U.S. Department of Health and Human Services
Indian Health Service: The Federal Health Program for American Indians and Alaska Natives

California Area Office

Interconnection Security Agreement (ISA)


Are we required to have an Information Systems Security Officer?

Yes, someone in your organization must have this title. It is not required that this be a separate position. For instance, someone in the IT department might be designated for this role, in addition to other duties. We require that you schedule security training for that individual, and document a daily security task list (review event logs, patch servers, etc.).

Why the ISA at this time?

The Interconnection Security Agreement is federally mandated for any system, contractor, or agency that touches the federal network. This is a component of the Security Certification and Accreditation process, which is also federally mandated.

What is the background check? We have done a drug and background check for all tribal employees. Is this all we need to do?

IT personnel should have a Public Trust, Level 5 background check. Below are guidelines for determining the sensitivity levels for various personnel:

Position Sensitivity Designations/Access Codes

Non-Sensitive Positions
  Level 1: Non-Sensitive

National Security Positions
  Level 2: Non-critical Sensitive
  Level 2: Critical Sensitive
  Level 2: Special Sensitive

Public Trust Positions
  Level 5: Moderate Risk
  Level 6: High Risk

The level of sensitivity of a position should be determined using the position description and the types of data and systems accessed by the employee in the performance of his/her duties. Ultimately, the determination of position sensitivity from an IT perspective is based on the type and degree of harm the individual could cause through misuse of the system. This potential for harm increases as the level of access to sensitive, financial, and/or classified information increases.

What are the "IHS training and awareness requirements?"

Security Awareness Training can be taken at this site:


It is required annually, and must be taken within 60 days of employment.

Training ISSOs.
The training for ISSOs should include in-depth coverage of the threats and vulnerabilities related to their systems, techniques for detecting and reacting to incidents, and techniques for implementing Part 8, Chapter 12, "IT Security," Indian Health Service Manual in their environment. The IHS Manual can be found here:

Who are the "IHS SECURITY POC" and what are the contact paths?

Your IHS California Area Security Points of Contact (POCs) are:

Robert Gemmell, ISSO
Phone: (916) 930-3927 x326
Email: Robert.Gemmell@ihs.gov

Kelly Stephenson, Alternate ISSO
Phone: (916) 930-3927 x330
Email: kelly.stephenson@ihs.gov

Can we get a site specific explanation of the "interconnect" with IHS?

All sites are defined as having an "interconnect" because site users access highly sensitive data across a federal network. 

Are any data services offered by IHS such as off line backup or use auditing as required in the "Interconnection Security Agreement"?

Backup and auditing of the patient databases at the Sacramento location is conducted by IHS personnel. Backup and auditing at the sites is the responsibility of the site, but there are excellent Windows operating system tools and open source utilities available. 

Is there an explanation for all of the sections of the "Interconnection Security Agreement"?

The National Institute of Standards and Technology (NIST) Special Publication 800-47, Appendix A, discusses ISAs. The entire NIST 800 series can be found here:

http://csrc.nist.gov/publications/nistpubs/

What is the time frame to implement each of the requirements of the "ISA"?

As soon as possible. That having been said, the California Area Office will be doing annual testing in August, 2007 and risk assessment in September, 2007. That would probably be a good target to aim for.

Define the type of encryption, or cryptographic modules we should use and where we get them.

We're not able to discuss the specifics of IHS encryption in an FAQ, but all router to router packets are encrypted. Beyond that, we recommend that file system encryption be implemented at all sites. Excellent open source tools that are Federal Information Processing Standards (FIPS) compliant are available to accomplish this.

How do you suggest we audit/monitor our users? What software should we use and who pays for the software?

Systems Administrators at the sites should take advantage of the built-in auditing and monitoring capabilities of the Windows server environment. The principle of "least access" should be implemented so that users are only able to access resources that are required for their work assignments.

Network monitoring at the router level is performed by IHS personnel. Deployment of proprietary monitoring software for the site LAN (your side of the router) is up to the site manager. 

Where do we find the awareness training site? How is it used? Is this a web site? Is it a paper test?

Security Awareness Training can be taken at this site:

http://www.isa.ihs.gov/ (If the site is down, there is a paper test.) 

What do you suggest we do to comply with the 24/7 requirement?

It's recommended that a best effort be made to assure that 24/7 contact is possible in the event of a security event. Remote sites without cell tower coverage should make home phone numbers of responsible individuals known to the CAO IT staff.

An alternate to the System Administrator should be known to the CAO IT staff in the event that the System Administrator is not available. However, it is recommended that the System Administrator develop some method to access the system remotely. 

What is a "persistent connection"?

A persistent connection is defined as an uninterrupted stream of IP packets between the site router and the IHS network.

Do you have examples of the disaster recovery plan or the security plan so we have some idea what it should look like?

The NIST 800-34 document provides guidance for Contingency Plans. NIST 800-18 addresses Security Plans. These documents can be found here:

http://csrc.nist.gov/publications/nistpubs/

Where can we find Non-Disclosure Agreements?

Templates can be found readily on-line. 

Our site hosts our own RPMS database - do we still need to sign an Interconnection Security Agreement?

If your site is on the federal network (in the 161.223.x.x IP range), or you have federal accounts for email or VPN, or in any other way access restricted federal resources, yes.

Where can we get the definition of a "security incident"?

NIST 800-61 provides guidance on defining security incidents. It can be found here:

http://csrc.nist.gov/publications/nistpubs/


Indian Health Service (HQ) - The Reyes Building, 801 Thompson Avenue, Ste. 400 - Rockville, MD 20852