
Department of Health and Human Services
Office of Information Security

Dr. Kevin Charest
Department of Health and Human Services
Chief Information Security Officer

Agenda

Establishment of a Governance Body - The HHS CISO Council

Building in Governance - The HHS Privacy Program

Applying the Governance Model to Enable Cloud Security


HHS consists of the Office of the Secretary (OS) and 10 decentralized Operating Divisions (OpDivs).

HHS Operating Divisions:

– ACF - Administration for Children & Families
– ACL - Administration for Community Living
– AHRQ - Agency for Healthcare Research & Quality
– CDC - Centers for Disease Control & Prevention
– CMS - Centers for Medicare & Medicaid Services
– FDA - Food & Drug Administration
– HRSA - Health Resources & Services Administration
– IHS - Indian Health Service
– NIH - National Institutes of Health
– SAMHSA - Substance Abuse & Mental Health Services Administration

Office of the Secretary:

– ASA - Assistant Secretary for Administration
– DAB - Departmental Appeals Board
– ASFR - Assistant Secretary for Financial Resources and Technology
– OGA - Office of Global Affairs
– ASH - Assistant Secretary for Health
– OIG - Office of Inspector General
– ASL - Assistant Secretary for Legislation
– OMHA - Office of Medicare Hearings and Appeals
– ASPE - Assistant Secretary for Planning and Evaluation
– ONC - Office of the National Coordinator for Health IT
– ASPR - Assistant Secretary for Preparedness and Response
– CFBNP - Center for Faith Based and Neighborhood Partnerships
– ASPA - Assistant Secretary for Public Affairs
– OGC - Office of the General Counsel
– OCR - Office for Civil Rights
– IEA - Intergovernmental and External Affairs

The HHS Office of Information Security (OIS) is under the purview of the Assistant Secretary for Administration.


Each Operating Division has a unique culture based on various missions, which drives their views on security and privacy

OpDiv, name and mission:

– ACF - Administration for Children & Families: ACF is responsible for 60+ programs that promote the economic and social well-being of children, families and communities, including TANF, Head Start, etc.

– ACL - Administration for Community Living: ACL serves to maximize the independence, well-being, and health of older adults, people with disabilities across the lifespan, and their families and caregivers.

– AHRQ - Agency for Healthcare Research & Quality: AHRQ supports research on health care systems, health care quality and cost issues, access to health care, and effectiveness of medical treatments.

– CDC - Centers for Disease Control & Prevention: CDC provides a system of health surveillance to monitor and prevent disease outbreaks (including bioterrorism), implement disease prevention strategies, and maintain national health statistics.

– CMS - Centers for Medicare & Medicaid Services: CMS administers the Medicare and Medicaid programs, which provide health care to almost one in every three Americans.

– FDA - Food & Drug Administration: FDA assures the safety of foods and cosmetics, and the safety and efficacy of pharmaceuticals, biological products, and medical devices.

– HRSA - Health Resources & Services Administration: HRSA provides access to essential health care services for people who are low-income, uninsured or who live in neighborhoods where health care is scarce.

– IHS - Indian Health Service: Working with tribes, IHS provides health services to 1.8 million American Indians and Alaska Natives of more than 560 federally recognized tribes.

– NIH - National Institutes of Health: NIH includes 27 separate health institutes and centers, supporting over 38,000 research projects nationwide. Established: 1887, as the Hygienic Laboratory, Staten Island, N.Y. Headquarters: Bethesda, Md.

– SAMHSA - Substance Abuse & Mental Health Services Administration: SAMHSA works to improve the quality and availability of substance abuse prevention, addiction treatment and mental health services.


The HHS Office of Information Security (OIS) oversees a decentralized information security environment

Vision

• An open, agile, and secure IT environment where security and privacy are a seamless component that enables HHS Programs and fosters transparency, economic growth, and scientific collaboration.

Mission

• To secure the Program by ensuring access to innovative technologies and thought leadership that enable Program objectives and allow HHS to provide better, more secure services to the public.

Establishment of a Governance Body

Establishment of a Governance Body - The HHS CISO Council

The HHS CISO Council provides a foundation for implementing information security governance under the current HHS operating model.

The CISO Council also:

– Addresses and evaluates the information security needs of the Department;

– Establishes a strategic vision and recommends operational actions that minimize the documentation of effort and ensure interoperability and transparency;

– Serves as a forum for reviewing risk-based decisions to improve the overall information security posture of HHS.

CISO Council Policy Collaboration Process

The policy collaboration process was developed to support the information security governance approach.

Goal: Use the CISO Council as a forum to build consensus and accelerate the policy review and approval process.

Intended Outcome: Policies are released into review that have already been vetted by authorized representatives of each OpDiv.

