HHS Information System Security Controls Catalog V 1.0

(1)

HHS

Information System

Security Controls Catalog

V 1.0

(2)

Table of Contents

DOCUMENT HISTORY ... 3

1. Purpose ... 4

2. Security Controls Scope ... 4

3. Security Controls Compliance ... 4

4. Security Controls Catalog Ownership ... 4

5. HHS Security Control Framework ... 5

Security Control Class Areas ... 5

Core Principles of Information Security ... 8

Defining Potential Impact on Organizations and Individuals ... 8

6. HHS Security Controls ... 9

6.1 Management Controls ... 11

6.1.1 (CA) Security Assessment and Authorization Policy and Its Controls ... 11

6.1.2 (PL) Planning Policy and Its Controls ... 14

6.1.3 (PM) Program Management Policy and Its Controls ... 17

6.1.4 (RA) Risk Assessment Policy and Its Controls ... 19

6.1.5 (SA) System and Services Acquisition Policy and Its Controls ... 21

6.2 Operational Controls ... 26

6.2.1 (AT) Awareness and Training Policy and Its Controls ... 26

6.2.2 (CM) Configuration Management Policy and Its Controls ... 27

6.2.3 (CP) Contingency Planning Policy and Its Controls ... 30

6.2.4 (IR) Incident Response Policy and Its Controls ... 34

6.2.5 (MA) Maintenance Policy and Its Controls ... 37

6.2.6 (MP) Media Protection Policy and Its Controls ... 39

6.2.7 (PE) Physical and Environmental Protection Policy and Its Controls ... 41

6.2.8 (PS) Personnel Security Policy and Its Controls ... 44

6.2.9 (SI) System and Information Integrity Policy and Its Controls ... 46

6.3 Technical Controls ... 50

6.3.1 (AC) Access Control Policy and Its Controls ... 50

6.3.2 (AU) Audit and Accountability Policy and Its Controls ... 60

6.3.3 (IA) Identification and Authentication Policy and Its Controls ... 64

6.3.4 (SC) System and Communications Protection Policy and Its Controls ... 68

6.4 Privacy Controls ... 75

6.4.1 (AP) Authority and Purpose Policy and Its Controls ... 75

6.4.2 (AR) Accountability, Audit, and Risk Management Policy and Its Controls ... 76

6.4.3 (DI) Data Quality and Integrity Policy and Its Controls ... 78

6.4.4 (DM) Data Minimization and Retention Policy and Its Controls ... 79

6.4.5 (IP) Individual Participation and Redress Policy and Its Controls ... 80

6.4.6 (SE) Security Policy and Its Controls ... 81

6.4.7 (TR) Transparency Policy and Its Controls ... 82

6.4.8 (UL) Use Limitation Policy and Its Controls ... 83

(3)

DOCUMENT HISTORY

Revision History:

Numbering convention: Version. Revision as n.xx. Pre-publication drafts are 0.xx; first published version is 1.00; for minor revisions to a published document, increment the decimal number (ex. 1.01); for major content upgrades to a published document, increment the leading whole number (ex.2.00).

Revision Date Description

1.0 03-2013 First published version of the document distributed by the Office of the Chief Information Security Officer (CISO).

(4)

1. Purpose

The Security Controls contained in this document are the safeguards or countermeasures that when implemented and enforced will satisfy the information security requirements defined in the HHS Enterprise Information Security

Standards and Guidelines (EISSG v5.1) document.

A comprehensive set of security controls protect not only information and systems, but also individual employees and HHSC as a whole. As such, these security controls represent the HHS organizations strong commitment to information systems security.

2. Security Controls Scope

All HHS employees, contractors, and third party users, and all HHS physical, software, and information assets (whether standalone or attached to the HHS local and wide area networks), that store, process, or transmit HHS data, as well as all services that support or otherwise handle those physical, software, and information assets, are required to comply with the information systems security controls contained within this document.

3. Security Controls Compliance

Compliance with the security controls contained within this security controls catalog document is mandatory. Reviews to ensure compliance are undertaken at established intervals using authorized methods. Non-compliance is managed according to published HHS security controls.

4. Security Controls Catalog Ownership

The HHS CISO is the sponsor and issuing authority for this HHS Information Systems Security Controls Catalog document.

(5)

5. HHS Security Control Framework

Security Control Class Areas

The HHS security program makes extensive use of the information security guidance found in the National Institute of Standards and Technology (NIST) Special Publications (SP) 800-53, Revision 3 and Appendix J document. This guidance has been adapted to the unique HHS environment and provides the fundamental security principles on which this security control framework is built.

The security program framework is divided into four program class areas: Management, Operational, Technical, and Privacy. Each program class area is further divided into a set of security families. There are a total of 26 control families each producing a high level security policy. Each family has a two letter identifier that is the prefix of the Control ID; see the column labeled “Family ID” in Table 1 on page 5.

Management Control Class Area – Focuses on policies that relate to the management of risk and the

management of the HHS security program. This class consists of five security policies: Security Assessment and Authorization, Planning, Program Management, Risk Assessment, System Services and Acquisition.

Operational Control Class Area – Focuses on policies that are primarily implemented and executed by people,

rather than the information system. This class consists of nine security policies: Awareness and Training,

Configuration Management, Contingency Planning, Incident Response, Maintenance, Media Protection, Physical and Environmental Protection, Personnel Security, and System and Information Integrity.

Technical Control Class Area – Focuses on policies that are primarily implemented and executed by the

information system through mechanisms contained in the hardware, software, or firmware components of the system. This class consists of four security policies: Access Control, Audit and Accountability, Identification and Authentication, and System and Communications Protection.

Privacy Control Class Area – Focuses on policies that define the administrative, technical, and physical

safeguards employed to protect HHS Restricted and Confidential Information.

Each one of the security policies has a number of supporting security controls that when implemented and enforced will satisfy the requirements of the security policy. There are a total of 197 Controls, including the Security and Privacy Controls.

