Best Practices for Protecting Third-Party Websites and Applications
Federal agencies use Third-Party Websites and Applications, commonly referred to as social media accounts, to engage with people in a variety of ways and to reach those who might not otherwise find their way to our websites. However, because by definition the government does not control third-party websites and applications, these systems are not necessarily built to the standards required of systems developed by federal agencies, and it is possible they could be compromised. For this reason, it is important to adopt best practices to protect federal information, reduce the chance of an account being compromised, and plan ahead in the event that one is.
Use Approved Tools
Third-party systems used by a federal agency for the purpose of engaging the public should operate under a Terms of Service agreement that has been reviewed or negotiated for use by the federal government.
Only share public information
All information distributed and stored using third-party systems must be unclassified and non-sensitive, as defined in the HHS Standard for the Definition of Sensitive Information. This includes any information in the system that remains in a draft or unpublished state, such as comments held for moderation. Any exceptions should be evaluated on a case-by-case basis in consultation with the HHS Cybersecurity team. Sensitive data about individuals or agency operations should only be collected and stored using official federal information systems that have been assessed and authorized under FISMA.
Follow the rules
Abide by the HHS Rules of Behavior as they relate to the use of third-party systems. Specifically, individuals shall log off systems when they are not in use, avoid sharing accounts, and practice commonly accepted security standards for password management (including changing and safeguarding passwords).
Use strong passwords
The HHS-OCIO Policy for Information Systems Security and Privacy (IS2P) requires that passwords contain a minimum of eight characters and at least one uppercase letter, one lowercase letter, one number, and one special character (e.g. @#$%^&). Passwords should be changed at least every 60 days, and not reused until at least six other passwords have been used. Note that current NIST guidance (SP 800-63B, Digital Identity Guidelines) no longer recommends mandatory composition rules or scheduled password changes absent evidence of compromise, favouring longer passwords screened against lists of known-breached values; where a third-party platform offers multi-factor authentication, enable it in addition to whatever password rules apply.
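The following is an added example, not code from HHS or from the IS2P policy, showing how the rules quoted above can be enforced for an account: the composition check, the "six other passwords" reuse rule, and the 60-day age. The special-character set (the page lists only @#$%^& as examples) and the PBKDF2 parameters are assumptions; past passwords are kept as salted hashes so the history never stores them in clear.

```python
"""Checker for the IS2P password rules: length and character classes,
no reuse until six other passwords have been used, and a 60-day age.

Added example; not code from HHS or the IS2P policy. The special-character
set and the PBKDF2 parameters are assumptions.
"""
import hashlib
import hmac
import os
from datetime import date
from typing import List, Optional, Tuple

MIN_LENGTH = 8
HISTORY_DEPTH = 6      # "not reused until at least six other passwords have been used"
MAX_AGE_DAYS = 60      # "changed at least every 60 days"
# Assumed special-character set; the page only gives "@#$%^&" as examples.
SPECIALS = set("@#$%^&*()-_=+[]{}|;:'\",.<>?/!~`\\")


def composition_problems(password: str) -> List[str]:
    """Return every composition rule the password breaks (empty list means it passes)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.islower() for c in password):
        problems.append("no lowercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def _digest(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256; the iteration count is kept low for the example
    # and is an assumption, not a policy value.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


class PasswordHistory:
    """Per-account record of past passwords as (salt, digest, date_set), oldest first."""

    def __init__(self, depth: int = HISTORY_DEPTH) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes, date]] = []

    def is_reused(self, candidate: str) -> bool:
        """True if the candidate equals any of the last `depth` passwords (current one included)."""
        for salt, digest, _ in self.entries[-self.depth:]:
            if hmac.compare_digest(_digest(candidate, salt), digest):
                return True
        return False

    def set_password(self, candidate: str, today: Optional[date] = None) -> List[str]:
        """Apply the rules; record the password and return [] on success, else the problems."""
        problems = composition_problems(candidate)
        if self.is_reused(candidate):
            problems.append(f"matches one of the last {self.depth} passwords")
        if problems:
            return problems
        salt = os.urandom(16)
        self.entries.append((salt, _digest(candidate, salt), today or date.today()))
        return []

    def is_expired(self, today: Optional[date] = None) -> bool:
        """True when no password is set or the current one is MAX_AGE_DAYS old or older."""
        if not self.entries:
            return True
        age = ((today or date.today()) - self.entries[-1][2]).days
        return age >= MAX_AGE_DAYS


if __name__ == "__main__":
    hist = PasswordHistory()
    print(hist.set_password("Correct#Horse1", today=date(2024, 1, 1)))   # []
    print(hist.set_password("Correct#Horse1", today=date(2024, 1, 2)))   # reuse rejected
    print(hist.is_expired(today=date(2024, 3, 1)))                       # True: 60 days later
```

The reuse check compares the candidate against the last six stored entries, which is the current password plus the five before it, so a password becomes eligible again only after six different ones have been used, as the policy states. Sample passwords in the usage section are constructed for the example.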
Link to your official website
All accounts within third-party systems should provide a prominent link to the official website. All information posted to the account should generally be verifiable on a .gov domain, which resides within a federal information system in a secure environment.
Plan ahead in case your account is hacked
Use of third-party systems is not without risk. Assess the impact to the agency in the event that an account is compromised. Create an incident response plan that outlines relevant implications, and the procedures for notifying internal personnel and making an outward announcement.
Third-party tools create an opportunity for members of the public to inadvertently provide sensitive or personally identifiable information. Create a mitigation plan for situations in which individuals may share such information. These should be addressed in the Privacy Impact Assessment (PIA) as required by OMB Memorandum M-10-23.
The best practices outlined here are consistent with the spirit of the Federal Information Security Management Act (FISMA), which emphasizes the protection of the confidentiality, integrity, and availability of federal information.
Refer to the FISMA Overview from NIST for more information.