Policy for Managing the Use of Third-Party Websites and Applications
The purpose of this Department of Health and Human Services (HHS) Policy is to establish policy for the use of Third-Party Websites and Applications (TPWAs) as part of any general support or application system and to incorporate by reference related Federal-government-wide guidelines and HHS policies.
The Department of Health and Human Services (HHS), Office of the Chief Information Officer (OCIO) HHS-OCIO Policy for Managing the Use of Third-Party Websites and Applications establishes requirements for Department access to web-based technologies that are not exclusively operated or controlled by HHS. This policy, in conjunction with the HHS Minimum Security Configuration Standards for Websense, is consistent with federal guidelines and regulations.
In the past, the Department blocked access to many TPWAs in the HHS environment; however, in response to federal initiatives aimed at creating a more open government, the Department has expanded its use of TPWAs to promote transparency, encourage public participation, and increase collaboration both within and outside of HHS. The Department trusts the integrity of its employees and believes that access to new and innovative collaboration tools and capabilities enables staff to think creatively about business problems, improving the delivery of services and the fulfillment of agency missions.
This Policy applies to all Department Operating Divisions (OpDivs), including the Office of the Secretary, and organizations conducting business for and on behalf of the Department through contractual relationships when using HHS IT resources. This Policy does not supersede any other applicable law or higher level agency directive, or existing labor management agreement in effect as of the effective date of this Policy.
Agency officials shall apply this Policy to employees, contractor personnel, interns, and other non-government employees by incorporating references in contracts or memorandums of agreement as conditions for establishing Government IT policy documents, under the instruction and direction of Government management. Agencies shall use this Policy or may create an OpDiv/StaffDiv policy, but not one in contradiction with this Department IT Policy.
4.1 Policy for Managing Outbound Web Traffic
- OpDiv CISOs must implement the HHS standard product or equivalent technology for managing outbound Web traffic and comply with the baseline category settings defined in the HHS Minimum Security Configuration Standards for Websense, dated April 30, 2012.
- OpDiv CISOs must establish, document, and enforce requirements and processes for modifying traffic management behaviors, including the re-categorization of uniform resource locators (URLs) consistent with Department policy.
- OpDiv CISOs must provide documentation of URL re-categorization for periodic review by the HHS Chief Information Officer (CIO) to ensure consistency with Department policy.
This policy establishes the default HHS stance as embracing access to TPWAs, without requiring a business justification, unless the OpDiv CISO identifies a specific and unique risk.
- OpDivs must obtain written authorization from the OpDiv CISO if compliance with this policy is not feasible or technically possible.
- OpDivs must request a waiver from the OpDiv CISO to deviate from the baseline settings defined in the HHS Minimum Security Configuration Standards for Websense, including further restricting access to a TPWA.
- OpDiv CISOs must provide documentation of approved waivers for periodic review by the Department CISO to ensure consistency with Department policy.
HHS OpDivs and Staff Divisions may prioritize the use of Third-Party Websites and Applications (TPWA) technologies among other demands for telecommunications bandwidth based on mission accomplishment.
The HHS CIO is responsible for:
- Evaluating TPWAs for potential security risks, establishing access standards and communicating those access standards to the OpDivs;
- Establishing a mechanism and schedule for the periodic review of URL re-categorization;
- Reviewing and adjudicating waiver requests from the OpDivs; and
- Maintaining the list of granted waivers submitted by OpDivs.
The OpDiv CIOs are responsible for:
- Assisting in the evaluation of TPWAs for potential security risks and communicating risks to the HHS CIO;
- Providing the level of access established by the HHS CIO, unless a specific waiver is granted for their OpDiv. OpDiv CIOs are required to comply with the access standard within a timeframe, to be negotiated with each OpDiv, following notification from the HHS CIO that an access standard has been established;
- Defining the risk justifying any waivers they submit requesting deviation from the access standards. OpDiv CIOs are also responsible for defining how the requested deviation from the access standard will be implemented if the waiver request is granted;
- Establishing processes and procedures for customers to request access to blocked websites and communicating risk and access decisions clearly to customers in a timely manner;
- Establishing exemption policies and procedures for allowing users to bypass a Websense blocked category for the purposes of a work related business case; and
- Providing documentation of URL re-categorization for periodic review by the HHS CIO to ensure consistency with Department policy.
The ASPA Web Communication and New Media Division is responsible for:
- Pursuing new TPWA tools and capabilities and supporting the strategic implementation of TPWAs across the Department;
- Assisting the HHS CIO in the evaluation of TPWAs for potential security risks by providing expertise as it pertains to public affairs and business use; and
- Coordinating with the HHS CIO to ensure timely and appropriate access to TPWAs.
Information Technology Security risks associated with use of TPWA technologies are manageable within a defense-in-depth strategy described by the Federal CIO Council in the Guidelines for Secure Use of Social Media by Federal Departments and Agencies Version 1.0.
Information Technology Security policies and standards to implement a defense-in-depth strategy are numerous and include the HHS-OCIO Policy for Information Systems Security and Privacy, the HHS Rules of Behavior (For Use of HHS Information Technology Resources) and the HHS-OCIO Policy for Personal Use of Information Technology Resources.
Development and operations of systems that use TPWA technologies remain subject to established technology, project, privacy, records management and governance policies.
Further guidance on applicable standards and policies for official use of TPWAs is available at http://www.newmedia.hhs.gov/standards/.
Direct questions, comments or suggestions about this policy to the OCIO at OCIO.HHS@hhs.gov or (202) 690-6162.
These policies and procedures will not be implemented in any recognized bargaining unit until the union has been provided notice of the proposed changes and given an opportunity to fully exercise its representational rights.
The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled "Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations." It is HHS' policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
Frank Baitman /s/ 4-10-13
Frank Baitman, HHS Chief Information Officer (signature and date)
OpDivs requesting a waiver must use the Departmental Security Policy and Standard Waiver Form, available at: http://intranet.hhs.gov/it/cybersecurity/policies_by_document_type/
Available at: http://intranet.hhs.gov/it/cybersecurity/docs/policies_guides/
Available at: http://www.hhs.gov/ocio/policy/