U.S. DEPARTMENT OF HEALTH AND HUMAN SERVICES
Administration for Children, Youth and Families

1. Log No.: OISM-IM-93-1
2. Issuance Date: October 1, 1992
3. Originating Office: Children's Bureau

INFORMATION MEMORANDUM

TO: State Public Assistance, Child Support Enforcement and Medicaid Agencies and other interested parties.
Subject: ADP System Security Requirements and Review Process - Federal Guidelines
Related References: 45 CFR Part 95, Subpart F, Section 95.621
Purpose: In order to assist States in meeting the security requirements of 45 CFR Part 95, DHHS is attaching a guidance document which provides a description of what we consider appropriate for a State to address in its written security summary of findings and determination of compliance with Part 95 requirements. This information is intended as guidance and is not to be used as an outline or checklist. Each State's security program is unique, possessing features necessitated by singular data processing environments.
Background:

State public assistance agencies are responsible for the security of all developmental or operational Federally funded automatic data processing (ADP) systems. These systems are subject to the provisions of 45 CFR Part 95, Subpart F.

On February 7, 1990, the Department of Health and Human Services (DHHS) published final rules at 45 CFR Part 95, Subpart F and the Department of Agriculture, Food and Nutrition Service (FNS), published final rules at 7 CFR Part 277 in the Federal Register. See 55 FR 4364. These regulations became effective on May 8, 1990, and included new provisions for establishing minimum standard requirements for the security of systems used to administer programs covered under these rules.

State Responsibility to Establish ADP Security Program

Under 45 CFR 95.621 each State is responsible for the security of all ADP projects under development and all operational systems used by State and local governments to administer programs covered under 45 CFR Part 95, Subpart F. This regulation requires that State agencies shall (1) determine the appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information processing; (2) implement appropriate security requirements; (3) establish a security plan and, as appropriate, policies and procedures to address the areas of ADP security at 95.621(f)(2)(ii); (4) establish and maintain a program for conducting periodic risk analyses; and (5) conduct a biennial ADP system security review of installations involved in the administration of DHHS programs which, at a minimum, includes an evaluation of physical and data security operating procedures, and personnel practices. This requirement applies to all ADP systems used by State and local governments to administer programs covered under 45 CFR Part 95, Subpart F.

On January 10, 1991, the former Family Support Administration (FSA) and the Food and Nutrition Service (FNS) jointly issued Action Transmittal FSA-AT-91-2. That Action Transmittal established that biennial reviews for existing systems must be completed and reported to DHHS and FNS by October 1, 1992 and every two years thereafter.

State Responsibility to Conduct Biennial ADP System Security Review

The biennial reviews for existing systems must be completed and reported to DHHS and FNS by October 1, 1992 and every two years thereafter. For new ADP applications, reviews must be conducted upon implementation and every two years thereafter. After completing the required biennial ADP system security review, Heads of State agencies must provide a written summary of findings and a determination of compliance with the Part 95 ADP security requirements. In their reports to DHHS and FNS, States must include written summaries of their ADP security programs and action plans with the scheduled dates of milestones which, when the appropriate safeguards are properly implemented, will protect against identified threats. States also must certify compliance of their ADP Security Program in the following areas:

  1. Physical security of ADP resources;

  2. Equipment security to protect equipment from theft and unauthorized use;

  3. Software and data security;

  4. Telecommunications security;

  5. Personnel security;

  6. Contingency plans to meet critical processing needs in the event of short or long-term interruption of service;

  7. Emergency preparedness; and

  8. Designation of an Agency ADP Security Manager.

Funding for ADP security will generally be available at the regular administrative cost for operating State and local systems to administer programs covered under 45 CFR Part 95, Subpart F. As an exception, however, the statutes authorizing enhanced funding, sections 454(16)(c) and 402(a)(30) of the Social Security Act, specifically reference security as a requirement of the State. For example, these requirements are addressed within the review and approval of a FAMIS APD and enhanced funding will be provided for those automated procedures related to the security of this system.

Information Sources

Additional information on computer systems security can be obtained from sources such as the Computer Security Institute, Datapro Research Corporation, and the Information Systems Officers Association. Additionally, the National Institute of Standards and Technology (NIST) "Publications List 91" may prove helpful. A copy of this list is attached to FSA-AT-91-2 dated January 10, 1991. It provides instructions for ordering specific publications from the U.S. Government Printing Office and the National Technical Information Service.

Instructions:

DHHS has already received some submissions and requests for clarification from States. It is the intent of this Information Memorandum to respond to requests from States for technical assistance in order to meet ADP systems security requirements. We have attached a guidance document that you may find useful when conducting reviews and preparing written summaries.

As this is the first time that State and local government entities have reported biennial reviews in accordance with this new regulation, we anticipate that the reports to HHS will be varied and informative. HHS welcomes any and all comments from State and local governments concerning this Information Memorandum and its attachment.

Mail Plans To: Ms. Naomi B. Marr, Director
Office of Information Systems Management
Administration for Children and Families, DHHS
Washington, D.C. 20447
Telephone Inquiries To: Jaren Doherty
Administration for Children and Families
(202) 401-9393

Assistant Secretary
for Children and Families

Attachment