1 line
No EOL
511 KiB
Text
1 line
No EOL
511 KiB
Text
<!DOCTYPE html><html lang="en"><head><meta charSet="utf-8"/><meta name="viewport" content="width=device-width, initial-scale=1"/><link rel="preload" as="image" href="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg" fetchPriority="high"/><link rel="stylesheet" href="/_next/static/css/ef46db3751d8e999.css" data-precedence="next"/><link rel="stylesheet" href="/_next/static/css/0759e90f4fecfde7.css" data-precedence="next"/><link rel="preload" as="script" fetchPriority="low" href="/_next/static/chunks/webpack-182b67d00f496f9d.js"/><script src="/_next/static/chunks/fd9d1056-ad09c71b7719f2fb.js" async=""></script><script src="/_next/static/chunks/23-260042deb5df7a88.js" async=""></script><script src="/_next/static/chunks/main-app-6de3c3100b91a0a9.js" async=""></script><script src="/_next/static/chunks/30-49b1c1429d73281d.js" async=""></script><script src="/_next/static/chunks/317-0f87feacc1712b2f.js" async=""></script><script src="/_next/static/chunks/223-bc9ed43510898bbb.js" async=""></script><script src="/_next/static/chunks/app/layout-9fc24027bc047aa2.js" async=""></script><script src="/_next/static/chunks/972-6e520d137ef194fb.js" async=""></script><script src="/_next/static/chunks/app/page-cc829e051925e906.js" async=""></script><script src="/_next/static/chunks/app/template-d264bab5e3061841.js" async=""></script><script src="/_next/static/chunks/e37a0b60-b74be3d42787b18d.js" async=""></script><script src="/_next/static/chunks/904-dbddf7494c3e6975.js" async=""></script><script src="/_next/static/chunks/549-c87c1c3bbacc319f.js" async=""></script><script src="/_next/static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js" async=""></script><link rel="preload" href="/assets/javascript/uswds-init.min.js" as="script"/><link rel="preload" href="/assets/javascript/uswds.min.js" as="script"/><title>HHS Policy for Rules of Behavior for Use of Information & IT Resources | CMS Information Security & Privacy Group</title><meta name="description" content="A document from the Department of Health & Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information"/><link rel="canonical" href="https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources"/><meta name="google-site-verification" content="GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M"/><meta property="og:title" content="HHS Policy for Rules of Behavior for Use of Information & IT Resources | CMS Information Security & Privacy Group"/><meta property="og:description" content="A document from the Department of Health & Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information"/><meta property="og:url" content="https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources"/><meta property="og:image:type" content="image/jpeg"/><meta property="og:image:width" content="1200"/><meta property="og:image:height" content="630"/><meta property="og:image" content="https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources/opengraph-image.jpg?a856d5522b751df7"/><meta property="og:type" content="website"/><meta name="twitter:card" content="summary_large_image"/><meta name="twitter:title" content="HHS Policy for Rules of Behavior for Use of Information & IT Resources | CMS Information Security & Privacy Group"/><meta name="twitter:description" content="A document from the Department of Health & Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information"/><meta name="twitter:image:type" content="image/jpeg"/><meta name="twitter:image:width" content="1200"/><meta name="twitter:image:height" content="630"/><meta name="twitter:image" content="https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources/opengraph-image.jpg?a856d5522b751df7"/><link rel="icon" href="/favicon.ico" type="image/x-icon" sizes="48x48"/><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds-init.min.js",{}])</script><script src="/_next/static/chunks/polyfills-78c92fac7aa8fdd8.js" noModule=""></script></head><body><a class="usa-skipnav" href="#main">Skip to main content</a><section class="usa-banner" aria-label="Official website of the United States government"><div class="usa-accordion"><header class="usa-banner__header"><div class="usa-banner__inner"><div class="grid-col-auto"><img aria-hidden="true" alt="" loading="lazy" width="16" height="11" decoding="async" data-nimg="1" class="usa-banner__header-flag" style="color:transparent" srcSet="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=16&q=75 1x, /_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75 2x" src="/_next/image?url=%2Fassets%2Fimg%2Fus_flag_small.png&w=32&q=75"/></div><div class="grid-col-fill tablet:grid-col-auto" aria-hidden="true"><p class="usa-banner__header-text">An official website of the United States government</p><p class="usa-banner__header-action">Here's how you know</p></div><button type="button" class="usa-accordion__button usa-banner__button" aria-expanded="false" aria-controls="gov-banner-default-default"><span class="usa-banner__button-text">Here's how you know</span></button></div></header><div class="usa-banner__content usa-accordion__content" id="gov-banner-default-default" hidden=""><div class="grid-row grid-gap-lg"><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-dot-gov.3e9cb1b5.svg"/><div class="usa-media-block__body"><p><strong>Official websites use .gov</strong><br/>A <strong>.gov</strong> website belongs to an official government organization in the United States.</p></div></div><div class="usa-banner__guidance tablet:grid-col-6"><img role="img" alt="" aria-hidden="true" loading="lazy" width="40" height="40" decoding="async" data-nimg="1" class="usa-banner__icon usa-media-block__img" style="color:transparent" src="/_next/static/media/icon-https.e7f1a222.svg"/><div class="usa-media-block__body"><p><strong>Secure .gov websites use HTTPS</strong><br/>A <strong>lock</strong> (<span class="icon-lock"><svg xmlns="http://www.w3.org/2000/svg" width="52" height="64" viewBox="0 0 52 64" class="usa-banner__lock-image" role="img" aria-labelledby="banner-lock-description-default" focusable="false"><title id="banner-lock-title-default">Lock</title><desc id="banner-lock-description-default">Locked padlock icon</desc><path fill="#000000" fill-rule="evenodd" d="M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z"></path></svg></span>) or <strong>https://</strong> means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.</p></div></div></div></div></div></section><div class="usa-overlay"></div><header class="usa-header usa-header--extended"><div class="bg-primary-dark"><div class="usa-navbar"><div class="usa-logo padding-y-4 padding-right-3" id="CyberGeek-logo"><a title="CMS CyberGeek Home" href="/"><img alt="CyberGeek logo" fetchPriority="high" width="298" height="35" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a></div><button aria-label="Open menu" type="button" class="usa-menu-btn" data-cy="menu-button">Menu</button></div></div><nav aria-label="Primary navigation" class="usa-nav padding-0 desktop:width-auto bg-white grid-container float-none"><div class="usa-nav__inner"><button type="button" class="usa-nav__close margin-0"><img alt="Close" loading="lazy" width="24" height="24" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/close.1fafc2aa.svg"/></button><ul class="usa-nav__primary usa-accordion"><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="roles"><span>Roles</span></button><ul id="roles" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Roles</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/information-system-security-officer-isso">Information System Security Officer (ISSO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook"><span>ISSO Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos"><span>Getting started (for new ISSOs)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-mentorship-program"><span>ISSO Mentorship Program</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-system-security-officer-isso-handbook#training"><span>ISSO Training</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/data-guardian">Data Guardian</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/data-guardian-handbook"><span>Data Guardian Handbook</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cyber-risk-advisor-cra">Cyber Risk Advisor (CRA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters"><span>Risk Management Handbook (RMH)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/business-system-owner">Business / System Owner (BO/SO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity and Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/isso-service"><span>ISSO As A Service</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="compliance-authorization"><span>Compliance & Authorization</span></button><ul id="compliance-authorization" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Compliance & Authorization</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/authorization-operate-ato">Authorization to Operate (ATO)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato"><span>About ATO at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#types-of-authorizations"><span>Types of authorizations</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#ato-stakeholders"><span>ATO stakeholders</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/authorization-operate-ato#related-documents-and-resources"><span>ATO tools and resources</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-technical-reference-architecture-tra"><span>CMS Technical Reference Architecture (TRA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/learn/ongoing-authorization-oa">Ongoing Authorization (OA)</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa"><span>About OA at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa"><span>OA eligibility requirements</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Assessments & Audits</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/security-impact-analysis-sia"><span>Security Impact Analysis (SIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-audits"><span>System Audits</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="policy-guidance"><span>Policy & Guidance</span></button><ul id="policy-guidance" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Policy & Guidance</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/cms-policies-and-guidance">CMS Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-acceptable-risk-safeguards-ars"><span>CMS Acceptable Risk Safeguards (ARS)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2"><span>CMS Information Security and Privacy Policy (IS2P2)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-security-and-privacy-handbooks"><span>CMS Security and Privacy Handbooks</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-risk-management-framework-rmf"><span>CMS Risk Management Framework (RMF)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/email-encryption-requirements-cms"><span>CMS Email Encryption</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/federal-policies-and-guidance">Federal Policies and Guidance</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/national-institute-standards-and-technology-nist"><span>National Institute of Standards and Technology (NIST)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/federal-information-security-modernization-act-fisma"><span>Federal Information Security Modernization Act (FISMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/fedramp"><span>Federal Risk and Authorization Management Program (FedRAMP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="system-security"><span>System Security</span></button><ul id="system-security" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">System Security</span></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/application-security">Application Security</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/zero-trust"><span>Zero Trust</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/software-bill-materials-sbom"><span>Software Bill of Materials (SBOM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/security-operations">Security Operations</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir"><span>Incident Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header"><a href="/ispg/risk-management-and-reporting">Risk Management and Reporting</a></h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/plan-action-and-milestones-poam"><span>Plan of Action and Milestones (POA&M)</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="privacy"><span>Privacy</span></button><ul id="privacy" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Privacy</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Agreements</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-computer-matching-agreement-cma"><span>Computer Matching Agreement (CMA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-information-exchange-agreement-iea"><span>Information Exchange Agreement (IEA)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Activities</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/breach-response"><span>Breach Response</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/system-records-notice-sorn"><span>System of Records Notice (SORN)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Privacy Resources</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/ispg/privacy"><span>Privacy at CMS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-breach-response-handbook"><span>CMS Breach Response Handbook</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/health-insurance-portability-and-accountability-act-1996-hipaa"><span>Health Insurance Portability and Accessibility Act (HIPAA)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/policy-guidance/cms-privacy-impact-assessment-pia-handbook"><span>CMS Privacy Impact Assessment (PIA) Handbook</span></a></li></ul></section></div></li></ul></li><li class="usa-nav__primary-item"><button type="button" class="usa-accordion__button usa-nav__link font-family-serif text-medium tablet:text-no-wrap desktop:text-primary-vivid" aria-expanded="false" aria-controls="tools-services"><span>Tools & Services</span></button><ul id="tools-services" class="usa-nav__submenu usa-megamenu bg-white" hidden=""><li class="grid-row grid-gap-3 padding-bottom-6"><div class="usa-col text-center desktop:text-right text-normal position-relative nav-label"><span class="display-block font-heading-xl padding-top-2">Tools & Services</span></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Reporting & Compliance</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/isso-service"><span>ISSO As A Service</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-fisma-continuous-tracking-system-cfacts"><span>CFACTS</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cyber-risk-reports"><span>Cyber Risk Reports and Dashboards</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/continuous-diagnostics-and-mitigation-cdm"><span>Continuous Diagnostics and Mitigation (CDM)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">System Security</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/threat-modeling"><span>Threat Modeling</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cloud-services"><span>CMS Cloud Services</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cms-cybersecurity-integration-center-ccic"><span>CMS Cybersecurity Integration Center (CCIC)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="https://security.cms.gov/learn/cms-security-data-lake-sdl"><span>CMS Security Data Lake (SDL)</span></a></li></ul></section></div><div class="usa-col"><section><h3 class="usa-col__list-header list-header-margin">Tests & Assessments</h3><ul class="usa-nav__submenu-list"><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/cybersecurity-risk-assessment-program-csrap"><span>Cybersecurity Risk Assessment Program (CSRAP)</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/penetration-testing-pentesting"><span>Penetration Testing</span></a></li><li class="usa-nav__submenu-item font-sans-2xs"><a class="padding-x-0" href="/learn/privacy-impact-assessment-pia"><span>Privacy Impact Assessment (PIA)</span></a></li></ul></section></div></li></ul></li></ul><div class="usa-nav__secondary padding-left-2"><section aria-label="Header search box"><form class="usa-search usa-search--small" role="search" action="/search"><label class="usa-sr-only" for="header-search-box">Search</label><input class="usa-input search__input" id="header-search-box" type="search" name="ispg[query]"/><button aria-label="header search box button" class="usa-button" id="header-search-box-btn" type="submit"><svg aria-describedby="searchIcon" class="usa-icon" aria-hidden="true" focusable="false" role="img"><title id="searchIcon">Search</title><use href="/assets/img/sprite.svg#search"></use></svg></button></form></section></div></div></nav></header><main id="main"><div id="template"><!--$--><!--/$--><section class="hero hero--theme-library undefined"><div class="maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7"><div class="tablet:grid-container position-relative "><div class="hero__row grid-row grid-gap"><div class="tablet:grid-col-5 widescreen:position-relative"></div><div class="hero__column tablet:grid-col-7 flow padding-bottom-2"><h1 class="hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2">HHS Policy for Rules of Behavior for Use of Information & IT Resources</h1><p class="hero__description">A document from the Department of Health & Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information</p><p class="font-sans-2xs line-height-sans-5 margin-bottom-0">Last reviewed<!-- -->: <!-- -->2/9/2023</p><div class="hero__meta radius-lg padding-x-2 padding-y-1 bg-white font-sans-2xs line-height-sans-5 display-inline-block text-primary-darker">Contact: <span class="text-bold">ISPG Policy Team</span><span class="hidden-mobile"> | </span><span class="break-mobile"><a href="mailto:CISO@cms.hhs.gov">CISO@cms.hhs.gov</a></span></div></div></div></div></div></section><div class="grid-container"><div class="grid-row grid-gap margin-top-5"><div class="tablet:grid-col-4"><nav class="table-of-contents overflow-y-auto overflow-x-hidden position-sticky top-3 padding-1 radius-lg shadow-2 display-none tablet:display-block" aria-label="Table of contents"><div class="text-uppercase text-bold border-bottom border-base-lighter padding-bottom-1">Table of Contents</div><p class="text-italic text-base font-sans-xs">No table of content entries to display.</p></nav></div><div class="tablet:grid-col-8"><section class="resource-collection radius-md padding-y-2 padding-x-3 bg-base-lightest"><h1 class="resource-collection__header h3 margin-top-0 margin-bottom-2">Related Resources</h1><div class="grid-row grid-gap-4"><div class="tablet:grid-col-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-information-systems-security-privacy-policy-is2p2">CMS Information Systems Security & Privacy Policy (IS2P2) </a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/policy-guidance/cms-acceptable-risk-safeguards-ars">CMS Acceptable Risk Safeguards (ARS)</a></div><div class="tablet:grid-col-4 margin-top-4 tablet:margin-top-0"><a class="text-no-underline text-bold" href="/learn/national-institute-standards-and-technology-nist">National Institute of Standards and Technology (NIST) </a></div></div></section><section><div class="text-block text-block--theme-library"><h2 id="m_4884422691552917800nature">1. Nature of Changes</h2><p>Version 1.0: released July 2013. First issuance of policy.</p><p>Version 2.0: released December 2016. Added new statements to:</p><ul type="disc"><li>Prohibit the use of personally owned devices and unapproved non-GFE to conduct HHS business.</li><li>Restrict personal social media use during official work duty.</li><li>Restrict the connection to public, unsecure Wi-Fi from GFE.</li><li>Prohibit the use of HHS e-mail address to create personal commercial accounts.</li></ul><p>Version 2.1: Released August 2017. As recommended by OpDivs in the first-round review, Policy for Personal Use of IT Resources was combined with the Rules of Behavior since the documents overlap.</p><p>Version 2.1: Released February 2018. Update to policy for use of personal email per Departmental recommendation.</p><p>Version 2.1: Released March 2018. Removed the policy requirement restricting the use of personal email from HHS/OpDiv networks per OCIO request.</p><p>Version 2.1: Released April 2018. Replaced Controlled Unclassified Information (CUI) with sensitive information per OGC and PIM recommendations.</p><p>Version 2.1: Released June 2018. Policy obtained NTEU clearance.</p><p>Version 2.2: Released May 2019. Changed Webmail access policy to only block access from public internet and encourage OpDivs to reduce its usage. Added requirement to restrict the use of personal email, storage services and devices that conduct HHS/OpDiv business and store HHS/OpDiv data.</p><p>Version 2.3: Released June 2019. Updated password requirement.</p><p>Version 3.0: Released February 2023. Updated to prohibit unauthenticated Bluetooth tethering without OpDiv approval, acceptable use of social media, provide general updates throughout document, and to ensure adherence to Executive Order 14028 as well as Office Management and Budget (OMB) Memorandum (M) M-22-09.</p><h2 id="m_4884422691552917800purpose">2. Purpose</h2><p>The <em>HHS Policy for Rules of Behavior for Use of Information and IT Resources (</em>hereafter known as <em>Policy</em>) defines the acceptable use of the Department of Health and Human Services (Department or HHS)/Operating Division (OpDiv) information and Information Technology (IT) resources and establishes the baseline requirements for developing Rules of Behavior (RoB) that all users, including privileged users, are required to sign prior to accessing HHS/OpDiv information systems and resources.</p><p>This document includes baseline requirements for three RoB categories: General Users, Privileged Users, and System Specific Users. These RoB categories provide baseline requirements and guidelines for implementation of each RoB category. This <em>Policy</em> also defines acceptable personal use of HHS/OpDiv information resources and restricts use of personal devices to conduct HHS/OpDiv business.</p><p>An OpDiv may customize this <em>Policy</em> and RoBs to include OpDiv specific information, create its own policy, or supplement the specified RoB provided that the OpDiv policy and RoBs are compliant with and at least as restrictive as the baseline policy and RoBs stated herein.</p><p>This <em>Policy</em> uses the term ‘sensitive information’ to refer to Personally Identifiable Information (PII)<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn1">1</a> (although other HHS policies may distinguish between PII and sensitive PII), Protected Health Information (PHI), financial records, business proprietary data, and any information marked Sensitive but Unclassified (SBU), Controlled Unclassified Information (CUI), etc.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn2">2</a></p><h2 id="m_4884422691552917800background">3. Background</h2><p>The executive branch of the federal government leverages hundreds of thousands of employees located in offices across the nation to serve the American people. Increasingly, the government is called upon to deliver additional services to a growing population that expects ever-increasing improvements in service delivery. The relationship between the executive branch and the employees who administer the functions of the government is based on trust. Consequently, employees are expected to follow rules and regulations and to be responsible for their own personal and professional conduct. The Standards of Ethical Conduct for Employees of the Executive Branch published by the U.S. Office of Government Ethics states that, “Employees must put forth honest effort in the performance of their duties” [5 C.F.R. § 2635.101(b)(5)].</p><p>The RoBs stated in this <em>Policy</em> include rules that govern the appropriate use and protection of all HHS/OpDiv information resources and help to ensure the security of IT equipment, systems, and data confidentiality, integrity, and availability. </p><h2 id="m_4884422691552917800scope">4. Scope</h2><p>This <em>Policy</em> applies to all OpDivs and other parties that conduct business for or on behalf of HHS (i.e., contractors, third-party service/storage providers, cloud service providers). This <em>Policy </em>applies to all users of HHS/OpDiv information and IT resources whether working at their primary duty station, teleworking, working at a satellite site or any other alternative workplaces, and/or while traveling.</p><p>An OpDiv must implement this <em>Policy</em> and these baseline requirements or alternatively, may create its own policy that is more restrictive but not less restrictive than this <em>Policy</em>. This <em>Policy</em> does not supersede any other applicable law or higher-level agency directive or policy guidance. </p><p>This <em>Policy </em>does not supersede any applicable law, higher-level agency directive, or existing labor management agreement as of the effective date of this<em> Policy</em>.</p><h2 id="m_4884422691552917800authorities">5. Authorities</h2><p>The following are the primary authoritative documents driving the requirements in this <em>Policy</em>:</p><ol type="A"><li>Federal Information Security Modernization Act of 2014 (FISMA), Pub. L. No. 113-283, 128 Stat. 3073, codified at 44 U.S.C. Chapter 35, Subchapter II.</li><li><em>HHS Policy for Information Security and Privacy Protection (IS2P)</em>, November 2021.</li><li>National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, <em>Guide for Developing Security Plans for Federal Information Systems</em>, February 2006.</li><li>NIST SP 800-37 Rev. 2, <em>Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy</em>, December 2018.</li><li>NIST SP 800-53 Rev. 5, <em>Security and Privacy Controls for Information Systems and Organizations</em>, December 2020.</li><li>Office of Management and Budget (OMB), Circular A-130, <em>Managing Information as a Strategic Resource</em>, July 2016.</li><li>Public Law 115-232 § 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, August 13, 2018.</li><li>5 U.S.C. § 552a (the Privacy Act of 1974, as amended).</li></ol><h2 id="m_4884422691552917800policy">6. Policy</h2><p>The following are the baseline requirements for implementing HHS or OpDiv RoBthat govern the appropriate use of HHS/OpDiv information systems and resources for all employees, contractors, and other personnel who have access to HHS/OpDiv information and information systems.</p><h3 id="m_48844226915529178006.1">6.1. Acceptable Use of HHS Information and IT Resources – OpDiv Requirements</h3><ol type="A"><li>OpDivs must ensure all users read and acknowledge the RoB as general users upon onboarding and annually thereafter. Additionally, users with significant security responsibilities must read and acknowledge the RoB as privileged users upon onboarding and annually thereafter (see baseline RoB for both general and privileged users in Appendix D.) OpDiv System Owners must define RoB for System Specific users as necessary. Acknowledgement is understood to mean that each RoB must contain a signature page on which the user acknowledges having read, understood, and agreed to abide by the RoB (general user, or privileged user). Electronic signatures are acceptable.</li><li>OpDivs must ensure that general users read and sign RoB before they are given access to HHS/OpDiv information and/or systems. Digital signature is encouraged for general users whose digital signature can be authenticated by a Personal Identity Verification (PIV) card or other similar card (such as Personal Identity Verification Interoperability (PIV-I) card, Derived Alternate Credential (DAC), or Common Access Card (CAC)); however, general users may physically sign.</li><li>OpDivs must inform general users of their responsibilities and the accountability of their actions while accessing HHS/OpDiv systems and using HHS/OpDiv information resources. (The RoB must state the consequences of behavior not consistent with the rules).</li><li>OpDivs must include the items covered in sections 6.2, 6.3, and 6.4 including teleworking, remote access, connection to the internet, use of copyrighted works, use of GFE, social media, and individual accountability. Sample RoBs are included in Appendix D.</li><li>OpDivs must ensure government furnished equipment distributed to for the purpose of conducting official government business including but not limited to: Personal Identity Verification (PIV) cards, mobile devices and cellular telephones, is surrendered, collected or reclaimed on or before the last day of employment or contract termination.</li><li>OpDivs must take steps to reduce the use of Webmail and allow access only when necessary. OpDivs will make the determination as to what is defined as necessary for their OpDiv.</li><li>OpDivs must implement technical controls to:<ol type="i"><li>Prohibit auto-forwarding of email</li><li>Block the use of HHS/OpDiv Webmail access from untrusted or unauthenticated public internet or implement compensating controls</li><li>Detect and block spam emails, and employ a capability within the official email application (such as a phishing email button) to expedite the reporting of suspected phishing emails to the OpDiv designated email incident response team</li><li>Appropriately secure mobile devices used for conducting HHS/OpDiv business</li><li>Ensure that rules regarding passwords are consistent with technical password features</li><li>Monitor user activities, system accounts and privileged user accounts</li><li>Disable unnecessary/unauthorized permissions, services, and system/user accounts.</li></ol></li><li>OpDivs must develop and implement system specific RoB when appropriate (see additional guidance in Appendix C). OpDivs must include in system specific RoB provisions that:<ol type="i"><li>Delineate responsibilities and expected behavior of all users with access to the system and state the consequences of behavior not consistent with the rules</li><li>Include limitations on altering data, searching databases, and divulging information<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn3">3</a></li><li>State appropriate limits on interconnections to other systems.</li></ol></li></ol><h3 id="m_48844226915529178006.2">6.2. Acceptable Use of HHS Information and IT Resources – General User Requirements</h3><ol type="A"><li>HHS/OpDiv permits personnel to have limited personal use of HHS/OpDiv information and IT resources, including HHS/OpDiv email, systems, instant messaging (IM) tools, and government-furnished equipment (GFE) (e.g., laptops, mobile devices, etc.) only when the personal use:<ol type="i"><li>Involves no more than minimal additional expense to the government</li><li>Is minimally disruptive to personnel productivity</li><li>Does not interfere with the mission or operations of HHS</li><li>Does not violate HHS/OpDiv security and privacy policies.</li></ol></li><li>HHS/OpDiv expects personnel to conduct themselves professionally in the workplace and to refrain from using GFE, email, third-party websites, and applications (TPWAs) (e.g., HHS/OpDiv social media sites and cloud services, etc.) and other HHS/OpDiv information resources for activities that are not related to any legitimate/officially sanctioned HHS/OpDiv business purpose, except for the limited personal use stated above. Personnel must not misuse HHS/OpDiv information and IT resources or conduct unapproved activities using HHS/OpDiv information and IT resources including, but not limited to:<ol type="i"><li>Engaging in activities that could cause congestion, delay, or disruption of service to any HHS/OpDiv information resource (e.g., sending chain letters via email, playing streaming videos, games, music, etc.)</li><li>Accessing, downloading and/or uploading illegal, illicit, or criminal content from/to the internet (e.g., pornographic or sexually explicit materials, information about illegal weapons, terrorism activities, or other illegal activities)</li><li>Accessing, downloading, or clicking on any untrusted hyperlinks or executable files without verifying source.</li><li> Conducting or supporting commercial “for-profit” activities, managing outside employment or business activity, or running a personal business</li><li>Engaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity</li><li>Using HHS/OpDiv information resources for activities that are inappropriate or offensive to fellow personnel or the public (e.g., hate speech or material that ridicules others on the basis of race, creed, religion, color, age, gender, disability, national origin, or sexual orientation)</li><li>Creating a website or uploading content to a TPWA, or social media website on behalf of HHS/OpDiv without proper official authorization.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn4">4</a> Proper official authorization' includes, for example, written approval from the HHS/OpDiv or OpDiv CISO or a designee</li><li>Connecting personal devices to HHS/OpDiv systems without proper official authorization</li><li>Using personal devices, non-HHS/OpDiv email, and unauthorized third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, or process HHS/OpDiv information, or to conduct HHS/OpDiv business without proper official authorization.</li><li>Automatically (auto) forwarding HHS/OpDiv email to both internal and external email sources or forwarding email/files that contain sensitive information to unauthorized systems and devices that are used for non-HHS/OpDiv and non-OpDiv business purposes<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn5">5</a></li><li>Accessing and using HHS/OpDiv Webmail without proper official authorization</li><li>Using an HHS/OpDiv email address and other information resources to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or website, and signing up for personal memberships that are not work related.</li></ol></li><li>HHS/OpDiv warns users of HHS/OpDiv information resources, systems and GFE that they should have no expectation of privacy while using them and that their usage may be monitored, recorded, and audited at any time; and that HHS/OpDiv information resources, systems and GFE must be used with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA), Privacy Act (5 U.S.C. § 552a) or other applicable legal authority.</li><li>HHS/OpDiv formally notifies users through the RoB that their electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or Department/OpDiv personnel at any time when related to the performance of duties. For example, after obtaining management approval, HHS/OpDiv authorized technical staff may employ monitoring tools in order to maximize the utilization of HHS/OpDiv resources.</li></ol><h3 id="m_48844226915529178006.3">6.3. Telework/Remote Work and GFE</h3><ol type="A"><li>HHS/OpDivs permit personnel to telework only when approved by management. Security of HHS/OpDiv information systems, equipment, and information, including PII, CUI and sensitive information, is just as important at a telework worksite as it is in an HHS/OpDiv building. HHS/OpDiv requires personnel to conduct themselves with the same professionalism remotely as is required in the formal workplace. HHS/OpDivs require personnel to safeguard any GFE provided by following these guidelines:<ol type="i"><li>Users can connect additional devices to GFE as necessary to conduct official government business with OpDiv approval if the devices are not on the prohibited vendor list.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn6">6</a></li><li>Users can connect GFE to printers with OpDiv approval.<ul type="square"><li>Printers must be connected to GFE via USB or other physical port. Wireless connections between GFE and printers require OpDiv approval.</li><li>Users must contact OpDiv Help Desks to have printer drivers installed on GFE prior to connecting the printer<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn7">7</a>.</li></ul></li><li>Users are prohibited from installing any software on GFE</li><li>Users are permitted to use their home Wi-Fi network to provide the connectivity for telework. Home networks must be set up in accordance with guidance from HHS/OpDiv or OpDivs<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn8">8</a></li><li>Users must keep Bluetooth turned off while not in use. <a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn9">9</a></li><li>Users are responsible for the protection of all sensitive data</li><li>Users must not take GFE outside of the US or its territories for regular teleworking. For official visit to foreign countries, adhere to the Department GFE Travel Restriction requirements.