Part 8 - Information Resources Management
Chapter 15 -
- Purpose. The purpose of this chapter is to establish Indian Health Service (IHS) policy for planning, establishing, maintaining, and terminating interconnections between IHS information technology systems (IHS IT systems) and information technology systems (IT systems) that are owned or operated by other entities.
- Background. This chapter governs all interconnections between IHS IT systems and IT systems that are owned or operated by other entities. Other entities for which an interconnection agreement is required include, but may not be limited to, other Federal agencies, States, contractors, grantees, Tribes, and Tribal entities carrying out contracts or compacts under the Indian Self-Determination and Education Assistance Act, Public Law (P.L.) 93-638, as amended.
- Policy. It is IHS policy that a Memorandum of Understanding (MOU) and an Interconnection Security Agreement (ISA) must be in place with any entity before the entity accesses or interconnects with the IHS computer systems. The ISA must be consistent with guidance issued by the National Institute of Standards and Technology (NIST).
- Scope. All Tribal IT or Urban IT systems that will be connected to the IHS network, regardless of the nature of the connection, require both an MOU (see Manual Exhibit 8-15-A) and an ISA (see Manual Exhibit 8-15-B through 8-15-D) to be submitted and approved prior to activation of the connection. Other entities will continue to use the ISA located here.
- The MOU delineates the high-level responsibilities of each entity that owns the interconnected systems.
- The ISA provides security control information for the interconnection.
- Authorities. To protect its information resources, including ISAs, the IHS implements and administers an information security program in compliance with, but not limited to, the following applicable regulations:
- Federal Information Security Management Act (FISMA) of 2002, 44 U.S.C. 3541.
- Office of Management and Budget (OMB) Circular A-130, “Management of Federal Information Resources,” Appendix III, dated November 28, 2000.
- Grance, Tim, Joan Hash, Steven Peck, Jonathan Smith, and Karen Korow-Diks. “Security Guide for Interconnecting Information Technology Systems,” NIST Special Publication 800-47, NIST, U.S. Department of Commerce, August 2002.
- Accreditation. The formal authorization for system operation by the accrediting (management) official.
- Certification. The formal process for testing components or systems against a specified set of security requirements.
- Interconnection Security Agreement. An agreement establishing the technical requirements for the interconnection between the entities that own and operate the IT systems.
- Memorandum of Understanding. A management agreement that defines the responsibilities of both entities for establishing, operating, and securing the interconnection.
- System Interconnection. Two or more IT systems connected to share data and other information resources.
8-15.2 CERTIFICATION AND ACCREDITATION
The certification and accreditation (C&A) of an entity’s IT system, which may be necessary before it is connected to IHS information systems, is carried out according to Federal C&A guidelines. The Designated Accrediting Authority (DAA) (or other authorizing management official) certifies that the IT system may operate for a specific purpose using a defined set of safeguards at an acceptable level of risk. For FISMA reporting purposes, Tribal and Urban Indian sites do not operate on behalf of the Federal government and, therefore, are not required to perform C&As. However, an IHS-owned (or any government-owned) server at any Tribal or Urban sites is subject to FISMA requirements. Therefore, a security certification and accreditation must be conducted for the system (including network and servers) within the defined system scope.
- Designated Accrediting Authority. The DAA officially certifies (accredits) an organization’s IT system. The DAA approves or disapproves all ISAs under their authority, and issues appropriate accreditation prior to interconnection. The DAA for ISA accreditation may be delegated.
- Area Director. The Area Director authorized to disconnect any IT system must provide written notice to the entity who owns or operates the disconnected IT system within five days of an emergency disconnect.
- Chief Information Security Officer. The Chief Information Security Officer (CISO) is responsible for the following:
- coordinating with Area Information Systems Security Officers (ISSO) and other personnel to account for, track, review, and properly document all interconnections and information sharing instances.
- coordinating with appropriate Area and system ISSOs to develop, execute, and maintain an ISA for each system-to-system interconnection or shared information instance involving multiple Areas or systems operated by the Albuquerque IHS Office of Information Technology (OIT).
- Area Information Systems Security Officer. The Area ISSO is responsible for the following:
- developing, executing, and maintaining the ISA for each system-to-system interconnection or information sharing instance within the Area;
- coordinating with the IHS outside facility and system ISSO to ensure all interconnections and information sharing instances are accounted for, tracked, and documented;
- serving as the contact for Area ISA information security;
- coordinating with the IHS and appropriate facility and system ISSO for ISAs that affect multiple Areas; and
- coordinating with system or facility ISSO to conduct interconnection control reviews.
- System Information System Security Officer. The System ISSO is responsible for the following:
- developing, executing, and maintaining system-to-system ISA for interconnections and/or information sharing systems when multiple Areas or the Albuquerque systems OIT are involved;
- coordinating with other systems and appropriate Area or facility ISSO to review interconnection controls when multiple Areas or Albuquerque systems OIT are involved;
- coordinating with IHS and other system ISSO or appropriate personnel to ensure all interconnections and information sharing instances are accounted for, tracked, and documented; and
- serving as the Agency information security contact for ISA that affect multiple Areas.
- Planning the Interconnection. The System or Area ISSO examines all relevant technical, security, and administrative issues, documenting management, operation, and use of the interconnection in the IHS proposed ISA and MOU. If the other organization’s systems store, process, or transmit Federal information, the ISSO requires C&A, informs the Information System Owner (ISO) of any recommended modifications, and arranges for the C&A before implementing the ISA. The appropriate DAA or his/her authorized designee must authorize the ISA before it is operational.