How the process works:

1. The policy is forwarded for CISO Council review two weeks prior to the CISO Council meeting.

2. The CISO Council reviews the draft policy documents and comes to the meeting with input for discussion.

3. During the CISO Council meeting, the CISO Council determines group input and reaches decisions on key points.

4. Updates to the policy are made based on the outcome of the CISO Council meeting.

5. The draft policy is released into the informal, preliminary review phase of the formal OCIO Policy Review Process.

Building Governance into the Program


The HHS Privacy Program has consistently aligned with the maturity of federal law and guidance to date

Federal law and guidance:

– Section 208, E-Government Act of 2002

– Section 522 of the Transportation, Treasury, Independent Agencies, and General Government Appropriations Act of 2005

– OMB M-06-22 and M-07-16, released in 2006 and 2007

– CIO Council, Privacy Sub-Committee: "Best Practices: Elements of a Federal Privacy Program" (2010)

– NIST 800-53, Appendix J: Privacy Controls, released 2013

HHS Privacy Program response:

– HHS creates a privacy workstream in response to the E-Government Act and OMB M-03-22.

– HHS CIO officially designated SAOP in response to M-05-08.

– HHS CIO creates the HHS PIRT to respond to incidents involving PII.

– HHS develops the Information Security and Privacy Policy and Handbook, implementing CIO Council best practices.

– HHS is in the process of conducting a compliance gap analysis and updating HHS policy to reflect Appendix J.

The new HHS Privacy Policy identifies responsibilities for the SAOP and Privacy Practitioners throughout the Department

The following are the primary oversight activities of the HHS SAOP:

– Collaborates and coordinates with other privacy stakeholders (e.g., Privacy Act Officer, Privacy Policy Advisor and Operating Division (OpDiv) Senior Officials for Privacy) to implement compliance initiatives;

– Jointly with the General Counsel, provides advice and guidance on proposed regulations/policies and issues guidance;

– Coordinates with the Data Integrity Board and provides privacy guidance when reviewing HHS and OpDiv computer matching agreements; and

– Chairs monthly, weekly, and ad-hoc Privacy Incident Response Team (PIRT) meetings.

The HHS CISO and the OS CISO oversee many duties on behalf of the HHS SAOP given the inherent partnership between Information Security and Privacy.


HHS Privacy Program Structure

HHS CISO – Privacy Program Structure

1. Leadership and Policy

2. Compliance and Risk Management

3. Enterprise Privacy Integration

4. Privacy Incident Management

5. Privacy Training and Awareness

6. Assurance and Continuous Monitoring


The HHS Privacy Program is centralized under the HHS Senior Agency Official for Privacy

Frank Baitman - HHS Chief Information Officer, Senior Agency Official for Privacy

Kevin Charest, PhD - HHS Chief Information Security Officer (CISO)

Johnny E. Davis Jr. - HHS Deputy CISO, OS Deputy CISO

Maya Bernstein, JD - Privacy Policy Advisor

Operating Division Senior Officials for Privacy

Beth Kramer, JD - HHS Privacy Act Officer

Julia White, JD - HHS Privacy Director

Privacy Incident Response Team (PIRT)

HHS Privacy Program Showcase: Privacy Incident Response Team (PIRT)

The HHS PIRT uses HHS Computer Security Incident Response Center (CSIRC) daily and weekly reports to provide data for several privacy incident reports.

These reports:

– Facilitate PIRT oversight;

– Validate privacy incident/breach data;

– Provide consistent metrics for OpDiv Incident Response Teams (IRTs) and the PIRT; and

– Allow the PIRT to identify trends and communicate solutions.

Reports are reviewed by the SAOP to evaluate the risk to PII and to coordinate with OpDivs regarding an appropriate response.


Daily

• Daily CSIRC Incident Report
• Daily interaction with OpDivs to close incidents

Weekly

• Weekly CSIRC Privacy Incident Report
• Weekly Breach Report
• Weekly PIRT Meeting

Monthly

• Monthly PIRT Meeting
• Monthly Incident Crosswalk

Quarterly

• Quarterly OpDiv Incident Metrics

Annual

• Annual PIRT Report to the Risk Management and Financial Oversight Board

Applying the Governance Model


In response to Cloud First, and the HHS Cloud Strategy, OIS leveraged the Federal Risk and Authorization Management Program (FedRAMP) Authorization to Operate (ATO) process to integrate cloud security across HHS and develop a collaborative and transparent agency wide cloud security ATO process.

FedRAMP is a “perform once, use many times” framework to save on the cost, time, and staff required to conduct cloud security assessments.

The HHS OIS Cloud Security Team working with the FedRAMP PMO, and with sponsorship from HHS OCIO Leadership, collaborated with the HHS Operating Divisions to develop the HHS FedRAMP ATO Process.

Applying the Governance Model to Enable Cloud Security

[Diagram: two authorization paths, the FedRAMP Option (FedRAMP ATO) and the Agency Option (HHS Agency ATO), connecting the HHS OIS Cloud Security Team, OpDiv 1, OpDiv 2, OpDiv 3, the Cloud Service Provider, and the FedRAMP PMO.]

The HHS OIS Cloud Security Team was established and began collaborating with OpDivs, the FedRAMP PMO, and Cloud Service Providers to securely assess cloud solutions that could be used within HHS and other agencies.

Demonstrating Results through Governance and Stakeholder Engagement

Using this process, HHS was the first agency to grant a FedRAMP Agency ATO to a cloud service provider.

Contact Information

Dr. Kevin Charest

HHS Chief Information Security Officer
Office of the Chief Information Officer
U.S. Department of Health and Human Services
200 Independence Avenue
Washington, DC
[email protected]
