Chapter 3 - Audit and Accountability
Part 3 - Audit and Accountability
| Manual Exhibits | Description |
|---|---|
| Manual Exhibit 10-3-A [PDF - 225 KB] | Cybersecurity and Privacy Control Definitions |
- Purpose. The purpose of this chapter is to establish audit and accountability (AU) policies and procedures for the Indian Health Service (IHS) information technology systems, consistent with applicable statutory and regulatory requirements and guidelines. The AU procedures provided in this policy help to minimize vulnerabilities in the IHS data and information systems by establishing requirements for maintaining a record of information system application and user activity on computer and information systems, including healthcare network systems, telehealth, telemedicine, electronic health records, and biomedical devices.

  The AU security control baselines that are included in this chapter will ensure activity is monitored and attributable, and that such records are maintained in accordance with record retention requirements. These baselines adhere to AU security requirements defined by the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53.
- Background. The IHS is responsible for safeguarding information that it collects, records, transmits, and manages in the performance of its mission by reducing risk and minimizing the potential negative impact on computing resources, sensitive data, funds, productivity, and public health reputation.

  Event logs are generated by many sources, including security software (e.g., antivirus software, firewalls, and intrusion detection and prevention systems), operating systems, and applications. The types of events that must be flagged for logging are specified in accordance with the system’s Federal Information Processing Standards (FIPS) 199 security categorization. The retention and analysis of log events help to ensure that adequate security measures are in place and that appropriate due diligence is performed with regard to IHS data security.

  In accordance with the Federal Information Security Modernization Act, National Archives and Records Administration (NARA) General Records Schedule (GRS), NIST SP 800-53, and NIST SP 800-92, the Agency is required to collect, analyze, and protect this event data, as well as take investigative action when appropriate. This prevents the loss, misuse, or unauthorized access to information, which could adversely affect the ability of the IHS to accomplish its mission.
- Scope. This chapter applies to all of the IHS organizational components, including, but not limited to, Headquarters, Area Offices, and Service Units utilizing the IHS information technology (IT) networks and systems, as well as contractual relationships involving the use of the IHS IT resources. This includes all systems and activities that involve storage, transmission, and/or processing of information on behalf of the IHS. This chapter pertains to activities related to implementing AU security control mechanisms, as conducted by staff in all of the IHS office locations, or while teleworking, on travel, or at other off-site locations. Agency officials must apply this chapter to the AU mechanisms for systems owned and operated by or on behalf of the IHS, as they pertain to auditing and accounting for system activities. With regard to contractual relationships involving the use of IHS IT resources, program officials, including CORs or other representatives, are responsible for advising contracting officers as part of acquisition planning to incorporate the guidance and instructions delineated in this policy into contracts or other arrangements as conditions for using Government-provided IT resources. When applicable, contracting officers and their representatives are responsible for incorporating the guidance and instructions delineated in this policy into contracts or other arrangements as conditions for using Government-provided IT resources.
- Authorities, Guidance and Standards of Reference.
  - Statutes and Regulations:
    - Computer Fraud and Abuse Act, P.L. 99-474, 1986
    - Federal Information Security Modernization Act of 2014, P.L. 113-283
    - Presidential and Federal Records Act Amendments of 2014, Pub. L. No. 113-187, 128 Stat. 2003 (codified as amended in scattered sections of 44 U.S.C.) (amending Federal Records Act of 1950, 64 Stat. 583)
    - Title 36, Code of Federal Regulations, Chapter XII, Subchapter B, “Records Management,” 2009
    - Health Insurance Portability and Accountability Act (HIPAA), Security Rule, 45 C.F.R. Parts 160 and 164
    - Office of Management and Budget (OMB) Circular A-130, “Managing Information as a Strategic Resource”
  - NIST Special Publications:
    - NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, 2015, as revised by any successor guidance
    - NIST SP 800-92, Guide to Computer Security Log Management, 2006, as revised by any successor guidance
    - NIST SP 800-61, Rev. 2, Computer Security Incident Handling Guide, 2012, as revised by any successor guidance
    - Department of Health and Human Services (HHS) Office of the Chief Information Officer (OCIO) Policy: HHS Policy for Information Security and Privacy Protection, HHS-OCIO-OIS-2021-11-006, November 18, 2021 (HHS Intranet link. If the link cannot be accessed, please contact Cybersecurity@ihs.gov for a copy of the policy.)
    - Committee on National Security Systems Instruction 1253F, Security Categorization and Control Selection for National Security Systems, Attachment 6, “Privacy Overlays,” 2015
    - Homeland Security Presidential Directive 12: “Policy for a Common Identification Standard for Federal Employees and Contractors,” 2004
    - IHS Delegation of Authority, Administrative #52, Security of Information Technology Systems, 2017
- Acronyms.
(1) AU Audit and Accountability
(2) AO Authorizing Official
(3) c.e. Control Enhancement
(4) CSIRT Cybersecurity Incident Response Team
(5) CIO Chief Information Officer
(6) CISO Chief Information Security Officer
(7) DIS Division of Information Security
(8) FIPS Federal Information Processing Standards
(9) GRS General Records Schedule
(10) HHS Department of Health and Human Services
(11) IHM Indian Health Manual
(12) IHS Indian Health Service
(13) ISSO Information System Security Officer
(14) IT Information Technology
(15) NARA National Archives and Records Administration
(16) NIST National Institute of Standards and Technology
(17) OIT Office of Information Technology
(18) OMB Office of Management and Budget
(19) PL Public Law
(20) SP Special Publication
- Definitions.
  - General Records Schedule. The Archivist of the United States issues the GRS to provide disposition authority for records common to several or all agencies of the Federal Government. These schedules authorize agencies, after specified periods of time, to either destroy temporary records or transfer permanent records to the NARA.
  - Event. An event is any observable occurrence in a system and/or network. Events sometimes indicate that an incident is occurring. For additional information on events, incidents, and incident response, please see the IHS Policy on Establishing an Incident Response Capability.
  - Event Log. An event log provides information about network traffic and stores these events for retrieval by IT staff or automated security systems. Event logs help network administrators manage various system aspects such as security, performance, and transparency.
  - Non-Repudiation. Non-repudiation is assurance that the sender of information is provided with proof of delivery and the recipient is provided with proof of the sender’s identity, so neither can later deny having processed the information. The IHS obtains non-repudiation services by employing various techniques or mechanisms (e.g., digital signatures, digital message receipts).
  - Packet Sniffing/Packet Sniffer. Packet sniffing is the practice of gathering, collecting, and logging some or all packets that pass through a computer network. A network administrator can use the collected data for a wide variety of purposes, such as monitoring bandwidth and traffic. A packet sniffer, sometimes called a packet analyzer, is software that observes and records network traffic.

