1911 Security Assessment and Authorization Policy

Department of Human Services
Online Directives Information System

Index:

POL1911

Revised:

06/02/2025

Next Review:

06/02/2027

Subject: DHS Information Security Policies

Policy

This policy establishes the Enterprise Security Assessment and Authorization Policy, for managing risks from inadequate security assessment, authorization, and continuous monitoring of company information assets through the establishment of an effective security planning program. The security planning program helps DHS implement security best practices with regards to enterprise security assessment, authorization, and continuous monitoring.

Authority

United States Department of Commerce National Institute for Standards and Technology (NIST)
United States Internal Revenue Service
United States Department of Health & Human Services – Administration of Children and Families (ACF), Office of Child Support Services (OCSS)
United States Department of Health & Human Services - Centers for Medicare & Medicaid Services (CMS)
Georgia Technology Authority
Social Security Administration
Federal Bureau Investigation (Criminal Justice Information Services)

References

United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-53 Security and Privacy Controls for Federal Information Systems and Organizations, Revision 5, September 2020
United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-100 “Information Security Handbook: A Guide for Managers” March 2007
United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-37 “Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy” Revision 2 December 2018
United States Department of Commerce National Institute for Standards and Technology (NIST) Special Publication 800-115 “Technical Guide to Information Security Testing and Assessment” September 2008
Georgia Technology Authority Enterprise Information Security Policy
United States Internal Revenue Service, IRS Publication 1075 Tax Information Security Guidelines For Federal, State and Local Agencies Safeguards for Protecting Federal Tax Returns and Return Information
Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
Criminal Justice Information Services Security Policy
ACF/OCSS - Security Agreement

Applicability

The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.

Definitions

Plan of Action and Milestones (POA&M): A POA&M is a remedial action plan (the process of accepting or resolving a risk) which helps the agency to identify and assess information system security and privacy weaknesses, set priorities, and monitor progress toward mitigating the weaknesses.

Responsibilities

DHS shall adopt the Security Assessment and Authorization principles established in NIST SP 800-53 “Security Assessment and Authorization,” Control Family guidelines, as the official policy for this domain. The following subsections outline the Security Assessment and Authorization standards that constitute this policy. Each DHS Business System is then bound to this policy and shall develop or adhere to a program plan which demonstrates compliance with the policy related to the standards documented.

CA-1 Security Assessment and Authorization Procedures

Develop, document, and disseminate to designated agency personnel:
1. All organizational level security assessment and authorization policy that:
  1. Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
  2. Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
2. Procedures to facilitate the implementation of the security assessment and authorization policy and the associated controls.
Designate an agency official to manage the development, documentation, and dissemination of the security assessment and authorization policy and procedures; and
Review and update the current security assessment and authorization control:
1. Policy every one (1) year (or if there is a significant change); and
2. Procedures every one (1) year, (or when there is a significant change).

CA-2 Control Assessments

Select the appropriate assessor or assessment team for the type of assessment to be conducted;
Develop a control assessment plan that describes the scope of the assessment including:
1. Controls and control enhancements under assessment;
2. Assessment procedures to be used to determine control effectiveness; and
3. Assessment environment, assessment team, and assessment roles and responsibilities;
Ensure the control assessment plan is reviewed and approved by the authorizing official or designated representative prior to conducting the assessment;
Assess the controls in the system and its environment of operation annually to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting established security and privacy requirements;
Produce a control assessment report that document the results of the assessment; and
Provide the results of the control assessment within thirty (30) days after its completion in writing, to agency’s Authorizing Official (AO) or the Authorizing Official Designated Representative responsible for the system and personnel responsible for reviewing the assessment documentation, and updating system security documentation where necessary to reflect any changes to the system.

CA-2 (1) Independent Assessors:

Employ independent assessors or assessment teams to conduct control assessments.

