
HHS Standard 2010-0001.001S

The following is effective immediately.


(1) Operating Divisions (OPDIVs) are required to implement the Department of Health and Human Services (HHS) Security Content Automation Protocol (SCAP)-compliant security configuration and compliance monitoring tool, or alternative National Institute of Standards and Technology (NIST)-validated SCAP-compliant security configuration and compliance monitoring tools, to facilitate the accurate and timely reporting of security configuration and vulnerability information for HHS information technology (IT) assets.

(2) OPDIVs shall ensure SCAP-compliant monitoring tools are configured to scan all network-connected IT assets, and shall perform information system scans for network mapping, host discovery, security configuration compliance, and patch and vulnerability scanning at least monthly.

(3) The OPDIV-selected tool(s) for security configuration and compliance monitoring shall be configured to automatically provide security configuration and vulnerability information to the HHS aggregation portal at least monthly. OPDIVs must work with the HHS Computer Security Incident Response Center (CSIRC) to integrate the outputs from the OPDIV security tool(s) into the HHS aggregation portal used to collect OPDIV security configuration and compliance monitoring information.

(4) Written authorization via a waiver shall be obtained from the OPDIV Chief Information Officer (CIO) and the applicable Primary Operational IT Infrastructure Manager[1] if compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a mission or business function. Waiver consideration shall be a risk-based determination by the OPDIV CIO and the applicable Primary Operational IT Infrastructure Manager. To obtain a waiver, compensating controls must be identified and documented in the waiver form.[2] Waivers shall be recorded and maintained by the OPDIV, and a copy provided to the HHS Chief Information Security Officer (CISO) upon approval.

APPROVED BY & EFFECTIVE ON:

/s/                                   June 8, 2010

Michael W. Carleton                   Date

HHS Chief Information Officer



[1] Reference: HHS Secretary Memorandum dated November 10, 2009, "Security of Information Technology Systems," to the CIOs in CDC, CMS, FDA, IHS, NIH, or OS/ASA.

[2] The HHS information security waiver form and process are available at http://intranet.hhs.gov/infosec/policies_memos.html.