
Thomas Mitchell, OCIO/OD/NIH/HHS
Raymond Dillon, OAMP/OD/NIH/HHS

Patients' Data on Stolen Laptop
Identity Fraud Not Likely, NIH Says
By Ellen Nakashima and Rick Weiss, Washington Post Staff Writers
Monday, March 24, 2008; Page A01

A government laptop computer containing sensitive medical information on 2,500 patients enrolled in a National Institutes of Health study was stolen in February, potentially exposing seven years' worth of clinical trial data, including names, medical diagnoses and details of the patients' heart scans. The information was not encrypted, in violation of the government's data security policy. ...

"The shocking part here is we now have personally identifiable information -- name and age -- linked to clinical data," said Leslie Harris, executive director of the Center for Democracy and Technology. "If somebody does not want to share the fact that they're in a clinical trial or the fact they've got a heart disease, this is very, very serious. The risk of identity theft and of revealing highly personal information about your health are closely linked here."
FISMA - ISAO/ODCIO 2

What You'll Learn

- The Problem
- FISMA Legislation
- FISMA's applicability to grants and acquisitions
- How the acquisition arena has changed since 9/11
- The Acquisition Team
- Security-related decisions in the acquisition process
- Recent OMB FISMA-related issuances
- Current NIH information security-related acquisition provisions and language


The Problem

The external research community (grantees and contractors) perceives that FISMA information security requirements are being unevenly applied by and within Federal agencies. This perception was communicated to NIH Senior Management.

For example:
- Background Investigations
- Grant and Contract Information Security clauses

What's Needed: Provide a current, consistent, accurate message to NIH staff involved in acquisitions.

FISMA Legislation

Federal Information Security Management Act (FISMA)

"Each federal agency shall develop, document, and implement an agency-wide information security program to provide information security for the information and information systems that support the operations and assets of the agency, including those provided or managed by another agency, contractor, or other source."
-- Federal Information Security Management Act of 2002
-- Title III of the e-Government Act of 2002

Purpose of Federal Information Security

To Ensure the Availability, Integrity, and Confidentiality of Federal:
- Information (Data)
- Information Systems
- Information Technology (Networks & Computers)

FISMA Applicability to NIH Grants

FISMA applies to grantees only when they collect, store, process, transmit, or use information on behalf of HHS or any of its component organizations.
-- HHS Memo, FISMA Applicability to Grants

Note: Other Federal agencies may have different rules, e.g. VA.

FISMA Applicability to NIH Acquisitions

FISMA applies to:
- Contractors and subcontractors
- Federal information and Federal information systems, regardless of their location
- (IT) equipment incidental to a Federal contract ** (incidental IT equipment had been excluded under the Clinger-Cohen Act)
- Externally hosted web sites
- Clinical trials
- Services, e.g. consultants, programmers, maintenance

** Source: OMB 2007 FISMA Reporting Instructions FAQ

FISMA Applicability to NIH Acquisitions (2)

FISMA applies to all acquisition types:
- Solicitations
- Contracts
- BPAs
- Purchase Orders
- Credit Card Purchases, etc.

Acquisition Policy, Guidance and Control

(Diagram on the original slide; the sources it shows are listed here.)

Typical Sources:
- FAR & HHSAR
- NIH Acquisitions: OAMP, AMC
- OMB Memoranda
- NIST: FIPS 199, FIPS 200, SP 800-53, SP 800-53A, SP 800-60

New Sources:
- HHS CIO, HHS CISO, NIH Senior Management, NIH CIO, NIH CISO, ITMC, ORS
- HHS Security Policy, Breach Reporting Policy, Contract Security Guidance
- Rules of Behavior, ID Badges, User Accounts, Laptop Encryption
- OMB Memoranda M-07-18, M-07-17, M-06-17

The Acquisition Team


IC Acquisition Team

- Project Officer
- Administrative Staff
- Information Systems Security Officer
- Privacy Officer

IC Project Officer

- Categorizes data according to FIPS 199/NIST 800-60 (Confidentiality, Availability, Integrity)
- Assigns overall Information Security Level to project
- Determines Suitability Level (background investigation) for contract staff working on project
- Communicates contract staff accessions & departures to Admin. Staff and ISSO
- Includes security requirements in acquisition
- Ensures that contract staff meet security-related training requirements
- Consults with IC ISSO on information security issues
- Conducts annual Risk Assessment -- FIPS 200/NIST 800-53
- Conducts Privacy Impact Assessment

IC Administrative Staff

- Ensures security measures are included in acquisition package:
  - Privacy Impact Assessment (confidentiality)
  - System of Records Number (SORN), if applicable
  - Disability Act requirements for web pages (availability)
  - Employee ID Badge issue and return
- Consults with IC ISSO on information security issues
- Consults with Privacy Officer on privacy issues

Information Systems Security Officer

- Reviews Security Requirements
- Concurs with data categorization
- Attests, in writing, that appropriate security requirements are included in acquisitions
- Reviews security-related documents: 800-53 Assessment, Security Plan, Continuity Plan, other C&A documents
- Consults with Project Officer as needed during acquisition execution to ensure applicable information security requirements are being met
- Reports security-related incidents to NIH IRT

IC Privacy Officer

- Facilitates obtaining SORN if needed
- Ensures Privacy requirements are met when PII is part of the system
- Answers Privacy-related questions
- Must be notified when there is a breach or suspected breach of a system containing PII
- NIH Senior Official for Privacy is part of the NIH Breach Response Team

Security-related Decisions in the Acquisition Process


Security-related Decisions

- Information Categorization
- Level of security needed for the acquisition: Security Plan, Continuity & Disaster Recovery Plan, System Test and Evaluation (ST&E)
- Privacy impact assessment
- Background investigations
- Amount and type of information security training
- System Certification: System Owner, Security Officer
- System Accreditation: Security Officer, CIO

Security-related Decisions (2)

- System location
- Who supplies information security documentation: Security Plan, Annual System Security Assessment, Risk Assessment, Continuity Plan, other C&A documents
- Security implementation (responsibility)
- Remote Access requirements and equipment
- Responsibility for Breach Notifications
- Computer file encryption

OMB Memoranda


OMB M-07-18, June 1, 2007

Ensuring New Acquisitions Include Common Security Configurations

- Target Date: 2/1/2008
- Applies to Windows XP and Windows Vista Operating Systems, and IE-7 operating on XP or Vista
- Federal Desktop Core Configurations (FDCC)
- Standard installation, operation, maintenance, update, and/or patching of software shall not alter configuration settings from the approved FDCC configuration
- Applications (software systems) designed for normal end users shall run without elevated system administrator privileges
- Part 39 of the FAR will be revised to incorporate requirements when acquiring technology

OMB M-07-18 (cont.)

Where We Are
- HHS OS and OPDIVs decided on an HHS standard
- Tested in CIT and in several ICs
- IC staff commented on NIH adopted standards
- FDCC standards approved by ITMC
- Implementing

OMB M-07-16

- Subject: Safeguarding Against and Responding to the Breach of Personally Identifiable Information
- Issued: May 22, 2007
- Target Date: 120 days from Issue Date
- Affects: All Federal Information and Federal Information Systems (electronic or paper)
- Must notify NIH CISO within one hour of discovering suspected and/or confirmed breaches of PII data/information

OMB M-06-16

- Subject: Protection of Sensitive Agency Information
- Issued: June 23, 2006
- Target Date: 45 days from issue date
- Encrypt all data on mobile computers/devices which carry agency data unless data is determined to be non-sensitive, in writing, by the Deputy Secretary or their designee
- Allow remote access only with two-factor authentication where one of the factors is provided by a device separate from the computer gaining access

OMB M-06-16 (cont.)

- Use a time-out function for remote access and mobile devices, requiring user re-authentication after 30 minutes inactivity
- Log all computer-readable data extracts from databases holding sensitive information and verify each extract including sensitive data has been erased within 90 days or that its use is still required
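The 90-day extract rule above is the one M-06-16 item that can be checked mechanically against a log. The following script, added here as an illustration and not part of the NIH presentation or any OMB guidance, reviews a constructed extract register and flags entries that were neither erased within 90 days nor re-attested as still required. The register columns, the assumption that a "use still required" attestation restarts the 90-day clock, and the sample rows are all assumptions.

```python
"""Review a register of database extracts against the OMB M-06-16 rule that each
extract of sensitive data is erased within 90 days or its continued use is verified.
Illustration only: the register format and field names are assumed, not NIH's or OMB's."""
import csv
from datetime import date, timedelta
from io import StringIO
from typing import List, Optional, Tuple

REVIEW_WINDOW = timedelta(days=90)

# Constructed sample register (not real data): one row per logged extract.
SAMPLE_REGISTER = """extract_id,extracted_on,erased_on,use_verified_on
EXT-001,2008-01-10,2008-02-01,
EXT-002,2007-11-01,,
EXT-003,2007-10-15,,2008-02-20
EXT-004,2007-06-01,2007-12-01,
"""


def _parse_date(text: str) -> Optional[date]:
    return date.fromisoformat(text) if text else None


def extract_status(extracted_on: date, erased_on: Optional[date],
                   use_verified_on: Optional[date], as_of: date) -> str:
    """Classify one extract as of the review date."""
    if erased_on is not None:
        # Erased: compliant only if erasure happened inside the 90-day window.
        return "erased" if erased_on - extracted_on <= REVIEW_WINDOW else "erased-late"
    # Still held: the clock restarts at the latest "use still required" attestation
    # (assumption: attestations must themselves be renewed every 90 days).
    anchor = use_verified_on or extracted_on
    return "within-window" if as_of - anchor <= REVIEW_WINDOW else "overdue"


def review_register(register_csv: str, as_of: date) -> List[Tuple[str, str]]:
    """Return (extract_id, status) for every row of the register."""
    results = []
    for row in csv.DictReader(StringIO(register_csv)):
        status = extract_status(_parse_date(row["extracted_on"]),
                                _parse_date(row["erased_on"]),
                                _parse_date(row["use_verified_on"]), as_of)
        results.append((row["extract_id"], status))
    return results


def noncompliant_extracts(register_csv: str, as_of: date) -> List[str]:
    """Extracts held past 90 days without attestation, or erased after the window."""
    return [eid for eid, status in review_register(register_csv, as_of)
            if status in ("overdue", "erased-late")]


if __name__ == "__main__":
    for eid, status in review_register(SAMPLE_REGISTER, date(2008, 3, 24)):
        print(f"{eid}: {status}")
```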

Acquisition Language


Acquisition Language - Prescriptions

1. Federal Information and Information Systems Security: Include when contractor/subcontractor personnel will (1) develop, (2) have the ability to access, or (3) host and/or maintain Federal information and/or Federal information system(s). For more information see:

2. Personally Identifiable Information (PII): Include when contractor/subcontractor personnel will have access to, or use of, Personally Identifiable Information (PII), including instances of remote access to or physical removal of such information beyond agency premises or control. For more information see:

3. Physical Access to a Federally-Controlled Facility: Include when contractor/subcontractor personnel will have regular or prolonged physical access to a Federally-controlled facility. For more information see:

Acquisition Language - Background Investigations

Personnel Security Responsibilities

The successful offeror shall be required to perform and document the following actions:

Contractor Notification of New and Departing Employees Requiring Background Investigations

(1) The contractor shall notify the Contracting Officer, the Project Officer, and the Security Investigation Reviewer within five working days before a new employee assumes a position that requires a suitability determination or when an employee with a security clearance stops working under this acquisition. The government will initiate a background investigation on new employees requiring security clearances and will stop pending background investigations for employees that no longer work under this acquisition.

(2) New employees: Provide the name, position title, e-mail address, and phone number of the new employee. Provide the name, position title and suitability level held by the former incumbent. If the employee is filling a new position, provide a description of the position and the government will determine the appropriate security level.

Acquisition Language - Background Investigations (cont.)

(3) Departing employees: Provide the name, position title, and security clearance level held by or pending for the individual. Perform and document the actions identified in the "Contractor Employee Separation Checklist" of this acquisition when a contractor/subcontractor employee terminates work under this acquisition.

All documentation shall be made available to the Project Officer and/or Contracting Officer upon request.

Acquisition Language - Self Assessment

NIST SP 800-53 Self-Assessment

If the offeror proposes to (1) develop a Federal information system at the contractor's/subcontractor's facility or (2) host or maintain a Federal information system at the contractor's/subcontractor's facility, it must include in the "Information Security" part of its Technical Proposal a completed Self-Assessment required by NIST SP 800-53, Recommended Security Controls for Federal Information Systems. NIST 800-53 assesses information security assurance of the offeror's internal systems security. This assessment is based on the Federal IT Security Assessment Framework and NIST SP 800-53 at:

Acquisition Language - Data Breach

Loss and/or Disclosure of Personally Identifiable Information (PII)

Notification of Data Breach

The successful offeror shall be responsible for reporting all incidents involving the loss and/or disclosure of PII in electronic or physical form. Notification shall be made to the NIH CISO within one hour of discovering the incident by using one of the following two forms:
- NIH PII Spillage Report: http://irm.cit.nih.gov/security/PII_SpillageReport.doc
- NIH Lost or Stolen Assets Report: http://irm.cit.nih.gov/security/Lost_or_Stolen.doc

The notification requirements do not distinguish between suspected and confirmed breaches.

Acquisition Language - Data Encryption

The following policy applies to all contractor/subcontractor laptop computers containing HHS data at rest and/or HHS data in transit. All laptop computers shall be secured using a Federal Information Processing Standard (FIPS) 140-2 compliant whole-disk encryption solution. The cryptographic module used by an encryption or other cryptographic product shall be tested and validated under the Cryptographic Module Validation Program to confirm compliance with the requirements of FIPS PUB 140-2 (as amended). For additional information, refer to http://csrc.nist.gov/cryptval.

All data at rest and in transit, unless the data is determined to be non-sensitive in writing by the NIH CIO or his/her designee, shall be encrypted using a FIPS 140-2 compliant product. Data at rest includes all HHS data regardless of where it is stored.

Acquisition Language - Other

- Vulnerability Scanning
- Federal Desktop Core Configurations (FDCC)
- Software Patch security
- System Administration privilege
- Encryption keys and key recovery
- Non-disclosure when offerors must access sensitive information to respond to an RFP
- Rules of Behavior
- Security Training

FISMA In Acquisitions - Summary

- FISMA affects all acquisition types
- Many organizations develop information security regs.
- Be consistent when applying security language
- Acquisition team communication is essential
- Keep abreast of new information security requirements
- Security decisions can affect acquisition cost
- If you don't know, ask; don't guess
- The only real constant is change
- Reasonableness test

FISMA In Acquisitions

Questions?

FISMA In Acquisitions - Contacts

Thomas Mitchell, OCIO
mitchell@mail.nih.gov

and

Raymond Dillon, OAMP
dillonr@mail.nih.gov