- Establishing the Interconnection. Before an entity external to the IHS connects to any IHS System, an ISA must be in place and appropriate security controls must be implemented or configured. Entities with existing interconnections will have 12 months from the date this chapter is issued to implement the required ISA and MOU.
- Maintaining the Interconnection. The interconnection must be maintained to ensure that it operates properly and securely.
- The interconnection must be properly maintained, and security controls must remain effective, in agreement with the MOU.
- Equipment used to operate the interconnection must be maintained as agreed upon in the ISA, to ensure the integrity and availability of the connection.
- Security controls for the interconnection must be reviewed at least annually or whenever a significant change occurs, to ensure they are operating properly and are providing appropriate levels of protection.
- Audit logs must be reviewed by one or both entities on at least a semi-annual basis to detect and track unusual or suspicious activity across the interconnection that might indicate intrusions or internal abuse.
- Automated tools can be used to scan for anomalies.
- System administrators should periodically review logs to search for patterns unrecognized by automated tools.
- Contingency planning, training, testing, and exercises should be coordinated to minimize the impact of disruptions that could damage the connected systems or jeopardize the confidentiality and integrity of shared data.
- Planned Disconnection. The Area Director must approve of any IT system disconnection of a Tribe or Urban organization. Written notice, under the signature of the Area Director, shall be provided to the external party 30 calendar days prior to disconnecting. The notice should describe the reasons for the disconnection and the actions required to reconnect. A minimum of 30 calendar days shall be provided from date of acknowledgement before termination of the connection unless otherwise agreed upon by both parties. If there is no intention of re-establishing the interconnection, the ISA and MOU are considered to be terminated.
- Emergency Disconnection. If the IHS detects an attack, intrusion attempt, or other contingency that exploits or jeopardizes the connected systems or their data, the IHS CISO, their designated representative, or the ISSO acting as the information security point of contact for the interconnection may direct staff to terminate the interconnection without providing written notice to the other party.
The IHS will attempt to obtain a verbal acknowledgement from the Tribe or Urban organization of the emergency disconnection prior to disconnection unless obtaining the acknowledgement causes undue delay and results in unacceptable risk. A written notice describing the reasons for the emergency disconnection shall be provided within five business days whether or not a verbal acknowledgement was provided. The Area Director is responsible for providing the written notification.
- Restoration. The IHS may choose to restore the system interconnection after it has been terminated. Based on the cause and duration of the disconnection, the Area Director authorizes the restoration of all planned and emergency disconnects. If the interconnection has been terminated for more than 90 days, both parties shall perform a risk assessment and reexamine all relevant planning and implementation issues and develop and sign a new ISA and MOU. The DAA or designated delegate authorizes the restoration of all planned and emergency disconnects.
8-15.5 INSTRUCTIONS - TRIBAL/URBAN ISA AND MOU
- Interconnection Security Agreements. Created jointly by the IHS and Tribal or Urban organizations, Interconnection Security Agreements (ISA) outline the responsibilities and expectations associated with system interconnection. These agreements specify technical and security requirements and controls each party should implement to ensure secure systems and Federal compliance. Agreements should be completed as early in the system’s development as possible, making any changes that arise from the agreement easier to incorporate later. A person from one of the entities takes the lead for completing the ISA described below; however, that person does not determine which questions in Section 2 of the interconnection apply to the other system. The majority of Tribal interconnections fall into one of three types. For this reason, three different ISA templates have been developed. (See Manual Exhibits 8-15-B through 8-15-D.) The ISA templates are located here. The three ISA sections follow:
- Section 1 - Interconnection Statement of Requirements. Section 1 includes a summary description of the interconnection’s purpose and expected benefit.
- Section 2 - Systems Security Considerations. Section 2 includes security requirements and details. A technical representative from each organization that understands the system chooses security issues and ISA requirements. Both parties must agree on the items included in this section, although one system’s security requirements may not apply to the other system. For answers to questions about developing the ISA, refer to NIST Special Publication 800-47, “Security Guide for Interconnecting Information Technology Systems.”
- Section 3 - Topological Drawing (Network Diagram). Section 3 contains a network diagram illustrating the interconnection. (Example diagrams are also provided in each ISA template.)
- Memorandum of Understanding. The MOU outlines the business and legal requirements necessary to support the business relations between the two entities. The MOU should not include technical details about the interconnection, which is the function of the ISA.
- Background. Nearly all information technology systems exchange data with other systems as a core function in support of their missions. These interconnections, however, inevitably introduce new risks. The IHS has a duty to maintain the confidentiality, integrity, and availability of the information in its custody. There is a delicate balance between exchanging information vital to a system and protecting that information.
- Roles and Responsibilities. Following are the responsibilities of key participants involved in drafting and negotiating an ISA.
- Designated Accrediting Authority. A DAA approves or disapproves all ISAs. The DAA for ISA accreditation may be delegated.
- Chief Information Security Officer. The CISO coordinates with Area and System ISSOs on the development, execution, and maintenance of the ISA.
- Area Information Systems Security Officer. The Area ISSO develops, executes, and maintains each ISA for his/her Area and serves as Area contact for information security.
- System Information System Security Officer. The System ISSO develops, executes, and maintains ISA interconnections and/or information-sharing systems that involve multiple Areas or the OIT. The System ISSO serves as the Agency information security contact for ISAs that affect multiple Areas.
- Connection Requirement. An ISA and an MOU must be submitted to the DAA before the Tribal or Urban IT systems will be connected to the IHS network.
- Timeframe for Implementation.
- New connections. An ISA must be in place before all new system interconnections are activated.
- Existing connections. Tribal or Urban entities that have an existing system interconnection to IHS will have 1 year from the effective date of this chapter to comply with this procedure. After this date, the interconnection will be reviewed for possible disconnection.