Chapter 7 - Identification and Authentication
Part 10
Exhibit | Description
---|---
Exhibit 10-7-A | Cybersecurity and Privacy Control Definitions "Identification and Authentication Controls"
10-7.1 INTRODUCTION
- Purpose. The purpose of this chapter is to establish information technology system identification and authentication (IA) policies and procedures consistent with applicable statutory and regulatory requirements and guidelines. The IA procedures provided in this policy help minimize vulnerabilities in the Indian Health Service (IHS) data and information systems by controlling access to such data and systems to protect them against associated risks related to unintended access by unauthorized users.
The IA security control baselines that are included in this chapter will ensure the IHS information systems adhere to IA security requirements defined by the National Institute of Standards and Technology (NIST).
- Background. The IHS Information Technology (IT) infrastructure, network, systems, and applications face cybersecurity threats, vulnerabilities, and risks every day. Both external and internal threats that leverage computer access to exploit sensitive information can have a negative impact on the IHS mission, as well as the United States’ national and economic security. The IHS is therefore responsible for safeguarding the information that it collects, records, transmits, and manages in the performance of its mission. Due to the threats to Agency information, Federal requirements establish the conditions and rules under which the IHS IT systems and networks operate. These requirements ensure the confidentiality, integrity, and availability of the information. The IHS must reduce risk and minimize the potential impact on the IHS’s computing resources, data, funds, productivity, and reputation.
Authentication of user identity is accomplished at the information system level (i.e., at system logon) through the use of passwords, remote access tokens, personal identity verification (PIV) cards, biometrics, or, in the case of multifactor authentication, some combination thereof. In addition, similar identification and authentication mechanisms are employed at the application level, to provide increased information security for the organization when necessary. Scalability, practicality, and security threats are simultaneously considered in balancing the need to provide ease of use with the need to protect IHS operations, assets, and individuals.
In accordance with the NIST Special Publications (SPs) and security controls required by the Department of Health and Human Services (HHS) and the IHS, the IHS must establish electronic authentication mechanisms for system and application access for both local and remote users. The Office of Management and Budget (OMB) policy and the E-Government initiative for E-Authentication also stipulate that protecting nonpublic or privacy-related information may require authentication of public users of Federal information systems.
- Scope. This chapter applies to all IHS organizational components, including, but not limited to, Headquarters, Area Offices, and Service Units utilizing the IHS IT network and systems, as well as contractual relationships, involving the use of IHS IT resources. This includes all IHS systems and activities involving storage, transmission, and/or processing of IHS information using IT resources. This chapter pertains to activities related to implementing identification and authentication security control mechanisms, as conducted by staff in all the IHS office locations, or while teleworking, on travel, or at other off-site locations. Agency officials must apply this chapter to the identification and authentication mechanisms for systems owned and operated by or on behalf of the IHS, as they pertain to controlling access by contractor personnel, interns, externs, and other non-Government employees by incorporating such references into contracts, Security Agreements, and Memoranda of Understanding as conditions for using Government-provided IT resources.
- Authorities, Guidance, and Standards of Reference.
- Statutes and Regulations:
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Security Rule, 45 C.F.R. Parts 160 and 164
- The Privacy Act of 1974, as amended, 5 U.S.C. § 552a
- Federal Information Security Management Act, P.L. 107-347, Title III, 2002
- Federal Information Security Modernization Act, P.L. 113-283, 2014
- Office of Management and Budget (OMB) Circulars and Memorandum:
- Federal Information Processing Standards:
- National Institute of Standards and Technology:
- NIST SP 800-53, Security and Privacy Controls for Federal Information Systems and Organizations, 2015, as revised by NIST and required by HHS
- NIST SP 800-63-3, Digital Identity Guidelines, 2017, as revised by any successor guidance
- NIST SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing, 2017, as revised by any successor guidance
- NIST SP 800-63B, Digital Identity Guidelines: Authentication and Lifecycle Management, 2017, as revised by any successor guidance
- NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions, 2017, as revised by any successor guidance
- NIST SP 800-70, National Checklist Program for IT Products: Guidelines for Checklist Users and Developers, 2018, as revised by any successor guidance
- NIST SP 800-73-4, Interfaces for Personal Identity Verification, 2015, as revised by any successor guidance
- NIST SP 800-76-2, Biometric Specifications for Personal Identity Verification, 2013, as revised by any successor guidance
- NIST SP 800-78-4, Cryptographic Algorithms and Key Sizes for Personal Identity Verification, 2015, as revised by any successor guidance
- NIST SP 800-128, Guide for Security-Focused Configuration Management of Information Systems, 2011, as revised by any successor guidance
- Department of Health and Human Services Information Resources Management Policy:
- HHS Policy for Information Security and Privacy Protection, HHS-OCIO-OIS-2021-11-006, 2021 (available upon request from cybersecurity@ihs.gov)
- HHS Minimum Security Configuration Standards Guidance, October 5, 2017 (available upon request from cybersecurity@ihs.gov)
- Presidential Directives:
- Homeland Security Presidential Directive 12, Policy for a Common Identification Standard for Federal Employees and Contractors, 2004
- Guidance:
10-7.2 ACRONYMS AND DEFINITIONS
- Acronyms.
- Acronyms.
(1) ALT Alternate Logical Token
(2) c.e. Control Enhancement
(3) CISO Chief Information Security Officer
(4) FIPS Federal Information Processing Standards
(5) HHS Department of Health and Human Services
(6) IA Identification and Authentication
(7) IHM Indian Health Manual
(8) IHS Indian Health Service
(9) ISSO Information Systems Security Officer
(10) IT Information Technology
(11) NIST National Institute of Standards and Technology
(12) OIT Office of Information Technology
(13) OMB Office of Management and Budget
(14) PHI Protected Health Information
(15) PII Personally Identifiable Information
(16) PIV Personal Identity Verification
(17) PKI Public Key Infrastructure
(18) P.L. Public Law
(19) SP Special Publication
(20) SSN Social Security Number
- Definitions.
(1) ALT Card. A two-factor authentication mechanism for privileged users, which is used in addition to one's PIV card to provide logical access to an administrator account.
(2) E-Authentication. The process of establishing confidence in user identities electronically presented to an information system.
(3) Identification and Authentication. The information system uniquely identifies and authenticates system users (or processes acting on behalf of users) for all accesses.
(4) Information System. A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
(5) Multifactor Authentication. Authentication using two or more different factors to achieve authentication. Factors include, but are not limited to: (i) something you know (e.g., password/PIN); (ii) something you have (e.g., identification device, token); or (iii) something you are (e.g., biometric).
(6) Network Account. A digital identity for an information system user that is created and stored on a network server to provide access to resources across that network.
(7) Non-organizational User. A user who is not affiliated with the IHS (including public users).
(8) Organizational User. An IHS employee or an individual the IHS deems to have equivalent status of an employee including, for example, contractor, guest researcher, individual detailed from another organization. Policy and procedures for granting equivalent status of employees to individuals may include need-to-know, relationship to the organization, and citizenship.
(9) Public Key Infrastructure. A support service to the PIV system that provides the cryptographic keys needed to perform digital signature-based identity verification and to protect communications and storage of sensitive data within identity cards, ALT logic, and the verification system.
(10) Privileged Account. A user who, by virtue of function and/or seniority, has been allocated powers within the computer system that are significantly greater than those available to the majority of users.
(11) System Owner. For the purpose of this policy, a system owner is defined as the Agency official responsible for the overall procurement, development, integration, modification, or operation and maintenance of an information system.
In accordance with statutory, regulatory, and Agency requirements, the IHS IT systems and applications must employ automated mechanisms to identify and authenticate users. The specific Federal and Agency requirements for such IA mechanisms are enumerated in the Cybersecurity and Privacy Control Definitions for IA Controls, which is provided in the IHS Cybersecurity and Privacy Control Definitions Identification and Authentication Controls (Manual Exhibit 10-07-A).
The IHS must adhere to this chapter, which governs the implementation of the IA security controls and standards outlined in Manual Exhibit 10-07-A. (Note that this policy is not meant to meet the requirement of 45 CFR 164.514(d), which is a separate Role Based Access Control requirement.)
In accordance with Federal, departmental, and Agency requirements, the IHS IT systems and applications must employ automated mechanisms to identify and authenticate users.
The security controls below (i.e., standards and risk factors) are used to safeguard and protect the confidentiality, integrity, and availability of the IHS systems, networks, and information. These baseline measures establish principles for IA and will be managed and monitored on an ongoing basis. Many of the security controls listed below apply to systems categorized as High-, Moderate-, and Low-impact, in terms of the effect a security compromise would have on the Agency’s mission. Other controls apply only to Moderate- and/or High-impact systems. Manual Exhibit 10-07-A presents all of the federally required IA controls further specified and tailored to the unique organizational requirements of the IHS. Personnel should refer to Manual Exhibit 10-07-A to implement the complete set of IA controls. Some controls include enhancements (c.e.’s) that are not specifically enumerated below. The c.e.’s are referenced for each procedure below and are specifically identified in Manual Exhibit 10-07-A, which is incorporated by reference into this policy.
The IHS will adhere to the following NIST SP 800-53 Rev 4 control requirements:
- IA-1 Identification and Authentication Policy and Procedures. The IHS Chief Information Officer (CIO) is responsible for ensuring the IHS meets Federal requirements to govern implementation of IA processes and associated security and privacy controls through the development of this and other related policies such as those in Part 10 – Cybersecurity and the IHS Homeland Security Presidential Directive -12 Policy (Part 5 Chapter 30).
- IA-2 Identification and Authentication (Organizational Users). The System Owner ensures applicable systems and applications uniquely identify and authenticate IHS users.
In accordance with the IHS Homeland Security Presidential Directive – 12 policy (Part 5, Chapter 30):
- The IHS primarily utilizes a PIV card for multifactor authentications. The PIV cards are used for both local and remote access to the network by non-privileged accounts.
- The IHS employs multifactor authentication ALT cards with specific user parameters set by the System Administrators for both local and remote access to the network by privileged accounts.
- The IHS ensures systems accept and electronically verify PIV and ALT card credentials.
For remote access, the information system will enable multifactor authentication by a device that is independent of the system gaining access. That device must meet the requirements of OMB Memorandum 04-04, E-Authentication Guidance for Federal Agencies, and the Federal Information Processing Standards, or successor guidance.
Moderate and High security categorized systems must also meet IA-2, c.e.2, c.e.3, c.e.8, and c.e.11. If the system is categorized as High, see also IA-2, c.e.4 and c.e.9.
- IA-3 Device Identification and Authentication. Network administrators identify and authenticate applicable systems prior to establishing their connection to the network. Such systems must use shared information (media access control (MAC) or internet protocol (IP) address) and access control lists to control network access. If the system provides authentication, it must comply with OMB E-Authentication requirements.
- IA-4 Identifier Management. System Owners restrict the use of Social Security Numbers (SSN) or partial SSNs as system identifiers, and ensure access to or action involving PII or PHI is attributable to a unique individual.
The IHS must manage information system identifiers by executing each of the following actions:
- Receiving authorization from individuals responsible for account management to assign an individual, group, role, or device identifier;
- Selecting and assigning an identifier that identifies an individual, group, role, or device according to the respective systems account naming conventions;
- Preventing reuse of identifiers for three (3) years; and
- Disabling the identifier after the assigned time frame, as determined by system category, or local procedures by System Administrators.
- IA-5 Authenticator Management. System Administrators validate all PKI authentication requests using Online Certificate Status Protocol or Certificate Revocation List, to ensure that the certificate has not been revoked.
Per OMB E-Authentication requirements, the IHS must manage information system authenticators by:
- Verifying, as part of the initial authenticator distribution, the identity of the individual, group, role, or device receiving the authenticator;
- Establishing initial authenticator content;
- Ensuring that authenticators have sufficient strength of mechanism for their intended use, for example, password complexity or token quality requirements;
- Establishing and implementing administrative procedures for initial authenticator distribution (e.g., communicating passwords for encrypted files via a separate communication session rather than via the transmission of files themselves, such as sending one email with an encrypted file, and another email with the file password, etc.), for lost/compromised or damaged authenticators, and for revoking authenticators;
- Changing default content of authenticators prior to information system installation;
- Establishing minimum and maximum lifetime restrictions and reuse conditions for authenticators;
- Changing/refreshing authenticators at the following intervals:
- Passwords – no longer than every 60 days, immediately in the event of known or suspected compromise, and immediately upon system installation (e.g., default or vendor-supplied passwords);
- PIV Compliant Access Cards – no longer than every five (5) years and nine (9) months;
- PKI certificates issued in accordance with Federal PKI Common Policy – no longer than every three (3) years; and
- Timeframes for other authenticators specific to individual systems are determined locally by the respective System Owner.
- Protecting authenticator content from unauthorized disclosure and modification;
- Having devices implement specific security safeguards to protect authenticators, and requiring individuals, via the IHS Rules of Behavior, to take precautions to protect authentication methods; and
- Changing authenticators for group/role accounts when membership to those accounts changes.
The IHS systems must enforce requirements for password-, PKI-, and token-based authentication, per system category and Agency policy.
For additional requirements, see IA-5, c.e.1 and c.e.11. If the system is categorized as Moderate or High, see also IA-5, c.e.2 and c.e.3.
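The IA-4 identifier-reuse rule and the IA-5 refresh intervals above can be checked mechanically against an authenticator inventory. The following audit script is an added example, not IHS code or part of this chapter; the inventory, identifiers and audit date in it are constructed, and any authenticator kind whose interval the chapter leaves to the System Owner is rejected rather than guessed.

```python
"""Audit a constructed authenticator/identifier inventory against the
IA-4 and IA-5 intervals stated in this chapter (added example, not IHS code)."""
from datetime import date, timedelta

# Intervals taken from IA-4 and IA-5 of this chapter.
PASSWORD_MAX_DAYS = 60                 # passwords: no longer than every 60 days
PIV_MAX_YEARS, PIV_MAX_MONTHS = 5, 9   # PIV cards: five years and nine months
PKI_CERT_MAX_YEARS = 3                 # Federal PKI Common Policy certificates
IDENTIFIER_REUSE_YEARS = 3             # IA-4: no reuse of identifiers for 3 years


def add_months(d: date, months: int) -> date:
    """Return d shifted forward by `months`, clamping the day to the month length
    (so 31 Jan + 1 month gives 28/29 Feb rather than raising)."""
    y, m = divmod(d.month - 1 + months, 12)
    year, month = d.year + y, m + 1
    if month == 12:
        days_in_month = 31
    else:
        days_in_month = (date(year, month + 1, 1) - date(year, month, 1)).days
    return date(year, month, min(d.day, days_in_month))


def refresh_deadline(kind: str, issued: date) -> date:
    """Latest date by which an authenticator of `kind` must be changed."""
    if kind == "password":
        return issued + timedelta(days=PASSWORD_MAX_DAYS)
    if kind == "piv":
        return add_months(issued, PIV_MAX_YEARS * 12 + PIV_MAX_MONTHS)
    if kind == "pki":
        return add_months(issued, PKI_CERT_MAX_YEARS * 12)
    # Other authenticator lifetimes are set locally by the System Owner.
    raise ValueError(f"no chapter-defined interval for authenticator kind {kind!r}")


def overdue_authenticators(inventory, today: date, compromised=frozenset()):
    """Return the ids of authenticators that must be changed now.

    `inventory` is a list of (id, kind, issued_date). A known or suspected
    compromise forces an immediate password change regardless of age (IA-5)."""
    overdue = []
    for ident, kind, issued in inventory:
        if kind == "password" and ident in compromised:
            overdue.append(ident)
        elif refresh_deadline(kind, issued) < today:
            overdue.append(ident)
    return overdue


def identifier_reuse_violations(assignments, released):
    """IA-4: an identifier released on date R may not be reassigned before R + 3 years.

    `assignments` maps identifier -> date of (re)assignment; `released` maps
    identifier -> date it was last released from its previous user or device."""
    violations = []
    for ident, assigned in assignments.items():
        prev_release = released.get(ident)
        if prev_release is not None and assigned < add_months(prev_release, IDENTIFIER_REUSE_YEARS * 12):
            violations.append(ident)
    return violations


# Constructed sample inventory (not real IHS data): id, kind, date issued.
SAMPLE_INVENTORY = [
    ("svc-backup-pw", "password", date(2024, 1, 10)),  # older than 60 days
    ("jdoe-pw", "password", date(2024, 3, 20)),        # fresh, but reported compromised
    ("asmith-pw", "password", date(2024, 3, 25)),      # fresh
    ("jdoe-piv", "piv", date(2018, 6, 15)),            # 5y9m elapsed on 2024-03-15
    ("asmith-piv", "piv", date(2020, 1, 1)),           # 5y9m elapses 2025-10-01
    ("web01-pki", "pki", date(2021, 2, 28)),           # 3 years elapsed on 2024-02-28
]
SAMPLE_COMPROMISED = frozenset({"jdoe-pw"})
AUDIT_DATE = date(2024, 4, 1)

# Constructed identifier history: u12345 was released only ~20 months ago.
SAMPLE_ASSIGNMENTS = {"u12345": date(2024, 2, 1), "u67890": date(2024, 2, 1)}
SAMPLE_RELEASED = {"u12345": date(2022, 6, 30), "u67890": date(2020, 9, 1)}

if __name__ == "__main__":
    print("overdue:", overdue_authenticators(SAMPLE_INVENTORY, AUDIT_DATE, SAMPLE_COMPROMISED))
    print("reused too soon:", identifier_reuse_violations(SAMPLE_ASSIGNMENTS, SAMPLE_RELEASED))
```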
- IA-6 Authenticator Feedback. System Administrators ensure information systems obscure feedback of authentication information during the authentication process to protect the information from possible exploitation/use by unauthorized individuals. This may include displaying asterisks when users type passwords into input devices, or displaying feedback for a very limited time before fully obscuring it.
- IA-7 Cryptographic Module Authentication. System Administrators employ the necessary mechanisms suitable for authentication to a cryptographic module that meet the requirements of applicable Federal laws, Executive Orders, directives, policies, regulations, standards, and guidance for such authentication. This includes using a cryptographic module approved at any FIPS 140-3 level for systems processing or storing PII/PHI.
- IA-8 Identification and Authentication (Non-Organizational Users). System Administrators ensure applicable information systems uniquely identify and authenticate non-organizational users (or processes acting on behalf of non-organizational users), including Tribal entities, prior to allowing access to systems and networks. Use PIV or Common Access Control credentials or other Federal Identity, Credential, and Access Management approved path discovery and validation products for logical access authentication mechanisms. This control does not apply to information technology resources provided specifically for public consumption, such as public-facing webpages.
Related control enhancements for the IHS systems can be found in Exhibit 10-7-A. See IA-7, c.e.1 – 4.
Key personnel responsible for implementing the Identification and Authentication requirements are described below:
- Director, IHS. The IHS Director is ultimately responsible for:
- Ensuring that the IHS executes programs in conformance with applicable laws, regulations, and HHS identified NIST guidance;
- Ensuring that the IHS develops programs protecting the privacy and security of IHS IT resources; and
- Ensuring availability of funding to adequately support security efforts.
- Chief Medical Officer, IHS. The Chief Medical Officer is ultimately responsible for:
- Overseeing IHS IT resources and ensuring privacy and security of IHS IT systems;
- Overseeing IHS programs to ensure they meet requirements to protect the privacy and security of the IHS IT resources;
- Assuring the need for adequate funding to support security efforts is highlighted in the IHS budgeting processes; and
- Chief Information Officer, IHS. The Director, OIT, is designated as the IHS CIO and is delegated Authorizing Official (AO) authority by the IHS Director via the Administrative Delegation of Authority, #52, “Security of Information Technology Systems,” which is filed and maintained consistent with applicable records management policies and procedures. The IHS CIO is responsible for:
- Designating the Chief Information Security Officer;
- Advising the IHS Director on security risk related matters and overseeing the management of the IHS IT security program;
- Ensuring the development of cybersecurity policies that support the IHS compliance with Federal and Departmental requirements;
- Ensuring the cybersecurity of all information stored, processed, or transmitted electronically, and the security of the associated IT resources;
- Ensuring all cybersecurity controls stated in the Indian Health Manual, Part 10 – Cybersecurity are implemented on all IHS systems; and
- Ensuring all OIT staff are properly trained for their respective duties and providing oversight for the performance of OIT programs.
- IHS Chief Information Security Officer. The Director, Division of Information Security, OIT, is designated by the IHS Chief Information Officer as the CISO, and serves as the Agency focal point to direct and oversee the Cybersecurity Programs within the Agency. The CISO is responsible for assuring identification and authentication requirements are implemented and compliant with Federal mandates.
- Information System Security Officers. The ISSOs serve as the Cybersecurity Program main point of contact for cybersecurity guidance and support for the organizational unit or systems for which they are responsible. The ISSOs are responsible for:
- Implementing and enforcing cybersecurity policies and procedures;
- Responding to cybersecurity incidents, including reported system failures or attempts to gain unauthorized access, and escalating incidents as necessary to the Cybersecurity Incident Response Team;
- Maintaining cybersecurity documentation, such as system configuration plans, security authorization package documents and related artifacts, system guidelines and technical notes, local procedures, etc. Documentation will be maintained in accordance with the IHS Records Management Policy;
- Ensuring compliance monitoring and reporting is conducted for operating units and systems within their area of responsibility, and taking action to ensure compliance issues are resolved;
- Ensuring that all software, hardware, and firmware that creates, receives, maintains, or transmits IHS information is implemented in compliance with the security requirements in this policy and that they continue to comply with the security requirements throughout their lifecycle. ISSOs work with the OIT staff to support and maintain the identification and authentication program locally;
- Ensuring that all users have been appropriately approved for access prior to being provided digital identification and authentication mechanisms;
- Implementing the logical access requirements associated with Homeland Security Presidential Directive -12 within the organizational unit and systems for which they are responsible;
- Approving user requests for ALT cards for privileged users;
- Providing cybersecurity guidance and technical assistance to operating units tasked with analyzing, evaluating, and approving all identification and authentication mechanisms on systems for which they are responsible;
- Directing activities for identifier and authenticator management for systems for which they are responsible;
- Coordinating control reviews and evaluating the adequacy of technical IA controls for organizational units and systems for which they are responsible;
- Maintaining a tracking system and records concerning the implementation of required IA controls on IT systems for which they are responsible. This includes retaining training records and rules of behavior acceptance for privileged and non-privileged users, in accordance with the records management policy and PII security requirements;
- Ensuring an E-Authentication risk assessment is conducted in accordance with OMB Memorandum 04-04 to determine the appropriate IA security controls required for system authorization, as defined by the NIST 800-63, per the assessed risk;
- Monitoring changes in hardware, software, telecommunications, facilities, and user requirements to ensure security is not compromised or degraded; and
- Referring all incidents involving an identification and authentication security violation, such as theft of PIV cards or multifactor authentication mechanisms, sharing of credentials, breach of sensitive information, or violation of other cybersecurity policy to the IHS Cybersecurity Incident Response Team and the IHS Privacy Officer for investigation.
- System Owner. Ownership of responsibility for information and/or information processing resources may be assigned to an organization, a position, or a specific individual. The System Owner is responsible for addressing the operational interests of the user community and for ensuring compliance with information security requirements. The System Owner is specifically responsible for the following:
- Determining the sensitivity of the resources for which they are responsible;
- Determining the appropriate level of required physical, technical, and managerial security controls consistent with system categorization and all Federal laws, regulations, HHS and IHS directives;
- Ensuring the identification and authentication requirements of the system are maintained at an adequate level to protect the confidentiality, integrity, and availability of the system and data through regular system audits; and
- Monitoring compliance and periodically reevaluating previously specified levels of system and data sensitivity and protection.
- Director, Division of Personnel Security and Ethics. The Director, Division of Personnel Security and Ethics is responsible for initiating and adjudicating the appropriate completed background investigations for Federal employees and contractors.
- Director, Division of Administrative and Emergency Services. The Director, Division of Administrative and Emergency Services ensures that all background investigation requirements are completed through the Division of Personnel Security and Ethics prior to issuing a PIV card.
- Contracting Officer. Each Contracting Officer or his/her Contracting Officer’s Representative (COR) is responsible for the following:
- Ensuring compliance with all contractor clearance requirements;
- Ensuring contractors undergo appropriate access requests processes prior to gaining access to any system;
- Ensuring contractor staff demonstrate appropriate business needs prior to being granted remote access (e.g., Least Privilege);
- Ensuring contractor staff are provided appropriate identification and authentication mechanisms when accessing network resources.
- Supervisors. Supervisors are responsible for:
- Ensuring their employees are aware of and observe all the security requirements of the data, facilities, and hardware/software they use; and
- Ensuring compliance with all requirements for resource access, including the protection of credentials, completion of required trainings, and assurance of least privilege.
- Privileged Users. Users requiring privileged access as a matter of their job functions (e.g., domain administrators, network administrators, System Administrators and other users who have privileged access to one or more systems on the network) have elevated access and additional responsibilities for managing IHS user accounts and the organization's systems and data. Such users may be specifically responsible for:
- Establishing and managing authorized user accounts for systems, including configuring access controls to enable authorized access and removing authorizations when access is no longer needed;
- Administering user identification or authentication mechanisms for all systems, including network-enabled medical devices and other electronic equipment that contain IHS data;
- Coordinating with their ISSO to enable technical controls such as those that enforce password requirements, set permissions, perform security management functions, and coordinate or perform preventive and corrective maintenance for the system;
- Documenting and reporting any identified vulnerabilities to their ISSO immediately upon detection;
- Reporting to their ISSO all system failures or unauthorized attempts to gain access to the information system; and
- Completing role-based training related to privileged use and agreeing to the privileged user rules of behavior within 60 days of being granted privileged access to the system and annually thereafter.