1913 System and Communications Protection Policy
Department of Human Services
Index: POL1913
Revised: 06/02/2025
Next Review: 06/02/2027
Subject: DHS Information Security Policies
Policy
This policy establishes the Enterprise System and Communications Protection Policy for managing risks from vulnerable system configurations, denial of service, data communication and transfer through the establishment of an effective System and Communications Protection program. The system and communications protection program helps DHS implement security best practices with regard to system configuration, data communication and transfer.
Authority
- United States Department of Commerce National Institute for Standards and Technology (NIST)
- United States Internal Revenue Service
- United States Department of Health & Human Services, Administration for Children and Families (ACF), Office of Child Support Services (OCSS)
- United States Department of Health & Human Services, Centers for Medicare & Medicaid Services (CMS)
- Georgia Technology Authority
- Social Security Administration
- Federal Bureau of Investigation (Criminal Justice Information Services)
References
- Centers for Medicare & Medicaid Services, Volume II: Minimum Acceptable Risk Standards for Exchanges
- Social Security Administration (“SSA”) Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration (“TSSR”)
- ACF/OCSS Security Agreement
Applicability
The scope of this policy is applicable to all Information Technology (IT) resources owned or operated by DHS. Any information, not specifically identified as the property of other parties, that is transmitted or stored on DHS IT resources (including email, messages, and files) is the property of DHS. All users (DHS employees, contractors, vendors, or others) of IT resources are responsible for adhering to this policy.
Responsibilities
DHS shall adopt the System and Communications Protection principles established in the NIST SP 800-53 “System and Communications Protection” control family guidelines as the official policy for this domain. The following subsections outline the System and Communications Protection standards that constitute DHS policy. Each DHS Business System is bound to this policy and shall develop or adhere to a program plan that demonstrates compliance with the standards documented here.
SC-1 System and Communications Protection Procedures
- Develop, document, and disseminate to designated agency personnel:
  - All organizational level system and communications protection policy that:
    - Addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and
    - Is consistent with applicable laws, executive orders, directives, regulations, policies, standards, and guidelines; and
  - Procedures to facilitate the implementation of the system and communications protection policy and the associated controls.
- Designate an agency official to manage the development, documentation, and dissemination of the system and communications protection policy and procedures; and
- Review and update the current system and communications protection control:
  - Policy every one (1) year (or if there is a significant change); and
  - Procedures every one (1) year (or when there is a significant change).
SC-2 Application Partitioning
Separate user functionality, including user interface services, from system management functionality.
SC-4 Information in Shared Resources
Prevent unauthorized and unintended information transfer via shared system resources.
SC-5 Denial of Service Protection
- Protect against the effects of the following denial-of-service event types: at a minimum, Internet Control Message Protocol (ICMP) flood, SYN flood, slowloris, buffer overflow attack, and volume attack; and
- Employ appropriate controls to achieve the denial-of-service objective. The Agency business unit leadership will consult with managed network service providers as appropriate to determine specific controls and types of denial-of-service events that will be addressed.
SC-5 (1) Restrict Ability to Attack Other Systems
Restrict the ability of individuals to launch the following denial-of-service attacks against other systems: organization-defined denial-of-service attacks.
SC-5 (2) Capacity, Bandwidth, and Redundancy
Manage capacity, bandwidth, or other redundancy to limit the effects of information flooding denial-of-service attacks.
SC-5 (3) Detection and Monitoring
- Employ organization-defined monitoring tools to detect indicators of denial-of-service attacks against, or launched from, the system; and
- Monitor organization-defined system resources to determine if sufficient resources exist to prevent effective denial-of-service attacks.
SC-7 Boundary Protection
- Monitor and control communications at the external managed interfaces to the system and at key internal managed interfaces within the system;
- Implement subnetworks for publicly accessible system components that are physically and logically separated from internal organizational networks; and
- Connect to external networks or systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security and privacy architecture.
SC-7 (4) External Telecommunications Services:
- Implement a managed interface for each external telecommunication service;
- Establish a traffic flow policy for each managed interface;
- Protect the confidentiality and integrity of the information being transmitted across each interface;
- Document each exception to the traffic flow policy with a supporting mission or business need and duration of that need;
- Review exceptions to the traffic flow policy at a minimum quarterly and remove exceptions that are no longer supported by an explicit mission or business need;
- Prevent unauthorized exchange of control plane traffic with external networks;
- Publish information to enable remote networks to detect unauthorized control plane traffic from internal networks; and
- Filter unauthorized control plane traffic from external networks.
SC-7 (5) Deny by Default – Allow by Exception:
Deny network communications traffic by default and allow network communications traffic by exception on information systems where CUI is accessed, processed, stored, or transmitted.
SC-7 (7) Prevent Split Tunneling for Remote Devices:
Prevent split tunneling for remote devices connecting to organizational systems unless the split tunnel is securely provisioned using the following:
- Individual users shall not have the ability to configure split tunneling.
- Auditing must be performed semi-annually on each workstation with split tunneling enabled. Auditing must include confirming that:
  - Only those users authorized for split tunneling have it enabled in their user profile or policy object;
  - There is a continued need for split tunneling for the user; and
  - Only the correct and authorized split tunneling configurations are present on the workstation.
- Host Checking is enabled and configured on the VPN server to:
  - Ensure the OS is supported;
  - Ensure that anti-malware is installed and up to date;
  - Ensure the most current hotfixes are applied; and
  - Check agency-defined additional parameters.
