Summaries of OCIO Policies, Standards, & Charters
1. HHS Policy for Responding to Breaches of Personally Identifiable Information (PII), (HHS-OCIO-2008-0001.002), dated April 15, 2008
This policy establishes the Department of Health and Human Services (HHS) Personally Identifiable Information (PII) Breach Response Team (BRT) (henceforth called the HHS BRT). It also establishes the actions to take in identifying, managing, and responding to suspected or confirmed breaches of PII. This policy is a first issuance and is issued under the authority of HHS-OCIO-2007-0002, Policy for Department-wide Information Security, dated September 25, 2007.
2. HHS Policy for Department-wide Information Security, (HHS-OCIO-2007-0002), dated September 24, 2007
This policy creates the framework that formalizes the authority and responsibility to develop, document, and implement a Department-wide information security program. The information security program provides information security for the information and information systems that support the operations and assets of the agency, as required by Title III of the E-Government Act of 2002 (the Federal Information Security Management Act of 2002, FISMA). All other Department information security policies, standards, and procedures are subordinate to this Policy as of its effective date.
3. HHS IRM Information Security Program Policy, (HHS-IRM-2004-0002.001), dated December 15, 2004
The HHS Information Security Program Policy and its companion document, the HHS Information Security Program Handbook, are the foundation documents for the Department of Health and Human Services (HHS) Information Security Program. These documents implement the relevant federal laws, regulations, and policies that provide the basis for the Department's information security policies. All the policies listed in this document are accompanied by procedures and guidelines detailed in the HHS Information Security Program Handbook and by subject-specific guidance in the HHS Information Security Program guidelines.
4. HHS OCIO Policy for Information Technology (IT) Enterprise Performance Life Cycle (EPLC), (HHS-OCIO-2008.0004.001) dated October 06, 2008
This Policy establishes EPLC as an IT Project Management requirement at HHS and incorporates EPLC as a fundamental partner to HHS Capital Planning and Investment Control (CPIC), HHS Enterprise Architecture, and investment portfolio management oversight.
EPLC establishes a project management and accountability environment where HHS IT projects achieve consistently successful outcomes that maximize alignment with Department-wide and individual OPDIV goals and objectives. Implementation of the EPLC methodology allows HHS to improve the quality of project planning and execution, reducing overall project risk.
5. HHS Policy for Records Management, (HHS-OCIO-2007-0004.001), dated January 30, 2008
This Department-wide Policy establishes the principles, responsibilities, and requirements for managing Health and Human Services (HHS) records. It provides the framework for specific program guidance and detailed operating procedures to be developed and implemented at the organizational unit level.
6. HHS Policy for Records Management for Emails, (HHS-OCIO-2008.0002.001), dated May 15, 2008
This Policy establishes the principles, responsibilities, and requirements for managing Health and Human Services (HHS) records sent, received, or temporarily maintained in the electronic mail (email) system. The HHS Policy for Records Management for Emails is subordinate to the authority of the HHS Policy for Records Management, HHS-OCIO-2007-0004.001, dated January 30, 2008; emails are addressed as a separate component of records management for the purpose of emphasis. Over time, this Policy shall be incorporated into the overarching HHS Records Management Policy.
7. HHS Policy for IT Capital Planning and Investment Control (CPIC), (HHS-OCIO-2005-0005.001), dated December 31, 2005
The Clinger-Cohen Act (CCA) of 1996, Public Law 104-106, legislatively mandates that IT investments be prudently managed. One key CCA goal is for agencies to develop policies and processes that implement systems at acceptable costs, within reasonable and expected time frames, and that contribute to tangible, observable improvements in mission performance. Therefore, CPIC processes shall be institutionalized throughout HHS, shall ensure compliance with the HHS Enterprise Architecture, and shall be used for all IT-related decisions.
8. HHS-OCIO Policy for IT Earned Value Management, (HHS-OCIO-2007-0001), dated June 11, 2007
This Policy establishes Earned Value Management (EVM) as an IT Investment Management requirement at HHS and incorporates EVM as a fundamental element of HHS CPIC and investment portfolio management oversight.
9. HHS-OCIO IT Policy for Enterprise Architecture (EA), (HHS-OCIO-2008-0003.001), dated August 7, 2008
The HHS EA Program enables the Department and its Operating Divisions and components to understand the relationship between and among its business operations and the information systems and resources that enable those operations.
10. CIO Roles and Responsibilities – (Circular No. IRM-101), dated March 18, 1999
This circular establishes the policy and responsibilities of the Department of Health and Human Services (HHS) and Operating Division (OPDIV) Chief Information Officers (CIOs) to ensure compliance with legislative and executive level guidance and to support the needs of the Department. It supersedes the current Principal Information Resource Management (IRM) Official and IRM Advisory Council Circulars.
11. HHS-OCIO IT Policy for HHS Mail Change Management, (HHS-OCIO-2006-0002), dated March 2, 2006
This document establishes the Policy for change management implemented within the Department of Health and Human Services’ (HHS) HHSMail project.
12. HHS IRM Policy for Conducting Alternative Analysis, (HHS-IRM-2003-0002), dated June 13, 2003
This document establishes the policies and responsibilities for conducting alternative analyses throughout HHS. The CCA legislatively mandates the prudent management of IT investments. One key goal of the CCA is for agencies to develop policies and processes that result in the implementation of systems at acceptable costs, within reasonable and expected time frames, and that contribute to tangible, observable mission performance.
13. HHS IRM Policy for Personal Use of HHS Information Technology Resources (HHS-IRM-2006-0001), dated February 17, 2006
This document establishes the policy for limited acceptable personal use of HHS-owned information technology (IT) resources by staff and contract personnel. This policy establishes new privileges and additional responsibilities for employees in HHS. It recognizes these employees as responsible individuals who are the key to making government more responsive to its citizens. It allows employees to use HHS IT resources for non-government purposes when such use involves minimal additional expense to the government, is performed during employees' non-work time, does not interfere with the mission or operations of HHS, does not violate the Standards of Ethical Conduct for Employees of the Executive Branch, and does not pose security risks.
14. HHS IRM Policy for Use of Broadcast Messages, Spamming & Targeted Audiences, (HHS-IRM-2000-0004), dated January 8, 2001
This document establishes the policies and procedures to regulate the distribution of e-mail when addressed to large numbers of HHS staff. It addresses e-mail generated both from within and outside the Department.
15. HHS Policy for IT Policy Development, (HHS-OCIO-2006-0004), dated November 28, 2004
The HHS Policy for Information Technology (IT) Policy Development establishes IT policy standards of content, uniform format and style for all IT policies written by the Department or on behalf of the Department.
The Policy also formally establishes the HHS Three Level IT Policy Review Process for the Department IT policy (or any IT policy written on behalf of the Department) development and review.
16. HHS OCIO Policy for E-Gov. Forms, (HHS-IRM-2006-0003) dated June 7, 2006
This document establishes the Policy for the Department of Health and Human Services (HHS) E-Gov Forms to ensure HHS maintains accurate form content for those HHS forms that are in the E-Gov Forms Catalogue (FORMS.GOV), managed by the Small Business Administration (SBA) and the General Services Administration (GSA) under the Business Gateway (BG) initiative.
17. HHS IRM Policy for IT Security for Remote Access, Telecommuting and Flexiplace, (HHS-IRM-2000-0005), dated January 8, 2001
This document establishes the policies and procedures to be followed to ensure that the Department's information technology (IT) resources are appropriately protected when remote access to HHS automated information and systems is authorized.
18. HHS IRM Policy for Establishing an Incident Response Capability, (HHS-IRM-2000-0006), dated January 8, 2001
This document provides the policies for responding to adverse events such as computer viruses, malicious software, hoaxes, vandalism, automated attacks, and intrusions. The purpose is to ensure that appropriate action is taken to minimize the consequences of a virus, malicious software, or an intrusion, and that emergency response procedures and responsibilities are documented, understood, and properly executed when needed.
19. HHS IRM Policy for Virus Prevention, Detection, Removal and Reporting, (HHS-IRM-2000-0007), dated January 8, 2001
This document provides the policies for preventing, detecting, removing, and reporting malicious computer software such as viruses. The purpose is to ensure that proactive security measures are taken to prevent infections; to raise awareness so that the occurrence of a virus is recognized and reported immediately; and to ensure that appropriate action is taken to minimize the consequences of a virus attack.
20. HHS IRM Policy for Domain Names, (HHS-IRM-2000-0008), dated January 8, 2001
This document establishes the policies and responsibilities for acquiring and approving HHS domain names that represent HHS and its Agencies on the Internet. Examples include healthfinder.gov.
21. HHS IRM Policy for Usage of Persistent Cookies, (HHS-IRM-2000-0009), dated January 8, 2001
This document establishes the policies and responsibilities for the usage of web cookies by HHS and its Agencies. A cookie is a mechanism that allows a web server to store its own information about a user on the user's own computer. A persistent web cookie is one that carries an expiration date and therefore survives the end of the browser session; such a cookie can track "the activities of users over time and across different web sites."
OMB policy mandates that the use of persistent cookies must be approved by the Secretary. The concern with persistent cookies is that, even when they contain no personally identifiable information themselves, they can often be linked to a person after the fact, even where that was never the web site operator's intent.
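The distinction the policy turns on, session versus persistent, is mechanical: under RFC 6265 a cookie is persistent exactly when the Set-Cookie header carries a Max-Age or a valid Expires attribute, and Max-Age wins when both are present. The following is an added example, not code from the policy or from HHS, of a check a web team could run over a server's Set-Cookie headers to list the cookies that would need approval. It uses Go's net/http parser; the cookie names and header values are constructed sample input.

```go
package main

import (
	"fmt"
	"net/http"
)

// CookieVerdict records, for one Set-Cookie header, whether the cookie
// it sets would outlive the browser session and why.
type CookieVerdict struct {
	Name       string
	Persistent bool
	Reason     string
}

// SampleSetCookieHeaders is constructed sample input for this example;
// the cookie names are hypothetical, not taken from any HHS site.
var SampleSetCookieHeaders = []string{
	"JSESSIONID=abc123; Path=/; Secure; HttpOnly",
	"visitor_id=7f3a9c; Expires=Wed, 09 Jun 2021 10:18:14 GMT; Path=/",
	"lang=en; Max-Age=31536000; Path=/",
	"legacy=1; Max-Age=0; Path=/",
	"broken=1; Expires=not-a-date; Path=/",
}

// ClassifySetCookies parses Set-Cookie headers with net/http's own parser
// and reports which cookies are persistent. A Max-Age of zero or less tells
// the user agent to delete the cookie, and an Expires value it cannot parse
// is ignored, so neither produces a persistent cookie.
func ClassifySetCookies(setCookieHeaders []string) []CookieVerdict {
	resp := &http.Response{Header: http.Header{}}
	for _, h := range setCookieHeaders {
		resp.Header.Add("Set-Cookie", h)
	}
	var out []CookieVerdict
	for _, c := range resp.Cookies() {
		v := CookieVerdict{Name: c.Name}
		switch {
		case c.MaxAge > 0: // Max-Age takes precedence over Expires
			v.Persistent = true
			v.Reason = fmt.Sprintf("Max-Age=%d", c.MaxAge)
		case c.MaxAge < 0: // net/http reports any Max-Age <= 0 as -1
			v.Reason = "Max-Age<=0 requests deletion"
		case !c.Expires.IsZero():
			v.Persistent = true
			v.Reason = "Expires=" + c.RawExpires
		case c.RawExpires != "":
			v.Reason = "Expires unparseable, ignored by user agents"
		default:
			v.Reason = "no Max-Age or Expires: session cookie"
		}
		out = append(out, v)
	}
	return out
}

// PersistentCookieNames returns the names an approval review would ask for:
// every cookie in the response that would require Secretary-level approval.
func PersistentCookieNames(setCookieHeaders []string) []string {
	var names []string
	for _, v := range ClassifySetCookies(setCookieHeaders) {
		if v.Persistent {
			names = append(names, v.Name)
		}
	}
	return names
}

func main() {
	for _, v := range ClassifySetCookies(SampleSetCookieHeaders) {
		fmt.Printf("%-12s persistent=%-5v %s\n", v.Name, v.Persistent, v.Reason)
	}
}
```

On the sample input only visitor_id and lang are persistent; the Max-Age=0 cookie is a deletion and the unparseable Expires leaves a session cookie. The same classification applies to cookies set from JavaScript via document.cookie, which uses the same attribute syntax.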
22. HHS IRM Policy for Active Directory, (HHS-IRM-2000-0010), dated January 8, 2001
This document establishes the policies and responsibilities for the installation and coordination of Active Directory throughout HHS.
Microsoft Windows 2000 networking is being installed in many parts of HHS operations as a replacement for a variety of other networking products. As this occurs the opportunity exists to dramatically facilitate communications across OPDIVs, to reduce the expenses of duplicate support activities, and to increase productivity by sharing intellectual resources. A common “forest” of Windows 2000 “domains,” (i.e. sharing a single Active Directory) will accomplish this effort while also facilitating the independence, security, and operational integrity of each OPDIV. It will also increase efficiency in the management of the enterprise architecture while improving compliance with the CCA.
23. HHS IRM Policy for Public Key Infrastructure (PKI)/Certification Authority (CA), (HHS-IRM-2000-011), dated January 8, 2001
This document establishes the policies and responsibilities for the implementation and usage of a Public Key Infrastructure (PKI) Certification Authority (CA) by HHS and its Agencies. To secure both internal and external electronic communications, HHS plans to implement an Enterprise Certification Authority using Public Key Infrastructure (PKI) technology and an Enterprise Directory Service using Lightweight Directory Access Protocol (LDAP) technology.
A PKI implementation is a combination of technology, policies, and procedures that supports digital signatures, encryption, and other PKI-enabled security services. A PKI enables users of an inherently insecure public network such as the Internet to exchange data securely and privately using a public and private cryptographic key pair: the private key is kept by its owner and never shared, while the public key is distributed in a digital certificate issued by a trusted authority (the CA). The certificate binds the public key to the identity of an individual or organization, and a directory service stores the certificates so that other parties can retrieve them.
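The following is an added example, not code from the policy or from HHS, of the trust relationship described above, using Go's standard crypto/x509 package: a CA issues a certificate binding a user's public key to a name, the user signs a message with the private key that never left them, and a recipient who trusts only that CA verifies the signature. The recipient also rejects a certificate for the same name issued by an untrusted CA and a message altered after signing. CA and user names and the message text are hypothetical.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Identity is a key pair plus the certificate binding its public key to a name.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

// Issue generates a fresh key pair for name and certifies its public key.
// With issuer == nil the certificate is self-signed and marked as a CA;
// otherwise the issuer signs it. The private key stays with its owner.
func Issue(name string, serial int64, issuer *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	parent, signer := tmpl, key // self-signed unless an issuer is given
	if issuer == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		parent, signer = issuer.Cert, issuer.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}, err
}

// Sign produces a digital signature over msg with the signer's private key.
func Sign(signer *Identity, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, signer.Key, digest[:])
}

// VerifySignature checks sig over msg with the public key in cert, but only
// after cert has been verified to chain to a trusted root and to be within
// its validity period; without that step any home-made certificate would do.
func VerifySignature(cert *x509.Certificate, msg, sig []byte, roots ...*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, r := range roots {
		pool.AddCert(r)
	}
	opts := x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	return cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig) == nil
}

// Demo runs the flow end to end: an enterprise CA certifies a user, the user
// signs a message, and a recipient trusting only that CA verifies it while
// rejecting a rogue CA's certificate and a message altered after signing.
func Demo() (validOK, rogueRejected, tamperRejected bool) {
	must := func(err error) {
		if err != nil {
			panic(err)
		}
	}
	enterpriseCA, err := Issue("Example Enterprise CA", 1, nil) // hypothetical names
	must(err)
	alice, err := Issue("alice@example.gov", 2, enterpriseCA)
	must(err)
	rogueCA, err := Issue("Rogue CA", 1, nil)
	must(err)
	impostor, err := Issue("alice@example.gov", 2, rogueCA) // same name, untrusted issuer
	must(err)
	msg := []byte("Approve release of records batch 17")
	sig, err := Sign(alice, msg)
	must(err)
	rogueSig, err := Sign(impostor, msg)
	must(err)
	validOK = VerifySignature(alice.Cert, msg, sig, enterpriseCA.Cert)
	rogueRejected = !VerifySignature(impostor.Cert, msg, rogueSig, enterpriseCA.Cert)
	tamperRejected = !VerifySignature(alice.Cert, []byte("Approve release of ALL records"), sig, enterpriseCA.Cert)
	return
}
```

The order inside VerifySignature is the point: the chain check against the trusted roots comes before the signature check, because a signature that verifies under a self-issued certificate proves nothing about who holds the key. A production deployment would additionally check revocation (CRL or OCSP) and the certificate's key usage for the operation at hand, neither of which this example covers.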
24. HHS IRM Policy for Directory Services Using LDAP, (HHS-IRM-2000-0012), dated January 8, 2001
This document establishes the policies and responsibilities for the implementation and usage of the Enterprise Directory Service using Lightweight Directory Access Protocol (LDAP) by the Department of Health and Human Services (HHS) and its Agencies. HHS will implement an Enterprise Directory Service. The HHS centralized enterprise directory will be used to manage the access rights of its internal personnel, business partners, and customers.
The Enterprise Directory is a global service composed of independently operated, distributed Directory Service Agents (DSAs) that provide information in the form of a "White Pages" telephone directory. The Enterprise Directory service provides a common access point to this distributed information and is generally configured to make finding the information sought intuitive and easy.
25. HHS-IRM Policy for Government Emergency Telecommunication System Cards Ordering, Usage and Termination, (HHS_IRM_2002-0001), dated November 25, 2002
This document establishes the policy for the issuance, usage, and termination of Government Emergency Telecommunication System (GETS) cards. This policy establishes new privileges and additional responsibilities for employees in HHS.
26. HHS IRM Policy for Comments From and Responses to Operating Divisions on Newly Developed Policies and CIO Council and ITIRB Clearance Documents, (HHS_IRM_2003-0001), dated February 14, 2003
This policy establishes a fifteen-calendar-day comment period for Operating Divisions (OPDIVs) and StaffDivs when new policies are developed or revised, and a ten-calendar-day comment period for OPDIVs and StaffDivs when CIO Council or Information Technology Investment Review Board (ITIRB) documents are developed or revised. The comment period begins on the date of e-mail distribution for policies and on the date of assignment for CIO Council or ITIRB materials.