(6)

Table 1 Organization of Policies and Controls Control Class Area Item Number Family ID

Policy Family Name Number of

Security Controls

Management 1. CA Security Assessment and Authorization

(formerly Certification, Accreditation, and Security Assessment)

6

2. PL Planning 5

3. PM Program Management 11

4. RA Risk Assessment 4

5. SA System Services and Acquisitions 11

Operational 6. AT Awareness and Training 4

7. CM Configuration Management 9

8. CP Contingency Planning 9

9. IR Incident Response 8

10. MA Maintenance 6

11. MP Media Protection 6

12. PE Physical and Environmental Protection 18

13. PS Personnel Security 8

14. SI System and information Integrity 11

Technical 15. AC Access Control 16

16. AU Audit and Accountability 13

17. IA Identification and Authentication 8

18. SC System and Communications Protection 21

Privacy 19. AP Authority and Purpose 2

20. AR Accountability, Audit, and Risk Management 6

21. DI Data Quality and Integrity 2

22. DM Data Minimization and Retention 2

23. IP Individual Participation and Redress 4

24. SE Security 2

25. TR Transparency 2

26. UL Use Limitation 3

TOTAL 197

Table 1: Lists the four program class areas, the security policies families, and the number of controls in each

(7)

Figure 1 is a graphical representation of the information in Table 1.

HHS Information Security Control Framework Management

Control Class Area

Operational Control Class Area

Technical Control Class Area

Security Assessment and Authorization Policy

Planning Policy

Risk Assessment Policy

System Services and Acquisition Policy Program Management Policy

Awareness and Training Policy

Configuration Management Policy

Contingency Planning Policy

Incident Response Policy

Maintenance Policy

Media Protection Policy

Physical and Environmental Protection Policy

Personnel Security Policy

System and Information Integrity Policy

Access Control Policy

Audit and Accountability Policy

Identification and Authentication Policy

System and Communications Protection Policy

AC Controls - 16 CA Controls - 6 AT Controls - 4

PL Controls - 5 CM Controls - 9 AU Controls - 13

RA Controls - 4 CP Controls - 9 IA Controls - 8 SA Controls - 11 IR Controls - 8 SC Controls - 21 PM Controls - 11 MA Controls - 6 MP Controls - 6 PE Controls -18 PS Controls - 8 SI Controls - 11 Privacy Control Class Area

Transparancey Policy

Use Limitation Policy Accountability, Audit, and Risk

Management Policy

TR Controls - 2 AP Controls - 2

UL Controls - 3 AR Controls - 6

Authority and Purpose Policy

Data Quality and Integrity Policy

DI Controls - 2

Data Minimization and Retention Policy

DM Controls - 2

Individual Participation and Redress Policy

IP Controls - 4

Security Policy

SE Controls - 2

Figure 1 HHS Security Control Framework

(8)

Core Principles of Information Security

The selection and employment of appropriate security controls for an information system are important tasks that can have major implications on the operations and assets of an organization.

Security controls are designed to prevent a breach of security by protecting the core principles of information security: confidentiality, integrity, and availability of the system and its information.

Confidentiality

“Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information…” [44 U.S.C., Sec. 3542].

A loss of confidentiality is the unauthorized disclosure of information.

Integrity

“Guarding against improper information modification or destruction, and includes ensuring information non-repudiation and authenticity…” [44 U.S.C., Sec. 3542].

A loss of integrity is the unauthorized modification or destruction of information.

Availability

“Ensuring timely and reliable access to and use of information…” [44 U.S.C., SEC. 3542]. A loss of availability is the disruption of access to or use of information or an information system.

Defining Potential Impact on Organizations and Individuals

FIPS Publication 199 defines three levels of potential impact on organizations or individuals should there be a breach of security, a loss of confidentiality, integrity, or availability. The application of these definitions takes place within the context of each organization and the overall national interest. The potential impact is:

Low

When the loss of confidentiality, integrity, or availability is expected to have a limited adverse effect on organizational operations, organizational assets, or individuals.

Moderate

When the loss of confidentiality, integrity, or availability is expected to have a serious adverse effect on organizational operations, organizational assets, or individuals.

High

When the loss of confidentiality, integrity, or availability is expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals.

The security program team, working with the HHS Chief Information Security Officer (CISO), has determined that the information systems operating within the HHS environment are assigned a Security Category of Moderate

Impact. The controls defined in this document are the minimum set of controls required to secure moderate

impact information systems and are identified as Minimum Baseline Security Controls for the moderate impact information systems within HHS.

(9)

6. HHS Security Controls

Section 5 lists all of the security controls that could be used to protect the HHS information systems that process, store or transmit data. A subsection contains the controls for each of program class areas: 6.1 Management, 6.2 Operational, 6.3 Technical, and 6.4 Privacy.

Table 2 is an example of a control table.

Table 3 explains the information in the controls tables.

Table 2 Example of Controls Table

Control ID

Control

Name Priority Description of Control

CM-7 (1)

Least Functionality

P1 The HHS organization configures the HHS information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.

(1) Reviews HHS information systems within annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.

Additional Criteria:

{i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security plan; all others are disabled.

 Any functions installed by default that are not required by the HHS information systems are disabled.

 Services and or software that are not needed should not be present on the server.

Table 3 How to Read the Controls Tables

Column Number/Name

Composed

Of Definition Example from Table 2

1 Control ID

AA Two letter family identifier that specifies the policy that the control belongs to.

CM

-# Arbitrary sequential number that makes each Control ID unique.

-7 (#) One or more control Enhancements

that are defined in the Description of Control column.

(1)

2 Control Name

Not applicable A unique descriptive name for each specific control.

Least Functionality

3 Priority

P1 through P3 See Table 30. P1

4 Control Description

Control Description

The specific criteria for the control that is testable and auditable and when implemented and enforced mitigates the risks and threats to the information system.

The HHS organization configures the HHS information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.

(10)

extra security control criteria to make the control more robust.

within annually to identify and eliminate unnecessary functions, ports, protocols, and/or services.