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn10">10</a></li></ol></li></ol><h3 id="m_48844226915529178006.4">6.4. Non-Compliance</h3><p>This<em> Policy</em> cannot account for every possible situation. Therefore, where this <em>Policy</em> does not provide explicit guidance, personnel must use their best judgment to apply the principles set forth in the standards for ethical conduct to guide their actions and to seek guidance when appropriate from the OpDiv Chief Information Officer (OpDiv CIO) or his/her designee.</p><p>Non-compliance with the requirements in this <em>Polic</em>y and the RoB may be cause for disciplinary and other actions for anyone who has logical access to data, digital resources, and computer networks, or physical access to the HHS/OpDiv enterprise network, data, and resources. Depending on the severity of the violation, consequences may include, but are not limited to, one or more of the following actions:</p><ol type="A"><li>Mandatory training</li><li>Reprimand</li><li>Suspension of access privileges</li><li>Revocation of access to federal information, information systems, IT resources and/or facilities</li><li>Deactivation of the accounts</li><li>Suspension without pay</li><li>Monetary fines</li><li>Removal or disbarment from work on federal contracts or projects</li><li>Termination of employment and/or</li><li>Criminal charges that may result in imprisonment</li><li>Potential removal of security clearances</li></ol><h2 id="m_4884422691552917800roles">7. Roles and Responsibilities</h2><h3 id="m_48844226915529178007.1">7.1. HHS Chief Information Officer (CIO)</h3><p>The HHS CIO or representative must:</p><ol type="A"><li>Ensure this <em>Policy</em> is disseminated and implemented Department-wide.</li><li>Ensure RoBsare developed, maintained, and implemented for all general users, privileged users, and information systems (when deemed applicable).</li></ol><h3 id="m_48844226915529178007.2">7.2. OpDiv CIO</h3><p>The OpDiv CIO or representative must:</p><ol type="A"><li>Ensure acceptable use of OpDiv information resources requirements is implemented throughout the OpDiv.</li><li>Ensure RoBs are developed, approved, maintained, and implemented for all general users, privileged users, and system-specific users (as applicable) OpDiv-wide.</li></ol><h3 id="m_48844226915529178007.3">7.3. HHS Chief Information Security Officer (CISO)</h3><p>The HHS CISO must:</p><ol type="A"><li>Ensure implementation of this <em>Policy.</em></li><li>Ensure all users read, acknowledge, and adhere to RoB for all three RoB categories (general users, privileged users, and system specific users) as applicable.</li><li>Approve or assign a designee to approve exceptions to RoBs, when required.</li><li>Ensure records are maintained for signed RoB forms.</li></ol><h3 id="m_48844226915529178007.4">7.4. OpDiv CISO</h3><p>The OpDiv CISO must:</p><ol type="A"><li>Implement this <em>Policy</em> or develop an OpDiv specific RoB.</li><li>Develop and implement OpDiv RoBs for general users, privileged users and system specific users, as applicable.</li><li>Ensure all users read, acknowledge, and adhere to RoB for all three RoB categories (general users, privileged users, and system specific users) as applicable.</li><li>Approve or assign a designee to approve exceptions to RoBs, when required.</li><li>Ensure records are maintained for signed RoB forms.</li></ol><h3 id="m_48844226915529178007.5">7.5. Managers and Supervisors</h3><p>The OpDiv managers and supervisors must:</p><ol type="A"><li>Inform users of their rights and responsibilities, including the information in this <em>Policy</em> to individual users.</li><li>Address inappropriate use by personnel who report to them and disseminate information to relevant stakeholders for the purpose of incident handling and investigations.</li><li>Receive and review reports of inappropriate use of IT resource from management officials and allow access to these reports to designated authorities, as applicable, in accordance with HHS/OpDiv stsandard operating procedures.</li><li>Notify, when appropriate, senior Department officials of inappropriate use and/or abuse of HHS/OpDiv IT resources.</li></ol><h3 id="m_48844226915529178007.6">7.6. System Owner (SO)</h3><p>The OpDiv SOs must:</p><ol type="A"><li>Delineate responsibilities and expected behavior of all users with access to the system and state the consequences of behavior not consistent with the rules.</li><li>Develop and appropriately disseminate system specific RoB when deemed applicable.</li><li>Ensure all users with access to the information system(s) under their purview read, acknowledge, and adhere to the general user RoB and system specific RoB (if deemed applicable) prior to obtaining access and at least annually thereafter.</li><li>Automate, to the extent possible, the security and privacy controls that are required to be implemented to protect systems and information.</li><li>Ensure all users with privileged access rights to the information system(s) under their purview read, acknowledge, and adhere to the privileged user RoB.</li><li>Review system specific RoB periodically and at least every three years.</li><li>Maintain records of all the signed system specific RoB.</li><li>In accordance with the Privacy Act, maintain an accounting of disclosures made by HHS/OpDiv of records about individuals retrieved by personal identifier, excluding only disclosures required by FOIA and disclosures to HHS officers and employees with need to know.</li><li>Promptly schedule records with the <a href="https://www.archives.gov/">National Archives and Records Administration (NARA)</a>, and promptly destroy records when eligible for destruction and no longer needed for HHS/OpDiv business.</li></ol><h3 id="m_48844226915529178007.7">7.7. Information and System User</h3><p>All users of HHS/OpDiv information, GFE and systems must:</p><ol type="A"><li>Read, understand, and acknowledge RoB initially upon onboarding or start of work and annually thereafter.</li><li>Always secure HHS/OpDiv information resources and assets they have access to or always entrusted with (e.g., while at their duty station, when traveling, teleworking, etc.).</li><li>Report any loss, compromise, and unauthorized use of HHS/OpDiv information and systems immediately upon discovery/detection in accordance with HHS/OpDiv policies.</li><li>Seek guidance from their supervisor and other officials if unclear about HHS/OpDiv security and privacy policies.</li></ol><h2 id="m_4884422691552917800information">8. Information and Assistance</h2><p>HHS Office of the Chief Information Officer is responsible for the development and management of this <em>Policy</em>. Questions, comments, suggestions, and requests for information about this <em>Policy</em> should be directed to <a href="mailto:HHSCybersecurityPolicy@hhs.gov">HHSCybersecurityPolicy@hhs.gov</a>.</p><h2 id="m_4884422691552917800effective-date">9. Effective Date and Implementation</h2><p>The effective date of this <em>Policy</em> is the date on which the policy is approved. This <em>Policy </em>must be reviewed, at a minimum, every three (3) years from the approval date.</p><p>The HHS CIO has the authority to grant a one (1) year extension of the <em>Policy</em>.</p><p>To archive this <em>Policy</em>, written approval must be granted by the HHS CIO.</p><h2 id="m_4884422691552917800approval">10. Approval</h2><p>/S/<br>Karl S. Mathias, Ph.D., HHS CIO</p><p>February 9, 2023</p><h2 id="m_4884422691552917800appendix-a">Appendix A: Procedures</h2><p><em>Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.</em></p><p>OpDivs may develop their specific procedures document(s) to implement this <em>Policy.</em></p><h2 id="m_4884422691552917800appendix-b">Appendix B: Standards</h2><p><em>Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.</em></p><p><strong>Standard Rules of Behavior</strong></p><p>HHS/OpDivs are responsible for implementing adequate security controls to ensure a high level of protection for all HHS/OpDiv information and IT resources commensurate with the level of risk. In addition, HHS/OpDivs must ensure that all employees, contractors, and other personnel using HHS/OpDiv information resources have the required knowledge and skills to appropriately use and protect HHS/OpDiv information and IT resources. All OpDivs may use the RoB included in Appendix D or may develop their own RoB provided compliance, at a minimum, meets the requirements of the HHS/OpDiv RoB.</p><ol type="A"><li>RoB<em>s </em>are provided for the following three categories:<ol type="i"><li>Appendix C includes supplemental RoB for specific systems</li><li>Appendix D contains the RoB for<ul type="square"><li>General Users and</li><li>Privileged Users</li></ul></li></ol></li><li>All HHS/OpDiv personnel (employees, contractors, interns, etc.) and any other individuals (for example, representatives of grantees, business partners, other agencies, or research institutions; FOIA requesters; members of the general public; etc.) who are granted access to HHS/OpDiv information and IT resources must read, acknowledge, and adhere to the HHS/OpDiv General User RoB prior to accessing and using HHS/OpDiv information resources and IT systems. The acknowledgment of the RoB, which affirms that all users have read and understand the HHS/OpDiv RoB, may be obtained by hardcopy written signature, electronic acknowledgement, or electronic signature. This acknowledgement must be completed at HHS/OpDiv onboarding or prior to the start of work on an HHS/OpDiv contract, grant, or other agreement, and at least annually thereafter, and/or in combination with the HHS/OpDiv information cybersecurity awareness training.</li><li>All privileged users (e.g., network/system administrators, developers, etc.) must read, acknowledge, and adhere to the HHS/OpDiv Privileged User RoB prior to obtaining a privileged user account and at least annually thereafter. The acknowledgment of the RoB, which affirms that privileged users have read and understand the HHS/OpDiv RoB for privileged users, may be obtained by either hardcopy written signature or by electronic acknowledgement or signature.</li><li>Per the HHS/OpDiv IS2P, OpDivs must develop and implement system specific RoB, when deemed advisable, to address system specific requirements to protect the system and information.</li><li>All RoB (General, Privileged, and System Specific) must be reviewed and if necessary, updated at least every three years.</li><li>Any exceptions to this RoB policy and specified RoB must be approved by the HHS/OpDiv, OpDiv CISO, or OpDiv CISO designee.</li></ol><h2 id="m_4884422691552917800appendix-c">Appendix C: Guidance</h2><p><em>Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library</em>.</p><p><strong>Supplemental Rules of Behavior for HHS/OpDiv Systems</strong></p><p>OpDivs are responsible for developing system specific RoB and for ensuring that users read, acknowledge, and adhere to them. A supplemental RoB must be created and developed for systems that require users to comply with rules beyond those contained in the RoB on Appendix D and Appendix E deemed applicable. In such cases, users must comply with ongoing requirements of each individual system to access and retain access (e.g., reading and acknowledging the RoB prior to access and re-acknowledging it each year) to the information system(s). OpDiv System Owners must document any additional system specific RoB and any recurring requirement to acknowledge the respective RoB in their system security plans.</p><p>Office of Management and Budget (OMB) Circular A-130 <em>Managing Information as a Strategic Resource</em>, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide<em> for Developing Security Plans for Federal Information Systems</em>, and NIST SP 800-53, Revision 5, <em>Security and Privacy Controls for Information Systems and Organizations</em> provide requirements for system specific rules of behavior. At a minimum, the system specific RoB must:</p><ol type="A"><li>Be in writing.</li><li>Delineate responsibilities for any expected user of the system and behavior of all users and must state the consequences of behavior which violates the rules.</li><li>State appropriate limits on interconnections to other systems and must define service provision and restoration priorities.</li><li>Cover such matters including, but not limited to, teleworking, dial-in access, connection to the internet, use of copyrighted works, unofficial use of Government equipment, assignment and limitation of system privileges, and individual accountability.</li><li>Reflect technical security controls (e.g., rules regarding passwords must be consistent with technical password features).</li><li>Include limitations on changing data, searching databases, or divulging information.</li><li>State that controls are in place to ensure individual accountability and separation of duties and to limit the processing privileges of individuals.</li><li>State any other specific rules, limitation or restriction that may apply to the use of the system.</li><li>Include consequences for failing to comply with the breach reporting requirements as described in OMB M-17-12 and HHS/OpDiv policy.</li></ol><p>Finally, National Security Systems (NSS), as defined by the Federal Information Security Modernization Act of 2014 (FISMA), must independently or collectively implement their own system specific rules.</p><p><strong>Supplemental Rules of Behavior for Accessing Malicious Websites</strong></p><p>Users, employees, and contractors who have accessed malicious websites either knowingly or unknowingly will be considered as a security incident and will be required to undergo additional security training as directed by the office of the Chief Information Security Officer (CISO). Those users must take the Security Training or a refresher course on the following:</p><p>Phishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by designing as a trustworthy entity in an electronic communication. The following must be avoided:</p><ul type="disc"><li>clicking on links and suspicious attachments provided in email</li><li>submitting banking and password information via email</li><li>any email asking for personal information</li></ul><p>A ‘Hoax’ is often intended to cause embarrassment, or to provide social or political change by raising people’s awareness of something. Hoaxes should be addressed in the training because a lot of time and resources can be spent reading and forwarding hoax emails. Some hoaxes warn of a virus and tell users to delete valid and sometimes important system files.</p><p>Malware is the shortened version of the words ‘Malicious Software’. It refers to software programs designed to damage or do other unwanted actions on a computer system. Malware is broken into these categories:</p><p><strong>Viruses</strong>: A malicious software program that, when executed, replicates itself by modifying other computers programs and inserting its own code.</p><p><strong>Worms</strong>: A computer worm is a stand-alone malicious program that can self-replicate itself to uninfected computers.</p><p><strong>Trojans</strong>: A ‘Trojan’ or ‘Trojan Horse’ is any malicious computer program which misleads users of its true intent.</p><p><strong>Spyware</strong>: Spyware is software that aims to gather information about a person or organization without knowledge and reports to the software’s author.</p><p><strong>Adware</strong>: Adware is used to presents unwanted advertisements to the users of the computer.</p><h2 id="m_4884422691552917800appendix-d">Appendix D: Forms and Templates</h2><p><em>Please note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.</em></p><p><strong>1. Rules of Behavior for General Users</strong></p><p>These <em>Rules of Behavior (RoB) for General Users</em> apply to all HHS personnel (employees, contractors, interns, etc.) and any other individuals who are granted access to HHS/OpDiv information resources and IT systems. Users of HHS/OpDiv information, IT resources and information systems must read, acknowledge, and adhere to the following rules prior to accessing data and using HHS/OpDiv information and IT resources.</p><p><strong>1.1. HHS/OpDiv Information and IT Resources</strong></p><p>When using and accessing HHS/OpDiv information and IT resources, I understand that I must:</p><ol type="A"><li>Comply with federal laws, regulations, and HHS/OpDiv policies, standards, and procedures and that I must not violate, direct, or encourage others to violate HHS/OpDiv policies, standards, or procedures.</li><li>Not allow unauthorized use and access to HHS/OpDiv information and IT resources.</li><li>Not circumvent or bypass security safeguards, policies, systems’ configurations, or access control measures unless authorized in writing.</li><li>Limit personal use of information and IT resources so that it:<ol type="a"><li>Involves no more than minimal additional expense to the government</li><li>Is minimally disruptive to my personal productivity</li><li>Does not interfere with the mission or operations of HHS</li><li>Does not violate HHS/OpDiv security and privacy policies.</li></ol></li><li>Refrain from using GFE, email, third-party websites, and applications (TPWAs) (e.g., HHS/OpDiv social media sites and cloud services, etc.) and other HHS/OpDiv information resources for activities that are not related to any legitimate/officially sanctioned HHS/OpDiv business purpose, except for the limited personal use stated above.</li><li>Complete all mandatory training (e.g., security and privacy awareness, role-based training, etc.) when initially granted access to HHS/OpDiv systems and periodically thereafter as required by HHS/OpDiv policies.</li><li>Be accountable for my actions while accessing and using HHS/OpDiv information, information systems and IT resources.</li><li>Not reconfigure systems and modify GFE, install/load unauthorized/unlicensed software or make configuration changes without proper official authorization.</li><li>Properly secure all GFE, including laptops, mobile devices, and other equipment that store, process, and handle HHS/OpDiv information, when leaving them unattended either at the office and other work locations, such as home, hoteling space, etc. and while on travel. This includes locking workstations, laptops, storing GFE in a locked drawer, cabinet, or simply out of plain sight, and removing my PIV card from my workstation.</li><li>Must return all GFEs and Government issued PIV Card on or before last day of employment or contract termination.</li><li>Report all suspected and identified information security incidents and privacy breaches to the Helpdesk, HHS/OpDiv Computer Security Incident Response Center (CSIRC), or OpDiv Computer Security Incident Response Team (CSIRT) as soon as possible, without unreasonable delay and no later than within <em><strong>one (1) hour</strong></em> of occurrence/discovery.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn11">11</a></li></ol><p><strong>1.2. No Expectation of Privacy</strong></p><p>When using and accessing HHS/OpDiv information and IT resources, I understand that I would have no expectation of Privacy. I acknowledge the following:</p><ol type="A"><li>There would be no expectation of privacy when using HHS/OpDiv information resources, systems and GFE and may be monitored, recorded, and audited at any time.</li><li>My use any HHS/OpDiv information resources, systems and GFE is with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. § 552 or other applicable legal authority.</li><li>My electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or Department/OpDiv personnel when related to the performance of their duties at any time. For example, after obtaining management approval, HHS/OpDiv authorized technical staff may employ monitoring tools in order to maximize the utilization of HHS/OpDiv resources.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn12">12</a></li></ol><p><strong>1.3. Password Requirement</strong></p><p>When creating and managing my password, I understand that I must comply with the following baseline requirements:</p><ol type="A"><li>Comply with all HHS/OpDiv password requirements.</li><li>Create passwords with minimum of 15 characters.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn13">13</a></li><li>Not use common or compromised passwords.</li><li>Protect my passwords, Personal Identity Verification (PIV) card, Personal Identification Numbers (PIN) and other access credentials from disclosure and compromise.</li><li>Promptly change my password if I suspect or receive notification that it has been compromised.</li><li>Immediately select a new password upon account recovery.</li><li>Not use another person’s account, identity, password/passcode/PIN, or PIV card or allow others to use my GFE and/or other HHS/OpDiv information resources provided to me to perform my official work duties and tasks. This includes not sharing passwords or provide passwords to anyone, including system administrators.</li><li>Only use authorized credentials, including PIV card, to access HHS/OpDiv systems and facilities and will not attempt to bypass access control measures.</li><li>Select the PIV card to conduct HHS/OpDiv business whenever possible when both the PIV and password options are available for authentication.</li></ol><p><strong>1.4. Internet and Email</strong></p><p>When accessing and using the internet and email, I understand that I must:</p><ol type="A"><li>Not access HHS/OpDiv Webmail from the public internet.</li><li>Handle personal devices in the following manner:<ol type="a"><li>Not connecting personal devices to HHS/OpDiv systems without proper official authorization</li><li>Not conducting official HHS/OpDiv business using non-HHS/OpDiv email or personal online storage/service accounts without written authorization from HHS/OpDiv or OpDiv CISO or designee</li><li>Not using personal devices, non-HHS/OpDiv email, and unauthorized third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, process HHS/OpDiv information, and conduct HHS/OpDiv business without proper official authorization such as written approval from the HHS/OpDiv or OpDiv CISO or their designee.</li></ol></li><li>Not automatically (auto) forward HHS/OpDiv email to any internal and external email sources or forwarding email/files that contain HHS/OpDiv information to unauthorized systems and devices that are used for non-HHS/OpDiv and non-OpDiv business purposes.</li><li>Not use an HHS/OpDiv email address and other information resources to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or Website, and signing up for personal memberships that are not work related.</li><li>Not provide official HHS/OpDiv information to an unsolicited email if prohibited. If an email is received from any source requesting personal or organizational information or asking to verify accounts or security settings, I will report the incident to the Helpdesk and/or the CSIRC/ CSIRT immediately.</li><li>Only disseminate authorized HHS/OpDiv information related to my official job and duties at HHS/OpDiv to internal and external sources.</li><li>Not upload or disseminate information which is at odds with departmental missions or positions or without proper authorization, which could create the perception that the communication was made in my official capacity as a federal government employee or contractor.</li><li>Not connect GFE or contractor-owned equipment to unsecured Wi-Fi networks (e.g. airports, hotels, restaurants, etc.) and public Wi-Fi to conduct HHS/OpDiv business unless Wi-Fi access is at a minimum, protected with an unshared, unique user password access.</li></ol><p><strong>1.5. Data Protection</strong></p><p>When handling and accessing HHS/OpDiv information, I understand that I must:</p><ol type="A"><li>Take all necessary precautions to protect HHS/OpDiv information and IT assets, including but not limited to hardware, software, sensitive information, including but not limited to PII, PHI, federal records [media neutral], and other HHS/OpDiv information from unauthorized access, use, modification, destruction, theft, disclosure, loss, damage, or abuse, and in accordance with <a href="http://intranet.hhs.gov/it/cybersecurity/policies/index.html">HHS/OpDiv policies</a>.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn14">14</a></li><li>Protect sensitive information (e.g., sensitive information, such as confidential business information, PII, PHI, financial records, proprietary data, etc.) at rest (stored on laptops or other computing devices) regardless of media or format, from disclosure to unauthorized persons or groups. This includes, but is not limited to:<ol type="a"><li>Never store sensitive information in public folders, unauthorized devices/services or other unsecure physical or electronic locations</li><li>Always encrypt sensitive information at rest and in transit (transmitted via email, attachment, media, etc.)</li><li>Always disseminate passwords and encryption keys out of band (e.g., via text message, in person, or phone call) or store password and encryption keys separately from encrypted files, devices and data when sending encrypted emails or transporting encrypted media</li><li>Access or use sensitive information only when necessary to perform job functions, and do not access or use sensitive information for anything other than authorized purposes</li><li>Securely dispose of electronic media and papers that contain sensitive data when no longer needed, in accordance with the HHS/OpDiv Policy for Records Management and federal guidelines.</li></ol></li><li>Immediately report all suspected and known security incidents (e.g., GFE loss or compromise, violation of security policies, etc.), privacy breaches (e.g., loss, compromise, or unauthorized access, or use of PII/PHI), and suspicious activities to the Helpdesk and/or CSIRC/CSIRT at <a href="mailto:CSIRC@HHS.gov">CSIRC@HHS.gov</a> or call 1-866-646-7514 pursuant to HHS/OpDiv incident response policies and/or procedures.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn15">15</a></li><li>Not take permanently issued GFE devices with me during official foreign travel. Only carry loaner GFE (including mobile computing, phone, and storage devices) during official foreign travel. If there is a need to take GFE on personal foreign travel, submit a request and get approved by a designated government official within the OpDiv. Upon approval, obtain a loaner GFE and adhere to the HHS policy in the memorandum <a href="https://intranet.hhs.gov/about-hhs/national-security/policy/gfe-foreign-travel-2018">Use of Government Furnished Equipment (GFE) During Foreign Travel</a>. Additional requirements include:<ol type="a"><li>Reviewing Office of Security and Strategic Information (OSSI) requirements and the requirements within the <a href="https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda">Memorandum on the Use of GFE During Foreign Travel</a> prior to traveling abroad with GFE or to conduct HHS/OpDiv business</li><li>Notifying my Personnel Security Representative (PSR) when there is a need to bring GFE on foreign travel (per requirements defined by the OSSI in accordance with the <a href="https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda">Memorandum on the Use of GFE During Foreign Travel</a>).</li></ol></li></ol><p><strong>1.6. Privacy</strong></p><p>I understand that if I am working with PII, I must:</p><ol type="A"><li>Protect PII<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn16">16</a> from inappropriate disclosure, loss, or compromise.</li><li>Only collect, use, maintain, and disclose PII that is directly relevant and necessary to accomplish a legally authorized purpose.</li><li>Disclose PII only to those who need to know the information to execute their work and are authorized to receive it.</li><li>Comply with applicable legal and regulatory privacy safeguards. For example:<ol type="a"><li>Report suspected or confirmed breaches of PII in accordance with the <a href="https://intranet.hhs.gov/working-at-hhs/cybersecurity/hhs-policy-for-preparing-for-and-responding-to-a-pii-breach"><em>HHS/OpDiv Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII</em>)</a></li><li>Submit a privacy impact assessment (PIA) for systems or electronic information collections collecting PII.</li></ol></li><li>Be transparent about information policies and practices with respect to PII, provide clear and accessible notice regarding collection, use, maintenance, and disclosure of PII, and seek consent for the collection, use, and disclosure of PII as appropriate.</li><li>Enable individuals to access, correct, or amend their PII as appropriate, and ensure PII is accurate, relevant, timely and complete to guarantee fairness to individuals.</li><li>Not access PII unless specifically authorized and required as part of assigned duties.</li><li>Collect, use, and disclose PII only for the purposes for which it was collected and consistent with conditions set forth in stated privacy notices such as those provided to individuals at the point of data collection or published in the <a href="https://www.hhs.gov/foia/privacy/sorns/index.html">HHS' SORN website</a> (to include <a href="https://www.opm.gov/information-management/privacy-policy/privacy-references/sornguide.pdf">System of Records Notices [SORNs]</a>).</li><li>Maintain no record describing how an individual exercises his or her First Amendment rights, unless it is expressly authorized by statute or by the individual about whom the record is maintained, or is pertinent to and within the scope of an authorized law enforcement activity.</li><li>Consult with my OpDiv privacy program or Senior Official for Privacy (SOP)<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn17">17</a> before initiating or making significant changes<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn18">18</a> to a system or collection of PII.</li></ol><p><strong>1.7. Telework and GFE</strong></p><p>When teleworking, I understand that I must:</p><ol type="A"><li>Telework only when approved by management and conduct myself with the same professionalism remotely as required in the workplace.</li><li>Safeguard any GFE provided for telework.</li><li>Safeguard HHS/OpDiv information, equipment, including GFE. Protecting HHS/OpDiv information including PII, CUI and any sensitive information is just as important at a telework location as it is in an HHS/OpDiv building.</li><li>Only connect additional devices to GFE as necessary to conduct official government business with OpDiv approval, if the devices are not on the prohibited vendor list.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn19">19</a><ol type="a"><li>Only connect GFE to printers by opening a ticket with the helpdesk.</li><li>Contact OpDiv Help Desk to have drivers installed to GFE prior to connecting printer.</li><li>Connect printers to GFE via USB or other physical port. Wireless connections between GFE and printers may require OpDiv approval.</li></ol></li><li>Not install any software to GFE whether it is free or free downloadable unless authorized or approved.</li><li>Use my home Wi-Fi network to provide the connectivity for telework but my home networks must be set up in accordance with guidance from HHS/OpDiv or OpDiv;<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn20">20</a></li><li>Not connect hardware to GFE via Bluetooth unless necessary for official use must keep Bluetooth turned off and only turn on when needed.</li><li>Protect all sensitive information, including CUI and PII.</li></ol><p><strong>1.8. Strictly Prohibited Activities</strong></p><p>When using federal government systems and equipment, I must refrain from the following activities, which are strictly prohibited:</p><ol type="A"><li>Accessing any social media websites (such as YouTube, Twitter, Facebook, etc.) while utilizing GFE, unless required for official HHS/OpDiv business.</li><li>Accessing, downloading, or clicking on unknown links, particularly on social media sites such as “Malware Alert notices”.</li><li>Clicking on links or open attachments sent via email or text message Web links from untrusted sources and verify information from trusted sources before clicking attachments. I must report suspected phishing attempts using the Report Phishing button or forward suspicious emails as an attachment to <a href="mailto:Spam@hhs.gov">Spam@hhs.gov</a>.</li><li>Engaging in activities that could cause congestion, delay, or disruption of service to any HHS/OpDiv information resource (e.g., sending chain letters via email, playing streaming videos, games, music, etc.).</li><li>Accessing, downloading and/or uploading unethical, illegal, or criminal content from/to the internet (e.g., pornographic, and sexually explicit materials, illegal weapons, criminal and terrorism activities, and other illegal actions or activities).</li><li>Sending, retrieving, viewing, displaying, or printing sexually explicit, suggestive, or pornographic text or images, or other offensive material (e.g., vulgar material, racially offensive material, etc.).</li><li>Using non-public HHS/OpDiv data for private gain or to misrepresent myself or HHS/OpDiv or for any other unauthorized purpose.</li><li>Sending messages supporting or opposing partisan political activity as restricted under the <a href="https://osc.gov/Services/Pages/HatchAct.aspx">Hatch Act </a> and other federal laws and regulations.</li><li>Engaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity.</li><li>Using HHS/OpDiv information resources for activities that are inappropriate or offensive to fellow personnel or the public (e.g., hate speech or material that ridicules others on the basis of race, creed, religion, color, age, gender, disability, national origin, or sexual orientation).</li><li>Creating a website, TPWA, or social media site on behalf of HHS/OpDiv or uploading content to a website, TPWA, or social media site without proper official authorization.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn21">21</a></li><li>Sending or forwarding chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages except when forwarding to report this activity to authorized recipients.</li><li>Using peer-to-peer (P2P) software except for secure tools approved in writing by the OpDiv CIO (or designee) to meet business or operational needs. </li><li>Creating and/or operating unapproved/unauthorized Web sites or services.</li><li>Using, storing, or distributing, unauthorized copyrighted or other intellectual property.</li><li>Using HHS/OpDiv information, systems, and devices to send or post threatening, harassing, intimidating, or abusive material about anyone in public or private messages or any forums.</li><li>Exceeding authorized access to sensitive information.</li><li>Using HHS/OpDiv GFE for commercial or for-profit activity, shopping, instant messaging (for unauthorized and non-work-related purposes), managing outside employment or business activity, or running personal business, playing games, gambling, watching movies, accessing unauthorized sites, or hacking.</li><li>Using an official HHS/OpDiv e-mail address to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or website, and signing up for personal memberships. Professional groups or memberships related to job duties at HHS/OpDiv are permissible.</li><li>Removing data or equipment from the agency premises without proper authorization.</li><li>Sharing, storing, or disclosing sensitive information with third-party organizations and/or using third-party applications (e.g., Drop Box, Evernote, iCloud, etc.) unless, in very limited circumstances, is authorized by HHS/OpDiv or OpDiv CISO or designee.</li><li>Storing sensitive data in external platforms, such as personal Google Docs.</li><li>Transporting, transmitting, e-mailing, texting, remotely accessing, or downloading sensitive information unless such action is explicitly permitted in writing by the manager or owner of such information and appropriate safeguards are in place per HHS/OpDiv policies concerning sensitive information.</li><li>Knowingly or willingly concealing, removing, mutilating, obliterating, falsifying, or destroying HHS/OpDiv information.</li><li>Accessing or visiting any unknown website(s) which may be infected with malware, responding to phishing emails, storing credentials in an unsecured location. This may cause to create an Incident and require having additional Awareness and Security training.</li><li>Using any file sharing program without agency’s permission.</li></ol><p><strong>Signature</strong></p><p>I have read the above <em>Rules of Behavior for General Users</em> and understand and agree to comply with the provisions stated herein. I understand that violations of these RoB or HHS/OpDiv information security policies and standards may result in disciplinary action and that these actions may include reprimand, suspensive of access privileges, revocation of access to federal information, IT resources, information systems, and/or facilities, deactivation of accounts, suspension without pay, monetary fines, termination of employment; removal or debarment from work on federal contracts or projects; criminal charges that may result in imprisonment.