions on behalf of the AO; however, responsibility for the portfolio of systems ultimately resides with the AO assigned to those systems.

 

5.18.4     Maintaining budgetary oversight for an information system or responsibility for the mission and/or business operations supported by the system;

5.18.5     Maintaining accountability, through the security authorization process, for the security risks associated with information system operations;

5.18.6     Providing written authorization accepting responsibility and risk for operating a system or application not in compliance with the HHS minimum standard;

5.18.7     Determining (with the CIO), based on organizational priorities, the appropriate allocation of resources dedicated to the protection of the information systems supporting the organization's missions and business functions;

5.18.8     Approving the continuous monitoring strategy including the set of security controls that are to be monitored on an ongoing basis and the frequency of the monitoring activities; and

5.18.9     Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

 

Policy/Requirements Traceability: OMB Circular A-130; NIST SP 800-37 Rev. 1; and NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems

 

5.19       Certification Agent (CA)

The responsibilities of the CA[33][34][35] include, but are not limited to, the following for systems and networks under his or her authority:

5.19.1     Assessing management, operational, and technical security controls employed within or inherited by an information system to evaluate the extent to which the controls are correctly implemented, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;

5.19.2     Complying with the assessment of all the Department’s systems and networks;

5.19.3     Ensuring the security authorization process is conducted in accordance with NIST guidance and OPDIV/STAFFDIV processes;

5.19.4     Reviewing the system security documentation and results of the security control assessments and providing the results of the security control assessment (the security assessment report) in writing to the Authorizing Official or Authorizing Official Designated Representative;

5.19.5     Providing an assessment of the severity of weaknesses or deficiencies discovered in the information system and its environment of operation, and recommending corrective actions to address identified vulnerabilities;

5.19.6     Preparing the final security assessment report containing the results and findings from the assessment; 

5.19.7     Conducting, prior to initiating the security control assessment, an assessment of the security plan to help ensure that the plan provides a set of security controls for the information system that meet the stated security requirements; and

5.19.8     Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

  

Policy/Requirements Traceability: FISMA and NIST SP 800-37 Rev. 1

 

5.20       Information System Security Officer (ISSO)

The responsibilities of each ISSO include, but are not limited to:

5.20.1     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches;

5.20.2     Serving as an OPDIV focal point for IT security and privacy incident reporting and subsequent resolution;

5.20.3     Ensuring that IT security notices and advisories are distributed to appropriate OPDIV personnel and that vendor-issued security patches are expeditiously installed;

5.20.4     Assisting the OPDIV CISO in reviewing contracts for systems under the OPDIV CISO’s control to ensure that IT security is appropriately addressed in contract language;

5.20.5     Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;

5.20.6     Maintaining the security documentation for systems under his or her purview, according to NIST SP 800-37 Rev. 1;

5.20.7     Ensuring NIST SP 800-53 Rev. 3 controls are appropriate to the system based on the FIPS 199 security categorization;

5.20.8     Assisting his or her System Owner, Data Owner/Business Owner, and OPDIV CISO in capturing all system weaknesses in the POA&M;

5.20.9     Reinforcing the concept of separation of duties by ensuring that no single individual has control of any critical process in its entirety per NIST SP 800-53 Rev. 3;

5.20.10   Participating in Department and OPDIV-required security Role-Based Training;

5.20.11   Tracking all security education and awareness training conducted for personnel and contractors, as appropriate;

5.20.12   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO – in coordination with the system/network administrators – in ensuring that proper backup procedures exist for all system and network information;

5.20.13   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring logical access controls are in place that provide protection from unauthorized access, alteration, loss, and disclosure of information;

5.20.14   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO with ensuring account lockout controls are in place that limit the number of consecutive failed log-in attempts against a given system;

5.20.15   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring limits are established for the amount of time a session may be inactive before that session is timed out;

5.20.16   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring that security-event monitoring technologies are used for all systems and networks;

5.20.17   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in coordinating with Human Resources to manage physical and logical access controls for new and departing HHS employees and contractors;

5.20.18   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in ensuring all incoming and outgoing connections from Department networks to the Internet, intranet, and extranets are made through a firewall;

5.20.19   Assisting the System Owner, Data Owner/Business Owner, and OPDIV CISO in analyzing audit logs with the frequency defined by the OPDIV CISO, and monitoring the types of assistance users request;

5.20.20   Ensuring that the appropriate operational security posture is maintained for an information system and, to that end, working in close collaboration with the System Owner;

5.20.21   Serving as a principal advisor on matters involving the security of an information system; and

5.20.22   Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

 

Policy/Requirements Traceability: FISMA; NIST SP 800-37 Rev. 1; NIST SP 800-53 Rev. 3; and FIPS 199, Standards for Security Categorization of Federal Information and Information Systems

 

5.21       Program Executives

The responsibilities of the Program Executives[36] include, but are not limited to:

5.21.1     Ensuring that systems and data that are critical to the Program’s mission receive adequate protection;

5.21.2     Determining, in coordination with the Data Owner/Business Owner and System Owner, appropriate security controls and identifying resources to implement those controls;

5.21.3     Coordinating system and data security requirements with IT security personnel by adequately delegating system-level security requirements;

5.21.4     Ensuring that security for each information system is planned, documented, and integrated into the EPLC from the information system’s initiation phase to the system’s disposal phase;

5.21.5     Ensuring adequate funding is provided to implement security requirements in the EPLC for systems that fall within the management authority of the Program Executive;

5.21.6     Signing off on the FIPS 199 security categorization;

5.21.7     Accepting reasonable risks, based on recommendations by the HHS CISO, OPDIV CISO, or OPDIV ISSO;

5.21.8     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches; and

5.21.9     Ensuring that sensitive information and proprietary software are removed from IT equipment, including printers, hard drives, and other memory devices, prior to those items being offered for disposal or when a transfer of custody occurs.

Policy/Requirements Traceability: FISMA and FIPS 199

 

5.22       System Owners

The responsibilities of the System Owners[37] include, but are not limited to:

5.22.1     Coordinating with the COs and Contracting Officer’s Technical Representatives (COTRs), Project Officer/Manager, and CISO to ensure that the appropriate security contracting language from Health and Human Services Acquisition Regulation (HHSAR) and other relevant sources is incorporated in each IT contract; 

5.22.2     Accepting accountability for the operation of a system(s) in support of the overall Program mission;

5.22.3     Processing systems at facilities and IT utilities (ITUs) that are certified at a level of security equal to or higher than the security level designated for their system;

5.22.4     Ensuring that information and system categorization has been established for their system(s) and data in accordance with FIPS 199;

5.22.5     Consulting with Authorizing Officials, OPDIV CIOs[38], OPDIV CISOs, System Developers and Maintainers, and the Risk Executive (function) when establishing or changing system boundaries;

5.22.6     Determining, in coordination with the Program Executive and Data Owner/Business Owner, appropriate security controls and identifying resources to implement those controls;

5.22.7     Consulting with the OPDIV CIO or OPDIV CISO to establish consistent methodologies for determining IT security costs for systems;

5.22.8     Ensuring that security for each information system is planned, documented, and integrated into the EPLC from the information system’s initiation phase to the system’s disposal phase;

5.22.9     Ensuring provision of adequate funding to implement the security requirements in the EPLC for systems that fall within the management authority of the Program Executive;

5.22.10   Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;

5.22.11   Ensuring that all IT systems are configured in accordance with most recent Federal system security configuration guidance;[39]

5.22.12   Conducting PIAs on their system(s), in coordination with their respective OPDIV SOP, if the system(s) is used to collect information on individuals, or when the Department develops, acquires, or buys new systems to handle collecting PII;

5.22.13   Conducting assessments of the risk and magnitude of the harm that would result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the Department’s critical operations, at no less than every three years or when significant changes occur to the system/network;

5.22.14   Supporting the annual FISMA program reviews, including the annual testing of security controls;[40]

5.22.15   Ensuring that system weaknesses are captured in the POA&M and are updated according to the HHS POA&M standard;

5.22.16   Ensuring that sensitivity and criticality levels have been established for their systems and data in accordance with NIST standards and guidelines;

5.22.17   Ensuring proper physical, administrative, and technical controls are in place to protect PII if found in the system;

5.22.18   Developing security plans for their system(s) and network(s) and documenting the security control implementation, as appropriate, in the security plan, providing a functional description of the control implementation (including planned inputs, expected behavior, and expected outputs);

5.22.19   Obtaining appropriate interconnection security agreements (ISAs) or memoranda of understanding (MOUs) prior to connecting with other systems and/or sharing sensitive data/information;[41]

5.22.20   Ensuring that system users and support personnel receive the requisite security training (e.g., instruction in RoB) and developing system-specific rules of behavior (RoB) for systems under their responsibility;

5.22.21   Participating in Department and OPDIV-required security role-based training (RBT);    

5.22.22   Determining who should be granted access to the system and with what rights and privileges, and granting users the fewest possible privileges necessary for job performance in order to ensure privileges are based on a legitimate need;

5.22.23   Conducting annual reviews and validations of system users’ accounts to ensure the continued need for access to a system;

