Administration for Children and Families
U.S. DEPARTMENT OF HEALTH AND HUMAN
|1. Log No.: OISM-IM-93-1||2. Issuance Date: October 1, 1992|
|3. Originating Office: Children's Bureau|
|TO:||State Public Assistance, Child Support Enforcement and Medicaid Agencies and other interested parties.|
|Subject:||ADP System Security Requirements and Review Process - Federal Guidelines|
|Related References:||45 CFR Part 95, Subpart F, Section 95.621|
|Purpose:||In order to assist States in meeting the security requirements of 45 CFR Part 95, DHHS is attaching a guidance document which provides a description of what we consider appropriate for a State to address in its written security summary of findings and determination of compliance with Part 95 requirements. This information is intended as guidance and is not to be used as an outline or checklist. Each State's security program is unique, possessing features necessitated by singular data processing environments.|
State public assistance agencies are responsible for the security of all developmental or operational Federally funded automatic data processing (ADP) systems. These systems are subject to the provisions of 45 CFR Part 95, Subpart F.
On February 7, 1990, the Department of Health and Human Services (DHHS) published final rules at 45 CFR Part 95, Subpart F and the Department of Agriculture, Food and Nutrition Service (FNS), published final rules at 7 CFR Part 277 in the Federal Register. See 55 FR 4364. These regulations became effective on May 8, 1990, and included new provisions for establishing minimum standard requirements for the security of systems used to administer programs covered under these rules.
State Responsibility to Establish ADP Security Program
Under 45 CFR 95.621 each State is responsible for the security of all ADP projects under development and all operational systems used by State and local governments to administer programs covered under 45 CFR Part 95, Subpart F. This regulation requires that State agencies shall (1) determine the appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information processing; (2) implement appropriate security requirements; (3) establish a security plan and, as appropriate, policies and procedures to address the areas of ADP security at 95.621(f)(2)(ii); (4) establish and maintain a program for conducting periodic risk analyses; and (5) conduct a biennial ADP system security review of installations involved in the administration of DHHS programs which, at a minimum, includes an evaluation of physical and data security operating procedures, and personnel practices. This requirement applies to all ADP systems used by State and local governments to administer programs covered under 45 CFR Part 95, Subpart F.
On January 10, 1991, the former Family Support Administration (FSA) and the Food and Nutrition Service (FNS) jointly issued Action Transmittal FSA-AT-91-2. That Action Transmittal established that biennial reviews for existing systems must be completed and reported to DHHS and FNS by October 1, 1992 and every two years thereafter.
State Responsibility to Conduct Biennial ADP System Security Review
The biennial reviews for existing systems must be completed and reported to DHHS and FNS by October 1, 1992 and every two years thereafter. For new ADP applications, reviews must be conducted upon implementation and every two years thereafter. After completing the required biennial ADP system security review, Heads of State agencies must provide a written summary of findings and a determination of compliance with the Part 95 ADP security requirements. In their reports to DHHS and FNS, States must include written summaries of their ADP security programs and action plans with the scheduled dates of milestones which, when the appropriate safeguards are properly implemented, will protect against identified threats. States also must certify compliance of their ADP Security Program in the following areas:
Funding for ADP security will generally be available at the regular administrative cost for operating State and local systems to administer programs covered under 45 CFR Part 95, Subpart F. As an exception, however, the statutes authorizing enhanced funding, sections 454(16)(c) and 402(a)(30) of the Social Security Act, specifically reference security as a requirement of the State. For example, these requirements are addressed within the review and approval of a FAMIS APD and enhanced funding will be provided for those automated procedures related to the security of this system.
Additional information on computer systems security can be obtained from sources such as the Computer Security Institute, Datapro Research Corporation, and the Information Systems Officers Association. Additionally, the National Institute of Standards and Technology (NIST) "Publications List 91" may prove helpful. A copy of this list is attached to FSA-AT-91-2 dated January 10, 1991. It provides instructions for ordering specific publications from the U.S. Government Printing Office and the National Technical Information Service.
DHHS has already received some submissions and requests for clarification from States. It is the intent of this Information Memorandum to respond to requests from States for technical assistance in order to meet ADP systems security requirements. We have attached a guidance document that you may find useful when conducting reviews and preparing written summaries.
As this is the first time that State and local government entities have reported biennial reviews in accordance with this new regulation, we anticipate that the reports to HHS will be varied and informative. HHS welcomes any and all comments from State and local governments concerning this Information Memorandum and its attachment.
|Mail Plans To:||Ms. Naomi B. Marr, Director
Office of Information Systems Management
Administration for Children and Families, DHHS
Washington, D.C. 20447
|Telephone Inquiries To:||Jaren Doherty
Administration for Children and Families