</p><p>I understand that exceptions to these RoB must be authorized in advance in writing by the designated authorizing officials. I also understand that violation of federal laws, such as the Privacy Act of 1974, copyright law, and 18 USC 2071, which the HHS/OpDiv RoB draw upon, can result in monetary fines and/or criminal charges that may result in imprisonment.</p><p>User’s Name:</p><p>(Print)</p><p>User’s Signature:</p><p>Date Signed:</p><p><strong>2. Rules of Behavior for Privileged Users</strong></p><p>The following <em>HHS/OpDiv Rules of Behavior (RoB) for Privileged Users</em> is an addendum to the <em>Rules of Behavior for General Users </em>and provides mandatory rules on the appropriate use and handling of HHS/OpDiv information technology (IT) resources for all HH privileged users, including federal employees, interns, contractors, and other staff who possess privileged access to HHS/OpDiv information systems.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn22">22</a> Privileged users have network accounts with elevated privileges that grant them greater access to IT resources than non-privileged users. These privileges are typically allocated to system, network, security, and database administrators, as well as other IT administrators.<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn23">23</a> The compromise of a privileged user account may expose HHS/OpDiv to a high-level of risk; therefore, privileged user accounts require additional safeguards.</p><p>A privileged user is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. System accounts and level of privilege vary dependent upon the role being fulfilled. A privileged user has the potential to compromise the three security objectives of confidentiality, integrity, and availability. Such users include, for example, security personnel or system administrators who are responsible for managing restricted physical locations or shared IT resources and have been granted permissions to create new user accounts, modify user privileges, as well as make system changes. Examples of privileged users include (but are not limited to):</p><ol type="A"><li>Application developer</li><li>Database administrator</li><li>Domain administrator</li><li>Data center operations personnel</li><li>IT tester/auditor</li><li>Helpdesk support and computer/system maintenance personnel</li><li>Network engineer</li><li>System administrator</li><li>Security Stewards</li></ol><p>Privileged users must read, acknowledge, and adhere to the RoB for Privileged User and any other HHS/OpDiv policy or guidance for privileged users, prior to obtaining access and using HHS/OpDiv information, IT resources and information systems and/or networks in a privileged role. The same signature acknowledgement process followed for the Appendix D, General User RoB, applies to the privileged user accounts. Each OpDiv must maintain a list of privileged users, the privileged accounts those users have access to, the permissions granted to each privileged account, and the authentication technology or combination of technologies required to use each privileged account<a href="https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn24">24</a>.</p><p><strong>Following is the RoB for a privileged user.</strong></p><p>I understand that as a privileged user, I must:</p><ol type="A"><li>Use privileged user accounts appropriately for their intended purpose and only when required for official duties.</li><li>Comply with all privileged user responsibilities in accordance with the HHS Policy for Information Security and Privacy Protection (IS2P) and any other applicable HHS and OpDiv policies.</li><li>Notify system owners immediately when privileged access is no longer required.</li><li>Properly protect all information, including media, hard copy reports and documentation as well as system information in a manner commensurate with the sensitivity of the information and securely dispose of information and GFE that are no longer needed in accordance with HHS/OpDiv sanitization policies.</li><li>Report all suspected or confirmed information security incidents and privacy breaches to the OpDiv Helpdesk, HHS/OpDiv CSIRC, or OpDiv CSIRT as soon as possible, without unreasonable delay and no later than within <em><strong>one (1) hour</strong></em> of occurrence/discovery.</li><li>Complete any specialized role-based security or privacy training as required before receiving privileged system access.</li></ol><p>I understand that as a privileged user, I must <strong>not:</strong></p><ol type="A"><li>Share privileged user account(s), password(s)/passcode(s)/PIV PINs, and other login credentials, including to other system administrators.</li><li>Conduct official HHS/OpDiv business using personal email or personal online storage account.</li><li>Use privileged user access to log into any system for non-elevated duties.</li><li>Install, modify, or remove any system hardware or software unless it is part of my job duties and the appropriate approvals have been obtained or with official written approval.</li><li>Access the internet for any reason while using my privileged account. This includes downloading of files (including patches or updates), etc.</li><li>Remove or destroy system audit logs or any other security, event log information unless authorized by appropriate official(s) in writing.</li><li>Tamper with audit logs of any kind. Note: In some cases, tampering can be considered evidence and can be a criminal offense punishable by fines and possible imprisonment.</li><li>Acquire, possess, trade, or use hardware or software tools that could be employed to evaluate, compromise, or bypass information systems security controls for unauthorized purposes.</li><li>Introduce unauthorized code, Trojan horse programs, malicious code, viruses, or other malicious software into HHS/OpDiv information systems or networks.</li><li>Knowingly write, code, compile, store, transmit, or transfer malicious software code, to include viruses, logic bombs, worms, and macro viruses.</li><li>Use privileged user account(s) for day-to-day communications and other non-privileged transactions and activities.</li><li>Elevate the privileges of any user without prior approval from the system owner.</li><li>Use privileged access to circumvent HHS/OpDiv policies or security controls.</li><li>Access information outside of the scope of my specific job responsibilities or expose non-public information to unauthorized individuals.</li><li>Use a privileged user account for web access except in support of administrative related activities.</li><li>Use any unknown website(s) which may be infected with malware and responding to phishing emails. If I use, I will report to OpDiv Helpdesk, HHS/OpDiv CSIRC, or OpDiv CSIRT as soon as possible, without unreasonable delay and no later than within <em><strong>one (1) hour</strong></em> of occurrence/discovery.</li><li>Use any file sharing program without HHS/OpDiv’s permission.</li><li>Modify security settings on system hardware or software without the approval of a system administrator and/or a system owner.</li><li>Use systems (either government issued or non-government) without the following protections in place to access sensitive HHS/OpDiv information:<ul type="circle"><li>Antivirus software with the latest updates</li><li>Anti-spyware and personal firewalls</li><li>A time-out function that requires re-authentication after no more than 30 minutes of inactivity on remote access</li><li>Approved encryption to protect sensitive information stored on recordable media, including laptops, USB drives, and external disks; or transmitted or downloaded via e-mail or remote connections.</li></ul></li></ol><p><strong>Signature</strong></p><p>I have read the above <em>Rules of Behavior (RoB) for Privileged User</em>s and understand and agree to comply with the provisions stated herein. I understand that violations of these RoB or HHS/OpDiv information security policies and standards may result in disciplinary action and that these actions may include reprimand, suspensive of access privileges, revocation of access to federal information, information systems, and/or facilities, deactivation of accounts, suspension without pay, monetary fines, termination of employment; removal or debarment from work on federal contracts or projects; criminal charges that may result in imprisonment. I understand that exceptions to these RoBmust be authorized in advance in writing by the designated authorizing official(s).</p><p>User’s Name:</p><p>(Print)</p><p>User’s Signature:</p><p>Date Signed:</p><h2 id="m_4884422691552917800appendix-e">Appendix E: References</h2><p><strong>Statutes</strong></p><ul type="disc"><li>Overview of the Privacy Act of 1974, 2020 Edition (<a href="http://justice.gov/">justice.gov</a>): <a href="https://www.justice.gov/Overview_2020/download">https://www.justice.gov/Overview_2020/download</a>.</li><li>Executive Order (EO) 13556, <em>Controlled Unclassified Information (CUI), </em>November 2010, <a href="https://www.govinfo.gov/content/pkg/FR-2010-11-09/pdf/2010-28360.pdf">https://www.govinfo.gov/content/pkg/FR-2010-11-09/pdf/2010-28360.pdf</a>.</li><li>EO 14028, <em>Improving the Nation's Cybersecurity</em>, May 2021, <a href="https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/">https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/</a>.</li><li>Federal Information Security Modernization Act of 2014 (FISMA), Pub. L. No. 113-283, 128 Stat. 3073, codified at 44 U.S.C. Chapter 35, Subchapter II, <a href="https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf">https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf</a>.</li></ul><p><strong>NIST Guidance</strong></p><ul type="disc"><li>National Institute of Standards and Technology (NIST) Special Publication (SP) 800-12 Revision 1, <em>An Introduction to Information Security</em>, June 2017, <a href="https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final">SP 800-12 Rev. 1, An Introduction to Information Security | CSRC (nist.gov)</a>.</li><li>NIST SP 800-18 Rev.1, <em>Guide for Developing Security Plans for Federal Information Systems</em>, February 2006, <a href="http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf">http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf</a>.</li><li>NIST SP 800-37 Revision 2, <em>Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy</em>, December 2018, <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf">Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (nist.gov)</a>.</li><li>NIST SP 800-53 Rev.5, <em>Security and Privacy Controls for Information Systems and Organizations</em>, December 2020, <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf</a>.</li><li>NIST SP 800-63B, <em>Digital Identity Guidelines: Authentication and Lifecycle Management</em>, March 2020, <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf</a>.</li><li>NIST SP 800-88 Rev.1, <em>Guidelines for Media Sanitization, </em>December 2014<em>,</em> <a href="http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf">http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf</a>.</li><li>NIST SP 800-137, <em>Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations</em>, September 2011, <a href="http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf">http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf</a>.</li><li>NIST SP 800-209,<em> Security Guidelines for Storage Infrastructure,</em> October, 2020, <a href="https://csrc.nist.gov/publications/detail/sp/800-209/final">https://csrc.nist.gov/publications/detail/sp/800-209/final</a>.</li><li>NIST White Paper, <em>Best Practices for Privileged User PIV Authentication,</em> April 21, 2016, <a href="http://csrc.nist.gov/publications/papers/2016/best-practices-privileged-user-piv-authentication.pdf">http://csrc.nist.gov/publications/papers/2016/best-practices-privileged-user-piv-authentication.pdf</a>.</li></ul><p><strong>OMB Circulars and Memoranda</strong></p><ul type="disc"><li>Office of Management and Budget (OMB) Circular A-123<em>, Management’s Responsibility for Enterprise Risk Management and Internal Control</em>, as amended, <a href="https://www.whitehouse.gov/omb/information-for-agencies/circulars">https://www.whitehouse.gov/omb/information-for-agencies/circulars</a>.</li><li>OMB Circular A-130, <em>Managing Information as a Strategic Resourc</em>e, July 2016, <a href="https://www.whitehouse.gov/omb/information-for-agencies/circulars">https://www.whitehouse.gov/omb/information-for-agencies/circulars</a>.</li><li>OMB M-17-09, <em>Management of High Value Assets</em>, December 2016, <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-09.pdf">Memorandum for Heads of Executive Departments and Agencies (whitehouse.gov)</a>.</li><li>OMB Memorandum M-17-12, <em>Preparing for and Responding to a Breach of Personally Identifiable Information</em>, January 2017, <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf">Memorandum for Heads of Executive Department and Agencies (whitehouse.gov)</a>.</li><li>OMB M-18-02, <em>Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management Requirements</em>,October 2017, <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/M-18-02%20%28final%29.pdf">M-18-02 (whitehouse.gov)</a>.</li><li>OMB M-22-09, <em>Moving the U.S. Government Toward Zero Trust Cybersecurity Principles</em>, January 2022, <a href="https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf">https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf</a>.</li></ul><p><strong>HHS Policies and Memoranda</strong></p><p>All HHS Policies may be found at <a href="https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides">https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides</a>. These policies may be updated, and the current version should be used.</p><ul type="disc"><li><em>HHS Policy and Plan for Preparing for and Responding to a Breach of PII</em>, May 2020.</li><li><em>HHS Policy Exception/Risk Based Exception Form, </em>July 2019.</li><li><em>HHS Standard for Encryption of Computing Devices and Information</em>, December 2016.</li><li><em>HHS Policy for Information Security and Privacy Protection (IS2P)</em>, November 2021.</li><li><em>Policy for Monitoring Employee Use of HHS IT Resources</em>, June 2013</li><li><em>Updated Department Standard Warning Banner</em>, November 2016.</li><li><em>Usage of Unauthorized External Information Systems to Conduct Department Business</em>, January 8, 2014.</li><li><em>Use of GFE during Foreign Travel</em>, February 2021</li></ul><h2 id="m_4884422691552917800glossary-acronyms">Glossary and Acronyms</h2><p><strong>Audit Log -</strong> A chronological record of information system activities, including records of system accesses and operations performed in each period. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-171</a>)</p><p><strong>Authentication -</strong> A process that provides assurance of the source and integrity of information that is communicated or stored, or that provides assurance of an entity’s identity. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-175A</a>)</p><p><strong>Backup (system backup)</strong> - The process of copying information or processing status to a redundant system, service, device, or medium that can provide the needed processing capability when needed. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-152</a>)</p><p><strong>Breach</strong> - The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses PII or (2) an authorized user accesses or potentially accesses PII for another than authorized purpose. (Source: <a href="https://osec.doc.gov/opog/privacy/Memorandums/OMB_M-17-12.pdf">OMB M-17-12</a>)</p><p><strong>Cloud Service -</strong> External service that enable convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-144</a>)</p><p><strong>Compromise</strong> - The unauthorized disclosure, modification, substitution or use of sensitive data (e.g., keying material and other security-related information). (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-175B</a>)</p><p><strong>Confidentiality</strong> - The property that sensitive information is not disclosed to unauthorized entities. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-175A</a>)</p><p><strong>Controlled Unclassified Information (CUI)</strong> - Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. (Source: <a href="https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information">Executive Order 13556</a>) <strong>Note: </strong>See sensitive information definition below.</p><p><strong>CUI Privacy</strong> – A category of CUI. Refers to personal information, or, in some cases, "personally identifiable information," as defined in OMB M-17-12, or "means of identification" as defined in 18 USC 1028(d)(7). (Source: NARA, <a href="https://www.archives.gov/cui/registry/category-list">CUI Registry</a>)<strong> </strong></p><p><strong>CUI Privacy-Health Information</strong> – A subcategory of CUI Privacy. As per 42 USC 1320d(4), "health information" means any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. (Source: NARA, <a href="https://www.archives.gov/cui/registry/category-list">CUI Registry</a>)</p><p><strong>Direct Application Access</strong> - A high-level remote access architecture that allows teleworkers to access an individual application directly, without using remote access software. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST 800-46 Revision 2</a>)</p><p><strong>External Email Source </strong>– Defined as an email that is not an official HHS.gov email account. (Source: HHS-defined)</p><p><strong>External Information System (or component) </strong>– An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-53</a>; <a href="https://www.cnss.gov/CNSS/issuances/Instructions.cfm">CNSSI-4009</a>)</p><p><strong>Federal Information - </strong>Information created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form. (Source: <a href="https://www.whitehouse.gov/omb/information-for-agencies/circulars">OMB Circular A-130</a>, <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf">OMB Memorandum M-17-12</a>)</p><p><strong>Federal Information System</strong> - An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-53 Revision 5</a>)</p><p><strong>Full Disk Encryption (FDE)</strong> - The process of encrypting all the data on the hard drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-111</a>)</p><p><strong>General Users</strong> - A user who has only general access to HHS information resources (not greater access to perform security relevant functions). (Source: HHS-defined)</p><p><strong>HHS Information Technology (IT) Assets </strong>- Defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of HHS. (Source: HHS-defined)</p><p><strong>HHS Information Assets </strong>– Defined as any information created, developed, used for or on behalf of HHS. This includes information in electronic, paper, or another medium format. (Source: HHS-defined)</p><p><strong>Hoteling Space </strong>– Defined as a term that involves temporary or shared space for working and workstation usage. (Source: HHS-defined)</p><p><strong>Incident</strong> - An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. (Source: <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf">OMB Memorandum M-17-12</a>)</p><p><strong>Information Resources</strong> - Information and related resources, such as personnel, equipment, funds, and information technology. (Source: <a href="https://www.govinfo.gov/app/details/USCODE-2011-title44/USCODE-2011-title44-chap35-subchapI-sec3502">44 U.S.C., Sec. 3502</a>, <a href="https://www.cnss.gov/CNSS/issuances/Instructions.cfm">CNSSI No. 4009</a>)</p><p><strong>Information System (IS) </strong>- A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information. Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. (Source: <a href="https://www.govinfo.gov/app/details/USCODE-2011-title44/USCODE-2011-title44-chap35-subchapI-sec3502">44 U.S.C. Sec 3502</a>, <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf">OMB Circular A-130</a>)</p><p><strong>Information Technology (IT)</strong> - Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use. (Source: <a href="https://www.whitehouse.gov/omb/information-for-agencies/circulars">OMB Circular A-130</a>)</p><p><strong>Integrity</strong> - The property that protected data has not been modified or deleted in an unauthorized and undetected manner. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-175A</a>)</p><p><strong>Logic Bomb</strong> - A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-12rev1</a>)</p><p><strong>Macro Virus</strong> - A specific type of computer virus that is encoded as a macro embedded in some document and activated when the document is handled. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-28ver1</a>)</p><p><strong>Media</strong> - Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-53 Revision 5</a>) <strong>Note: </strong>Also see Removable Media.</p><p><strong>Mobile Device</strong> - A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-79-2</a>)</p><p><strong>Mobile Device Management - </strong>Mobile enterprise security technology used to address security requirements. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-163</a>)</p><p><strong>Mobile Hotspot</strong> - A mobile hotspot is an offering by various telecom providers to provide localized Wi-Fi. With a hotspot, an adapter or device allows computer users to connect to the internet from approved and/or unapproved locations. Mobile hotspots are advertised as an alternative to the traditional practice of logging onto a local area network or other wireless networks from a personal computer (PC). Although mobile hotspots could be used for other kinds of devices, they are most commonly associated with laptop computers because laptop computers are a type of "hybrid" device that may roam but doesn’t usually come with built-in mobile Wi-Fi. (Source: <a href="https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering">https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering</a>)</p><p><strong>Mobile Tethering -</strong> Mobile tethering is slightly different from a mobile hot spot and the mobile tethering must be approved by OpDivs. A tethering strategy involves connecting one device without Wi-Fi to another device that has Wi-Fi connectivity. For example, a user could tether a laptop to a smartphone through cabling or through a wireless connection. This would allow for using the computer on a connected basis. When tethering involves a wireless setup, it closely resembles a mobile hotspot. In fact, though, there are some fairly significant differences between tethering and hotspots in both design and implementation. While a mobile hotspot frequently serves multiple devices in a setup that looks like a local area network, tethering is a practice that has the connotation of being between only two devices. (Source: <a href="https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering">https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering</a>)</p><p><strong>Personal Identity Verification (PIV) Card</strong> -The physical artifact (e.g., identity card, “smart” card) issued to an applicant by an issuer contains stored identity markers or credentials (e.g., a photograph, cryptographic keys, digitized fingerprint representations) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable) (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-79 Revision 2</a>)</p><p><strong>Personally Identifiable Information (PII)</strong> - Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (Source: <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf">OMB M-17-12</a>, <a href="https://www.whitehouse.gov/omb/information-for-agencies/circulars">OMB Circular A-130</a>)</p><p><strong>Personally Owned Device</strong> A non-organization-controlled client device owned by an individual. These client devices are controlled by the owner, who is fully responsible for securing them and maintaining their security. (Source: Adapted from <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-46 Revision 2</a>).<strong> Note</strong>: Also referred to as a Bring Your Own Device (BYOD).</p><p><strong>Privacy Impact Assessment </strong>- An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns. A PIA is both an analysis and a formal document detailing the process and the outcome of the analysis. (Source: <a href="https://www.whitehouse.gov/omb/information-for-agencies/circulars">OMB Circular A-130</a>)</p><p><strong>Privileged User</strong> - A user who is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. Privileged users have network accounts with privileges that grant them greater access to IT resources than general (i.e., non-privileged) users have. These privileges are typically allocated to system, network, security, and database administrators, as well as another IT administrator. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-53 Revision 5</a>)</p><p><strong>Protected Health Information (PHI)</strong> - Individually identifiable health information (IIHI) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-122</a>)</p><p><strong>Remote Access</strong> - The ability for an organization’s users to access its non-public computing resources from external locations other than the organization’s facilities. (Source: <a href="https://www.cnss.gov/CNSS/issuances/Instructions.cfm">CNSSI 4009</a>) <strong>NOTE</strong>: Per <a href="https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final">NIST SP 800-53 Revision 5</a>, this also applies to a process acting on behalf of a user.</p><p><strong>Remote Access Method</strong> <strong>- </strong>Mechanisms that enable users to perform remote access. There are four types of remote access methods: tunneling, portals, remote desktop access, and direct application access. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-46 Revision 2</a>)</p><p><strong>Remote Desktop Access</strong> - A high-level remote access architecture that gives a teleworker the ability to remotely control a particular desktop computer at the organization, most often the user’s own computer at the organization’s office, from a telework client device. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-46 Revision 2</a>)</p><p><strong>Removable Media</strong> - Portable data storage medium that can be added to or removed from a computing device or network. Note: Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable hard drives; external/removable Solid-State Disk (SSD) drives; magnetic/optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external / removable disks (floppy, Zip, Jaz, Bernoulli, UMD). (Source: <a href="https://www.cnss.gov/CNSS/issuances/Instructions.cfm">CNSSI 4009</a>)</p><p><strong>Sanitize</strong> - A process to render access to Target Data on the media infeasible for a given level of effort. Clear, Purge, and Destroy are actions that can be taken to sanitize media. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-88 Revision 1</a>)</p><p><strong>Sanitization</strong> - A process to render access to target data on the media infeasible for a given level of effort. Clear, purge, and destroy are actions that can be taken to sanitize media. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-53 Revision 5</a>)</p><p><strong>Sensitive Information</strong> - Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Source: <a href="https://doi.org/10.6028/NIST.SP.800-150">NIST SP 800-150</a> under Sensitive Information from <a href="https://doi.org/10.6028/NIST.IR.7298r2">NISTIR 7298 Rev. 2</a>) (See Section 2 Purpose on page 4 for how "sensitive information" is applied within this policy)</p><p><strong>System of Records - </strong>A group of any records under the control of any agency from which information about an individual is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-122</a> and <a href="https://www.justice.gov/opcl/privacy-act-1974#:~:text=The%20Privacy%20Act%20of%201974,of%20records%20by%20federal%20agencies.">The Privacy Act of 1974, as amended, 5 U.S.C. § 552a(a)(5)</a>)</p><p><strong>System-Specific User -</strong> The user of a system that is subject to system-specific ROBs. (Source: HHS-defined)</p><p><strong>Telework</strong> - The ability for an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-46 Revision 2</a>)</p><p><strong>Telework Client Device -</strong> A PC or mobile device. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-46 Revision 2</a>)</p><p><strong>Third Party-Controlled Device</strong> - A client device controlled by a contractor, business partner, or vendor. These client devices are controlled by the remote worker’s employer who is ultimately responsible for securing the client devices and maintaining their security. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-46 Revision 2</a>)</p><p><strong>Unknown Device -</strong> A client device that is owned and controlled by other parties, such as a kiosk computer at hotels, and a PC or mobile device owned by friends and family. The device is labeled as “unknown” because there are no assurances regarding its security posture. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-46 Revision 2</a>)</p><p><strong>Virtual Disk Encryption</strong> - The process of encrypting a container, which can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-111</a>)</p><p><strong>Virtual Private Network (VPN)</strong> - A virtual network, built on top of existing physical networks that provides a secure communications tunnel for data and other information transmitted between networks. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-46 Revision 2</a>)</p><p><strong>Virus</strong> - A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. See malicious code. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-12rev1</a>)</p><p><strong>Worm</strong> - A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. See Malicious Code. (Source: <a href="https://csrc.nist.gov/glossary?index=N">NIST SP 800-12rev1</a>)</p><h3>Acronyms:</h3><p>CIO - Chief Information Officer</p><p>CISO - Chief Information Security Officer</p><p>CSIRC - Computer Security Incident Response Center</p><p>CSIRT - Computer Security Incident Response Team</p><p>CUI - Controlled Unclassified Information</p><p>EO - Executive Order</p><p>FISMA - Federal Information Security Modernization Act of 2014</p><p>HHS - Department of Health and Human Services</p><p>IS2P - Information Systems Security and Privacy Policy</p><p>ISCM - Information Security Continuous Monitoring</p><p>M - Memorandum</p><p>NARA - National Archives and Records Administration</p><p>NIST - National Institute of Standards and Technology</p><p>OCIO - Office of the Chief Information Officer</p><p>OIS - Office of Information Security</p><p>OMB - Office of Management and Budget</p><p>OpDiv - Operating Division</p><p>PHI - Protected Health Information</p><p>PII - Personally Identifiable Information</p><p>RoB - Rules of Behavior</p><p>SP - Special Publication</p><p>USB - Universal Serial Bus</p><h3>Endnotes</h3><p>[1] PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. OMB <em>Circular No. A-130, Managing Information as a Strategic Resource</em>, p. 21. Available at: <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf">Review-Doc-2016--466-1.docx (whitehouse.gov)</a>.</p><p>[2] CUI is defined in <a href="https://www.gpo.gov/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf">Executive Order (EO) 13556</a>, <em>Controlled Unclassified Information (CUI)</em>. HHS currently does not have a CUI policy. There are numerous categories and subcategories of CUI listed in the National Archives and Records Administration (NARA) <a href="https://www.archives.gov/cui/registry/category-list">CUI Registry</a>. Examples of CUI categories include Privacy, Procurement and Acquisition, Proprietary Business Information, and Information Systems Vulnerability Information.</p><p>[3] See <em>Policy for Data Loss Prevention </em>available at: <a href="https://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies">https://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies</a>.</p><p>[4] All third-party web applications, social media sites, storage and cloud services must be authorized prior to use. Only authorized personnel can post only authorized content on public-facing websites and social media sites.</p><p>[5] See definition of sensitive information in the Glossary section.</p><p>[6] See Public Law 115–232, Section 889 Parts A and B (included in FAR 4.21) available at <a href="https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf">https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf</a>. Prohibition includes telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, as well as video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities). For additional information and to verify any countries that are being sanctioned by the US, consult: <a href="https://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx">https://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx</a>. Also, consult the HHS Memorandum, <em>Implementation of the Section 889(a)(1)(B) Prohibition on Contracting with Entities Using Certain Telecommunications and Video Surveillance Services or Equipment</em>, July 29, 2020, available at <a href="https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf">https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf</a>.</p><p>[7] see CISA CAPACITY ENHANCEMENT GUIDE: Printing While Working Remotely, available at <a href="https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf">https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf</a>.</p><p>[8] For additional information, see <a href="https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup">https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup</a> as well as <a href="https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks">https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks</a>.</p><p>[9] Bluetooth is defined as “A wireless protocol that allows two similarly equipped devices to communicate with each other within a short distance (e.g., 30 ft.).” This includes headphones. and For additional information, see <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf</a> and <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2-upd1.pdf">NIST SP 800-121 rev2</a>, available at <a href="https://csrc.nist.gov/publications/sp800">Search | CSRC (nist.gov)</a>.</p><p>[10] See the HHS memorandum <a href="https://intranet.hhs.gov/about-hhs/national-security/policy/gfe-foreign-travel-2018">Use of Government Furnished Equipment (GFE) During Foreign Travel</a></p><p>[11] CSIRC and IRT points of contact are available at: <a href="https://intranet.hhs.gov/about-hhs/org-chart/asa-offices/office-of-the-chief-information-officer-ocio/csirc">https://intranet.hhs.gov/about-hhs/org-chart/asa-offices/office-of-the-chief-information-officer-ocio/csirc</a>. Provide all necessary information that will help with the incident investigation.</p><p>[12] See the HHS memoranda <em>Policy for Monitoring Employee Use of HHS IT Resources</em> and <em>Updated Department Standard Warning Banner</em> available at <a href="https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda">Memoranda | Community for HHS Intranet</a></p><p>[13] See <em>NIST SP 800-209 Security Guidelines for Storage Infrastructure,</em> available at <a href="https://csrc.nist.gov/publications/detail/sp/800-209/final">https://csrc.nist.gov/publications/detail/sp/800-209/final</a>.</p><p>[14] HHS/OpDiv IT assets are defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of HHS. This definition is adapted from NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments, available at <a href="https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final">https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final</a>.</p><p>[15] Please review the <a href="https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf">OMB M-17-12</a> for the specific distinctions between incident response and breach response.</p><p>[16] Personally identifiable information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Office of Management and Budget (OMB). (2016, July 27). <em>Circular No. A-130, Managing Information as a Strategic Resource</em>, p. 21. Available at: <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf">Review-Doc-2016--466-1.docx (whitehouse.gov)</a>.</p><p>[17] To contact your OpDiv SOP, visit <a href="https://www.hhs.gov/web/policies-and-standards/hhs-web-policies/privacy/index.html#HHS-Privacy-Officials">https://www.hhs.gov/web/policies-and-standards/hhs-web-policies/privacy/index.html#HHS-Privacy-Officials</a>.</p><p>[18] Examples of significant changes include, but are not limited to, changes to the way PII are managed in the system, new uses or sharing, and the merging of data sets.</p><p>[19] see CISA CAPACITY ENHANCEMENT GUIDE: Printing While Working Remotely, available at <a href="https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf">https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf</a>.