5.22.24   Enforcing the concept of separation of duties by ensuring that no single individual has control of the entirety of any critical process;

5.22.25   Ensuring that special physical security or environmental security requirements are implemented for facilities and equipment used for processing, transmitting, or storing sensitive information based on the level of risk;

5.22.26   Ensuring the development, execution, and activation of a system-to-system interconnection implementation plan for each instance of a system-to-system interconnection;

5.22.27   Serving as a POC for the system to whom privacy issues may be addressed;

5.22.28   Collecting, modifying, using, and/or disclosing the minimum PII necessary to accomplish mission objectives;

5.22.29   Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches;

5.22.30   Ensuring that sensitive information and proprietary software are removed from IT equipment (including printers), hard drives, and other memory devices prior to those items being offered for disposal or when a transfer of custody occurs;

5.22.31   Accepting accountability for having an active security authorization for all deployed systems to include pilot systems and retiring systems, to include assembling the authorization package and submitting it to the Authorizing Official and Authorizing Official Designated Representative;  

5.22.32   Developing a strategy for the continuous monitoring[42] of security control effectiveness and any proposed or actual changes to the information system and its environment of operation[43]; and

5.22.33   Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

 

Policy/Requirements Traceability: FISMA; NIST SP 800-37 Rev. 1; NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model; and (ASAM and ASRT; Statement of Organization, 2009)

 

5.23       Data Owner/Business Owner

The responsibilities of Data Owner/Business Owner[44] include, but are not limited to:

5.23.1     Gathering, processing, storing, or transmitting Department data in support of the Program’s mission;

5.23.2     Ensuring that System Owners are aware of the sensitivity of data to be handled, and ensuring that data is not processed on a system with security controls that are not commensurate with the sensitivity of the data in accordance with FIPS 199 and FIPS 200;

5.23.3     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches; and

5.23.4     Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

 

Policy/Requirements Traceability: FISMA and NIST SP 800-16 (as amended)

 

5.24       Website Owner/Administrator

The responsibilities of Website Owner/Administrator include, but are not limited to:

5.24.1     Coordinating Website privacy practices and compliance activities with the OPDIV SOP;

5.24.2     Ensuring that any OPDIV Website that employs a multi-session Web measurement and tracking technology that collects PII is approved by the SAOP prior to its use; and

5.24.3     Ensuring that OPDIV Websites or OPDIV use of a third-party Website or application includes applicable privacy policies, privacy notices, and machine-readable privacy policies and that the content is accurate.

 

Policy/Requirements Traceability: M-10-22; M-10-23; and HHS-OCIO-2010-0001 Policy for Machine-Readable Privacy Policies, dated January 28, 2010

 

5.25       Contingency Planning Coordinator

The responsibilities of the Contingency Planning Coordinator include, but are not limited to:

5.25.1     Developing the contingency plan (CP) strategy, in cooperation with other functional and resource managers associated with the system or the business processes supported by the system;

5.25.2     Managing development and execution of the CP;

5.25.3     Coordinating with the ISSO and other key functional and resource managers to test the Information Technology Contingency Plan (ITCP) in accordance with NIST SP 800-53 Rev. 3 control CP-4 (see Section 2 of the Handbook);

5.25.4     Updating/maintaining all aspects of the ITCP;

5.25.5     Ensuring that each team is trained and ready to deploy in the event of a disruptive situation requiring CP activation;

5.25.6     Ensuring that recovery personnel are assigned to each team to respond to the event, recover capabilities, and return the system to normal operations; and

5.25.7     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: OMB Circular A-130 and NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems

 

5.26       System Developers and Maintainers

The responsibilities of System Developers and Maintainers[45] include, but are not limited to:

5.26.1     Understanding the need to plan security into information systems, especially from the beginning, and the benefits to be derived from doing so;

5.26.2     Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs;

5.26.3     Identifying laws and regulations relevant to the system’s design and operation;

5.26.4     Interpreting applicable laws and regulations into security functional requirements;

5.26.5     Evaluating conflicting functional requirements to select for implementation those requirements that provide the highest level of security at the minimum cost consistent with applicable laws and regulations;

5.26.6     Understanding the relationship between planned security safeguards and the features being installed on the system under development;

5.26.7     Evaluating development efforts to ensure that baseline security safeguards are appropriately installed for systems being developed or modified;

5.26.8     Participating in the construction of the information system in accordance with the formal design specifications, developing manual procedures, using commercial off-the-shelf (COTS) hardware/software components, writing program code, customizing hardware components, and/or using other IT capabilities;

5.26.9     Designing and developing tests for security safeguard performance under a variety of normal and abnormal operating circumstances and workload levels;

5.26.10   Analyzing system performance for potential security problems, and providing direction to correct any security problems identified during testing;

5.26.11   Identifying IT security impacts associated with system implementation procedures;

5.26.12   Leading the design, development, and modification of safeguards to correct vulnerabilities identified during system implementation;

5.26.13   Supporting assessments, reviews, evaluations, tests and audits of the system by both internal and external entities;

5.26.14   Following the EPLC in developing and maintaining HHS systems;

5.26.15   Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches; and

5.26.16   Executing the RMF tasks as listed in NIST SP 800-37 Rev. 1.

Policy/Requirements Traceability: FISMA and NIST SP 800-16 (as amended)

 

5.27       System/Network Administrators[46]

The responsibilities of System/Network Administrators include, but are not limited to:

5.27.1     Reading, acknowledging, signing, and complying with the HHS Information Security Program Rules of Behavior For Use of HHS Information Technology Resources (HHS RoB), and OPDIV and system-specific RoB, before gaining access to the Department’s systems and networks;

5.27.2     Completing required privacy and security awareness training;

5.27.3     Participating in Department- and OPDIV-required security RBT;

5.27.4     Ensuring that the IT security posture of the network is maintained during all network maintenance, monitoring activities, installations or upgrades, and throughout day-to-day operations;

5.27.5     Ensuring that appropriate security requirements are implemented and enforced for all Department systems or networks;

5.27.6     Examining unresolved system vulnerabilities and determining which corrective action(s) or additional safeguards are necessary to mitigate them;

5.27.7     Implementing proper system backups, patching security vulnerabilities, and accurately reporting security incidents;

5.27.8     Utilizing his or her “root” or “administrative” access rights to a computer, based on need-to-know;

5.27.9     Ensuring all incoming and outgoing connections from Department networks to the Internet, intranet, and extranets are made through a firewall;

5.27.10   Analyzing system performance for potential security problems;

5.27.11   Conducting tests of security safeguards in accordance with the established test plan and procedures;

5.27.12   Assessing the performance of security controls (to include hardware, software, firmware, and telecommunications, as appropriate) to ensure that the residual risk is within an acceptable range;

5.27.13   Identifying IT security impacts associated with system implementation procedures;

5.27.14   Leading the design, development, and modification of safeguards to correct vulnerabilities identified during system implementation;

5.27.15   Recognizing potential security violations and taking appropriate action to report any such incident as required by Federal regulation, and mitigating any adverse impact;

5.27.16   Developing and/or executing a system termination plan to ensure that IT security breaches are avoided during shutdown, and that long-term protection of archived resources is achieved;

5.27.17   Ensuring that hardware, software, data, and facility resources are archived, sanitized, or disposed of in a manner consistent with the system termination plan;

5.27.18   Reporting any suspected or actual computer incidents, including the loss of control of PII and PHI, immediately to the OPDIV CSIRT; and

5.27.19   Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: FISMA; HHS Rules of Behavior For Use of HHS Information Technology Resources, dated August 26, 2010; and NIST SP 800-16 (as amended)

 

5.28       Contracting Officers and Contracting Officer’s Technical Representatives

The responsibilities of the COs and COTRs include, but are not limited to:

5.28.1     Coordinating with the System Owner, Data Owners/Business Owners, Project Officer/Manager, and CISO to ensure that the appropriate security and privacy contracting language from ASFR and other relevant sources is incorporated into each IT contract;

5.28.2     Determining the applicability of the Privacy Act (HHSAR 324.102) when the design, development, or operation of a Privacy Act SOR on individuals is required to accomplish an agency function;

5.28.3     Maintaining the integrity and quality of the proposal evaluation, negotiation, and source selection processes, while ensuring that all terms and conditions of the IT contract are met;

5.28.4     Monitoring contract performance and reviewing deliverables for conformance with contract requirements related to IT security and privacy;

5.28.5     Taking action as needed to ensure that accepted products meet contract requirements;

5.28.6     Ensuring that sufficient funds are available for obligation per the FAR;[47]

5.28.7     Determining the applicability of the Privacy Act (HHSAR 324.102) when the design, development, or operation of a Privacy Act SOR on individuals is required to accomplish an agency function;

5.28.8     Advising contractors who develop or maintain a Privacy Act System of Records (SOR) on behalf of the Federal Government that the Privacy Act applies to them to the same extent that it applies to the government, per Section 552a(m) of the Privacy Act; and

5.28.9     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: FAR; NIST SP 800-16 (as amended); and HHSAR

 

5.29       Project/Program Managers

The responsibilities of the Project/Program Managers include, but are not limited to:

5.29.1     Evaluating proposals, if requested, to determine whether proposed security solutions effectively address agency requirements as detailed in acquisition documents;

5.29.2     Ensuring that security-related documentation at each phase of the EPLC meets all identified security needs; and

5.29.3     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: FISMA; NIST SP 800-16 (as amended); and Privacy Act

 

5.30       Human Resource Officers

The responsibilities of the Human Resource Officers include, but are not limited to:

5.30.1     Coordinating with appropriate OPDIV CIO POCs and Office of Security and Drug Testing (OSDT) POCs to ensure background checks are conducted for individuals with significant security responsibilities;

5.30.2     Notifying the appropriate OPDIV CIO POC within one business day when OPDIV personnel are separated from the Department;

5.30.3     Ensuring relevant paperwork, interviews and notifications are sent to the appropriate OPDIV CIO personnel when personnel join, transfer within, or leave the organization, either permanently or on detail;

5.30.4     Participating at the request of the HHS CSIRC in the investigation of Federal employees with regard to security incidents;

5.30.5     Participating at the request of the HHS PIRT in the investigation of Federal employees relative to PII incidents and violations; and

5.30.6     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches.

