Submission of the Latest Security Review Findings and Determination of Compliance with Part 95, SubPart F
ATTACHMENT: IM-93-1 ADP System Security Requirements and Review Process - Federal Guidelines
DATE: September 10, 2003
TO: State Agencies Administering the Child Support Enforcement Program under Title IV-D of the Social Security Act and Other Interested Individuals and Organizations
SUBJECT: Guidance to States Regarding Submission of the Latest Security Review Findings and Determination of Compliance with Part 95, SubPart F Requirements
PURPOSE: This action transmittal establishes the requirement for states to submit copies of their latest security review findings to the Office of Child Support Enforcement (OCSE). OCSE has been tasked with reviewing and assessing the status of states' compliance with the regulations at 45 CFR Part 95, Subpart F, Section 621. So that OCSE can conduct this security assessment cost-effectively, states are instructed to forward copies of their latest security review findings to OCSE, thereby limiting the number of on-site security reviews conducted as described at 45 CFR Part 95, Section 621(f)(6). States are required to forward their most recent security review within sixty days of the date of this action transmittal.
BACKGROUND: State public assistance agencies are responsible for the security of all developmental or operational Federally-funded automatic data processing (ADP) systems. These systems are subject to the provisions of 45 CFR Part 95, Subpart F.
On February 7, 1990, the Department of Health and Human Services (DHHS) published final rules at 45 CFR Part 95, Subpart F and the Department of Agriculture, Food and Nutrition Service (FNS), published final rules at 7 CFR Part 277 in the Federal Register. See 55 FR 4364. These regulations became effective on May 8, 1990, and included new provisions establishing minimum standard requirements for the security of systems used to administer programs covered under these rules.
State Responsibility to Establish ADP Security Program
Under 45 CFR 95.621 each state is responsible for the security of all ADP projects under development and all operational systems used by state and local governments to administer programs covered under 45 CFR Part 95, Subpart F. This regulation requires state agencies to (1) determine the appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information processing; (2) implement appropriate security requirements; (3) establish security plans and, as appropriate, policies and procedures to address the areas of ADP security at 95.621(f)(2)(ii); (4) establish and maintain programs for conducting periodic risk analyses; and (5) conduct biennial ADP system security reviews of installations involved in the administration of DHHS programs which, at a minimum, include evaluations of physical and data security, operating procedures, and personnel practices. This requirement applies to all ADP systems used by state and local governments to administer programs covered under 45 CFR Part 95, Subpart F.
On January 10, 1991, the former Family Support Administration (FSA) and the Food and Nutrition Service (FNS) jointly issued Action Transmittal FSA-AT-91-2. That Action Transmittal established that biennial reviews for existing systems must be completed and reported to DHHS and FNS by October 1, 1992 and every two years thereafter. For new ADP applications, reviews must be conducted upon implementation and every two years thereafter. After completing the required biennial ADP system security review, heads of state agencies must provide a written summary of findings and a determination of compliance with the Part 95 ADP security requirements. In their reports to DHHS and FNS, states must include written summaries of their ADP security programs and action plans with the scheduled dates of milestones which, when the appropriate safeguards are properly implemented, will protect against identified threats. States also must certify that their ADP security program complies with the requirements in the following areas:
A. Physical security of ADP resources;
B. Equipment security to protect equipment from theft and unauthorized use;
C. Software and data security;
D. Telecommunications security;
E. Personnel security;
F. Contingency plans to meet critical processing needs in the event of short or long-term interruption of service;
G. Emergency preparedness; and
H. Designation of an Agency ADP Security Manager.
Guidance on the content of the security reviews is contained in OISM-IM-93-1 (attached).
On July 31, 1996, the Department of Health and Human Services (DHHS) published revised rules at 45 CFR Part 95, Subpart F. See 61 FR 39898. These regulations became effective October 1, 1996, and removed the requirement for states to provide the Department a written summary of the state’s findings and determination of compliance with the ADP security requirements defined at 45 CFR Part 95 Section 621 (f)(2) on a biennial basis. State agencies are still required to maintain reports of their biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site review.
We consider this documentation an important first step in obtaining data on the security of state child support automated systems; a potential next step is updating our security guidance or consolidating the multiple security reviews that IRS, SSA and OCSE currently conduct separately. Although the biennial security reviews are not currently required to address them, OCSE would also appreciate receiving information on two points: each state's ability to audit to the record level (i.e., to track which users view data on screen, not only which users modify key data elements), and whether child support data transmitted within the state is encrypted. As you know, OCSE, SSA and IRS are discussing what levels of auditing and security are sufficient for users of IRS and SSA data to protect that data. IRS and SSA suggest auditing to the record level. This information will therefore be very helpful in addressing IRS and SSA audit findings.
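The record-level audit capability asked about above (tracking who views a record, not only who modifies it) is easy to state and easy to get wrong: a log that records only updates cannot answer "which users looked at this case." The following is an added illustration, not part of this transmittal or of any state's system. It assumes a simple in-memory case store; the case records, user names, field names and the hash-chained log format are all constructed for the example.

```python
"""Record-level access auditing: every VIEW is logged, not only every UPDATE.

Added illustration for OCSE-AT-03 (not agency code). Sample cases, users
and field names below are constructed; no real persons or case data.
"""
import hashlib
import json
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass
class AuditEvent:
    """One audit entry. VIEW events are what record-level auditing adds."""
    seq: int
    timestamp: str
    user: str
    action: str                 # "VIEW" or "UPDATE"
    record_id: str
    fields: Tuple[str, ...]     # which fields were shown or changed
    prev_hash: str              # hash of the preceding entry (chain link)
    hash: str = ""

    def body(self) -> str:
        # Canonical serialization of everything except the hash itself.
        return json.dumps([self.seq, self.timestamp, self.user, self.action,
                           self.record_id, list(self.fields), self.prev_hash],
                          separators=(",", ":"))


class AuditedCaseStore:
    """Case store that emits an audit event for every read and write.

    Each entry's hash covers the previous entry's hash, so editing or
    deleting an entry after the fact is detected by verify_chain().
    """
    GENESIS = "0" * 64

    def __init__(self, records: Dict[str, Dict[str, str]]):
        self._records = records
        self.log: List[AuditEvent] = []

    def _emit(self, user: str, action: str, record_id: str,
              fields: Tuple[str, ...]) -> AuditEvent:
        prev = self.log[-1].hash if self.log else self.GENESIS
        ev = AuditEvent(len(self.log) + 1,
                        datetime.now(timezone.utc).isoformat(),
                        user, action, record_id, fields, prev)
        ev.hash = hashlib.sha256(ev.body().encode()).hexdigest()
        self.log.append(ev)
        return ev

    def view(self, user: str, record_id: str,
             fields: Optional[Tuple[str, ...]] = None) -> Dict[str, str]:
        """Read a record (or selected fields) and log who viewed what."""
        rec = self._records[record_id]
        chosen = tuple(fields) if fields else tuple(rec)
        self._emit(user, "VIEW", record_id, chosen)
        return {f: rec[f] for f in chosen}

    def update(self, user: str, record_id: str, changes: Dict[str, str]) -> None:
        """Modify a record; a write-only audit log captures only this path."""
        self._records[record_id].update(changes)
        self._emit(user, "UPDATE", record_id, tuple(changes))

    def who_viewed(self, record_id: str) -> List[str]:
        """The question a write-only audit log cannot answer."""
        return [ev.user for ev in self.log
                if ev.record_id == record_id and ev.action == "VIEW"]

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any entry was altered or removed."""
        prev = self.GENESIS
        for i, ev in enumerate(self.log, start=1):
            if ev.seq != i or ev.prev_hash != prev:
                return False
            if hashlib.sha256(ev.body().encode()).hexdigest() != ev.hash:
                return False
            prev = ev.hash
        return True


def demo() -> AuditedCaseStore:
    """Constructed sample data: two cases, three users, no real persons."""
    store = AuditedCaseStore({
        "CASE-1001": {"ncp_name": "Sample Person A", "ssn": "000-00-0001",
                      "arrears": "1200.00"},
        "CASE-1002": {"ncp_name": "Sample Person B", "ssn": "000-00-0002",
                      "arrears": "0.00"},
    })
    store.view("clerk_a", "CASE-1001")                       # full-screen view
    store.view("clerk_b", "CASE-1001", ("ssn",))             # looked at SSN only
    store.update("supervisor_c", "CASE-1001", {"arrears": "900.00"})
    store.view("clerk_a", "CASE-1002", ("arrears",))
    return store


if __name__ == "__main__":
    s = demo()
    print("viewed CASE-1001:", s.who_viewed("CASE-1001"))   # ['clerk_a', 'clerk_b']
    print("chain intact:", s.verify_chain())                 # True
    s.log[1].user = "nobody"                                 # tamper with a VIEW entry
    print("chain intact:", s.verify_chain())                 # False
```

The point of the `view` path is that a read is logged with the same detail as a write (user, record, fields, time); the hash chain is there because an audit log that the application itself can silently edit is of little value to an IRS or SSA reviewer. In a real system the log would be written to append-only storage outside the application's own database rather than kept in memory.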
In summary, states should submit their latest security review findings to Robin Rushton, Director, Division of State and Tribal Systems, Office of Child Support Enforcement, 370 L'Enfant Promenade, S.W., Washington, D.C. 20447 within 60 days of the effective date of this Action Transmittal. If you have any questions or difficulty complying with this requirement, please contact your OCSE systems analyst.
REFERENCES: 45 CFR Part 95 Subpart F, Section 621
ENCLOSURES: OISM Information Memorandum 93-1 dated October 1, 1992
Sherri Z. Heller, Ed.D.
Office of Child Support Enforcement