FISMA in Acquisitions
TRANSCRIPT
7/28/2019
Thomas Mitchell, OCIO/OD/NIH/HHS
Raymond Dillon, OAMP/OD/NIH/HHS

FISMA - ISAO/ODCIO

Patients' Data on Stolen Laptop
Identity Fraud Not Likely, NIH Says
By Ellen Nakashima and Rick Weiss, Washington Post Staff Writers, Monday, March 24, 2008; Page A01

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data-security policy. . . . "The shocking part here is we now have personally identifiable information -- name and age -- linked to clinical data," said Leslie Harris, executive director of the Center for Democracy and Technology. "If somebody does not want to share the fact that they're in a clinical trial or the fact they've got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here."

http://projects.washingtonpost.com/staff/email/ellen+nakashima+and+rick+weiss/

What You'll Learn
The Problem
FISMA Legislation
FISMA's applicability to grants and acquisitions
How the acquisition arena has changed since 9/11
The Acquisition Team
Security-related decisions in the acquisition process
Recent OMB FISMA-related issuances
Current NIH information security-related acquisition provisions and language

The Problem
The external research community, grantees and contractors, perceives that FISMA information security requirements are being unevenly applied by and within Federal agencies. This perception was communicated to NIH Senior Management.
For example:
Background Investigations
Grant and Contract Information Security clauses

What's Needed
Provide a current, consistent, accurate message to NIH staff involved in acquisitions.

FISMA Legislation
Federal Information Security Management Act (FISMA)
"Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source."
-- Federal Information Security Management Act of 2002
-- Title III of the e-Government Act of 2002

Purpose of Federal Information Security
To ensure the Availability, Integrity, and Confidentiality of Federal:
Information (Data)
Information Systems
Information Technology (Networks & Computers)

FISMA Applicability to NIH Grants
FISMA applies to grantees only when they collect, store, process, transmit, or use information on behalf of HHS or any of its component organizations.
HHS Memo -- FISMA Applicability to Grants
Note: Other Federal agencies may have different rules, e.g., VA.

FISMA Applicability to NIH Acquisitions
FISMA applies to:
Contractors and subcontractors
Federal information and Federal information systems, regardless of their location
IT equipment incidental to a Federal contract ** (incidental IT equipment had been excluded under the Clinger-Cohen Act)
Externally hosted web sites
Clinical trials
Services, e.g., consultants, programmers, maintenance
** Source: OMB 2007 FISMA Reporting Instructions FAQ

FISMA Applicability to NIH Acquisitions (2)
FISMA applies to all acquisition types:
Solicitations
Contracts
BPAs
Purchase Orders
Credit Card Purchases, etc.

Acquisition Policy, Guidance and Control
[Diagram: the bodies and documents that feed security policy, guidance and control into NIH Acquisitions, marked as "Typical Sources" or "New Sources".]
Bodies shown: NIH Senior Management, HHS CIO, HHS CISO, OAMP, AMC, NIST, OMB Memoranda, NIH CIO, NIH CISO, ITMC, ORS, FAR & HHSAR.
Documents and topics shown: FIPS 199, FIPS 200, SP 800-53, SP 800-53A, SP 800-60, M-07-18, M-07-17, M-06-17, HHS Security Policy, Breach Reporting Policy, Contract Security Guidance, Rules of Behavior, ID Badges, User Accounts, Laptop Encryption.

The Acquisition Team

IC Acquisition Team
Project Officer
Administrative Staff
Information Systems Security Officer
Privacy Officer

IC Project Officer
Categorizes data according to FIPS 199 / NIST SP 800-60 (Confidentiality, Availability, Integrity)
Assigns overall Information Security Level to project
Determines Suitability Level (background investigation) for contract staff working on project
Communicates contract staff accessions and departures to Admin. Staff and ISSO
Includes security requirements in acquisition
Ensures that contract staff meet security-related training requirements
Consults with IC ISSO on information security issues
Conducts annual Risk Assessment -- FIPS 200 / NIST SP 800-53
Conducts Privacy Impact Assessment

IC Administrative Staff
Ensure security measures are included in acquisition package:
Privacy Impact Assessment (confidentiality)
System of Records Number (SORN), if applicable
Disability Act requirements for web pages (availability)
Employee ID Badge issue and return
Consult with IC ISSO on information security issues
Consult with Privacy Officer on privacy issues

Information Systems Security Officer
Reviews Security Requirements
Concurs with data categorization
Attests, in writing, that appropriate security requirements are included in acquisitions
Reviews security-related documents: 800-53 Assessment, Security Plan, Continuity Plan, other C&A documents
Consults with Project Officer as needed during acquisition execution to ensure applicable information security requirements are being met
Reports security-related incidents to NIH IRT

IC Privacy Officer
Facilitates obtaining SORN if needed
Ensures Privacy requirements are met when PII is part of the system
Answers Privacy-related questions
Must be notified when there is a breach or suspected breach of a system containing PII
NIH Senior Official for Privacy is part of the NIH Breach Response Team

Security-related Decisions in the Acquisition Process

Security-related Decisions
Information Categorization
Level of security needed for the acquisition
Security Plan, Continuity & Disaster Recovery Plan, System Test and Evaluation (ST&E)
Privacy impact assessment
Background investigations
Amount and type of information security training
System Certification -- System Owner, Security Officer
System Accreditation -- Security Officer, CIO

Security-related Decisions (2)
System location
Who supplies information security documentation: Security Plan, Annual System Security Assessment, Risk Assessment, Continuity Plan, other C&A documents
Security implementation (responsibility)
Remote Access requirements and equipment
Responsibility for Breach Notifications
Computer file encryption

OMB Memoranda

OMB M-07-18 (cont.) -- Where We Are
HHS OS and OPDIVs decided on an HHS standard
Tested in CIT and in several ICs
IC staff commented on NIH adopted standards
FDCC standards approved by ITMC
Implementing

OMB M-07-16
Subject: Safeguarding Against and Responding to the Breach of Personally Identifiable Information
Issued: May 22, 2007
Target Date: 120 days from Issue Date
Affects: All Federal Information and Federal Information Systems (electronic or paper)
Must notify NIH CISO within one hour of discovering suspected and/or confirmed breaches of PII data/information.

OMB M-06-16
Subject: Protection of Sensitive Agency Information
Issued: June 23, 2006
Target Date: 45 days from issue date
Encrypt all data on mobile computers/devices which carry agency data unless data is determined to be non-sensitive, in writing, by the Deputy Secretary or their designee.
Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access.

OMB M-06-16 (cont.)
Use a time-out function for remote access and mobile devices, requiring user re-authentication after 30 minutes of inactivity.
Log all computer-readable data extracts from databases holding sensitive information and verify that each extract including sensitive data has been erased within 90 days or that its use is still required.
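The two M-06-16 controls on this slide, the 30-minute inactivity time-out and the 90-day check on logged data extracts, are easy to state and easy to let slip. Below is an added example (not NIH's, HHS's or OMB's own tooling) of how an ISSO or system owner could run that 90-day verification over an extract register and express the time-out rule as a testable check. The record fields, the sample register, the database names and the assumption that a written "still required" re-certification restarts the 90-day clock are all constructed for this illustration; the memo itself does not specify the record format.

```python
"""Checks for two OMB M-06-16 controls: the 90-day extract erasure / re-certification
requirement and the 30-minute remote-access inactivity time-out.
Added example; not NIH's or OMB's own tooling. Record fields and sample data are
constructed for illustration."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

EXTRACT_RETENTION = timedelta(days=90)   # M-06-16: erase or re-justify within 90 days
IDLE_TIMEOUT = timedelta(minutes=30)     # M-06-16: re-authenticate after 30 minutes idle


@dataclass
class ExtractRecord:
    """One logged computer-readable extract from a database holding sensitive data."""
    extract_id: str
    requester: str
    source_db: str
    extracted_at: datetime
    erased_at: Optional[datetime] = None          # filled in when erasure is verified
    still_required_at: Optional[datetime] = None  # filled in when continued use is re-certified


def extract_status(rec: ExtractRecord, as_of: datetime) -> str:
    """Classify an extract as 'erased', 'within_retention' or 'overdue'.

    Assumption (not stated in the memo): a written re-certification that the
    extract is still required restarts the 90-day clock from that date.
    """
    if rec.erased_at is not None:
        return "erased"
    clock_start = max(rec.extracted_at, rec.still_required_at or rec.extracted_at)
    if as_of - clock_start <= EXTRACT_RETENTION:
        return "within_retention"
    return "overdue"


def overdue_extracts(records: List[ExtractRecord], as_of: datetime) -> List[str]:
    """IDs of extracts with neither verified erasure nor a current re-certification."""
    return [r.extract_id for r in records if extract_status(r, as_of) == "overdue"]


def session_timed_out(last_activity: datetime, now: datetime,
                      limit: timedelta = IDLE_TIMEOUT) -> bool:
    """True when a remote or mobile session has been idle for the limit or longer,
    i.e. the user must re-authenticate before continuing."""
    return now - last_activity >= limit


# Constructed sample register; dates chosen around the memo's 2006/2007 time frame.
AS_OF = datetime(2007, 10, 1)
SAMPLE_EXTRACTS = [
    ExtractRecord("X-001", "analyst-a", "trial_db", datetime(2007, 5, 1),
                  erased_at=datetime(2007, 6, 15)),             # erasure verified
    ExtractRecord("X-002", "analyst-b", "trial_db", datetime(2007, 8, 15)),   # 47 days old
    ExtractRecord("X-003", "analyst-c", "patients_db", datetime(2007, 5, 20)), # 134 days, no record
    ExtractRecord("X-004", "analyst-a", "patients_db", datetime(2007, 4, 1),
                  still_required_at=datetime(2007, 8, 1)),      # re-certified 61 days ago
    ExtractRecord("X-005", "analyst-d", "scans_db", datetime(2007, 3, 1),
                  still_required_at=datetime(2007, 5, 1)),      # re-certification itself stale
]


def report(records: List[ExtractRecord], as_of: datetime) -> None:
    """Print one line per extract plus the list the ISSO needs to chase."""
    for r in records:
        age = (as_of - r.extracted_at).days
        print(f"{r.extract_id:6} {r.source_db:12} age={age:4}d  {extract_status(r, as_of)}")
    print("overdue:", ", ".join(overdue_extracts(records, as_of)) or "none")


if __name__ == "__main__":
    report(SAMPLE_EXTRACTS, AS_OF)
```

Run as-is it reports X-003 and X-005 as overdue: X-003 has no erasure or re-certification at all, and X-005's re-certification is itself older than 90 days, which is the case a naive "was it ever re-certified?" check would miss. The time-out check treats exactly 30 minutes idle as expired, matching the memo's "after 30 minutes inactivity".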

Acquisition Language

Acquisition Language -- Prescriptions
1. Federal Information and Information Systems Security: Include when contractor/subcontractor personnel will (1) develop, (2) have the ability to access, or (3) host and/or maintain Federal information and/or Federal information system(s). For more information see:
2. Personally Identifiable Information (PII): Include when contractor/subcontractor personnel will have access to, or use of, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control. For more information see:
3. Physical Access to a Federally-Controlled Facility: Include when contractor/subcontractor personnel will have regular or prolonged physical access to a Federally-controlled facility. For more information see:

Acquisition Language -- Background Investigations
Personnel Security Responsibilities
The successful offeror shall be required to perform and document the following actions:
Contractor Notification of New and Departing Employees Requiring Background Investigations
(1) The contractor shall notify the Contracting Officer, the Project Officer, and the Security Investigation Reviewer within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a security clearance stops working under this acquisition. The government will initiate a background investigation on new employees requiring security clearances and will stop pending background investigations for employees that no longer work under this acquisition.
(2) New employees: Provide the name, position title, e-mail address, and phone number of the new employee. Provide the name, position title and suitability level held by the former incumbent. If the employee is filling a new position, provide a description of the position and the government will determine the appropriate security level.

Acquisition Language -- Background Investigations (cont.)
Personnel Security Responsibilities
The successful offeror shall be required to perform and document the following actions:
Contractor Notification of New and Departing Employees Requiring Background Investigations
(3) Departing employees: Provide the name, position title, and security clearance level held by or pending for the individual. Perform and document the actions identified in the "Contractor Employee Separation Checklist" of this acquisition when a contractor/subcontractor employee terminates work under this acquisition. All documentation shall be made available to the Project Officer and/or Contracting Officer upon request.

Acquisition Language -- Self Assessment
NIST SP 800-53 Self-Assessment
If the offeror proposes to (1) develop a Federal information system at the contractor's/subcontractor's facility or (2) host or maintain a Federal information system at the contractor's/subcontractor's facility, they must include in the "Information Security" part of the Technical Proposal a completed Self-Assessment required by NIST SP 800-53, Recommended Security Controls for Federal Information Systems. NIST SP 800-53 assesses the information security assurance of the offeror's internal systems security. This assessment is based on the Federal IT Security Assessment Framework and NIST SP 800-53 at:

Acquisition Language -- Data Breach
Loss and/or Disclosure of Personally Identifiable Information (PII) -- Notification of Data Breach
The successful offeror shall be responsible for reporting all incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH CISO within one hour of discovering the incident by using one of the following two forms:
NIH PII Spillage Report: http://irm.cit.nih.gog/security/PII_SpillageReport.doc
NIH Lost or Stolen Assets Report: http://irm.cit.nih.gov/security/Lost_or_Stolen.doc
The notification requirements do not distinguish between suspected and confirmed breaches.

Acquisition Language -- Data Encryption
The following policy applies to all contractor/subcontractor laptop computers containing HHS data at rest and/or HHS data in transit.
All laptop computers shall be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product shall be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval.
All data at rest and in transit, unless the data is determined to be non-sensitive in writing by the NIH CIO or his/her designee, shall be encrypted using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored.

Acquisition Language -- Other
Vulnerability Scanning
Federal Desktop Core Configurations (FDCC)
Software Patch security
System Administration privilege
Encryption keys and key recovery
Non-disclosure when offerors must access sensitive information to respond to an RFP
Rules of Behavior
Security Training

FISMA In Acquisitions -- Summary
FISMA affects all acquisition types
Many organizations develop information security regulations
Be consistent when applying security language
Acquisition team communication is essential
Keep abreast of new information security requirements
Security decisions can affect acquisition cost
If you don't know, ask; don't guess
The only real constant is change
Reasonableness test

FISMA In Acquisitions
Questions?

FISMA In Acquisitions -- Contacts
Thomas Mitchell, OCIO [email protected]
and
Raymond Dillon, OAMP [email protected]