 

Policy/Requirements Traceability: HHS RoB

 

5.31       Supervisors

The responsibilities of Supervisors include, but are not limited to:

5.31.1     Ensuring compliance with IT security and privacy policies by all personnel under their direction, and providing the personnel, financial, and physical resources required to protect information resources appropriately;

5.31.2     Budgeting resources for IT security training, including privacy and Role-Based Training, for personnel with security-related responsibilities (e.g., time, money, staff coverage);

5.31.3     Ensuring that personnel under their direct report complete all required IT security training, including privacy and role-based training, within the mandated timeframe;

5.31.4     Notifying the appropriate OPDIV ISSO, or the OPDIV CISO if the ISSO is not available, immediately of the unfriendly departure or separation of a Department employee or contractor;

5.31.5     Pursuing disciplinary or adverse actions against personnel and contractors who violate HHS policies or standards, including the HHS RoB and OPDIV-specific policies and procedures, including system-specific RoB;

5.31.6     Preventing the sharing of personal data unless the recipient is listed under the routine uses of disclosure of the Privacy Act Systems of Records Notice, is covered by one of the provisions found in 5 U.S.C. § 552a(b)(1)-(12) of the Privacy Act, or the record subject has given written permission to disclose the data;

5.31.7     Reporting any suspected or actual computer security incidents, including the loss of control of PII and PHI, immediately to the OPDIV CSIRT;

5.31.8     Notifying the OPDIV CISO of actual or suspected computer-security incidents, including PII and PHI breaches; and

5.31.9     Verifying personnel security requirements are defined in the position description, the position description is reviewed annually for accuracy, and personnel security requirements are met for all employees.

Policy/Requirements Traceability: FISMA and NIST SP 800-16 (as amended)

 

5.32       Federal Employees and Contractors

The responsibilities of the Department’s users and contractors operating on behalf of the Department include, but are not limited to:

5.32.1     Complying with the Department’s policies, standards, and procedures;

5.32.2     Possessing awareness that they are not acting in an official capacity when using Department IT resources for non-governmental purposes;

5.32.3     Familiarizing themselves with any special requirements for accessing, protecting, and using data, including Privacy Act data, copyright data, and procurement-sensitive information;

5.32.4     Reporting any suspected or actual computer security incidents, including the loss of control of PII and PHI, immediately to the OPDIV CSIRT;

5.32.5     Seeking guidance from supervisors when in doubt about implementing this document;

5.32.6     Ensuring that all media containing Department data are appropriately marked and labeled to indicate the sensitivity of the data;

5.32.7     Abstaining from loading unapproved software from unauthorized sources[48] on Department systems or networks;

5.32.8     Ensuring that sensitive information is not stored on laptop computers or other portable devices unless the data is secured using encryption standards commensurate with the sensitivity level of the data;

5.32.9     Reading, acknowledging, signing, and complying with the HHS RoB, as well as any OPDIV- and system-specific RoB, before gaining access to the Department’s systems and networks;

5.32.10   Completing required privacy and security awareness training;

5.32.11   Implementing specified security and privacy safeguards to prevent fraud, waste, or abuse of the systems, networks, and data they are authorized to use;

5.32.12   Conforming to security policies and procedures that minimize the risk to the Department’s systems, networks, and data from malicious software and intrusions;

5.32.13   Agreeing not to disable, remove, install with intent to bypass, or otherwise alter security or administrative settings designed to protect Department IT resources;

5.32.14   Ensuring that adequate protection is maintained on their workstation, including not sharing passwords with any other person, and logging out, locking, or enabling a password-protected screen saver before leaving their workstation; and

5.32.15   Notifying the OPDIV CISO or OPDIV CSIRT of actual or suspected computer-security incidents, including PII and PHI breaches.

Policy/Requirements Traceability: HHS RoB; and NIST SP 800-37 Rev. 1

5.33       HHS Records Officer

The HHS Records Officer is responsible for:

5.33.1     Ensuring compliance with the Federal Records Act of 1950; National Archives and Records Administration (NARA) regulations and/or guidance; OMB directives; and GAO audit requirements;

5.33.2     Serving as chairperson of the HHS Records Management Council;

5.33.3     Developing HHS records management policies and procedures; and

5.33.4     Providing Department-wide guidance, training, and assistance for compliance with laws and regulations.

Policy/Requirements Traceability: Federal Records Act of 1950; and HHS-OCIO Policy for Machine-Readable Privacy Policies

5.34       HHS Privacy Act Officer

The HHS Privacy Act Officer is responsible for:

5.34.1     Reviewing HHS Privacy Act SORNs prior to publication;

5.34.2     Responding to and reviewing questions relating to the Privacy Act via the Agency Privacy Management Report section of FISMA; and

5.34.3     Implementing requirements of the Privacy Act and corresponding operating procedures.

Policy/Requirements Traceability: OMB Circular A-130; Privacy Act; and FISMA


6.1            Federal Directives and Policies

  • Federal Continuity Directive 1 (FCD 1): Federal Executive Branch National Continuity Program and Requirements, February 2008
  • HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004
  • HSPD-7, Critical Infrastructure Identification, Prioritization, and Protection, dated December 17, 2003
  • Office of Assistant Secretary for Administration and Management and Office of the Assistant Secretary for Resources and Technology: Statement of Organization, Functions, and Delegations of Authority, 74 Fed. Reg. 57679-57682 (2009)
  • Office for Civil Rights: Delegation of Authority, 74 Fed. Reg. 38630 (2009)
  • Office of Resources and Technology: Statement of Organization, Functions and Delegations of Authority, 73 Fed. Reg. 31486-31487 (2008)
  • Office of the Secretary: Statement of Organization, Functions, and Delegations of Authority, 72 Fed. Reg. 19000-19001 (2007)
  • Office of Personnel Management (OPM) Regulation 5 Code of Federal Regulations (CFR) 930.301

6.2            Statutes

  • The Health Information Technology for Economic and Clinical Health Act, enacted as part of the American Recovery and Reinvestment Act of 2009
  • Public Welfare, Title 45 Code of Federal Regulations, Pt. 160. 2009 ed.
  • Federal Acquisition Regulation (as amended)
  • E-Government Act of 2002
  • Federal Information Security Management Act of 2002 (Pub. L. No. 107-347, Title III)
  • Clinger-Cohen Act of 1996
  • The Health Insurance Portability and Accountability Act of 1996
  • Paperwork Reduction Act of 1995
  • Children’s Online Privacy Protection Act of 1988
  • The Computer Matching and Privacy Protection Act of 1988
  • The Privacy Act of 1974 (as amended)
  • Office of Federal Procurement Policy Act of 1974
  • Freedom of Information Act of 1966 (Public Law 89-554, 80 Stat. 383; Amended 1996, 2002, 2007)
  • Federal Records Act of 1950