10-3.3 POLICY.

In accordance with statutory, regulatory, and Agency requirements, the IHS IT systems and applications (e.g., hardware, software, firmware, documentation, or a combination thereof), including healthcare network systems, telehealth, telemedicine, electronic health records, and biomedical devices, must include the AU requirements defined below, in accordance with the designated FIPS 199 system category found in the System Security Plan.
The specific Federal and Agency requirements for such AU mechanisms are enumerated in the Cybersecurity and Privacy Control Definitions for AU Controls, which are provided in Exhibit 10-03-A, “Indian Health Service Cybersecurity and Privacy Control Definitions Audit and Accountability Controls.”
The IHS must adhere to this chapter, which governs the implementation of the AU security controls and standards outlined in Exhibit 10-03-A.
10-3.4 PROCEDURES.
In accordance with Federal, Departmental, and Agency requirements, the IHS IT systems and applications must employ automated mechanisms to audit and account for activities performed by systems, users, and processes acting on behalf of users.
The below security controls (i.e., standards and risk factors) are used to safeguard and protect the confidentiality, integrity, and availability of the IHS systems, networks, and information. These baseline measures establish principles for AU and will be managed and monitored on an ongoing basis. Many of the security controls listed below apply to systems categorized as High-, Moderate-, and Low-impact, in terms of the effect a security compromise would have on the Agency’s mission. Other controls apply only to Moderate- and/or High-impact systems. Manual Exhibit 10-03-A presents all of the federally required AU controls further specified and tailored to the unique organizational requirements of the IHS. Personnel should refer to Exhibit 10-03-A to implement the complete set of AU controls.
Some controls include control enhancements (c.e.) that are not specifically enumerated below. The c.e. are referenced for each procedure below and are specifically identified in the IHM Part 10, Chapter 3, Exhibit 10-03-A, which is incorporated by reference into this policy.
The IHS will adhere to the following NIST 800-53 Rev 4 control requirements as revised by NIST and required by HHS:
- AU-1 Audit and Accountability. The IHS CIO is responsible for ensuring the IHS meets Federal requirements to govern implementation of AU processes and associated security and privacy controls through the development of this and other related policies and procedures.
- AU-2 Audit Events. The System Owner ensures each information system generates audit records within the system for, at a minimum, the following events (as applicable):
  - Server alerts and error messages;
  - User log-on and log-off (successful or unsuccessful);
  - System administration activities;
  - Modification of privileges and access;
  - Start up and shut down;
  - Modifications to the application;
  - Application alerts and error messages;
  - Configuration changes;
  - Account creation, modification, or deletion;
  - Read access to sensitive information;
  - Modification to sensitive information;
  - Printing sensitive information; and
  - Unsuccessful log-on attempts that result in a locked account/node.