Additional Criteria

Provides instructions from

authoritative sources to the control owner on how to implement. [i] This is for criteria from IRS Publication 1075. The criteria is preceded by [and Roman numerals and followed by].

{i} This is for criteria from Center for Medicare and Medicaid Services (CMS) The criteria is preceded by {and Roman numerals and followed by}.

{i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security plan; all others are disabled.

 Any functions installed by default that are not required by the HHS

information systems are disabled.  Services and or software that are not

needed should not be present on the server.

(11)

6.1 Management Controls

The Management program class of controls (safeguards or countermeasures) for an information system is focused on the management of risk and the management of information system security. This class has five control families: Security Assessment and Authorization (CA), Planning (PL), Program Management (PM), Risk Assessment (RA), and System and Services Acquisition (SA).

6.1.1 (CA) Security Assessment and Authorization Policy and Its Controls

Policy: The HHS organization requires that (i) an initial assessment of the security controls for key information systems is performed to determine if the controls are effective in their application; (ii) controls are monitored on an ongoing basis to ensure their continued effectiveness; (iii) information systems containing potential vulnerabilities due to deficiencies in their controls are documented and acknowledged by the HHS CISO and/or his designee and (iv) plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities are developed and implemented.

Table 4 lists the Security Assessment and Authorization (CA) controls for moderate impact systems. Table 4 Security Assessment and Authorization Controls Policy ID 6.1.1

Control ID

Control

CA-1 Security Assessment and Authorization Policies and Procedures

P1 The HHS organization develops, disseminates, and reviews/updates annually:

a. Formal, documented security assessment and authorization policies that address purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;

b. Formal, documented procedures to facilitate the implementation of the security assessment and authorization policies and associated security assessment and authorization controls.

(12)

Table 4 Security Assessment and Authorization Controls Policy ID 6.1.1

Control ID

Control

CA-2 (1) Security Assessments

P1 The HHS organization:

a. Develops a security assessment plan that describes the scope of the assessment including:

- Security controls and control enhancements under assessment; - Assessment procedures to be used to determine security control effectiveness;

- Assessment environment, assessment team, and assessment roles and responsibilities;

b. Assesses the security controls in HHS information systems annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system;

c. Produces a security assessment report that documents the results of the assessment; and;

d. Provides the results of the security control assessment in writing to the authorizing official who is responsible for reviewing the assessment documentation.

(1) Employs an independent assessor or assessment team to conduct an assessment of the security controls in the HHS information systems. Additional Criteria:

{i} A security assessment of all security controls must be conducted for all newly implemented systems.

{ii} The HHS system owner notifies the appropriate personnel as defined within applicable business requirement document and change requests whenever updates are made to system security authorization artifacts or significant role changes occur (e.g.: system developer/maintainer, information system security analyst).

CA-3 Information System

Connections

a. Authorizes connections from the HHS information systems to other information systems outside of the authorization boundary through the use of Data Sharing Agreements;

b. Documents for each connection, the interface characteristics, security requirements, and the nature of the information communicated; and; c. Monitors the HHS component connections on an ongoing basis verifying enforcement of security requirements.

{i} Record each system interconnection in the HHS Information Systems Security Plan document and the HHS Information Systems Security Risk

(13)

Table 4 Security Assessment and Authorization Controls Policy ID 6.1.1

Control ID

Control

CA-5 Plan of Action and Milestones

a. Develops a plan of action and milestones (POA&M) for the information system to document the organization’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and;

b. Updates and submits existing POA&M on monthly bases until all the findings are resolved based on the findings from security controls assessments, security impact analyses, and continuous monitoring activities.

CA-6 Security Authorization

a. Identifies the HHS CISO, Agency IRM, Agency ISO’s as the approving officials for the HHS environment;

b. Ensures that the approving official authorizes the information system for processing before commencing operations; and;

c. Updates the security authorization: - At least annually for high risk assets;

- When substantial changes are made to the system;

- When changes in requirements result in the need to process data of a higher sensitivity;

- When changes occur to authorizing legislation or federal/state requirements;

- After the occurrence of a serious security violation which raises questions about the validity of an earlier security authorization; and; - Prior to expiration of a previous security authorization.

CA-7 Continuous Monitoring

P2 The HHS organization establishes a continuous monitoring strategy and implements a continuous monitoring program that includes:

a. A configuration management process for HHS and its constituent components;

b. A determination of the security impact of changes to HHS information systems and environment of operation;

c. Ongoing security control assessments in accordance with the continuous monitoring strategy; and;

d. Reporting the security state of the HHS information systems to appropriate organizational officials within annually.

(14)

6.1.2 (PL) Planning Policy and Its Controls

Policy: The HHS organization requires the development, documentation, periodic update, and implementation of security plans for information systems within the HHS environment. HHS organization requires that those security plans describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.

Table 5 lists the Planning (PL) controls for moderate impact systems.

Table 5 Planning Controls Policy ID 6.1.2

HHS Control

ID

Control

PL-1 Security Planning Policy and Procedures

P1 HHS organization develops, disseminates, and reviews/updates within annually:

a. A formal, documented security planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;

b. Formal, documented procedures to facilitate the implementation of the security planning policy and associated security planning controls.

(15)

HHS Control

ID

Control

PL-2 System Security Plan

a. Develops security plans for HHS information systems that: - Are consistent with HHS’s enterprise architecture;

- Explicitly define the authorization boundary for the HHS information systems;

- Describe the operational context of HHS information systems in terms of missions and business processes;

- Provide the security categorization of the HHS information systems including supporting rationale;

- Describe the operational environment for HHS information systems; - Describe relationships with or connections to other information systems; - Provide an overview of the security requirements for HHS;

- Describe the security controls in place or planned for meeting those requirements including a rationale for the tailoring and supplementation decisions; and;

- Is reviewed and approved by the authorizing official or a designated representative prior to plan implementation.

b. Reviews the security plan for HHS information systems within annually; and;

c. Updates the plan, minimally every three (3) years, to address current conditions or whenever:

- There are significant changes to the information system/environment of operation that affect security;

- Problems are identified during plan implementation or security control assessments:

- When the data sensitivity level increases;

- After a serious security violation due to changes in the threat environment; or;

- Before the previous security authorization expires. Additional Criteria:

{iii} (For IRS FTI only) Develop and submit a Safeguard Procedures Report (SPR) that describes the procedures established and used by the HHS organization for ensuring the confidentiality of the information received from the IRS. This report is provided every six years or when significant changes occur in the safeguard program.