</p><p>[20] For additional information, see <a href="https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup">https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup</a> as well as <a href="https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks">https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks</a>.</p><p>[21] All third-party web applications, social media sites, storage and cloud services must be authorized prior to use. Only authorized personnel can post only authorized content on public-facing websites and social media sites.</p><p>[22] Per NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, privileged roles include, for example, key management, network and system administration, database administration, and Web administration.</p><p>[23] OMB-16-04 available at <a href="https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-04.pdf">Review-Doc-2015-ITOR-315-1.docx (whitehouse.gov)</a><em>, </em>October 30, 2015.</p><p>[24] Per NIST White Paper, <em>Best Practices for Privileged User PIV Authentication,</em> April 21, 2016, available at <a href="https://csrc.nist.gov/publications/detail/white-paper/2016/04/21/best-practices-for-privileged-user-piv-authentication/final">https://csrc.nist.gov/publications/detail/white-paper/2016/04/21/best-practices-for-privileged-user-piv-authentication/final</a>.</p></div></section></div></div></div></div></main><footer class="usa-footer usa-footer--slim"><div class="grid-container"><div class="grid-row flex-align-end"><div class="grid-col"><div class="usa-footer__return-to-top"><a class="font-sans-xs" href="#">Return to top</a></div></div><div class="grid-col padding-bottom-2 padding-top-4 display-flex flex-justify-end"><a class="usa-button" href="/feedback">Give feedback</a></div></div></div><div class="usa-footer__primary-section"><div class="usa-footer__primary-container grid-row"><div class="tablet:grid-col-3"><a class="usa-footer__primary-link" href="/"><img alt="CyberGeek logo" loading="lazy" width="142" height="26" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/CyberGeek-logo.8e9bbd2b.svg"/></a><p class="usa-footer__logo-heading display-none tablet-lg:display-block">The official website of the CMS Information Security and Privacy Group (ISPG)</p></div><div class="tablet:grid-col-12 tablet-lg:grid-col-9"><nav class="usa-footer__nav" aria-label="Footer navigation,"><ul class="grid-row grid-gap"><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="/learn/about-ispg-cybergeek">What is CyberGeek?</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/privacy">Privacy policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/about-cms/information-systems/privacy/vulnerability-disclosure-policy">CMS Vulnerability Disclosure Policy</a></li><li class=" tablet:grid-col-3 desktop:grid-col-auto usa-footer__primary-content "><a class="usa-footer__primary-link" href="https://www.cms.gov/About-CMS/Agency-Information/Aboutwebsite/Policiesforaccessibility">Accessibility</a></li></ul></nav></div></div></div><div class="usa-footer__secondary-section"><div class="grid-container"><div class="usa-footer__logo grid-row grid-gap-2"><div class="mobile-lg:grid-col-3"><a href="https://www.cms.gov/"><img alt="CMS homepage" loading="lazy" width="124" height="29" decoding="async" data-nimg="1" style="color:transparent" src="/_next/static/media/cmsLogo.10a64ce4.svg"/></a></div><div class="mobile-lg:grid-col-7"><p class="font-sans-3xs line-height-sans-3">A federal government website managed and paid for by the U.S. Centers for Medicare & Medicaid Services.</p><address class="font-sans-3xs line-height-sans-3">7500 Security Boulevard, Baltimore, MD 21244</address></div></div></div></div></footer><script>(self.__next_s=self.__next_s||[]).push(["/assets/javascript/uswds.min.js",{}])</script><script src="/_next/static/chunks/webpack-182b67d00f496f9d.js" async=""></script><script>(self.__next_f=self.__next_f||[]).push([0]);self.__next_f.push([2,null])</script><script>self.__next_f.push([1,"1:HL[\"/_next/static/css/ef46db3751d8e999.css\",\"style\"]\n2:HL[\"/_next/static/css/0759e90f4fecfde7.css\",\"style\"]\n"])</script><script>self.__next_f.push([1,"3:I[5751,[],\"\"]\n6:I[9275,[],\"\"]\n8:I[1343,[],\"\"]\nb:I[6130,[],\"\"]\n7:[\"slug\",\"hhs-policy-rules-behavior-use-information-it-resources\",\"d\"]\nc:[]\n0:[\"$\",\"$L3\",null,{\"buildId\":\"m9SaS4P6zugJbBHpXSk5Y\",\"assetPrefix\":\"\",\"urlParts\":[\"\",\"policy-guidance\",\"hhs-policy-rules-behavior-use-information-it-resources\"],\"initialTree\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"hhs-policy-rules-behavior-use-information-it-resources\",\"d\"],{\"children\":[\"__PAGE__\",{}]}]}]},\"$undefined\",\"$undefined\",true],\"initialSeedData\":[\"\",{\"children\":[\"policy-guidance\",{\"children\":[[\"slug\",\"hhs-policy-rules-behavior-use-information-it-resources\",\"d\"],{\"children\":[\"__PAGE__\",{},[[\"$L4\",\"$L5\",null],null],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\",\"$7\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[null,[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\",\"policy-guidance\",\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L8\",null,{}],\"templateStyles\":\"$undefined\",\"templateScripts\":\"$undefined\",\"notFound\":\"$undefined\",\"notFoundStyles\":\"$undefined\"}]],null]},[[[[\"$\",\"link\",\"0\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/ef46db3751d8e999.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}],[\"$\",\"link\",\"1\",{\"rel\":\"stylesheet\",\"href\":\"/_next/static/css/0759e90f4fecfde7.css\",\"precedence\":\"next\",\"crossOrigin\":\"$undefined\"}]],\"$L9\"],null],null],\"couldBeIntercepted\":false,\"initialHead\":[null,\"$La\"],\"globalErrorComponent\":\"$b\",\"missingSlots\":\"$Wc\"}]\n"])</script><script>self.__next_f.push([1,"d:I[4080,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"\"]\ne:I[8173,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"Image\"]\nf:I[7529,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n11:I[231,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"\"]\n12:I[7303,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n13:I[8521,[\"489\",\"static/chunks/app/template-d264bab5e3061841.js\"],\"default\"]\n14:I[5922,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"972\",\"static/chunks/972-6e520d137ef194fb.js\",\"931\",\"static/chunks/app/page-cc829e051925e906.js\"],\"default\"]\n15:I[7182,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"default\"]\n16:I[4180,[\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"223\",\"static/chunks/223-bc9ed43510898bbb.js\",\"185\",\"static/chunks/app/layout-9fc24027bc047aa2.js\"],\"TealiumTagManager\"]\n10:Tdced,"])</script><script>self.__next_f.push([1,"{\"id\":\"mega-menu\",\"linkset\":{\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87},\"elements\":[{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}}],\"size\":87,\"tree\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Roles\",\"hierarchy\":[\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/information-system-security-officer-isso\",\"attributes\":{\"title\":\"Information System Security Officer (ISSO)\",\"hierarchy\":[\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook\",\"attributes\":{\"title\":\"ISSO Handbook\",\"hierarchy\":[\"0\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#getting-started-for-new-issos\",\"attributes\":{\"title\":\"Getting started (for new ISSOs)\",\"hierarchy\":[\"0\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-mentorship-program\",\"attributes\":{\"title\":\"ISSO Mentorship Program\",\"hierarchy\":[\"0\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-system-security-officer-isso-handbook#training\",\"attributes\":{\"title\":\"ISSO Training\",\"hierarchy\":[\"0\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/data-guardian\",\"attributes\":{\"title\":\"Data Guardian\",\"hierarchy\":[\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/data-guardian-handbook\",\"attributes\":{\"title\":\"Data Guardian Handbook\",\"hierarchy\":[\"0\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cyber-risk-advisor-cra\",\"attributes\":{\"title\":\"Cyber Risk Advisor (CRA)\",\"hierarchy\":[\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"0\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks#risk-management-handbook-rmh-chapters\",\"attributes\":{\"title\":\"Risk Management Handbook (RMH)\",\"hierarchy\":[\"0\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/business-system-owner\",\"attributes\":{\"title\":\"Business / System Owner (BO/SO)\",\"hierarchy\":[\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity and Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"0\",\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"0\",\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"0\",\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"0\",\"3\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Compliance \u0026 Authorization\",\"hierarchy\":[\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"Authorization to Operate (ATO)\",\"hierarchy\":[\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato\",\"attributes\":{\"title\":\"About ATO at CMS\",\"hierarchy\":[\"1\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#types-of-authorizations\",\"attributes\":{\"title\":\"Types of authorizations\",\"hierarchy\":[\"1\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#ato-stakeholders\",\"attributes\":{\"title\":\"ATO stakeholders\",\"hierarchy\":[\"1\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/authorization-operate-ato#related-documents-and-resources\",\"attributes\":{\"title\":\"ATO tools and resources\",\"hierarchy\":[\"1\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-technical-reference-architecture-tra\",\"attributes\":{\"title\":\"CMS Technical Reference Architecture (TRA)\",\"hierarchy\":[\"1\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"Ongoing Authorization (OA)\",\"hierarchy\":[\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa\",\"attributes\":{\"title\":\"About OA at CMS\",\"hierarchy\":[\"1\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/ongoing-authorization-oa#is-my-system-eligible-for-oa\",\"attributes\":{\"title\":\"OA eligibility requirements\",\"hierarchy\":[\"1\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"1\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Assessments \u0026 Audits\",\"hierarchy\":[\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"1\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"1\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"1\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/security-impact-analysis-sia\",\"attributes\":{\"title\":\"Security Impact Analysis (SIA)\",\"hierarchy\":[\"1\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-audits\",\"attributes\":{\"title\":\"System Audits\",\"hierarchy\":[\"1\",\"2\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Policy \u0026 Guidance\",\"hierarchy\":[\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/cms-policies-and-guidance\",\"attributes\":{\"title\":\"CMS Policies and Guidance\",\"hierarchy\":[\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\",\"attributes\":{\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"hierarchy\":[\"2\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\",\"attributes\":{\"title\":\"CMS Information Security and Privacy Policy (IS2P2)\",\"hierarchy\":[\"2\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-security-and-privacy-handbooks\",\"attributes\":{\"title\":\"CMS Security and Privacy Handbooks\",\"hierarchy\":[\"2\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-risk-management-framework-rmf\",\"attributes\":{\"title\":\"CMS Risk Management Framework (RMF)\",\"hierarchy\":[\"2\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/email-encryption-requirements-cms\",\"attributes\":{\"title\":\"CMS Email Encryption\",\"hierarchy\":[\"2\",\"0\",\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/federal-policies-and-guidance\",\"attributes\":{\"title\":\"Federal Policies and Guidance\",\"hierarchy\":[\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/national-institute-standards-and-technology-nist\",\"attributes\":{\"title\":\"National Institute of Standards and Technology (NIST)\",\"hierarchy\":[\"2\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/federal-information-security-modernization-act-fisma\",\"attributes\":{\"title\":\"Federal Information Security Modernization Act (FISMA)\",\"hierarchy\":[\"2\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/fedramp\",\"attributes\":{\"title\":\"Federal Risk and Authorization Management Program (FedRAMP)\",\"hierarchy\":[\"2\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"2\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/application-security\",\"attributes\":{\"title\":\"Application Security\",\"hierarchy\":[\"3\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"3\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/zero-trust\",\"attributes\":{\"title\":\"Zero Trust\",\"hierarchy\":[\"3\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"3\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/software-bill-materials-sbom\",\"attributes\":{\"title\":\"Software Bill of Materials (SBOM)\",\"hierarchy\":[\"3\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/security-operations\",\"attributes\":{\"title\":\"Security Operations\",\"hierarchy\":[\"3\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/risk-management-handbook-chapter-8-incident-response-ir\",\"attributes\":{\"title\":\"Incident Response\",\"hierarchy\":[\"3\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"3\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"3\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/risk-management-and-reporting\",\"attributes\":{\"title\":\"Risk Management and Reporting\",\"hierarchy\":[\"3\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"3\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports\",\"hierarchy\":[\"3\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/plan-action-and-milestones-poam\",\"attributes\":{\"title\":\"Plan of Action and Milestones (POA\u0026M)\",\"hierarchy\":[\"3\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy\",\"hierarchy\":[\"4\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Agreements\",\"hierarchy\":[\"4\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-computer-matching-agreement-cma\",\"attributes\":{\"title\":\"Computer Matching Agreement (CMA)\",\"hierarchy\":[\"4\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-information-exchange-agreement-iea\",\"attributes\":{\"title\":\"Information Exchange Agreement (IEA)\",\"hierarchy\":[\"4\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Activities\",\"hierarchy\":[\"4\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/breach-response\",\"attributes\":{\"title\":\"Breach Response\",\"hierarchy\":[\"4\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"4\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/system-records-notice-sorn\",\"attributes\":{\"title\":\"System of Records Notice (SORN)\",\"hierarchy\":[\"4\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Privacy Resources\",\"hierarchy\":[\"4\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/ispg/privacy\",\"attributes\":{\"title\":\"Privacy at CMS\",\"hierarchy\":[\"4\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-breach-response-handbook\",\"attributes\":{\"title\":\"CMS Breach Response Handbook\",\"hierarchy\":[\"4\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/health-insurance-portability-and-accountability-act-1996-hipaa\",\"attributes\":{\"title\":\"Health Insurance Portability and Accessibility Act (HIPAA)\",\"hierarchy\":[\"4\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/policy-guidance/cms-privacy-impact-assessment-pia-handbook\",\"attributes\":{\"title\":\"CMS Privacy Impact Assessment (PIA) Handbook\",\"hierarchy\":[\"4\",\"2\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tools \u0026 Services\",\"hierarchy\":[\"5\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Reporting \u0026 Compliance\",\"hierarchy\":[\"5\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/isso-service\",\"attributes\":{\"title\":\"ISSO As A Service\",\"hierarchy\":[\"5\",\"0\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-fisma-continuous-tracking-system-cfacts\",\"attributes\":{\"title\":\"CFACTS\",\"hierarchy\":[\"5\",\"0\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cyber-risk-reports\",\"attributes\":{\"title\":\"Cyber Risk Reports and Dashboards\",\"hierarchy\":[\"5\",\"0\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/continuous-diagnostics-and-mitigation-cdm\",\"attributes\":{\"title\":\"Continuous Diagnostics and Mitigation (CDM)\",\"hierarchy\":[\"5\",\"0\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"System Security\",\"hierarchy\":[\"5\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/threat-modeling\",\"attributes\":{\"title\":\"Threat Modeling\",\"hierarchy\":[\"5\",\"1\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cloud-services\",\"attributes\":{\"title\":\"CMS Cloud Services\",\"hierarchy\":[\"5\",\"1\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cms-cybersecurity-integration-center-ccic\",\"attributes\":{\"title\":\"CMS Cybersecurity Integration Center (CCIC)\",\"hierarchy\":[\"5\",\"1\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"https://security.cms.gov/learn/cms-security-data-lake-sdl\",\"attributes\":{\"title\":\"CMS Security Data Lake (SDL)\",\"hierarchy\":[\"5\",\"1\",\"3\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"\",\"attributes\":{\"title\":\"Tests \u0026 Assessments\",\"hierarchy\":[\"5\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/cybersecurity-risk-assessment-program-csrap\",\"attributes\":{\"title\":\"Cybersecurity Risk Assessment Program (CSRAP)\",\"hierarchy\":[\"5\",\"2\",\"0\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/penetration-testing-pentesting\",\"attributes\":{\"title\":\"Penetration Testing\",\"hierarchy\":[\"5\",\"2\",\"1\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]},{\"link\":{\"anchor\":\"/system/menu/mega-menu/linkset\",\"rel\":\"item\",\"href\":\"/learn/privacy-impact-assessment-pia\",\"attributes\":{\"title\":\"Privacy Impact Assessment (PIA)\",\"hierarchy\":[\"5\",\"2\",\"2\"],\"machine-name\":[\"mega-menu\"]}},\"children\":[]}]}]}]}"])</script><script>self.__next_f.push([1,"9:[\"$\",\"html\",null,{\"lang\":\"en\",\"children\":[[\"$\",\"head\",null,{\"children\":[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds-init.min.js\",\"strategy\":\"beforeInteractive\"}]}],[\"$\",\"body\",null,{\"children\":[[[\"$\",\"a\",null,{\"className\":\"usa-skipnav\",\"href\":\"#main\",\"children\":\"Skip to main content\"}],[\"$\",\"section\",null,{\"className\":\"usa-banner\",\"aria-label\":\"Official website of the United States government\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-accordion\",\"children\":[[\"$\",\"header\",null,{\"className\":\"usa-banner__header\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-banner__inner\",\"children\":[[\"$\",\"div\",null,{\"className\":\"grid-col-auto\",\"children\":[\"$\",\"$Le\",null,{\"aria-hidden\":\"true\",\"className\":\"usa-banner__header-flag\",\"src\":\"/assets/img/us_flag_small.png\",\"alt\":\"\",\"width\":\"16\",\"height\":\"11\"}]}],[\"$\",\"div\",null,{\"className\":\"grid-col-fill tablet:grid-col-auto\",\"aria-hidden\":\"true\",\"children\":[[\"$\",\"p\",null,{\"className\":\"usa-banner__header-text\",\"children\":\"An official website of the United States government\"}],[\"$\",\"p\",null,{\"className\":\"usa-banner__header-action\",\"children\":\"Here's how you know\"}]]}],[\"$\",\"button\",null,{\"type\":\"button\",\"className\":\"usa-accordion__button usa-banner__button\",\"aria-expanded\":\"false\",\"aria-controls\":\"gov-banner-default-default\",\"children\":[\"$\",\"span\",null,{\"className\":\"usa-banner__button-text\",\"children\":\"Here's how you know\"}]}]]}]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__content usa-accordion__content\",\"id\":\"gov-banner-default-default\",\"hidden\":true,\"children\":[\"$\",\"div\",null,{\"className\":\"grid-row grid-gap-lg\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-dot-gov.3e9cb1b5.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Official websites use .gov\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\".gov\"}],\" website belongs to an official government organization in the United States.\"]}]}]]}],[\"$\",\"div\",null,{\"className\":\"usa-banner__guidance tablet:grid-col-6\",\"children\":[[\"$\",\"$Le\",null,{\"className\":\"usa-banner__icon usa-media-block__img\",\"src\":{\"src\":\"/_next/static/media/icon-https.e7f1a222.svg\",\"height\":64,\"width\":64,\"blurWidth\":0,\"blurHeight\":0},\"role\":\"img\",\"alt\":\"\",\"aria-hidden\":\"true\",\"width\":\"40\",\"height\":\"40\"}],[\"$\",\"div\",null,{\"className\":\"usa-media-block__body\",\"children\":[\"$\",\"p\",null,{\"children\":[[\"$\",\"strong\",null,{\"children\":\"Secure .gov websites use HTTPS\"}],[\"$\",\"br\",null,{}],\"A \",[\"$\",\"strong\",null,{\"children\":\"lock\"}],\" (\",[\"$\",\"span\",null,{\"className\":\"icon-lock\",\"children\":[\"$\",\"svg\",null,{\"xmlns\":\"http://www.w3.org/2000/svg\",\"width\":\"52\",\"height\":\"64\",\"viewBox\":\"0 0 52 64\",\"className\":\"usa-banner__lock-image\",\"role\":\"img\",\"aria-labelledby\":\"banner-lock-description-default\",\"focusable\":\"false\",\"children\":[[\"$\",\"title\",null,{\"id\":\"banner-lock-title-default\",\"children\":\"Lock\"}],[\"$\",\"desc\",null,{\"id\":\"banner-lock-description-default\",\"children\":\"Locked padlock icon\"}],[\"$\",\"path\",null,{\"fill\":\"#000000\",\"fillRule\":\"evenodd\",\"d\":\"M26 0c10.493 0 19 8.507 19 19v9h3a4 4 0 0 1 4 4v28a4 4 0 0 1-4 4H4a4 4 0 0 1-4-4V32a4 4 0 0 1 4-4h3v-9C7 8.507 15.507 0 26 0zm0 8c-5.979 0-10.843 4.77-10.996 10.712L15 19v9h22v-9c0-6.075-4.925-11-11-11z\"}]]}]}],\") or \",[\"$\",\"strong\",null,{\"children\":\"https://\"}],\" means you've safely connected to the .gov website. Share sensitive information only on official, secure websites.\"]}]}]]}]]}]}]]}]}]],[\"$\",\"$Lf\",null,{\"value\":\"$10\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-overlay\"}],[\"$\",\"header\",null,{\"className\":\"usa-header usa-header--extended\",\"children\":[[\"$\",\"div\",null,{\"className\":\"bg-primary-dark\",\"children\":[\"$\",\"div\",null,{\"className\":\"usa-navbar\",\"children\":[[\"$\",\"div\",null,{\"className\":\"usa-logo padding-y-4 padding-right-3\",\"id\":\"CyberGeek-logo\",\"children\":[\"$\",\"$L11\",null,{\"href\":\"/\",\"title\":\"CMS CyberGeek Home\",\"children\":[\"$\",\"$Le\",null,{\"src\":{\"src\":\"/_next/static/media/CyberGeek-logo.8e9bbd2b.svg\",\"height\":50,\"width\":425,\"blurWidth\":0,\"blurHeight\":0},\"alt\":\"CyberGeek logo\",\"width\":\"298\",\"height\":\"35\",\"priority\":true}]}]}],[\"$\",\"button\",null,{\"aria-label\":\"Open menu\",\"type\":\"button\",\"className\":\"usa-menu-btn\",\"data-cy\":\"menu-button\",\"children\":\"Menu\"}]]}]}],[\"$\",\"$L12\",null,{}]]}]]}],[\"$\",\"main\",null,{\"id\":\"main\",\"children\":[\"$\",\"$L6\",null,{\"parallelRouterKey\":\"children\",\"segmentPath\":[\"children\"],\"error\":\"$undefined\",\"errorStyles\":\"$undefined\",\"errorScripts\":\"$undefined\",\"template\":[\"$\",\"$L13\",null,{\"children\":[\"$\",\"$L8\",null,{}]}],\"templateStyles\":[],\"templateScripts\":[],\"notFound\":[\"$\",\"section\",null,{\"className\":\"hero hero--theme-content-not-found undefined\",\"children\":[[\"$\",\"$Le\",null,{\"alt\":\"404 page not found\",\"className\":\"hero__graphic\",\"priority\":true,\"src\":{\"src\":\"/_next/static/media/content-not-found-graphic.8f104f47.svg\",\"height\":551,\"width\":948,\"blurWidth\":0,\"blurHeight\":0}}],[\"$\",\"div\",null,{\"className\":\"maxw-widescreen margin-x-auto padding-x-2 desktop:padding-x-0 padding-top-4 padding-bottom-6 desktop:padding-y-7\",\"children\":[\"$\",\"div\",null,{\"className\":\"tablet:grid-container position-relative \",\"children\":[\"$\",\"div\",null,{\"className\":\"hero__row grid-row grid-gap\",\"children\":[[\"$\",\"div\",null,{\"className\":\"tablet:grid-col-5 widescreen:position-relative\",\"children\":[false,false]}],[\"$\",\"div\",null,{\"className\":\"hero__column tablet:grid-col-7 flow padding-bottom-2\",\"children\":[\"$undefined\",\"$undefined\",false,[\"$\",\"h1\",null,{\"className\":\"hero__heading margin-0 line-height-sans-3 desktop:line-height-sans-2\",\"children\":\"We can't find that page.\"}],\"$undefined\",\"$undefined\",false,[\"$\",\"div\",null,{\"children\":[[\"$\",\"div\",null,{\"className\":\"hero__description\",\"children\":[[\"The page you're looking for may have been moved or retired. You can\",\" \",[\"$\",\"$L11\",null,{\"href\":\"/\",\"children\":\"visit our home page\"}],\" or use the search box to find helpful resources.\"]]}],[\"$\",\"div\",null,{\"className\":\"margin-top-6 search-container\",\"children\":[\"$\",\"$L14\",null,{\"theme\":\"content-not-found\"}]}]]}],false]}],false,false]}]}]}]]}],\"notFoundStyles\":[]}]}],[\"$\",\"$L15\",null,{}],[\"$\",\"$L16\",null,{}],[\"$\",\"$Ld\",null,{\"src\":\"/assets/javascript/uswds.min.js\",\"strategy\":\"beforeInteractive\"}]]}]]}]\n"])</script><script>self.__next_f.push([1,"17:I[3055,[\"866\",\"static/chunks/e37a0b60-b74be3d42787b18d.js\",\"30\",\"static/chunks/30-49b1c1429d73281d.js\",\"317\",\"static/chunks/317-0f87feacc1712b2f.js\",\"904\",\"static/chunks/904-dbddf7494c3e6975.js\",\"549\",\"static/chunks/549-c87c1c3bbacc319f.js\",\"907\",\"static/chunks/app/policy-guidance/%5Bslug%5D/page-d95d3b4ebc8065f9.js\"],\"default\"]\n18:T1af13,"])</script><script>self.__next_f.push([1,"\u003ch2 id=\"m_4884422691552917800nature\"\u003e1. Nature of Changes\u003c/h2\u003e\u003cp\u003eVersion 1.0: released July 2013. First issuance of policy.\u003c/p\u003e\u003cp\u003eVersion 2.0: released December 2016. Added new statements to:\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eProhibit the use of personally owned devices and unapproved non-GFE to conduct HHS business.\u003c/li\u003e\u003cli\u003eRestrict personal social media use during official work duty.\u003c/li\u003e\u003cli\u003eRestrict the connection to public, unsecure Wi-Fi from GFE.\u003c/li\u003e\u003cli\u003eProhibit the use of HHS e-mail address to create personal commercial accounts.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eVersion 2.1: Released August 2017. As recommended by OpDivs in the first-round review, Policy for Personal Use of IT Resources was combined with the Rules of Behavior since the documents overlap.\u003c/p\u003e\u003cp\u003eVersion 2.1: Released February 2018. Update to policy for use of personal email per Departmental recommendation.\u003c/p\u003e\u003cp\u003eVersion 2.1: Released March 2018. Removed the policy requirement restricting the use of personal email from HHS/OpDiv networks per OCIO request.\u003c/p\u003e\u003cp\u003eVersion 2.1: Released April 2018. Replaced Controlled Unclassified Information (CUI) with sensitive information per OGC and PIM recommendations.\u003c/p\u003e\u003cp\u003eVersion 2.1: Released June 2018. Policy obtained NTEU clearance.\u003c/p\u003e\u003cp\u003eVersion 2.2: Released May 2019. Changed Webmail access policy to only block access from public internet and encourage OpDivs to reduce its usage. Added requirement to restrict the use of personal email, storage services and devices that conduct HHS/OpDiv business and store HHS/OpDiv data.\u003c/p\u003e\u003cp\u003eVersion 2.3: Released June 2019. Updated password requirement.\u003c/p\u003e\u003cp\u003eVersion 3.0: Released February 2023. Updated to prohibit unauthenticated Bluetooth tethering without OpDiv approval, acceptable use of social media, provide general updates throughout document, and to ensure adherence to Executive Order 14028 as well as Office Management and Budget (OMB) Memorandum (M) M-22-09.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800purpose\"\u003e2. Purpose\u003c/h2\u003e\u003cp\u003eThe\u0026nbsp;\u003cem\u003eHHS Policy for Rules of Behavior for Use of Information and IT Resources (\u003c/em\u003ehereafter known as\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e) defines the acceptable use of the Department of Health and Human Services (Department or HHS)/Operating Division (OpDiv) information and Information Technology (IT) resources and establishes the baseline requirements for developing Rules of Behavior (RoB) that all users, including privileged users, are required to sign prior to accessing HHS/OpDiv information systems and resources.\u003c/p\u003e\u003cp\u003eThis document includes baseline requirements for three RoB categories: General Users, Privileged Users, and System Specific Users. These RoB categories provide baseline requirements and guidelines for implementation of each RoB category. This\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;also defines acceptable personal use of HHS/OpDiv information resources and restricts use of personal devices to conduct HHS/OpDiv business.\u003c/p\u003e\u003cp\u003eAn OpDiv may customize this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;and RoBs to include OpDiv specific information, create its own policy, or supplement the specified RoB provided that the OpDiv policy and RoBs are compliant with and at least as restrictive as the baseline policy and RoBs stated herein.\u003c/p\u003e\u003cp\u003eThis\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;uses the term ‘sensitive information’ to refer to Personally Identifiable Information (PII)\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn1\" target=\"_blank\"\u003e1\u003c/a\u003e\u0026nbsp;(although other HHS policies may distinguish between PII and sensitive PII), Protected Health Information (PHI), financial records, business proprietary data, and any information marked Sensitive but Unclassified (SBU), Controlled Unclassified Information (CUI), etc.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn2\" target=\"_blank\"\u003e2\u003c/a\u003e\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800background\"\u003e3. Background\u003c/h2\u003e\u003cp\u003eThe executive branch of the federal government leverages hundreds of thousands of employees located in offices across the nation to serve the American people. Increasingly, the government is called upon to deliver additional services to a growing population that expects ever-increasing improvements in service delivery. The relationship between the executive branch and the employees who administer the functions of the government is based on trust. Consequently, employees are expected to follow rules and regulations and to be responsible for their own personal and professional conduct. The Standards of Ethical Conduct for Employees of the Executive Branch published by the U.S. Office of Government Ethics states that, “Employees must put forth honest effort in the performance of their duties” [5 C.F.R. § 2635.101(b)(5)].\u003c/p\u003e\u003cp\u003eThe RoBs stated in this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;include rules that govern the appropriate use and protection of all HHS/OpDiv information resources and help to ensure the security of IT equipment, systems, and data confidentiality, integrity, and availability.\u0026nbsp;\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800scope\"\u003e4. Scope\u003c/h2\u003e\u003cp\u003eThis\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;applies to all OpDivs and other parties that conduct business for or on behalf of HHS (i.e., contractors, third-party service/storage providers, cloud service providers). This\u0026nbsp;\u003cem\u003ePolicy\u0026nbsp;\u003c/em\u003eapplies to all users of HHS/OpDiv information and IT resources whether working at their primary duty station, teleworking, working at a satellite site or any other alternative workplaces, and/or while traveling.\u003c/p\u003e\u003cp\u003eAn OpDiv must implement this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;and these baseline requirements or alternatively, may create its own policy that is more restrictive but not less restrictive than this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e. This\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;does not supersede any other applicable law or higher-level agency directive or policy guidance.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis\u0026nbsp;\u003cem\u003ePolicy\u0026nbsp;\u003c/em\u003edoes not supersede any applicable law, higher-level agency directive, or existing labor management agreement as of the effective date of this\u003cem\u003e\u0026nbsp;Policy\u003c/em\u003e.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800authorities\"\u003e5. Authorities\u003c/h2\u003e\u003cp\u003eThe following are the primary authoritative documents driving the requirements in this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eFederal Information Security Modernization Act of 2014 (FISMA), Pub. L. No. 113-283, 128 Stat. 3073, codified at 44 U.S.C. Chapter 35, Subchapter II.\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/em\u003e, November 2021.\u003c/li\u003e\u003cli\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-18,\u0026nbsp;\u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e, February 2006.\u003c/li\u003e\u003cli\u003eNIST SP 800-37 Rev. 2,\u0026nbsp;\u003cem\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u003c/em\u003e, December 2018.\u003c/li\u003e\u003cli\u003eNIST SP 800-53 Rev. 5,\u0026nbsp;\u003cem\u003eSecurity and Privacy Controls for Information Systems and Organizations\u003c/em\u003e, December 2020.\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-130,\u0026nbsp;\u003cem\u003eManaging Information as a Strategic Resource\u003c/em\u003e, July 2016.\u003c/li\u003e\u003cli\u003ePublic Law 115-232 § 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, August 13, 2018.\u003c/li\u003e\u003cli\u003e5 U.S.C. § 552a (the Privacy Act of 1974, as amended).\u003c/li\u003e\u003c/ol\u003e\u003ch2 id=\"m_4884422691552917800policy\"\u003e6. Policy\u003c/h2\u003e\u003cp\u003eThe following are the baseline requirements for implementing HHS or OpDiv RoBthat govern the appropriate use of HHS/OpDiv information systems and resources for all employees, contractors, and other personnel who have access to HHS/OpDiv information and information systems.\u003c/p\u003e\u003ch3 id=\"m_48844226915529178006.1\"\u003e6.1. Acceptable Use of HHS Information and IT Resources – OpDiv Requirements\u003c/h3\u003e\u003col type=\"A\"\u003e\u003cli\u003eOpDivs must ensure all users read and acknowledge the RoB as general users upon onboarding and annually thereafter. Additionally, users with significant security responsibilities must read and acknowledge the RoB as privileged users upon onboarding and annually thereafter (see baseline RoB for both general and privileged users in Appendix D.) OpDiv System Owners must define RoB for System Specific users as necessary. Acknowledgement is understood to mean that each RoB must contain a signature page on which the user acknowledges having read, understood, and agreed to abide by the RoB (general user, or privileged user). Electronic signatures are acceptable.\u003c/li\u003e\u003cli\u003eOpDivs must ensure that general users read and sign RoB before they are given access to HHS/OpDiv information and/or systems.\u0026nbsp; Digital signature is encouraged for general users whose digital signature can be authenticated by a Personal Identity Verification (PIV) card or other similar card (such as Personal Identity Verification Interoperability (PIV-I) card, Derived Alternate Credential (DAC), or Common Access Card (CAC)); however, general users may physically sign.\u003c/li\u003e\u003cli\u003eOpDivs must inform general users of their responsibilities and the accountability of their actions while accessing HHS/OpDiv systems and using HHS/OpDiv information resources. (The RoB must state the consequences of behavior not consistent with the rules).\u003c/li\u003e\u003cli\u003eOpDivs must include the items covered in sections 6.2, 6.3, and 6.4 including teleworking, remote access, connection to the internet, use of copyrighted works, use of GFE, social media, and individual accountability. Sample RoBs are included in Appendix D.\u003c/li\u003e\u003cli\u003eOpDivs must ensure government furnished equipment distributed to for the purpose of conducting official government business including but not limited to: Personal Identity Verification (PIV) cards, mobile devices and cellular telephones, is surrendered, collected or reclaimed on or before the last day of employment or contract termination.\u003c/li\u003e\u003cli\u003eOpDivs must take steps to reduce the use of Webmail and allow access only when necessary. OpDivs will make the determination as to what is defined as necessary for their OpDiv.