FISMA in Acquisitions

Upload: karthik-kannan

Post on 03-Apr-2018


7/28/2019 FISMA in Acquisitions

Thomas Mitchell, OCIO/OD/NIH/HHS
Raymond Dillon, OAMP/OD/NIH/HHS


    FISMA - ISAO/ODCIO 2

Patients' Data on Stolen Laptop
Identity Fraud Not Likely, NIH Says

By Ellen Nakashima and Rick Weiss, Washington Post Staff Writers
Monday, March 24, 2008; Page A01

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy. ...

"The shocking part here is we now have personally identifiable information -- name and age -- linked to clinical data," said Leslie Harris, executive director of the Center for Democracy and Technology. "If somebody does not want to share the fact that they're in a clinical trial or the fact they've got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here."

http://projects.washingtonpost.com/staff/email/ellen+nakashima+and+rick+weiss/

What You'll Learn

The Problem
FISMA Legislation
FISMA's applicability to grants and acquisitions
How the acquisition arena has changed since 9/11
The Acquisition Team
Security-related decisions in the acquisition process
Recent OMB FISMA-related issuances
Current NIH information security-related acquisition provisions and language



    The Problem

The external research community, grantees and contractors, perceives that FISMA information security requirements are being unevenly applied by and within Federal agencies. This perception was communicated to NIH Senior Management.

For example:
Background Investigations
Grant and Contract Information Security clauses


What's Needed

Provide a current, consistent, accurate message to NIH staff involved in acquisitions.


    FISMA Legislation

Federal Information Security Management Act (FISMA)

"Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source."

-- Federal Information Security Management Act of 2002
-- Title III of the E-Government Act of 2002


    Purpose of Federal Information Security

To ensure the Availability, Integrity, and Confidentiality of Federal:

Information (Data)
Information Systems
Information Technology (Networks & Computers)


    FISMA Applicability to NIH Grants

FISMA applies to grantees only when they collect, store, process, transmit, or use information on behalf of HHS or any of its component organizations.

HHS Memo -- FISMA Applicability to Grants

Note: Other Federal agencies may have different rules, e.g. VA.


    FISMA Applicability to NIH Acquisitions

FISMA applies to:

Contractors and subcontractors
Federal information and Federal information systems, regardless of their location
(IT) equipment incidental to a Federal contract ** (Incidental IT equipment had been excluded under the Clinger-Cohen Act)
Externally hosted web sites
Clinical trials
Services, e.g. consultants, programmers, maintenance

** Source: OMB 2007 FISMA Reporting Instructions FAQ


    FISMA Applicability to NIH Acquisitions (2)

    FISMA applies to:

    All acquisition types

    Solicitations

    Contracts

    BPAs

    Purchase Orders

    Credit Card Purchases, etc.



Acquisition Policy, Guidance and Control

[Figure: diagram of the policy, guidance and control sources feeding NIH Acquisitions, labelled on the slide as "Typical Sources" and "New Sources". Items shown, in the order they appear:]

NIH Senior Management
HHS CIO
HHS CISO
OAMP
AMC
NIST
OMB Memoranda
NIH CIO
NIH CISO
ITMC
ORS
FAR & HHSAR
NIH Acquisitions

FIPS 199
FIPS 200
SP 800-53
SP 800-53A
SP 800-60
M-07-18
M-07-17
M-06-17
HHS Security Policy
Breach Reporting Policy
Contract Security Guidance
Rules of Behavior
ID Badges
User Accounts
Laptop Encryption


    The Acquisition Team



    IC Acquisition Team

Project Officer
Administrative Staff
Information Systems Security Officer
Privacy Officer


IC Project Officer

Categorizes data according to FIPS 199/NIST 800-60: Confidentiality, Availability, Integrity
Assigns overall Information Security Level to project
Determines Suitability Level (background investigation) for contract staff working on project
Communicates contract staff accessions & departures to Admin. Staff and ISSO
Includes security requirements in acquisition
Ensures that contract staff meets security-related training requirements
Consults with IC ISSO on information security issues
Conducts annual Risk Assessment -- FIPS 200/NIST 800-53
Conducts Privacy Impact Assessment
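The Project Officer's first two duties above, categorizing data per security objective under FIPS 199 and then assigning one overall level to the project, as a worked example. This is added code, not from the presentation or from NIH: it aggregates per-information-type impact levels the way NIST SP 800-60 describes (highest level per objective across the types a system handles, never below LOW at the system level) and takes the overall level by the FIPS 200 high-water mark. The information types and their impact levels are constructed sample values, not a real NIH categorization.

```python
"""FIPS 199 / SP 800-60 security categorization and the FIPS 200 high-water mark.

Added example, not code from the NIH slide deck. The information types and
impact levels below are constructed sample values, not a real NIH categorization.
"""
from dataclasses import dataclass

# FIPS 199 impact levels, lowest to highest. "NA" (not applicable) is permitted
# only for the confidentiality of information that is intended to be public.
LEVELS = ("NA", "LOW", "MODERATE", "HIGH")
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type (SP 800-60 style) with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str

    def validate(self) -> None:
        for obj in OBJECTIVES:
            level = getattr(self, obj)
            if level not in LEVELS:
                raise ValueError(f"{self.name}: bad {obj} level {level!r}")
            if level == "NA" and obj != "confidentiality":
                raise ValueError(f"{self.name}: NA is only allowed for confidentiality")


def _highest(levels):
    """Highest impact level in an iterable, by position in LEVELS."""
    return max(levels, key=LEVELS.index)


def categorize_system(info_types):
    """Per-objective system categorization: for each objective, the highest
    impact level of any information type the system handles. A system is
    never categorized below LOW, so an all-public confidentiality of NA
    becomes LOW at the system level."""
    if not info_types:
        raise ValueError("at least one information type is required")
    for it in info_types:
        it.validate()
    sc = {}
    for obj in OBJECTIVES:
        level = _highest(getattr(it, obj) for it in info_types)
        sc[obj] = "LOW" if level == "NA" else level
    return sc


def overall_impact(sc):
    """FIPS 200 high-water mark: the overall system impact level is the
    highest level across the three security objectives."""
    return _highest(sc.values())


def sc_notation(sc):
    """Render the categorization in the FIPS 199 SC = {...} notation."""
    return ("SC = {(confidentiality, %s), (integrity, %s), (availability, %s)}"
            % (sc["confidentiality"], sc["integrity"], sc["availability"]))


# Constructed sample: a clinical study system that handles three information types.
SAMPLE_STUDY = [
    InfoType("clinical trial records with patient identifiers", "HIGH", "MODERATE", "MODERATE"),
    InfoType("public recruitment web pages", "NA", "MODERATE", "LOW"),
    InfoType("visit scheduling data", "LOW", "LOW", "MODERATE"),
]

if __name__ == "__main__":
    sc = categorize_system(SAMPLE_STUDY)
    print(sc_notation(sc))
    print("overall impact level (high-water mark):", overall_impact(sc))
```

The sample study comes out as SC = {(confidentiality, HIGH), (integrity, MODERATE), (availability, MODERATE)} and an overall level of HIGH: one information type with HIGH confidentiality (the identified patient records) pulls the whole project to HIGH, which is the point of the high-water mark and why the categorization decision drives cost later in the acquisition.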


IC Administrative Staff

Ensure security measures are included in acquisition package:
Privacy Impact Assessment (confidentiality)
System of Records Number (SORN), if applicable
Disability Act requirements for web pages (availability)
Employee ID Badge issue and return
Consults with IC ISSO on information security issues
Consults with Privacy Officer on privacy issues


Information Systems Security Officer

Reviews Security Requirements
Concurs with data categorization
Attests, in writing, that appropriate security requirements are included in acquisitions
Reviews security-related documents: 800-53 Assessment, Security Plan, Continuity Plan, other C&A documents
Consults with Project Officer as needed during acquisition execution to ensure applicable information security requirements are being met
Reports security-related incidents to NIH IRT


IC Privacy Officer

Facilitates obtaining SORN if needed
Ensures Privacy requirements are met when PII is part of the system
Answers Privacy-related questions
Must be notified when there is a breach or suspected breach of a system containing PII
NIH Senior Official for Privacy is part of the NIH Breach Response Team



    Security-related Decisions in the Acquisition Process



Security-related Decisions

Information Categorization
Level of security needed for the acquisition
Security Plan, Continuity & Disaster Recovery Plan, System Test and Evaluation (ST&E)
Privacy Impact Assessment
Background investigations
Amount and type of information security training
System Certification: System Owner, Security Officer
System Accreditation: Security Officer, CIO



Security-related Decisions (2)

System location
Who supplies information security documentation: Security Plan, Annual System Security Assessment, Risk Assessment, Continuity Plan, other C&A documents
Security implementation (responsibility)
Remote Access requirements and equipment
Responsibility for Breach Notifications
Computer file encryption



    OMB Memoranda




OMB M-07-18 (cont.): Where We Are

HHS OS and OPDIVs decided on an HHS standard
Tested in CIT and in several ICs
IC staff commented on NIH adopted standards
FDCC standards approved by ITMC
Implementing


OMB M-07-16

Subject: Safeguarding Against and Responding to the Breach of Personally Identifiable Information
Issued: May 22, 2007
Target Date: 120 days from Issue Date
Affects: All Federal Information and Federal Information Systems (electronic or paper)

Must notify NIH CISO within one hour of discovering suspected and/or confirmed breaches of PII data/information.


OMB M-06-16

Subject: Protection of Sensitive Agency Information
Issued: June 23, 2006
Target Date: 45 days from issue date

Encrypt all data on mobile computers/devices which carry agency data unless data is determined to be non-sensitive, in writing, by the Deputy Secretary or their designee.
Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.



OMB M-06-16 (cont.)

Use a time-out function for remote access and mobile devices, requiring user re-authentication after 30 minutes of inactivity.
Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or that its use is still required.

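The M-06-16 extract-logging requirement above (log every extract of sensitive data, then within 90 days confirm either that it was erased or that its use is still required) as a worked review script. This is an added example, not from the presentation or from NIH. It assumes a simple constructed log format, one extract per line with an extract id, the extraction date, the follow-up action ("erased", "verified", or blank) and the date of that action; the sample log lines are constructed, and the 90-day window is the memo's figure. A real site's extract log would look different, but the review logic is the same.

```python
"""Review of logged database extracts against the OMB M-06-16 90-day rule.

Added example, not from the NIH slide deck. The log format (one extract per
line: extract id, extraction date, follow-up action, action date) and the
sample lines are constructed for this example; the 90-day window is the
memo's figure. "verified" records that continued use of the extract was
confirmed as still required.
"""
from datetime import date, timedelta

RETENTION_DAYS = 90

# Constructed sample log. Action is "erased", "verified" (use still required,
# documented) or empty when nothing has been recorded yet.
SAMPLE_LOG = """\
E-1001,2024-01-10,erased,2024-02-01
E-1002,2024-01-15,verified,2024-04-01
E-1003,2024-01-20,,
E-1004,2024-03-15,,
E-1005,2024-01-05,erased,2024-04-20
"""


def parse_log(text):
    """Parse log lines into (id, extracted_on, action, action_on) tuples."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split(",")
        if len(parts) != 4:
            raise ValueError(f"line {lineno}: expected 4 fields, got {len(parts)}")
        extract_id, extracted, action, action_on = (p.strip() for p in parts)
        if action not in ("", "erased", "verified"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        if action and not action_on:
            raise ValueError(f"line {lineno}: action {action!r} has no date")
        records.append((
            extract_id,
            date.fromisoformat(extracted),
            action or None,
            date.fromisoformat(action_on) if action_on else None,
        ))
    return records


def extract_status(extracted_on, action, action_on, as_of):
    """Classify one extract relative to its 90-day deadline."""
    deadline = extracted_on + timedelta(days=RETENTION_DAYS)
    if action is None:
        # Nothing recorded yet: fine while the window is open, overdue after.
        return "pending" if as_of <= deadline else "overdue"
    if action_on > deadline:
        return "late"  # acted on, but only after the window had closed
    return "erased" if action == "erased" else "use-verified"


def review_extracts(text, as_of):
    """Map each extract id to its status as of the given date (date or ISO string)."""
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    return {
        extract_id: extract_status(extracted, action, action_on, as_of)
        for extract_id, extracted, action, action_on in parse_log(text)
    }


def exceptions(text, as_of):
    """Ids needing follow-up: no action inside the window, or action recorded late."""
    statuses = review_extracts(text, as_of)
    return sorted(i for i, s in statuses.items() if s in ("overdue", "late"))


if __name__ == "__main__":
    for extract_id, status in review_extracts(SAMPLE_LOG, "2024-05-01").items():
        print(extract_id, status)
    print("needs follow-up:", exceptions(SAMPLE_LOG, "2024-05-01"))
```

Run as of 2024-05-01 the sample flags E-1003 (no action and the window closed on 2024-04-19) and E-1005 (erased, but sixteen days after its window closed); E-1004 is still pending because its window runs to 2024-06-13. Distinguishing "late" from "erased" matters for the control: the extract was eventually cleaned up, but the 90-day check itself failed and should be reported as such.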


    Acquisition Language



Acquisition Language - Prescriptions

1. Federal Information and Information Systems Security: Include when contractor/subcontractor personnel will (1) develop, (2) have the ability to access, or (3) host and/or maintain Federal information and/or Federal information system(s). For more information see:

2. Personally Identifiable Information (PII): Include when contractor/subcontractor personnel will have access to, or use of, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control. For more information see:

3. Physical Access to a Federally-Controlled Facility: Include when contractor/subcontractor personnel will have regular or prolonged physical access to a Federally-controlled facility. For more information see:



Acquisition Language - Background Investigations

Personnel Security Responsibilities
The successful offeror shall be required to perform and document the following actions:

Contractor Notification of New and Departing Employees Requiring Background Investigations

(1) The contractor shall notify the Contracting Officer, the Project Officer, and the Security Investigation Reviewer within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a security clearance stops working under this acquisition. The government will initiate a background investigation on new employees requiring security clearances and will stop pending background investigations for employees that no longer work under this acquisition.

(2) New employees: Provide the name, position title, e-mail address, and phone number of the new employee. Provide the name, position title and suitability level held by the former incumbent. If the employee is filling a new position, provide a description of the position and the government will determine the appropriate security level.


Acquisition Language - Background Investigations (cont.)

Personnel Security Responsibilities
The successful offeror shall be required to perform and document the following actions:

Contractor Notification of New and Departing Employees Requiring Background Investigations

(3) Departing employees: Provide the name, position title, and security clearance level held by or pending for the individual. Perform and document the actions identified in the "Contractor Employee Separation Checklist" of this acquisition when a contractor/subcontractor employee terminates work under this acquisition. All documentation shall be made available to the Project Officer and/or Contracting Officer upon request.


Acquisition Language -- Self Assessment

NIST SP 800-53 Self-Assessment

If the offeror proposes to (1) develop a Federal information system at the contractor's/subcontractor's facility or (2) host or maintain a Federal information system at the contractor's/subcontractor's facility, they must include in the "Information Security" part of its Technical Proposal a completed Self-Assessment required by NIST SP 800-53, Recommended Security Controls for Federal Information Systems. NIST 800-53 assesses information security assurance of the offeror's internal systems security. This assessment is based on the Federal IT Security Assessment Framework and NIST SP 800-53 at:


Acquisition Language - Data Breach

Loss and/or Disclosure of Personally Identifiable Information (PII): Notification of Data Breach

The successful offeror shall be responsible for reporting all incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH CISO within one hour of discovering the incident by using one of the following two forms:

NIH PII Spillage Report: http://irm.cit.nih.gog/security/PII_SpillageReport.doc
NIH Lost or Stolen Assets Report: http://irm.cit.nih.gov/security/Lost_or_Stolen.doc

The notification requirements do not distinguish between suspected and confirmed breaches.


Acquisition Language - Data Encryption

The following policy applies to all contractor/subcontractor laptop computers containing HHS data at rest and/or HHS data in transit.

All laptop computers shall be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product shall be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval.

All data at rest and in transit, unless the data is determined to be non-sensitive in writing by the NIH CIO or his/her designee, shall be encrypted using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored.


Acquisition Language - Other

Vulnerability Scanning
Federal Desktop Core Configurations (FDCC)
Software Patch security
System Administration privilege
Encryption keys and key recovery
Non-disclosure when offerors must access sensitive information to respond to an RFP
Rules of Behavior
Security Training


FISMA In Acquisitions

Summary

FISMA affects all acquisition types
Many organizations develop information security regs.
Be consistent when applying security language
Acquisition team communication is essential
Keep abreast of new information security requirements
Security decisions can affect acquisition cost
If you don't know, ask; don't guess
The only real constant is change
Reasonableness test


    FISMA In Acquisitions

    Questions?



    FISMA In Acquisitions

    Contacts

    Thomas Mitchell, OCIO [email protected]

    and

    Raymond Dillon, OAMP [email protected]
