6. HHS Security Controls
6.3 Technical Controls
The Technical class of controls for an information system consists primarily of controls that are implemented and executed through mechanisms contained in the hardware, software, or firmware components of the information system. This class has four families: Access Control (AC), Audit and Accountability (AU), Identification and Authentication (IA), and System and Communications Protection (SC).
6.3.1 (AC) Access Control Policy and Its Controls
Policy: The HHS organization requires limited access to applications, servers, databases, and network devices in the HHS environment. Access is limited to authorized users, processes acting on behalf of authorized users, or devices. Authorized users are further limited to the types of transactions and functions that they are permitted to exercise.
Table 18 lists the Access Controls (AC) for moderate impact systems.
Table 18 Access Controls Policy ID 6.3.1 HHS
Control ID | Control Name | Priority | Description of Control
AC-1 | Access Control Policy and Procedures | P1 | The HHS organization develops, disseminates, and reviews/updates annually:
a. A formal, documented access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the access control policy and associated access controls.
AC-2 (1) (2) (3) (4) | Account Management | P1 | The HHS organization manages HHS information system accounts, including:
a. Identifying account types (i.e., individual, group, system, application, guest/anonymous, temporary);
b. Establishing conditions for group membership;
c. Identifying authorized users and specifying access privileges;
d. Requiring appropriate approvals for requests to establish accounts;
e. Establishing, activating, modifying, disabling, and removing accounts;
f. Specifically authorizing and monitoring the use of guest/anonymous and temporary accounts;
g. Notifying account managers when temporary accounts are no longer required and when HHS users are terminated, transferred, or HHS information system usage or need-to-know/need-to-share changes;
h. Deactivating (i) temporary accounts that are no longer required and (ii) accounts of terminated or transferred users;
i. Granting access to the system based on (i) a valid access authorization, (ii) intended system usage, and (iii) other attributes as required by HHS or associated missions/business functions; and
j. Reviewing accounts every six months.
(1) Employs automated mechanisms to support the management of accounts.
(2) HHS information systems automatically terminate emergency accounts within 24 hours and temporary accounts with a fixed duration not to exceed 12 months.
(3) HHS information systems disable inactive privileged accounts after sixty (60) days and non-privileged accounts after ninety (90) days.
(4) HHS information systems automatically audit account creation, modification, disabling, and termination actions and notify appropriate individuals, as required.
Additional Criteria:
{i} Regulate the access provided to contractors and define security requirements for contractors.
[ii] No two accounts share the same user or account name.
[iii] No two accounts are assigned the same UID.
[iv] Accounts are locked after 90 days of inactivity.
[v] Unused default accounts are disabled.
{vi} Implement centralized control of user access administration functions.
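The AC-2 (2) and (3) time limits and criteria [ii] through [v] are the kind of thing a reviewer checks with a script rather than by eye. The following is an added example, not part of the HHS policy text or any HHS tooling: it parses passwd-style records (constructed sample data) and flags duplicate account names, duplicate UIDs, interactive accounts idle beyond the privileged (60-day) or non-privileged (90-day) limit, temporary accounts older than 12 months (approximated here as 365 days), and default accounts that have never been used. The set of privileged users, the list of vendor default account names, the creation and last-login dates, and the convention that a temporary account is marked by the word "temporary" in its GECOS field are all assumptions; a real deployment would take them from the group file, lastlog, or the identity provider.

```python
"""Account hygiene check for AC-2 (2), AC-2 (3) and criteria [ii]-[v] (added example, not HHS code)."""
from datetime import date

PRIVILEGED_IDLE_DAYS = 60      # AC-2 (3): disable inactive privileged accounts
NONPRIVILEGED_IDLE_DAYS = 90   # AC-2 (3): disable inactive non-privileged accounts
TEMPORARY_MAX_DAYS = 365       # AC-2 (2): temporary accounts live at most 12 months (assumed 365 days)
DEFAULT_ACCOUNTS = {"guest", "admin"}   # assumed vendor/default account names (criterion [v])


def parse_passwd(text):
    """Parse passwd-style 'name:pw:uid:gid:gecos:home:shell' lines into dicts."""
    accounts = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, _home, shell = fields
        accounts.append({
            "name": name,
            "uid": int(uid),
            "gid": int(gid),
            # Assumed convention: temporary accounts say so in the GECOS field.
            "temporary": "temporary" in gecos.lower(),
            # Service accounts with no interactive shell are outside the idle checks.
            "interactive": not shell.endswith(("nologin", "false")),
        })
    return accounts


def audit_accounts(accounts, privileged, last_login, created, today):
    """Return sorted (finding, subject) pairs for the AC-2 checks."""
    findings = []
    by_name, by_uid = {}, {}
    for a in accounts:
        by_name.setdefault(a["name"], []).append(a)
        by_uid.setdefault(a["uid"], []).append(a)
    for name, group in by_name.items():          # criterion [ii]
        if len(group) > 1:
            findings.append(("duplicate-name", name))
    for uid, group in by_uid.items():            # criterion [iii]
        if len(group) > 1:
            findings.append(("duplicate-uid", ",".join(sorted(a["name"] for a in group))))
    for a in accounts:
        name = a["name"]
        if not a["interactive"]:
            continue
        is_priv = a["uid"] == 0 or name in privileged
        limit = PRIVILEGED_IDLE_DAYS if is_priv else NONPRIVILEGED_IDLE_DAYS
        # An account that has never logged in has been idle since it was created.
        last_seen = last_login.get(name) or created[name]
        if (today - last_seen).days > limit:                                    # AC-2 (3)
            findings.append(("disable-inactive", name))
        if a["temporary"] and (today - created[name]).days > TEMPORARY_MAX_DAYS:  # AC-2 (2)
            findings.append(("temporary-expired", name))
        if name in DEFAULT_ACCOUNTS and last_login.get(name) is None:           # criterion [v]
            findings.append(("unused-default", name))
    return sorted(findings)


# Constructed sample data: one duplicate name (bob), one duplicate UID (carol/dave),
# a temporary account past 12 months, and a never-used default account.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice,Ops:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1003:1004:Dave:/home/dave:/bin/bash
tmp-audit:x:1005:1005:temporary auditor:/home/tmp-audit:/bin/bash
guest:x:1006:1006:Guest:/home/guest:/bin/bash
bob:x:1007:1007:Bob duplicate:/home/bob2:/bin/bash
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
"""
TODAY = date(2024, 6, 1)
PRIVILEGED = {"alice"}                      # assumed: members of an admin group
CREATED = {"root": date(2020, 1, 1), "alice": date(2023, 1, 1), "bob": date(2023, 1, 1),
           "carol": date(2023, 1, 1), "dave": date(2023, 1, 1), "tmp-audit": date(2023, 4, 1),
           "guest": date(2023, 1, 1), "sshd": date(2020, 1, 1)}
LAST_LOGIN = {"root": date(2024, 5, 30), "alice": date(2024, 3, 1), "bob": date(2024, 5, 1),
              "carol": date(2024, 2, 1), "dave": date(2024, 5, 20), "guest": None}


def run_audit():
    return audit_accounts(parse_passwd(SAMPLE_PASSWD), PRIVILEGED, LAST_LOGIN, CREATED, TODAY)


if __name__ == "__main__":
    for finding, subject in run_audit():
        print(f"{finding:18} {subject}")
```

Note that the page's own thresholds disagree: criterion [iv] says 90 days of inactivity for accounts generally, while AC-2 (3) gives privileged accounts only 60 days; the script applies the stricter figure to privileged accounts. A duplicate UID is the finding to act on first, since two names mapped to one UID are indistinguishable in file ownership and audit records, which defeats the accountability that 6.3.2 depends on.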
AC-3 | Access Enforcement | P1 | The HHS organization enforces approved authorizations for logical access to the system in accordance with applicable policy.
Additional Criteria:
{i} If encryption is used as an access control mechanism, it must meet approved (FIPS 140-2 compliant and a NIST-validated module) encryption standards (see SC-13).
{ii} Configure operating system controls to disable public "read" and "write" access to files, objects, and directories that may directly impact system functionality and/or performance, or that contain sensitive information (such as FTI or Privacy Act protected information).
{iii} Data stored in the information system must be protected with system access controls.
AC-4 | Information Flow Enforcement | P1 | The HHS organization enforces approved authorizations for controlling the flow of information within HHS information systems and between interconnected systems in accordance with applicable policy.
AC-5 | Separation of Duties | P1 | The HHS organization:
a. Separates duties of individuals as necessary to prevent malevolent activity without collusion;
b. Documents separation of duties; and
c. Implements separation of duties through assigned HHS component access authorizations.
Additional Criteria:
{i} Ensure that audit functions are not performed by security personnel responsible for administering access control.
{ii} Ensure that HHS testing functions (i.e., user acceptance, quality assurance, information security) and production functions are divided among separate individuals or groups.
{iii} Ensure that an independent entity, not the business owner, system developers/maintainers, or system administrators responsible for the information system, conducts information security testing of the information system.
AC-6 (1) (2) | Least Privilege | P1 | The HHS organization employs the concept of least privilege, allowing only authorized accesses for users (and processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with HHS missions and business functions.
(1) Explicitly authorizes access to privileged functions (deployed in hardware, software, and firmware) and to security-relevant information; such access is restricted to explicitly authorized individuals.
(2) Requires that users of HHS information system accounts, or roles, with access to security functions or security-relevant information use non-privileged accounts, or roles, when accessing other system functions, and, if feasible, audits any use of privileged accounts, or roles, for such functions.
Additional Criteria:
{i} Disable all file system access not explicitly required for system, application, and administrator functionality.
{ii} Contractors must be provided with minimal system and physical access, and must agree to and support the HHS security requirements.
AC-7 | Unsuccessful Login Attempts | P1 | HHS information systems:
For Restricted data:
a. Enforce a limit of three (3) consecutive invalid access attempts by a user within a fifteen (15) minute period; and
b. Automatically lock the account/node for one (1) hour or until released by an account administrator. The control applies regardless of whether the login occurs via a local or network connection.
For HHS systems in all other data classifications, enforce the following:
a. Account lockout duration of 30 minutes;
b. Account lockout threshold of 5 invalid logon attempts; and
c. Reset of the account lockout counter after 30 minutes.
Additional Criteria:
[i] The delay between login prompts after a failed login is set to more than four seconds.
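The two AC-7 profiles differ not only in their numbers but in how the failure counter is kept: the Restricted-data rule counts failures "within a fifteen (15) minute period", the other profile resets its counter a fixed time after the last failure, and in both a locked account must refuse even the correct password until the lock expires or an administrator releases it. The following is an added example, not code from the HHS policy or any HHS system: a small policy engine that replays constructed authentication events under both profiles and shows where they diverge. The event format, user names, and decision labels are assumptions. The same per-user failure count is what an AU-6 daily review would look at for "excessive logon attempt failures".

```python
"""Lockout policy engine for AC-7 (added example, not HHS code)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class LockoutPolicy:
    threshold: int            # invalid attempts that trigger a lock
    window: timedelta         # how long a failure keeps counting
    lock_duration: timedelta  # how long the lock lasts unless an administrator releases it
    window_from_first: bool   # True: "N failures within a W period"; False: counter resets W after the last failure


# AC-7 for Restricted data: 3 failures within 15 minutes, lock for 1 hour.
RESTRICTED = LockoutPolicy(3, timedelta(minutes=15), timedelta(hours=1), True)
# AC-7 for all other classifications: 5 failures, 30-minute lock, counter reset after 30 minutes.
STANDARD = LockoutPolicy(5, timedelta(minutes=30), timedelta(minutes=30), False)


@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of failures still being counted
    locked_until: datetime = None                  # None when not locked


def evaluate(events, policy):
    """Replay (timestamp, user, kind) events, kind in {"ok", "fail", "unlock"},
    and return (timestamp, user, decision) tuples in time order."""
    states, decisions = {}, []
    for ts, user, kind in sorted(events):
        st = states.setdefault(user, AccountState())
        if kind == "unlock":                            # administrator release (AC-7 b)
            st.locked_until, st.failures = None, []
            decisions.append((ts, user, "unlocked"))
            continue
        if st.locked_until is not None and ts < st.locked_until:
            # A locked account refuses everything, including the correct password.
            decisions.append((ts, user, "rejected-locked"))
            continue
        if st.locked_until is not None:                 # lock expired: start with a clean counter
            st.locked_until, st.failures = None, []
        if kind == "ok":
            st.failures = []                            # a success breaks the "consecutive" run
            decisions.append((ts, user, "allowed"))
            continue
        if policy.window_from_first:
            st.failures = [f for f in st.failures if ts - f <= policy.window]
        elif st.failures and ts - st.failures[-1] > policy.window:
            st.failures = []
        st.failures.append(ts)
        if len(st.failures) >= policy.threshold:
            st.locked_until = ts + policy.lock_duration
            decisions.append((ts, user, "locked"))
        else:
            decisions.append((ts, user, "failed"))
    return decisions


T0 = datetime(2024, 6, 1, 9, 0)


def _at(minutes):
    return T0 + timedelta(minutes=minutes)


SAMPLE_EVENTS = [  # constructed
    (_at(0), "alice", "fail"), (_at(1), "alice", "fail"), (_at(2), "alice", "fail"),
    (_at(3), "alice", "ok"),      # right password, but inside the 1-hour lock under RESTRICTED
    (_at(70), "alice", "ok"),     # lock has expired
    (_at(0), "bob", "fail"), (_at(10), "bob", "fail"), (_at(20), "bob", "fail"),
    (_at(21), "bob", "ok"),       # first failure aged out of the 15-minute window: never 3 at once
    (_at(0), "carol", "fail"), (_at(1), "carol", "fail"), (_at(2), "carol", "fail"),
    (_at(5), "carol", "unlock"),  # administrator release
    (_at(6), "carol", "ok"),
]


def decisions_for(user, policy, events=SAMPLE_EVENTS):
    return [d for _, u, d in evaluate(events, policy) if u == user]


if __name__ == "__main__":
    for policy_name, policy in (("RESTRICTED", RESTRICTED), ("STANDARD", STANDARD)):
        for user in ("alice", "bob", "carol"):
            print(policy_name, user, decisions_for(user, policy))
```

Two things the replay makes visible: under the Restricted profile, bob's three failures spread over 20 minutes never lock the account because the first has fallen out of the 15-minute window, so an attacker who paces guesses slowly is throttled only by the four-second delay in criterion [i]; and an "ok" during a lock is rejected and must be logged as such, since a correct password arriving while locked is itself an indicator for the AU-6 review.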
AC-8 | System Use Notification | P1 | HHS information systems:
a. Display an approved system use notification message or banner before granting access to the system. The banner provides privacy and security notices consistent with applicable Federal and Texas laws, executive orders, directives, policies, regulations, Health and Human Services Commission (HHSC) standards, and guidance, and states that:
(i) users are accessing a U.S. Government information system;
(ii) system usage may be monitored, recorded, and subject to audit;
(iii) unauthorized use of the system is prohibited and subject to criminal and civil penalties; and
(iv) use of the system indicates consent to monitoring and recording.
The recommended banner for IRS FTI information resources is:
“WARNING
This system may contain U.S. Government information, which is restricted to authorized users ONLY. Unauthorized access, use, misuse, or modification of this computer system or of the data contained herein or in transit to/from this system constitutes a violation of Title 18, United States Code, Section 1030, and may subject the individual to Criminal and Civil penalties pursuant to Title 26, United States Code, Sections 7213, 7213A (the Taxpayer Browsing Protection Act), and 7431. This system and equipment are subject to monitoring to ensure proper performance of applicable security features or procedures. Such monitoring may result in the acquisition, recording and analysis of all data being communicated, transmitted, processed or stored in this system by a user. If monitoring reveals possible evidence of criminal activity, such evidence may be provided to Law Enforcement Personnel.
ANYONE USING THIS SYSTEM EXPRESSLY CONSENTS TO SUCH MONITORING”
b. Retain the notification message or banner on the screen until users take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
i. Display the system use information when appropriate, before granting further access;
ii. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
iii. Include a description of the authorized uses of the system in the
AC-10 | Concurrent Session Control | P3 | The HHS organization limits the number of concurrent sessions for each system account to one (1) session.
Additional Criteria:
{i} The number of concurrent sessions is limited and enforced to the number of sessions expressly required for the performance of job duties and any requirement for more than one (1) concurrent session is documented in the system security plan.
AC-11 | Session Lock | P1 | HHS information systems:
a. Prevent further access to the system by initiating a session lock after fifteen (15) minutes of inactivity or at the request of the user; and
b. Retain the session lock until the user reestablishes access using established identification and authentication procedures.
Additional Criteria:
[i] Ensure a password protected screen lock mechanism is used.
AC-14 (1) | Permitted Actions Without Identification or Authentication | P3 | The HHS organization:
a. Identifies specific user actions that can be performed on the information system without identification or authentication; and
b. Documents and provides supporting rationale in the system security plan for the HHS information system for user actions not requiring identification and authentication.
(1) Permits actions to be performed without identification and authentication only to the extent necessary to accomplish mission/business objectives.
Additional Criteria:
[i] Services that allow interaction without authentication or via anonymous authentication are documented, justified to the HHS CISO, and are properly secured and segregated from other systems that contain services that explicitly require authentication and identity verification.
AC-17 (1) (2) (3) (4) (5) (7) (8) | Remote Access | P1 | The HHS organization:
a. Requires that the allowed methods of remote access to HHS information systems are limited to:
- GoToMyPC;
- VPN;
- Outlook Web Access.
All remote access methods require two-factor authentication.
b. Establishes usage restrictions and implementation guidance for each allowed remote access method;
c. Monitors for unauthorized remote access;
d. Authorizes remote access prior to connection; and
e. Enforces requirements for remote connections.
(1) HHS information systems employ automated mechanisms to facilitate the monitoring and control of remote access methods.
(2) The HHS organization uses cryptography to protect the confidentiality and integrity of remote access sessions.
(3) HHS information systems route all remote accesses through a limited number of managed access control points.
(4) The HHS organization authorizes the execution of privileged commands and access to security-relevant information via remote access only for compelling operational needs and documents the rationale for such access and use of commands in the specific system security plan for the information system.
(5) The HHS organization monitors for unauthorized remote connections to HHS information systems at least quarterly and takes appropriate action if an unauthorized connection is discovered.
(7) The HHS organization requires that remote sessions used for remote administration employ additional security measures (e.g., Secure Shell [SSH], or Virtual Private Networking [VPN] with blocking mode enabled; see SC-13) and that the sessions are audited.
(8) The HHS organization disables networking protocols deemed to be nonsecure (such as Bluetooth and peer-to-peer networking) except for explicitly identified components in support of specific operational requirements.
Additional Criteria:
[i] No unauthorized remote sessions are allowed.
[ii] Administrative passwords are never passed over a network in clear text.
AC-18 (1) | Wireless Access | P1 | The HHS organization:
a. Establishes usage restrictions and implementation guidance for wireless access;
b. Monitors for unauthorized wireless access to HHS information systems;
c. Authorizes wireless access to the information system prior to connection; and
d. Enforces requirements for wireless connections to HHS information systems.
(1) HHS information systems protect wireless access using authentication and encryption.
Additional Criteria:
When deploying wireless access points the following minimum standards shall apply:
1. File sharing on wireless clients shall be disabled.
2. Client NIC and Access Point firmware shall be upgradeable so that security patches may be deployed as they become available.
3. Access Points shall be turned off when they are not in use (e.g., after hours and on weekends).
4. The Access Point's Service Set Identifier (SSID) shall be changed from the default setting to an ID that does not reveal the identity of the Agency or department or the nature of the work at the physical location where it is installed, and SSID broadcast shall be disabled.
5. All non-secure and nonessential management protocols on Access Points shall be disabled.
6. All security features of the WLAN product, including the cryptographic authentication feature, shall be enabled.
7. Wi-Fi Protected Access (WPA) or a stronger security standard shall be implemented.
8. Access Point passwords shall be strong and shall be changed regularly.
9. User authentication shall use an RFC-compliant method, such as RADIUS or TACACS.
10. Authentication mechanisms for the management interfaces of the Access Point shall be enabled and management traffic destined for Access Points shall be on a dedicated wired subnet.
11. SNMP settings on Access Points shall be disabled or set for least privilege (i.e., read only), with SNMPv3 or equivalent cryptographically protected protocol in use.
12. Installers shall ensure that new WLAN installations do not interfere with other existing equipment.
13. Physical and remote access to the Access Point Reset Function shall be restricted to authorized administrators only.
14. The default cryptographic key shall be changed from the factory default and shall be changed on a regular basis.
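Several of the access-point standards above (4, 7, 9, and the "cryptographic authentication feature" of 6) map directly onto settings in a hostapd configuration, so they can be checked from the config file rather than from a screenshot of the vendor UI. The following is an added example, not part of the HHS policy or any HHS build standard: a checker that reads a hostapd.conf-style file and reports which of those standards a configuration misses, run against a constructed weak configuration and a constructed hardened one. The hostapd directive names are real hostapd settings; the sample SSIDs, the RADIUS address and secret, the lists of vendor-default SSIDs and agency identifiers, the 20-character passphrase floor, and the reading of "WPA or greater" as WPA2/RSN-only are assumptions. Standards that live outside hostapd (management on a dedicated wired subnet, SNMPv3, powering APs off after hours, firmware upgradability) are not checked here.

```python
"""Check a hostapd configuration against the AC-18 access-point standards (added example, not HHS code)."""

VENDOR_DEFAULT_SSIDS = {"default", "linksys", "netgear", "dlink", "tp-link"}   # assumed
AGENCY_TERMS = ("hhs", "hhsc")   # assumed identifiers an SSID must not reveal (standard 4)
MIN_PASSPHRASE_LEN = 20          # assumed floor if a pre-shared key is used at all


def parse_hostapd(text):
    """hostapd.conf is key=value, one per line; '#' starts a comment."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def audit_hostapd(cfg):
    """Return the standards a configuration fails, as short tags in check order."""
    findings = []
    ssid = cfg.get("ssid", "").lower()
    if not ssid or ssid in VENDOR_DEFAULT_SSIDS or any(t in ssid for t in AGENCY_TERMS):
        findings.append("ssid-default-or-identifying")          # standard 4
    if cfg.get("ignore_broadcast_ssid", "0") == "0":
        findings.append("ssid-broadcast-enabled")                # standard 4
    wpa = int(cfg.get("wpa", "0"))   # hostapd: 0 = open, 1 = WPA, 2 = WPA2/RSN, 3 = both
    if wpa == 0:
        findings.append("wpa-not-enabled")                       # standard 7, literal minimum
    elif wpa & 1:
        findings.append("legacy-wpa1-permitted")                 # stricter reading of "or greater"
    ciphers = (cfg.get("wpa_pairwise", "") + " " + cfg.get("rsn_pairwise", "")).upper()
    if "TKIP" in ciphers:
        findings.append("tkip-allowed")                          # standard 6: CCMP only
    if "WPA-EAP" not in cfg.get("wpa_key_mgmt", "") or cfg.get("ieee8021x") != "1":
        findings.append("no-8021x-radius")                       # standard 9
    elif not cfg.get("auth_server_addr"):
        findings.append("radius-server-missing")                 # standard 9
    if "wpa_passphrase" in cfg and len(cfg["wpa_passphrase"]) < MIN_PASSPHRASE_LEN:
        findings.append("weak-psk")                              # standard 14
    return findings


# Constructed weak configuration: identifying broadcast SSID, WPA1/TKIP with a short PSK.
WEAK = """\
interface=wlan0
ssid=HHSC-Austin-Office
hw_mode=g
channel=6
ignore_broadcast_ssid=0
wpa=1
wpa_key_mgmt=WPA-PSK
wpa_pairwise=TKIP
wpa_passphrase=password
"""

# Constructed hardened configuration: non-identifying hidden SSID, WPA2/RSN with CCMP only,
# 802.1X against an (assumed) RADIUS server, no pre-shared key at all.
HARDENED = """\
interface=wlan0
ssid=ap-7f3a2c
hw_mode=g
channel=6
ignore_broadcast_ssid=1
wpa=2
wpa_key_mgmt=WPA-EAP
rsn_pairwise=CCMP
ieee8021x=1
auth_server_addr=10.0.0.5
auth_server_port=1812
auth_server_shared_secret=replace-with-a-long-random-secret
"""


def run_checks():
    return {"weak": audit_hostapd(parse_hostapd(WEAK)),
            "hardened": audit_hostapd(parse_hostapd(HARDENED))}


if __name__ == "__main__":
    for label, findings in run_checks().items():
        print(label, findings or "no findings")
```

Hiding the SSID (standard 4) is worth keeping in perspective: a non-broadcast SSID still appears in client probe and association frames, so the check treats it as a hygiene item, not as a control that replaces the 802.1X authentication of standard 9.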
AC-19 (1) (2) (3) | Access Control for Mobile Devices | P2 | The HHS organization:
a. Establishes usage restrictions and implementation guidance for HHS-controlled mobile devices;
b. Authorizes connection of mobile devices meeting HHS usage restrictions and implementation guidance to HHS information systems;
c. Monitors for unauthorized connections of mobile devices to HHS information systems;
d. Enforces requirements for the connection of mobile devices to HHS information systems;
e. Disables information system functionality that provides the capability for automatic execution of code on mobile devices without user direction;
f. Issues specially configured mobile devices to individuals traveling to locations deemed to be of significant risk in accordance with HHS policies and procedures; and
g. Applies inspection for signs of physical tampering and purging/reimaging of the hard disk drive to mobile devices returning from locations that the organization deems to be of significant risk, in accordance with HHS organizational policies and procedures.
(1) Restricts the use of writable, removable media in HHS information systems.
(2) Prohibits the use of personally owned, removable media in HHS information systems.
(3) Prohibits the use of removable media in HHS information systems when the media has no identifiable owner.
AC-20 (1) | Use of External Information Systems | P3 | The HHS organization establishes terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information systems, allowing authorized individuals to:
a. Access the information system from the external information systems; and
b. Process, store, and/or transmit organization-controlled information using the external information systems.
(1) Permits authorized individuals to use an external information system to access the information system or to process, store, or transmit organization-controlled information only when HHS:
(a) Can verify the implementation of required security controls on the external system as specified in HHS information security policy and specific system security plan; or
(b) Has approved information system connection or processing agreements with HHS entity hosting the external information
AC-22 | Publicly Accessible Content | P3 | The HHS organization:
a. Designates individuals authorized to post information on an HHS component that is publicly accessible;
b. Trains authorized individuals to ensure that publicly accessible information does not contain nonpublic information;
c. Reviews the proposed content of publicly accessible information for nonpublic information prior to posting on HHS information systems;
d. Reviews the content on publicly accessible HHS information systems for nonpublic information on a monthly basis; and
e. Removes nonpublic information from publicly accessible HHS information systems, if discovered.
6.3.2 (AU) Audit and Accountability Policy and Its Controls
Policy: The HHS organization (i) requires the creation, protection, and retention of information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) requires that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
Table 19 lists the Audit and Accountability (AU) controls for moderate impact systems.
Table 19 Audit and Accountability Controls Policy ID 6.3.2 HHS
Control ID | Control Name | Priority | Description of Control
AU-1 | Audit and Accountability Policy and Procedures | P1 | The HHS organization develops, disseminates, and reviews/updates annually:
a. A formal, documented audit and accountability policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
b. Formal, documented procedures to facilitate the implementation of the audit and accountability policy and associated audit and accountability controls.
AU-2 (3) (4) | Auditable Events | P1 | The HHS organization:
a. Determines, based on a risk assessment and HHS mission/business needs, that HHS information systems must be capable of auditing the events described in "Appendix C Recommended Events for Logging";
b. Coordinates the security audit function with other HHS entities requiring audit-related information to enhance mutual support and to help guide the selection of auditable events;
c. Ensures that the list of auditable events is adequate to support after-the-fact investigations of security incidents based on current threat information and ongoing assessment of risk; and
d. Determines, based on current threat information and ongoing assessment of risk, that the events specified in AU-2a are to be audited at the frequencies specified in the system security plan.
(3) Reviews and updates the list of auditable events annually.
(4) Includes execution of privileged functions in the list of events to be audited by the information system, including administrator and user account activities, failed and successful log-ons, security policy modifications, use of administrator privileges, system shutdowns, reboots, errors, and access authorizations.
AU-3 (1) | Content of Audit Records | P1 | HHS information systems shall produce audit records that contain sufficient information to, at a minimum, establish what type of event occurred, date and time the event occurred, where the event
AU-4 | Audit Storage Capacity | P1 | The HHS organization allocates audit record storage capacity and configures auditing to reduce the likelihood of that capacity being exceeded.
AU-5 | Response to Audit Processing Failures | P1 | HHS information systems:
a. Alert designated HHS officials in the event of an audit processing failure; and
b. Take one of the following additional actions in response to an audit failure or audit storage capacity issue:
- Shut down the HHS information system/application;
- Stop generating audit records; or
- Overwrite the oldest records, where storage media is unavailable.
AU-6 | Audit Review, Analysis, and Reporting | P1 | The HHS organization:
(a) Reviews and analyzes audit records for defined key HHS information systems on a daily basis for indications of inappropriate or unusual activity, and reports findings to designated HHS officials. Indicators of inappropriate or unusual activity include:
- Excessive logon attempt failures by single or multiple users;
- Logons at unusual/non-duty hours;
- Failed attempts to access restricted system or data files indicating a possible pattern of deliberate browsing;