\u003c/li\u003e\u003cli\u003eOpDivs must implement technical controls to:\u003col type=\"i\"\u003e\u003cli\u003eProhibit auto-forwarding of email\u003c/li\u003e\u003cli\u003eBlock the use of HHS/OpDiv Webmail access from untrusted or unauthenticated public internet or implement compensating controls\u003c/li\u003e\u003cli\u003eDetect and block spam emails, and employ a capability within the official email application (such as a phishing email button) to expedite the reporting of suspected phishing emails to the OpDiv designated email incident response team\u003c/li\u003e\u003cli\u003eAppropriately secure mobile devices used for conducting HHS/OpDiv business\u003c/li\u003e\u003cli\u003eEnsure that rules regarding passwords are consistent with technical password features\u003c/li\u003e\u003cli\u003eMonitor user activities, system accounts and privileged user accounts\u003c/li\u003e\u003cli\u003eDisable unnecessary/unauthorized permissions, services, and system/user accounts.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eOpDivs must develop and implement system specific RoB when appropriate (see additional guidance in Appendix C). OpDivs must include in system specific RoB provisions that:\u003col type=\"i\"\u003e\u003cli\u003eDelineate responsibilities and expected behavior of all users with access to the system and state the consequences of behavior not consistent with the rules\u003c/li\u003e\u003cli\u003eInclude limitations on altering data, searching databases, and divulging information\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn3\" target=\"_blank\"\u003e3\u003c/a\u003e\u003c/li\u003e\u003cli\u003eState appropriate limits on interconnections to other systems.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178006.2\"\u003e6.2. Acceptable Use of HHS Information and IT Resources – General User Requirements\u003c/h3\u003e\u003col type=\"A\"\u003e\u003cli\u003eHHS/OpDiv permits personnel to have limited personal use of HHS/OpDiv information and IT resources, including HHS/OpDiv email, systems, instant messaging (IM) tools, and government-furnished equipment (GFE) (e.g., laptops, mobile devices, etc.) only when the personal use:\u003col type=\"i\"\u003e\u003cli\u003eInvolves no more than minimal additional expense to the government\u003c/li\u003e\u003cli\u003eIs minimally disruptive to personnel productivity\u003c/li\u003e\u003cli\u003eDoes not interfere with the mission or operations of HHS\u003c/li\u003e\u003cli\u003eDoes not violate HHS/OpDiv security and privacy policies.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eHHS/OpDiv expects personnel to conduct themselves professionally in the workplace and to refrain from using GFE, email, third-party websites, and applications (TPWAs) (e.g., HHS/OpDiv social media sites and cloud services, etc.) and other HHS/OpDiv information resources for activities that are not related to any legitimate/officially sanctioned HHS/OpDiv business purpose, except for the limited personal use stated above.\u0026nbsp; Personnel must not misuse HHS/OpDiv information and IT resources or conduct unapproved activities using HHS/OpDiv information and IT resources including, but not limited to:\u003col type=\"i\"\u003e\u003cli\u003eEngaging in activities that could cause congestion, delay, or disruption of service to any HHS/OpDiv information resource (e.g., sending chain letters via email, playing streaming videos, games, music, etc.)\u003c/li\u003e\u003cli\u003eAccessing, downloading and/or uploading illegal, illicit, or criminal content from/to the internet (e.g., pornographic or sexually explicit materials, information about illegal weapons, terrorism activities, or other illegal activities)\u003c/li\u003e\u003cli\u003eAccessing, downloading, or clicking on any untrusted hyperlinks or executable files without verifying source.\u003c/li\u003e\u003cli\u003e\u0026nbsp;Conducting or supporting commercial “for-profit” activities, managing outside employment or business activity, or running a personal business\u003c/li\u003e\u003cli\u003eEngaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity\u003c/li\u003e\u003cli\u003eUsing HHS/OpDiv information resources for activities that are inappropriate or offensive to fellow personnel or the public (e.g., hate speech or material that ridicules others on the basis of race, creed, religion, color, age, gender, disability, national origin, or sexual orientation)\u003c/li\u003e\u003cli\u003eCreating a website or uploading content to a TPWA, or social media website \u0026nbsp;on behalf of HHS/OpDiv without proper official authorization.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn4\" target=\"_blank\"\u003e4\u003c/a\u003e\u0026nbsp;\u0026nbsp;Proper official authorization' includes, for example, written approval from the HHS/OpDiv or OpDiv CISO or a designee\u003c/li\u003e\u003cli\u003eConnecting personal devices to HHS/OpDiv systems without proper official authorization\u003c/li\u003e\u003cli\u003eUsing personal devices, non-HHS/OpDiv email, and unauthorized third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, or process HHS/OpDiv information, or to conduct HHS/OpDiv business without proper official authorization.\u003c/li\u003e\u003cli\u003eAutomatically (auto) forwarding HHS/OpDiv email to both internal and external email sources or forwarding email/files that contain sensitive information to unauthorized systems and devices that are used for non-HHS/OpDiv and non-OpDiv business purposes\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn5\" target=\"_blank\"\u003e5\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAccessing and using HHS/OpDiv Webmail without proper official authorization\u003c/li\u003e\u003cli\u003eUsing an HHS/OpDiv email address and other information resources to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or website, and signing up for personal memberships that are not work related.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eHHS/OpDiv warns users of HHS/OpDiv information resources, systems and GFE that they should have no expectation of privacy while using them and that their usage may be monitored, recorded, and audited at any time; and that HHS/OpDiv information resources, systems and GFE must be used with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA), Privacy Act (5 U.S.C. § 552a) or other applicable legal authority.\u003c/li\u003e\u003cli\u003eHHS/OpDiv formally notifies users through the RoB that their electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or Department/OpDiv personnel at any time when related to the performance of duties.\u0026nbsp; For example, after obtaining management approval, HHS/OpDiv authorized technical staff may employ monitoring tools in order to maximize the utilization of HHS/OpDiv resources.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178006.3\"\u003e6.3. Telework/Remote Work and GFE\u003c/h3\u003e\u003col type=\"A\"\u003e\u003cli\u003eHHS/OpDivs permit personnel to telework only when approved by management. Security of HHS/OpDiv information systems, equipment, and information, including PII, CUI and sensitive information, is just as important at a telework worksite as it is in an HHS/OpDiv building. HHS/OpDiv requires personnel to conduct themselves with the same professionalism remotely as is required in the formal workplace. HHS/OpDivs require personnel to safeguard any GFE provided by following these guidelines:\u003col type=\"i\"\u003e\u003cli\u003eUsers can connect additional devices to GFE as necessary to conduct official government business with OpDiv approval if the devices are not on the prohibited vendor list.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn6\" target=\"_blank\"\u003e6\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUsers can connect GFE to printers with OpDiv approval.\u003cul type=\"square\"\u003e\u003cli\u003ePrinters must be connected to GFE via USB or other physical port. Wireless connections between GFE and printers require OpDiv approval.\u003c/li\u003e\u003cli\u003eUsers must contact OpDiv Help Desks to have printer drivers installed on GFE prior to connecting the printer\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn7\" target=\"_blank\"\u003e7\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eUsers are prohibited from installing any software on GFE\u003c/li\u003e\u003cli\u003eUsers are permitted to use their home Wi-Fi network to provide the connectivity for telework. Home networks must be set up in accordance with guidance from HHS/OpDiv or OpDivs\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn8\" target=\"_blank\"\u003e8\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUsers must keep Bluetooth turned off while not in use.\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn9\" target=\"_blank\"\u003e9\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUsers are responsible for the protection of all sensitive data\u003c/li\u003e\u003cli\u003eUsers must not take GFE outside of the US or its territories for regular teleworking. For official visit to foreign countries, adhere to the Department GFE Travel Restriction requirements.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn10\" target=\"_blank\"\u003e10\u003c/a\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178006.4\"\u003e6.4. Non-Compliance\u003c/h3\u003e\u003cp\u003eThis\u003cem\u003e\u0026nbsp;Policy\u003c/em\u003e\u0026nbsp;cannot account for every possible situation. Therefore, where this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;does not provide explicit guidance, personnel must use their best judgment to apply the principles set forth in the standards for ethical conduct to guide their actions and to seek guidance when appropriate from the OpDiv Chief Information Officer (OpDiv CIO) or his/her designee.\u003c/p\u003e\u003cp\u003eNon-compliance with the requirements in this\u0026nbsp;\u003cem\u003ePolic\u003c/em\u003ey and the RoB may be cause for disciplinary and other actions for anyone who has logical access to data, digital resources, and computer networks, or physical access to the HHS/OpDiv enterprise network, data, and resources. Depending on the severity of the violation, consequences may include, but are not limited to, one or more of the following actions:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eMandatory training\u003c/li\u003e\u003cli\u003eReprimand\u003c/li\u003e\u003cli\u003eSuspension of access privileges\u003c/li\u003e\u003cli\u003eRevocation of access to federal information, information systems, IT resources and/or facilities\u003c/li\u003e\u003cli\u003eDeactivation of the accounts\u003c/li\u003e\u003cli\u003eSuspension without pay\u003c/li\u003e\u003cli\u003eMonetary fines\u003c/li\u003e\u003cli\u003eRemoval or disbarment from work on federal contracts or projects\u003c/li\u003e\u003cli\u003eTermination of employment and/or\u003c/li\u003e\u003cli\u003eCriminal charges that may result in imprisonment\u003c/li\u003e\u003cli\u003ePotential removal of security clearances\u003c/li\u003e\u003c/ol\u003e\u003ch2 id=\"m_4884422691552917800roles\"\u003e7. Roles and Responsibilities\u003c/h2\u003e\u003ch3 id=\"m_48844226915529178007.1\"\u003e7.1. HHS Chief Information Officer (CIO)\u003c/h3\u003e\u003cp\u003eThe HHS CIO or representative must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eEnsure this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;is disseminated and implemented Department-wide.\u003c/li\u003e\u003cli\u003eEnsure RoBsare developed, maintained, and implemented for all general users, privileged users, and information systems (when deemed applicable).\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.2\"\u003e7.2. OpDiv CIO\u003c/h3\u003e\u003cp\u003eThe OpDiv CIO or representative must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eEnsure acceptable use of OpDiv information resources requirements is implemented throughout the OpDiv.\u003c/li\u003e\u003cli\u003eEnsure RoBs are developed, approved, maintained, and implemented for all general users, privileged users, and system-specific users (as applicable) OpDiv-wide.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.3\"\u003e7.3. HHS Chief Information Security Officer (CISO)\u003c/h3\u003e\u003cp\u003eThe HHS CISO must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eEnsure implementation of this\u0026nbsp;\u003cem\u003ePolicy.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEnsure all users read, acknowledge, and adhere to RoB for all three RoB categories (general users, privileged users, and system specific users) as applicable.\u003c/li\u003e\u003cli\u003eApprove or assign a designee to approve exceptions to RoBs, when required.\u003c/li\u003e\u003cli\u003eEnsure records are maintained for signed RoB forms.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.4\"\u003e7.4. OpDiv CISO\u003c/h3\u003e\u003cp\u003eThe OpDiv CISO must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eImplement this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;or develop an OpDiv specific RoB.\u003c/li\u003e\u003cli\u003eDevelop and implement OpDiv RoBs for general users, privileged users and system specific users, as applicable.\u003c/li\u003e\u003cli\u003eEnsure all users read, acknowledge, and adhere to RoB for all three RoB categories (general users, privileged users, and system specific users) as applicable.\u003c/li\u003e\u003cli\u003eApprove or assign a designee to approve exceptions to RoBs, when required.\u003c/li\u003e\u003cli\u003eEnsure records are maintained for signed RoB forms.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.5\"\u003e7.5. Managers and Supervisors\u003c/h3\u003e\u003cp\u003eThe OpDiv managers and supervisors must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eInform users of their rights and responsibilities, including the information in this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;to individual users.\u003c/li\u003e\u003cli\u003eAddress inappropriate use by personnel who report to them and disseminate information to relevant stakeholders for the purpose of incident handling and investigations.\u003c/li\u003e\u003cli\u003eReceive and review reports of inappropriate use of IT resource from management officials and allow access to these reports to designated authorities, as applicable, in accordance with HHS/OpDiv stsandard operating procedures.\u003c/li\u003e\u003cli\u003eNotify, when appropriate, senior Department officials of inappropriate use and/or abuse of HHS/OpDiv IT resources.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.6\"\u003e7.6. System Owner (SO)\u003c/h3\u003e\u003cp\u003eThe OpDiv SOs must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eDelineate responsibilities and expected behavior of all users with access to the system and state the consequences of behavior not consistent with the rules.\u003c/li\u003e\u003cli\u003eDevelop and appropriately disseminate system specific RoB when deemed applicable.\u003c/li\u003e\u003cli\u003eEnsure all users with access to the information system(s) under their purview read, acknowledge, and adhere to the general user RoB and system specific RoB (if deemed applicable) prior to obtaining access and at least annually thereafter.\u003c/li\u003e\u003cli\u003eAutomate, to the extent possible, the security and privacy controls that are required to be implemented to protect systems and information.\u003c/li\u003e\u003cli\u003eEnsure all users with privileged access rights to the information system(s) under their purview read, acknowledge, and adhere to the privileged user RoB.\u003c/li\u003e\u003cli\u003eReview system specific RoB periodically and at least every three years.\u003c/li\u003e\u003cli\u003eMaintain records of all the signed system specific RoB.\u003c/li\u003e\u003cli\u003eIn accordance with the Privacy Act, maintain an accounting of disclosures made by HHS/OpDiv of records about individuals retrieved by personal identifier, excluding only disclosures required by FOIA and disclosures to HHS officers and employees with need to know.\u003c/li\u003e\u003cli\u003ePromptly schedule records with the\u0026nbsp;\u003ca href=\"https://www.archives.gov/\" target=\"_blank\"\u003eNational Archives and Records Administration (NARA)\u003c/a\u003e, and promptly destroy records when eligible for destruction and no longer needed for HHS/OpDiv business.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.7\"\u003e7.7. Information and System User\u003c/h3\u003e\u003cp\u003eAll users of HHS/OpDiv information, GFE and systems must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eRead, understand, and acknowledge RoB initially upon onboarding or start of work and annually thereafter.\u003c/li\u003e\u003cli\u003eAlways secure HHS/OpDiv information resources and assets they have access to or always entrusted with (e.g., while at their duty station, when traveling, teleworking, etc.).\u003c/li\u003e\u003cli\u003eReport any loss, compromise, and unauthorized use of HHS/OpDiv information and systems immediately upon discovery/detection in accordance with HHS/OpDiv policies.\u003c/li\u003e\u003cli\u003eSeek guidance from their supervisor and other officials if unclear about HHS/OpDiv security and privacy policies.\u003c/li\u003e\u003c/ol\u003e\u003ch2 id=\"m_4884422691552917800information\"\u003e8. Information and Assistance\u003c/h2\u003e\u003cp\u003eHHS Office of the Chief Information Officer is responsible for the development and management of this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e.\u0026nbsp; Questions, comments, suggestions, and requests for information about this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;should be directed to\u0026nbsp;\u003ca href=\"mailto:HHSCybersecurityPolicy@hhs.gov\" target=\"_blank\"\u003eHHSCybersecurityPolicy@hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800effective-date\"\u003e9. Effective Date and Implementation\u003c/h2\u003e\u003cp\u003eThe effective date of this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;is the date on which the policy is approved. This\u0026nbsp;\u003cem\u003ePolicy\u0026nbsp;\u003c/em\u003emust be reviewed, at a minimum, every three (3) years from the approval date.\u003c/p\u003e\u003cp\u003eThe HHS CIO has the authority to grant a one (1) year extension of the\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eTo archive this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e, written approval must be granted by the HHS CIO.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800approval\"\u003e10. Approval\u003c/h2\u003e\u003cp\u003e/S/\u003cbr\u003eKarl S. Mathias, Ph.D., HHS CIO\u003c/p\u003e\u003cp\u003eFebruary 9, 2023\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800appendix-a\"\u003eAppendix A: Procedures\u003c/h2\u003e\u003cp\u003e\u003cem\u003ePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eOpDivs may develop their specific procedures document(s) to implement this\u0026nbsp;\u003cem\u003ePolicy.\u003c/em\u003e\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800appendix-b\"\u003eAppendix B: Standards\u003c/h2\u003e\u003cp\u003e\u003cem\u003ePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStandard Rules of Behavior\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eHHS/OpDivs are responsible for implementing adequate security controls to ensure a high level of protection for all HHS/OpDiv information and IT resources commensurate with the level of risk. In addition, HHS/OpDivs must ensure that all employees, contractors, and other personnel using HHS/OpDiv information resources have the required knowledge and skills to appropriately use and protect HHS/OpDiv information and IT resources. All OpDivs may use the RoB included in Appendix D or may develop their own RoB provided compliance, at a minimum, meets the requirements of the HHS/OpDiv RoB.\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eRoB\u003cem\u003es\u0026nbsp;\u003c/em\u003eare provided for the following three categories:\u003col type=\"i\"\u003e\u003cli\u003eAppendix C includes supplemental RoB for specific systems\u003c/li\u003e\u003cli\u003eAppendix D contains the RoB for\u003cul type=\"square\"\u003e\u003cli\u003eGeneral Users and\u003c/li\u003e\u003cli\u003ePrivileged Users\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eAll HHS/OpDiv personnel (employees, contractors, interns, etc.) and any other individuals (for example, representatives of grantees, business partners, other agencies, or research institutions; FOIA requesters; members of the general public; etc.) who are granted access to HHS/OpDiv information and IT resources must read, acknowledge, and adhere to the HHS/OpDiv General User RoB prior to accessing and using HHS/OpDiv information resources and IT systems. The acknowledgment of the RoB, which affirms that all users have read and understand the HHS/OpDiv RoB, may be obtained by hardcopy written signature, electronic acknowledgement, or electronic signature. This acknowledgement must be completed at HHS/OpDiv onboarding or prior to the start of work on an HHS/OpDiv contract, grant, or other agreement, and at least annually thereafter, and/or in combination with the HHS/OpDiv information cybersecurity awareness training.\u003c/li\u003e\u003cli\u003eAll privileged users (e.g., network/system administrators, developers, etc.) must read, acknowledge, and adhere to the HHS/OpDiv Privileged User RoB prior to obtaining a privileged user account and at least annually thereafter. The acknowledgment of the RoB, which affirms that privileged users have read and understand the HHS/OpDiv RoB for privileged users, may be obtained by either hardcopy written signature or by electronic acknowledgement or signature.\u003c/li\u003e\u003cli\u003ePer the HHS/OpDiv IS2P, OpDivs must develop and implement system specific RoB, when deemed advisable, to address system specific requirements to protect the system and information.\u003c/li\u003e\u003cli\u003eAll RoB (General, Privileged, and System Specific) must be reviewed and if necessary, updated at least every three years.\u003c/li\u003e\u003cli\u003eAny exceptions to this RoB policy and specified RoB must be approved by the HHS/OpDiv, OpDiv CISO, or OpDiv CISO designee.\u003c/li\u003e\u003c/ol\u003e\u003ch2 id=\"m_4884422691552917800appendix-c\"\u003eAppendix C: Guidance\u003c/h2\u003e\u003cp\u003e\u003cem\u003ePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSupplemental Rules of Behavior for HHS/OpDiv Systems\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eOpDivs are responsible for developing system specific RoB and for ensuring that users read, acknowledge, and adhere to them. A supplemental RoB must be created and developed for systems that require users to comply with rules beyond those contained in the RoB on Appendix D and Appendix E deemed applicable. In such cases, users must comply with ongoing requirements of each individual system to access and retain access (e.g., reading and acknowledging the RoB prior to access and re-acknowledging it each year) to the information system(s). OpDiv System Owners must document any additional system specific RoB and any recurring requirement to acknowledge the respective RoB in their system security plans.\u003c/p\u003e\u003cp\u003eOffice of Management and Budget (OMB) Circular A-130\u0026nbsp;\u003cem\u003eManaging Information as a Strategic Resource\u003c/em\u003e, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide\u003cem\u003e\u0026nbsp;for Developing Security Plans for Federal Information Systems\u003c/em\u003e, and NIST SP 800-53, Revision 5,\u0026nbsp;\u003cem\u003eSecurity and Privacy Controls for Information Systems and Organizations\u003c/em\u003e\u0026nbsp;provide requirements for system specific rules of behavior. At a minimum, the system specific RoB must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eBe in writing.\u003c/li\u003e\u003cli\u003eDelineate responsibilities for any expected user of the system and behavior of all users and must state the consequences of behavior which violates the rules.\u003c/li\u003e\u003cli\u003eState appropriate limits on interconnections to other systems and must define service provision and restoration priorities.\u003c/li\u003e\u003cli\u003eCover such matters including, but not limited to, teleworking, dial-in access, connection to the internet, use of copyrighted works, unofficial use of Government equipment, assignment and limitation of system privileges, and individual accountability.\u003c/li\u003e\u003cli\u003eReflect technical security controls (e.g., rules regarding passwords must be consistent with technical password features).\u003c/li\u003e\u003cli\u003eInclude limitations on changing data, searching databases, or divulging information.\u003c/li\u003e\u003cli\u003eState that controls are in place to ensure individual accountability and separation of duties and to limit the processing privileges of individuals.\u003c/li\u003e\u003cli\u003eState any other specific rules, limitation or restriction that may apply to the use of the system.\u003c/li\u003e\u003cli\u003eInclude consequences for failing to comply with the breach reporting requirements as described in OMB M-17-12 and HHS/OpDiv policy.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eFinally, National Security Systems (NSS), as defined by the Federal Information Security Modernization Act of 2014 (FISMA), must independently or collectively implement their own system specific rules.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSupplemental Rules of Behavior for Accessing Malicious Websites\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eUsers, employees, and contractors who have accessed malicious websites either knowingly or unknowingly will be considered as a security incident and will be required to undergo additional security training as directed by the office of the Chief Information Security Officer (CISO). Those users must take the Security Training or a refresher course on the following:\u003c/p\u003e\u003cp\u003ePhishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by designing as a trustworthy entity in an electronic communication. The following must be avoided:\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eclicking on links and suspicious attachments provided in email\u003c/li\u003e\u003cli\u003esubmitting banking and password information via email\u003c/li\u003e\u003cli\u003eany email asking for personal information\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA ‘Hoax’ is often intended to cause embarrassment, or to provide social or political change by raising people’s awareness of something. Hoaxes should be addressed in the training because a lot of time and resources can be spent reading and forwarding hoax emails. Some hoaxes warn of a virus and tell users to delete valid and sometimes important system files.\u003c/p\u003e\u003cp\u003eMalware is the shortened version of the words ‘Malicious Software’. It refers to software programs designed to damage or do other unwanted actions on a computer system. Malware is broken into these categories:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eViruses\u003c/strong\u003e: A malicious software program that, when executed, replicates itself by modifying other computers programs and inserting its own code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWorms\u003c/strong\u003e: A computer worm is a stand-alone malicious program that can self-replicate itself to uninfected computers.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTrojans\u003c/strong\u003e: A ‘Trojan’ or ‘Trojan Horse’ is any malicious computer program which misleads users of its true intent.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpyware\u003c/strong\u003e: Spyware is software that aims to gather information about a person or organization without knowledge and reports to the software’s author.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdware\u003c/strong\u003e: Adware is used to presents unwanted advertisements to the users of the computer.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800appendix-d\"\u003eAppendix D: Forms and Templates\u003c/h2\u003e\u003cp\u003e\u003cem\u003ePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e1. Rules of Behavior for General Users\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThese\u0026nbsp;\u003cem\u003eRules of Behavior (RoB) for General Users\u003c/em\u003e\u0026nbsp;apply to all HHS personnel (employees, contractors, interns, etc.) and any other individuals who are granted access to HHS/OpDiv information resources and IT systems. Users of HHS/OpDiv information, IT resources and information systems must read, acknowledge, and adhere to the following rules prior to accessing data and using HHS/OpDiv information and IT resources.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e1.1. HHS/OpDiv Information and IT Resources\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen using and accessing HHS/OpDiv information and IT resources, I understand that I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eComply with federal laws, regulations, and HHS/OpDiv policies, standards, and procedures and that I must not violate, direct, or encourage others to violate HHS/OpDiv policies, standards, or procedures.\u003c/li\u003e\u003cli\u003eNot allow unauthorized use and access to HHS/OpDiv information and IT resources.\u003c/li\u003e\u003cli\u003eNot circumvent or bypass security safeguards, policies, systems’ configurations, or access control measures unless authorized in writing.\u003c/li\u003e\u003cli\u003eLimit personal use of information and IT resources so that it:\u003col type=\"a\"\u003e\u003cli\u003eInvolves no more than minimal additional expense to the government\u003c/li\u003e\u003cli\u003eIs minimally disruptive to my personal productivity\u003c/li\u003e\u003cli\u003eDoes not interfere with the mission or operations of HHS\u003c/li\u003e\u003cli\u003eDoes not violate HHS/OpDiv security and privacy policies.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eRefrain from using GFE, email, third-party websites, and applications (TPWAs) (e.g., HHS/OpDiv social media sites and cloud services, etc.) and other HHS/OpDiv information resources for activities that are not related to any legitimate/officially sanctioned HHS/OpDiv business purpose, except for the limited personal use stated above.\u003c/li\u003e\u003cli\u003eComplete all mandatory training (e.g., security and privacy awareness, role-based training, etc.) when initially granted access to HHS/OpDiv systems and periodically thereafter as required by HHS/OpDiv policies.\u003c/li\u003e\u003cli\u003eBe accountable for my actions while accessing and using HHS/OpDiv information, information systems and IT resources.\u003c/li\u003e\u003cli\u003eNot reconfigure systems and modify GFE, install/load unauthorized/unlicensed software or make configuration changes without proper official authorization.\u003c/li\u003e\u003cli\u003eProperly secure all GFE, including laptops, mobile devices, and other equipment that store, process, and handle HHS/OpDiv information, when leaving them unattended either at the office and other work locations, such as home, hoteling space, etc. and while on travel. This includes locking workstations, laptops, storing GFE in a locked drawer, cabinet, or simply out of plain sight, and removing my PIV card from my workstation.\u003c/li\u003e\u003cli\u003eMust return all GFEs and Government issued PIV Card on or before last day of employment or contract termination.\u003c/li\u003e\u003cli\u003eReport all suspected and identified information security incidents and privacy breaches to the Helpdesk, HHS/OpDiv Computer Security Incident Response Center (CSIRC), or OpDiv Computer Security Incident Response Team (CSIRT) as soon as possible, without unreasonable delay and no later than within\u0026nbsp;\u003cem\u003e\u003cstrong\u003eone (1) hour\u003c/strong\u003e\u003c/em\u003e\u0026nbsp;of occurrence/discovery.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn11\" target=\"_blank\"\u003e11\u003c/a\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.2. No Expectation of Privacy\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen using and accessing HHS/OpDiv information and IT resources, I understand that I would have no expectation of Privacy. I acknowledge the following:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eThere would be no expectation of privacy when using HHS/OpDiv information resources, systems and GFE and may be monitored, recorded, and audited at any time.\u003c/li\u003e\u003cli\u003eMy use any HHS/OpDiv information resources, systems and GFE is with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. § 552 or other applicable legal authority.\u003c/li\u003e\u003cli\u003eMy electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or Department/OpDiv personnel when related to the performance of their duties at any time.\u0026nbsp; For example, after obtaining management approval, HHS/OpDiv authorized technical staff may employ monitoring tools in order to maximize the utilization of HHS/OpDiv resources.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn12\" target=\"_blank\"\u003e12\u003c/a\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.3. Password Requirement\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen creating and managing my password, I understand that I must comply with the following baseline requirements:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eComply with all HHS/OpDiv password requirements.\u003c/li\u003e\u003cli\u003eCreate passwords with minimum of 15 characters.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn13\" target=\"_blank\"\u003e13\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNot use common or compromised passwords.\u003c/li\u003e\u003cli\u003eProtect my passwords, Personal Identity Verification (PIV) card, Personal Identification Numbers (PIN) and other access credentials from disclosure and compromise.\u003c/li\u003e\u003cli\u003ePromptly change my password if I suspect or receive notification that it has been compromised.\u003c/li\u003e\u003cli\u003eImmediately select a new password upon account recovery.\u003c/li\u003e\u003cli\u003eNot use another person’s account, identity, password/passcode/PIN, or PIV card or allow others to use my GFE and/or other HHS/OpDiv information resources provided to me to perform my official work duties and tasks. This includes not sharing passwords or provide passwords to anyone, including system administrators.\u003c/li\u003e\u003cli\u003eOnly use authorized credentials, including PIV card, to access HHS/OpDiv systems and facilities and will not attempt to bypass access control measures.\u003c/li\u003e\u003cli\u003eSelect the PIV card to conduct HHS/OpDiv business whenever possible when both the PIV and password options are available for authentication.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.4. Internet and Email\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen accessing and using the internet and email, I understand that I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eNot access HHS/OpDiv Webmail from the public internet.\u003c/li\u003e\u003cli\u003eHandle personal devices in the following manner:\u003col type=\"a\"\u003e\u003cli\u003eNot connecting personal devices to HHS/OpDiv systems without proper official authorization\u003c/li\u003e\u003cli\u003eNot conducting official HHS/OpDiv business using non-HHS/OpDiv email or personal online storage/service accounts without written authorization from HHS/OpDiv or OpDiv CISO or designee\u003c/li\u003e\u003cli\u003eNot using personal devices, non-HHS/OpDiv email, and unauthorized third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, process HHS/OpDiv information, and conduct HHS/OpDiv business without proper official authorization such as written approval from the HHS/OpDiv or OpDiv CISO or their designee.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eNot automatically (auto) forward HHS/OpDiv email to any internal and external email sources or forwarding email/files that contain HHS/OpDiv information to unauthorized systems and devices that are used for non-HHS/OpDiv and non-OpDiv business purposes.\u003c/li\u003e\u003cli\u003eNot use an HHS/OpDiv email address and other information resources to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or Website, and signing up for personal memberships that are not work related.\u003c/li\u003e\u003cli\u003eNot provide official HHS/OpDiv information to an unsolicited email if prohibited. If an email is received from any source requesting personal or organizational information or asking to verify accounts or security settings, I will report the incident to the Helpdesk and/or the CSIRC/ CSIRT immediately.\u003c/li\u003e\u003cli\u003eOnly disseminate authorized HHS/OpDiv information related to my official job and duties at HHS/OpDiv to internal and external sources.\u003c/li\u003e\u003cli\u003eNot upload or disseminate information which is at odds with departmental missions or positions or without proper authorization, which could create the perception that the communication was made in my official capacity as a federal government employee or contractor.