6.3            HHS Policy

  • HHS-OCIO-2011-0001.001S, Standard for Plans of Action and Milestones (POA&M) Management and Reporting, dated March 30, 2011
  • HHS-OCIO-2010-0002.001S, HHS Rules of Behavior For Use of HHS Information Technology Resources, dated August 26, 2010
  • HHS-OCIO-2010-0001.001S, HHS-OCIO Standard for Security Content Automation Protocol (SCAP)-Compliant Tools, dated June 8, 2010
  • HHS-OCIO-2010-0004, Policy for Information Technology (IT) Security and Privacy Incident Reporting and Response, dated April 5, 2010
  • HHS-OCIO-2010-0003, HHS-OCIO Policy for Social Media Technologies, dated March 31, 2010
  • HHS-OCIO-2010-0002, HHS-OCIO Policy for Capital Planning and Investment Control, dated February 26, 2010
  • HHS-OCIO-2010-0001, HHS-OCIO Policy for Machine-Readable Privacy Policies, dated January 28, 2010
  • HHS-OCIO-2009-0003.001S, HHS Standard for IEEE 802.11 WLAN, dated July 27, 2009
  • HHS-OCIO-2009-0001.001S, HHS Standard for Security Configurations Language in HHS Contracts, dated January 30, 2009
  • HHS-OCIO-2009-0002.001S, HHS Standard for Encryption Language in HHS Contracts, dated January 30, 2009
  • HHS-OCIO-2008-0004.001, HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC), dated October 6, 2008
  • HHS-OCIO-2008-0002.002S, HHS Standard for Managing Outbound Web Traffic, dated June 6, 2008
  • HHS-OCIO-2008-0006.001S, HHS Standard for FISMA Inventory Management, dated December 23, 2008 
  • HHS-OCIO-2008-0007.001S, HHS Standard for Encryption, dated December 23, 2008
  • HHS-OCIO-2008-0001.003, HHS Policy for Responding to Breaches of Personally Identifiable Information, dated November 17, 2008
  • HHS-OCIO-2007.0004.001, Policy for Records Management, dated January 30, 2007
  • HHS-OCIO-2006-0001, Policy for Personal Use of Information Technology Resources, dated February 17, 2006
  • HHS CSIRC Concept of Operations, dated June 9, 2010
  • HHS Minimum Security Configuration Standards for Departmental Operating Systems and Applications, dated August 4, 2009
  • HHS Federal Desktop Core Configuration (FDCC) Deviations, dated November 5, 2008
  • HHS Federal Desktop Core Configuration (FDCC) Standard for Windows Vista, dated November 5, 2008
  • HHS Federal Desktop Core Configuration (FDCC) Standard for Windows XP, dated November 5, 2008
  • HHS Memorandum, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12-Policy for a Common Identification Standard for Federal Employees and Contractors, dated April 15, 2011
  • HHS Memorandum, Process Guidance for Security Risk-Based Decisions Involving the Primary Operational Information Technology Infrastructure Managers, dated May 13, 2010
  • HHS Memorandum, Resolving Security Audit Finding Disputes, dated May 13, 2010
  • HHS Memorandum, Security of Information Technology Systems, dated November 10, 2009
  • HHS Memorandum, Office of Inspector General Management Implication Report – Need for Departmental Security Enhancements for Information Technology Assets, dated October 13, 2009
  • HHS Memorandum, Updated Departmental Standard for the Definition of Sensitive Information, dated May 18, 2009
  • HHS Memorandum, Role-Based Training (RBT) of Personnel with Significant Security Responsibilities, dated May 16, 2011
  • HHS Memorandum, Security Related to Hosting Foreign Visitors and Foreign Travel by HHS Personnel, dated April 23, 2004
  • 48 CFR Chapter 3 Health and Human Services Acquisition Regulation (HHSAR), dated November 27, 2009
  • FAC-2005-46, Federal Acquisition Regulation (FAR), amendments dated October 29, 2010
  • Department Information Security Policy/Standard Waiver, dated July 16, 2010
  • HHS Logistics Management Manual, dated February 23, 2007
  • HHS Information Security Program Privacy in the System Development Life Cycle, dated January 16, 2007
  • HHS Memorandum, Federal Information Processing Standards (FIPS) 200 Implementation, dated January 9, 2007
  • HHS National Security Information Manual, dated February 1, 2005
  • HHS Personnel Security/Suitability Handbook, dated February 1, 2005

6.4            OMB Policy and Memoranda

  • OMB Circular A-127, Financial Management Systems, dated January 9, 2009
  • OMB Circular A-130, Management of Federal Information Resources, dated November 28, 2000
  • OMB Circular A-123, Management Accountability and Control, dated June 21, 1995
  • OMB M-11-11, Continued Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, dated February 3, 2011
  • OMB M-11-02, Sharing Data While Protecting Privacy, dated November 3, 2010
  • OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies, dated June 25, 2010
  • OMB M-10-23, Guidance for Agency Use of Third-Party Websites and Applications, dated June 25, 2010
  • OMB M-10-15, FY 2010 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated April 21, 2010
  • OMB M-10-06, Open Government Directive, dated December 8, 2009
  • OMB M-09-29, FY 2009 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated August 20, 2009
  • OMB M-08-21, FY 2008 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 14, 2009
  • OMB M-08-23, Securing the Federal Government’s Domain Name System Infrastructure, dated August 22, 2008
  • OMB M-08-09, New FISMA Privacy Reporting Requirements for FY 2008, dated January 18, 2008
  • OMB M-08-10, Use of Commercial Independent Risk Analysis Services Blanket Purchase Agreements (BPA), dated February 4, 2008
  • OMB M-07-20, FY 2007 E-Government Act Reporting Instructions, dated August 14, 2007
  • OMB M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 25, 2007
  • OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information, dated May 22, 2007
  • OMB M-06-20, FY 2006 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated July 16, 2006
  • OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments, dated July 12, 2006
  • OMB M-06-16, Protection of Sensitive Agency Information, dated June 23, 2006
  • OMB M-06-15, Safeguarding Personally Identifiable Information, dated May 22, 2006
  • OMB M-05-24, Implementation of Homeland Security Presidential Directive (HSPD) 12 – Policy for a Common Identification Standard for Federal Employees and Contractors, dated August 5, 2005
  • OMB M-05-15, FY 2005 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management, dated June 13, 2005
  • OMB M-05-08, Designation of Senior Agency Officials for Privacy, dated February 11, 2005
  • OMB M-05-04, Policies for Federal Agency Public Websites, dated December 17, 2005
  • OMB M-04-26, Personal Use Policies and ‘File Sharing’ Technology, dated September 8, 2004
  • OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002 (as amended), dated September 26, 2003
  • OMB M-04-04, E-Authentication Guidance for Federal Agencies, dated December 16, 2003
  • OMB M-01-24, Reporting Instructions for the Government Information Security Reform Act, dated June 22, 2001
  • OMB M-01-05, Guidance on Inter-Agency Sharing of Personal Data - Protecting Personal Privacy, dated December 20, 2000
  • OMB M-99-20, Security of Federal Automated Information Resources, dated June 23, 1999
  • OMB M-99-05, Instructions on Complying with President's Memorandum of May 14, 1998, "Privacy and Personal Information in Federal Records," dated January 7, 1999
  • OMB M-96-20, Implementation of the Information Technology Management Reform Act of 1996, dated April 4, 1996

6.5            NIST Guidance

  • NIST SP 800-122, Guide to Protecting Confidentiality of PII, dated April 2010
  • NIST SP 800-81 Rev. 1, Secure Domain Name System (DNS) Deployment Guide, dated April 2010
  • NIST SP 800-65, Integrating IT Security into the Capital Planning and Investment Control Process, dated January 2005
  • NIST SP 800-64 Revision 2, Security Considerations in the System Development Lifecycle, dated October 2008
  • NIST SP 800-63 Version 1.0.2, Electronic Authentication Guideline, dated April 2006
  • NIST SP 800-61 Revision 1, Computer Security Incident Handling Guide, dated March 2008
  • NIST SP 800-60 Revision 1, Guide for Mapping Types of Information and Information Systems to Security Categories (2 volumes: Volume 1, Guide; Volume 2, Appendices), dated August 2008
  • NIST SP 800-58, Security Considerations for Voice Over IP Systems, dated January 2005
  • NIST SP 800-53A, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans, dated June 2010
  • NIST SP 800-53 Revision 3, Recommended Security Controls for Federal Information Systems, dated August 2009
  • NIST SP 800-37 Revision 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach, dated February 2010
  • NIST SP 800-34 Revision 1, Contingency Planning Guide for Information Technology Systems, dated June 2002
  • NIST SP 800-30, Risk Management Guide for Information Technology Systems, dated July 2002
  • NIST SP 800-18 Revision 1, Guide for Developing Security Plans for Federal Information Systems, dated February 2006
  • NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model, dated April 1998
  • FIPS 200, Minimum Security Requirements for Federal Information and Information Systems, dated March 2006
  • FIPS 199, Standards for Security Categorization of Federal Information and Information Systems, dated February 2004
  • FIPS 140-2, Security Requirements for Cryptographic Modules, dated May 2001

HHS OCIO policies and standards are posted on the following Website: http://www.hhs.gov/ocio/policy/index.html

Direct any questions, comments, suggestions, or requests for further information to the HHS Cybersecurity Program at (202) 205-9581.

The effective date of this Policy is the date on which the Policy is approved.

Requirements stated in this Policy are consistent with law, regulations, and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units.

The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary’s policy statement dated August 7, 1997, as amended, titled Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations. It is HHS policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department’s plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.

