March 07, 2012
Policy 2010-0003.1 - OCIO
The purpose of this Department of Health and Human Services (HHS) Policy is to establish policy for the use of Third-Party Websites and Applications (TPWAs) (social media and related technologies) as part of any general support or application system and to incorporate by reference related Federal-government-wide guidelines and HHS policies. In effect, this policy changes the default from avoiding use of TPWAs except when a specific business case is approved to embracing TPWAs unless a specified risk must be avoided.
This revision establishes the concept of access standards for TPWAs and directs all OPDIVs to default to the maximum access defined in a given TPWA access standard.
All Department staff should have access to commonly used websites, including Third-Party Websites and Applications (TPWAs), which are used to fulfill agency missions. Website availability also applies to content embedded from these websites. For example, YouTube videos embedded on .gov and other non-youtube.com websites should be made available. Outward access to mainstream social media sites is allowed to facilitate communications and outreach to external audiences and should be generally available to HHS staff.
This policy applies to all Department Operating Divisions (OPDIVs), including the Office of the Secretary, and to all those retained to perform services on behalf of HHS under contract, grant, or other agreement. This policy does not supersede any applicable law, higher-level agency directive, or existing labor-management agreement in effect as of the effective date of this policy.
Access to TPWAs shall default to the maximum access assessed acceptable to the HHS Chief Information Officer (CIO).
Terms of Service (TOS) agreements for use of any TPWAs shall default to the TOS agreement executed between the Department and the TPWA provider. These default TOS agreements shall be based on the models negotiated for the Federal government by the General Services Administration, if any.
Each Operating Division is allowed to make a risk-based decision on the value and need to deviate from the Departmental access standard for a given TPWA or from the default TOS agreement for a given TPWA. An OPDIV may request a waiver to either further open or further restrict access, or to alter the TOS agreement. For waiver requests to further restrict access from an established Departmental standard, the requesting Operating Division is authorized to temporarily implement the requested further access restrictions pending adjudication of the waiver.
The CIO is responsible for evaluating TPWAs and establishing access standards and communicating those access standards to the OPDIVs.
The CIO is responsible for executing TOS agreements with TPWA providers, in collaboration with the Web Communications Division in the Office of the Assistant Secretary for Public Affairs and the Office of General Counsel.
The CIO is responsible for reviewing and adjudicating waiver requests from the OPDIVs.
The Cybersecurity Division within the Office of the Chief Information Officer is responsible for assisting in establishing access standards for TPWAs.
The Cybersecurity Division is responsible for maintaining the list of granted waivers for the access standards and TOS agreements, along with the risk assessments and implementation descriptions submitted by the OPDIVs.
The OPDIV Chief Information Officers are responsible for providing the level of access defined in each TPWA access standard established by the HHS Chief Information Officer, unless a specific waiver is granted for their OPDIV. OPDIV Chief Information Officers are required to comply with the access standard for a given TPWA within 30 days of the notification from the CIO that an access standard has been established.
The OPDIV Chief Information Officers are responsible for defining the risk justifying any waivers they submit requesting deviation from the access standards or TOS agreements. The OPDIV Chief Information Officers are also responsible for defining how the requested deviation from the access standard or TOS agreement will be implemented if the waiver request is granted.
Information Technology Security risks associated with use of social media technologies are manageable within a defense-in-depth strategy described by the Federal CIO Council in the Guidelines for Secure Use of Social Media by Federal Departments and Agencies Version 1.0 (https://www.fbiic.gov/public/2009/sep/Guidelines_for_Secure_Use_Social_Media_v01-0.pdf).
Information Technology Security policies and standards to implement a defense-in-depth strategy are numerous and include the HHS-OCIO Policy for Information Systems Security and Privacy, the HHS Standard for Managing Outbound Web Traffic, the HHS Rules of Behavior and the HHS-OCIO Policy for Personal Use of Information Technology Resources.
Where implementation of HHS IT security policies and standards is observed to be incomplete, access to social media technologies may be enabled by establishing a network segment that is logically and physically separated from the HHS network backbone.
Development and operations of systems that use social media technologies remain subject to established technology, project, and governance policies.
The General Services Administration, in collaboration with other Federal Agencies, drafted model Terms of Service Agreements for a number of TPWAs. The list of model agreements is available at the URL below.
Privacy requirements for TPWAs are unique. HHS policy and requirements closely follow the OMB Memorandum 10-23, Guidance for Agency Use of Third-Party Websites and Applications available at https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/memoranda_2010/m10-23.pdf.
Records Management requirements for social media technologies are similar to any other information system. The HHS Records Management policy is published on the HHS intranet.
HHS Operating and Staff Divisions must prioritize the use of social media technologies among all other demands for telecommunications bandwidth based upon mission accomplishment. This will entail engineering acceptable utilization rates, including accommodation of peak loads and avoidance of disruption of operations.
Requirements stated in this Policy are consistent with law, regulations, and other Department policies applicable at the time of its issuance. Actions taken through the implementation of this Policy must comply with the requirements of pertinent laws, rules and regulations, as well as the lawful provisions of applicable negotiated agreements for employees in exclusive bargaining units. The HHS policies contained in this issuance shall be exercised in accordance with Public Law 93-638, the Indian Self-Determination and Education Assistance Act, as amended, and the Secretary's policy statement dated August 7, 1997, as amended, titled “Department Policy on Consultation with American Indian/Alaska Native Tribes and Indian Organizations.” It is HHS’ policy to consult with Indian people to the greatest practicable extent and to the extent permitted by law before taking actions that affect these governments and people; to assess the impact of the Department's plans, projects, programs and activities on tribal and other available resources; and to remove any procedural impediments to working directly with tribal governments or Indian people.
Direct questions, comments or suggestions about this policy to the HHS CIO, at https://ocioportal.hhs.gov/public/feedback/default.aspx or (202) 690-6162.
The effective date of this Policy is the date the Policy is approved.
/s/ Franklin Baitman, HHS Chief Information Officer
Date: March 7, 2012