\u003c/li\u003e\u003cli\u003eNot connect GFE or contractor-owned equipment to unsecured Wi-Fi networks (e.g. airports, hotels, restaurants, etc.) and public Wi-Fi to conduct HHS/OpDiv business unless Wi-Fi access is at a minimum, protected with an unshared, unique user password access.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.5. Data Protection\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling and accessing HHS/OpDiv information, I understand that I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eTake all necessary precautions to protect HHS/OpDiv information and IT assets, including but not limited to hardware, software, sensitive information, including but not limited to PII, PHI, federal records [media neutral], and other HHS/OpDiv information from unauthorized access, use, modification, destruction, theft, disclosure, loss, damage, or abuse, and in accordance with\u0026nbsp;\u003ca href=\"http://intranet.hhs.gov/it/cybersecurity/policies/index.html\" target=\"_blank\"\u003eHHS/OpDiv policies\u003c/a\u003e.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn14\" target=\"_blank\"\u003e14\u003c/a\u003e\u003c/li\u003e\u003cli\u003eProtect sensitive information (e.g., sensitive information, such as confidential business information, PII, PHI, financial records, proprietary data, etc.) at rest (stored on laptops or other computing devices) regardless of media or format, from disclosure to unauthorized persons or groups. This includes, but is not limited to:\u003col type=\"a\"\u003e\u003cli\u003eNever store sensitive information in public folders, unauthorized devices/services or other unsecure physical or electronic locations\u003c/li\u003e\u003cli\u003eAlways encrypt sensitive information at rest and in transit (transmitted via email, attachment, media, etc.)\u003c/li\u003e\u003cli\u003eAlways disseminate passwords and encryption keys out of band (e.g., via text message, in person, or phone call) or store password and encryption keys separately from encrypted files, devices and data when sending encrypted emails or transporting encrypted media\u003c/li\u003e\u003cli\u003eAccess or use sensitive information only when necessary to perform job functions, and do not access or use sensitive information for anything other than authorized purposes\u003c/li\u003e\u003cli\u003eSecurely dispose of electronic media and papers that contain sensitive data when no longer needed, in accordance with the HHS/OpDiv Policy for Records Management and federal guidelines.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eImmediately report all suspected and known security incidents (e.g., GFE loss or compromise, violation of security policies, etc.), privacy breaches (e.g., loss, compromise, or unauthorized access, or use of PII/PHI), and suspicious activities to the Helpdesk and/or CSIRC/CSIRT at\u0026nbsp;\u003ca href=\"mailto:CSIRC@HHS.gov\" target=\"_blank\"\u003eCSIRC@HHS.gov\u003c/a\u003e\u0026nbsp;or call 1-866-646-7514 pursuant to HHS/OpDiv incident response policies and/or procedures.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn15\" target=\"_blank\"\u003e15\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNot take permanently issued GFE devices with me during official foreign travel. Only carry loaner GFE (including mobile computing, phone, and storage devices) during official foreign travel. If there is a need to take GFE on personal foreign travel, submit a request and get approved by a designated government official within the OpDiv. Upon approval, obtain a loaner GFE and adhere to the HHS policy in the memorandum\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/about-hhs/national-security/policy/gfe-foreign-travel-2018\" target=\"_blank\"\u003eUse of Government Furnished Equipment (GFE) During Foreign Travel\u003c/a\u003e. Additional requirements include:\u003col type=\"a\"\u003e\u003cli\u003eReviewing Office of Security and Strategic Information (OSSI) requirements and the requirements within the\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda\" target=\"_blank\"\u003eMemorandum on the Use of GFE During Foreign Travel\u003c/a\u003e\u0026nbsp;prior to traveling abroad with GFE or to conduct HHS/OpDiv business\u003c/li\u003e\u003cli\u003eNotifying my Personnel Security Representative (PSR) when there is a need to bring GFE on foreign travel (per requirements defined by the OSSI in accordance with the\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda\" target=\"_blank\"\u003eMemorandum on the Use of GFE During Foreign Travel\u003c/a\u003e).\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.6. Privacy\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eI understand that if I am working with PII, I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eProtect PII\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn16\" target=\"_blank\"\u003e16\u003c/a\u003e\u0026nbsp;from inappropriate disclosure, loss, or compromise.\u003c/li\u003e\u003cli\u003eOnly collect, use, maintain, and disclose PII that is directly relevant and necessary to accomplish a legally authorized purpose.\u003c/li\u003e\u003cli\u003eDisclose PII only to those who need to know the information to execute their work and are authorized to receive it.\u003c/li\u003e\u003cli\u003eComply with applicable legal and regulatory privacy safeguards. For example:\u003col type=\"a\"\u003e\u003cli\u003eReport suspected or confirmed breaches of PII in accordance with the\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/hhs-policy-for-preparing-for-and-responding-to-a-pii-breach\" target=\"_blank\"\u003e\u003cem\u003eHHS/OpDiv Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII\u003c/em\u003e)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eSubmit a privacy impact assessment (PIA) for systems or electronic information collections collecting PII.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eBe transparent about information policies and practices with respect to PII, provide clear and accessible notice regarding collection, use, maintenance, and disclosure of PII, and seek consent for the collection, use, and disclosure of PII as appropriate.\u003c/li\u003e\u003cli\u003eEnable individuals to access, correct, or amend their PII as appropriate, and ensure PII is accurate, relevant, timely and complete to guarantee fairness to individuals.\u003c/li\u003e\u003cli\u003eNot access PII unless specifically authorized and required as part of assigned duties.\u003c/li\u003e\u003cli\u003eCollect, use, and disclose PII only for the purposes for which it was collected and consistent with conditions set\u0026nbsp;forth in stated privacy notices such as those provided to individuals at the point of data collection or published in the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/sorns/index.html\" target=\"_blank\"\u003eHHS' SORN website\u003c/a\u003e\u0026nbsp;\u0026nbsp;(to include\u0026nbsp;\u003ca href=\"https://www.opm.gov/information-management/privacy-policy/privacy-references/sornguide.pdf\" target=\"_blank\"\u003eSystem of Records Notices [SORNs]\u003c/a\u003e).\u003c/li\u003e\u003cli\u003eMaintain no record describing how an individual exercises his or her First Amendment rights, unless it is expressly authorized by statute or by the individual about whom the record is maintained, or is pertinent to and within the scope of an authorized law enforcement activity.\u003c/li\u003e\u003cli\u003eConsult with my OpDiv privacy program or Senior Official for Privacy (SOP)\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn17\" target=\"_blank\"\u003e17\u003c/a\u003e\u0026nbsp;before initiating or making significant changes\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn18\" target=\"_blank\"\u003e18\u003c/a\u003e\u0026nbsp;to a system or collection of PII.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.7. Telework and GFE\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen teleworking, I understand that I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eTelework only when approved by management and conduct myself with the same professionalism remotely as required in the workplace.\u003c/li\u003e\u003cli\u003eSafeguard any GFE provided for telework.\u003c/li\u003e\u003cli\u003eSafeguard HHS/OpDiv information, equipment, including GFE. Protecting HHS/OpDiv information including PII, CUI and any sensitive information is just as important at a telework location as it is in an HHS/OpDiv building.\u003c/li\u003e\u003cli\u003eOnly connect additional devices to GFE as necessary to conduct official government business with OpDiv approval, if the devices are not on the prohibited vendor list.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn19\" target=\"_blank\"\u003e19\u003c/a\u003e\u003col type=\"a\"\u003e\u003cli\u003eOnly connect GFE to printers by opening a ticket with the helpdesk.\u003c/li\u003e\u003cli\u003eContact OpDiv Help Desk to have drivers installed to GFE prior to connecting printer.\u003c/li\u003e\u003cli\u003eConnect printers to GFE via USB or other physical port. Wireless connections between GFE and printers may require OpDiv approval.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eNot install any software to GFE whether it is free or free downloadable unless authorized or approved.\u003c/li\u003e\u003cli\u003eUse my home Wi-Fi network to provide the connectivity for telework but my home networks must be set up in accordance with guidance from HHS/OpDiv or OpDiv;\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn20\" target=\"_blank\"\u003e20\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNot connect hardware to GFE via Bluetooth unless necessary for official use must keep Bluetooth turned off and only turn on when needed.\u003c/li\u003e\u003cli\u003eProtect all sensitive information, including CUI and PII.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.8. Strictly Prohibited Activities\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen using federal government systems and equipment, I must refrain from the following activities, which are strictly prohibited:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eAccessing any social media websites (such as YouTube, Twitter, Facebook, etc.) while utilizing GFE, unless required for official HHS/OpDiv business.\u003c/li\u003e\u003cli\u003eAccessing, downloading, or clicking on unknown links, particularly on social media sites such as “Malware Alert notices”.\u003c/li\u003e\u003cli\u003eClicking on links or open attachments sent via email or text message Web links from untrusted sources and verify information from trusted sources before clicking attachments. I must report suspected phishing attempts using the Report Phishing button or forward suspicious emails as an attachment to\u0026nbsp;\u003ca href=\"mailto:Spam@hhs.gov\" target=\"_blank\"\u003eSpam@hhs.gov\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eEngaging in activities that could cause congestion, delay, or disruption of service to any HHS/OpDiv information resource (e.g., sending chain letters via email, playing streaming videos, games, music, etc.).\u003c/li\u003e\u003cli\u003eAccessing, downloading and/or uploading unethical, illegal, or criminal content from/to the internet (e.g., pornographic, and sexually explicit materials, illegal weapons, criminal and terrorism activities, and other illegal actions or activities).\u003c/li\u003e\u003cli\u003eSending, retrieving, viewing, displaying, or printing sexually explicit, suggestive, or pornographic text or images, or other offensive material (e.g., vulgar material, racially offensive material, etc.).\u003c/li\u003e\u003cli\u003eUsing non-public HHS/OpDiv data for private gain or to misrepresent myself or HHS/OpDiv or for any other unauthorized purpose.\u003c/li\u003e\u003cli\u003eSending messages supporting or opposing partisan political activity as restricted under the\u0026nbsp;\u003ca href=\"https://osc.gov/Services/Pages/HatchAct.aspx\" target=\"_blank\"\u003eHatch Act\u0026nbsp;\u003c/a\u003e\u0026nbsp;and other federal laws and regulations.\u003c/li\u003e\u003cli\u003eEngaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity.\u003c/li\u003e\u003cli\u003eUsing HHS/OpDiv information resources for activities that are inappropriate or offensive to fellow personnel or the public (e.g., hate speech or material that ridicules others on the basis of race, creed, religion, color, age, gender, disability, national origin, or sexual orientation).\u003c/li\u003e\u003cli\u003eCreating a website, TPWA, or social media site on behalf of HHS/OpDiv or uploading content to a website, TPWA, or social media site without proper official authorization.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn21\" target=\"_blank\"\u003e21\u003c/a\u003e\u003c/li\u003e\u003cli\u003eSending or forwarding chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages except when forwarding to report this activity to authorized recipients.\u003c/li\u003e\u003cli\u003eUsing peer-to-peer (P2P) software except for secure tools approved in writing by the OpDiv CIO (or designee) to meet business or operational needs.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCreating and/or operating unapproved/unauthorized Web sites or services.\u003c/li\u003e\u003cli\u003eUsing, storing, or distributing, unauthorized copyrighted or other intellectual property.\u003c/li\u003e\u003cli\u003eUsing HHS/OpDiv information, systems, and devices to send or post threatening, harassing, intimidating, or abusive material about anyone in public or private messages or any forums.\u003c/li\u003e\u003cli\u003eExceeding authorized access to sensitive information.\u003c/li\u003e\u003cli\u003eUsing HHS/OpDiv GFE for commercial or for-profit activity, shopping, instant messaging (for unauthorized and non-work-related purposes), managing outside employment or business activity, or running personal business, playing games, gambling, watching movies, accessing unauthorized sites, or hacking.\u003c/li\u003e\u003cli\u003eUsing an official HHS/OpDiv e-mail address to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or website, and signing up for personal memberships. Professional groups or memberships related to job duties at HHS/OpDiv are permissible.\u003c/li\u003e\u003cli\u003eRemoving data or equipment from the agency premises without proper authorization.\u003c/li\u003e\u003cli\u003eSharing, storing, or disclosing sensitive information with third-party organizations and/or using third-party applications (e.g., Drop Box, Evernote, iCloud, etc.) unless, in very limited circumstances, is authorized by HHS/OpDiv or OpDiv CISO or designee.\u003c/li\u003e\u003cli\u003eStoring sensitive data in external platforms, such as personal Google Docs.\u003c/li\u003e\u003cli\u003eTransporting, transmitting, e-mailing, texting, remotely accessing, or downloading sensitive information unless such action is explicitly permitted in writing by the manager or owner of such information and appropriate safeguards are in place per HHS/OpDiv policies concerning sensitive information.\u003c/li\u003e\u003cli\u003eKnowingly or willingly concealing, removing, mutilating, obliterating, falsifying, or destroying HHS/OpDiv information.\u003c/li\u003e\u003cli\u003eAccessing or visiting any unknown website(s) which may be infected with malware, responding to phishing emails, storing credentials in an unsecured location. This may cause to create an Incident and require having additional Awareness and Security training.\u003c/li\u003e\u003cli\u003eUsing any file sharing program without agency’s permission.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eSignature\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eI have read the above\u0026nbsp;\u003cem\u003eRules of Behavior for General Users\u003c/em\u003e\u0026nbsp;and understand and agree to comply with the provisions stated herein. I understand that violations of these RoB or HHS/OpDiv information security policies and standards may result in disciplinary action and that these actions may include reprimand, suspensive of access privileges, revocation of access to federal information, IT resources, information systems, and/or facilities, deactivation of accounts, suspension without pay, monetary fines, termination of employment; removal or debarment from work on federal contracts or projects; criminal charges that may result in imprisonment.\u003c/p\u003e\u003cp\u003eI understand that exceptions to these RoB must be authorized in advance in writing by the designated authorizing officials. I also understand that violation of federal laws, such as the Privacy Act of 1974, copyright law, and 18 USC 2071, which the HHS/OpDiv RoB draw upon, can result in monetary fines and/or criminal charges that may result in imprisonment.\u003c/p\u003e\u003cp\u003eUser’s Name:\u003c/p\u003e\u003cp\u003e(Print)\u003c/p\u003e\u003cp\u003eUser’s Signature:\u003c/p\u003e\u003cp\u003eDate Signed:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e2. Rules of Behavior for Privileged Users\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe following\u0026nbsp;\u003cem\u003eHHS/OpDiv Rules of Behavior (RoB) for Privileged Users\u003c/em\u003e\u0026nbsp;is an addendum to the\u0026nbsp;\u003cem\u003eRules of Behavior for General Users\u0026nbsp;\u003c/em\u003eand provides mandatory rules on the appropriate use and handling of HHS/OpDiv information technology (IT) resources for all HH privileged users, including federal employees, interns, contractors, and other staff who possess privileged access to HHS/OpDiv information systems.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn22\" target=\"_blank\"\u003e22\u003c/a\u003e\u0026nbsp;Privileged users have network accounts with elevated privileges that grant them greater access to IT resources than non-privileged users. These privileges are typically allocated to system, network, security, and database administrators, as well as other IT administrators.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn23\" target=\"_blank\"\u003e23\u003c/a\u003e\u0026nbsp;The compromise of a privileged user account may expose HHS/OpDiv to a high-level of risk; therefore, privileged user accounts require additional safeguards.\u003c/p\u003e\u003cp\u003eA privileged user is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. System accounts and level of privilege vary dependent upon the role being fulfilled. A privileged user has the potential to compromise the three security objectives of confidentiality, integrity, and availability. Such users include, for example, security personnel or system administrators who are responsible for managing restricted physical locations or shared IT resources and have been granted permissions to create new user accounts, modify user privileges, as well as make system changes. Examples of privileged users include (but are not limited to):\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eApplication developer\u003c/li\u003e\u003cli\u003eDatabase administrator\u003c/li\u003e\u003cli\u003eDomain administrator\u003c/li\u003e\u003cli\u003eData center operations personnel\u003c/li\u003e\u003cli\u003eIT tester/auditor\u003c/li\u003e\u003cli\u003eHelpdesk support and computer/system maintenance personnel\u003c/li\u003e\u003cli\u003eNetwork engineer\u003c/li\u003e\u003cli\u003eSystem administrator\u003c/li\u003e\u003cli\u003eSecurity Stewards\u003c/li\u003e\u003c/ol\u003e\u003cp\u003ePrivileged users must read, acknowledge, and adhere to the RoB for Privileged User and any other HHS/OpDiv policy or guidance for privileged users, prior to obtaining access and using HHS/OpDiv information, IT resources and information systems and/or networks in a privileged role. The same signature acknowledgement process followed for the Appendix D, General User RoB, applies to the privileged user accounts. Each OpDiv must maintain a list of privileged users, the privileged accounts those users have access to, the permissions granted to each privileged account, and the authentication technology or combination of technologies required to use each privileged account\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn24\" target=\"_blank\"\u003e24\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFollowing is the RoB for a privileged user.\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eI understand that as a privileged user, I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eUse privileged user accounts appropriately for their intended purpose and only when required for official duties.\u003c/li\u003e\u003cli\u003eComply with all privileged user responsibilities in accordance with the HHS Policy for Information Security and Privacy Protection (IS2P) and any other applicable HHS and OpDiv policies.\u003c/li\u003e\u003cli\u003eNotify system owners immediately when privileged access is no longer required.\u003c/li\u003e\u003cli\u003eProperly protect all information, including media, hard copy reports and documentation as well as system information in a manner commensurate with the sensitivity of the information and securely dispose of information and GFE that are no longer needed in accordance with HHS/OpDiv sanitization policies.\u003c/li\u003e\u003cli\u003eReport all suspected or confirmed information security incidents and privacy breaches to the OpDiv Helpdesk, HHS/OpDiv CSIRC, or OpDiv CSIRT as soon as possible, without unreasonable delay and no later than within\u0026nbsp;\u003cem\u003e\u003cstrong\u003eone (1) hour\u003c/strong\u003e\u003c/em\u003e\u0026nbsp;of occurrence/discovery.\u003c/li\u003e\u003cli\u003eComplete any specialized role-based security or privacy training as required before receiving privileged system access.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eI understand that as a privileged user, I must\u0026nbsp;\u003cstrong\u003enot:\u003c/strong\u003e\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eShare privileged user account(s), password(s)/passcode(s)/PIV PINs, and other login credentials, including to other system administrators.\u003c/li\u003e\u003cli\u003eConduct official HHS/OpDiv business using personal email or personal online storage account.\u003c/li\u003e\u003cli\u003eUse privileged user access to log into any system for non-elevated duties.\u003c/li\u003e\u003cli\u003eInstall, modify, or remove any system hardware or software unless it is part of my job duties and the appropriate approvals have been obtained or with official written approval.\u003c/li\u003e\u003cli\u003eAccess the internet for any reason while using my privileged account. This includes downloading of files (including patches or updates), etc.\u003c/li\u003e\u003cli\u003eRemove or destroy system audit logs or any other security, event log information unless authorized by appropriate official(s) in writing.\u003c/li\u003e\u003cli\u003eTamper with audit logs of any kind. Note: In some cases, tampering can be considered evidence and can be a criminal offense punishable by fines and possible imprisonment.\u003c/li\u003e\u003cli\u003eAcquire, possess, trade, or use hardware or software tools that could be employed to evaluate, compromise, or bypass information systems security controls for unauthorized purposes.\u003c/li\u003e\u003cli\u003eIntroduce unauthorized code, Trojan horse programs, malicious code, viruses, or other malicious software into HHS/OpDiv information systems or networks.\u003c/li\u003e\u003cli\u003eKnowingly write, code, compile, store, transmit, or transfer malicious software code, to include viruses, logic bombs, worms, and macro viruses.\u003c/li\u003e\u003cli\u003eUse privileged user account(s) for day-to-day communications and other non-privileged transactions and activities.\u003c/li\u003e\u003cli\u003eElevate the privileges of any user without prior approval from the system owner.\u003c/li\u003e\u003cli\u003eUse privileged access to circumvent HHS/OpDiv policies or security controls.\u003c/li\u003e\u003cli\u003eAccess information outside of the scope of my specific job responsibilities or expose non-public information to unauthorized individuals.\u003c/li\u003e\u003cli\u003eUse a privileged user account for web access except in support of administrative related activities.\u003c/li\u003e\u003cli\u003eUse any unknown website(s) which may be infected with malware and responding to phishing emails. If I use, I will report to OpDiv Helpdesk, HHS/OpDiv CSIRC, or OpDiv CSIRT as soon as possible, without unreasonable delay and no later than within\u0026nbsp;\u003cem\u003e\u003cstrong\u003eone (1) hour\u003c/strong\u003e\u003c/em\u003e\u0026nbsp;of occurrence/discovery.\u003c/li\u003e\u003cli\u003eUse any file sharing program without HHS/OpDiv’s permission.\u003c/li\u003e\u003cli\u003eModify security settings on system hardware or software without the approval of a system administrator and/or a system owner.\u003c/li\u003e\u003cli\u003eUse systems (either government issued or non-government) without the following protections in place to access sensitive HHS/OpDiv information:\u003cul type=\"circle\"\u003e\u003cli\u003eAntivirus software with the latest updates\u003c/li\u003e\u003cli\u003eAnti-spyware and personal firewalls\u003c/li\u003e\u003cli\u003eA time-out function that requires re-authentication after no more than 30 minutes of inactivity on remote access\u003c/li\u003e\u003cli\u003eApproved encryption to protect sensitive information stored on recordable media, including laptops, USB drives, and external disks; or transmitted or downloaded via e-mail or remote connections.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eSignature\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eI have read the above\u0026nbsp;\u003cem\u003eRules of Behavior (RoB) for Privileged User\u003c/em\u003es and understand and agree to comply with the provisions stated herein. I understand that violations of these RoB or HHS/OpDiv information security policies and standards may result in disciplinary action and that these actions may include reprimand, suspensive of access privileges, revocation of access to federal information, information systems, and/or facilities, deactivation of accounts, suspension without pay, monetary fines, termination of employment; removal or debarment from work on federal contracts or projects; criminal charges that may result in imprisonment. I understand that exceptions to these RoBmust be authorized in advance in writing by the designated authorizing official(s).\u003c/p\u003e\u003cp\u003eUser’s Name:\u003c/p\u003e\u003cp\u003e(Print)\u003c/p\u003e\u003cp\u003eUser’s Signature:\u003c/p\u003e\u003cp\u003eDate Signed:\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800appendix-e\"\u003eAppendix E: References\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eStatutes\u003c/strong\u003e\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eOverview of the Privacy Act of 1974, 2020 Edition (\u003ca href=\"http://justice.gov/\" target=\"_blank\"\u003ejustice.gov\u003c/a\u003e):\u0026nbsp;\u003ca href=\"https://www.justice.gov/Overview_2020/download\" target=\"_blank\"\u003ehttps://www.justice.gov/Overview_2020/download\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eExecutive Order (EO) 13556,\u0026nbsp;\u003cem\u003eControlled Unclassified Information (CUI),\u0026nbsp;\u003c/em\u003eNovember 2010,\u0026nbsp;\u003ca href=\"https://www.govinfo.gov/content/pkg/FR-2010-11-09/pdf/2010-28360.pdf\" target=\"_blank\"\u003ehttps://www.govinfo.gov/content/pkg/FR-2010-11-09/pdf/2010-28360.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eEO 14028,\u0026nbsp;\u003cem\u003eImproving the Nation's Cybersecurity\u003c/em\u003e, May 2021,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\" target=\"_blank\"\u003ehttps://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eFederal Information Security Modernization Act of 2014 (FISMA), Pub. L. No. 113-283, 128 Stat. 3073, codified at 44 U.S.C. Chapter 35, Subchapter II,\u0026nbsp;\u003ca href=\"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf\" target=\"_blank\"\u003ehttps://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eNIST Guidance\u003c/strong\u003e\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-12 Revision 1,\u0026nbsp;\u003cem\u003eAn Introduction to Information Security\u003c/em\u003e, June 2017,\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final\" target=\"_blank\"\u003eSP 800-12 Rev. 1, An Introduction to Information Security | CSRC (nist.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-18 Rev.1,\u0026nbsp;\u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e, February 2006,\u0026nbsp;\u003ca href=\"http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf\" target=\"_blank\"\u003ehttp://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-37 Revision 2,\u0026nbsp;\u003cem\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u003c/em\u003e, December 2018,\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf\" target=\"_blank\"\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (nist.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-53 Rev.5,\u0026nbsp;\u003cem\u003eSecurity and Privacy Controls for Information Systems and Organizations\u003c/em\u003e, December 2020,\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\" target=\"_blank\"\u003ehttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-63B,\u0026nbsp;\u003cem\u003eDigital Identity Guidelines: Authentication and Lifecycle Management\u003c/em\u003e, March 2020,\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf\" target=\"_blank\"\u003ehttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-88 Rev.1,\u0026nbsp;\u003cem\u003eGuidelines for Media Sanitization,\u0026nbsp;\u003c/em\u003eDecember 2014\u003cem\u003e,\u003c/em\u003e\u0026nbsp;\u003ca href=\"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\" target=\"_blank\"\u003ehttp://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-137,\u0026nbsp;\u003cem\u003eInformation Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations\u003c/em\u003e, September 2011,\u0026nbsp;\u003ca href=\"http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf\" target=\"_blank\"\u003ehttp://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-209,\u003cem\u003e\u0026nbsp;Security Guidelines for Storage Infrastructure,\u003c/em\u003e\u0026nbsp;October, 2020,\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-209/final\" target=\"_blank\"\u003ehttps://csrc.nist.gov/publications/detail/sp/800-209/final\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST White Paper,\u0026nbsp;\u003cem\u003eBest Practices for Privileged User PIV Authentication,\u003c/em\u003e\u0026nbsp;April 21, 2016,\u0026nbsp;\u003ca href=\"http://csrc.nist.gov/publications/papers/2016/best-practices-privileged-user-piv-authentication.pdf\" target=\"_blank\"\u003ehttp://csrc.nist.gov/publications/papers/2016/best-practices-privileged-user-piv-authentication.pdf\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOMB Circulars and Memoranda\u003c/strong\u003e\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eOffice of Management and Budget (OMB) Circular A-123\u003cem\u003e, Management’s Responsibility for Enterprise Risk Management and Internal Control\u003c/em\u003e, as amended,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003ehttps://www.whitehouse.gov/omb/information-for-agencies/circulars\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB Circular A-130,\u0026nbsp;\u003cem\u003eManaging Information as a Strategic Resourc\u003c/em\u003ee, July 2016,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003ehttps://www.whitehouse.gov/omb/information-for-agencies/circulars\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB M-17-09,\u0026nbsp;\u003cem\u003eManagement of High Value Assets\u003c/em\u003e, December 2016,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-09.pdf\" target=\"_blank\"\u003eMemorandum for Heads of Executive Departments and Agencies (whitehouse.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB Memorandum M-17-12,\u0026nbsp;\u003cem\u003ePreparing for and Responding to a Breach of Personally Identifiable Information\u003c/em\u003e, January 2017,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eMemorandum for Heads of Executive Department and Agencies (whitehouse.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB M-18-02,\u0026nbsp;\u003cem\u003eFiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management Requirements\u003c/em\u003e,October 2017,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/M-18-02%20%28final%29.pdf\" target=\"_blank\"\u003eM-18-02 (whitehouse.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB M-22-09,\u0026nbsp;\u003cem\u003eMoving the U.S. Government Toward Zero Trust Cybersecurity Principles\u003c/em\u003e, January 2022,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\" target=\"_blank\"\u003ehttps://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHHS Policies and Memoranda\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll HHS Policies may be found at\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides\u003c/a\u003e. These policies may be updated, and the current version should be used.\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003e\u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of PII\u003c/em\u003e, May 2020.\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Policy Exception/Risk Based Exception Form,\u0026nbsp;\u003c/em\u003eJuly 2019.\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Standard for Encryption of Computing Devices and Information\u003c/em\u003e, December 2016.\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/em\u003e, November 2021.\u003c/li\u003e\u003cli\u003e\u003cem\u003ePolicy for Monitoring Employee Use of HHS IT Resources\u003c/em\u003e, June 2013\u003c/li\u003e\u003cli\u003e\u003cem\u003eUpdated Department Standard Warning Banner\u003c/em\u003e, November 2016.\u003c/li\u003e\u003cli\u003e\u003cem\u003eUsage of Unauthorized External Information Systems to Conduct Department Business\u003c/em\u003e, January 8, 2014.\u003c/li\u003e\u003cli\u003e\u003cem\u003eUse of GFE during Foreign Travel\u003c/em\u003e, February 2021\u003c/li\u003e\u003c/ul\u003e\u003ch2 id=\"m_4884422691552917800glossary-acronyms\"\u003eGlossary and Acronyms\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eAudit Log -\u003c/strong\u003e\u0026nbsp;A chronological record of information system activities, including records of system accesses and operations performed in each period.\u0026nbsp; (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-171\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAuthentication -\u003c/strong\u003e\u0026nbsp;A process that provides assurance of the source and integrity of information that is communicated or stored, or that provides assurance of an entity’s identity. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-175A\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eBackup (system backup)\u003c/strong\u003e\u0026nbsp;- The process of copying information or processing status to a redundant system, service, device, or medium that can provide the needed processing capability when needed. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-152\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eBreach\u003c/strong\u003e\u0026nbsp;- The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses PII or (2) an authorized user accesses or potentially accesses PII for another than authorized purpose. (Source:\u0026nbsp;\u003ca href=\"https://osec.doc.gov/opog/privacy/Memorandums/OMB_M-17-12.pdf\" target=\"_blank\"\u003eOMB M-17-12\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCloud Service -\u003c/strong\u003e\u0026nbsp;External service that enable convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-144\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCompromise\u003c/strong\u003e\u0026nbsp;- The unauthorized disclosure, modification, substitution or use of sensitive data (e.g., keying material and other security-related information). (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-175B\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eConfidentiality\u003c/strong\u003e\u0026nbsp;- The property that sensitive information is not disclosed to unauthorized entities. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-175A\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eControlled Unclassified Information (CUI)\u003c/strong\u003e\u0026nbsp;- Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. (Source:\u0026nbsp;\u003ca href=\"https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information\" target=\"_blank\"\u003eExecutive Order 13556\u003c/a\u003e)\u0026nbsp;\u003cstrong\u003eNote:\u0026nbsp;\u003c/strong\u003eSee sensitive information definition below.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCUI Privacy\u003c/strong\u003e\u0026nbsp;– A category of CUI.