/Michael Carleton/                    July 7, 2011
Michael W. Carleton                   DATE
HHS Chief Information Officer


Access — The ability to make use of any information system resource. (Defined in NIST SP 800-32, Introduction to Public Key Technology and the Federal PKI Infrastructure)

Access Control — The process of granting or denying specific requests: 1) for obtaining and using information and related information processing services; and 2) to enter specific physical facilities (e.g., Federal buildings, military establishments, and border crossing entrances). (Defined in FIPS 201-1, Personal Identity Verification for Federal Employees and Contractors)

Access Control List (ACL) — A register of: (i) users (including groups, machines, and processes) who have been given permission to use a particular system resource; and (ii) the types of access they have been permitted. (Defined in NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook)

Asset Management — The ability to actively discover, audit, and assess asset characteristics including: installed and licensed products; location within the world, a network or enterprise; ownership; and other related information on IT assets such as workstations, servers, and routers. (Defined at NIST Website: http://scap.nist.gov/validation/)

Assurance — The grounds for confidence that the set of intended security controls in an information system are effective in their application. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Authentication — Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

Authorization — The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation based on the implementation of an agreed-upon set of security controls. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

Authorization Boundary — All components of an information system to be authorized for operation by an authorizing official and excludes separately authorized systems, to which the information system is connected. With regard to the risk management process and information security, the term information system boundary is synonymous with authorization boundary. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Authorizing Official — A senior (Federal) official or executive with the authority to formally assume responsibility for operating an information system at an acceptable level of risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Authorizing Official Designated Representative — An organizational official acting on behalf of an authorizing official in carrying out and coordinating the required activities associated with security authorization. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Availability — Ensuring timely and reliable access to and use of information. A loss of availability is the disruption of access to or use of information or an information system. (Defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems)

Breach — The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for an other than authorized purpose have access or potential access to personally identifiable information, whether physical or electronic. (Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)

Common Control — A security control that is inherited by one or more organizational information systems. See “Security Control Inheritance.” (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

Common Control Provider — An organizational official[49] responsible for the development, implementation, assessment, and monitoring of common controls (i.e., security controls inherited by information systems). (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Compensating Security Controls — The management, operational, or technical controls (i.e., safeguards or countermeasures) employed by an organization, in lieu of the recommended controls in the Low, Moderate, or High baselines described in NIST SP 800-53, which provide equivalent or comparable protection for an information system. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Confidentiality — Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information. (Defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems)

Configuration Management (CM) — A discipline applying technical and administrative direction and surveillance to identify and document the functional and physical characteristics of a configuration item, control changes to those characteristics, record and report change processing and implementation status, and verify compliance with specified requirements. (Defined in IEEE 610.12, Standard Glossary of Software Engineering Terminology)

Contingency Plan (CP) — Management policy and procedures designed to maintain or restore business operations, including computer operations, possibly at an alternate location, in the event of emergencies, system failures, or disaster. (Defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems)

Cookie — A piece of state information supplied by a Web server to a browser, in a response for a requested resource, for the browser to store temporarily and return to the server on any subsequent visits or requests. This term may be associated with Web Measurement and Customization Technologies. (Defined in NIST SP 800-28 Version 2, Guidelines on Active Content and Mobile Code)

Cryptographic Module Validation Program (CMVP) — The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of the Government of Canada that validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-2 and other cryptography based standards. Products validated as conforming to FIPS 140-2 are accepted by the Federal agencies of both countries for the protection of sensitive information (United States) or designated information (Canada). (Defined in FIPS 140-2, Security Requirements for Cryptographic Modules)

Cryptography — The discipline that embodies the principles, means, and methods for the transformation of data in order to hide their semantic content, prevent their unauthorized use, or prevent their undetected modification. (Defined in NIST SP 800-59, Guideline for Identifying an Information System as a National Security System)

Domain — An environment or context that includes a set of system resources and a set of system entities that have the right to access the resources as defined by a common security policy, security model, or security architecture. (Defined in CNSSI 4009, National Information Assurance (IA) Glossary)

Domain Name System (DNS) — A system that translates domain names to Internet protocol (IP) addresses and back. (Defined in NIST SP 800-81 Rev. 1, Secure Domain Name System (DNS) Deployment Guide)

Enterprise Architecture (EA) — A strategic information asset base that defines the business, the information necessary to operate the business, the technologies necessary to support the business operations, and the transitional processes necessary for implementing new technologies in response to the changing business needs. It is a representation or blueprint. (Defined in the Chief Information Officers Council Federal Enterprise Architecture Framework Version 1.1 as “Federal enterprise architecture”)

Enterprise Performance Life Cycle (EPLC) — A framework that establishes a project management and accountability environment where HHS information technology projects achieve consistently successful outcomes that maximize alignment with Department-wide and individual OPDIV goals and objectives. Implementation of the EPLC methodology allows HHS to improve the quality of project planning and execution, reducing overall project risk. (Defined in HHS-OCIO-2008-0004.001, HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC))

Environment of Operation — The physical surroundings in which an information system processes, stores, and transmits information. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Event — Any observable occurrence in a system and/or network. Examples of events include the system boot sequence, a system crash, and packet flooding within a network. (Defined in HHS-IRM-2000-0006, Policy for Establishing an Incident Response Capability)

High-Impact System — An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of high. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

Identification — The process of discovering the true identity (i.e., origin, initial history) of a person or item from the entire collection of similar persons or items. (Defined in FIPS 201-1, Personal Identity Verification for Federal Employees and Contractors)

Information System Security Officer — An individual with assigned responsibility for maintaining the appropriate operational security posture for an information system or program. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Incident — A violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices. (Defined in NIST SP 800-61 Rev. 1, Computer Security Incident Handling Guide)

Incident Response Plan — The documentation of a predetermined set of instructions or procedures to detect, respond to, and limit consequences of malicious cyber attacks against an organization’s information system(s). (Defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems)

Independent Assessor — Any individual or group capable of conducting an impartial assessment of security controls employed within or inherited by an information system. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Information — Any communication or representation of knowledge such as facts, data, or opinions in any medium or form including textual, numerical, graphic, cartographic, narrative, or audiovisual forms. (Defined in OMB Circular A-130, Transmittal Memorandum #4, Management of Federal Information Resources, 6(a))

Information Owner/Steward — An organizational official[50] with statutory, management, or operational authority for specified information and the responsibility for establishing the policies and procedures governing its generation, collection, processing, dissemination, and disposal. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Information Resources — Information and related resources, such as personnel, equipment, funds, and IT. (Defined in 44 U.S.C., SEC. 3502)

Information Security Architect — An individual, group, or organization[51] responsible for ensuring that the information security requirements necessary to protect the organization’s core missions and business processes are adequately addressed in all aspects of enterprise architecture including reference models, segment and solution architectures, and the resulting information systems supporting those missions and business processes. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Information Security Measures — Activities used to facilitate decision making and improve performance and accountability through the collection, analysis, and reporting of relevant performance-related data. (Defined in NIST SP 800-55 Rev. 1, Performance Measurement Guide for Information Security)

Information Security Program Plan — A formal document that provides an overview of the security requirements for an organization-wide information security program and describes the program management controls and common controls in place or planned for meeting those requirements.[52] See also “Security Plan.” (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Information System — A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

Information System Owner — The official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.[53] (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Information System Security Engineer — An individual assigned responsibility for conducting information system security engineering activities.[54] (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Information System-related Security Risks — Risks that arise through the loss of confidentiality, integrity, or availability of information or information systems and consider impacts to the organization (including assets, mission, functions, image, or reputation), individuals, other organizations, and the Nation. See “Risk.” (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

Information Technology Contingency Plan (ITCP) — Interim measures to recover IT services following an emergency or system disruption. (Defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems)

Information Technology Security Architecture — A description of security principles and an overall approach for complying with the principles that drive the system design (i.e., guidelines on the placement and implementation of specific security services within various distributed computing environments). (Defined in NIST SP 800-27A, Engineering Principles for Information Technology Security [A Baseline for Achieving Security])

Integrity — Guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

Interconnection Security Agreement (ISA) — An agreement established between the organizations that own and operate connected information systems to document the technical requirements of the interconnection. The ISA also supports a Memorandum of Understanding or Agreement (MOU/A) between the organizations. (Defined in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)

 

Joint Authorization — A security authorization involving multiple authorizing officials. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Key Management — The activities involving the handling of cryptographic keys and other related security parameters (e.g., Initialization Vectors and passwords) during the entire lifecycle of the keys, including their generation, storage, establishment, entry and output, and destruction. (Defined in NIST 800-57, Recommendation for Key Management)

 

Key Recovery — A function in the lifecycle of keying material; mechanisms and processes that allow authorized entities to retrieve keying material from key backup or archive. (Defined in NIST SP 800-57, Recommendation for Key Management)

 

Low-Impact System — An information system in which all three security objectives (i.e., confidentiality, integrity, and availability) are assigned a FIPS 199 potential impact value of low. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

 

Memorandum of Understanding/Agreement (MOU/A) — A document established between two or more parties to define their respective responsibilities in accomplishing a particular goal or mission. In this guide, an MOU/A defines the responsibilities of two or more organizations in establishing, operating, and securing a system interconnection. (Defined in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems)

 

