1910 Planning Policy
Department of Human Services
Index: POL1910
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
To establish and implement policies and procedures that ensure proper planning controls for the information system, information technology resources, and any associated applications covered by federal, state, and all other applicable rules and regulations, including the requirements for establishing, documenting, reviewing, modifying, and terminating individuals' right of access. Critical to achieving this objective is the implementation of controls that address each of the requirements stated in this policy.
Authority
- United States Department of Commerce National Institute for Standards and Technology (NIST)
- United States Internal Revenue Service
- United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services – Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority
- Social Security Administration
- Federal Bureau of Investigation (Criminal Justice Information Services)
References
- Georgia Technology Authority Enterprise Information Security Policy
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
- Social Security Administration ("SSA") Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration ("TSSR")
- ACF/OCSS Security Agreement
Applicability
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.
Definitions
- Controlled Unclassified Information (CUI): information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended.
Responsibilities
DHS shall adopt the planning principles established in the NIST SP 800-53 "Planning" control family guidelines as the official policy for this domain. The following subsections outline the planning standards that constitute this policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the standards documented here.
PL-1 Security Planning Policy and Procedures
- Develop, document, and disseminate to designated agency personnel:
  - All organizational-level security planning policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the security planning policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the physical and environmental protection policy and procedures; and
- Review and update the current security planning control:
  - Policy every one (1) year (or if there is a significant change); and
  - Procedures every one (1) year (or when there is a significant change).
PL-2 System Security Plan and Privacy Plans
- The agency requires approved system security and privacy plans for all information systems that:
  - Are consistent with the organization's enterprise architecture;
  - Explicitly define the constituent system components;
  - Describe the operational context of the system in terms of mission and business processes;
  - Identify the individuals that fulfill system roles and responsibilities;
  - Identify the information types processed, stored, and transmitted by the system;
  - Provide the security categorization of the system, including supporting rationale;
  - Describe any specific threats to the system that are of concern to the organization;
  - Provide the results of a privacy risk assessment for systems processing personally identifiable information;
  - Describe the operational environment for the system and any dependencies on or connections to other systems or system components;
  - Provide an overview of the security and privacy requirements for the system;
  - Identify any relevant control baselines or overlays, if applicable;
  - Describe the controls in place or planned for meeting the security and privacy requirements, including a rationale for any tailoring decisions;
  - Include risk determinations for security and privacy architecture and design decisions;
  - Include security- and privacy-related activities affecting the system that require planning and coordination with authorized agency personnel; and
  - Are reviewed and approved by the authorizing official or designated representative prior to plan implementation;
- Distribute copies of the security and privacy plans and communicate subsequent changes to the plans to authorized agency personnel;
- Review the plans at a minimum annually (or as a result of a significant change);
- Update the plans to address changes to the system and environment of operation or problems identified during plan implementation or control assessments; and
- Protect the plans from unauthorized disclosure and modification.
PL-4 Rules of Behavior
- Establish and provide to individuals requiring access to the system the rules that describe their responsibilities and expected behavior for information and system usage, security, and privacy;
- Receive a signed acknowledgement from such individuals, indicating that they have read, understand, and agree to abide by the rules of behavior, before authorizing access to information and the information system;
- Review and update the rules of behavior at a minimum annually; and
- Require individuals who have acknowledged a previous version of the rules of behavior to read and re-acknowledge the rules when they are revised or updated.
PL-4 (1) Social Media and Networking Restrictions:
Include in the rules of behavior restrictions on:
- Use of social media, social networking sites, and external sites/applications;
- Posting organizational information on public websites; and
- Use of organization-provided identifiers (e.g., email addresses) and authentication secrets (e.g., passwords) for creating accounts on external sites/applications.
IRS.1:
Unless superseded by centrally-issued cross-agency policy, establish usage restrictions and implementation guidance for using Internet-supported technologies (e.g., instant messaging) based on the potential for these technologies to cause damage or disruption to the information system or the agency's accomplishment of its mission. Document the use of Internet-supported technologies.
PL-8: Security and Privacy Architectures
- Develop security and privacy architectures for the system that:
  - Describe the requirements and approach to be taken for protecting the confidentiality, integrity, and availability of organizational information;
  - Describe the requirements and approach to be taken for processing personally identifiable information to minimize privacy risk to individuals;
  - Describe how the architectures are integrated into and support the enterprise architecture; and
  - Describe any assumptions about, and dependencies on, external systems and services;
- Review and update the architectures at a minimum annually to reflect changes in the enterprise architecture; and
- Reflect planned architecture changes in security and privacy plans, Concept of Operations (CONOPS), criticality analysis, organizational procedures, and procurements and acquisitions.
PL-8 (1) Defense-In-Depth:
Design the security and privacy architectures for the system using a defense-in-depth approach that:
- Allocates system communication and other relevant controls to information systems processing, storing, and transmitting CUI; and
- Ensures that the allocated controls operate in a coordinated and mutually reinforcing manner.
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.
- Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as the IRS, CMS, SSA, and FBI.