\u0026nbsp; Refers to personal information, or, in some cases, \"personally identifiable information,\" as defined in OMB M-17-12, or \"means of identification\" as defined in 18 USC 1028(d)(7). (Source: NARA,\u0026nbsp;\u003ca href=\"https://www.archives.gov/cui/registry/category-list\" target=\"_blank\"\u003eCUI Registry\u003c/a\u003e)\u003cstrong\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCUI Privacy-Health Information\u003c/strong\u003e\u0026nbsp;– A subcategory of CUI Privacy. As per 42 USC 1320d(4), \"health information\" means any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. (Source: NARA,\u0026nbsp;\u003ca href=\"https://www.archives.gov/cui/registry/category-list\" target=\"_blank\"\u003eCUI Registry\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDirect Application Access\u003c/strong\u003e\u0026nbsp;- A high-level remote access architecture that allows teleworkers to access an individual application directly, without using remote access software. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eExternal Email Source\u0026nbsp;\u003c/strong\u003e– Defined as an email that is not an official HHS.gov email account. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eExternal Information System (or component)\u0026nbsp;\u003c/strong\u003e– An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53\u003c/a\u003e;\u0026nbsp;\u003ca href=\"https://www.cnss.gov/CNSS/issuances/Instructions.cfm\" target=\"_blank\"\u003eCNSSI-4009\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal Information -\u0026nbsp;\u003c/strong\u003eInformation created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eOMB Memorandum M-17-12\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal Information System\u003c/strong\u003e\u0026nbsp;- An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFull Disk Encryption (FDE)\u003c/strong\u003e\u0026nbsp;- The process of encrypting all the data on the hard drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-111\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral Users\u003c/strong\u003e\u0026nbsp;- A user who has only general access to HHS information resources (not greater access to perform security relevant functions). (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHHS Information Technology (IT) Assets\u0026nbsp;\u003c/strong\u003e- Defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of HHS. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHHS Information Assets\u0026nbsp;\u003c/strong\u003e– Defined as any information created, developed, used for or on behalf of HHS. This includes information in electronic, paper, or another medium format. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHoteling Space\u0026nbsp;\u003c/strong\u003e– Defined as a term that involves temporary or shared space for working and workstation usage. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident\u003c/strong\u003e\u0026nbsp;- An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eOMB Memorandum M-17-12\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation Resources\u003c/strong\u003e\u0026nbsp;- Information and related resources, such as personnel, equipment, funds, and information technology. (Source:\u0026nbsp;\u003ca href=\"https://www.govinfo.gov/app/details/USCODE-2011-title44/USCODE-2011-title44-chap35-subchapI-sec3502\" target=\"_blank\"\u003e44 U.S.C., Sec. 3502\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://www.cnss.gov/CNSS/issuances/Instructions.cfm\" target=\"_blank\"\u003eCNSSI No. 4009\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System (IS)\u0026nbsp;\u003c/strong\u003e- A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.\u0026nbsp; Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. (Source:\u0026nbsp;\u003ca href=\"https://www.govinfo.gov/app/details/USCODE-2011-title44/USCODE-2011-title44-chap35-subchapI-sec3502\" target=\"_blank\"\u003e44 U.S.C. Sec 3502\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation Technology (IT)\u003c/strong\u003e\u0026nbsp;- Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIntegrity\u003c/strong\u003e\u0026nbsp;- The property that protected data has not been modified or deleted in an unauthorized and undetected manner. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-175A\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLogic Bomb\u003c/strong\u003e\u0026nbsp;- A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-12rev1\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMacro Virus\u003c/strong\u003e\u0026nbsp;- A specific type of computer virus that is encoded as a macro embedded in some document and activated when the document is handled. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-28ver1\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMedia\u003c/strong\u003e\u0026nbsp;- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e)\u0026nbsp; \u003cstrong\u003eNote:\u0026nbsp;\u003c/strong\u003eAlso see Removable Media.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMobile Device\u003c/strong\u003e\u0026nbsp;- A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-79-2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMobile\u0026nbsp;Device Management -\u0026nbsp;\u003c/strong\u003eMobile enterprise security technology used to address security requirements. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-163\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMobile Hotspot\u003c/strong\u003e\u0026nbsp;- A mobile hotspot is an offering by various telecom providers to provide localized Wi-Fi. With a hotspot, an adapter or device allows computer users to connect to the internet from approved and/or unapproved locations. Mobile hotspots are advertised as an alternative to the traditional practice of logging onto a local area network or other wireless networks from a personal computer (PC). Although mobile hotspots could be used for other kinds of devices, they are most commonly associated with laptop computers because laptop computers are a type of \"hybrid\" device that may roam but doesn’t usually come with built-in mobile Wi-Fi. (Source:\u0026nbsp;\u003ca href=\"https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering\" target=\"_blank\"\u003ehttps://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMobile Tethering -\u003c/strong\u003e\u0026nbsp;Mobile tethering is slightly different from a mobile hot spot and the mobile tethering must be approved by OpDivs. A tethering strategy involves connecting one device without Wi-Fi to another device that has Wi-Fi connectivity. For example, a user could tether a laptop to a smartphone through cabling or through a wireless connection. This would allow for using the computer on a connected basis. When tethering involves a wireless setup, it closely resembles a mobile hotspot. In fact, though, there are some fairly significant differences between tethering and hotspots in both design and implementation. While a mobile hotspot frequently serves multiple devices in a setup that looks like a local area network, tethering is a practice that has the connotation of being between only two devices. (Source:\u0026nbsp;\u003ca href=\"https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering\" target=\"_blank\"\u003ehttps://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePersonal Identity Verification (PIV) Card\u003c/strong\u003e\u0026nbsp;-The physical artifact (e.g., identity card, “smart” card) issued to an applicant by an issuer contains stored identity markers or credentials (e.g., a photograph, cryptographic keys, digitized fingerprint representations) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable) (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-79 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePersonally Identifiable Information (PII)\u003c/strong\u003e\u0026nbsp;- Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eOMB M-17-12\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePersonally Owned Device\u003c/strong\u003e\u0026nbsp;A non-organization-controlled client device owned by an individual. These client devices are controlled by the owner, who is fully responsible for securing them and maintaining their security. (Source: Adapted from\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e).\u003cstrong\u003e\u0026nbsp;Note\u003c/strong\u003e: Also referred to as a Bring Your Own Device (BYOD).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Impact Assessment\u0026nbsp;\u003c/strong\u003e- An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns.\u0026nbsp; A PIA is both an analysis and a formal document detailing the process and the outcome of the analysis. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivileged User\u003c/strong\u003e\u0026nbsp;- A user who is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. Privileged users have network accounts with privileges that grant them greater access to IT resources than general (i.e., non-privileged) users have. These privileges are typically allocated to system, network, security, and database administrators, as well as another IT administrator. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProtected Health Information (PHI)\u003c/strong\u003e\u0026nbsp;- Individually identifiable health information (IIHI) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-122\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRemote Access\u003c/strong\u003e\u0026nbsp;- The ability for an organization’s users to access its non-public computing resources from external locations other than the organization’s facilities. (Source:\u0026nbsp;\u003ca href=\"https://www.cnss.gov/CNSS/issuances/Instructions.cfm\" target=\"_blank\"\u003eCNSSI 4009\u003c/a\u003e)\u0026nbsp;\u003cstrong\u003eNOTE\u003c/strong\u003e: Per\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e, this also applies to a process acting on behalf of a user.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRemote Access Method\u003c/strong\u003e\u0026nbsp;\u003cstrong\u003e-\u0026nbsp;\u003c/strong\u003eMechanisms that enable users to perform remote access. There are four types of remote access methods: tunneling, portals, remote desktop access, and direct application access. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRemote Desktop Access\u003c/strong\u003e\u0026nbsp;- A high-level remote access architecture that gives a teleworker the ability to remotely control a particular desktop computer at the organization, most often the user’s own computer at the organization’s office, from a telework client device. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRemovable Media\u003c/strong\u003e\u0026nbsp;- Portable data storage medium that can be added to or removed from a computing device or network.\u0026nbsp; Note:\u0026nbsp; Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable hard drives; external/removable Solid-State Disk (SSD) drives; magnetic/optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external / removable disks (floppy, Zip, Jaz, Bernoulli, UMD). (Source:\u0026nbsp;\u003ca href=\"https://www.cnss.gov/CNSS/issuances/Instructions.cfm\" target=\"_blank\"\u003eCNSSI 4009\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSanitize\u003c/strong\u003e\u0026nbsp;- A process to render access to Target Data on the media infeasible for a given level of effort.\u0026nbsp; Clear, Purge, and Destroy are actions that can be taken to sanitize media. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-88 Revision 1\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSanitization\u003c/strong\u003e\u0026nbsp;- A process to render access to target data on the media infeasible for a given level of effort. Clear, purge, and destroy are actions that can be taken to sanitize media. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSensitive Information\u003c/strong\u003e\u0026nbsp;- Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Source:\u0026nbsp;\u003ca href=\"https://doi.org/10.6028/NIST.SP.800-150\" target=\"_blank\"\u003eNIST SP 800-150\u003c/a\u003e\u0026nbsp;under Sensitive Information from\u0026nbsp;\u003ca href=\"https://doi.org/10.6028/NIST.IR.7298r2\" target=\"_blank\"\u003eNISTIR 7298 Rev. 2\u003c/a\u003e) (See Section 2 Purpose on page 4 for how \"sensitive information\" is applied within this policy)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem of Records -\u0026nbsp;\u003c/strong\u003eA group of any records under the control of any agency from which information about an individual is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-122\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca href=\"https://www.justice.gov/opcl/privacy-act-1974#:~:text=The%20Privacy%20Act%20of%201974,of%20records%20by%20federal%20agencies.\" target=\"_blank\"\u003eThe Privacy Act of 1974, as amended, 5 U.S.C. § 552a(a)(5)\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem-Specific User -\u003c/strong\u003e\u0026nbsp;The user of a system that is subject to system-specific ROBs. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTelework\u003c/strong\u003e\u0026nbsp;- The ability for an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTelework Client Device -\u003c/strong\u003e\u0026nbsp;A PC or mobile device. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThird Party-Controlled Device\u003c/strong\u003e\u0026nbsp;- A client device controlled by a contractor, business partner, or vendor.\u0026nbsp; These client devices are controlled by the remote worker’s employer who is ultimately responsible for securing the client devices and maintaining their security. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eUnknown Device -\u003c/strong\u003e\u0026nbsp;A client device that is owned and controlled by other parties, such as a kiosk computer at hotels, and a PC or mobile device owned by friends and family. The device is labeled as “unknown” because there are no assurances regarding its security posture. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVirtual Disk Encryption\u003c/strong\u003e\u0026nbsp;- The process of encrypting a container, which can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-111\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVirtual Private Network (VPN)\u003c/strong\u003e\u0026nbsp;- A virtual network, built on top of existing physical networks that provides a secure communications tunnel for data and other information transmitted between networks. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVirus\u003c/strong\u003e\u0026nbsp;- A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. See malicious code. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-12rev1\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWorm\u003c/strong\u003e\u0026nbsp;- A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. See Malicious Code. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-12rev1\u003c/a\u003e)\u003c/p\u003e\u003ch3\u003eAcronyms:\u003c/h3\u003e\u003cp\u003eCIO - Chief Information Officer\u003c/p\u003e\u003cp\u003eCISO - Chief Information Security Officer\u003c/p\u003e\u003cp\u003eCSIRC - Computer Security Incident Response Center\u003c/p\u003e\u003cp\u003eCSIRT - Computer Security Incident Response Team\u003c/p\u003e\u003cp\u003eCUI - Controlled Unclassified Information\u003c/p\u003e\u003cp\u003eEO - Executive Order\u003c/p\u003e\u003cp\u003eFISMA - Federal Information Security Modernization Act of 2014\u003c/p\u003e\u003cp\u003eHHS - Department of Health and Human Services\u003c/p\u003e\u003cp\u003eIS2P - Information Systems Security and Privacy Policy\u003c/p\u003e\u003cp\u003eISCM - Information Security Continuous Monitoring\u003c/p\u003e\u003cp\u003eM - Memorandum\u003c/p\u003e\u003cp\u003eNARA - National Archives and Records Administration\u003c/p\u003e\u003cp\u003eNIST - National Institute of Standards and Technology\u003c/p\u003e\u003cp\u003eOCIO - Office of the Chief Information Officer\u003c/p\u003e\u003cp\u003eOIS - Office of Information Security\u003c/p\u003e\u003cp\u003eOMB - Office of Management and Budget\u003c/p\u003e\u003cp\u003eOpDiv - Operating Division\u003c/p\u003e\u003cp\u003ePHI - Protected Health Information\u003c/p\u003e\u003cp\u003ePII - Personally Identifiable Information\u003c/p\u003e\u003cp\u003eRoB - Rules of Behavior\u003c/p\u003e\u003cp\u003eSP - Special Publication\u003c/p\u003e\u003cp\u003eUSB - Universal Serial Bus\u003c/p\u003e\u003ch3\u003eEndnotes\u003c/h3\u003e\u003cp\u003e[1] PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. OMB\u0026nbsp;\u003cem\u003eCircular No. A-130, Managing Information as a Strategic Resource\u003c/em\u003e, p. 21. Available at:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf\" target=\"_blank\"\u003eReview-Doc-2016--466-1.docx (whitehouse.gov)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[2] CUI is defined in\u0026nbsp;\u003ca href=\"https://www.gpo.gov/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf\" target=\"_blank\"\u003eExecutive Order (EO) 13556\u003c/a\u003e,\u0026nbsp;\u003cem\u003eControlled Unclassified Information (CUI)\u003c/em\u003e. HHS currently does not have a CUI policy. There are numerous categories and subcategories of CUI listed in the National Archives and Records Administration (NARA)\u0026nbsp;\u003ca href=\"https://www.archives.gov/cui/registry/category-list\" target=\"_blank\"\u003eCUI Registry\u003c/a\u003e. Examples of CUI categories include Privacy, Procurement and Acquisition, Proprietary Business Information, and Information Systems Vulnerability Information.\u003c/p\u003e\u003cp\u003e[3] See\u0026nbsp;\u003cem\u003ePolicy for Data Loss Prevention\u0026nbsp;\u003c/em\u003eavailable at:\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[4] All third-party web applications, social media sites, storage and cloud services must be authorized prior to use. Only authorized personnel can post only authorized content on public-facing websites and social media sites.\u003c/p\u003e\u003cp\u003e[5] See definition of sensitive information in the Glossary section.\u003c/p\u003e\u003cp\u003e[6] See Public Law 115–232, Section 889 Parts A and B (included in FAR 4.21) available at\u0026nbsp;\u003ca href=\"https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf\" target=\"_blank\"\u003ehttps://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf\u003c/a\u003e. Prohibition includes telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, as well as video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities). For additional information and to verify any countries that are being sanctioned by the US, consult:\u0026nbsp;\u003ca href=\"https://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx\" target=\"_blank\"\u003ehttps://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx\u003c/a\u003e. Also, consult the HHS Memorandum,\u0026nbsp;\u003cem\u003eImplementation of the Section 889(a)(1)(B) Prohibition on Contracting with Entities Using Certain Telecommunications and Video Surveillance Services or Equipment\u003c/em\u003e, July 29, 2020, available at\u0026nbsp;\u003ca href=\"https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf\" target=\"_blank\"\u003ehttps://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[7] see CISA CAPACITY ENHANCEMENT GUIDE: Printing While Working Remotely, available at\u0026nbsp;\u003ca href=\"https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf\" target=\"_blank\"\u003ehttps://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[8] For additional information, see\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup\u003c/a\u003e\u0026nbsp;as well as\u0026nbsp; \u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[9] Bluetooth is defined as “A wireless protocol that allows two similarly equipped devices to communicate with each other within a short distance (e.g., 30 ft.).” This includes headphones. and For additional information, see\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf\" target=\"_blank\"\u003ehttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2-upd1.pdf\" target=\"_blank\"\u003eNIST SP 800-121 rev2\u003c/a\u003e, available at\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/sp800\" target=\"_blank\"\u003eSearch | CSRC (nist.gov)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[10] See the HHS memorandum\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/about-hhs/national-security/policy/gfe-foreign-travel-2018\" target=\"_blank\"\u003eUse of Government Furnished Equipment (GFE) During Foreign Travel\u003c/a\u003e\u003c/p\u003e\u003cp\u003e[11] CSIRC and IRT points of contact are available at:\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/about-hhs/org-chart/asa-offices/office-of-the-chief-information-officer-ocio/csirc\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/about-hhs/org-chart/asa-offices/office-of-the-chief-information-officer-ocio/csirc\u003c/a\u003e. Provide all necessary information that will help with the incident investigation.\u003c/p\u003e\u003cp\u003e[12] See the HHS memoranda\u0026nbsp;\u003cem\u003ePolicy for Monitoring Employee Use of HHS IT Resources\u003c/em\u003e\u0026nbsp;and\u0026nbsp;\u003cem\u003eUpdated Department Standard Warning Banner\u003c/em\u003e\u0026nbsp;available at\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda\" target=\"_blank\"\u003eMemoranda | Community for HHS Intranet\u003c/a\u003e\u003c/p\u003e\u003cp\u003e[13] See\u0026nbsp;\u003cem\u003eNIST SP 800-209\u0026nbsp;Security Guidelines for Storage Infrastructure,\u003c/em\u003e\u0026nbsp;available at\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-209/final\" target=\"_blank\"\u003ehttps://csrc.nist.gov/publications/detail/sp/800-209/final\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[14] HHS/OpDiv IT assets are defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of HHS. This definition is adapted from NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments, available at\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final\" target=\"_blank\"\u003ehttps://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[15] Please review the\u0026nbsp;\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eOMB M-17-12\u003c/a\u003e\u0026nbsp;for the specific distinctions between incident response and breach response.\u003c/p\u003e\u003cp\u003e[16] Personally identifiable information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Office of Management and Budget (OMB). (2016, July 27).\u0026nbsp;\u003cem\u003eCircular No. A-130, Managing Information as a Strategic Resource\u003c/em\u003e, p. 21. Available at:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf\" target=\"_blank\"\u003eReview-Doc-2016--466-1.docx (whitehouse.gov)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[17] To contact your OpDiv SOP, visit\u0026nbsp;\u003ca href=\"https://www.hhs.gov/web/policies-and-standards/hhs-web-policies/privacy/index.html#HHS-Privacy-Officials\" target=\"_blank\"\u003ehttps://www.hhs.gov/web/policies-and-standards/hhs-web-policies/privacy/index.html#HHS-Privacy-Officials\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[18] Examples of significant changes include, but are not limited to, changes to the way PII are managed in the system, new uses or sharing, and the merging of data sets.\u003c/p\u003e\u003cp\u003e[19] see CISA CAPACITY ENHANCEMENT GUIDE: Printing While Working Remotely, available at\u0026nbsp;\u003ca href=\"https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf\" target=\"_blank\"\u003ehttps://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[20] For additional information, see\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup\u003c/a\u003e\u0026nbsp;as well as\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[21] All third-party web applications, social media sites, storage and cloud services must be authorized prior to use. Only authorized personnel can post only authorized content on public-facing websites and social media sites.\u003c/p\u003e\u003cp\u003e[22] Per NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, privileged roles include, for example, key management, network and system administration, database administration, and Web administration.\u003c/p\u003e\u003cp\u003e[23] OMB-16-04 available at\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-04.pdf\" target=\"_blank\"\u003eReview-Doc-2015-ITOR-315-1.docx (whitehouse.gov)\u003c/a\u003e\u003cem\u003e,\u0026nbsp;\u003c/em\u003eOctober 30, 2015.\u003c/p\u003e\u003cp\u003e[24] Per NIST White Paper,\u0026nbsp;\u003cem\u003eBest Practices for Privileged User PIV Authentication,\u003c/em\u003e\u0026nbsp;April 21, 2016, available at\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/white-paper/2016/04/21/best-practices-for-privileged-user-piv-authentication/final\" target=\"_blank\"\u003ehttps://csrc.nist.gov/publications/detail/white-paper/2016/04/21/best-practices-for-privileged-user-piv-authentication/final\u003c/a\u003e.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"19:T1af13,"])</script><script>self.__next_f.push([1,"\u003ch2 id=\"m_4884422691552917800nature\"\u003e1. Nature of Changes\u003c/h2\u003e\u003cp\u003eVersion 1.0: released July 2013. First issuance of policy.\u003c/p\u003e\u003cp\u003eVersion 2.0: released December 2016. Added new statements to:\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eProhibit the use of personally owned devices and unapproved non-GFE to conduct HHS business.\u003c/li\u003e\u003cli\u003eRestrict personal social media use during official work duty.\u003c/li\u003e\u003cli\u003eRestrict the connection to public, unsecure Wi-Fi from GFE.\u003c/li\u003e\u003cli\u003eProhibit the use of HHS e-mail address to create personal commercial accounts.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eVersion 2.1: Released August 2017. As recommended by OpDivs in the first-round review, Policy for Personal Use of IT Resources was combined with the Rules of Behavior since the documents overlap.\u003c/p\u003e\u003cp\u003eVersion 2.1: Released February 2018. Update to policy for use of personal email per Departmental recommendation.\u003c/p\u003e\u003cp\u003eVersion 2.1: Released March 2018. Removed the policy requirement restricting the use of personal email from HHS/OpDiv networks per OCIO request.\u003c/p\u003e\u003cp\u003eVersion 2.1: Released April 2018. Replaced Controlled Unclassified Information (CUI) with sensitive information per OGC and PIM recommendations.\u003c/p\u003e\u003cp\u003eVersion 2.1: Released June 2018. Policy obtained NTEU clearance.\u003c/p\u003e\u003cp\u003eVersion 2.2: Released May 2019. Changed Webmail access policy to only block access from public internet and encourage OpDivs to reduce its usage. Added requirement to restrict the use of personal email, storage services and devices that conduct HHS/OpDiv business and store HHS/OpDiv data.\u003c/p\u003e\u003cp\u003eVersion 2.3: Released June 2019. Updated password requirement.\u003c/p\u003e\u003cp\u003eVersion 3.0: Released February 2023. Updated to prohibit unauthenticated Bluetooth tethering without OpDiv approval, acceptable use of social media, provide general updates throughout document, and to ensure adherence to Executive Order 14028 as well as Office Management and Budget (OMB) Memorandum (M) M-22-09.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800purpose\"\u003e2. Purpose\u003c/h2\u003e\u003cp\u003eThe\u0026nbsp;\u003cem\u003eHHS Policy for Rules of Behavior for Use of Information and IT Resources (\u003c/em\u003ehereafter known as\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e) defines the acceptable use of the Department of Health and Human Services (Department or HHS)/Operating Division (OpDiv) information and Information Technology (IT) resources and establishes the baseline requirements for developing Rules of Behavior (RoB) that all users, including privileged users, are required to sign prior to accessing HHS/OpDiv information systems and resources.\u003c/p\u003e\u003cp\u003eThis document includes baseline requirements for three RoB categories: General Users, Privileged Users, and System Specific Users. These RoB categories provide baseline requirements and guidelines for implementation of each RoB category. This\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;also defines acceptable personal use of HHS/OpDiv information resources and restricts use of personal devices to conduct HHS/OpDiv business.\u003c/p\u003e\u003cp\u003eAn OpDiv may customize this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;and RoBs to include OpDiv specific information, create its own policy, or supplement the specified RoB provided that the OpDiv policy and RoBs are compliant with and at least as restrictive as the baseline policy and RoBs stated herein.\u003c/p\u003e\u003cp\u003eThis\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;uses the term ‘sensitive information’ to refer to Personally Identifiable Information (PII)\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn1\" target=\"_blank\"\u003e1\u003c/a\u003e\u0026nbsp;(although other HHS policies may distinguish between PII and sensitive PII), Protected Health Information (PHI), financial records, business proprietary data, and any information marked Sensitive but Unclassified (SBU), Controlled Unclassified Information (CUI), etc.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn2\" target=\"_blank\"\u003e2\u003c/a\u003e\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800background\"\u003e3. Background\u003c/h2\u003e\u003cp\u003eThe executive branch of the federal government leverages hundreds of thousands of employees located in offices across the nation to serve the American people. Increasingly, the government is called upon to deliver additional services to a growing population that expects ever-increasing improvements in service delivery. The relationship between the executive branch and the employees who administer the functions of the government is based on trust. Consequently, employees are expected to follow rules and regulations and to be responsible for their own personal and professional conduct. The Standards of Ethical Conduct for Employees of the Executive Branch published by the U.S. Office of Government Ethics states that, “Employees must put forth honest effort in the performance of their duties” [5 C.F.R. § 2635.101(b)(5)].\u003c/p\u003e\u003cp\u003eThe RoBs stated in this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;include rules that govern the appropriate use and protection of all HHS/OpDiv information resources and help to ensure the security of IT equipment, systems, and data confidentiality, integrity, and availability.\u0026nbsp;\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800scope\"\u003e4. Scope\u003c/h2\u003e\u003cp\u003eThis\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;applies to all OpDivs and other parties that conduct business for or on behalf of HHS (i.e., contractors, third-party service/storage providers, cloud service providers). This\u0026nbsp;\u003cem\u003ePolicy\u0026nbsp;\u003c/em\u003eapplies to all users of HHS/OpDiv information and IT resources whether working at their primary duty station, teleworking, working at a satellite site or any other alternative workplaces, and/or while traveling.\u003c/p\u003e\u003cp\u003eAn OpDiv must implement this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;and these baseline requirements or alternatively, may create its own policy that is more restrictive but not less restrictive than this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e. This\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;does not supersede any other applicable law or higher-level agency directive or policy guidance.\u0026nbsp;\u003c/p\u003e\u003cp\u003eThis\u0026nbsp;\u003cem\u003ePolicy\u0026nbsp;\u003c/em\u003edoes not supersede any applicable law, higher-level agency directive, or existing labor management agreement as of the effective date of this\u003cem\u003e\u0026nbsp;Policy\u003c/em\u003e.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800authorities\"\u003e5. Authorities\u003c/h2\u003e\u003cp\u003eThe following are the primary authoritative documents driving the requirements in this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eFederal Information Security Modernization Act of 2014 (FISMA), Pub. L. No. 113-283, 128 Stat. 3073, codified at 44 U.S.C. Chapter 35, Subchapter II.\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/em\u003e, November 2021.\u003c/li\u003e\u003cli\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-18,\u0026nbsp;\u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e, February 2006.\u003c/li\u003e\u003cli\u003eNIST SP 800-37 Rev. 2,\u0026nbsp;\u003cem\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u003c/em\u003e, December 2018.\u003c/li\u003e\u003cli\u003eNIST SP 800-53 Rev. 5,\u0026nbsp;\u003cem\u003eSecurity and Privacy Controls for Information Systems and Organizations\u003c/em\u003e, December 2020.\u003c/li\u003e\u003cli\u003eOffice of Management and Budget (OMB), Circular A-130,\u0026nbsp;\u003cem\u003eManaging Information as a Strategic Resource\u003c/em\u003e, July 2016.\u003c/li\u003e\u003cli\u003ePublic Law 115-232 § 889, Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment, August 13, 2018.\u003c/li\u003e\u003cli\u003e5 U.S.C. § 552a (the Privacy Act of 1974, as amended).\u003c/li\u003e\u003c/ol\u003e\u003ch2 id=\"m_4884422691552917800policy\"\u003e6. Policy\u003c/h2\u003e\u003cp\u003eThe following are the baseline requirements for implementing HHS or OpDiv RoBthat govern the appropriate use of HHS/OpDiv information systems and resources for all employees, contractors, and other personnel who have access to HHS/OpDiv information and information systems.\u003c/p\u003e\u003ch3 id=\"m_48844226915529178006.1\"\u003e6.1. Acceptable Use of HHS Information and IT Resources – OpDiv Requirements\u003c/h3\u003e\u003col type=\"A\"\u003e\u003cli\u003eOpDivs must ensure all users read and acknowledge the RoB as general users upon onboarding and annually thereafter. Additionally, users with significant security responsibilities must read and acknowledge the RoB as privileged users upon onboarding and annually thereafter (see baseline RoB for both general and privileged users in Appendix D.) OpDiv System Owners must define RoB for System Specific users as necessary. Acknowledgement is understood to mean that each RoB must contain a signature page on which the user acknowledges having read, understood, and agreed to abide by the RoB (general user, or privileged user). Electronic signatures are acceptable.\u003c/li\u003e\u003cli\u003eOpDivs must ensure that general users read and sign RoB before they are given access to HHS/OpDiv information and/or systems.\u0026nbsp; Digital signature is encouraged for general users whose digital signature can be authenticated by a Personal Identity Verification (PIV) card or other similar card (such as Personal Identity Verification Interoperability (PIV-I) card, Derived Alternate Credential (DAC), or Common Access Card (CAC)); however, general users may physically sign.\u003c/li\u003e\u003cli\u003eOpDivs must inform general users of their responsibilities and the accountability of their actions while accessing HHS/OpDiv systems and using HHS/OpDiv information resources. (The RoB must state the consequences of behavior not consistent with the rules).\u003c/li\u003e\u003cli\u003eOpDivs must include the items covered in sections 6.2, 6.3, and 6.4 including teleworking, remote access, connection to the internet, use of copyrighted works, use of GFE, social media, and individual accountability. Sample RoBs are included in Appendix D.\u003c/li\u003e\u003cli\u003eOpDivs must ensure government furnished equipment distributed to for the purpose of conducting official government business including but not limited to: Personal Identity Verification (PIV) cards, mobile devices and cellular telephones, is surrendered, collected or reclaimed on or before the last day of employment or contract termination.\u003c/li\u003e\u003cli\u003eOpDivs must take steps to reduce the use of Webmail and allow access only when necessary. OpDivs will make the determination as to what is defined as necessary for their OpDiv.\u003c/li\u003e\u003cli\u003eOpDivs must implement technical controls to:\u003col type=\"i\"\u003e\u003cli\u003eProhibit auto-forwarding of email\u003c/li\u003e\u003cli\u003eBlock the use of HHS/OpDiv Webmail access from untrusted or unauthenticated public internet or implement compensating controls\u003c/li\u003e\u003cli\u003eDetect and block spam emails, and employ a capability within the official email application (such as a phishing email button) to expedite the reporting of suspected phishing emails to the OpDiv designated email incident response team\u003c/li\u003e\u003cli\u003eAppropriately secure mobile devices used for conducting HHS/OpDiv business\u003c/li\u003e\u003cli\u003eEnsure that rules regarding passwords are consistent with technical password features\u003c/li\u003e\u003cli\u003eMonitor user activities, system accounts and privileged user accounts\u003c/li\u003e\u003cli\u003eDisable unnecessary/unauthorized permissions, services, and system/user accounts.