Mobile Devices — Portable cartridge/disk-based removable storage media (e.g., floppy disks, compact disks, USB flash drives, and other flash memory cards/drives that contain non-volatile memory) or portable computing and communication devices with information storage capability (e.g., notebook, laptop computers, personal digital assistants, cellular telephones, digital cameras, and audio recording devices). (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Moderate-Impact System — An information system in which at least one security objective (i.e., confidentiality, integrity, or availability) is assigned a FIPS 199 potential impact value of moderate, and no security objective is assigned a FIPS 199 potential impact value of high. (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

 

Multi-Session Web Measurement Technology — Technologies that remember a user’s online interactions through multiple sessions. This approach requires the use of a persistent identifier for each user, which lasts across multiple sessions or visits. (Defined in OMB M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies)

 

Patch — An additional piece of code developed to address a problem in an existing piece of software. (Defined in NIST SP 800-40 Version 2.0, Creating a Patch and Vulnerability Management Program)

 

Peer-to-peer (P2P) — Any software or system allowing individual users of the Internet to connect to each other and trade files. (Defined in OMB M-04-26, Personal Use Policies and ‘File Sharing’ Technologies)

 

Penetration Testing — Security testing in which assessors mimic real-world attacks to identify methods for circumventing the security features of an application, system, or network. (Defined in NIST SP 800-115, Technical Guide to Information Security Testing and Assessment)

 

Personal Identification Verification (PIV) Card — A secure and reliable form of identification credential issued by the Federal Government to its employees and contractors. This credential is intended to authenticate an individual who requires access to federally controlled facilities, information systems, and applications. (Defined in FIPS 201-1, Personal Identity Verification (PIV) of Federal Employees and Contractors)

 

Personally Identifiable Information (PII) — Information which can be used to distinguish or trace an individual's identity, such as their name, Social Security number, biometric records, etc. alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother’s maiden name, etc. (Defined in OMB M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information)

 

Any information about an individual maintained by an agency, including, but not limited to, education, financial transactions, medical history and information which can be used to distinguish or trace an individual’s identity, such as their name, SSN, date and place of birth, mother’s maiden name, biometric records, etc., including any other personal information which is linked or linkable to an individual. (Defined in OMB M-06-19, Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency IT Investments)

 

Plan of Action & Milestones (POA&M) — A document that identifies tasks needing to be accomplished, and details resources required to accomplish the elements of the plan, any milestones in meeting the tasks, and scheduled completion dates for the milestones. (Defined in OMB M-02-01, Guidance for Preparing and Submitting Security Plans of Action and Milestones)

 

Policy — The rules and regulations set by an organization that define the purpose of the program and its scope within the organization; assign responsibilities for direct program implementation, as well as other responsibilities to related offices (e.g., the Chief Information Office); and address compliance issues. A program policy sets organizational and strategic directions for security and assigns resources for the program’s implementation. (Defined in NIST SP 800-12, An Introduction to Computer Security: The NIST Handbook)

 

Portable Media — Any device that can store data electronically and is portable, such as portable hard drives, universal serial bus (USB) drives, secure digital (SD) card media, compact discs – read only memory (CD-ROMs), and digital video discs (DVDs). (Defined in HHS Standard 2008-0007.001S, HHS Standard for Encryption)

 

Primary Operational IT Infrastructure Managers — The CIOs for CDC, CMS, FDA, IHS, NIH, and OS/ASA are the six primary operational IT infrastructure managers[55] and these individuals are required to concur on all OPDIV-level IT security risk acceptance decisions related to the infrastructures they manage. A primary operational IT infrastructure manager must exercise technical controls to isolate or disconnect any systems or devices not in compliance with minimum HHS security standards. (Defined in HHS Secretary’s Memorandum: Security of Information Technology Systems, dated November 10, 2009) 

 

Privacy — The appropriate use of personal information under the circumstances. What is appropriate will depend on context, law, and the individual’s expectations; also, the right of an individual to control the collection, use, and disclosure of personal information. (Defined in the International Association of Privacy Professionals site glossary)

 

Privacy Act Record — Any item, collection, or grouping of information about individuals that is maintained by an agency including (but not limited to) their education, financial transactions, and/or medical, criminal, or employment history and that contains their name; or it contains the identifying number, symbol, or other identifying information assigned to the individual, such as a finger or voice print or a photograph. (Defined in The Privacy Act of 1974)

 

Privacy Impact Assessment (PIA) — An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. (Defined in OMB M-03-22, OMB Guidance for Implementing the Privacy Provisions of the E-Government Act of 2002)

 

Privacy Incident — An incident that involves personally identifiable information or protected health information. (Defined in US-CERT Quarterly Trends and Analysis Report, Volume 1, Issue 2, adapted)

 

Privileged User — A user that is authorized (and therefore trusted) to perform security-relevant functions that ordinary users are not authorized to perform. (Defined in CNSSI 4009, National Information Assurance Glossary, adapted)

 

Protected Healthcare Information (PHI) — Individually identifiable health information held or transmitted by a covered entity or its business associate, in any form or media, whether electronic, paper, or oral. Individually identifiable health information is information, including demographic data, that relates to:

  • the individual’s past, present or future physical or mental health or condition,
  • the provision of health care to the individual, or
  • the past, present, or future payment for the provision of health care to the individual;

and that identifies the individual or for which there is a reasonable basis to believe it can be used to identify the individual. Individually identifiable health information includes many common identifiers (e.g., name, address, birth date, Social Security number). 

 

The HIPAA Privacy Rule excludes from protected health information any employment records that a covered entity maintains in its capacity as an employer, and education and certain other records subject to, or defined in, the Family Educational Rights and Privacy Act, 20 U.S.C. §1232g. (Defined in the HIPAA Privacy Rule)

 

Remote Access — Access by users (or information systems) communicating external to an information system security perimeter. (Defined in NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems)

 

Risk — A measure of the extent to which an entity is threatened by a potential circumstance or event, and typically a function of: (i) the adverse impacts that would arise if the circumstance or event occurs; and (ii) the likelihood of occurrence. 

 

Information system-related security risks are those risks that arise from the loss of confidentiality, integrity, or availability of information or information systems and reflect the potential adverse impacts to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Risk Assessment — The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, other organizations, and the Nation, resulting from the operation of an information system. Part of risk management, it incorporates threat and vulnerability analyses and considers mitigations provided by security controls planned or in place. This term is synonymous with risk analysis. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Risk Executive (Function) — An individual or group[56] within an organization that helps to ensure that: (i) security risk-related considerations for individual information systems, to include the authorization decisions, are viewed from an organization-wide perspective with regard to the overall strategic goals and objectives of the organization in carrying out its missions and business functions; and (ii) managing information system-related security risks is consistent across the organization, reflects organizational risk tolerance, and is considered along with other organizational risks affecting mission/business success. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Risk Management Framework (RMF) — The new six-step process established in NIST SP 800-37 Rev.1, which is the transformation of the previous certification and accreditation (C&A) process. The RMF changes the traditional focus of C&A as a static, procedural activity to a more dynamic approach that provides the capability to more effectively manage information system-related security risks in highly diverse environments of complex and sophisticated cyber threats, ever-increasing system vulnerabilities, and rapidly changing missions. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Role-Based Training — Training focused on the knowledge, skills, and abilities an individual needs to perform the IT security responsibilities specific to each of his or her roles in the organization. (Defined in NIST SP 800-16, Information Technology Security Training Requirements: A Role- and Performance-Based Model)

 

Routine Use — The use of such record for a purpose which is compatible with the purpose for which it was collected. (Defined in the Privacy Act of 1974)

 

Sanitization — A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and, for some forms of sanitization, extraordinary means. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Security Assessment Report — Prepared by the security control assessor,[57] this report provides the results of the assessment of the implementation of security controls identified in the security plan to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the specified security requirements. The security assessment report can also contain a list of recommended corrective actions or deficiencies identified in the security controls. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Security Authorization — See “Authorization.” (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Security Content Automated Protocol (SCAP) — A method for using specific standards to enable automated vulnerability management, measurement, and policy compliance evaluation (e.g., FISMA compliance). (Defined in The Information Security Automation Program and The Security Content Automation Protocol released by the National Vulnerability Database/NIST)

 

Security Control Assessment — The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Security Control Assessor — An individual, group, or organization[58] responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the overall effectiveness of the controls (i.e., the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system). (Defined in NIST SP 800-37, Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Security Control Families — The security control families in NIST SP 800-53 Rev. 3 are closely aligned with the security-related areas in FIPS 200 specifying the minimum security requirements for protecting Federal information and information systems. Each security control family contains security controls related to the security functionality of the family. (Defined in NIST SP 800-53 Rev. 3 Recommended Security Controls for Federal Information Systems)

 

Security Controls — The management, operational, and technical controls (i.e., safeguards or countermeasures) prescribed for an information system that, taken together, adequately protect the confidentiality, integrity, and availability of the system and its information. (Defined in FIPS 199, Standards for Security Categorization of Federal Information and Information Systems)

 

Security Plan — Formal document that provides an overview of the security requirements for an information system or an information security program and describes the security controls in place or planned for meeting those requirements. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Senior (Agency) Information Security Officer — The official[59] responsible for carrying out the Chief Information Officer responsibilities under FISMA and serving as the Chief Information Officer’s primary liaison to the agency’s authorizing officials, information system owners, and information system security officers. (Defined in 44 U.S.C., Sec. 3544, adapted)

