Implementing FISMA In Acquisitions - PowerPoint PPT Presentation

Provided by: mitch
Slides: 38

Transcript and Presenter's Notes

1
Implementing FISMA In Acquisitions
  • Thomas Mitchell, OCIO/OD/NIH/HHS
  • Raymond Dillon, OAMP/OD/NIH/HHS

2
Patients' Data on Stolen Laptop; Identity Fraud Not Likely, NIH Says
By Ellen Nakashima and Rick Weiss, Washington Post Staff Writers
Monday, March 24, 2008; Page A01

A government laptop computer containing sensitive medical information
on 2,500 patients enrolled in a National Institutes of Health study
was stolen in February, potentially exposing seven years' worth of
clinical trial data, including names, medical diagnoses and details
of the patients' heart scans. The information was not encrypted, in
violation of the government's data-security policy. ...

"The shocking part here is we now have personally identifiable
information -- name and age -- linked to clinical data," said Leslie
Harris, executive director of the Center for Democracy and Technology.
"If somebody does not want to share the fact that they're in a
clinical trial or the fact they've got a heart disease, this is very,
very serious. The risk of identity theft and of revealing highly
personal information about your health are closely linked here."
3
What You'll Learn
  • The Problem
  • FISMA Legislation
  • FISMA's applicability to grants and acquisitions
  • How the acquisition arena has changed since 9/11.
  • The Acquisition Team
  • Security-related decisions in the acquisition
    process
  • Recent OMB FISMA-related issuances
  • Current NIH information security-related
    acquisition provisions and language

4
The Problem
  • External research community, grantees and
    contractors, perceives that FISMA information
    security requirements are being unevenly applied
    by and within Federal agencies. This perception
    was communicated to NIH Senior Management.
  • For example:
    • Background Investigations
    • Grant and Contract Information Security clauses

5
What's Needed
  • Provide current, consistent, accurate message to
    NIH staff involved in acquisitions.

6
FISMA Legislation
  • Federal Information Security Management Act
    (FISMA)
  • "Each federal agency shall develop, document,
    and implement an agency-wide information security
    program to provide information security for the
    information and information systems that support
    the operations and assets of the agency,
    including those provided or managed by another
    agency, contractor, or other source."
  • -- Federal Information Security Management
    Act of 2002 (Title III of the E-Government Act
    of 2002)

7
Purpose of Federal Information Security
  • To Ensure the Availability, Integrity, and
    Confidentiality of Federal
  • Information (Data)
  • Information Systems
  • Information Technology (Networks, Computers)

8
FISMA Applicability to NIH Grants
  • FISMA applies to grantees only when they
    collect, store, process, transmit, or use
    information on behalf of HHS or any of its
    component organizations.
  • HHS Memo -- FISMA Applicability to Grants
  • Note: Other Federal agencies may have different
    rules, e.g., VA.

9
FISMA Applicability to NIH Acquisitions
  • FISMA applies to
  • Contractors and subcontractors
  • Federal information and Federal information
    systems regardless of their location.
  • IT equipment incidental to a Federal contract
    (incidental IT equipment had been excluded under
    the Clinger-Cohen Act)
  • Externally hosted web sites
  • Clinical trials
  • Services, e.g. consultants, programmers,
    maintenance
  • Source: OMB 2007 FISMA Reporting Instructions
    FAQ

10
FISMA Applicability to NIH Acquisitions (2)
  • FISMA applies to
  • All acquisition types
  • Solicitations
  • Contracts
  • BPAs
  • Purchase Orders
  • Credit Card Purchases, etc.

11
Acquisition Policy, Guidance and Control
(Diagram contrasting Typical Sources with New Sources
of acquisition security requirements)
  • HHS Security Policy, Breach Reporting Policy,
    Contract Security Guidance
  • Rules of Behavior, ID Badges, User Accounts,
    Laptop Encryption
  • FIPS 199, FIPS 200, SP 800-53, SP 800-53A,
    SP 800-60
  • OMB M-07-18, M-07-16, M-06-16
12
FISMA In Acquisitions
  • The Acquisition Team

13
IC Acquisition Team
  • Project Officer
  • Administrative Staff
  • Information Systems Security Officer
  • Privacy Officer

14
IC Project Officer
  • Categorizes data according to FIPS 199/NIST
    800-60
  • Confidentiality, Availability, Integrity
  • Assigns overall Information Security Level to
    project
  • Determines Suitability Level (background
    investigation) for contract staff working on
    project
  • Communicates contract staff accessions and
    departures to Admin. Staff and ISSO
  • Includes security requirements in acquisition
  • Ensures that contract staff meets
    security-related training requirements
  • Consults with IC ISSO on information security
    issues
  • Conducts annual Risk Assessment -- FIPS 200/NIST
    800-53
  • Conducts Privacy Impact Assessment

15
IC Administrative Staff
  • Ensure security measures are included in
    acquisition package
  • Privacy Impact Assessment (confidentiality)
  • System of Records Number (SORN), if applicable
  • Disability Act requirements for web pages
    (availability)
  • Employee ID Badge issue and return
  • Consults with IC ISSO on information security
    issues
  • Consults with Privacy Officer on privacy issues

16
Information Systems Security Officer
  • Reviews Security Requirements
  • Concurs with data categorization
  • Attests, in writing, that appropriate security
    requirements are included in acquisitions
  • Reviews security-related documents
  • 800-53 Assessment, Security Plan, Continuity
    Plan, other C&A (Certification and
    Accreditation) documents
  • Consults with Project Officer as needed during
    acquisition execution to ensure applicable
    information security requirements are being met
  • Reports security-related incidents to NIH IRT.

17
IC Privacy Officer
  • Facilitates obtaining SORN if needed
  • Ensures Privacy requirements are met when PII is
    part of the system
  • Answers Privacy-related questions
  • Must be notified when there is a breach or
    suspected breach of a system containing PII
  • NIH Senior Official for Privacy is part of the
    NIH Breach Response Team

18
FISMA In Acquisitions
  • Security-related Decisions in the Acquisition
    Process

19
Security-related Decisions
  • Information Categorization
  • Level of security needed for the acquisition
  • Security Plan, Continuity/Disaster Recovery
    Plan, System Test and Evaluation (ST&E)
  • Privacy impact assessment
  • Background investigations
  • Amount and type of information security training
  • System Certification: System Owner → Security
    Officer
  • System Accreditation: Security Officer → CIO

20
Security-related Decisions (2)
  • System location
  • Who supplies information security documentation
  • Security Plan, Annual System Security Assessment,
    Risk Assessment, Continuity Plan, other C&A
    documents
  • Security implementation (responsibility)
  • Remote Access requirements and equipment
  • Responsibility for Breach Notifications
  • Computer file encryption

21
FISMA In Acquisitions
  • OMB Memoranda

22
OMB M-07-18 June 1, 2007
  • Ensuring New Acquisitions Include Common Security
    Configurations
  • Target Date 2/1/2008
  • Windows XP and Windows Vista Operating Systems,
    and
  • IE-7 operating on XP or Vista
  • Federal Desktop Core Configurations (FDCC)
  • Standard installation, operation, maintenance,
    update, and/or patching of software shall not
    alter configurations settings from the approved
    FDCC configuration
  • Applications (software systems) designed for
    normal end users shall run without elevated
    system administrator privileges
  • Part 39 of the FAR will be revised to incorporate
    requirements when acquiring technology

23
OMB M 07-18 (cont.)
  • Where We Are
  • HHS OS (Office of the Secretary) and OPDIVs
    decided on an HHS standard
  • Tested in CIT and in several ICs
  • IC staff commented on NIH adopted standards
  • FDCC standards approved by ITMC
  • Implementing

24
OMB M-07-16
  • Subject Safeguarding Against and Responding to
    the Breach of Personally Identifiable Information
  • Issued May 22, 2007
  • Target Date 120 days from Issue Date
  • Affects All Federal Information and Federal
    Information Systems (electronic or paper)
  • Must notify NIH CISO within one hour of
    discovering suspected and/or confirmed breaches
    of PII data/information.

25
OMB M-06-16
  • Subject Protection of Sensitive Agency
    Information
  • Issued June 23, 2006
  • Target Date 45 days from issue date
  • Encrypt all data on mobile computers/devices
    which carry agency data unless data is determined
    to be non-sensitive, in writing, by the Deputy
    Secretary or their designee.
  • Allow remote access only with two-factor
    authentication where one of the factors is
    provided by a device separate from the computer
    gaining access.

26
OMB M-06-16 (cont.)
  • Use a time-out function for remote access and
    mobile devices, requiring user re-authentication
    after 30 minutes inactivity
  • Log all computer-readable data extracts from
    databases holding sensitive information and
    verify each extract including sensitive data has
    been erased within 90 days or that its use is
    still required

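The last M-06-16 item above (log every extract of sensitive data and, within 90 days, verify that it has been erased or that its use is still required) is the one control in this deck that is easy to get wrong in practice: extracts get logged and never revisited. As an added example, not code from the NIH presentation, the Python script below reviews a register of extracts against that 90-day rule. The register format (one JSON object per line carrying `extracted`, optional `reaffirmed` and optional `erased` dates), the rule that a written reaffirmation restarts the 90-day clock, and the sample records are all assumptions made for this illustration.

```python
"""Review a register of data extracts against the OMB M-06-16 90-day rule.

Added example, not code from the NIH presentation. The register format
(one JSON object per line with extracted / reaffirmed / erased dates) and
the sample records below are constructed for illustration.
"""
import json
from datetime import date

# M-06-16: each extract of sensitive data must be verified as erased within
# 90 days, or its continued use must be reaffirmed. Treating a written
# reaffirmation as restarting the 90-day clock is an assumption of this example.
EXTRACT_LIMIT_DAYS = 90

# Constructed sample register (not real NIH data): one record per extract.
SAMPLE_REGISTER = """\
{"extract_id": "X-1001", "user": "analyst1", "source_db": "trials", "extracted": "2008-01-02", "erased": "2008-02-15"}
{"extract_id": "X-1002", "user": "analyst2", "source_db": "trials", "extracted": "2008-01-10"}
{"extract_id": "X-1003", "user": "analyst3", "source_db": "hr", "extracted": "2007-11-01", "reaffirmed": "2008-01-20"}
{"extract_id": "X-1004", "user": "analyst4", "source_db": "hr", "extracted": "2007-10-01", "reaffirmed": "2007-12-15"}
{"extract_id": "X-1005", "user": "analyst5", "source_db": "trials", "extracted": "2008-03-01"}
"""

REQUIRED_FIELDS = ("extract_id", "user", "source_db", "extracted")
DATE_FIELDS = ("extracted", "reaffirmed", "erased")


def parse_register(text):
    """Parse one JSON record per line; reject records that are incomplete or inconsistent."""
    records = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        missing = [f for f in REQUIRED_FIELDS if f not in rec]
        if missing:
            raise ValueError(f"line {lineno}: missing field(s) {missing}")
        # Convert ISO dates once so later comparisons are on date objects.
        for field in DATE_FIELDS:
            if field in rec:
                rec[field] = date.fromisoformat(rec[field])
        if "reaffirmed" in rec and rec["reaffirmed"] < rec["extracted"]:
            raise ValueError(f"line {lineno}: reaffirmation predates extraction")
        records.append(rec)
    return records


def review_register(text, as_of):
    """Classify every extract in the register as of the given date (date or ISO string).

    Returns a dict with three keys:
      "closed"  - ids whose erasure has been recorded
      "open"    - ids still inside the 90-day window, counted from extraction
                  or from the most recent written reaffirmation
      "overdue" - {id: days elapsed} for extracts whose window has expired
                  with neither an erasure nor a reaffirmation on record
    """
    if isinstance(as_of, str):
        as_of = date.fromisoformat(as_of)
    result = {"closed": [], "open": [], "overdue": {}}
    for rec in parse_register(text):
        if "erased" in rec:
            result["closed"].append(rec["extract_id"])
            continue
        clock_start = rec.get("reaffirmed", rec["extracted"])
        elapsed = (as_of - clock_start).days
        # Day 90 is still "within 90 days"; day 91 is overdue.
        if elapsed > EXTRACT_LIMIT_DAYS:
            result["overdue"][rec["extract_id"]] = elapsed
        else:
            result["open"].append(rec["extract_id"])
    return result


def sample_review():
    """Run the review on the constructed register as of 2008-03-24 (date chosen arbitrarily)."""
    return review_register(SAMPLE_REGISTER, "2008-03-24")


if __name__ == "__main__":
    report = sample_review()
    for extract_id, days in report["overdue"].items():
        print(f"{extract_id}: {days} days since last verification, exceeds {EXTRACT_LIMIT_DAYS}")
    print(f"closed={report['closed']} open={report['open']}")
```

The review runs offline over the embedded register; in use, the register would be fed by the database's extract logging and the "overdue" list would drive the follow-up with the extract's owner. Note that the check only covers extracts that were logged in the first place, so it is as good as the logging on the source databases.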
27
FISMA In Acquisitions
  • Acquisition Language

28
Acquisition Language - Prescriptions
  • 1. Federal Information and Information Systems
    Security
  • Include when contractor/subcontractor personnel
    will (1) develop, (2) have the ability to access,
    or (3) host and/or maintain Federal information
    and/or Federal information system(s). For more
    information see
  • 2. Personally Identifiable Information (PII)
  • Include when contractor/subcontractor personnel
    will have access to, or use of, Personally
    Identifiable Information (PII), including
    instances of remote access to or physical removal
    of such information beyond agency premises or
    control. For more information see
  • 3. Physical Access to a Federally-Controlled
    Facility
  • Include when contractor/subcontractor personnel
    will have regular or prolonged physical access to
    a Federally-controlled facility. For more
    information see

29
Acquisition Language Background Investigations
  • Personnel Security Responsibilities
  • The successful offeror shall be required to
    perform and document the following actions
  • Contractor Notification of New and Departing
    Employees Requiring Background Investigations
  • (1) The contractor shall notify the Contracting
    Officer, the Project Officer, and the Security
    Investigation Reviewer within five working days
    before a new employee assumes a position that
    requires a suitability determination or when an
    employee with a security clearance stops working
    under this acquisition. The government will
    initiate a background investigation on new
    employees requiring security clearances and will
    stop pending background investigations for
    employees that no longer work under this
    acquisition.
  • (2) New employees Provide the name, position
    title, e-mail address, and phone number of the
    new employee. Provide the name, position title
    and suitability level held by the former
    incumbent. If the employee is filling a new
    position, provide a description of the position
    and the government will determine the appropriate
    security level.

30
Acquisition Language Background Investigations
  • Personnel Security Responsibilities
  • The successful offeror shall be required to
    perform and document the following actions
  • Contractor Notification of New and Departing
    Employees Requiring Background Investigations
  • (3) Departing employees
  • Provide the name, position title, and security
    clearance level held by or pending for the
    individual.
  • Perform and document the actions identified in
    the "Contractor Employee Separation Checklist",
    of this acquisition, when a contractor/subcontract
    or employee terminates work under this
    acquisition. All documentation shall be made
    available to the Project Officer and/or
    Contracting Officer upon request.

31
Acquisition Language -- Self Assessment
  • NIST SP 800-53 Self-Assessment
  • If the offeror proposes to (1) develop a Federal
    information system at the contractor's/subcontractor's
    facility or (2) host or maintain a Federal
    information system at the contractor's/subcontractor's
    facility, it must include in the
    "Information Security" part of its Technical
    Proposal a completed Self-Assessment required by
    NIST SP 800-53, Recommended Security Controls for
    Federal Information Systems. The NIST SP 800-53
    self-assessment covers the information security
    assurance of the offeror's internal systems. This
    assessment is based on the Federal IT Security
    Assessment Framework and NIST SP 800-53 at

32
Acquisition Language Data Breach
  • Loss and/or Disclosure of Personally Identifiable
    Information (PII) Notification of Data Breach
  • The successful offeror shall be responsible for
    reporting all incidents involving the loss and/or
    disclosure of PII in electronic or physical form.
    Notification shall be made to the NIH CISO
    within one hour of discovering the incident by
    using one of the following two forms
  • NIH PII Spillage Report
    http://irm.cit.nih.gov/security/PII_SpillageReport.doc
  • NIH Lost or Stolen Assets Report
    http://irm.cit.nih.gov/security/Lost_or_Stolen.doc
  • The notification requirements do not distinguish
    between suspected and confirmed breaches.

33
Acquisition Language Data Encryption
  • The following policy applies to all
    contractor/subcontractor laptop computers
    containing HHS data at rest and/or HHS data in
    transit.
  • All laptop computers shall be secured using a
    Federal Information Processing Standard (FIPS)
    140-2 compliant whole-disk encryption solution.
    The cryptographic module used by an encryption or
    other cryptographic product shall be tested and
    validated under the Cryptographic Module
    Validation Program to confirm compliance with the
    requirements of FIPS PUB 140-2 (as amended). For
    additional information, refer to
    http://csrc.nist.gov/cryptval.
  • A vendor's statement that a product is "FIPS
    compliant" or "uses FIPS-approved algorithms" is
    not the same as CMVP validation. The check is that
    the product's cryptographic module holds a CMVP
    validation certificate and that the product is
    deployed in its validated (FIPS mode)
    configuration.
  • All data at rest and in transit, unless the data
    is determined to be non-sensitive in writing by
    the NIH CIO or his/her designee, shall be
    encrypted using a FIPS 140-2 compliant product.
    Data at rest includes all HHS data regardless of
    where it is stored.

34
Acquisition Language Other
  • Vulnerability Scanning
  • Federal Desktop Core Configurations (FDCC)
  • Software Patch security
  • System Administration privilege
  • Encryption keys and key recovery
  • Non-disclosure when offerors must access
    sensitive information to respond to an RFP
  • Rules of Behavior
  • Security Training

35
FISMA In Acquisitions: Summary
  • FISMA affects all acquisition types
  • Many organizations develop information security
    regs.
  • Be consistent when applying security language
  • Acquisition team communication is essential
  • Keep abreast of new information security
    requirements
  • Security decisions can affect acquisition cost
  • If you don't know, ask; don't guess
  • The only real constant is change
  • Reasonableness test

36
FISMA In Acquisitions
  • Questions?

37
FISMA In Acquisitions Contacts
  • Thomas Mitchell, OCIO mitchell_at_mail.nih.gov
  • and
  • Raymond Dillon, OAMP dillonr_at_mail.nih.gov
