6. HHS Security Controls
6.2 Operational Controls
The Operational program class of controls (safeguards or countermeasures) for an information system consists primarily of controls that are implemented and executed by people, as opposed to systems. This class has nine control families: Awareness and Training (AT), Configuration Management (CM), Contingency Planning (CP), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical and Environmental Protection (PE), and System and Information Integrity (SI).
6.2.1 (AT) Awareness and Training Policy and Its Controls
Policy: The HHS organization (i) requires that users of HHS information systems are made aware of the security risks associated with their activities and of the applicable laws, executive orders, directives, policies, standards, instructions, regulations, or procedures related to the security of HHS information systems; and (ii) requires that HHS personnel comply with Agency security awareness training requirements.
Table 9 lists the Awareness and Training (AT) controls for moderate impact systems.
Table 9 Awareness and Training Controls (Policy ID 6.2.1 HHS)
Control ID | Control Name | Priority | Description of Control
AT-1 Security Awareness and Training Policy and Procedures
P2 The HHS organization develops, disseminates, and reviews/updates annually:
a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.
AT-2 Security Awareness
P2 The HHS organization verifies that HHS users (including managers, senior executives, and contractors) receive basic security awareness training provided by HHSC as part of initial training for new users prior to accessing any system’s information, when required by system changes, and annually thereafter.
AT-3 Security Training
P1 The HHS Organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) refresher training annually thereafter.
AT-4 Security Training Records
P1 The HHS Organization:
a. Documents and monitors individual information system security training activities, including basic security awareness training and specific information system security training; and
b. Retains individual training records for three (3) years.
6.2.2 (CM) Configuration Management Policy and Its Controls
Policy: The HHS organization (i) establishes and maintains baseline configurations and inventories of HHS information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establishes and enforces security configuration settings for information technology products employed in HHS information systems.
Table 10 lists the Configuration Management (CM) controls for moderate impact systems.
Table 10 Configuration Management Controls (Policy ID 6.2.2 HHS)
Control ID | Control Name | Priority | Description of Control
CM-1 Configuration Management Policy and Procedures
P1 The HHS organization develops, disseminates, and reviews/updates annually:
a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration management controls.
CM-2 (1) (3) (4) Baseline Configuration
P1 The HHS organization:
a. Develops, documents, and maintains under configuration control a current baseline configuration of the HHS information systems.
(1) Reviews and updates the baseline configuration of HHS information systems:
(a) At least once annually;
(b) When required due to major system changes/upgrades; and
(c) As an integral part of HHS component installations and upgrades.
(3) Retains older versions of baseline configurations as deemed necessary to support rollback.
(4) The HHS organization:
(a) Develops and maintains an Agency-defined list of software programs not authorized (blacklist) to execute on the information system.
(b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on HHS information security components.
CM-3 (2) Configuration Change Control
P1 The HHS organization:
a. Determines the types of changes to the HHS information systems that are configuration controlled;
b. Approves configuration-controlled changes to HHS with explicit consideration for security impact analyses;
c. Documents approved configuration-controlled changes to the system;
d. Retains and reviews records of configuration-controlled changes to the system;
e. Audits activities associated with configuration-controlled changes to the system; and
f. Coordinates and provides oversight for configuration change control activities through an HHS change control board that convenes at least monthly or as needed.
(2) The HHS organization tests, validates, and documents changes to HHS before implementing the changes on the operational system.
CM-4 Security Impact Analysis
P3 The HHS organization analyzes changes to the HHS information system components to determine potential security impacts prior to change implementation.
CM-5 Access Restrictions for Change
P2 The HHS organization defines, documents, approves, and enforces physical and logical access restrictions associated with changes to HHS.
Additional Criteria:
[i] The configuration management repository access permissions are reviewed at least every three months.
[ii] Records reflecting all such changes are generated, reviewed, and retained.
CM-6 (3) Configuration Settings
P1 The HHS organization:
a. Establishes and documents mandatory configuration settings for information technology products employed within the HHS information systems using the latest security configuration guidelines in the Data Center Services (DCS) Master System Security Plan (MSSP) technical specification document;
b. Implements the configuration settings;
c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within HHS information systems based on explicit operational requirements; and
d. Monitors and controls changes to the configuration settings in accordance with HHS policies and procedures.
(3) Incorporates detection of unauthorized, security-relevant configuration changes into the incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.
Additional Criteria:
[i] The Agency establishes and documents mandatory security configuration settings for HHS information systems.
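The following Python check is an added example, not HHS or DCS code, of how CM-6 b. through d. and enhancement (3) can be operated in practice: each host's collected settings are compared with the mandatory baseline, documented exceptions carrying an approval reference and an expiry date are honoured, and anything else (including a setting that is absent altogether) is emitted as an unauthorized change for the incident response capability to track. The setting names, hosts, values, and exception references are constructed placeholders, not settings taken from the MSSP technical specification.

```python
"""CM-6 configuration-settings compliance check (added example, not HHS code).
Compares each host's observed settings with the mandatory baseline, honours
documented and approved exceptions, and emits the unauthorized changes that
CM-6(3) routes into incident response. All data below is constructed."""
from dataclasses import dataclass
from datetime import date
from typing import Any, Dict, List, Optional

# Constructed mandatory settings (a stand-in for the DCS MSSP specification).
MANDATORY: Dict[str, Any] = {
    "ssh.permit_root_login": "no",
    "password.min_length": 12,
    "audit.enabled": True,
}

# Constructed settings collected from three hosts.
OBSERVED: Dict[str, Dict[str, Any]] = {
    "app01": {"ssh.permit_root_login": "no", "password.min_length": 12, "audit.enabled": True},
    "db01": {"ssh.permit_root_login": "yes", "password.min_length": 8, "audit.enabled": True},
    "legacy01": {"ssh.permit_root_login": "no", "password.min_length": 8},  # audit.enabled absent
}

# Constructed approved exceptions (CM-6 c.); approval references are placeholders.
EXCEPTIONS: List[Dict[str, Any]] = [
    {"host": "legacy01", "setting": "password.min_length", "value": 8,
     "approval": "EXC-PLACEHOLDER-001", "expires": date(2030, 12, 31)},
    {"host": "db01", "setting": "ssh.permit_root_login", "value": "yes",
     "approval": "EXC-PLACEHOLDER-002", "expires": date(2020, 1, 1)},  # lapsed
]

CHECK_DATE = date(2025, 6, 1)  # constructed reporting date used by the demo run


@dataclass(frozen=True)
class Finding:
    host: str
    setting: str
    expected: Any
    actual: Any
    status: str  # compliant | approved_exception | expired_exception | unauthorized_change


def evaluate(mandatory: Dict[str, Any], observed: Dict[str, Dict[str, Any]],
             exceptions: List[Dict[str, Any]], today: Optional[date] = None) -> List[Finding]:
    """Classify every (host, setting) pair against the baseline and the exception list."""
    today = today or date.today()
    exc_index = {(e["host"], e["setting"]): e for e in exceptions}
    findings: List[Finding] = []
    for host, settings in sorted(observed.items()):
        for setting, expected in mandatory.items():
            actual = settings.get(setting)  # None when the setting is missing on the host
            if actual == expected:
                findings.append(Finding(host, setting, expected, actual, "compliant"))
                continue
            exc = exc_index.get((host, setting))
            if exc is not None and exc["value"] == actual:
                # Deviation is documented; it only remains acceptable while the approval is current.
                status = "approved_exception" if exc["expires"] >= today else "expired_exception"
            else:
                status = "unauthorized_change"
            findings.append(Finding(host, setting, expected, actual, status))
    return findings


def incident_events(findings: List[Finding]) -> List[str]:
    """Lines handed to the incident response capability under CM-6(3)."""
    return [f"{f.host}: {f.setting} expected={f.expected!r} actual={f.actual!r} ({f.status})"
            for f in findings if f.status in ("unauthorized_change", "expired_exception")]


if __name__ == "__main__":
    for line in incident_events(evaluate(MANDATORY, OBSERVED, EXCEPTIONS, CHECK_DATE)):
        print(line)
```

An expired exception is reported alongside outright unauthorized changes so that a deviation never silently outlives the approval that justified it; the compliant findings are retained in the return value because CM-6(3) also asks that the history be available, not only the deviations.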
CM-7 (1) Least Functionality
P1 The HHS organization:
a. Configures the HHS information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.
(1) Reviews HHS information systems annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.
Additional Criteria:
[i] A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security
CM-8 (1) (5) Information System Component Inventory
P1 The HHS organization develops, documents, and maintains an inventory of HHS information systems that:
a. Accurately reflects current HHS information system components (e.g., desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, voice-over-IP telephones, etc.). The inventory of information system components includes details such as make, model, OS, type, serial number, physical location, owner, and machine name;
b. Is consistent with the authorization boundary of the HHS organization;
c. Is at the level of granularity deemed necessary for tracking and reporting;
d. Includes manufacturer, model/type, serial number, version number, location (i.e., physical location and logical position within the HHS architecture), and ownership; and
e. Is available for review and audit by designated HHS officials.
(1) Updates the inventory of HHS information systems as an integral part of component installations, removals, and updates.
(5) Verifies that all components within the authorization boundary of the HHS organization are either inventoried as a part of the system or recognized by another system as a component within that system.
Additional Criteria:
[i] The inventory should be kept current through periodic manual inventory checks or through a network monitoring tool that automatically maintains the inventory.
[ii] The network should be monitored for deviations from the expected inventory of assets on the network, with security and/or operations personnel alerted when deviations or unauthorized hosts are discovered.
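As an added illustration of criterion [ii] (it is not part of the HHS policy text), the following Python script reconciles a constructed authorized inventory against the hosts reported by a discovery sweep, matching on MAC address, and produces the alerts that security or operations staff would receive for unauthorized hosts, inventoried assets that were not seen, and attribute drift on assets that were. All asset records, MAC addresses, and IP addresses are constructed sample data.

```python
"""CM-8 inventory reconciliation (added example, not part of the HHS policy).
Compares the authorized component inventory against hosts observed on the
network and reports unauthorized hosts, missing assets, and attribute drift.
All inventory and discovery records below are constructed sample data."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class Asset:
    """One inventory line carrying the detail CM-8 requires (owner, location, ...)."""
    hostname: str
    serial: str      # hardware serial number
    mac: str         # MAC address used to match the asset on the network
    ip: str
    owner: str
    location: str


@dataclass(frozen=True)
class Observed:
    """One host seen by a discovery sweep (e.g. an exported ARP/ND table)."""
    mac: str
    ip: str
    hostname: str


# Constructed authorized inventory.
INVENTORY: List[Asset] = [
    Asset("db01", "SN-1001", "aa:bb:cc:00:00:01", "10.1.0.11", "DBA team", "DC-A rack 3"),
    Asset("app01", "SN-1002", "aa:bb:cc:00:00:02", "10.1.0.21", "App team", "DC-A rack 4"),
    Asset("fw01", "SN-1003", "aa:bb:cc:00:00:03", "10.1.0.1", "Network team", "DC-A rack 1"),
]

# Constructed discovery result: app01 changed IP, fw01 was not seen, one unknown host appeared.
OBSERVED: List[Observed] = [
    Observed("aa:bb:cc:00:00:01", "10.1.0.11", "db01"),
    Observed("aa:bb:cc:00:00:02", "10.1.0.99", "app01"),
    Observed("de:ad:be:ef:00:01", "10.1.0.150", "unknown-pc"),
]

Drift = Tuple[str, str, str, str]  # (hostname, attribute, expected, observed)


def reconcile(inventory: List[Asset], observed: List[Observed]) -> Dict[str, list]:
    """Return the deviations between the inventory and what the network shows."""
    by_mac = {a.mac.lower(): a for a in inventory}
    seen = set()
    unauthorized: List[str] = []
    drift: List[Drift] = []
    for host in observed:
        mac = host.mac.lower()
        asset = by_mac.get(mac)
        if asset is None:
            unauthorized.append(mac)  # on the network but not inventoried
            continue
        seen.add(mac)
        if host.ip != asset.ip:
            drift.append((asset.hostname, "ip", asset.ip, host.ip))
        if host.hostname != asset.hostname:
            drift.append((asset.hostname, "hostname", asset.hostname, host.hostname))
    # Inventoried assets that the sweep did not see: possibly removed without an inventory update.
    missing = sorted(a.hostname for mac, a in by_mac.items() if mac not in seen)
    return {"unauthorized": unauthorized, "missing": missing, "drift": drift}


def alerts(report: Dict[str, list]) -> List[str]:
    """Render the deviations as alert lines for security and operations staff."""
    lines = [f"ALERT unauthorized host on network: mac={m}" for m in report["unauthorized"]]
    lines += [f"WARN inventoried asset not observed: {h}" for h in report["missing"]]
    lines += [f"WARN attribute drift on {h}: {attr} expected={exp} observed={obs}"
              for h, attr, exp, obs in report["drift"]]
    return lines


if __name__ == "__main__":
    for line in alerts(reconcile(INVENTORY, OBSERVED)):
        print(line)
```

Matching on MAC address rather than hostname or IP is the design choice that makes the "unauthorized host" and "drift" cases distinguishable: a known asset that changed address is reported as drift to be reconciled with the inventory, while an address that maps to no inventoried hardware is the unauthorized-host case the criterion asks to alert on.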
CM-9 Configuration Management Plan
P2 The HHS organization develops, documents, and implements a configuration management plan for the HHS information systems that:
a. Addresses roles, responsibilities, and configuration management processes and procedures;
b. Defines the configuration items for HHS and when in the system development life cycle the configuration items are placed under configuration management; and
c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the configuration of the configuration items.
6.2.3 (CP) Contingency Planning Policy and Its Controls
Policy: The HHS organization establishes, maintains, and effectively implements plans for emergency response, backup operations, and post-disaster recovery for HHS information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
Table 11 lists the Contingency Planning (CP) controls for moderate impact systems.
Table 11 Contingency Planning Controls (Policy ID 6.2.3 HHS)
Control ID | Control Name | Priority | Description of Control
CP-1 Contingency Planning Policy and Procedures
P2 The HHS organization develops, disseminates, and reviews/updates annually:
a. A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.
CP-2 (1) Contingency Plan / Continuity of Operations Plan
P1 The HHS organization:
a. Develops a contingency plan (CP) or Continuity of Operations Plan (COOP) for HHS information systems that:
- Identifies essential HHS missions and business functions and associated contingency requirements;
- Provides recovery objectives, restoration priorities, and metrics;
- Addresses contingency roles, responsibilities, and assigned individuals with contact information;
- Addresses maintaining essential HHS missions and business functions despite an HHS disruption, compromise, or failure;
- Addresses eventual, full HHS restoration without deterioration of the security measures originally planned and implemented; and
- Is reviewed and approved by designated officials within the HHS organization;
b. Distributes copies of the COOP to key contingency personnel (identified by name and/or by role) and organizational elements;
c. Coordinates contingency planning activities with incident handling activities;
d. Reviews the COOP for the HHS information systems annually;
e. Revises the COOP to address changes to the HHS organization, HHS information systems, or environment of operation and problems encountered during COOP implementation, execution, or testing; and
f. Communicates COOP changes to key contingency personnel (identified by name and/or by role) and others as defined in the
CP-4 (1) Contingency Plan Testing and Exercises
P1 The HHS organization:
a. Tests and/or exercises the contingency plan for the mission-critical HHS information systems annually, using defined tests and/or exercises such as the tabletop test in accordance with the current COOP procedure, to determine the plan’s effectiveness and HHS’s readiness to execute the plan; and
b. Documents and reviews the contingency plan test/exercise results and initiates reasonable and appropriate corrective actions to close or reduce the impact of contingency plan failures and deficiencies.
(1) Coordinates contingency plan testing and/or exercises with HHS elements responsible for related plans.
CP-6 (1) (3) Alternate Storage Site
P2 The HHS organization:
a. Establishes an alternate storage site including necessary agreements to permit the storage and recovery of HHS backup information.
(1) Identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.
(3) Identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
CP-7 (1) (2) (3) (5) Alternate Processing Site
P2 The HHS organization:
a. Establishes an alternate processing site, including necessary agreements, to permit the resumption of HHS operations for essential HHS missions and business functions within an Agency-defined period consistent with the recovery time objective when the primary processing capabilities are unavailable; and
b. Ensures that equipment and supplies required to resume operations are available at the alternate site, or that contracts are in place to support delivery to the site in time to meet the Agency-defined time period for restoration of service.
(1) Identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.
(2) Identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.
(3) Develops alternate processing site agreements that contain priority-of-service provisions in accordance with HHS’s availability requirements.
(5) Ensures that the alternate processing site provides information security measures equivalent to that of the primary site.
CP-8 (1) (2) Telecommunications Services
P3 The HHS organization establishes alternate telecommunications services, including necessary agreements, to permit the resumption of HHS information systems operations for essential HHS organization missions and business functions within an Agency-defined time period when the primary telecommunications capabilities are unavailable.
(1) The HHS organization:
(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in accordance with HHS’s availability requirements; and
(b) Requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.
(2) Obtains alternate telecommunications services with consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.
CP-9 (1) Information System Backup
P2 The HHS organization:
a. Conducts backups of user-level information contained in HHS information systems: full backups weekly, incremental or differential backups daily;
b. Conducts backups of system-level information contained in HHS information systems: full backups weekly, incremental or differential backups daily;
c. Conducts backups of HHS documentation, including security-related documentation: full backups weekly, incremental or differential backups daily; and
d. Protects the confidentiality and integrity of backup information at the storage location.
(1) Tests backup information following each backup to verify media reliability and information integrity.
Additional Criteria:
[i] Backups include user-level and system-level information (including system state information). Three (3) generations of backups (a full backup plus all related incremental or differential backups) are stored off-site. Off-site and on-site backups are logged with name, date, time, and action.
[ii] (For HHS Restricted and Confidential Information only) Ensure that a current, retrievable copy of HHS Restricted and Confidential Information is available before movement of servers.
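The retention and verification rules in CP-9 and criterion [i] above, as an added Python example that is not part of the HHS policy: a constructed catalogue of weekly full and daily incremental backups is grouped into generations (a full backup plus the incrementals that depend on it), the three most recent generations are selected for off-site storage, a stored copy is verified against the digest recorded when it was written (CP-9 (1)), and log lines carry name, date, time, and action. Backup names, dates, and the payload are constructed; an incremental with no preceding full is rejected because it cannot be restored on its own.

```python
"""CP-9 backup generation retention and media verification (added example,
not HHS code). Groups a backup catalogue into generations, selects the three
most recent generations for off-site storage, verifies a copy against its
recorded digest, and writes log lines with name, date, time, and action.
All backup records below are constructed sample data."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List


@dataclass(frozen=True)
class BackupRecord:
    name: str
    kind: str          # "full" or "incremental"
    taken_at: datetime
    sha256: str        # digest recorded when the backup was written


SAMPLE_PAYLOAD = b"constructed backup payload"  # stands in for a backup image


def _catalogue() -> List[BackupRecord]:
    """Constructed catalogue: four weekly fulls, each followed by two daily incrementals."""
    records: List[BackupRecord] = []
    start = datetime(2024, 6, 2, 1, 0)  # constructed start date for the weekly cycle
    for week in range(4):
        full_at = start + timedelta(weeks=week)
        records.append(BackupRecord(f"full-{full_at:%Y-%m-%d}", "full", full_at,
                                    hashlib.sha256(SAMPLE_PAYLOAD).hexdigest()))
        for day in (1, 2):
            inc_at = full_at + timedelta(days=day)
            records.append(BackupRecord(f"inc-{inc_at:%Y-%m-%d}", "incremental", inc_at,
                                        hashlib.sha256(SAMPLE_PAYLOAD + bytes([day])).hexdigest()))
    return records


RECORDS = _catalogue()


def generations(records: List[BackupRecord]) -> List[List[BackupRecord]]:
    """Split the catalogue into generations: each full starts one, incrementals attach to the last full."""
    gens: List[List[BackupRecord]] = []
    for rec in sorted(records, key=lambda r: r.taken_at):
        if rec.kind == "full":
            gens.append([rec])
        elif rec.kind == "incremental":
            if not gens:
                # An incremental without its full cannot be restored; treat it as a catalogue error.
                raise ValueError(f"{rec.name}: incremental backup without a preceding full backup")
            gens[-1].append(rec)
        else:
            raise ValueError(f"{rec.name}: unknown backup kind {rec.kind!r}")
    return gens


def offsite_retention(records: List[BackupRecord], keep: int = 3) -> List[List[BackupRecord]]:
    """Return the `keep` most recent generations; anything older may be rotated."""
    return generations(records)[-keep:]


def verify_media(record: BackupRecord, data: bytes) -> bool:
    """CP-9 (1): recompute the digest of the stored copy and compare with the recorded one."""
    return hashlib.sha256(data).hexdigest() == record.sha256


def log_entry(record: BackupRecord, action: str, when: datetime) -> str:
    """Log line in the form required by criterion [i]: name, date, time, action."""
    return f"{record.name} {when:%Y-%m-%d} {when:%H:%M:%S} {action}"


if __name__ == "__main__":
    for gen in offsite_retention(RECORDS):
        for rec in gen:
            status = "verified" if verify_media(rec, SAMPLE_PAYLOAD) else "DIGEST MISMATCH"
            print(log_entry(rec, f"shipped off-site ({status})", rec.taken_at))
```

Retention is counted in generations rather than in individual backup files so that a full backup is never rotated out while incrementals that depend on it are still being kept.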
CP-10 (2) (3) Information System Recovery and Reconstitution
P2 The HHS organization:
a. Provides for the recovery and reconstitution of HHS to a known state after a disruption, compromise, or failure.
(2) HHS information systems implement transaction recovery for systems that are transaction-based.
(3) The HHS organization provides compensating security controls to address circumstances that inhibit recovery and reconstitution to a known state.
Additional Criteria:
[i] Recovery and reconstitution for HHS information systems includes, but is not limited to:
(a) Resetting all system parameters (either default or organization-established);
(b) Reinstalling patches;
(c) Reestablishing configuration settings;
(d) Reinstalling application and system software; and
(e) Testing the system fully.
6.2.4 (IR) Incident Response Policy and Its Controls
Policy: The HHS organization (i) establishes an operational incident handling capability for HHS information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) tracks, documents, and reports incidents to appropriate HHS and HHSC officials and/or authorities.
Table 12 lists the Incident Response (IR) controls for moderate impact systems.
Table 12 Incident Response Controls (Policy ID 6.2.4 HHS)
Control ID | Control Name | Priority | Description of Control
IR-1 Incident Response Policy and Procedures
P2 The HHS organization develops, disseminates, and reviews/updates annually:
a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls.
IR-2 Incident Response Training
P2 The HHS organization:
a. Trains personnel in their incident response roles and responsibilities with respect to HHS information systems; and
b. Provides refresher training annually.
IR-3 Incident Response Testing and Exercises
P1 The HHS organization tests and/or exercises the incident response capability for the HHS information systems annually, using reviews, analyses, and simulations to determine the incident response effectiveness, and documents the results.
Additional Criteria:
[i] The Agency defines incident response tests/exercises that contain procedures for the following:
- Detecting unauthorized FTI access;
- Reporting unauthorized FTI access to the IRS, TIGTA, and the internal Agency incident response team.
[ii] The Agency tests/exercises the incident response capability for FTI-related security violations (e.g., simulated successful unauthorized access to FTI) at least annually.
Note: The incident response tests/exercises should be different from any testing activities performed as part of Disaster Recovery or Contingency Planning.
[iii] The Agency documents the results of incident response tests/exercises.
IR-4 (1) Incident Handling
P2 The HHS organization:
a. Implements an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery;
b. Coordinates incident handling activities with contingency planning activities; and
c. Incorporates lessons learned from ongoing incident handling activities into incident response procedures, training, and testing/exercises, and implements the resulting changes accordingly.
(1) Employs automated mechanisms to support the incident handling process.
Additional Criteria:
[i] Document relevant information related to a security incident as outlined in the Security Incident Management Plan.
[ii] Identify the vulnerability exploited during a security incident. Implement security safeguards to reduce risk and vulnerability exploit exposure.
IR-5 Incident Monitoring
P2 The HHS organization tracks and documents security incidents for HHS information systems.
IR-6 (1) Incident Reporting
P2 The HHS organization:
a. Requires personnel to report suspected security incidents to the HHS organizational incident response capability within the timeframe established in the Security Incident Management Plan; and
b. Reports security incident information to designated authorities.
(1) HHS employs automated mechanisms to assist in the reporting of security incidents.
IR-7 (1) Incident Response Assistance
P3 The HHS organization provides an incident response support resource, integral to HHS organizational incident response capability, which offers advice and assistance to users of the HHS information systems for the handling and reporting of security incidents.
(1) Employs automated mechanisms to increase the availability of incident response-related information and support.
IR-8 Incident Response Plan
P2 The HHS organization:
a. Develops an incident response plan that:
- Creates an HHS-defined list of incident response personnel (identified by name and/or by role) and HHS elements;
- Provides HHS with a roadmap for implementing its incident response capability;
- Describes the structure and organization of the incident response capability;
- Provides a high-level approach for how the incident response capability fits into the overall HHS organization;
- Meets the unique requirements of HHS, which relate to HHS mission, size, structure, and functions;
- Defines reportable incidents;
- Provides metrics for measuring the incident response capability within HHS;
- Defines the resources and management support needed to effectively maintain and mature an incident response capability; and
- Is reviewed and approved by designated officials within HHS;
b. Distributes copies of the incident response plan to incident response personnel and organizational elements;
c. Reviews the incident response plan annually;
d. Revises the incident response plan to address system/HHS changes or problems encountered during plan implementation, execution, or testing; and
e. Communicates incident response plan changes to incident response personnel and HHS elements.
6.2.5 (MA) Maintenance Policy and Its Controls
Policy: The HHS organization requires that (i) periodic and timely maintenance on HHS information systems occur; and (ii) effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance are in place.
Table 13 lists the Maintenance (MA) controls for moderate impact systems.
Table 13 Maintenance Controls (Policy ID 6.2.5 HHS)
Control ID | Control Name | Priority | Description of Control
MA-1 System Maintenance Policy and Procedures
P2 The HHS organization develops, disseminates, and reviews/updates annually:
a. A formal, documented HHS information systems maintenance policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;