HHS Policy for Rules of Behavior for Use of Information & IT Resources

A document from the Department of Health & Human Services (HHS) that outlines requirements for individuals who access HHS and CMS systems and information

Last reviewed: 2/9/2023

Contact: ISPG Policy Team | CISO@cms.hhs.gov

1. Nature of Changes

Version 1.0: released July 2013. First issuance of policy.

Version 2.0: released December 2016. Added new statements to:

  • Prohibit the use of personally owned devices and unapproved non-GFE to conduct HHS business.
  • Restrict personal social media use during official work duty.
  • Restrict the connection to public, unsecure Wi-Fi from GFE.
  • Prohibit the use of HHS e-mail address to create personal commercial accounts.

Version 2.1: Released August 2017. As recommended by OpDivs in the first-round review, Policy for Personal Use of IT Resources was combined with the Rules of Behavior since the documents overlap.

Version 2.1: Released February 2018. Update to policy for use of personal email per Departmental recommendation.

Version 2.1: Released March 2018. Removed the policy requirement restricting the use of personal email from HHS/OpDiv networks per OCIO request.

Version 2.1: Released April 2018. Replaced Controlled Unclassified Information (CUI) with sensitive information per OGC and PIM recommendations.

Version 2.1: Released June 2018. Policy obtained NTEU clearance.

Version 2.2: Released May 2019. Changed Webmail access policy to only block access from public internet and encourage OpDivs to reduce its usage. Added requirement to restrict the use of personal email, storage services and devices that conduct HHS/OpDiv business and store HHS/OpDiv data.

Version 2.3: Released June 2019. Updated password requirement.

Version 3.0: Released February 2023. Updated to prohibit unauthenticated Bluetooth tethering without OpDiv approval, address acceptable use of social media, provide general updates throughout the document, and ensure adherence to Executive Order 14028 as well as Office of Management and Budget (OMB) Memorandum (M) M-22-09.

2. Purpose

The HHS Policy for Rules of Behavior for Use of Information and IT Resources (hereafter known as Policy) defines the acceptable use of the Department of Health and Human Services (Department or HHS)/Operating Division (OpDiv) information and Information Technology (IT) resources and establishes the baseline requirements for developing Rules of Behavior (RoB) that all users, including privileged users, are required to sign prior to accessing HHS/OpDiv information systems and resources.

This document includes baseline requirements for three RoB categories: General Users, Privileged Users, and System Specific Users. These RoB categories provide baseline requirements and guidelines for implementation of each RoB category. This Policy also defines acceptable personal use of HHS/OpDiv information resources and restricts use of personal devices to conduct HHS/OpDiv business.

An OpDiv may customize this Policy and RoBs to include OpDiv specific information, create its own policy, or supplement the specified RoB provided that the OpDiv policy and RoBs are compliant with and at least as restrictive as the baseline policy and RoBs stated herein.

This Policy uses the term ‘sensitive information’ to refer to Personally Identifiable Information (PII)1 (although other HHS policies may distinguish between PII and sensitive PII), Protected Health Information (PHI), financial records, business proprietary data, and any information marked Sensitive but Unclassified (SBU), Controlled Unclassified Information (CUI), etc.2

3. Background

The executive branch of the federal government leverages hundreds of thousands of employees located in offices across the nation to serve the American people. Increasingly, the government is called upon to deliver additional services to a growing population that expects ever-increasing improvements in service delivery. The relationship between the executive branch and the employees who administer the functions of the government is based on trust. Consequently, employees are expected to follow rules and regulations and to be responsible for their own personal and professional conduct. The Standards of Ethical Conduct for Employees of the Executive Branch published by the U.S. Office of Government Ethics states that, “Employees must put forth honest effort in the performance of their duties” [5 C.F.R. § 2635.101(b)(5)].

The RoBs stated in this Policy include rules that govern the appropriate use and protection of all HHS/OpDiv information resources and help to ensure the security of IT equipment, systems, and data confidentiality, integrity, and availability. 

4. Scope

This Policy applies to all OpDivs and other parties that conduct business for or on behalf of HHS (i.e., contractors, third-party service/storage providers, cloud service providers). This Policy applies to all users of HHS/OpDiv information and IT resources whether working at their primary duty station, teleworking, working at a satellite site or any other alternative workplaces, and/or while traveling.

An OpDiv must implement this Policy and these baseline requirements or, alternatively, may create its own policy that is more restrictive, but not less restrictive, than this Policy. This Policy does not supersede any other applicable law or higher-level agency directive or policy guidance.

This Policy does not supersede any applicable law, higher-level agency directive, or existing labor management agreement as of the effective date of this Policy.

5. Authorities

The following are the primary authoritative documents driving the requirements in this Policy:

  1. Federal Information Security Modernization Act of 2014 (FISMA), Pub. L. No. 113-283, 128 Stat. 3073, codified at 44 U.S.C. Chapter 35, Subchapter II.
  2. HHS Policy for Information Security and Privacy Protection (IS2P), November 2021.
  3. National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Federal Information Systems, February 2006.
  4. NIST SP 800-37 Rev. 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy, December 2018.
  5. NIST SP 800-53 Rev. 5, Security and Privacy Controls for Information Systems and Organizations, December 2020.
  6. Office of Management and Budget (OMB), Circular A-130, Managing Information as a Strategic Resource, July 2016.
  7. Public Law 115-232 § 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, August 13, 2018.
  8. 5 U.S.C. § 552a (the Privacy Act of 1974, as amended).

6. Policy

The following are the baseline requirements for implementing HHS or OpDiv RoB that govern the appropriate use of HHS/OpDiv information systems and resources for all employees, contractors, and other personnel who have access to HHS/OpDiv information and information systems.

6.1. Acceptable Use of HHS Information and IT Resources – OpDiv Requirements

  1. OpDivs must ensure all users read and acknowledge the RoB as general users upon onboarding and annually thereafter. Additionally, users with significant security responsibilities must read and acknowledge the RoB as privileged users upon onboarding and annually thereafter (see baseline RoB for both general and privileged users in Appendix D). OpDiv System Owners must define RoB for System Specific users as necessary. Acknowledgement is understood to mean that each RoB must contain a signature page on which the user acknowledges having read, understood, and agreed to abide by the RoB (general user or privileged user). Electronic signatures are acceptable.
  2. OpDivs must ensure that general users read and sign the RoB before they are given access to HHS/OpDiv information and/or systems. Digital signature is encouraged for general users whose digital signature can be authenticated by a Personal Identity Verification (PIV) card or other similar card (such as a Personal Identity Verification Interoperability (PIV-I) card, Derived Alternate Credential (DAC), or Common Access Card (CAC)); however, general users may physically sign.
  3. OpDivs must inform general users of their responsibilities and the accountability of their actions while accessing HHS/OpDiv systems and using HHS/OpDiv information resources. (The RoB must state the consequences of behavior not consistent with the rules).
  4. OpDivs must include the items covered in sections 6.2, 6.3, and 6.4 including teleworking, remote access, connection to the internet, use of copyrighted works, use of GFE, social media, and individual accountability. Sample RoBs are included in Appendix D.
  5. OpDivs must ensure that government furnished equipment distributed for the purpose of conducting official government business, including but not limited to Personal Identity Verification (PIV) cards, mobile devices, and cellular telephones, is surrendered, collected, or reclaimed on or before the last day of employment or contract termination.
  6. OpDivs must take steps to reduce the use of Webmail and allow access only when necessary. OpDivs will make the determination as to what is defined as necessary for their OpDiv.
  7. OpDivs must implement technical controls to:
    1. Prohibit auto-forwarding of email
    2. Block the use of HHS/OpDiv Webmail access from untrusted or unauthenticated public internet or implement compensating controls
    3. Detect and block spam emails, and employ a capability within the official email application (such as a phishing email button) to expedite the reporting of suspected phishing emails to the OpDiv designated email incident response team
    4. Appropriately secure mobile devices used for conducting HHS/OpDiv business
    5. Ensure that rules regarding passwords are consistent with technical password features
    6. Monitor user activities, system accounts and privileged user accounts
    7. Disable unnecessary/unauthorized permissions, services, and system/user accounts.
  8. OpDivs must develop and implement system specific RoB when appropriate (see additional guidance in Appendix C). OpDivs must include in system specific RoB provisions that:
    1. Delineate responsibilities and expected behavior of all users with access to the system and state the consequences of behavior not consistent with the rules
    2. Include limitations on altering data, searching databases, and divulging information3
    3. State appropriate limits on interconnections to other systems.

6.2. Acceptable Use of HHS Information and IT Resources – General User Requirements

  1. HHS/OpDiv permits personnel to have limited personal use of HHS/OpDiv information and IT resources, including HHS/OpDiv email, systems, instant messaging (IM) tools, and government-furnished equipment (GFE) (e.g., laptops, mobile devices, etc.) only when the personal use:
    1. Involves no more than minimal additional expense to the government
    2. Is minimally disruptive to personnel productivity
    3. Does not interfere with the mission or operations of HHS
    4. Does not violate HHS/OpDiv security and privacy policies.
  2. HHS/OpDiv expects personnel to conduct themselves professionally in the workplace and to refrain from using GFE, email, third-party websites, and applications (TPWAs) (e.g., HHS/OpDiv social media sites and cloud services, etc.) and other HHS/OpDiv information resources for activities that are not related to any legitimate/officially sanctioned HHS/OpDiv business purpose, except for the limited personal use stated above.  Personnel must not misuse HHS/OpDiv information and IT resources or conduct unapproved activities using HHS/OpDiv information and IT resources including, but not limited to:
    1. Engaging in activities that could cause congestion, delay, or disruption of service to any HHS/OpDiv information resource (e.g., sending chain letters via email, playing streaming videos, games, music, etc.)
    2. Accessing, downloading and/or uploading illegal, illicit, or criminal content from/to the internet (e.g., pornographic or sexually explicit materials, information about illegal weapons, terrorism activities, or other illegal activities)
    3. Accessing, downloading, or clicking on any untrusted hyperlinks or executable files without verifying source.
    4. Conducting or supporting commercial “for-profit” activities, managing outside employment or business activity, or running a personal business
    5. Engaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity
    6. Using HHS/OpDiv information resources for activities that are inappropriate or offensive to fellow personnel or the public (e.g., hate speech or material that ridicules others on the basis of race, creed, religion, color, age, gender, disability, national origin, or sexual orientation)
    7. Creating a website or uploading content to a TPWA or social media website on behalf of HHS/OpDiv without proper official authorization.4 Proper official authorization includes, for example, written approval from the HHS or OpDiv CISO or a designee
    8. Connecting personal devices to HHS/OpDiv systems without proper official authorization
    9. Using personal devices, non-HHS/OpDiv email, and unauthorized third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, or process HHS/OpDiv information, or to conduct HHS/OpDiv business without proper official authorization.
    10. Automatically (auto) forwarding HHS/OpDiv email to internal or external email sources, or forwarding email/files that contain sensitive information to unauthorized systems and devices that are used for non-HHS and non-OpDiv business purposes5
    11. Accessing and using HHS/OpDiv Webmail without proper official authorization
    12. Using an HHS/OpDiv email address and other information resources to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or website, and signing up for personal memberships that are not work related.
  3. HHS/OpDiv warns users of HHS/OpDiv information resources, systems and GFE that they should have no expectation of privacy while using them and that their usage may be monitored, recorded, and audited at any time; and that HHS/OpDiv information resources, systems and GFE must be used with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA), Privacy Act (5 U.S.C. § 552a) or other applicable legal authority.
  4. HHS/OpDiv formally notifies users through the RoB that their electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or Department/OpDiv personnel at any time when related to the performance of duties. For example, after obtaining management approval, HHS/OpDiv authorized technical staff may employ monitoring tools in order to maximize the utilization of HHS/OpDiv resources.

6.3. Telework/Remote Work and GFE

  1. HHS/OpDivs permit personnel to telework only when approved by management. Security of HHS/OpDiv information systems, equipment, and information, including PII, CUI and sensitive information, is just as important at a telework worksite as it is in an HHS/OpDiv building. HHS/OpDiv requires personnel to conduct themselves with the same professionalism remotely as is required in the formal workplace. HHS/OpDivs require personnel to safeguard any GFE provided by following these guidelines:
    1. Users can connect additional devices to GFE as necessary to conduct official government business with OpDiv approval if the devices are not on the prohibited vendor list.6
    2. Users can connect GFE to printers with OpDiv approval.
      • Printers must be connected to GFE via USB or other physical port. Wireless connections between GFE and printers require OpDiv approval.
      • Users must contact OpDiv Help Desks to have printer drivers installed on GFE prior to connecting the printer7.
    3. Users are prohibited from installing any software on GFE
    4. Users are permitted to use their home Wi-Fi network to provide the connectivity for telework. Home networks must be set up in accordance with guidance from HHS/OpDiv or OpDivs8
    5. Users must keep Bluetooth turned off while not in use. 9
    6. Users are responsible for the protection of all sensitive data
    7. Users must not take GFE outside of the US or its territories for regular teleworking. For official visit to foreign countries, adhere to the Department GFE Travel Restriction requirements.10

6.4. Non-Compliance

This Policy cannot account for every possible situation. Therefore, where this Policy does not provide explicit guidance, personnel must use their best judgment to apply the principles set forth in the standards for ethical conduct to guide their actions and to seek guidance when appropriate from the OpDiv Chief Information Officer (OpDiv CIO) or his/her designee.

Non-compliance with the requirements in this Policy and the RoB may be cause for disciplinary and other actions for anyone who has logical access to data, digital resources, and computer networks, or physical access to the HHS/OpDiv enterprise network, data, and resources. Depending on the severity of the violation, consequences may include, but are not limited to, one or more of the following actions:

  1. Mandatory training
  2. Reprimand
  3. Suspension of access privileges
  4. Revocation of access to federal information, information systems, IT resources and/or facilities
  5. Deactivation of the accounts
  6. Suspension without pay
  7. Monetary fines
  8. Removal or disbarment from work on federal contracts or projects
  9. Termination of employment and/or
  10. Criminal charges that may result in imprisonment
  11. Potential removal of security clearances

7. Roles and Responsibilities

7.1. HHS Chief Information Officer (CIO)

The HHS CIO or representative must:

  1. Ensure this Policy is disseminated and implemented Department-wide.
  2. Ensure RoBs are developed, maintained, and implemented for all general users, privileged users, and information systems (when deemed applicable).

7.2. OpDiv CIO

The OpDiv CIO or representative must:

  1. Ensure the acceptable use requirements for OpDiv information resources are implemented throughout the OpDiv.
  2. Ensure RoBs are developed, approved, maintained, and implemented for all general users, privileged users, and system-specific users (as applicable) OpDiv-wide.

7.3. HHS Chief Information Security Officer (CISO)

The HHS CISO must:

  1. Ensure implementation of this Policy.
  2. Ensure all users read, acknowledge, and adhere to RoB for all three RoB categories (general users, privileged users, and system specific users) as applicable.
  3. Approve or assign a designee to approve exceptions to RoBs, when required.
  4. Ensure records are maintained for signed RoB forms.

7.4. OpDiv CISO

The OpDiv CISO must:

  1. Implement this Policy or develop an OpDiv specific RoB.
  2. Develop and implement OpDiv RoBs for general users, privileged users and system specific users, as applicable.
  3. Ensure all users read, acknowledge, and adhere to RoB for all three RoB categories (general users, privileged users, and system specific users) as applicable.
  4. Approve or assign a designee to approve exceptions to RoBs, when required.
  5. Ensure records are maintained for signed RoB forms.

7.5. Managers and Supervisors

The OpDiv managers and supervisors must:

  1. Inform individual users of their rights and responsibilities, including the information in this Policy.
  2. Address inappropriate use by personnel who report to them and disseminate information to relevant stakeholders for the purpose of incident handling and investigations.
  3. Receive and review reports of inappropriate use of IT resources from management officials and allow access to these reports to designated authorities, as applicable, in accordance with HHS/OpDiv standard operating procedures.
  4. Notify, when appropriate, senior Department officials of inappropriate use and/or abuse of HHS/OpDiv IT resources.

7.6. System Owner (SO)

The OpDiv SOs must:

  1. Delineate responsibilities and expected behavior of all users with access to the system and state the consequences of behavior not consistent with the rules.
  2. Develop and appropriately disseminate system specific RoB when deemed applicable.
  3. Ensure all users with access to the information system(s) under their purview read, acknowledge, and adhere to the general user RoB and system specific RoB (if deemed applicable) prior to obtaining access and at least annually thereafter.
  4. Automate, to the extent possible, the security and privacy controls that are required to be implemented to protect systems and information.
  5. Ensure all users with privileged access rights to the information system(s) under their purview read, acknowledge, and adhere to the privileged user RoB.
  6. Review system specific RoB periodically and at least every three years.
  7. Maintain records of all the signed system specific RoB.
  8. In accordance with the Privacy Act, maintain an accounting of disclosures made by HHS/OpDiv of records about individuals retrieved by personal identifier, excluding only disclosures required by FOIA and disclosures to HHS officers and employees with need to know.
  9. Promptly schedule records with the National Archives and Records Administration (NARA), and promptly destroy records when eligible for destruction and no longer needed for HHS/OpDiv business.

7.7. Information and System User

All users of HHS/OpDiv information, GFE and systems must:

  1. Read, understand, and acknowledge RoB initially upon onboarding or start of work and annually thereafter.
  2. Always secure the HHS/OpDiv information resources and assets they have access to or are entrusted with (e.g., while at their duty station, when traveling, teleworking, etc.).
  3. Report any loss, compromise, and unauthorized use of HHS/OpDiv information and systems immediately upon discovery/detection in accordance with HHS/OpDiv policies.
  4. Seek guidance from their supervisor and other officials if unclear about HHS/OpDiv security and privacy policies.

8. Information and Assistance

HHS Office of the Chief Information Officer is responsible for the development and management of this Policy. Questions, comments, suggestions, and requests for information about this Policy should be directed to HHSCybersecurityPolicy@hhs.gov.

9. Effective Date and Implementation

The effective date of this Policy is the date on which the policy is approved. This Policy must be reviewed, at a minimum, every three (3) years from the approval date.

The HHS CIO has the authority to grant a one (1) year extension of the Policy.

To archive this Policy, written approval must be granted by the HHS CIO.

10. Approval

/S/
Karl S. Mathias, Ph.D., HHS CIO

February 9, 2023

Appendix A: Procedures

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

OpDivs may develop their specific procedures document(s) to implement this Policy.

Appendix B: Standards

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

Standard Rules of Behavior

HHS/OpDivs are responsible for implementing adequate security controls to ensure a high level of protection for all HHS/OpDiv information and IT resources commensurate with the level of risk. In addition, HHS/OpDivs must ensure that all employees, contractors, and other personnel using HHS/OpDiv information resources have the required knowledge and skills to appropriately use and protect HHS/OpDiv information and IT resources. All OpDivs may use the RoB included in Appendix D or may develop their own RoB provided compliance, at a minimum, meets the requirements of the HHS/OpDiv RoB.

  1. RoB are provided for the following three categories:
    1. Appendix C includes supplemental RoB for specific systems
    2. Appendix D contains the RoB for
      • General Users and
      • Privileged Users
  2. All HHS/OpDiv personnel (employees, contractors, interns, etc.) and any other individuals (for example, representatives of grantees, business partners, other agencies, or research institutions; FOIA requesters; members of the general public; etc.) who are granted access to HHS/OpDiv information and IT resources must read, acknowledge, and adhere to the HHS/OpDiv General User RoB prior to accessing and using HHS/OpDiv information resources and IT systems. The acknowledgment of the RoB, which affirms that all users have read and understand the HHS/OpDiv RoB, may be obtained by hardcopy written signature, electronic acknowledgement, or electronic signature. This acknowledgement must be completed at HHS/OpDiv onboarding or prior to the start of work on an HHS/OpDiv contract, grant, or other agreement, and at least annually thereafter, and/or in combination with the HHS/OpDiv information cybersecurity awareness training.
  3. All privileged users (e.g., network/system administrators, developers, etc.) must read, acknowledge, and adhere to the HHS/OpDiv Privileged User RoB prior to obtaining a privileged user account and at least annually thereafter. The acknowledgment of the RoB, which affirms that privileged users have read and understand the HHS/OpDiv RoB for privileged users, may be obtained by either hardcopy written signature or by electronic acknowledgement or signature.
  4. Per the HHS/OpDiv IS2P, OpDivs must develop and implement system specific RoB, when deemed advisable, to address system specific requirements to protect the system and information.
  5. All RoB (General, Privileged, and System Specific) must be reviewed and if necessary, updated at least every three years.
  6. Any exceptions to this RoB policy and the specified RoB must be approved by the HHS CISO, the OpDiv CISO, or an OpDiv CISO designee.

Appendix C: Guidance

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

Supplemental Rules of Behavior for HHS/OpDiv Systems

OpDivs are responsible for developing system specific RoB and for ensuring that users read, acknowledge, and adhere to them. A supplemental RoB must be created and developed for systems that require users to comply with rules beyond those contained in the RoB in Appendix D and Appendix E, as deemed applicable. In such cases, users must comply with the ongoing requirements of each individual system to obtain and retain access (e.g., reading and acknowledging the RoB prior to access and re-acknowledging it each year) to the information system(s). OpDiv System Owners must document any additional system specific RoB and any recurring requirement to acknowledge the respective RoB in their system security plans.

Office of Management and Budget (OMB) Circular A-130 Managing Information as a Strategic Resource, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide for Developing Security Plans for Federal Information Systems, and NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations provide requirements for system specific rules of behavior. At a minimum, the system specific RoB must:

  1. Be in writing.
  2. Delineate responsibilities for any expected user of the system and behavior of all users and must state the consequences of behavior which violates the rules.
  3. State appropriate limits on interconnections to other systems and must define service provision and restoration priorities.
  4. Cover such matters including, but not limited to, teleworking, dial-in access, connection to the internet, use of copyrighted works, unofficial use of Government equipment, assignment and limitation of system privileges, and individual accountability.
  5. Reflect technical security controls (e.g., rules regarding passwords must be consistent with technical password features).
  6. Include limitations on changing data, searching databases, or divulging information.
  7. State that controls are in place to ensure individual accountability and separation of duties and to limit the processing privileges of individuals.
  8. State any other specific rules, limitation or restriction that may apply to the use of the system.
  9. Include consequences for failing to comply with the breach reporting requirements as described in OMB M-17-12 and HHS/OpDiv policy.

Finally, National Security Systems (NSS), as defined by the Federal Information Security Modernization Act of 2014 (FISMA), must independently or collectively implement their own system specific rules.

Supplemental Rules of Behavior for Accessing Malicious Websites

Access to malicious websites by users, employees, or contractors, whether knowing or unknowing, will be treated as a security incident, and those users will be required to undergo additional security training as directed by the office of the Chief Information Security Officer (CISO). Those users must take the Security Training or a refresher course on the following:

Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by masquerading as a trustworthy entity in an electronic communication. The following must be avoided:

  • clicking on links and suspicious attachments provided in email
  • submitting banking and password information via email
  • any email asking for personal information

A ‘Hoax’ is often intended to cause embarrassment, or to promote social or political change by raising people’s awareness of something. Hoaxes should be addressed in the training because a lot of time and resources can be spent reading and forwarding hoax emails. Some hoaxes warn of a virus and tell users to delete valid and sometimes important system files.

Malware is the shortened form of the words ‘Malicious Software’. It refers to software programs designed to damage a computer system or perform other unwanted actions on it. Malware is broken into these categories:

Viruses: A malicious software program that, when executed, replicates itself by modifying other computer programs and inserting its own code.

Worms: A computer worm is a stand-alone malicious program that can replicate itself to uninfected computers.

Trojans: A ‘Trojan’ or ‘Trojan Horse’ is any malicious computer program which misleads users as to its true intent.

Spyware: Spyware is software that aims to gather information about a person or organization without their knowledge and reports it to the software’s author.

Adware: Adware is software that presents unwanted advertisements to the users of the computer.

Appendix D: Forms and Templates

Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.

1. Rules of Behavior for General Users

These Rules of Behavior (RoB) for General Users apply to all HHS personnel (employees, contractors, interns, etc.) and any other individuals who are granted access to HHS/OpDiv information resources and IT systems. Users of HHS/OpDiv information, IT resources and information systems must read, acknowledge, and adhere to the following rules prior to accessing data and using HHS/OpDiv information and IT resources.

1.1. HHS/OpDiv Information and IT Resources

When using and accessing HHS/OpDiv information and IT resources, I understand that I must:

  1. Comply with federal laws, regulations, and HHS/OpDiv policies, standards, and procedures and that I must not violate, direct, or encourage others to violate HHS/OpDiv policies, standards, or procedures.
  2. Not allow unauthorized use and access to HHS/OpDiv information and IT resources.
  3. Not circumvent or bypass security safeguards, policies, systems’ configurations, or access control measures unless authorized in writing.
  4. Limit personal use of information and IT resources so that it:
    1. Involves no more than minimal additional expense to the government
    2. Is minimally disruptive to my personal productivity
    3. Does not interfere with the mission or operations of HHS
    4. Does not violate HHS/OpDiv security and privacy policies.
  5. Refrain from using GFE, email, third-party websites and applications (TPWAs) (e.g., HHS/OpDiv social media sites and cloud services, etc.), and other HHS/OpDiv information resources for activities that are not related to a legitimate/officially sanctioned HHS/OpDiv business purpose, except for the limited personal use stated above.
  6. Complete all mandatory training (e.g., security and privacy awareness, role-based training, etc.) when initially granted access to HHS/OpDiv systems and periodically thereafter as required by HHS/OpDiv policies.
  7. Be accountable for my actions while accessing and using HHS/OpDiv information, information systems and IT resources.
  8. Not reconfigure systems and modify GFE, install/load unauthorized/unlicensed software or make configuration changes without proper official authorization.
  9. Properly secure all GFE, including laptops, mobile devices, and other equipment that store, process, and handle HHS/OpDiv information, when leaving them unattended, whether at the office, at other work locations such as home or hoteling space, or while on travel. This includes locking workstations and laptops, storing GFE in a locked drawer or cabinet or simply out of plain sight, and removing my PIV card from my workstation.
  10. Return all GFE and my Government-issued PIV card on or before my last day of employment or contract termination.
  11. Report all suspected and identified information security incidents and privacy breaches to the Helpdesk, HHS/OpDiv Computer Security Incident Response Center (CSIRC), or OpDiv Computer Security Incident Response Team (CSIRT) as soon as possible, without unreasonable delay and no later than one (1) hour after occurrence/discovery.11

1.2. No Expectation of Privacy

When using and accessing HHS/OpDiv information and IT resources, I understand that I have no expectation of privacy. I acknowledge the following:

  1. I have no expectation of privacy when using HHS/OpDiv information resources, systems, and GFE, and such use may be monitored, recorded, and audited at any time.
  2. My use of any HHS/OpDiv information resources, systems, and GFE is with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. § 552, or other applicable legal authority.
  3. My electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or Department/OpDiv personnel when related to the performance of their duties at any time. For example, after obtaining management approval, HHS/OpDiv authorized technical staff may employ monitoring tools in order to maximize the utilization of HHS/OpDiv resources.12

1.3. Password Requirement

When creating and managing my password, I understand that I must comply with the following baseline requirements:

  1. Comply with all HHS/OpDiv password requirements.
  2. Create passwords with minimum of 15 characters.13
  3. Not use common or compromised passwords.
  4. Protect my passwords, Personal Identity Verification (PIV) card, Personal Identification Numbers (PIN) and other access credentials from disclosure and compromise.
  5. Promptly change my password if I suspect or receive notification that it has been compromised.
  6. Immediately select a new password upon account recovery.
  7. Not use another person’s account, identity, password/passcode/PIN, or PIV card, or allow others to use my GFE and/or other HHS/OpDiv information resources provided to me to perform my official work duties and tasks. This includes not sharing or providing my passwords to anyone, including system administrators.
  8. Only use authorized credentials, including my PIV card, to access HHS/OpDiv systems and facilities, and not attempt to bypass access control measures.
  9. Use my PIV card to conduct HHS/OpDiv business whenever both the PIV and password options are available for authentication.
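The baseline above (at least 15 characters, no common or compromised passwords) is a policy statement, not an implementation. The following is an added example, not part of the HHS document, of how a system that still accepts passwords might enforce that baseline at password-set time. The common-password deny-list and the "breached" sample strings are constructed here for illustration; `local_range_lookup` is a hypothetical offline stand-in for a breached-password range service, queried k-anonymity style with only the first five hex characters of the SHA-1 so the full password or hash never leaves the host.

```python
import hashlib
from typing import Callable, Optional, Set

MIN_LENGTH = 15  # baseline from the Rules of Behavior

# Constructed deny-list standing in for an organization's common-password
# list (stored lowercase; checked case-insensitively).
COMMON_PASSWORDS: Set[str] = {
    "password", "123456", "qwerty", "welcome1", "letmein",
    "passwordpassword", "qwertyuiopasdfgh", "1234567890123456",
}


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form breached-password range services use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed sample of "breached" passwords. In production the range
# lookup would be a call to the organization's approved breach service;
# here it is a local dict so the example runs offline.
_SAMPLE_BREACHED = ["correct horse battery staple", "Summer2023!Summer"]
_FAKE_RANGE_DB: dict = {}
for _pw in _SAMPLE_BREACHED:
    _h = sha1_upper(_pw)
    _FAKE_RANGE_DB.setdefault(_h[:5], set()).add(_h[5:])


def local_range_lookup(prefix: str) -> Set[str]:
    """Hypothetical range query: given a 5-hex-char SHA-1 prefix, return the
    set of 35-char suffixes known to be breached under that prefix."""
    return _FAKE_RANGE_DB.get(prefix, set())


def is_compromised(password: str,
                   range_lookup: Callable[[str], Set[str]] = local_range_lookup) -> bool:
    """k-anonymity check: only the hash prefix is sent; the suffix match is
    done locally, so the lookup service cannot learn the candidate password."""
    digest = sha1_upper(password)
    return digest[5:] in range_lookup(digest[:5])


def check_password(password: str,
                   range_lookup: Callable[[str], Set[str]] = local_range_lookup) -> Optional[str]:
    """Return None if the password meets the baseline, otherwise the reason
    it was rejected. The reason is safe to show the user; the candidate
    password itself must never be logged."""
    if len(password) < MIN_LENGTH:
        return f"shorter than {MIN_LENGTH} characters"
    if password.lower() in COMMON_PASSWORDS:
        return "common password"
    if is_compromised(password, range_lookup):
        return "appears in breach data"
    return None


if __name__ == "__main__":
    for candidate in ["short", "PasswordPassword",
                      "correct horse battery staple",
                      "a phrase nobody has used before 9Qx"]:
        print(repr(candidate), "->", check_password(candidate) or "accepted")
```

The ordering matters operationally: length and deny-list checks are local and cheap, so the breach lookup (which may involve a network call in a real deployment) only runs for candidates that have already passed the first two rules. Rule 5 of the section (change a password promptly on suspected compromise) is the runtime counterpart of this set-time check and is not covered by the code.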

1.4. Internet and Email

When accessing and using the internet and email, I understand that I must:

  1. Not access HHS/OpDiv Webmail from the public internet.
  2. Handle personal devices in the following manner:
    1. Not connecting personal devices to HHS/OpDiv systems without proper official authorization
    2. Not conducting official HHS/OpDiv business using non-HHS/OpDiv email or personal online storage/service accounts without written authorization from HHS/OpDiv or OpDiv CISO or designee
    3. Not using personal devices, non-HHS/OpDiv email, and unauthorized third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, process HHS/OpDiv information, and conduct HHS/OpDiv business without proper official authorization such as written approval from the HHS/OpDiv or OpDiv CISO or their designee.
  3. Not auto-forward HHS/OpDiv email to any internal or external email source, or forward email/files that contain HHS/OpDiv information to unauthorized systems and devices that are used for non-HHS/OpDiv business purposes.
  4. Not use an HHS/OpDiv email address and other information resources to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or Website, and signing up for personal memberships that are not work related.
  5. Not provide official HHS/OpDiv information in response to an unsolicited email where prohibited. If an email is received from any source requesting personal or organizational information or asking to verify accounts or security settings, I will report the incident to the Helpdesk and/or the CSIRC/CSIRT immediately.
  6. Only disseminate authorized HHS/OpDiv information related to my official job and duties at HHS/OpDiv to internal and external sources.
  7. Not upload or disseminate information which is at odds with departmental missions or positions or without proper authorization, which could create the perception that the communication was made in my official capacity as a federal government employee or contractor.
  8. Not connect GFE or contractor-owned equipment to unsecured or public Wi-Fi networks (e.g., airports, hotels, restaurants, etc.) to conduct HHS/OpDiv business unless the Wi-Fi access is, at a minimum, protected with an unshared, unique per-user password.

1.5. Data Protection

When handling and accessing HHS/OpDiv information, I understand that I must:

  1. Take all necessary precautions to protect HHS/OpDiv information and IT assets, including but not limited to hardware, software, sensitive information (such as PII, PHI, and federal records [media neutral]), and other HHS/OpDiv information, from unauthorized access, use, modification, destruction, theft, disclosure, loss, damage, or abuse, in accordance with HHS/OpDiv policies.14
  2. Protect sensitive information (e.g., confidential business information, PII, PHI, financial records, proprietary data, etc.) at rest (stored on laptops or other computing devices), regardless of media or format, from disclosure to unauthorized persons or groups. This includes, but is not limited to:
    1. Never store sensitive information in public folders, unauthorized devices/services or other unsecure physical or electronic locations
    2. Always encrypt sensitive information at rest and in transit (transmitted via email, attachment, media, etc.)
    3. Always disseminate passwords and encryption keys out of band (e.g., via text message, in person, or phone call) or store password and encryption keys separately from encrypted files, devices and data when sending encrypted emails or transporting encrypted media
    4. Access or use sensitive information only when necessary to perform job functions, and do not access or use sensitive information for anything other than authorized purposes
    5. Securely dispose of electronic media and papers that contain sensitive data when no longer needed, in accordance with the HHS/OpDiv Policy for Records Management and federal guidelines.
  3. Immediately report all suspected and known security incidents (e.g., GFE loss or compromise, violation of security policies, etc.), privacy breaches (e.g., loss, compromise, or unauthorized access, or use of PII/PHI), and suspicious activities to the Helpdesk and/or CSIRC/CSIRT at CSIRC@HHS.gov or call 1-866-646-7514 pursuant to HHS/OpDiv incident response policies and/or procedures.15
  4. Not take permanently issued GFE devices with me during official foreign travel. Only carry loaner GFE (including mobile computing, phone, and storage devices) during official foreign travel. If there is a need to take GFE on personal foreign travel, submit a request and obtain approval from a designated government official within the OpDiv. Upon approval, obtain a loaner GFE and adhere to the HHS policy in the memorandum Use of Government Furnished Equipment (GFE) During Foreign Travel. Additional requirements include:
    1. Reviewing Office of Security and Strategic Information (OSSI) requirements and the requirements within the Memorandum on the Use of GFE During Foreign Travel prior to traveling abroad with GFE or to conduct HHS/OpDiv business
    2. Notifying my Personnel Security Representative (PSR) when there is a need to bring GFE on foreign travel (per requirements defined by the OSSI in accordance with the Memorandum on the Use of GFE During Foreign Travel).

1.6. Privacy

I understand that if I am working with PII, I must:

  1. Protect PII16 from inappropriate disclosure, loss, or compromise.
  2. Only collect, use, maintain, and disclose PII that is directly relevant and necessary to accomplish a legally authorized purpose.
  3. Disclose PII only to those who need to know the information to execute their work and are authorized to receive it.
  4. Comply with applicable legal and regulatory privacy safeguards. For example:
    1. Report suspected or confirmed breaches of PII in accordance with the HHS/OpDiv Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII)
    2. Submit a privacy impact assessment (PIA) for systems or electronic information collections collecting PII.
  5. Be transparent about information policies and practices with respect to PII, provide clear and accessible notice regarding collection, use, maintenance, and disclosure of PII, and seek consent for the collection, use, and disclosure of PII as appropriate.
  6. Enable individuals to access, correct, or amend their PII as appropriate, and ensure PII is accurate, relevant, timely and complete to guarantee fairness to individuals.
  7. Not access PII unless specifically authorized and required as part of assigned duties.
  8. Collect, use, and disclose PII only for the purposes for which it was collected and consistent with conditions set forth in stated privacy notices, such as those provided to individuals at the point of data collection or published on the HHS SORN website (to include System of Records Notices [SORNs]).
  9. Maintain no record describing how an individual exercises his or her First Amendment rights, unless it is expressly authorized by statute or by the individual about whom the record is maintained, or is pertinent to and within the scope of an authorized law enforcement activity.
  10. Consult with my OpDiv privacy program or Senior Official for Privacy (SOP)17 before initiating or making significant changes18 to a system or collection of PII.

1.7. Telework and GFE

When teleworking, I understand that I must:

  1. Telework only when approved by management and conduct myself with the same professionalism remotely as required in the workplace.
  2. Safeguard any GFE provided for telework.
  3. Safeguard HHS/OpDiv information and equipment, including GFE. Protecting HHS/OpDiv information, including PII, CUI, and any sensitive information, is just as important at a telework location as it is in an HHS/OpDiv building.
  4. Only connect additional devices to GFE as necessary to conduct official government business, with OpDiv approval, and only if the devices are not on the prohibited vendor list.19
    1. Only connect GFE to printers after opening a ticket with the Helpdesk.
    2. Contact the OpDiv Help Desk to have drivers installed on GFE prior to connecting a printer.
    3. Connect printers to GFE via USB or another physical port. Wireless connections between GFE and printers may require OpDiv approval.
  5. Not install any software on GFE, whether it is free or freely downloadable, unless authorized or approved.
  6. Set up my home Wi-Fi network, when using it to provide connectivity for telework, in accordance with guidance from HHS/OpDiv;20
  7. Not connect hardware to GFE via Bluetooth unless necessary for official use; keep Bluetooth turned off and only turn it on when needed.
  8. Protect all sensitive information, including CUI and PII.

1.8. Strictly Prohibited Activities

When using federal government systems and equipment, I must refrain from the following activities, which are strictly prohibited:

  1. Accessing any social media websites (such as YouTube, Twitter, Facebook, etc.) while utilizing GFE, unless required for official HHS/OpDiv business.
  2. Accessing, downloading, or clicking on unknown links, particularly on social media sites (e.g., “Malware Alert” notices).
  3. Clicking on links or opening attachments sent via email or text message from untrusted sources. I must verify information with trusted sources before opening attachments, and report suspected phishing attempts using the Report Phishing button or by forwarding suspicious emails as an attachment to Spam@hhs.gov.
  4. Engaging in activities that could cause congestion, delay, or disruption of service to any HHS/OpDiv information resource (e.g., sending chain letters via email, playing streaming videos, games, music, etc.).
  5. Accessing, downloading and/or uploading unethical, illegal, or criminal content from/to the internet (e.g., pornographic, and sexually explicit materials, illegal weapons, criminal and terrorism activities, and other illegal actions or activities).
  6. Sending, retrieving, viewing, displaying, or printing sexually explicit, suggestive, or pornographic text or images, or other offensive material (e.g., vulgar material, racially offensive material, etc.).
  7. Using non-public HHS/OpDiv data for private gain or to misrepresent myself or HHS/OpDiv or for any other unauthorized purpose.
  8. Sending messages supporting or opposing partisan political activity as restricted under the Hatch Act and other federal laws and regulations.
  9. Engaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity.
  10. Using HHS/OpDiv information resources for activities that are inappropriate or offensive to fellow personnel or the public (e.g., hate speech or material that ridicules others on the basis of race, creed, religion, color, age, gender, disability, national origin, or sexual orientation).
  11. Creating a website, TPWA, or social media site on behalf of HHS/OpDiv or uploading content to a website, TPWA, or social media site without proper official authorization.21
  12. Sending or forwarding chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages except when forwarding to report this activity to authorized recipients.
  13. Using peer-to-peer (P2P) software except for secure tools approved in writing by the OpDiv CIO (or designee) to meet business or operational needs. 
  14. Creating and/or operating unapproved/unauthorized Web sites or services.
  15. Using, storing, or distributing, unauthorized copyrighted or other intellectual property.
  16. Using HHS/OpDiv information, systems, and devices to send or post threatening, harassing, intimidating, or abusive material about anyone in public or private messages or any forums.
  17. Exceeding authorized access to sensitive information.
  18. Using HHS/OpDiv GFE for commercial or for-profit activity, shopping, instant messaging (for unauthorized and non-work-related purposes), managing outside employment or business activity, or running personal business, playing games, gambling, watching movies, accessing unauthorized sites, or hacking.
  19. Using an official HHS/OpDiv e-mail address to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or website, and signing up for personal memberships. Professional groups or memberships related to job duties at HHS/OpDiv are permissible.
  20. Removing data or equipment from the agency premises without proper authorization.
  21. Sharing, storing, or disclosing sensitive information with third-party organizations and/or using third-party applications (e.g., Dropbox, Evernote, iCloud, etc.) unless, in very limited circumstances, authorized by the HHS/OpDiv or OpDiv CISO or designee.
  22. Storing sensitive data in external platforms, such as personal Google Docs.
  23. Transporting, transmitting, e-mailing, texting, remotely accessing, or downloading sensitive information unless such action is explicitly permitted in writing by the manager or owner of such information and appropriate safeguards are in place per HHS/OpDiv policies concerning sensitive information.
  24. Knowingly or willingly concealing, removing, mutilating, obliterating, falsifying, or destroying HHS/OpDiv information.
  25. Accessing or visiting any unknown website(s) that may be infected with malware, responding to phishing emails, or storing credentials in an unsecured location. Doing so may create an incident and require additional security awareness training.
  26. Using any file sharing program without agency’s permission.

Signature

I have read the above Rules of Behavior for General Users and understand and agree to comply with the provisions stated herein. I understand that violations of these RoB or HHS/OpDiv information security policies and standards may result in disciplinary action, and that these actions may include reprimand; suspension of access privileges; revocation of access to federal information, IT resources, information systems, and/or facilities; deactivation of accounts; suspension without pay; monetary fines; termination of employment; removal or debarment from work on federal contracts or projects; and criminal charges that may result in imprisonment.

I understand that exceptions to these RoB must be authorized in advance in writing by the designated authorizing officials. I also understand that violation of federal laws, such as the Privacy Act of 1974, copyright law, and 18 USC 2071, which the HHS/OpDiv RoB draw upon, can result in monetary fines and/or criminal charges that may result in imprisonment.

User’s Name:

(Print)

User’s Signature:

Date Signed:

2. Rules of Behavior for Privileged Users

The following HHS/OpDiv Rules of Behavior (RoB) for Privileged Users is an addendum to the Rules of Behavior for General Users and provides mandatory rules on the appropriate use and handling of HHS/OpDiv information technology (IT) resources for all HHS privileged users, including federal employees, interns, contractors, and other staff who possess privileged access to HHS/OpDiv information systems.22 Privileged users have network accounts with elevated privileges that grant them greater access to IT resources than non-privileged users. These privileges are typically allocated to system, network, security, and database administrators, as well as other IT administrators.23 The compromise of a privileged user account may expose HHS/OpDiv to a high level of risk; therefore, privileged user accounts require additional safeguards.

A privileged user is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. System accounts and level of privilege vary dependent upon the role being fulfilled. A privileged user has the potential to compromise the three security objectives of confidentiality, integrity, and availability. Such users include, for example, security personnel or system administrators who are responsible for managing restricted physical locations or shared IT resources and have been granted permissions to create new user accounts, modify user privileges, as well as make system changes. Examples of privileged users include (but are not limited to):

  1. Application developer
  2. Database administrator
  3. Domain administrator
  4. Data center operations personnel
  5. IT tester/auditor
  6. Helpdesk support and computer/system maintenance personnel
  7. Network engineer
  8. System administrator
  9. Security Stewards

Privileged users must read, acknowledge, and adhere to the RoB for Privileged Users and any other HHS/OpDiv policy or guidance for privileged users prior to obtaining access to and using HHS/OpDiv information, IT resources, and information systems and/or networks in a privileged role. The same signature acknowledgement process followed for the Appendix D General User RoB applies to privileged user accounts. Each OpDiv must maintain a list of privileged users, the privileged accounts those users have access to, the permissions granted to each privileged account, and the authentication technology or combination of technologies required to use each privileged account.24

Following is the RoB for a privileged user.

I understand that as a privileged user, I must:

  1. Use privileged user accounts appropriately for their intended purpose and only when required for official duties.
  2. Comply with all privileged user responsibilities in accordance with the HHS Policy for Information Security and Privacy Protection (IS2P) and any other applicable HHS and OpDiv policies.
  3. Notify system owners immediately when privileged access is no longer required.
  4. Properly protect all information, including media, hard copy reports and documentation as well as system information in a manner commensurate with the sensitivity of the information and securely dispose of information and GFE that are no longer needed in accordance with HHS/OpDiv sanitization policies.
  5. Report all suspected or confirmed information security incidents and privacy breaches to the OpDiv Helpdesk, HHS/OpDiv CSIRC, or OpDiv CSIRT as soon as possible, without unreasonable delay and no later than one (1) hour after occurrence/discovery.
  6. Complete any specialized role-based security or privacy training as required before receiving privileged system access.

I understand that as a privileged user, I must not:

  1. Share privileged user account(s), password(s)/passcode(s)/PIV PINs, and other login credentials, including to other system administrators.
  2. Conduct official HHS/OpDiv business using personal email or personal online storage account.
  3. Use privileged user access to log into any system for non-elevated duties.
  4. Install, modify, or remove any system hardware or software unless it is part of my job duties and the appropriate approvals have been obtained or with official written approval.
  5. Access the internet for any reason while using my privileged account. This includes downloading of files (including patches or updates), etc.
  6. Remove or destroy system audit logs or any other security, event log information unless authorized by appropriate official(s) in writing.
  7. Tamper with audit logs of any kind. Note: In some cases, tampering can be considered evidence and can be a criminal offense punishable by fines and possible imprisonment.
  8. Acquire, possess, trade, or use hardware or software tools that could be employed to evaluate, compromise, or bypass information systems security controls for unauthorized purposes.
  9. Introduce unauthorized code, Trojan horse programs, malicious code, viruses, or other malicious software into HHS/OpDiv information systems or networks.
  10. Knowingly write, code, compile, store, transmit, or transfer malicious software code, to include viruses, logic bombs, worms, and macro viruses.
  11. Use privileged user account(s) for day-to-day communications and other non-privileged transactions and activities.
  12. Elevate the privileges of any user without prior approval from the system owner.
  13. Use privileged access to circumvent HHS/OpDiv policies or security controls.
  14. Access information outside of the scope of my specific job responsibilities or expose non-public information to unauthorized individuals.
  15. Use a privileged user account for web access except in support of administrative related activities.
  16. Visit any unknown website(s) that may be infected with malware, or respond to phishing emails. If I do, I will report it to the OpDiv Helpdesk, HHS/OpDiv CSIRC, or OpDiv CSIRT as soon as possible, without unreasonable delay and no later than one (1) hour after occurrence/discovery.
  17. Use any file sharing program without HHS/OpDiv’s permission.
  18. Modify security settings on system hardware or software without the approval of a system administrator and/or a system owner.
  19. Use systems (either government-issued or non-government) to access sensitive HHS/OpDiv information without the following protections in place:
    • Antivirus software with the latest updates
    • Anti-spyware and personal firewalls
    • A time-out function that requires re-authentication after no more than 30 minutes of inactivity on remote access
    • Approved encryption to protect sensitive information stored on recordable media, including laptops, USB drives, and external disks; or transmitted or downloaded via e-mail or remote connections.

Signature

I have read the above Rules of Behavior (RoB) for Privileged Users and understand and agree to comply with the provisions stated herein. I understand that violations of these RoB or HHS/OpDiv information security policies and standards may result in disciplinary action, and that these actions may include reprimand; suspension of access privileges; revocation of access to federal information, information systems, and/or facilities; deactivation of accounts; suspension without pay; monetary fines; termination of employment; removal or debarment from work on federal contracts or projects; and criminal charges that may result in imprisonment. I understand that exceptions to these RoB must be authorized in advance in writing by the designated authorizing official(s).

User’s Name:

(Print)

User’s Signature:

Date Signed:

Appendix E: References

Statutes

NIST Guidance

OMB Circulars and Memoranda

HHS Policies and Memoranda

All HHS Policies may be found at https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides. These policies may be updated, and the current version should be used.

  • HHS Policy and Plan for Preparing for and Responding to a Breach of PII, May 2020.
  • HHS Policy Exception/Risk Based Exception Form, July 2019.
  • HHS Standard for Encryption of Computing Devices and Information, December 2016.
  • HHS Policy for Information Security and Privacy Protection (IS2P), November 2021.
  • Policy for Monitoring Employee Use of HHS IT Resources, June 2013
  • Updated Department Standard Warning Banner, November 2016.
  • Usage of Unauthorized External Information Systems to Conduct Department Business, January 8, 2014.
  • Use of GFE during Foreign Travel, February 2021

Glossary and Acronyms

Audit Log - A chronological record of information system activities, including records of system accesses and operations performed in each period. (Source: NIST SP 800-171)

Authentication - A process that provides assurance of the source and integrity of information that is communicated or stored, or that provides assurance of an entity’s identity. (Source: NIST SP 800-175A)

Backup (system backup) - The process of copying information or processing status to a redundant system, service, device, or medium that can provide the needed processing capability when needed. (Source: NIST SP 800-152)

Breach - The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses PII or (2) an authorized user accesses or potentially accesses PII for an other than authorized purpose. (Source: OMB M-17-12)

Cloud Service - An external service that enables convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. (Source: NIST SP 800-144)

Compromise - The unauthorized disclosure, modification, substitution or use of sensitive data (e.g., keying material and other security-related information). (Source: NIST SP 800-175B)

Confidentiality - The property that sensitive information is not disclosed to unauthorized entities. (Source: NIST SP 800-175A)

Controlled Unclassified Information (CUI) - Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. (Source: Executive Order 13556) Note: See sensitive information definition below.

CUI Privacy – A category of CUI. Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7). (Source: NARA, CUI Registry)

CUI Privacy-Health Information – A subcategory of CUI Privacy. As per 42 USC 1320d(4), "health information" means any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. (Source: NARA, CUI Registry)

Direct Application Access - A high-level remote access architecture that allows teleworkers to access an individual application directly, without using remote access software. (Source: NIST 800-46 Revision 2)

External Email Source – Defined as an email that is not an official HHS.gov email account. (Source: HHS-defined)

External Information System (or component) – An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. (Source: NIST SP 800-53; CNSSI 4009)

Federal Information - Information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form. (Source: OMB Circular A-130; OMB Memorandum M-17-12)

Federal Information System - An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (Source: NIST SP 800-53 Revision 5)

Full Disk Encryption (FDE) - The process of encrypting all the data on the hard drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product. (Source: NIST SP 800-111)

General Users - A user who has only general access to HHS information resources (not greater access to perform security relevant functions). (Source: HHS-defined)

HHS Information Technology (IT) Assets - Defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of HHS. (Source: HHS-defined)

HHS Information Assets – Defined as any information created, developed, or used for or on behalf of HHS. This includes information in electronic, paper, or any other medium or format. (Source: HHS-defined)

Hoteling Space – Defined as temporary or shared space for working and workstation usage. (Source: HHS-defined)

Incident - An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. (Source: OMB Memorandum M-17-12)

Information Resources - Information and related resources, such as personnel, equipment, funds, and information technology. (Source: 44 U.S.C. Sec. 3502; CNSSI No. 4009)

Information System (IS) - A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Note: Information systems also include specialized systems such as industrial/process control systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. (Source: 44 U.S.C. Sec. 3502; OMB Circular A-130)

Information Technology (IT) - Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment are included if used by the agency directly or used by a contractor under a contract with the agency that (i) requires its use; or (ii) to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use. (Source: OMB Circular A-130)

Integrity - The property that protected data has not been modified or deleted in an unauthorized and undetected manner. (Source: NIST SP 800-175A)

Logic Bomb - A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. (Source: NIST SP 800-12rev1)

Macro Virus - A specific type of computer virus that is encoded as a macro embedded in some document and activated when the document is handled. (Source: NIST SP 800-28ver1)

Media - Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. (Source: NIST SP 800-53 Revision 5) Note: Also see Removable Media.

Mobile Device - A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers. (Source: NIST SP 800-79-2)

Mobile Device Management - Mobile enterprise security technology used to address security requirements. (Source: NIST SP 800-163)

Mobile Hotspot - A mobile hotspot is an offering by various telecom providers to provide localized Wi-Fi. With a hotspot, an adapter or device allows computer users to connect to the internet from approved and/or unapproved locations. Mobile hotspots are advertised as an alternative to the traditional practice of logging onto a local area network or other wireless networks from a personal computer (PC). Although mobile hotspots could be used for other kinds of devices, they are most commonly associated with laptop computers because laptop computers are a type of "hybrid" device that may roam but doesn’t usually come with built-in mobile Wi-Fi. (Source: https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering)

Mobile Tethering - Mobile tethering is slightly different from a mobile hotspot, and mobile tethering must be approved by OpDivs. A tethering strategy involves connecting one device without Wi-Fi to another device that has Wi-Fi connectivity. For example, a user could tether a laptop to a smartphone through cabling or through a wireless connection. This would allow for using the computer on a connected basis. When tethering involves a wireless setup, it closely resembles a mobile hotspot. In fact, though, there are some fairly significant differences between tethering and hotspots in both design and implementation. While a mobile hotspot frequently serves multiple devices in a setup that looks like a local area network, tethering is a practice that has the connotation of being between only two devices. (Source: https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering)

Personal Identity Verification (PIV) Card - The physical artifact (e.g., identity card, “smart” card) issued to an applicant by an issuer that contains stored identity markers or credentials (e.g., a photograph, cryptographic keys, digitized fingerprint representations) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable). (Source: NIST SP 800-79 Revision 2)

Personally Identifiable Information (PII) - Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (Source: OMB M-17-12; OMB Circular A-130)

Personally Owned Device - A non-organization-controlled client device owned by an individual. These client devices are controlled by the owner, who is fully responsible for securing them and maintaining their security. (Source: Adapted from NIST SP 800-46 Revision 2) Note: Also referred to as a Bring Your Own Device (BYOD).

Privacy Impact Assessment - An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns.  A PIA is both an analysis and a formal document detailing the process and the outcome of the analysis. (Source: OMB Circular A-130)

Privileged User - A user who is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. Privileged users have network accounts with privileges that grant them greater access to IT resources than general (i.e., non-privileged) users have. These privileges are typically allocated to system, network, security, and database administrators, as well as other IT administrators. (Source: NIST SP 800-53 Revision 5)

Protected Health Information (PHI) - Individually identifiable health information (IIHI) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (Source: NIST SP 800-122)

Remote Access - The ability for an organization’s users to access its non-public computing resources from external locations other than the organization’s facilities. (Source: CNSSI 4009) Note: Per NIST SP 800-53 Revision 5, this also applies to a process acting on behalf of a user.

Remote Access Method - Mechanisms that enable users to perform remote access. There are four types of remote access methods: tunneling, portals, remote desktop access, and direct application access. (Source: NIST SP 800-46 Revision 2)

Remote Desktop Access - A high-level remote access architecture that gives a teleworker the ability to remotely control a particular desktop computer at the organization, most often the user’s own computer at the organization’s office, from a telework client device. (Source: NIST SP 800-46 Revision 2)

Removable Media - Portable data storage medium that can be added to or removed from a computing device or network. Note: Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable hard drives; external/removable Solid-State Disk (SSD) drives; magnetic/optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external/removable disks (floppy, Zip, Jaz, Bernoulli, UMD). (Source: CNSSI 4009)

Sanitize - A process to render access to target data on the media infeasible for a given level of effort. Clear, purge, and destroy are actions that can be taken to sanitize media. (Source: NIST SP 800-88 Revision 1)

Sanitization - A process to render access to target data on the media infeasible for a given level of effort. Clear, purge, and destroy are actions that can be taken to sanitize media. (Source: NIST SP 800-53 Revision 5)

Sensitive Information - Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Source: NIST SP 800-150 under Sensitive Information from NISTIR 7298 Rev. 2) (See Section 2 Purpose on page 4 for how "sensitive information" is applied within this policy)

System of Records - A group of any records under the control of any agency from which information about an individual is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Source: NIST SP 800-122 and The Privacy Act of 1974, as amended, 5 U.S.C. § 552a(a)(5))

System-Specific User - The user of a system that is subject to system-specific ROBs. (Source: HHS-defined)

Telework - The ability for an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. (Source: NIST SP 800-46 Revision 2)

Telework Client Device - A PC or mobile device. (Source: NIST SP 800-46 Revision 2)

Third Party-Controlled Device - A client device controlled by a contractor, business partner, or vendor.  These client devices are controlled by the remote worker’s employer who is ultimately responsible for securing the client devices and maintaining their security. (Source: NIST SP 800-46 Revision 2)

Unknown Device - A client device that is owned and controlled by other parties, such as a kiosk computer at hotels, and a PC or mobile device owned by friends and family. The device is labeled as “unknown” because there are no assurances regarding its security posture. (Source: NIST SP 800-46 Revision 2)

Virtual Disk Encryption - The process of encrypting a container, which can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided. (Source: NIST SP 800-111)

Virtual Private Network (VPN) - A virtual network, built on top of existing physical networks that provides a secure communications tunnel for data and other information transmitted between networks. (Source: NIST SP 800-46 Revision 2)

Virus - A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. See malicious code. (Source: NIST SP 800-12rev1)

Worm - A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. See Malicious Code. (Source: NIST SP 800-12rev1)

Acronyms:

CIO - Chief Information Officer

CISO - Chief Information Security Officer

CSIRC - Computer Security Incident Response Center

CSIRT - Computer Security Incident Response Team

CUI - Controlled Unclassified Information

EO - Executive Order

FISMA - Federal Information Security Modernization Act of 2014

HHS - Department of Health and Human Services

IS2P - Information Systems Security and Privacy Policy

ISCM - Information Security Continuous Monitoring

M - Memorandum

NARA - National Archives and Records Administration

NIST - National Institute of Standards and Technology

OCIO - Office of the Chief Information Officer

OIS - Office of Information Security

OMB - Office of Management and Budget

OpDiv - Operating Division

PHI - Protected Health Information

PII - Personally Identifiable Information

RoB - Rules of Behavior

SP - Special Publication

USB - Universal Serial Bus

Endnotes

[1] PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. OMB Circular No. A-130, Managing Information as a Strategic Resource, p. 21. Available at: Review-Doc-2016--466-1.docx (whitehouse.gov).

[2] CUI is defined in Executive Order (EO) 13556, Controlled Unclassified Information (CUI). HHS currently does not have a CUI policy. There are numerous categories and subcategories of CUI listed in the National Archives and Records Administration (NARA) CUI Registry. Examples of CUI categories include Privacy, Procurement and Acquisition, Proprietary Business Information, and Information Systems Vulnerability Information.

[3] See Policy for Data Loss Prevention available at: https://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies.

[4] All third-party web applications, social media sites, storage and cloud services must be authorized prior to use. Only authorized personnel can post only authorized content on public-facing websites and social media sites.

[5] See definition of sensitive information in the Glossary section.

[6] See Public Law 115–232, Section 889 Parts A and B (included in FAR 4.21) available at https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf. Prohibition includes telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, as well as video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities). For additional information and to verify any countries that are being sanctioned by the US, consult: https://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx. Also, consult the HHS Memorandum, Implementation of the Section 889(a)(1)(B) Prohibition on Contracting with Entities Using Certain Telecommunications and Video Surveillance Services or Equipment, July 29, 2020, available at https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf.

[7] See CISA Capacity Enhancement Guide: Printing While Working Remotely, available at https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf.

[8] For additional information, see https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup as well as https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks.

[9] Bluetooth is defined as “A wireless protocol that allows two similarly equipped devices to communicate with each other within a short distance (e.g., 30 ft.).” This includes headphones. For additional information, see https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf and NIST SP 800-121 Rev. 2, available at Search | CSRC (nist.gov).

[10] See the HHS memorandum Use of Government Furnished Equipment (GFE) During Foreign Travel.

[11] CSIRC and IRT points of contact are available at: https://intranet.hhs.gov/about-hhs/org-chart/asa-offices/office-of-the-chief-information-officer-ocio/csirc. Provide all necessary information that will help with the incident investigation.

[12] See the HHS memoranda Policy for Monitoring Employee Use of HHS IT Resources and Updated Department Standard Warning Banner, available at Memoranda | Community for HHS Intranet.

[13] See NIST SP 800-209 Security Guidelines for Storage Infrastructure, available at https://csrc.nist.gov/publications/detail/sp/800-209/final.

[14] HHS/OpDiv IT assets are defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of HHS. This definition is adapted from NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments, available at https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final.

[15] Please review the OMB M-17-12 for the specific distinctions between incident response and breach response.

[16] Personally identifiable information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Office of Management and Budget (OMB). (2016, July 27). Circular No. A-130, Managing Information as a Strategic Resource, p. 21. Available at: Review-Doc-2016--466-1.docx (whitehouse.gov).

[17] To contact your OpDiv SOP, visit https://www.hhs.gov/web/policies-and-standards/hhs-web-policies/privacy/index.html#HHS-Privacy-Officials.

[18] Examples of significant changes include, but are not limited to, changes to the way PII is managed in the system, new uses or sharing, and the merging of data sets.

[19] See CISA Capacity Enhancement Guide: Printing While Working Remotely, available at https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf.

[20] For additional information, see https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup as well as https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks.

[21] All third-party web applications, social media sites, storage and cloud services must be authorized prior to use. Only authorized personnel can post only authorized content on public-facing websites and social media sites.

[22] Per NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, privileged roles include, for example, key management, network and system administration, database administration, and Web administration.

[23] OMB M-16-04, October 30, 2015, available at Review-Doc-2015-ITOR-315-1.docx (whitehouse.gov).

[24] Per NIST White Paper, Best Practices for Privileged User PIV Authentication, April 21, 2016, available at https://csrc.nist.gov/publications/detail/white-paper/2016/04/21/best-practices-for-privileged-user-piv-authentication/final.