 

Significant Change — A change that is likely to affect the security state of an information system. (Defined in NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach)

 

Single-session Technologies — These technologies remember a user’s online interactions within a single session or visit. Any identifier correlated to a particular user is used only within that session, is not later reused, and is deleted immediately after the session ends. (Defined in M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies)

 

System Development Life Cycle (SDLC) — The scope of activities associated with a system, encompassing the system’s initiation, development and acquisition, implementation, operation and maintenance, and ultimately its disposal that instigates another system initiation. (Defined in NIST SP 800-34 Rev. 1, Contingency Planning Guide for Information Technology Systems)

 

System of Records (SOR) — A group of any records under the control of any agency from which information is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Defined in the Privacy Act of 1974)

 

System Security Plan (SSP) — An analysis of how information is handled: 1) to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; 2) to determine the risks and effects of collecting, maintaining and disseminating information in identifiable form in an electronic information system; and 3) to examine and evaluate protections and alternative processes for handling information to mitigate potential privacy risks. See also “Security Plan.” (Defined in FIPS 200, Minimum Security Requirements for Federal Information and Information Systems)

 

Tier 1 – Single Session — This tier encompasses any use of single session web measurement and customization technologies. (Defined in M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies)

 

Tier 2 – Multi-session Without PII — This tier encompasses any use of multi-session web measurement and customization technologies when no PII is collected (including when the agency is unable to identify an individual as a result of its use of such technologies). (Defined in M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies)

 

Tier 3 – Multi-session with PII — This tier encompasses any use of multi-session web measurement and customization technologies when PII is collected (including when the agency is able to identify an individual as a result of its use of such technologies). (Defined in M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies)
 

User — Individual, or (system) process acting on behalf of an individual, who is authorized to access an information system. (Defined in CNSSI 4009, National Information Assurance Glossary, adapted)

 

Voice Over Internet Protocol (VOIP) — Equipment that provides the ability to dial telephone numbers and communicate with parties on the other end of a connection who have either another VOIP system or a traditional analog telephone. (Defined in NIST 800-58, Security Considerations for Voice Over IP Systems)

 

Vulnerability — A weakness in an information system, system security procedures, internal controls, or implementation that could be exploited or triggered by a threat source. (Defined in NIST SP 800-53 Rev. 3, Recommended Security Controls for Federal Information Systems)

 

Web Measurement and Customization Technology — Technologies used to remember a user’s online interactions with a Website or online application in order to conduct measurement and analysis of usage or to customize the user’s experience. This term may be associated with the term cookie. (Defined in M-10-22, Guidance for Online Use of Web Measurement and Customization Technologies)

 

Wireless Local Area Network (WLAN) — A group of computers and associated devices that share a common communications line or wireless link and typically share the resources of a single processor or server within a small geographic area (for example, within an office building). (Defined in NIST SP 800-46 Rev. 1, Security for Telecommuting and Broadband Communications)

Appendix A: Reserved

Appendix B: Acronyms

ACL       Access Control List
AO        Authorizing Official
AOS       Administrative Operations Service
ASA       Assistant Secretary for Administration
ASAM      Assistant Secretary for Administration and Management
ASFR      Assistant Secretary for Financial Resources
ASPR      Assistant Secretary for Preparedness and Response
ASRT      Assistant Secretary for Resources and Technology
ATO       Authority to Operate
BI        Background Investigation
BPA       Blanket Purchase Agreement
C&A       Certification and Accreditation
CA        Certification Agent
CCB       Change Control Body
CD        Compact Disc
CDC       Centers for Disease Control
CFE       Contractor-furnished Equipment
CFO       Chief Financial Officer
CIO       Chief Information Officer
CIP       Critical Infrastructure Protection
CISO      Chief Information Security Officer
CM        Configuration Management
CMS       Centers for Medicare and Medicaid Services
CMVP      Cryptographic Module Validation Program
CO        Contracting Officer
CONOPS    Concept of Operations
COOP      Continuity of Operations Plan
COPPA     Children’s Online Privacy Protection Act
COTR      Contracting Officer’s Technical Representative
COTS      Commercial Off-the-Shelf
CP        Contingency Plan
CPIC      Capital Planning and Investment Control
CSIRC     Computer Security Incident Response Center
CSIRT     Computer Security Incident Response Team
CVE       Common Vulnerabilities and Exposures
DA        Division of Acquisition
DNS       Domain Name System
DoS       Denial of Service
DVD       Digital Video Disc
EA        Enterprise Architecture
EPLC      Enterprise Performance Lifecycle
ERA       E-Authentication Risk Assessment
ETA       E-Authentication Threshold Analysis
FAR       Federal Acquisition Regulation
FCD       Federal Continuity Directive
FDA       Food and Drug Administration
FDCC      Federal Desktop Core Configuration
FIPS      Federal Information Processing Standard
FISMA     Federal Information Security Management Act of 2002
FOIA      Freedom of Information Act
GAO       General Accounting Office
GFE       Government-furnished Equipment
HITECH    Health Information Technology Economic and Clinical Health
HHS       Department of Health and Human Services
HHSAR     Department of Health and Human Services Acquisition Regulation
HHSID     Department of Health and Human Services User Identification
HIPAA     Health Insurance Portability and Accountability Act
HSPD      Homeland Security Presidential Directive
HW        Hardware
IA        Information Assurance
I&A       Identification and Authentication
IEEE      Institute of Electrical and Electronics Engineers
IG        Inspector General
IHS       Indian Health Service
IS2P      Policy for Information Systems Security and Privacy
ISA       Interconnection Security Agreement
ISSO      Information Systems Security Officer
IT        Information Technology
ITCP      Information Technology Contingency Plan
ITU       Information Technology Utilities
LEO       Law Enforcement Organization
LMM       HHS Logistics Management Manual
M         Memorandum
MAC       Media Access Control
MOA       Memorandum of Agreement
MOU       Memorandum of Understanding
NARA      National Archives and Records Administration
NIH       National Institutes of Health
NIST      National Institute of Standards and Technology
NSA       National Security Agency
NTP       Network Time Protocol
O&M       Operations and Maintenance
OCIO      Office of the Chief Information Officer
OCR       Office for Civil Rights
OGAPA     Office for Grants and Acquisition Policy & Accountability
OHR       Office of Human Resources
OIG       Office of Inspector General
OITS      Office of Information Technology Security
OMB       Office of Management and Budget
OPDIV     Operating Division
OPM       Office of Personnel Management
OS        Office of the Secretary
OSDT      Office of Security and Drug Testing
OSSI      Office of Security and Strategic Information
P2P       Peer-to-Peer
PDA       Personal Digital Assistant
PHI       Protected Health Information
PIA       Privacy Impact Assessment
PII       Personally Identifiable Information
PIICA     Personally Identifiable Information (PII) Confidentiality Assessment
PIRT      Privacy Incident Response Team (formerly known as the Breach Response Team (BRT))
PIV       Personal Identification Verification
PKI       Public Key Infrastructure
POA&M     Plan of Action and Milestones
POC       Point of Contact
POES      Personally-Owned Equipment and Software
PRA       Paperwork Reduction Act
PSC       Program Support Center
PTA       Privacy Threshold Analysis
RA        Risk Assessment
RAS       Remote Access Server
RBT       Role-Based Training
RMF       Risk Management Framework
RMFOB     Risk Management and Financial Oversight Board
RoB       Rules of Behavior
SAOP      Senior Agency Official for Privacy
SAR       Security Assessment Report
SCAP      Security Content Automation Protocol
SD        Secure Digital
SDLC      System Development Lifecycle
SOP       Senior Official for Privacy
SOR       System of Records
SORN      System of Records Notice
SOW       Statement of Work
SP        Special Publication
SSN       Social Security Number
SSP       System Security Plan
ST&E      Security Testing and Evaluation
STAFFDIV  Staff Division
SW        Software
URL       Uniform Resource Locator
US-CERT   United States Computer Emergency Readiness Team
USB       Universal Serial Bus
VoIP      Voice over Internet Protocol
VPN       Virtual Private Network
WLAN      Wireless Local Area Network


[1] The terms information security, IT security, and information systems security are used interchangeably in FISMA and associated guidance from the Office of Management and Budget and the National Institute of Standards and Technology.

[2] Office for Civil Rights: Delegation of Authority, 74 Fed. Reg. 38630 (2009). Available at: http://frwebgate.access.gpo.gov/cgi-bin/getpage.cgi?position=all&page=38630&dbname=2009_register

[3] http://intranet.hhs.gov/infosec/policies_type.html

[4] Per NIST SP 800-37 Rev. 1, common control providers are responsible for: (i) documenting the organization-identified common controls in a security plan (or equivalent document prescribed by the organization). Equivalent documentation may include a system security plan or information security program plan.

[5] This term was formerly known as “Security Accreditation.” Refer to NIST SP 800-37 Rev. 1 for more details.

