Part 10, Chapter 4: Manual Exhibit 10-4-A

Indian Health Service
Cybersecurity and Privacy Control Definitions
Security Assessment and Authorization Controls

National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Revision 4, “Security and Privacy Controls for Federal Information Systems and Organizations,” provides a catalog of security and privacy controls and control enhancements that must be implemented for federal information systems.

Many of these controls and enhancements include specific parameters which must be defined by federal agencies. The Department of Health and Human Services (HHS) has defined roughly 50 percent of these parameters in the HHS-Office of the Chief Information Officer Policy for Information Systems Security and Privacy (IS2P). HHS directs Operating Divisions to inherit these parameters and develop their own definitions for the remaining 50 percent.

The Indian Health Service (IHS) Cybersecurity and Privacy Control Definitions (CPCD) specifies the IHS-defined security control parameters in compliance with HHS direction. The Federal Risk and Authorization Management Program parameters specifically applicable to cloud systems are located at https://www.fedramp.gov/documents/.

The NIST 800-53, Rev 4 Security Assessment and Authorization (CA) family controls that were withdrawn or were not selected by HHS are not included in the table below. The NIST 800-53, Rev 4 controls are located at https://csrc.nist.gov/publications/detail/sp/800-53/rev-4/final.

Table columns: Control ID; Control Title; Control Description; IHS Minimum Requirement by System Category (Low, Moderate, High)

Security Assessment and Authorization (CA)

CA-1

Security Assessment and Authorization Policies and Procedures

IHS:

  1. Develops, documents, and disseminates to all IHS personnel (via IHS.gov websites) for IHS-wide policies/procedures, and to all system personnel for individual systems as required by the System Owner or designee:
    1. A Security Assessment and Authorization (SA&A) policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance (Note: IHS covers this control by establishing IHM Part 10, Cybersecurity); and
    2. Procedures to facilitate the implementation of the SA&A policy and associated security assessment and authorization controls; and
  2. Per IHM Part 1, Chapter 1, “Indian Health Service Manual System,” reviews the SA&A policy at least every two years and submits to the Division of Management Policy and Internal Control for revision when needed.
  3. Reviews the SA&A standard operating procedures at least every three years and updates the procedures when needed.

Low: Selected; Moderate: Selected; High: Selected

CA-2

Security Assessments

IHS:

  1. Develops a security assessment plan that describes the scope of the assessment, including:
    1. Security controls and control enhancements under assessment;
    2. Assessment procedures to be used to determine security control effectiveness; and
    3. Assessment environment, assessment team, and assessment roles and responsibilities;
  2. Assesses the security controls in the information system and its environment of operation within the scope of the assessment plan, as defined by the Authorizing Official (AO) or their representative, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security requirements;
  3. Produces a security assessment report that documents the results of the assessment; and
  4. Provides the results of the security control assessment to the Information Systems Security Officer, System Owner, and/or others designated by the System Owner, as well as all signees on the Security Assessment Report.

Low: Selected; Moderate: Selected; High: Selected

CA-2 c.e.1

Independent Assessors

IHS employs independent assessors or assessment teams with IHS-defined parameters of independence.

Note: The AO determines (i) the required level of assessor independence based on the security categorization of the information system and/or the ultimate risk to organizational operations and assets, and to individuals; and (ii) if the level of assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision.

Low: Not Selected; Moderate: Selected; High: Selected

CA-2 c.e.2

Specialized Assessments

IHS includes, as part of security control assessments, penetration testing at least once every two years, in compliance with CA-8.

Low: Not selected; Moderate: Not selected; High: Selected

CA-2 c.e.3

External Organizations

IHS accepts the results of an assessment of IHS information systems performed by a certified independent assessor when the assessment meets all Federal Information Security Modernization Act, Office of Management and Budget, Federal Information Processing Standards (FIPS), NIST, HHS, and IHS standards.

Low: Not selected; Moderate: Not selected; High: Selected

CA-3

System Interconnections

IHS:

  1. Authorizes connections to third-party information systems that reside outside the IHS network and are owned, operated, and maintained by non-IHS entities, only through the use of approved Interconnection Security Agreements (ISAs);
  2. Documents, for each interconnection with systems not on the federal network, the interface characteristics, security requirements, and the nature of the information communicated; and
  3. Reviews and, if necessary, updates ISAs at least every year and whenever significant changes are implemented that can affect the security state of the information system or that could impact the validity of the agreement.