  Note: This is the minimum set of events that the IHS must audit, but IHS System Owners or applicable organizational components are free to expand this list based on organizational risk. When automated auditing is not feasible, the IHS will use alternative manual methods. The Area or local ISSO will provide guidance for requesting alternative manual methods if an automated method is not feasible.
- AU-3 Content of Audit Records. System administrators configure the IHS systems to generate audit records containing information that establishes what type of event occurred, when and where it occurred, the source of the event, the outcome, and the identity of any individuals or subjects associated with the event.

  Audit record content that may satisfy the requirement of this control includes, for example, time stamps, source and destination addresses, user/process identifiers, event descriptions, success/fail indications, filenames involved, and access control or flow control rules invoked.

  Moderate- and High-security categorized systems must also meet AU-3, c.e.1. If the system is categorized as High, see also AU-3, c.e.2.
- AU-4 Audit Storage Capacity. System administrators configure information systems to allocate sufficient log record storage capacity to avoid exceeding maximum capacity. System administrators must consider the types of auditing to be performed and the audit processing requirements when allocating audit storage, to reduce the likelihood of exceeding capacity and the potential loss or reduction of auditing capability.

  Note: Adequate storage means the capacity to support storing audit records as required in AU-11. Please see 10-3.4K, AU-11 Audit Record Retention, for further information.
- AU-5 Response to Audit Processing Failures. System administrators configure the IHS systems to alert security staff, as well as other appropriate personnel designated by the System Owner, of audit failures. Such failures must be investigated for mitigation by appropriate staff, such as security team members, system administrators, or other technical IT staff.

  Note: Designated personnel must include any stakeholder or system personnel that will be directly affected by or responsible for addressing the failure. Audit processing failures can include software/hardware errors, failures in the audit capturing mechanisms, and/or reaching or exceeding audit storage capacity.

  Moderate- and High-security categorized systems must also meet AU-5, c.e.1 and c.e.2.
- AU-6 Audit Review, Analysis, and Reporting. Local and Area ISSOs ensure System Owners or their designees review and analyze information system audit records for indications of inappropriate or unusual activity at least weekly. If these reviews uncover unusual events, the System Owner must report them to the IHS CSIRT at incident@ihs.gov and to the local ISSO.

  Moderate- and High-security categorized systems must also meet AU-6, c.e.1 and c.e.3. For systems categorized as High, see also AU-6, c.e.5 and c.e.6.
- AU-7 Audit Reduction and Report Generation. System administrators configure the IHS information systems to provide event logging that includes an audit reduction and report generation capability and supports on-demand audit review, analysis, reporting requirements, and after-the-fact investigations of cybersecurity incidents. System administrators will configure these capabilities so that the original content and time ordering of audit records are preserved and not subject to tampering or alteration.

  Moderate- and High-security categorized systems must also meet AU-7, c.e.1.
- AU-8 Time Stamps. System administrators configure the IHS information systems to provide time stamps in event logging that include both date and time, expressed in Coordinated Universal Time or Greenwich Mean Time.

