Compliance Testing and Audit
HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT (HIPAA)
The U.S. Health Insurance Portability and Accountability Act of 1996 (HIPAA) consists of two sections.
HIPAA Title I mandates protection of health insurance coverage for people who lose or change jobs.
HIPAA Title II provides for administrative simplification, requiring the development of standards for the electronic exchange of health care information, the protection of the privacy of personal health information and the establishment of security requirements to protect that information.
SARBANES–OXLEY ACT (SOX)
The Sarbanes–Oxley Act, also known as the 'Public Company Accounting Reform and Investor Protection Act' (in the Senate) and the 'Corporate and Auditing Accountability and Responsibility Act' (in the House) and commonly called Sarbanes–Oxley, Sarbox or SOX, is a United States federal law enacted on July 30, 2002, which set new or enhanced standards for all U.S. public company boards, management and public accounting firms.
FEDERAL ACQUISITION CYBERSECURITY GUIDANCE (OMB) AND NIST SP 800-171
In early 2015 the Federal Chief Information Officers (CIO) Council and the Chief Acquisition Officers (CAO) Council created a working group to review current contract clauses and information technology (IT) acquisition policies and practices around contractor and subcontractor information system security. This interagency group was composed of senior experts in acquisition, security, and contract management, and their recommendations are included in this guidance to Federal agencies on implementing strengthened cybersecurity protections in Federal acquisitions.
We released this proposed guidance for public feedback on the open source platform GitHub to signal transparency in Federal policymaking and to reach a broad audience of stakeholders to assist in further enhancing this guidance. Similar public feedback processes for other OMB initiatives have been very successful in engaging and obtaining the views of the technology and security communities. OMB’s goal in this period of public feedback was to allow for a better understanding of the perspectives of the broader community and to identify areas for improvement to make this guidance even more meaningful and effective.
The intent of the proposed guidance is to take major steps toward implementing strengthened cybersecurity protections in Federal acquisitions and therefore mitigating the risk of potential incidents in the future. This proposed guidance also describes steps that agencies should take to perform better business due diligence to support risk management throughout the entire lifespan of an outsourced capability.
In an effort to address this problem, the Department of Commerce's National Institute of Standards and Technology (NIST) has released a draft version of NIST Special Publication 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations.
The new NIST guidance is directed at contractors that already have information technology infrastructure and associated security policies and practices in place. The final version of Special Publication 800-171 will attempt to synthesize the federal government’s recommendations to ensure the confidentiality of sensitive federal information stored on contractor computers and information systems. Special Publication 800-171 is part of a three-part plan that will ultimately make these recommendations mandatory. The other parts include a rule proposed by the National Archives and Records Administration—currently under review by OMB—and the eventual adoption of a FAR clause that will apply the requirements of the NARA rule and Special Publication 800-171 to all federal contracts.
Special Publication 800-171 sets forth fourteen specific security objectives. In brief, these recommendations are:
- ACCESS CONTROL: Limit information system access to authorized users.
- AWARENESS AND TRAINING: Ensure that managers and users of organizational information systems are made aware of the security risks and ensure that personnel are adequately trained.
- AUDIT AND ACCOUNTABILITY: Create information system audit records to enable the reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual users can be traced to those users so that they can be held accountable for their actions.
- CONFIGURATION MANAGEMENT: Establish baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation); and establish security configuration settings for technology products.
- IDENTIFICATION AND AUTHENTICATION: Identify information system users and authenticate (or verify) the identities of those users as a prerequisite to allowing access.
- INCIDENT RESPONSE: Establish an operational incident-handling capability for organizational information systems; and track, document, and report incidents to appropriate authorities.
- MAINTENANCE: Perform periodic maintenance on organizational information systems; and provide effective controls on the tools and personnel used to conduct maintenance.
- MEDIA PROTECTION: Protect information system media containing CUI, both paper and digital; and limit access to CUI on information system media to authorized users.
- PHYSICAL PROTECTION: Limit physical access to organizational information systems, equipment, and the respective operating environments to authorized individuals.
- PERSONNEL SECURITY: Screen individuals prior to authorizing access to information systems containing CUI.
- RISK ASSESSMENT: Periodically assess the risk to organizational operations, assets, and individuals.
- SECURITY ASSESSMENT: Periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; develop and implement plans of action designed to correct deficiencies.
- SYSTEM AND COMMUNICATIONS PROTECTION: Monitor, control, and protect organizational communications (i.e., information transmitted or received by information systems).
- SYSTEM AND INFORMATION INTEGRITY: Identify, report, and correct information and information system flaws in a timely manner; and provide protection from malicious code.
Each recommendation contains a more detailed checklist of requirements that contractors will be able to use to meet the security objective. In many cases, the requirements and objectives will overlap with security processes that contractors already have in place.