A Safeguard Activity Report (SAR advises the IRS of minor changes to the procedures or safeguards described in the SPR. It also advises the IRS of future actions that will affect HHS's current efforts to ensure the

confidentiality of IRS FTI, and finally, certifies that HHS is protecting IRS FTI pursuant to IRC Section 6103(p)(4) and HHS's own security requirements. This report is provided annually by September 30th. (Reference IRS Publication 1075, sections 7 & 8).

PL-4 Rules of Behavior

a. Establishes and makes readily available to all HHS users the rules that describe their responsibilities and expected behavior with regard to information, the information system, and network use. (Reference: Acceptable Use Policy (AUP)); and;

b. Receives signed acknowledgment from users indicating that they have read, understand, and agree to abide by the rules of behavior, before

(16)

HHS Control

ID

Control

PL-5 Privacy Impact Assessment

P3 The HHS organization conducts a privacy impact assessment on HHS information systems in accordance with OMB Memorandum 03-22. PL-6

Security-Related Activity Planning

P3 The HHS organization plans and coordinates security-related activities affecting the HHS information systems before conducting such activities in order to reduce the impact on operations (e.g.: its mission, functions, image, and reputation), assets, and individuals.

(17)

6.1.3 (PM) Program Management Policy and Its Controls

Policy: The HHS organization employs information security requirements that are independent of any particular information system and considered essential for managing the HHS security program.

Table 6 lists the Management (PM) controls for moderate impact systems.

Table 6 Program Management Controls Policy ID 6.1.3

HHS Control

ID

Control Name Priority Description of Control

PM-1 Information Security Program Plan

a. Develops and disseminates an organization-wide information system security program plan that:

i. Provides an overview of the requirements for the security program and a description of the security program management controls and common controls in place or planned for meeting those requirements.

ii. Provides sufficient information about the program management controls and common controls (including specification of parameters for any assignment and selection operations either explicitly or by reference) to enable an implementation that is unambiguously compliant with the intent of the plan and a determination of the risk to be incurred if the plan is implemented as intended.

iii. Includes roles, responsibilities, management commitment, coordination among organizational entities, and compliance. iv. Is approved by the HHS CISO, Agency IRM, and ISO with responsibility and accountability for the risk being incurred to organizational operations (including mission, functions, image, and reputation), organizational assets, and individuals.

b. Reviews the HHS-wide information security program plan annually; and;

c. Revises the plan to address organizational changes and problems identified during plan implementation or security control assessments.

PM-2 Senior Information Security Officer

P1 The HHS organization appoints a Chief Information Security Officer (CISO) with the mission and resources to coordinate, develop, implement, and maintain a HHS-wide information security program.

PM-3 Information Security

Resources

a. Ensures that all capital planning and investment requests include the resources needed to implement the information security program and documents all exceptions to this requirement;

b. Employs a business case and/or Exhibit 300/Exhibit 53 to record the resources required (Ref: SA-2); and

c. Ensures that information security resources are available for expenditure as planned.

PM-4 Plan of Action and Milestones Process

P1 The HHS organization implements a process for ensuring that plans of action and milestones for the security program and the associated organizational information systems are maintained and documents the remedial information security actions to mitigate

(18)

Table 6 Program Management Controls Policy ID 6.1.3

HHS Control

ID

PM-5 Information System Inventory

P1 The HHS organization develops and maintains inventories of Agency information systems.

PM-6 Information Security

Measures of Performance

P2 The HHS organization develops, monitors, and reports on the results of information security measures of performance.

PM-7 Enterprise Architecture

P1 The HHS organization develops enterprise architecture with consideration for information security and the resulting risk to HHS operations, assets, and individuals.

PM-8 Critical Infrastructure Plan

P3 The HHS organization addresses information security issues in the development, documentation, and updating of a critical infrastructure and key resources protection plan.

PM-9 Risk Management Strategy

a. Develops a comprehensive strategy to manage risk to

organizational operations and assets, and individuals associated with the operation and use of information systems; and;

b. Implements that strategy consistently across the HHS organization.

PM-10 Security Authorization Process

a. Manages (i.e. documents, tracks, and reports) the security state of HHS information systems through security authorization processes;

b. Designates individuals to fulfill specific roles and responsibilities within the organizational risk management process; and;

c. Fully integrates the security authorization processes into the HHS-wide risk management program.

PM-11 Mission/Business Process

Definition

a. Defines mission/business processes with consideration for information security and the resulting risk to organizational operations, organizational assets, and individuals; and; b. Determines information protection needs arising from the defined mission/business processes and revises the processes as necessary, until an achievable set of protection needs is obtained. Additional Criteria:

[i] (For Federal Tax Information (FTI) only) Organizations are not allowed to make further disclosures of FTI to their agents or to a contractor unless authorized by statute. (See , IRS Publication 1075 Section. 11.1)

(19)

6.1.4 (RA) Risk Assessment Policy and Its Controls

Policy: The HHS organization requires that risks to HHS operations (including its mission, functions, image, or reputation), HHS assets, and individuals, resulting from the operation of HHS information systems and the associated processing, storage, or transmission of HHS information, are assessed.

Table 7 lists the Risk Assessment (RA) controls for moderate impact systems.