  Moderate- and High-security categorized systems must also meet AU-8, c.e.1.
- AU-9 Protection of Audit Information. System Owners and administrators must protect audit information (e.g., audit records, audit settings, and audit reports needed to successfully audit the IHS information system activity) and audit tools from unauthorized access, modification, and/or deletion. This includes configuring automated system protections and using logical and physical access control measures, as appropriate.

  Moderate- and High-security categorized systems must also meet AU-9, c.e.4. If the system is categorized as High, see also AU-9, c.e.2 and c.e.3.
- AU-10 Non-Repudiation. System administrators configure information systems to protect against an individual (or a process acting on behalf of an individual) falsely denying having performed any of the following actions:
  - Account Creation or Modification;
  - System Shutdown;
  - Data Modification;
  - Account Deletion; and
  - Location Change.

  For more on identification and authentication management, see IHM Part 10, Chapter 7, “Identification and Authentication.”
- AU-11 Audit Record Retention. System Owners employ audit record retention requirements to ensure that the IHS can retrieve long-term audit records generated by the IHS information systems as defined by:
  - NARA GRS 3.2, "Information Systems Security Records"
  - NARA GRS 4.2, "Information Access and Protection Records"
- AU-12 Audit Generation. ISSOs and/or System Owners and their designees select which events will be audited by specific components of the information system, to include, at a minimum, events defined in AU-2. Audit records will be generated for the events defined in AU-2 with the content defined in AU-3. High-security categorized systems must also meet AU-12, c.e.1 and c.e.3.
Key personnel responsible for implementing the AU requirements are described below.
- The Director, IHS. The Director, IHS is ultimately responsible for ensuring that:
  - The IHS executes programs in conformance with applicable laws and regulations;
  - The IHS programs protect the privacy and security of the IHS IT resources; and
  - Funding is available to adequately support security efforts.
- The Chief Medical Officer, IHS. The Chief Medical Officer, IHS is ultimately responsible for the following:
  - Overseeing the IHS IT resources and ensuring privacy and security of IHS IT systems;
  - Overseeing the IHS programs to ensure they meet requirements to protect the privacy and security of the IHS IT resources; and
  - Overseeing the IHS budgeting processes to ensure the IHS makes available adequate funding to support security efforts.
- The Chief Information Officer, IHS. The CIO, IHS is delegated AO authority by the IHS Director via the Administrative Delegation of Authority, #52, “Security of Information Technology Systems,” which is filed and maintained consistent with applicable records management policies and procedures. The IHS CIO is responsible for the following:
  - Designating the Chief Information Security Officer;
  - Advising the IHS Director on security risk related matters and overseeing the management of the IHS IT security program;
  - Ensuring the development of cybersecurity policies that support the IHS compliance with Federal and Departmental requirements;
  - Ensuring the cybersecurity of all information stored, processed, or transmitted electronically, and the security of the associated IT resources;
  - Ensuring all cybersecurity controls stated in the IHM, Part 10, “Cybersecurity,” are implemented on all of the IHS systems; and
  - Ensuring all OIT staff are properly trained for their respective duties and providing oversight for the performance of OIT programs.
- The Chief Information Security Officer, IHS. The Director, DIS, OIT, is designated by the IHS CIO as the CISO. This designee serves as the Agency focal point to direct and oversee the Cybersecurity Program within the IHS. The CISO is responsible for assuring AU requirements are implemented and compliant with Federal mandates.
- Cybersecurity Incident Response Team. The CSIRT responds to any malicious virus incidents and patch-related alerts. The CSIRT is responsible for the following:
  - Defining response time for audit alerts and remediation;
  - Defining remediation actions for audit incident types;
  - Responding to support requests for audit events;
  - Sending remediation reports to the OIT and Areas/facilities; and
  - Establishing digital forensics workstations, to include malware analysis and packet sniffers, to ensure accurate forensic review.
- Information System Security Officers. The ISSOs serve as the Cybersecurity Program main points of contact for cybersecurity guidance and support for the organizational unit(s) or systems for which they are responsible. The ISSOs are responsible for the following:
  - Implementing and enforcing cybersecurity policies and procedures;
  - Ensuring compliance monitoring and reporting is conducted for operating units and systems within their area of responsibility, and taking action to ensure compliance issues are resolved;
  - Maintaining a tracking system and records concerning implementation of required AU controls on IT systems for which they are responsible. This includes retaining training records and rules of behavior acceptance for privileged and non-privileged users, in accordance with the records management policy and Personally Identifiable Information security requirements;