Note: This control does not apply to cloud computing systems.

Low: Selected; Moderate: Selected; High: Selected

IHS also considers the following actions:

  • Obtain written authorization from management (e.g., AO or designated representative) before connecting to external information systems.
  • Consider that the terms and conditions of an ISA or data sharing agreement do not conflict with or otherwise contradict HHS and IHS information technology security and privacy policies, procedures, controls, and standards; applicable legislation, regulation, or guidance; or other contractual obligations.
  • Ensure that system interconnection channels are securely configured commensurate with the required level of confidentiality and integrity of the data being exchanged.
  • Obtain authorization from the external System Owner if the IHS organization intends to use, modify, or disclose the external system’s information in a manner not authorized by the agreement.

CA-3 c.e.5

Restrictions on External System Connections

IHS employs a deny-all, permit-by-exception (i.e., whitelisting) policy for allowing IHS information systems to connect to external information systems.

Low: Not selected; Moderate: Selected; High: Selected

CA-5

Plan of Action and Milestones

IHS:

  1. Develops a plan of action and milestones (POA&M) for the information system, in accordance with the HHS Standard for POA&M Management and Reporting, to document the IHS’s planned remedial actions to correct weaknesses or deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system; and
  2. Updates existing POA&Ms at least quarterly based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.

Low: Selected; Moderate: Selected; High: Selected

CA-6

Security Authorization

IHS:

  1. Assigns the Chief Information Officer (CIO) as the authorizing official for IHS information systems;
  2. Ensures that the authorizing official authorizes the information system for processing before commencing operations; and
  3. Updates the security authorization at least every three years or when there is a significant change that is likely to affect the security state of that information system.

Low: Selected; Moderate: Selected; High: Selected

CA-7

Continuous Monitoring

IHS develops a continuous monitoring strategy and implements a continuous monitoring program that includes:

  1. Establishment of specific metrics to be monitored based on IHS security goals and objectives, and in accordance with the basic requirements set forth in NIST SP 800-137;
  2. Establishment of real-time monitoring and at-least-annual assessments of monitoring procedures, based on IHS security goals and objectives supporting such monitoring;
  3. Ongoing security control assessments in accordance with the IHS-specific continuous monitoring strategy;
  4. Ongoing security status monitoring of IHS-defined metrics in accordance with the IHS-specific continuous monitoring strategy;
  5. Correlation and analysis of security-related information generated by assessments and monitoring;
  6. Response with actions to address results of the analysis of security-related information; and
  7. Reporting the security status of IHS and the information system to the CIO, or their designee(s).

Low: Selected; Moderate: Selected; High: Selected

CA-7 c.e.1

Independent Assessment

The Cybersecurity Incident Response Team performs scans on all networked devices on an ongoing basis. Areas will also employ independent assessors, assessment teams, and continuous monitoring data reviewers to monitor the IHS-defined security control parameters for IHS information systems.

Note: The AO determines (i) the required level of assessor independence based on the security categorization of the information system and/or the ultimate risk to IHS operations and assets, and to individuals; and (ii) if the level of assessor independence is sufficient to provide confidence that the assessment results produced are sound and can be used to make a credible, risk-based decision.

Low: Not Selected; Moderate: Selected; High: Selected

CA-8

Penetration Testing

IHS conducts penetration testing at least every two years on FIPS 199 high-impact, high-profile (e.g., public-facing or highly visible), or high-risk systems, as identified by the IHS AO.

Low: Not Selected; Moderate: Not Selected; High: Selected

CA-9

Internal System Connections

IHS:

  1. Authorizes internal connections of information system components, agreed to by the system owner or owners, prior to the connection being made to the information system; and
  2. System owners document, for each internal connection, the interface characteristics, security requirements, and the nature of the information communicated in the system security plan.

Note: This control applies to connections between IHS information systems and (separate) constituent system components (i.e., intra-system connections) including, for example, system connections with mobile devices, notebook/desktop computers, printers, copiers, facsimile machines, scanners, sensors, and servers.  The IHS can authorize each individual internal connection, or internal connections for a class of components (e.g., all digital printers, scanners, and copiers with a specified processing, storage, and transmission capability; or all smart phones with a specific baseline configuration).

Low: Selected; Moderate: Selected; High: Selected