CA-3 Information Exchange

Approve and manage the exchange of information between the system and other systems using Interconnection Security Agreements (ISAs),information exchange security agreements, memoranda of understanding or agreement (MOU/MOA), service level agreements (SLA), user agreements, nondisclosure agreements (NDA), or other exchange agreement.
Document, as part of each exchange agreement, the interface characteristics, security and privacy requirements, controls, and responsibilities for each system, and the impact level of the information communicated; and
Review and update the agreements at least every one (1) year;
Document an Organization-specific data flow diagram that shows how CUI data is transmitted to the organization.

CA-5 Plan of Action and Milestones

Develop a plan of action and milestones for the system to document the planned remediation actions of the agency to correct weaknesses or deficiencies noted during the assessment of the controls and to reduce or eliminate known vulnerabilities in the system; and
Update existing plan of action and milestones on a quarterly basis, at a minimum, based on the findings from control assessments, independent audits or reviews, and continuous monitoring activities.

IRS.1:

Agencies must ensure that the individual and/or office responsible for correcting each weakness is identified in the appropriate POA&M.

IRS.2:

Agencies must enter all new weaknesses into appropriate POA&Ms within two (2) months for weaknesses identified during assessments.

CA-6 Authorization

Assign a senior official as the authorizing official for the system;
Assign a senior official as the authorizing official for common controls available for inheritance by organizational systems;
Ensure that the authorizing official for the system, before commencing operations:
1. Accepts the use of common controls inherited by the system; and
2. Authorizes the system to operate;
Ensure that the authorizing official for common controls authorizes the use of those controls for inheritance by organizational systems;
Update the authorizations whenever there is a significant change to the system, or every three (3) years, whichever occurs first.

CA-7 Continuous Monitoring

Develop a system-level continuous monitoring strategy and implement continuous monitoring in accordance with the organization-level continuous monitoring strategy that includes:

Establishing the following system-level metrics to be monitored based on the organization security and privacy goals and in accordance with the organization-level continuous monitoring strategy;
Establishing at least once a month scans for operating system, databases, and web applications for monitoring and no less than at least every one (1) year for assessment of control effectiveness;
Ongoing control assessments in accordance with the continuous monitoring strategy;
Ongoing monitoring of system, organization-defined metrics, and Social Security Administration (SSA) data security controls in accordance with the continuous monitoring strategy;
Correlation and analysis of information generated by control assessments and monitoring;
Response actions to address results of the analysis of control assessment and monitoring information; and
Reporting the security and privacy status of the system to agency-defined personnel monthly, at a minimum.

CA-7 (1) Independent Assessors:

Employ independent assessors assessment teams to monitor the controls in the system on an ongoing basis.

CA-7 (4) Risk Monitoring:

Ensure risk monitoring is an integral part of the continuous monitoring strategy that includes the following:

Effectiveness monitoring;
Compliance monitoring; and
Change monitoring.

CA-8: Penetration Testing

Conduct penetration testing every one (1) year on the CUI environment or system components as agreed with the penetration testers in the Rules of Engagement.

CA-8(1): Independent Penetration Agent or Team

The organization employs an independent penetration agent or penetration team to perform penetration testing on the information system or system components.

CA-9: Internal System Connections

Authorize internal connections of information system components or classes of components to the system;
Document, for each internal connection, the interface characteristics, security and privacy requirements, and the nature of the information communicated;
Terminate internal system connections after issuance of an order by the organization’s Chief Information Officer (CIO), Chief Information Security Officer (CISO), or senior privacy official and when such internal system connections no longer support the organization’s missions or business functions; and
Review annually the continued need for each internal connection.

CA-9 (1) Compliance Checks:

Perform security and privacy compliance checks on constituent system components prior to the establishment of the internal connection.

History

Date

Change

User

Version

Evaluation

The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:

Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as, IRS 1075, NIST 800-53, and CMS MARS-E.
Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as, IRS, CMS, SSA, FBI, etc.