Table 7 Risk Assessment Controls Policy ID 6.1.4

HHS Control

ID

Control

RA-1 Risk Assessment Policy and Procedures

P1 The HHS organization develops, disseminates, and reviews/updates within annually:

a. A formal, documented risk assessment policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;

b. Formal, documented procedures to facilitate the implementation of the risk assessment policy and associated risk assessment controls. RA-2 Security

Categorization

a. Categorizes information and HHS information systems in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;

b. Documents the security categorization results (including supporting rationale) in the System security plan for the information system; and; c. Ensures the security categorization decision is reviewed and approved by the approving official or a designated representative. RA-3 Risk

Assessment

a. Conducts an assessment of risk, including the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, disruption, modification, or destruction of the HHS information systems and the information it processes, stores, or transmits;

b. Documents risk assessment results in accordance in a risk assessment report;

c. Reviews risk assessment results annually; and;

d. Updates the risk assessment annually or whenever there are significant changes to HHS information systems or environment of operation (including the identification of new threats and vulnerabilities), or other conditions that may impact the security or authorization state of the system.

[i] Risk assessment should be conducted for the information system based on the Agency defined methodology that includes the likelihood and magnitude of harm, from the unauthorized access, use, disclosure, modification, or destruction of the information system and the

(20)

Table 7 Risk Assessment Controls Policy ID 6.1.4

HHS Control

ID

Control

RA-5 (1) Vulnerability Scanning

a. Scans for vulnerabilities in HHS environment within every ninety (90) days and when new vulnerabilities potentially affecting the components are identified and reported;

b. Employs vulnerability scanning tools and techniques that promote interoperability among tools and automates parts of the vulnerability management process by using standards for:

- Enumerating platforms, software flaws, and improper configurations; - Formatting and making transparent checklists and test procedures; - Measuring vulnerability impact;

c. Analyzes vulnerability scan reports and results from security control assessments;

d. Remediates legitimate vulnerabilities based on the Agency defined risk prioritization in accordance with an organizational assessment of risk; and;

e. Shares information obtained from the vulnerability scanning process and security control assessments with designated personnel throughout HHS organization on a "need to know" basis to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

(1) Employs vulnerability scanning tools that include the capability to readily update the list of HHS component vulnerabilities scanned.

(21)

6.1.5 (SA) System and Services Acquisition Policy and Its Controls

Policy: The HHS organization (i) requires sufficient allocation of resources to adequately protect HHS information systems; (ii) employs system development life cycle processes that incorporate information security

considerations; (iii) employs software usage and installation restrictions; and (iv) requires that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from HHS. Table 8 lists the System and Services Acquisition (SA) controls for moderate impact systems.

Table 8 System and Services Acquisition Controls Policy ID 6.1.5

HHS Control

ID

SA-1 System and Services

Acquisition Policy and Procedures

a. A formal, documented system and services acquisition policy that includes information security considerations and that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;

b. Formal, documented procedures to facilitate the implementation of the system and services acquisition policy and associated system and services acquisition controls.

SA-2 Allocation of Resources

a. Includes a determination of information security requirements for the HHS information systems in mission/business process planning; b. Determines, documents, and allocates the resources required to protect the HHS information systems as part of its capital planning and investment control process; and;

c. Establishes a discrete line item in HHS programming and budgeting documentation for the implementation and management of information systems security.

SA-3 Life Cycle Support

a. Manages the HHS information systems using a system

development life cycle methodology that includes information security considerations;

b. Defines and documents HHS component security roles and responsibilities throughout the system development life cycle; and; c. Identifies individuals having HHS component security roles and responsibilities.

(22)

HHS Control

ID

SA-4 (1) (4)

Acquisitions P2 The HHS organization includes the following requirements and/or specifications, explicitly or by reference, in HHS component acquisition contracts based on an assessment of risk and in accordance with applicable federal/state laws, executive orders, directives, policies, regulations, and standards:

a. Security functional requirements/specifications; b. Security-related documentation requirements; and;

c. Developmental and evaluation-related assurance requirements. (1) Requires in acquisition documents that vendors/contractors provide information describing the functional properties of the security controls to be employed within the information system, information system components, or information system services in sufficient detail to permit analysis and testing of the controls.

(4) Ensures that each HHS component acquired is explicitly assigned to an information system, and that the owner of the system

acknowledges this assignment. Additional Criteria:

{i} Each contract and Statement of Work (SOW) that requires development or access to HHS information includes language requiring adherence to HHS security policies and standards, defines security roles and responsibilities, and receives approval from the HHS CISO, Agency IRM and Agency ISO’s.

(23)

HHS Control

ID

SA-5 (1) (3) Information System Documentation P3 The HHS organization:

a. Obtains, protects as required, and makes available to authorized personnel, administrator documentation for the information system that describes:

- Secure configuration, installation, and operation of the information system;

- Effective use and maintenance of security features/functions; and; - Known vulnerabilities regarding configuration and use of

administrative (i.e., privileged) functions;

b. Obtains, protects as required, and makes available to authorized personnel, user documentation for the HHS information systems that describes:

- User-accessible security features/functions and how to effectively use those security features/functions;

- Methods for user interaction with the information system, which enables individuals to use the system in a more secure manner; and;

- User responsibilities in maintaining the security of the information and information system; and;

c. Documents attempts to obtain HHS component documentation when such documentation is either unavailable or nonexistent. (1) Obtains, protects as required, and makes available to authorized personnel vendor/manufacturer documentation that describes the functional properties of the security controls employed within HHS information systems with sufficient detail to permit analysis and testing.

(3) Obtains, protects as required, and makes available to authorized personnel vendor/manufacturer documentation that describes the high-level design of the HHS information systems in terms of subsystems and implementation details of the security controls

employed within the system with sufficient detail to permit analysis and testing.

{i} Develop and update system documentation as necessary to describe the system and to specify the purpose, technical operation, access, maintenance, and required training for administrators and users.

{ii} Update documentation when system functions and processes change and include date and version number on all formal system documentation.

{iii} (For Protected Health Information (PHI) only) Retain

documentation of policies and procedures relating to HIPAA 164.306 for six (6) years from the date of its creation or the date when it was last in effect, whichever is later. (See: HIPAA 164.316(b). and SP800-66).

