
Chapter 4 - Security Assessment and Authorization

Part 10

Section
  10-4.1   Introduction
  10-4.1A    Purpose
  10-4.1B    Background
  10-4.1C    Scope
  10-4.1D    Authority
  10-4.2   Acronyms and Definitions
  10-4.2A    Acronyms
  10-4.2B    Definitions
  10-4.3   Policy
  10-4.4   Procedures
  10-4.4A    CA-1 Security Assessment and Authorization Policies and Procedures
  10-4.4B    CA-2 Security Assessments
  10-4.4C    CA-3 System Interconnections
  10-4.4D    CA-5 Plan of Action and Milestones
  10-4.4E    CA-6 Security Authorization
  10-4.4F    CA-7 Continuous Monitoring
  10-4.4G    CA-8 Penetration Testing
  10-4.4H    CA-9 Internal System Connections
  10-4.5   Responsibilities
  10-4.5A    The Director, IHS
  10-4.5B    The Chief Medical Officer, IHS
  10-4.5C    Chief Information Officer, IHS
  10-4.5D    IHS Chief Information Security Officer
  10-4.5E    Senior Agency Privacy Official
  10-4.5F    Authorizing Officials
  10-4.5G    OIT Network Administrators
  10-4.5H    OIT Cybersecurity Incident Response Team
  10-4.5I    Area Information Systems Coordinator
  10-4.5J    Supervisors
  10-4.5K    System Owner
  10-4.5L    Business Owner
  10-4.5M    Security Control Assessor

Exhibit   Description
  Exhibit 10-04-A   Cybersecurity and Privacy Control Definitions: Security Assessment and Authorization Controls
  Exhibit 10-04-B   Security Assessment Plan Template
  Exhibit 10-04-C   Security Agreement Summary
  Exhibit 10-04-D   POA&M Template
  Exhibit 10-04-E   Waiver Request Form

10-4.1  INTRODUCTION

  1. Purpose. The purpose of this chapter is to establish Security Assessment and Authorization policies and procedures, consistent with applicable statutory and regulatory requirements and guidelines, to minimize vulnerabilities in Indian Health Service (IHS) data and information systems and protect them against associated risks. Security control baselines are included in this chapter to ensure that IHS information systems adhere to the security requirements defined by the National Institute of Standards and Technology (NIST).
  2. Background. The IHS Information Technology (IT) infrastructure, networks, systems, and applications face cybersecurity threats, vulnerabilities, and risks every day. These include both external and internal threats that use computer access to compromise sensitive information, which can have a negative impact on the IHS mission and can contribute to vulnerabilities in the United States' national and economic security. The IHS is therefore responsible for safeguarding the information that it collects, records, transmits, and manages in the performance of its mission. Because of these threats to Agency information, Federal requirements establish the conditions and rules under which IHS IT systems and networks operate, to ensure the confidentiality, integrity, and availability of the information. The IHS must reduce risk and minimize the potential impact on its computing resources, data, funds, productivity, and reputation.

    NIST developed the Risk Management Framework (RMF), which is integral to implementing the Federal Information Security Modernization Act and is supported by NIST Special Publications (SPs) 800-30, "Guide for Conducting Risk Assessments," 800-53A, "Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans," and 800-18, "Guide for Developing Security Plans for Federal Information Systems," as well as by the publications of the Committee on National Security Systems.

    The RMF replaced the legacy Certification and Accreditation process as the unified cybersecurity framework for Federal agencies. The RMF process emphasizes:

    1. Building information security capabilities into Federal information systems through the application of the security and privacy controls defined by NIST, the Department of Health and Human Services (HHS) Office of the Chief Information Officer (OCIO), and the IHS;
    2. Maintaining awareness of the security and privacy state of information systems on an ongoing basis through continuous monitoring activities; and
    3. Providing essential information to senior leaders to facilitate decisions regarding the acceptance of risk arising from the operation and use of information systems.

    Key Security Assessment and Authorization (SA&A) activities are defined by the NIST family of SA&A (formerly known as Certification and Accreditation) controls and are employed to assist the IHS in managing and evaluating enterprise-level risks resulting from the operation of an information system. Such activities include:

    1. Categorizing the information system,
    2. Selecting a set of minimum security controls defined by NIST and based on the Federal Information Processing Standards (FIPS) 199 categorization,
    3. Refining the security control set based on risk assessment,
    4. Documenting security and privacy controls in the IHS system security and privacy plan,
    5. Implementing the security and privacy controls in the system,
    6. Assessing the security and privacy controls,
    7. Determining Agency-level risk and risk acceptability,
    8. Identifying, managing and mitigating weaknesses using a Plan of Action and Milestones (POA&M),
    9. Authorizing the system to operate, and
    10. Monitoring security and privacy controls on a continuous basis.

    In accordance with FIPS 199, FIPS 200, and NIST SP 800-37 Rev. 2, the IHS manages system assessments and authorizations, which must conform to the minimum security and privacy requirements defined by Federal policy.
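    Steps 1 and 2 of the SA&A activities above (categorizing the system and selecting the baseline from the FIPS 199 categorization) are mechanical enough to script. The following is an added example, not IHS code or a template from this chapter: it applies the FIPS 199 per-objective high-water mark across the information types a system processes, applies the FIPS 200 high-water mark to obtain the overall impact level that selects the NIST SP 800-53 baseline, and then lists the CA control enhancements that the procedures in 10-4.4 require at that level (CA-2 c.e.1, CA-3 c.e.5, and CA-7 c.e.1 for Moderate and High; CA-2 c.e.2 and c.e.3 for High). The information types and their impact levels are constructed sample input, not an actual IHS system; in practice the provisional levels come from NIST SP 800-60 Vol. 2 and are adjusted during the risk assessment.

```python
"""FIPS 199 security categorization and FIPS 200 high-water-mark baseline selection.

Added example (not part of the IHS policy text). The sample information types
below are constructed, not taken from any real IHS system.
"""
from dataclasses import dataclass

# Ordered impact levels. "N/A" is permitted by FIPS 199 only for confidentiality
# (information that is public by law or policy).
LEVELS = {"N/A": 0, "LOW": 1, "MODERATE": 2, "HIGH": 3}
NAMES = {v: k for k, v in LEVELS.items()}
OBJECTIVES = ("confidentiality", "integrity", "availability")


@dataclass(frozen=True)
class InfoType:
    """One information type (NIST SP 800-60 style) with its provisional impact levels."""
    name: str
    confidentiality: str
    integrity: str
    availability: str


def _rank(level, objective):
    """Validate an impact level and return its ordinal for comparison."""
    if level not in LEVELS:
        raise ValueError(f"unknown impact level {level!r} for {objective}")
    if level == "N/A" and objective != "confidentiality":
        raise ValueError("N/A is only permitted for the confidentiality objective")
    return LEVELS[level]


def security_category(info_types):
    """Return {objective: level}: the per-objective high-water mark across all
    information types the system processes (FIPS 199, Section 3)."""
    if not info_types:
        raise ValueError("a system must process at least one information type")
    return {
        obj: NAMES[max(_rank(getattr(t, obj), obj) for t in info_types)]
        for obj in OBJECTIVES
    }


def system_impact_level(sc):
    """FIPS 200 high-water mark: the overall impact level is the highest of the
    three objectives. Integrity and availability are never N/A, so the result
    is always at least LOW."""
    return NAMES[max(LEVELS[sc[obj]] for obj in OBJECTIVES)]


# CA enhancements this chapter requires beyond the base controls, by impact level
# (taken from the CA-2, CA-3, and CA-7 procedures in 10-4.4).
CHAPTER_CA_ENHANCEMENTS = {
    "LOW": [],
    "MODERATE": ["CA-2(1)", "CA-3(5)", "CA-7(1)"],
    "HIGH": ["CA-2(1)", "CA-2(2)", "CA-2(3)", "CA-3(5)", "CA-7(1)"],
}


def required_ca_enhancements(level):
    """Chapter-specific CA enhancements that apply at the given overall impact level."""
    return list(CHAPTER_CA_ENHANCEMENTS[level])


def fips199_notation(sc):
    """Render the FIPS 199 expression, e.g.
    SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}"""
    return "SC = {" + ", ".join(f"({obj}, {sc[obj]})" for obj in OBJECTIVES) + "}"


# Constructed sample: a clinical application handling PHI plus a public-facing
# information page and its own audit logs (hypothetical values).
SAMPLE_SYSTEM = [
    InfoType("patient health records (PHI)", "MODERATE", "MODERATE", "LOW"),
    InfoType("public health information", "N/A", "LOW", "LOW"),
    InfoType("system audit logs", "LOW", "MODERATE", "LOW"),
]

if __name__ == "__main__":
    sc = security_category(SAMPLE_SYSTEM)
    level = system_impact_level(sc)
    print(fips199_notation(sc))
    print("Overall impact level:", level)
    print("Chapter CA enhancements required:",
          ", ".join(required_ca_enhancements(level)) or "none")
```

    For the constructed sample the result is `SC = {(confidentiality, MODERATE), (integrity, MODERATE), (availability, LOW)}`, an overall Moderate system, which selects the Moderate baseline and brings in CA-2 c.e.1, CA-3 c.e.5, and CA-7 c.e.1 from this chapter. Note that the categorization only drives the initial control set (step 2); the baseline is still refined by the risk assessment (step 3), and a system whose categorization changes after a significant change is a candidate for reauthorization under CA-6.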

  3. Scope. This chapter applies to all IHS organizational components, including, but not limited to, Headquarters, Area Offices, and service units utilizing the IHS IT networks and systems, and to contractual relationships involving the use of IHS IT resources. This includes all IHS systems and activities that involve storage, transmission, and/or processing of IHS information using IT resources. This chapter pertains to activities conducted in all IHS office locations and while teleworking, on travel, or at other off-site locations. Agency officials must apply this chapter to contractor personnel, interns, externs, and other non-government employees by incorporating such references into contracts, Security Agreements, and Memoranda of Understanding as conditions for using government-provided IT resources.

    All facilities managed by contractors, Tribes, or Tribal organizations that have servers, workstations, tablets, or other mobile platforms that access the IHS network by means other than IHS public-facing websites and applications must follow this chapter, if applicable, in accordance with their security agreements, contracts, or compacts to reduce vulnerabilities and keep controls up to date.

  4. Authority.
    1. Public Law (P.L.) and Regulations:
      1. Clinger-Cohen Act of 1996 (formerly Information Technology Management Reform Act), P.L. 104-106, Division E
      2. Federal Information Security Modernization Act of 2014, P.L. 113-283
      3. HIPAA Security Rule, 45 Code of Federal Regulations Parts 160 and 164
      4. E-Government Act of 2002, P.L. 107-347
      5. Privacy Act of 1974, P.L. 93-579
    2. Office of Management and Budget (OMB) Circular:
      OMB Circular A-130, "Managing Information as a Strategic Resource"
    3. FIPS Publications:
      1. FIPS PUB 200, Minimum Security Requirements for Federal Information and Information Systems
      2. FIPS PUB 199, Standards for Security Categorization of Federal Information and Information Systems
      3. FIPS PUB 140-3, Security Requirements for Cryptographic Modules
    4. NIST Special Publications:
      1. NIST SP 800-18, Rev. 1, Guide for Developing Security Plans for Federal Information Systems, 2006
      2. NIST SP 800-30, Rev. 1, Guide for Conducting Risk Assessments, 2012
      3. NIST SP 800-37, Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, 2018
      4. NIST SP 800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 2011
      5. NIST SP 800-53, Rev. 4, Security and Privacy Controls for Federal Information Systems and Organizations, 2015
      6. NIST SP 800-53A, Rev. 4, Assessing Security and Privacy Controls in Federal Information Systems and Organizations: Building Effective Assessment Plans, 2014
      7. NIST SP 800-60, Vol. 1, Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories, 2008
      8. NIST SP 800-100, Information Security Handbook: A Guide for Managers, 2006
      9. NIST SP 800-115, Technical Guide to Information Security Testing and Assessment, 2008
      10. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, 2011
    5. HHS OCIO Policy (HHS intranet documents. If a document cannot be accessed, contact Cybersecurity@ihs.gov for a copy of the policy.):
      1. HHS-OCIO-OIS-2021-11-006, HHS Policy for Information Security and Privacy Protection, November 18, 2021
      2. HHS Minimum Security Configuration Standards Guidance, October 5, 2017
    6. Guidance:
      1. Committee on National Security Systems Instruction 1253F, Security Categorization and Control Selection for National Security Systems, Attachment 6, "Privacy Overlay," 2015
      2. IHS Delegation of Authority, Administrative #52, Security of Information Technology Systems, 2017
      3. HHS Cloud Computing and Federal Risk and Authorization Management Program Guidance, 2016

10-4.2  ACRONYMS AND DEFINITIONS

  1. Acronyms.
    (1)  AO        Authorizing Official
    (2)  ATO       Authorization to Operate
    (3)  CA        Certification and Accreditation (NIST control family identifier), now referred to as Security Assessment and Authorization (SA&A)
    (4)  CIO       Chief Information Officer
    (5)  CISO      Chief Information Security Officer
    (6)  c.e.      Control Enhancement
    (7)  CSIRT     Cybersecurity Incident Response Team
    (8)  DIS       Division of Information Security
    (9)  FIPS      Federal Information Processing Standards
    (10) FIPS PUB  FIPS Publication
    (11) HHS       Department of Health and Human Services
    (12) IHS       Indian Health Service
    (13) IHM       Indian Health Manual
    (14) ISA       Interconnection Security Agreement
    (15) ISSO      Information Systems Security Officer
    (16) IT        Information Technology
    (17) NIST      National Institute of Standards and Technology
    (18) OIT       Office of Information Technology
    (19) OMB       Office of Management and Budget
    (20) PII       Personally Identifiable Information
    (21) PHI       Protected Health Information
    (22) P.L.      Public Law
    (23) POA&M     Plan of Action and Milestones
    (24) RMF       Risk Management Framework
    (25) SA&A      Security Assessment and Authorization (formerly Certification and Accreditation [CA])
    (26) SAP       Security Assessment Plan
    (27) SAR       Security Assessment Report
    (28) SP        Special Publication
    (29) SSP       System Security Plan
  2. Definitions.
    1. Authorizing Official. A senior Federal official or executive with the authority to authorize (i.e., assume responsibility for) the operation of an information system, or the use of a designated set of common controls, at an acceptable level of risk to agency operations (including mission, functions, image, or reputation), agency assets, individuals, and other organizations.
    2. Business Owner. For the purpose of this policy, a business owner is the person from the business/mission segment with business/mission ownership or fiduciary responsibilities. This person is responsible for day-to-day business aspects related to the implementation of the information security program or system, such as budgeting, staffing, and organizational priorities. Business Owners can be designated for one or more information systems, which collectively support a business/mission process.
    3. Continuous Monitoring. Maintaining ongoing awareness of information security, vulnerabilities, and threats to support organizational risk decisions.
    4. Information System. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
    5. Risk Assessment. The process of identifying risks to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations resulting from the operation of an information system.

      As part of risk management, risk assessment incorporates threat and vulnerability analyses and considers mitigations provided by security and privacy controls planned or in place. Synonymous with risk analysis.

    6. Risk Management. The process of managing risks to organizational operations (including mission, functions, image, reputation), organizational assets, individuals, and other organizations resulting from the operation of an information system, which includes:
      1. The conduct of a risk assessment;
      2. The implementation of a risk mitigation strategy; and
      3. Employment of techniques and procedures for the continuous monitoring of the security state of the information system.
    7. Security (Control) Assessment. The testing and/or evaluation of the management, operational, and technical security controls in an information system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.
    8. Security Authorization. The official management decision given by a senior organizational official to authorize operation of an information system and to explicitly accept the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, individuals, and other organizations, based on the implementation of an agreed-upon set of security controls. Synonymous with ATO.
    9. Security Authorization Package. Documents the results of the security control assessment and provides the authorizing official with essential information needed to make a risk-based decision on whether to authorize operation of an information system or a designated set of common controls. The major components include: the system security and privacy plan; the security and privacy assessment report; and the plan of action and milestones.
    10. System Owner. For the purpose of this policy, a system owner is defined as the official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.

10-4.3  POLICY

In accordance with statutory, regulatory and Agency requirements, the IHS will regularly perform SA&As on every IHS system to ensure all systems are authorized to operate and capable of protecting the confidentiality, integrity, and availability of IHS data. The IHS must adhere to the SA&A standards developed in this chapter.

This policy governs the implementation of Manual Exhibit 10-04-A, "IHS Cybersecurity and Privacy Control Definitions: Security Assessment and Authorization Controls," and the related CA controls.

10-4.4  PROCEDURES

The security controls below (i.e., standards and risk factors) are used to safeguard and protect the confidentiality, integrity, and availability of IHS systems, networks, and information. These baseline measures establish the principles for SA&A and will be managed and monitored on an ongoing basis. Many of the security controls listed below apply to systems categorized as High-, Moderate-, and Low-impact, in terms of the effect a security compromise would have on the Agency's mission. Other controls apply only to Moderate- and/or High-impact systems. Manual Exhibit 10-04-A presents all of the NIST SP 800-53 CA controls with an overlay of IHS- and HHS-specific assignments and additions. Personnel should refer to Manual Exhibit 10-04-A to implement the complete set of CA controls. Some controls include control enhancements (c.e.'s) that are not specifically enumerated below. The c.e.'s are referenced for each procedure below and are specifically identified in Manual Exhibit 10-04-A, which is incorporated by reference into this policy.

The IHS will adhere to the following NIST SP 800-53 Rev. 4 control requirements:

  1. CA-1 Security Assessment and Authorization Policies and Procedures. The IHS CIO is responsible for ensuring the IHS meets Federal requirements to govern implementation of SA&A processes and associated security and privacy controls through the development of related policies, and procedures.
  2. CA-2 Security Assessments. The OIT DIS is responsible for ensuring independent security assessments are performed for every IT system, in accordance with NIST SP 800-37 and SP 800-53A. See Manual Exhibit 10-04-B, "Security Assessment Plan Template," for the IHS Security Assessment Plan (SAP) template, which contains options for assessment procedures.

    Moderate and High security and privacy categorized systems must also meet CA-2, c.e.1. If the system is categorized as High, see also CA-2, c.e.2 and c.e.3.

  3. CA-3 System Interconnections. The IHS Area Director, in cooperation with the Area ISSO, is responsible for requiring formal authorization for all connections to third-party information systems that reside outside of the IHS network and are owned, operated, and maintained by non-IHS entities. The IHS grants this authorization only through approved ISAs and in accordance with NIST SP 800-47.

    Each ISA must document the interface characteristics, security requirements, and the nature of the information communicated. ISAs must be reviewed and updated annually or when significant changes to the system occur. See Manual Exhibit 10-04-C, "IHS Security Agreement Summary Template," which identifies the required considerations for an interconnection. Note that ISAs are not intended to address the legal basis for disclosing information protected by Federal privacy law. The ISA program staff must coordinate with the Privacy Officer to ensure the applicable requirements of privacy laws are addressed prior to interconnection or data sharing when such activity involves PII/PHI. Moderate or High security categorized systems must also meet CA-3, c.e.5.

    Note: This control does not apply to cloud-based systems. Federal Risk and Authorization Management Program (FedRAMP) requirements are established for Federal use of cloud-based systems. These requirements and others are provided in the HHS Memorandum on Cloud Computing and FedRAMP Guidance (HHS intranet document; if it cannot be accessed, contact Cybersecurity@ihs.gov).

  4. CA-5 Plan of Action and Milestones. System Owners are responsible for ensuring a POA&M is developed as needed for their information systems, in accordance with the HHS Plan of Action and Milestones Standard (HHS intranet document; if it cannot be accessed, contact Cybersecurity@ihs.gov), in order to document planned remedial actions to reduce or eliminate known vulnerabilities.

    System Owners will update the milestones for addressing each deficiency at least quarterly and as warranted by the findings from security and privacy control assessments, risk assessments, and continuous monitoring activities. See Manual Exhibit 10-04-D, "IHS POA&M Template," which identifies the required details for documenting and tracking weaknesses and vulnerabilities.

  5. CA-6 Security Authorization. System owners will ensure each information system is authorized to operate before it enters production.

    The AO grants a system ATO based upon the recommendation of the Security Control Assessor. ATOs must be renewed at least every three years or when there is a significant change that is likely to affect the security and privacy state of the information system.

  6. CA-7 Continuous Monitoring. The IHS CISO will ensure that a continuous monitoring strategy is developed and documented and that a continuous monitoring program is implemented that employs, where possible, automated tools and mechanisms and includes:
    1. Specific security performance metrics established by OIT;
    2. Real-time monitoring of system logs, annual security assessments, and correlation and analysis of assessment and monitoring data by independent assessors;
    3. Necessary actions to respond to threats and incidents; and
    4. Security status briefings to the IHS CISO or their designee.

    All systems, IT devices, and components must be integrated into the continuous monitoring program and must be capable of generating system logs. Other specific IHS requirements for continuous monitoring can be found in the continuous monitoring procedures and will be further defined as government-wide continuous monitoring requirements are established.

    Moderate or High security categorized systems must also meet CA-7, c.e.1.

  7. CA-8 Penetration Testing. The OIT CSIRT will conduct penetration testing at least every two years on high-impact, high-profile, or high-risk systems or components, as identified by the IHS CIO, in accordance with NIST SP 800-115, Technical Guide to Information Security Testing and Assessment.

    User session information and other PII captured or recorded during penetration testing must be properly secured with relevant privacy controls.

  8. CA-9 Internal System Connections. The System Owner or Owners authorize internal connections of information system components (e.g., system connections to mobile devices, printers, and servers) prior to the connection being made. For each connection, document in the SSP the interface characteristics, security requirements, and the nature of the information communicated. For systems containing PII, also document privacy requirements related to collection authorities, compatibility for purpose and use, business need, and data protection.

    For more information about CA-9 Internal System Connections refer to Manual Exhibit 10-04-A, “IHS Cybersecurity and Privacy Control Definitions: Security Assessment and Authorization Controls.”

10-4.5  RESPONSIBILITIES

Key personnel responsible for implementing the SA&A requirements are described below:

  1. Director, IHS. The IHS Director is ultimately responsible for:
    1. Ensuring that the IHS conforms to applicable laws and regulations,
    2. Ensuring that IHS programs protect the privacy and security of IHS IT resources, and
    3. Ensuring availability of funding to adequately support security and privacy efforts.
  2. The IHS Chief Medical Officer. The Chief Medical Officer is responsible for:
    1. Oversight of IHS programs to ensure they conform to applicable laws and regulations,
    2. Overseeing IHS programs to ensure they meet requirements to protect the privacy and security of IHS IT resources, and
    3. Overseeing IHS budgeting processes to ensure the IHS makes available adequate funding to support security and privacy efforts.
  3. IHS Chief Information Officer. The Director, OIT, is designated as the IHS CIO and is delegated AO authority via the Administrative Delegation of Authority #52, Security of Information Technology Systems, which is filed and maintained consistent with applicable records management policies and procedures. The IHS CIO is responsible for:
    1. Designating the Chief Information Security Officer,
    2. Advising the IHS Director on security risk related matters, overseeing the management of the IHS IT security program,
    3. Ensuring the development and maintenance of cybersecurity policies that support IHS compliance with Federal and Departmental requirements,
    4. Ensuring the cybersecurity of all information stored, processed, or transmitted electronically, and the security and privacy of the associated IT resources,
    5. Ensuring all cybersecurity controls stated in Part 10, “Cybersecurity” are implemented on all IHS systems,
    6. Ensuring initial SA&A activities and ongoing Continuous Diagnostics and Mitigation activities are performed for all systems, and
    7. Ensuring all OIT staff are properly trained for their respective duties and providing oversight for the performance of OIT programs.
  4. IHS Chief Information Security Officer. The Director, Division of Information Security, serves as the Agency CISO and focal point to direct and oversee the Cybersecurity Program within the Agency. Designations must be in writing, filed, and maintained consistent with applicable records management policies and procedures. The IHS CISO is responsible for:
    1. Leading the IHS cybersecurity program and promoting proper cybersecurity and privacy practices,
    2. Monitoring, evaluating, and reporting, as required by statutory and regulatory provisions, to the CIO on the status and adequacy of the IHS cybersecurity programs administered by the Area Offices and service units,
    3. Ensuring initial SA&A activities and ongoing Continuous Diagnostics and Mitigation activities are performed for all major applications and systems,
    4. Ensuring a continuous monitoring strategy for all IHS systems is established and implemented, ensuring cybersecurity performance metrics are set for all IHS systems, and
    5. Advising the CIO on security risk related matters.
  5. Senior Agency Privacy Official. The IHS Senior Agency Privacy Official is responsible for:
    1. Coordinating with the DIS Review Board in reviewing waiver requests. Advising DIS staff on privacy concerns for waiver requests during the bi-weekly review board meetings,
    2. Reviewing assessments and recommending any changes regarding PII and PHI possible vulnerabilities, and
    3. Evaluating and assessing the privacy controls specified in Appendix J of NIST 800-53, Revision 4. Once the privacy controls have been evaluated and assessed, the Senior Agency Privacy Official will provide a recommendation for system authorization to the IHS CIO.
  6. Authorizing Official. The AO determines, based on IHS organizational priorities, the appropriate allocation of resources dedicated to the protection of the information systems supporting the organization's missions and business functions. The AO also issues security authorization decisions and formally assumes responsibility for operating an information system at an acceptable level of risk. In conjunction with the IHS Delegation of Authority, Administrative #52, the IHS CIO or the IHS CISO, as the Agency’s AO, is specifically responsible for:
    1. Ensuring each information system is properly assessed and authorized based on its environment of operation, security impact levels, and required security controls, and ensuring records are maintained for all information system authorizations under his/her purview,
    2. Reviewing the security authorization packages (including system security plans, security assessment reports, and other risk-related documents) and deciding whether or not to authorize a system for operation based on the residual risks associated with that system,
    3. Reviewing and approving system security plans, security agreements for interconnection and data sharing with business associates and Tribal partners, and POA&Ms as required,
    4. Determining the tolerable level of risk associated with operations of a system,
    5. Evaluating threats and vulnerabilities to information systems to determine the risk to organizational operations, assets, individuals, or other organizations. Based on this determination, the AO decides whether the risk is acceptable or additional safeguards are needed,
    6. Determining whether significant changes in the information systems or operating environment require re-authorization,
    7. Denying an ATO or halting operations for a system in the event an unacceptable risk exists,
    8. Reviewing the security status reports prepared by the CSIRT, ISSOs, and other responsible IT staff on an ongoing basis and determining whether the risk remains acceptable,
    9. Developing a continuous monitoring strategy and implementing a continuous monitoring program,
    10. Ensuring the security and privacy of all IHS information while it is being processed, transmitted, and/or stored electronically, and the security and privacy of the resources associated with these functions,
    11. Ensuring security and privacy controls are appropriately applied to the IHS systems for the protection of privacy and to ensure the confidentiality, integrity, and availability of information,
    12. Reviewing and signing all Agency SARs,
    13. Providing senior level governance and requirements for the entire RMF, and
    14. Short-term acceptance of risk through the security policy waiver process. When conditions exist that prevent compliance with a specific security and privacy policy a facility may submit a request for a temporary waiver or exception to the requirements of an IHS cybersecurity policy. The requestor must submit the waiver request in writing using the DIS Waiver Request Form found in Manual Exhibit 10-04-E, “Waiver Request Form.” Requests can be submitted to cybersecurity@ihs.gov.
  7. OIT Network Administrators. The enterprise IT administrators in the HQ Division of Information Technology Operations, Enterprise Technology Services, are responsible for design, management, support, auditing and reporting of enterprise HQ IT resources.

    The Enterprise Technology Services designs, configures, and manages Area/facility system environments and the entire enterprise client management environment.

  8. OIT Cybersecurity Incident Response Team. The CSIRT implements and manages the IHS Continuous Monitoring Program and responds to any incidents or alerts, and audits security controls on information systems. Additional CSIRT tasks include:
    1. Performing penetration testing, as appropriate,
    2. Reviewing system security plans,
    3. Providing continuous monitoring briefings, security status briefings to the IHS CIO or their designee, and
    4. Coordinating privacy breaches with the Privacy Act Officer.
  9. Area Information Systems Coordinator. The Area Information Systems Coordinator, in coordination with Area property officers, is responsible for ensuring ownership is assigned for all IT resources within the operating unit (i.e., hardware, software, data, telecommunications, etc.) located in their respective geographic location. In addition, Area Information Systems Coordinators, as well as Area Directors are responsible for authorizing security agreements and for ensuring ISAs are in place for all interconnections between external parties and IHS organizations within their Area.
  10. Information System Security Officers. The ISSOs are the Information Security Program advisors to the users and managers within their area of responsibility and are the main point of contact for implementing adequate cybersecurity requirements. The ISSOs are responsible for acting upon audit and logging reports and for ensuring systems are operated, maintained, and disposed of in accordance with security policies and procedures, as outlined in the security authorization package.

    In close coordination with the System Owner, the ISSOs play an active role in monitoring a system and its environment of operation, managing and controlling changes to the system, and assessing the security impact of those changes. In addition, ISSOs are specifically responsible for:

    1. Establishing and maintaining an up-to-date list of all IT systems within their area of responsibility. The ISSOs must review the systems at least annually to ensure that unnecessary functions, ports, protocols, and/or services have been restricted, and that only essential capabilities are being used,
    2. Acting as the central point of contact for SA&A of all IT systems within their area of responsibility, and ensuring that all security requirements are implemented during development of each system and prior to giving start up authorization,
    3. Supporting development and review of security documentation (SSPs, Security Agreements, POA&Ms, Risk Assessments, etc.) for all systems within their area of responsibility and ensuring all cybersecurity-related documentation for the system is current and accessible per established SA&A roles. This includes preparing the security authorization package for final approval initially, and every three years or when major changes occur to the system, whichever occurs first,
    4. Ensuring ISAs are developed and authorized for all interconnections between external parties and IHS organizations within their area of responsibility,
    5. Reviewing and commenting on individual system security plans and ensuring that all corrective actions are completed. Specific requirements for system security plans are contained in the SSP template; see NIST SP 800-18, Guide for Developing Security Plans for Federal Information Systems,
    6. Managing the development, execution, and maintenance of Interconnection Security Agreements, including liaising between Headquarters teams and the external party seeking the interconnection to ensure Privacy Act requirements are met, facilitating Area approvals, and executing the annual review and renewal process,
    7. Maintaining a tracking system of the above listed required security controls and authorization status for all IT systems within their area of responsibility,
    8. Ensuring contingency and disaster recovery plans are developed, kept up to date, and tested at least annually. Requirements for contingency and disaster recovery plans are contained in the Disaster Recovery Plan,
    9. Acting as the central point of contact for their area of responsibility for any type of IT-related incidents or violations, and investigating or initiating an investigation of any incident or violation. Maintaining records and reports in accordance with records management policies and regulations, and disseminating information on potential threats to System Owners,
    10. Assisting application managers and users in establishing and implementing the appropriate security safeguards as required in the HHS Information Security Policy and NIST 800-53 to protect hardware and data from improper use or abuse,
    11. Monitoring and assessing changes to the system, its environment, and operational needs that could affect the security authorization. If the change is considered significant to the security of the system, the ISSOs must notify appropriate personnel, including system stakeholders and the security control assessors,
    12. Ensuring enhancements to existing systems provide equivalent or improved security features and safeguards,
    13. Conducting periodic reviews of the information system to ensure it is deployed and operated in accordance with the agreed upon security controls, as documented in the SSP, and ensuring suitable corrective actions are taken when necessary, and
    14. Reviewing IT-related procurement specifications for hardware, software, or services to ensure they include adequate security requirements and/or specifications commensurate with the sensitivity of the system. Information Technology-related procurement matters will be coordinated with the Office of Management Services, Division of Acquisitions Policy.
  11. System Owner. The System Owner is designated by the CISO and has ultimate responsibility for the operation and success of the system and for addressing the operational interests of the user community (i.e., users who require access to the information system to satisfy a mission, business, or operational need). Designation must be in writing, filed, and maintained consistent with applicable records management practices and policies. System Owners ensure compliance with cybersecurity requirements in accordance with HHS and IHS policy, including ensuring the system(s) is officially authorized to operate. In coordination with the ISSO, the System Owner is specifically responsible for:
    1. Establishing a security categorization for the system,
    2. Selecting and implementing the security controls for the information system and documenting the controls in the security plan,
    3. Ensuring the development, maintenance, evaluation, and update of the system security plan on a regular basis. See Exhibit 10-04-B for the IHS “Security Assessment Plan” template,
    4. Working with the ISSO to initiate SA&A activities, ensuring that the necessary resources are available for the SA&A effort, and providing the required system access, information, and documentation to the security control assessor,
    5. Reviewing and signing approval on system security authorization package documentation, including the SAP and SAR,
    6. Developing a strategy for continuous monitoring of security controls,
    7. Ensuring that the system is deployed and operated in accordance with the agreed-upon security controls,
    8. Evaluating and authorizing all internal interconnections between their system and other IHS systems,
    9. Developing POA&Ms in response to findings and recommendations of the SAR,
    10. Addressing deficiencies noted in risk assessments, POA&Ms, and continuous monitoring activities,
    11. After mitigating or remediating vulnerabilities, assembling the security authorization package and submitting it to the Security Control Assessors for adjudication,
    12. Determining the security impact of proposed or actual changes to the system/environment,
    13. Implementing a decommissioning strategy, when needed, to remove the system from service,
    14. Overseeing activities related to procurement, funding, development, modification, operation, and maintenance of the information system in coordination with the Office of Finance and Accounting, and
    15. Ensuring that the system adheres to all Enterprise Performance Life Cycle requirements and acquisition processes in accordance with Federal law and HHS policy.
  12. Business Owner. The Business Owner is designated by the IHS CISO and provides input to System Owners regarding the security categorization, requirements, and controls for the systems where the information is processed, stored, or transmitted. Business Owners are specifically responsible for:
    1. Providing input to the System Owner regarding:
      1. Sensitivity of information under the System Owner’s purview;
      2. Impact levels associated with the confidentiality, integrity, and availability of the data, especially when additional security concerns suggest higher-than-the-baseline impact levels;
      3. Unique requirements for managing the data (e.g., incident response, information contamination to other systems/media, and unique audit requirements); and
      4. Whether foreign nationals may access the System Owner’s data.
    2. Reviewing and signing the SAP.
  13. Security Control Assessor. The security control assessor is an individual or group independent of the System Owner, who is responsible for conducting a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system. The required level of assessor independence is determined by the AO based on the specific conditions of the security control assessment. Security control assessors are specifically responsible for:
    1. Developing, reviewing, and approving a plan (the SAP) to assess security controls,
    2. Conducting a full assessment of the SSP to help ensure that the plan establishes a set of security controls for the information system that meets the NIST security requirements, to enable re-authorization every three years,
    3. Conducting, in accordance with the SSP, a comprehensive assessment of the management, operational, and technical security controls employed within or inherited by an information system to determine the extent to which they are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system,
    4. Evaluating threats and vulnerabilities to information systems to ascertain the need for additional safeguards,
    5. Reporting and recommending corrective actions to the System Owner to address identified vulnerabilities,
    6. Preparing the final SAR containing the findings from the assessment, and submitting it to the System Owner and AO for review and approval,
    7. Assessing the severity of weaknesses or deficiencies discovered in the information system and its operating environment, and documenting all identified risks in the IHS POA&Ms,
    8. Reviewing POA&Ms to ensure identified weaknesses are documented, and that planned mitigation strategies and timelines are acceptable and on track. Assessors also provide recommendations to the AO regarding matters related to the POA&M,
    9. Finalizing all necessary security assessment documentation for the security authorization package, gaining the System Owner’s signature on the security authorization package, and submitting the package to the AO with recommendations for security authorization,
    10. Assessing proposed changes to information systems, their environment of operation, and mission needs that could affect system authorization, and
    11. Assessing all technical, management, and operational security controls employed within and inherited by the information system, as defined by the SSP in accordance with NIST 800-53-based requirements for High-, Moderate-, and Low-impact systems, which are described in this policy. At the time of this writing NIST 800-53 is on revision 4. As future versions of NIST 800-53 are released the IHS Cybersecurity policies will be updated.