  - Reviewing and acting on audit and logging reports provided by system administrators, and reporting any suspected security vulnerabilities or incidents to the CSIRT for final action;
  - Providing cybersecurity guidance and technical assistance to operating units with analyzing, evaluating, and approving all AU mechanisms on systems for which they are responsible;
  - Assisting the System Owner, Business Owner, and CISO in ensuring that the IHS uses security-event monitoring technologies for all systems and networks;
  - Assisting the System Owner, Business Owner, and CISO in analyzing audit logs with the frequency defined by the CISO, and monitoring the types of assistance that users request;
  - Coordinating with the System Owner, Business Owner, and CISO in developing, documenting, implementing, and reporting audit records to all pertinent personnel;
  - Coordinating with the System Owner, Business Owner, and CISO in responding to information security data calls, audit requests, and reporting;
  - Reviewing audit trails for all organizational components or systems for which they are responsible to ensure compliance with the IHS policies, procedures, and standards;
  - Reviewing auditable events and cybersecurity incident information and requirements to determine changes required to protect the information system;
  - Reviewing and approving requests for system and computer access, software and hardware purchases, and audit changes; and
  - Reviewing audit reports of information systems for which they are responsible to ensure that the IHS has restricted unnecessary functions, ports, protocols, and/or services, and uses only essential capabilities.
- System Owner. The System Owner is the Agency/Area official responsible for the overall procurement, development, integration, modification, or operation and maintenance of the information system. System Owners are responsible for the following:
  - Identifying and documenting AU items;
  - Determining the sensitivity of the resources for which they are responsible;
  - Determining the appropriate level of required AU controls, consistent with system categorization and all Federal laws, regulations, and HHS and IHS directives;
  - Ensuring, through regular system audits, that AU requirements of the system are maintained at an adequate level to help protect the system and data;
  - Implementing and maintaining audit trails for their systems and ensuring auditable events are sufficient to protect the information system;
  - Capturing sufficient information in audit records to establish the occurrence, sources, and outcome of events;
  - Allocating sufficient audit record storage capacity to prevent such capacity from being exceeded;
  - Ensuring the information system automatically alerts appropriate officials when there is an audit failure or when storage capacity is close to being reached;
  - Reviewing and analyzing logs and records;
  - Investigating any suspicious cybersecurity activity or suspected violations, and reporting to the CSIRT and local ISSO;
  - Ensuring log management staff are trained in their responsibilities;
  - Monitoring compliance and periodically reevaluating previously specified levels of system and data sensitivity and protection;
  - Reviewing the procedures governing their environment(s) annually; and
  - Assigning system administrator responsibilities to appropriate personnel.
- Business Owner. The Business Owner is the Agency/Area official from the business/mission segment with business/mission ownership or fiduciary responsibilities. This person is responsible for day-to-day business aspects related to the implementation of the information security program or system, such as budgeting, staffing, and organizational priorities. Business Owners are responsible for the following:
  - Identifying and documenting AU items;
  - Assisting System Owners with implementing and maintaining appropriate auditable events for the information resources for which they are responsible; and
  - Reviewing auditable events for needed changes.
- System Administrators. System Administrators are responsible for the following:
  - Identifying and documenting AU items;
  - Configuring audit logs to capture important events in the IHS systems;
  - Configuring systems to generate log reports as frequently as defined by the system’s security categorization, and submitting the reports to the System Owner;
  - Analyzing system performance for potential security problems;
  - Ensuring appropriate auditing requirements are implemented and enforced for all systems or networks under their authority;
  - Ensuring appropriate auditing requirements are tested on at least an annual basis for all systems or networks under their authority;
  - Examining unresolved system vulnerabilities and determining which corrective action(s) or additional safeguards are necessary to mitigate the vulnerabilities;
  - Ensuring all IT systems are configured in accordance with the most recent Federal system security configuration guidance;
  - Investigating any suspicious activity or suspected policy violations and reporting to the System Owner, CSIRT, and local ISSO; and
  - Establishing appropriate backup procedures and ensuring they are reviewed annually.