{iv} (For Federal Tax Information (FTI) only) When FTI is incorporated into a data warehouse, apply the controls described in IRS

Pubulication.1075, Exhibit 7, in addition to those specified in other controls.

(24)

HHS Control

ID

SA-6 Software Usage

Restrictions

a. Uses software and associated documentation in accordance with contract agreements and copyright laws;

b. Employs tracking systems for software and associated

documentation protected by quantity licenses to control copying and distribution; and;

c. Controls and documents the use of peer-to-peer file sharing technology to ensure that this capability is not used for the

unauthorized distribution, display, performance, or reproduction of copyrighted work.

SA-7 User-Installed Software

P2 The HHS organization: enforces explicit rules governing the installation of software by users.

{i} Prohibits users from downloading or installing software, unless explicitly authorized, in writing, by the Agency IRM, ISO or the HHS CISO or his/her designated representative. If authorized, explicit rules govern the installation of software by users.

{ii} If user-installed software is authorized, enforce the documented authorizations and prohibitions.

SA-8 Security Engineering Principles

P2 The HHS organization applies information system security engineering principles in the specification, design, development, implementation, and modification of the HHS networking, operating system, and database components.

[i] A documented set of security design principles and coding standards exists and shall be followed by HHS developers. [ii] The documented set of security design principles shall be consistent with NIST SP 800-27.

[iii] The design documentation covers many aspects of the HHS design but also documents the minimal security requirements for FTI, external interfaces, roles, access for the roles defined, and any unique security requirements.

(25)

HHS Control

ID

SA-9 External Information System Services

a. Requires that providers of external information system services comply with organizational information security requirements and employ appropriate security controls in accordance with applicable federal laws, executive orders, directives, policies, regulations, standards, and guidance;

b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and;

c. Monitors security control compliance by external service providers. Additional Criteria:

{i} Prohibits service providers from outsourcing any system function outside the U.S. or its territories for Medicaid Data.

{ii}(For Protected Health Information (PHI) only) A covered entity under HIPAA may permit a business associate to create, receive, maintain, or transmit ePHI on the covered entity's behalf only if the covered entity obtains satisfactory assurances, in accordance with HIPAA regulations. Such assurances must be documented and meet the requirements set forth in HIPAA regulations. (See HIPAA 164.308(b) and 164.314(a).)

SA-10 Developer Configuration Management

P1 The HHS organization requires that HHS developers/integrators: a. Perform configuration management during HHS information system design, development, implementation, and operation;

b. Manage and control changes to HHS information systems; c. Implement only organization-approved changes;

d. Document approved changes to HHS information systems; and; e. Track security flaws and flaw resolution.

SA-11 Developer Security Testing

P1 The HHS organization requires that HHS information system component developers/integrators, in consultation with associated security personnel (including security engineers):

a. Create and implement a security test and evaluation plan in accordance with, but not limited to, the current HHS procedures; b. Implement a verifiable flaw remediation process to correct

weaknesses and deficiencies identified during the security testing and evaluation process; and;

c. Document the results of the security testing/evaluation and flaw remediation processes.

([i]) HHS information systems should be tested for security flaws on a periodic basis using automated vulnerability scanning methods, or manual control testing, or a combination of both.

[ii] Test results are documented and security flaws found during the test should be entered into a tracking system and monitored for mitigation.

[iii] Agency systems/Applications should be tested for security flaws prior to release in production using manual or automated techniques or a combination of both.

(26)

6.2 Operational Controls

The Operational program class of controls (safeguards or countermeasures) for an information system is primarily controls that are implemented and executed by people, as opposed to systems. This class has nine control families: Awareness Training (AT), Configuration Management (CM), Contingency Planning (CP), Incident Response (IR), Maintenance (MA), Media Protection (MP), Personnel Security (PS), Physical and Environmental Protection (PE), and System and Information Integrity (SI).

6.2.1 (AT) Awareness and Training Policy and Its Controls

Policy: The HHS organization(i) requires that users of HHS information systems are made aware of the security risks associated with their activities and of the applicable laws, executive orders, directives, policies, standards, instructions, regulations, or procedures related to the security of HHS information systems; and (ii) requires that HHS personnel are complying with Agency security awareness training requirements.

Table 9 lists the Awareness and Training (AT) controls for moderate impact systems. Table 9 Awareness and Training Controls Policy ID 6.2.1

HHS Control

ID

Control

AT-1 Security Awareness and Training Policy and Procedures

a. A formal, documented security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;

b. Formal, documented procedures to facilitate the implementation of the system and communications protection policy and associated system and communications protection controls.

AT-2 Security Awareness

P2 The HHS organization verifies that HHS users (including managers, senior executives, and contractors) receive basic security awareness training provided by HHSC as part of initial training for new users prior to accessing any system’s information, when required by system changes, and annually thereafter.

AT-3 Security Training

P1 The HHS Organization provides role-based security-related training: (i) before authorizing access to the system or performing assigned duties; (ii) when required by system changes; and (iii) refresher training annually thereafter.

AT-4 Security Training Records

P1 The HHS Organization:

a. Documents and monitors individual information system security training activities including basic security awareness training and specific information system security training; and;

(27)

6.2.2 (CM) Configuration Management Policy and Its Controls

Policy: The HHS organization (i) establishes and maintains baseline configurations and inventories of HHS information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establishes and enforces security configuration settings for information technology products employed in HHS information systems.

Table 10 lists the Configuration Management (CM) controls for moderate impact systems. Table 10 Configuration Management Controls Policy ID 6.2.2 HHS

Control ID

Control

CM-1 Configuration Management Policy and Procedures

a. A formal, documented configuration management policy that addresses purpose, scope, roles, responsibilities, management commitment,

coordination among HHS entities, and compliance;

b. Formal, documented procedures to facilitate the implementation of the configuration management policy and associated configuration

management controls. CM-2 (1) (3) (4) Baseline Configuration P1 The HHS organization:

a. Develops, documents, and maintains under configuration control, a current baseline configuration of the HHS information systems.