[6] This term was formerly known as “Accreditation Package.” Refer to NIST SP 800-37 Rev. 1 for more details.

[7] NIST SP 800-53 Rev. 3 tailored security control baseline represents the minimum controls for low-impact, moderate-impact and high-impact information systems; NIST SP 800-53 Rev. 3 adds requirements to the baseline for low systems, whereas NIST 800-53 Rev. 2 only specified requirements in the baseline for moderate and high systems.

[8] Security control assessor is a new term (role) in NIST SP 800-37 Rev.1. Security control assessors may be called certification agents in some organizations. OPDIVs may use current Certification Agent roles to fulfill the security control assessor role.   

[9] HHS Memorandum: Security of Information Technology Systems, dated November 10, 2009.

[10] The HHS definition of sensitive information is given in the HHS memorandum Updated Departmental Standard for the Definition of Sensitive Information, dated May 18, 2009, available at http://intranet.hhs.gov/infosec/policies_type.html. At HHS, sensitive information is information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise the element of confidentiality and thereby adversely affect national health interests, the conduct of HHS programs, or the privacy of individuals entitled under the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA). IT security personnel and system owners can equate this definition of sensitive information with data that has a FIPS 199 security impact level of Moderate or High for the confidentiality security objective. This definition of sensitive information is media neutral, applying to information as it appears in either electronic or hardcopy format.

[11] Per NIST SP 800-37 Rev. 1, for selected information systems, the Chief Information Officer may be designated as an Authorizing Official or a Co-Authorizing Official with other senior organizational officials. The HHS CIO serves as the Authorizing Official for all OS IT systems. 

[12] HHS Secretary Memorandum: Security of Information Technology Systems dated November 10, 2009.

[13] NIST SP 800-37 Rev. 1 introduces the new term of Risk Executive (function) which the agency head may retain or delegate to an official or group. The HHS CIO performs the Risk Executive (function) on behalf of the HHS Secretary. 

[14] The role of HHS CISO maps to the NIST SP 800-37 Rev. 1 role of Senior Agency Information Security Officer and Senior Information Security Officer.

[15] HHS Memorandum: Resolving Security Audit Disputes, dated May 13, 2010.

[16] PSC-ITIO operates and manages the OS primary operational IT infrastructure; however, security authorization decisions must be approved by the HHS CIO.

[17] Day-to-day SOP duties for OS are performed by the Team Leader for FISMA and Privacy in HHS OCIO.

[18] The HHS CISO is also referred to as the Director of the Office of Information Technology Security or as the Senior Agency Information Security Officer. The HHS CISO also serves as the CISO for OS.

[19] The HHS role of System Owner maps to the NIST SP 800-37 Rev. 1 role of Information System Owner.

[20] The HHS role of Primary Operational IT Infrastructure Managers maps to the NIST SP 800-37 Rev. 1 role of Common Control Providers.

[21] The OPDIV CIOs perform the OPDIV Risk Executive (function) on behalf of the OPDIV Heads.

[22] HHS Secretary Memorandum: Security of Information Technology Systems, dated November 10, 2009.

[23] The OPDIV CIOs perform the OPDIV Risk Executive (function) on behalf of the OPDIV Heads.

[24] Reference HHS Secretary Memorandum: Security of Information Technology Systems, dated November 10, 2009, and HHS OCIO Memorandum: Process Guidance for Security Risk-Based Decisions Involving the Primary Operational Information Technology Infrastructure Managers, dated May 13, 2010. The ASA internal realignment abolished the OS CIO position; those duties are now performed by the HHS CIO, who serves as the primary operational IT infrastructure manager for OS.

[25] The Common Control Provider role defined in NIST SP 800-37 Rev. 1 is assigned at HHS to the Primary Operational IT Infrastructure Manager.

[26] HHS OCIO Memorandum: Resolving Security Audit Disputes dated May 13, 2010.

[27] The monitoring strategy can be included in the security plan to support the concept of near real-time risk management and ongoing authorization. The approval of the monitoring strategy can be obtained in conjunction with the security plan approval. The monitoring of security controls continues throughout the EPLC.

[28] This is the responsibility of the System Owner or the Primary Operational IT Infrastructure Manager.

[29] Organizations also refer to this position as the Senior Agency Information Security Officer.

[30] From HHS CISO Memorandum to OPDIV CISOs: Office of Inspector General Management Implication Report – Need for Departmental Security Enhancements for Information Technology Assets, dated October 13, 2009.

[31] OPDIVs should share events and analysis with the CSIRC in near real time.

[32] The set of AOs at HHS includes, but is not limited to, the Primary Operational IT Infrastructure Managers, Chief Information Officers, and others, as appropriate.

[33] Security control assessor is a new term (role) in NIST SP 800-37 Rev. 1. Security control assessors may be called certification agents in some organizations. OPDIVs may use current Certification Agent roles to fulfill the security control assessor role.

[34] There may be several Certification Agents supporting an OPDIV. An OPDIV may designate or appoint a lead or primary Certification Agent to support the Authorizing Official.

[35] For OS IT systems, there may be several Certification Agents, with each IT system Certification Agent supporting the Primary Certification Agent. The OS IT system Certification Agent role should be fulfilled by an office or organization that is independent from the IT system developer or project management staff. The OS IT system Certification Agent role can be fulfilled by PSC staff, HHS OCIO staff, or any other qualified security staff (including non-HHS) that is independent from the IT system developer or project management staff.

[36] In some cases, the Program Executive may be the System Owner and/or the Data Owner/Business Owner.

[37] The HHS role of System Owner maps to the NIST SP 800-37 Rev. 1 role of Information System Owner.

[38] The CIOs for CDC, FDA, IHS, CMS, NIH, and OS serve as primary operational IT infrastructure managers.

[39] Departmental guidance is posted to the HHS Cybersecurity Program website located at http://intranet.hhs.gov/infosec/policies_type.html. While the Department has unique security configurations in place for some IT assets, the Department will rely on security configuration guidance from other Federal agencies such as NIST, DISA, and NSA for any HHS assets for which HHS does not have its own Department-specific security configuration standard.

[40] Per the previous FISMA OMB reporting guidance, the Department expects annual testing of at least one-third of all security controls for each information system, so that all controls are tested every three years in accordance with OMB M-10-15.

[41] HHS defines sensitive information in the HHS memorandum Updated Departmental Standard for the Definition of Sensitive Information, dated May 18, 2009, available at http://intranet.hhs.gov/infosec/policies_type.html. At HHS, sensitive information is information that has a degree of confidentiality such that its loss, misuse, unauthorized access, or modification could compromise the element of confidentiality and thereby adversely affect national health interests, the conduct of HHS programs, or the privacy of individuals entitled under the Privacy Act or the Health Insurance Portability and Accountability Act (HIPAA). IT security personnel and system owners can equate this definition of sensitive information with data that has a FIPS 199 security impact level of Moderate or High for the confidentiality security objective. This definition of sensitive information is media neutral, applying to information as it appears in either electronic or hardcopy format.

[42] The monitoring strategy can be included in the security plan to support the concept of near real-time risk management and ongoing authorization. The approval of the monitoring strategy can be obtained in conjunction with the security plan approval. The monitoring of security controls continues throughout the EPLC.

[43] This is the responsibility of the System Owner or the Primary Operational IT Infrastructure Manager.

[44] The NIST SP 800-37 Rev. 1 role of Information Owner/Steward may be fulfilled by HHS Data Owner/Business Owner.

[45] The NIST SP 800-37 Rev. 1 role of Information Security Architect is assigned to HHS System Developers and Maintainers.

[46] System/Network Administrator roles are inclusive of other types of administrator roles such as application administrator, Web administrator, and database administrator.

[47] FAR 1.602-1(b) states that no contract shall be entered into unless the CO ensures that all requirements of law, executive orders, regulations, and all other applicable procedures, including clearances and approvals, have been met.

[48] An unauthorized source is any location (e.g., file store or server to which a device could connect, Internet site, intranet site) or process that is not permitted by HHS or OPDIV/STAFFDIV IT security personnel for the distribution of software.

[49] Note that at HHS this role is assigned to the Primary Operational IT Infrastructure Manager.

[50] Note that at HHS this role is performed by Data Owner/Business Owners.

[51] Note that at HHS this role is performed by System Developers and Maintainers.

[52] The HHS-OCIO Policy for Information Systems Security and Privacy (this document) is the information security program plan for HHS.

[53] The HHS role of System Owner performs this role.

[54] The HHS role of system software engineers performs this role.

[55] This role performs the Common Control Provider role described in NIST SP 800-37 Rev. 1.

[56] Note that the HHS CIO performs the Risk Executive (function) for the Department and the OPDIV CIOs perform the Risk Executive (function) for the OPDIVs.

[57] Security control assessor is a new term (role) in NIST SP 800-37 Rev. 1. Security control assessors may be called certification agents in some organizations.

[58] Security control assessors may be called certification agents in some organizations. OPDIVs may use current Certification Agent roles to fulfill the security control assessor role.

[59] Note that this role is performed by the HHS Chief Information Security Officer.