SC-7 (8) Route Traffic to Authenticated Proxy Servers:
Route internal communications traffic to external networks through authenticated proxy servers at managed interfaces.
SC-7 (9) Restrict Threatening Outgoing Communications Traffic:
- Detect and deny outgoing communications traffic posing a threat to external systems; and
- Audit the identity of internal users associated with denied communications.
SC-7 (10) Prevent Exfiltration:
- Prevent the exfiltration of information; and
- Conduct exfiltration tests at least semi-annually.
SC-7 (11) Restrict Incoming Communications Traffic:
Only allow incoming communications from agency-defined authorized sources to be routed to agency-defined authorized destinations.
SC-7 (12) Host-Based Protection:
Implement firewalls, Host Intrusion Prevention Systems (HIPS), and Host Intrusion Detection Systems (HIDS) at access points and on end user equipment as appropriate.
SC-7 (15) Networked Privileged Accesses:
Route networked, privileged accesses through a dedicated, managed interface for purposes of access control and auditing.
SC-7 (18) Fail Secure:
Prevent systems from entering unsecure states in the event of an operations failure of a boundary protection area.
SC-7 (24) Personally Identifiable Information
For systems that process Personally Identifiable Information (CUI):
- Apply the following processing rules to data elements of CUI: processing rules for compliance with ACA, Privacy Act, and other applicable CUI processing laws and regulations;
- Monitor for permitted processing at the external interfaces to the system and at key internal boundaries within the system;
- Document each processing exception; and
- Review and remove exceptions that are no longer supported.
SC-7 (29) Separate Subnets to Isolate Functions
Implement physically or logically separate subnetworks to isolate organization-defined critical system components and functions.
IRS.1:
Agencies shall implement and manage boundary protection (typically using firewalls) at trust boundaries. Each trust boundary shall be monitored and communications across each boundary shall be controlled.
IRS.2:
Agencies must block known malicious sites (inbound or outbound), as identified to the agency from US-CERT, MS-ISAC or other sources, at each Internet Access Point (unless explicit instructions are provided to agencies not to block specific sites). Blocking is to be accomplished within two business days following release of such sites.
SC-8 Transmission Confidentiality and Integrity
Protect the confidentiality and integrity of transmitted information.
SC-8 (1) Cryptographic Protection:
Implement cryptographic mechanisms to prevent unauthorized disclosure of information and detect changes to information during transmission.
SC-10 Network Disconnect
Terminate the network connection associated with a communications session at the end of the session or after 30 minutes of inactivity.
SC-12 Cryptographic Key Establishment and Management
The agency must establish and manage cryptographic keys when cryptography is employed within the system in accordance with the following key management requirements: NIST SP 800-57, Recommendation for Key Management, for key generation, distribution, storage, access, and destruction.
SC-13 Cryptographic Protection
- Determine the cryptographic uses; and
- Implement the following types of cryptography required for each specified cryptographic use: the latest FIPS 140 validated encryption mechanism; TLS configured per NIST SP 800-52, Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations; and encryption in transit (payload encryption). Use of SHA-1 for digital signatures is prohibited.
SC-15 Collaborative Computing Devices
- Prohibit remote activation of collaborative computing devices and applications with the following exceptions: users are notified by signage of the presence of such devices; and
- Provide an explicit indication of use to users physically present at the devices.
SC-17 Public Key Infrastructure Certificates
- Issue public key certificates under an agency-defined certificate authority or obtain public key certificates from an approved service provider; and
- Include only approved trust anchors in trust stores or certificate stores managed by the organization.
SC-18 Mobile Code
- Define acceptable and unacceptable mobile code and mobile code technologies; and
- Authorize, monitor, and control the use of mobile code within the system.
SC-20 Secure Name/Address Resolution Service (Authoritative Source)
- Provide additional data origin authentication and integrity verification artifacts along with the authoritative name resolution data the system returns in response to external name/address resolution queries; and
- Provide the means to indicate the security status of child zones and (if the child supports secure resolution services) to enable verification of a chain of trust among parent and child domains, when operating as part of a distributed, hierarchical namespace.
SC-21 Secure Name/Address Resolution Service (Recursive or Caching Resolver)
Request and perform data origin authentication and data integrity verification on the name/address resolution responses the system receives from authoritative sources.
SC-22 Architecture and Provisioning for Name/Address Resolution Service
Ensure the systems that collectively provide name/address resolution service for an organization are fault-tolerant and implement internal and external role separation.
SC-23 Session Authenticity
Protect the authenticity of communications sessions.
SC-23 (1) Invalidate Session Identifiers at Logout:
Invalidate session identifiers upon user logout or other session termination.
SC-28 Protection of Information at Rest
Protect the confidentiality and integrity of the following information at rest:
- Controlled Unclassified Information; and
- IT System-related information (e.g., configurations, rule sets).
Evaluation
The Office of Information Technology (OIT), upon recommendation of the DHS Chief Information Security Officer (CISO), evaluates this policy annually by:
- Comparing its content and intent to evolving regulatory compliance standards imposed upon the Agency, such as IRS 1075, NIST 800-53, and CMS MARS-E.
- Addressing any deficiencies or gaps discovered during periodic audits conducted by Georgia DOAA or other regulatory bodies, such as IRS, CMS, SSA, FBI, etc.