(1) Reviews and updates the baseline configuration of HHS information systems:

(a) At least once annually;

(b) When required due to major system changes/upgrades and; (c) As an integral part of HHS component installations and upgrades. (3) Retains older versions of baseline configurations as deemed necessary to support rollback.

(4) The HHS organization:

(a) Develops and maintains an Agency-defined list of software programs not authorized (black list) to execute on the information system.

(b) Employs an allow-all, deny-by-exception authorization policy to identify software allowed to execute on HHS information security components. CM-3 (2) Configuration Change Control P1 The HHS organization:

a. Determines the types of changes to the HHS information systems that are configuration controlled;

b. Approves configuration-controlled changes to HHS with explicit consideration for security impact analyses;

c. Documents approved configuration-controlled changes to the system; d. Retains and reviews records of configuration-controlled changes to the system;

e. Audits activities associated with configuration-controlled changes to the system; and;

f. Coordinates and provides oversight for configuration change control activities through HHS change control board that convenes at least monthly or as needed.

(2) The HHS organization tests, validates, and documents changes to HHS before implementing the changes on the operational system.

(28)

Table 10 Configuration Management Controls Policy ID 6.2.2 HHS

Control ID

Control

CM-4 Security Impact Analysis

P3 The HHS organization analyzes changes to the HHS information system components to determine potential security impacts prior to change implementation.

CM-5 Access Restrictions for Change

P2 The HHS organization defines documents, approves, and enforces physical and logical access restrictions associated with changes to HHS. Additional Criteria:

[i] The configuration management repository access permissions are reviewed at least every three months.

[ii]. Records reflecting all such changes are generated, reviewed, and retained. CM-6 (3) Configuration Settings P1 The HHS organization:

a. Establishes and documents mandatory configuration settings for information technology products employed within the HHS information systems using the latest security configuration guidelines Data Center Services (DCS ) Master System Security Plan (MSSP) technical specification document.

b. Implements the configuration settings;

c. Identifies, documents, and approves exceptions from the mandatory configuration settings for individual components within HHS information systems based on explicit operational requirements; and;

d. Monitors and controls changes to the configuration settings in accordance with HHS policies and procedures.

(3) Incorporates detection of unauthorized, security-relevant configuration changes into the incident response capability to ensure that such detected events are tracked, monitored, corrected, and available for historical purposes.

[i] The Agency establishes and documents mandatory security configuration settings for HHS information systems.

CM-7 (1)

Least Functionality

a. Configures the HHS information systems to provide only essential capabilities and specifically prohibits or restricts the use of functions, ports, protocols, and/or services.

(1)Reviews HHS information systems within annually to identify and eliminate unnecessary functions, ports, protocols, and/or services. Additional Criteria:

{i} A list of specifically needed system services, ports, and network protocols should be maintained and documented in the system security

(29)

Table 10 Configuration Management Controls Policy ID 6.2.2 HHS

Control ID

Control

CM-8 (1) (5) Information System Component Inventory

P1 The HHS organization develops, documents, and maintains an inventory of HHS information systems that:

a. Accurately reflects current HHS information system components; (e.g. desktops, laptops, servers, network equipment (routers, switches, firewalls, etc.), printers, storage area networks, voiceover-IP telephones, etc. The inventory of information system components includes detail such as make, model, OS, type, model, serial number, physical location, owner, and machine name).

b. Is consistent with the authorization boundary of the HHS organization; c. Is at the level of granularity deemed necessary for tracking and reporting;

d. Includes manufacturer, model/type, serial number, version number, location (i.e. physical location and logical position within the HHS architecture, and ownership; and;

e. Is available for review and audit by designated HHS officials.

(1) Updates the inventory of HHS information systems as an integral part of component installations, removals, and updates.

(5) Verifies that all components within the authorization boundary of the HHS organization are either inventoried as a part of the system or recognized by another system as a component within that system. Additional Criteria:

[i] The inventory should be kept current through periodic manual inventory checks or a network monitoring tool automatically maintains the inventory. [ii] The network should be monitored for deviations from the expected inventory of assets on the network, and security and/or operations personnel are alerted when deviations or unauthorized hosts are discovered.

CM-9 Configuration Management Plan

P2 The HHS organization develops, documents, and implements a configuration management plan for the HHS information systems that: a. Addresses roles, responsibilities, and configuration management processes and procedures;

b. Defines the configuration items for HHS and when in the system development life cycle the configuration items are placed under configuration management; and;

c. Establishes the means for identifying configuration items throughout the system development life cycle and a process for managing the

(30)

6.2.3 (CP) Contingency Planning Policy and Its Controls

Policy: The HHS organization establishes, maintains, and effectively implements plans for emergency response, backup operations, and post-disaster recovery for HHS information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.

Table 11 lists the Contingency Planning (CP) controls that are for moderate impact systems. Table 11 Contingency Planning Controls Policy ID 6.2.3

HHS Control

ID

CP-1 Contingency Planning Policy and Procedures

a. A formal, documented contingency planning policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance; b. Formal, documented procedures to facilitate the implementation of the contingency planning policy and associated contingency planning controls.

CP-2 (1) Contingency Plan / Continuity of Operations Plan

a. Develops a contingency plan (CP) or Continuity of Operations Plan (COOP) for HHS information systems that:

- Identifies essential HHS missions and business functions and associated contingency requirements;

- Provides recovery objectives, restoration priorities, and metrics; - Addresses contingency roles, responsibilities, assigned

individuals with contact information;

- Addresses maintaining essential HHS missions and business functions despite a HHS disruption, compromise, or failure; - Addresses eventual, full HHS restoration without deterioration of the security measures originally planned and implemented; and;

- Is reviewed and approved by designated officials within the HHS organization;

b. Distributes copies of the COOP to key contingency personnel (identified by name and/or by role) and organizational elements; c. Coordinates contingency planning activities with incident handling activities;

d. Reviews the COOP for the HHS information systems annually. e. Revises the COOP to address changes to the HHS organization, HHS information systems, or environment of operation and

problems encountered during COOP implementation, execution, or testing; and;

f. Communicates COOP changes to key contingency personnel (identified by name and/or by role) and others as defined in the

(31)

Table 11 Contingency Planning Controls Policy ID 6.2.3

HHS Control

ID

CP-4 (1) Contingency Plan Testing and Exercises

a. Tests and/or exercises the contingency plan for the mission critical HHS information systems annually using defined tests and/or exercises such as the tabletop test in accordance with the current COOP procedure to determine the plan’s effectiveness and HHS’s readiness to execute the plan; and;

b. Documents and reviews the contingency plan test/exercise results and initiates reasonable and appropriate corrective actions to close or reduce the impact of contingency plan failures and deficiencies.

(1) Coordinates contingency plan testing and/or exercises with HHS elements responsible for related plans.

CP-6 (1) (3)

Alternate Storage Site

a. Establishes an alternate storage site including necessary agreements to permit the storage and recovery of HHS backup information.

(1) Identifies an alternate storage site that is separated from the primary storage site so as not to be susceptible to the same hazards.

(3) Identifies potential accessibility problems to the alternate storage site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

CP-7 (1) (2) (3) (5) Alternate Processing Site P2 The HHS organization:

a. Establishes an alternate processing site including necessary agreements to permit the resumption of HHS operations for essential HHS missions and business functions within an Agency defined period consistent with recovery time objective when the primary processing capabilities are unavailable; and;

b. Ensures that equipment and supplies required to resume operations are available at the alternate site or contracts are in place to support delivery to the site in time to support the Agency defined time period for restoration of service.

(1) Identifies an alternate processing site that is separated from the primary processing site so as not to be susceptible to the same hazards.

(2) Identifies potential accessibility problems to the alternate processing site in the event of an area-wide disruption or disaster and outlines explicit mitigation actions.

(3) Develops alternate processing site agreements that contain priority-of-service provisions in accordance with HHS’s availability requirements.

(5) Ensures that the alternate processing site provides information security measures equivalent to that of the primary site.

(32)

HHS Control

ID

CP-8 (1) (2)

Telecommunications Services

P3 The HHS organization establishes alternate telecommunications services including necessary agreements to permit the resumption of HHS information systems operations for essential HHS

organization missions and business functions within an Agency defined time period when the primary telecommunications capabilities are unavailable.

(1) The HHS organization:

(a) Develops primary and alternate telecommunications service agreements that contain priority-of-service provisions in

accordance with HHS’s availability requirements; and;

(b) Requests Telecommunications Service Priority (TSP) for all telecommunications services used for national security

emergency preparedness in the event that the primary and/or alternate telecommunications services are provided by a common carrier.

(2) Obtains alternate telecommunications services with

consideration for reducing the likelihood of sharing a single point of failure with primary telecommunications services.

CP-9 (1) Information System Backup

a. Conducts backups of user-level information contained in HHS information systems: full backups weekly, incremental or differential backups daily;

b. Conducts backups of system-level information contained in HHS information systems: full backups weekly, incremental or differential backups daily;

c. Conducts backups of HHS documentation including security-related documentation full backups weekly, incremental or differential backups daily; and;

d. Protects the confidentiality and integrity of backup information at the storage location.

(1) Tests backup information following each backup to verify media reliability and information integrity.

{i} Backups to include user-level and system-level information (including system state information). Three (3) generations of backups (full plus all related incremental or differential backups) are stored off-site. Log off-site and on-site backups with name, date, time and action.

{ii} (For (HHS Restricted and Confidential Information only) Ensure that a current, retrievable, copy of HHS Restricted and Confidential Information is available before movement of servers.

(33)

HHS Control

ID

CP-10 (2) (3) Information System Recovery and Reconstitution P2 The HHS organization:

a. Provides for the recovery and reconstitution of HHS to a known state after a disruption, compromise, or failure.

(2) HHS information systems implement transaction recovery for systems that are transaction-based.

(3) The HHS organization provides compensating security controls to address circumstances that inhibit recovery and reconstitution to a known state.

{i} Recovery and reconstitution for HHS information systems includes, but is not limited to:

(a) Resetting all system parameters (either default or organization-established),

(b) Reinstalling patches,

(c) Reestablishing configuration settings,

(d) Reinstalling application and system software, and; (e) Testing the system fully.

(34)

6.2.4 (IR) Incident Response Policy and Its Controls

Policy: The HHS organization (i) establishes an operational incident handling capability for HHS information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) tracks, documents, and reports incidents to appropriate HHS and HHSC officials and/or authorities.

Table 12 lists the Incident Response (IR) controls for moderate impact systems.

Table 12 Incident Response Controls Policy ID 6.2.4

HHS Control

ID

Control

IR-1 Incident Response Policy and Procedures

P2 The HHS organization develops, disseminates, and reviews/updates within annually:

a. A formal, documented incident response policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among HHS entities, and compliance;

b. Formal, documented procedures to facilitate the implementation of the incident response policy and associated incident response controls. IR-2 Incident

Response Training

a. Trains personnel in their incident response roles and responsibilities with respect to HHS information systems; and;

b. Provides refresher training within annually. IR-3 Incident

Response Testing and Exercises

P1 The HHS organization tests and/or exercises the incident response capability for the HHS information systems within annually using reviews, analyses, and simulations to determine the incident response effectiveness and documents the results.

[i] The Agency defines incident response tests/exercises that contain procedures for the following:

- Detecting unauthorized FTI access;

- Reporting unauthorized FTI access to IRS, TIGTA, and internal Agency incident response team.

[ii]. The Agency tests/exercises the incident response capability for FTI related security violations (e.g. simulated successful unauthorized access to FTI) at least annually.

Note: The incident response tests/exercise should be different from any testing activities perform as part of Disaster Recovery or Contingency Planning.

[iii] The Agency documents the results of incident response tests/exercises.