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eOpDivs must develop and implement system specific RoB when appropriate (see additional guidance in Appendix C). OpDivs must include in system specific RoB provisions that:\u003col type=\"i\"\u003e\u003cli\u003eDelineate responsibilities and expected behavior of all users with access to the system and state the consequences of behavior not consistent with the rules\u003c/li\u003e\u003cli\u003eInclude limitations on altering data, searching databases, and divulging information\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn3\" target=\"_blank\"\u003e3\u003c/a\u003e\u003c/li\u003e\u003cli\u003eState appropriate limits on interconnections to other systems.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178006.2\"\u003e6.2. Acceptable Use of HHS Information and IT Resources – General User Requirements\u003c/h3\u003e\u003col type=\"A\"\u003e\u003cli\u003eHHS/OpDiv permits personnel to have limited personal use of HHS/OpDiv information and IT resources, including HHS/OpDiv email, systems, instant messaging (IM) tools, and government-furnished equipment (GFE) (e.g., laptops, mobile devices, etc.) only when the personal use:\u003col type=\"i\"\u003e\u003cli\u003eInvolves no more than minimal additional expense to the government\u003c/li\u003e\u003cli\u003eIs minimally disruptive to personnel productivity\u003c/li\u003e\u003cli\u003eDoes not interfere with the mission or operations of HHS\u003c/li\u003e\u003cli\u003eDoes not violate HHS/OpDiv security and privacy policies.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eHHS/OpDiv expects personnel to conduct themselves professionally in the workplace and to refrain from using GFE, email, third-party websites, and applications (TPWAs) (e.g., HHS/OpDiv social media sites and cloud services, etc.) and other HHS/OpDiv information resources for activities that are not related to any legitimate/officially sanctioned HHS/OpDiv business purpose, except for the limited personal use stated above.\u0026nbsp; Personnel must not misuse HHS/OpDiv information and IT resources or conduct unapproved activities using HHS/OpDiv information and IT resources including, but not limited to:\u003col type=\"i\"\u003e\u003cli\u003eEngaging in activities that could cause congestion, delay, or disruption of service to any HHS/OpDiv information resource (e.g., sending chain letters via email, playing streaming videos, games, music, etc.)\u003c/li\u003e\u003cli\u003eAccessing, downloading and/or uploading illegal, illicit, or criminal content from/to the internet (e.g., pornographic or sexually explicit materials, information about illegal weapons, terrorism activities, or other illegal activities)\u003c/li\u003e\u003cli\u003eAccessing, downloading, or clicking on any untrusted hyperlinks or executable files without verifying source.\u003c/li\u003e\u003cli\u003e\u0026nbsp;Conducting or supporting commercial “for-profit” activities, managing outside employment or business activity, or running a personal business\u003c/li\u003e\u003cli\u003eEngaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity\u003c/li\u003e\u003cli\u003eUsing HHS/OpDiv information resources for activities that are inappropriate or offensive to fellow personnel or the public (e.g., hate speech or material that ridicules others on the basis of race, creed, religion, color, age, gender, disability, national origin, or sexual orientation)\u003c/li\u003e\u003cli\u003eCreating a website or uploading content to a TPWA, or social media website \u0026nbsp;on behalf of HHS/OpDiv without proper official authorization.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn4\" target=\"_blank\"\u003e4\u003c/a\u003e\u0026nbsp;\u0026nbsp;Proper official authorization' includes, for example, written approval from the HHS/OpDiv or OpDiv CISO or a designee\u003c/li\u003e\u003cli\u003eConnecting personal devices to HHS/OpDiv systems without proper official authorization\u003c/li\u003e\u003cli\u003eUsing personal devices, non-HHS/OpDiv email, and unauthorized third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, or process HHS/OpDiv information, or to conduct HHS/OpDiv business without proper official authorization.\u003c/li\u003e\u003cli\u003eAutomatically (auto) forwarding HHS/OpDiv email to both internal and external email sources or forwarding email/files that contain sensitive information to unauthorized systems and devices that are used for non-HHS/OpDiv and non-OpDiv business purposes\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn5\" target=\"_blank\"\u003e5\u003c/a\u003e\u003c/li\u003e\u003cli\u003eAccessing and using HHS/OpDiv Webmail without proper official authorization\u003c/li\u003e\u003cli\u003eUsing an HHS/OpDiv email address and other information resources to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or website, and signing up for personal memberships that are not work related.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eHHS/OpDiv warns users of HHS/OpDiv information resources, systems and GFE that they should have no expectation of privacy while using them and that their usage may be monitored, recorded, and audited at any time; and that HHS/OpDiv information resources, systems and GFE must be used with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA), Privacy Act (5 U.S.C. § 552a) or other applicable legal authority.\u003c/li\u003e\u003cli\u003eHHS/OpDiv formally notifies users through the RoB that their electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or Department/OpDiv personnel at any time when related to the performance of duties.\u0026nbsp; For example, after obtaining management approval, HHS/OpDiv authorized technical staff may employ monitoring tools in order to maximize the utilization of HHS/OpDiv resources.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178006.3\"\u003e6.3. Telework/Remote Work and GFE\u003c/h3\u003e\u003col type=\"A\"\u003e\u003cli\u003eHHS/OpDivs permit personnel to telework only when approved by management. Security of HHS/OpDiv information systems, equipment, and information, including PII, CUI and sensitive information, is just as important at a telework worksite as it is in an HHS/OpDiv building. HHS/OpDiv requires personnel to conduct themselves with the same professionalism remotely as is required in the formal workplace. HHS/OpDivs require personnel to safeguard any GFE provided by following these guidelines:\u003col type=\"i\"\u003e\u003cli\u003eUsers can connect additional devices to GFE as necessary to conduct official government business with OpDiv approval if the devices are not on the prohibited vendor list.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn6\" target=\"_blank\"\u003e6\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUsers can connect GFE to printers with OpDiv approval.\u003cul type=\"square\"\u003e\u003cli\u003ePrinters must be connected to GFE via USB or other physical port. Wireless connections between GFE and printers require OpDiv approval.\u003c/li\u003e\u003cli\u003eUsers must contact OpDiv Help Desks to have printer drivers installed on GFE prior to connecting the printer\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn7\" target=\"_blank\"\u003e7\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003cli\u003eUsers are prohibited from installing any software on GFE\u003c/li\u003e\u003cli\u003eUsers are permitted to use their home Wi-Fi network to provide the connectivity for telework. Home networks must be set up in accordance with guidance from HHS/OpDiv or OpDivs\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn8\" target=\"_blank\"\u003e8\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUsers must keep Bluetooth turned off while not in use.\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn9\" target=\"_blank\"\u003e9\u003c/a\u003e\u003c/li\u003e\u003cli\u003eUsers are responsible for the protection of all sensitive data\u003c/li\u003e\u003cli\u003eUsers must not take GFE outside of the US or its territories for regular teleworking. For official visit to foreign countries, adhere to the Department GFE Travel Restriction requirements.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn10\" target=\"_blank\"\u003e10\u003c/a\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178006.4\"\u003e6.4. Non-Compliance\u003c/h3\u003e\u003cp\u003eThis\u003cem\u003e\u0026nbsp;Policy\u003c/em\u003e\u0026nbsp;cannot account for every possible situation. Therefore, where this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;does not provide explicit guidance, personnel must use their best judgment to apply the principles set forth in the standards for ethical conduct to guide their actions and to seek guidance when appropriate from the OpDiv Chief Information Officer (OpDiv CIO) or his/her designee.\u003c/p\u003e\u003cp\u003eNon-compliance with the requirements in this\u0026nbsp;\u003cem\u003ePolic\u003c/em\u003ey and the RoB may be cause for disciplinary and other actions for anyone who has logical access to data, digital resources, and computer networks, or physical access to the HHS/OpDiv enterprise network, data, and resources. Depending on the severity of the violation, consequences may include, but are not limited to, one or more of the following actions:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eMandatory training\u003c/li\u003e\u003cli\u003eReprimand\u003c/li\u003e\u003cli\u003eSuspension of access privileges\u003c/li\u003e\u003cli\u003eRevocation of access to federal information, information systems, IT resources and/or facilities\u003c/li\u003e\u003cli\u003eDeactivation of the accounts\u003c/li\u003e\u003cli\u003eSuspension without pay\u003c/li\u003e\u003cli\u003eMonetary fines\u003c/li\u003e\u003cli\u003eRemoval or disbarment from work on federal contracts or projects\u003c/li\u003e\u003cli\u003eTermination of employment and/or\u003c/li\u003e\u003cli\u003eCriminal charges that may result in imprisonment\u003c/li\u003e\u003cli\u003ePotential removal of security clearances\u003c/li\u003e\u003c/ol\u003e\u003ch2 id=\"m_4884422691552917800roles\"\u003e7. Roles and Responsibilities\u003c/h2\u003e\u003ch3 id=\"m_48844226915529178007.1\"\u003e7.1. HHS Chief Information Officer (CIO)\u003c/h3\u003e\u003cp\u003eThe HHS CIO or representative must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eEnsure this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;is disseminated and implemented Department-wide.\u003c/li\u003e\u003cli\u003eEnsure RoBsare developed, maintained, and implemented for all general users, privileged users, and information systems (when deemed applicable).\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.2\"\u003e7.2. OpDiv CIO\u003c/h3\u003e\u003cp\u003eThe OpDiv CIO or representative must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eEnsure acceptable use of OpDiv information resources requirements is implemented throughout the OpDiv.\u003c/li\u003e\u003cli\u003eEnsure RoBs are developed, approved, maintained, and implemented for all general users, privileged users, and system-specific users (as applicable) OpDiv-wide.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.3\"\u003e7.3. HHS Chief Information Security Officer (CISO)\u003c/h3\u003e\u003cp\u003eThe HHS CISO must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eEnsure implementation of this\u0026nbsp;\u003cem\u003ePolicy.\u003c/em\u003e\u003c/li\u003e\u003cli\u003eEnsure all users read, acknowledge, and adhere to RoB for all three RoB categories (general users, privileged users, and system specific users) as applicable.\u003c/li\u003e\u003cli\u003eApprove or assign a designee to approve exceptions to RoBs, when required.\u003c/li\u003e\u003cli\u003eEnsure records are maintained for signed RoB forms.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.4\"\u003e7.4. OpDiv CISO\u003c/h3\u003e\u003cp\u003eThe OpDiv CISO must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eImplement this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;or develop an OpDiv specific RoB.\u003c/li\u003e\u003cli\u003eDevelop and implement OpDiv RoBs for general users, privileged users and system specific users, as applicable.\u003c/li\u003e\u003cli\u003eEnsure all users read, acknowledge, and adhere to RoB for all three RoB categories (general users, privileged users, and system specific users) as applicable.\u003c/li\u003e\u003cli\u003eApprove or assign a designee to approve exceptions to RoBs, when required.\u003c/li\u003e\u003cli\u003eEnsure records are maintained for signed RoB forms.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.5\"\u003e7.5. Managers and Supervisors\u003c/h3\u003e\u003cp\u003eThe OpDiv managers and supervisors must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eInform users of their rights and responsibilities, including the information in this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;to individual users.\u003c/li\u003e\u003cli\u003eAddress inappropriate use by personnel who report to them and disseminate information to relevant stakeholders for the purpose of incident handling and investigations.\u003c/li\u003e\u003cli\u003eReceive and review reports of inappropriate use of IT resource from management officials and allow access to these reports to designated authorities, as applicable, in accordance with HHS/OpDiv stsandard operating procedures.\u003c/li\u003e\u003cli\u003eNotify, when appropriate, senior Department officials of inappropriate use and/or abuse of HHS/OpDiv IT resources.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.6\"\u003e7.6. System Owner (SO)\u003c/h3\u003e\u003cp\u003eThe OpDiv SOs must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eDelineate responsibilities and expected behavior of all users with access to the system and state the consequences of behavior not consistent with the rules.\u003c/li\u003e\u003cli\u003eDevelop and appropriately disseminate system specific RoB when deemed applicable.\u003c/li\u003e\u003cli\u003eEnsure all users with access to the information system(s) under their purview read, acknowledge, and adhere to the general user RoB and system specific RoB (if deemed applicable) prior to obtaining access and at least annually thereafter.\u003c/li\u003e\u003cli\u003eAutomate, to the extent possible, the security and privacy controls that are required to be implemented to protect systems and information.\u003c/li\u003e\u003cli\u003eEnsure all users with privileged access rights to the information system(s) under their purview read, acknowledge, and adhere to the privileged user RoB.\u003c/li\u003e\u003cli\u003eReview system specific RoB periodically and at least every three years.\u003c/li\u003e\u003cli\u003eMaintain records of all the signed system specific RoB.\u003c/li\u003e\u003cli\u003eIn accordance with the Privacy Act, maintain an accounting of disclosures made by HHS/OpDiv of records about individuals retrieved by personal identifier, excluding only disclosures required by FOIA and disclosures to HHS officers and employees with need to know.\u003c/li\u003e\u003cli\u003ePromptly schedule records with the\u0026nbsp;\u003ca href=\"https://www.archives.gov/\" target=\"_blank\"\u003eNational Archives and Records Administration (NARA)\u003c/a\u003e, and promptly destroy records when eligible for destruction and no longer needed for HHS/OpDiv business.\u003c/li\u003e\u003c/ol\u003e\u003ch3 id=\"m_48844226915529178007.7\"\u003e7.7. Information and System User\u003c/h3\u003e\u003cp\u003eAll users of HHS/OpDiv information, GFE and systems must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eRead, understand, and acknowledge RoB initially upon onboarding or start of work and annually thereafter.\u003c/li\u003e\u003cli\u003eAlways secure HHS/OpDiv information resources and assets they have access to or always entrusted with (e.g., while at their duty station, when traveling, teleworking, etc.).\u003c/li\u003e\u003cli\u003eReport any loss, compromise, and unauthorized use of HHS/OpDiv information and systems immediately upon discovery/detection in accordance with HHS/OpDiv policies.\u003c/li\u003e\u003cli\u003eSeek guidance from their supervisor and other officials if unclear about HHS/OpDiv security and privacy policies.\u003c/li\u003e\u003c/ol\u003e\u003ch2 id=\"m_4884422691552917800information\"\u003e8. Information and Assistance\u003c/h2\u003e\u003cp\u003eHHS Office of the Chief Information Officer is responsible for the development and management of this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e.\u0026nbsp; Questions, comments, suggestions, and requests for information about this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;should be directed to\u0026nbsp;\u003ca href=\"mailto:HHSCybersecurityPolicy@hhs.gov\" target=\"_blank\"\u003eHHSCybersecurityPolicy@hhs.gov\u003c/a\u003e.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800effective-date\"\u003e9. Effective Date and Implementation\u003c/h2\u003e\u003cp\u003eThe effective date of this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e\u0026nbsp;is the date on which the policy is approved. This\u0026nbsp;\u003cem\u003ePolicy\u0026nbsp;\u003c/em\u003emust be reviewed, at a minimum, every three (3) years from the approval date.\u003c/p\u003e\u003cp\u003eThe HHS CIO has the authority to grant a one (1) year extension of the\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e.\u003c/p\u003e\u003cp\u003eTo archive this\u0026nbsp;\u003cem\u003ePolicy\u003c/em\u003e, written approval must be granted by the HHS CIO.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800approval\"\u003e10. Approval\u003c/h2\u003e\u003cp\u003e/S/\u003cbr\u003eKarl S. Mathias, Ph.D., HHS CIO\u003c/p\u003e\u003cp\u003eFebruary 9, 2023\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800appendix-a\"\u003eAppendix A: Procedures\u003c/h2\u003e\u003cp\u003e\u003cem\u003ePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003eOpDivs may develop their specific procedures document(s) to implement this\u0026nbsp;\u003cem\u003ePolicy.\u003c/em\u003e\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800appendix-b\"\u003eAppendix B: Standards\u003c/h2\u003e\u003cp\u003e\u003cem\u003ePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eStandard Rules of Behavior\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eHHS/OpDivs are responsible for implementing adequate security controls to ensure a high level of protection for all HHS/OpDiv information and IT resources commensurate with the level of risk. In addition, HHS/OpDivs must ensure that all employees, contractors, and other personnel using HHS/OpDiv information resources have the required knowledge and skills to appropriately use and protect HHS/OpDiv information and IT resources. All OpDivs may use the RoB included in Appendix D or may develop their own RoB provided compliance, at a minimum, meets the requirements of the HHS/OpDiv RoB.\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eRoB\u003cem\u003es\u0026nbsp;\u003c/em\u003eare provided for the following three categories:\u003col type=\"i\"\u003e\u003cli\u003eAppendix C includes supplemental RoB for specific systems\u003c/li\u003e\u003cli\u003eAppendix D contains the RoB for\u003cul type=\"square\"\u003e\u003cli\u003eGeneral Users and\u003c/li\u003e\u003cli\u003ePrivileged Users\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eAll HHS/OpDiv personnel (employees, contractors, interns, etc.) and any other individuals (for example, representatives of grantees, business partners, other agencies, or research institutions; FOIA requesters; members of the general public; etc.) who are granted access to HHS/OpDiv information and IT resources must read, acknowledge, and adhere to the HHS/OpDiv General User RoB prior to accessing and using HHS/OpDiv information resources and IT systems. The acknowledgment of the RoB, which affirms that all users have read and understand the HHS/OpDiv RoB, may be obtained by hardcopy written signature, electronic acknowledgement, or electronic signature. This acknowledgement must be completed at HHS/OpDiv onboarding or prior to the start of work on an HHS/OpDiv contract, grant, or other agreement, and at least annually thereafter, and/or in combination with the HHS/OpDiv information cybersecurity awareness training.\u003c/li\u003e\u003cli\u003eAll privileged users (e.g., network/system administrators, developers, etc.) must read, acknowledge, and adhere to the HHS/OpDiv Privileged User RoB prior to obtaining a privileged user account and at least annually thereafter. The acknowledgment of the RoB, which affirms that privileged users have read and understand the HHS/OpDiv RoB for privileged users, may be obtained by either hardcopy written signature or by electronic acknowledgement or signature.\u003c/li\u003e\u003cli\u003ePer the HHS/OpDiv IS2P, OpDivs must develop and implement system specific RoB, when deemed advisable, to address system specific requirements to protect the system and information.\u003c/li\u003e\u003cli\u003eAll RoB (General, Privileged, and System Specific) must be reviewed and if necessary, updated at least every three years.\u003c/li\u003e\u003cli\u003eAny exceptions to this RoB policy and specified RoB must be approved by the HHS/OpDiv, OpDiv CISO, or OpDiv CISO designee.\u003c/li\u003e\u003c/ol\u003e\u003ch2 id=\"m_4884422691552917800appendix-c\"\u003eAppendix C: Guidance\u003c/h2\u003e\u003cp\u003e\u003cem\u003ePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library\u003c/em\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSupplemental Rules of Behavior for HHS/OpDiv Systems\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eOpDivs are responsible for developing system specific RoB and for ensuring that users read, acknowledge, and adhere to them. A supplemental RoB must be created and developed for systems that require users to comply with rules beyond those contained in the RoB on Appendix D and Appendix E deemed applicable. In such cases, users must comply with ongoing requirements of each individual system to access and retain access (e.g., reading and acknowledging the RoB prior to access and re-acknowledging it each year) to the information system(s). OpDiv System Owners must document any additional system specific RoB and any recurring requirement to acknowledge the respective RoB in their system security plans.\u003c/p\u003e\u003cp\u003eOffice of Management and Budget (OMB) Circular A-130\u0026nbsp;\u003cem\u003eManaging Information as a Strategic Resource\u003c/em\u003e, National Institute of Standards and Technology (NIST) Special Publication (SP) 800-18, Guide\u003cem\u003e\u0026nbsp;for Developing Security Plans for Federal Information Systems\u003c/em\u003e, and NIST SP 800-53, Revision 5,\u0026nbsp;\u003cem\u003eSecurity and Privacy Controls for Information Systems and Organizations\u003c/em\u003e\u0026nbsp;provide requirements for system specific rules of behavior. At a minimum, the system specific RoB must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eBe in writing.\u003c/li\u003e\u003cli\u003eDelineate responsibilities for any expected user of the system and behavior of all users and must state the consequences of behavior which violates the rules.\u003c/li\u003e\u003cli\u003eState appropriate limits on interconnections to other systems and must define service provision and restoration priorities.\u003c/li\u003e\u003cli\u003eCover such matters including, but not limited to, teleworking, dial-in access, connection to the internet, use of copyrighted works, unofficial use of Government equipment, assignment and limitation of system privileges, and individual accountability.\u003c/li\u003e\u003cli\u003eReflect technical security controls (e.g., rules regarding passwords must be consistent with technical password features).\u003c/li\u003e\u003cli\u003eInclude limitations on changing data, searching databases, or divulging information.\u003c/li\u003e\u003cli\u003eState that controls are in place to ensure individual accountability and separation of duties and to limit the processing privileges of individuals.\u003c/li\u003e\u003cli\u003eState any other specific rules, limitation or restriction that may apply to the use of the system.\u003c/li\u003e\u003cli\u003eInclude consequences for failing to comply with the breach reporting requirements as described in OMB M-17-12 and HHS/OpDiv policy.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eFinally, National Security Systems (NSS), as defined by the Federal Information Security Modernization Act of 2014 (FISMA), must independently or collectively implement their own system specific rules.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSupplemental Rules of Behavior for Accessing Malicious Websites\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eUsers, employees, and contractors who have accessed malicious websites either knowingly or unknowingly will be considered as a security incident and will be required to undergo additional security training as directed by the office of the Chief Information Security Officer (CISO). Those users must take the Security Training or a refresher course on the following:\u003c/p\u003e\u003cp\u003ePhishing is the attempt to obtain sensitive information such as usernames, passwords, and credit card details by designing as a trustworthy entity in an electronic communication. The following must be avoided:\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eclicking on links and suspicious attachments provided in email\u003c/li\u003e\u003cli\u003esubmitting banking and password information via email\u003c/li\u003e\u003cli\u003eany email asking for personal information\u003c/li\u003e\u003c/ul\u003e\u003cp\u003eA ‘Hoax’ is often intended to cause embarrassment, or to provide social or political change by raising people’s awareness of something. Hoaxes should be addressed in the training because a lot of time and resources can be spent reading and forwarding hoax emails. Some hoaxes warn of a virus and tell users to delete valid and sometimes important system files.\u003c/p\u003e\u003cp\u003eMalware is the shortened version of the words ‘Malicious Software’. It refers to software programs designed to damage or do other unwanted actions on a computer system. Malware is broken into these categories:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eViruses\u003c/strong\u003e: A malicious software program that, when executed, replicates itself by modifying other computers programs and inserting its own code.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWorms\u003c/strong\u003e: A computer worm is a stand-alone malicious program that can self-replicate itself to uninfected computers.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTrojans\u003c/strong\u003e: A ‘Trojan’ or ‘Trojan Horse’ is any malicious computer program which misleads users of its true intent.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSpyware\u003c/strong\u003e: Spyware is software that aims to gather information about a person or organization without knowledge and reports to the software’s author.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAdware\u003c/strong\u003e: Adware is used to presents unwanted advertisements to the users of the computer.\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800appendix-d\"\u003eAppendix D: Forms and Templates\u003c/h2\u003e\u003cp\u003e\u003cem\u003ePlease note that this appendix is subject to change at any time. The current version of this Policy will always reside in the OCIO Policy Library.\u003c/em\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e1. Rules of Behavior for General Users\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThese\u0026nbsp;\u003cem\u003eRules of Behavior (RoB) for General Users\u003c/em\u003e\u0026nbsp;apply to all HHS personnel (employees, contractors, interns, etc.) and any other individuals who are granted access to HHS/OpDiv information resources and IT systems. Users of HHS/OpDiv information, IT resources and information systems must read, acknowledge, and adhere to the following rules prior to accessing data and using HHS/OpDiv information and IT resources.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e1.1. HHS/OpDiv Information and IT Resources\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen using and accessing HHS/OpDiv information and IT resources, I understand that I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eComply with federal laws, regulations, and HHS/OpDiv policies, standards, and procedures and that I must not violate, direct, or encourage others to violate HHS/OpDiv policies, standards, or procedures.\u003c/li\u003e\u003cli\u003eNot allow unauthorized use and access to HHS/OpDiv information and IT resources.\u003c/li\u003e\u003cli\u003eNot circumvent or bypass security safeguards, policies, systems’ configurations, or access control measures unless authorized in writing.\u003c/li\u003e\u003cli\u003eLimit personal use of information and IT resources so that it:\u003col type=\"a\"\u003e\u003cli\u003eInvolves no more than minimal additional expense to the government\u003c/li\u003e\u003cli\u003eIs minimally disruptive to my personal productivity\u003c/li\u003e\u003cli\u003eDoes not interfere with the mission or operations of HHS\u003c/li\u003e\u003cli\u003eDoes not violate HHS/OpDiv security and privacy policies.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eRefrain from using GFE, email, third-party websites, and applications (TPWAs) (e.g., HHS/OpDiv social media sites and cloud services, etc.) and other HHS/OpDiv information resources for activities that are not related to any legitimate/officially sanctioned HHS/OpDiv business purpose, except for the limited personal use stated above.\u003c/li\u003e\u003cli\u003eComplete all mandatory training (e.g., security and privacy awareness, role-based training, etc.) when initially granted access to HHS/OpDiv systems and periodically thereafter as required by HHS/OpDiv policies.\u003c/li\u003e\u003cli\u003eBe accountable for my actions while accessing and using HHS/OpDiv information, information systems and IT resources.\u003c/li\u003e\u003cli\u003eNot reconfigure systems and modify GFE, install/load unauthorized/unlicensed software or make configuration changes without proper official authorization.\u003c/li\u003e\u003cli\u003eProperly secure all GFE, including laptops, mobile devices, and other equipment that store, process, and handle HHS/OpDiv information, when leaving them unattended either at the office and other work locations, such as home, hoteling space, etc. and while on travel. This includes locking workstations, laptops, storing GFE in a locked drawer, cabinet, or simply out of plain sight, and removing my PIV card from my workstation.\u003c/li\u003e\u003cli\u003eMust return all GFEs and Government issued PIV Card on or before last day of employment or contract termination.\u003c/li\u003e\u003cli\u003eReport all suspected and identified information security incidents and privacy breaches to the Helpdesk, HHS/OpDiv Computer Security Incident Response Center (CSIRC), or OpDiv Computer Security Incident Response Team (CSIRT) as soon as possible, without unreasonable delay and no later than within\u0026nbsp;\u003cem\u003e\u003cstrong\u003eone (1) hour\u003c/strong\u003e\u003c/em\u003e\u0026nbsp;of occurrence/discovery.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn11\" target=\"_blank\"\u003e11\u003c/a\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.2. No Expectation of Privacy\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen using and accessing HHS/OpDiv information and IT resources, I understand that I would have no expectation of Privacy. I acknowledge the following:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eThere would be no expectation of privacy when using HHS/OpDiv information resources, systems and GFE and may be monitored, recorded, and audited at any time.\u003c/li\u003e\u003cli\u003eMy use any HHS/OpDiv information resources, systems and GFE is with the understanding that such use may not be secure, is not private, is not anonymous, and may be subject to disclosure under the Freedom of Information Act (FOIA), 5 U.S.C. § 552 or other applicable legal authority.\u003c/li\u003e\u003cli\u003eMy electronic data communications and online activity may be monitored and disclosed to external law enforcement agencies or Department/OpDiv personnel when related to the performance of their duties at any time.\u0026nbsp; For example, after obtaining management approval, HHS/OpDiv authorized technical staff may employ monitoring tools in order to maximize the utilization of HHS/OpDiv resources.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn12\" target=\"_blank\"\u003e12\u003c/a\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.3. Password Requirement\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen creating and managing my password, I understand that I must comply with the following baseline requirements:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eComply with all HHS/OpDiv password requirements.\u003c/li\u003e\u003cli\u003eCreate passwords with minimum of 15 characters.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn13\" target=\"_blank\"\u003e13\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNot use common or compromised passwords.\u003c/li\u003e\u003cli\u003eProtect my passwords, Personal Identity Verification (PIV) card, Personal Identification Numbers (PIN) and other access credentials from disclosure and compromise.\u003c/li\u003e\u003cli\u003ePromptly change my password if I suspect or receive notification that it has been compromised.\u003c/li\u003e\u003cli\u003eImmediately select a new password upon account recovery.\u003c/li\u003e\u003cli\u003eNot use another person’s account, identity, password/passcode/PIN, or PIV card or allow others to use my GFE and/or other HHS/OpDiv information resources provided to me to perform my official work duties and tasks. This includes not sharing passwords or provide passwords to anyone, including system administrators.\u003c/li\u003e\u003cli\u003eOnly use authorized credentials, including PIV card, to access HHS/OpDiv systems and facilities and will not attempt to bypass access control measures.\u003c/li\u003e\u003cli\u003eSelect the PIV card to conduct HHS/OpDiv business whenever possible when both the PIV and password options are available for authentication.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.4. Internet and Email\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen accessing and using the internet and email, I understand that I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eNot access HHS/OpDiv Webmail from the public internet.\u003c/li\u003e\u003cli\u003eHandle personal devices in the following manner:\u003col type=\"a\"\u003e\u003cli\u003eNot connecting personal devices to HHS/OpDiv systems without proper official authorization\u003c/li\u003e\u003cli\u003eNot conducting official HHS/OpDiv business using non-HHS/OpDiv email or personal online storage/service accounts without written authorization from HHS/OpDiv or OpDiv CISO or designee\u003c/li\u003e\u003cli\u003eNot using personal devices, non-HHS/OpDiv email, and unauthorized third-party systems, storage services, or applications (e.g., Dropbox, Google Docs, mobile applications, etc.) to store, transmit, process HHS/OpDiv information, and conduct HHS/OpDiv business without proper official authorization such as written approval from the HHS/OpDiv or OpDiv CISO or their designee.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eNot automatically (auto) forward HHS/OpDiv email to any internal and external email sources or forwarding email/files that contain HHS/OpDiv information to unauthorized systems and devices that are used for non-HHS/OpDiv and non-OpDiv business purposes.\u003c/li\u003e\u003cli\u003eNot use an HHS/OpDiv email address and other information resources to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or Website, and signing up for personal memberships that are not work related.\u003c/li\u003e\u003cli\u003eNot provide official HHS/OpDiv information to an unsolicited email if prohibited. If an email is received from any source requesting personal or organizational information or asking to verify accounts or security settings, I will report the incident to the Helpdesk and/or the CSIRC/ CSIRT immediately.\u003c/li\u003e\u003cli\u003eOnly disseminate authorized HHS/OpDiv information related to my official job and duties at HHS/OpDiv to internal and external sources.\u003c/li\u003e\u003cli\u003eNot upload or disseminate information which is at odds with departmental missions or positions or without proper authorization, which could create the perception that the communication was made in my official capacity as a federal government employee or contractor.\u003c/li\u003e\u003cli\u003eNot connect GFE or contractor-owned equipment to unsecured Wi-Fi networks (e.g. airports, hotels, restaurants, etc.) and public Wi-Fi to conduct HHS/OpDiv business unless Wi-Fi access is at a minimum, protected with an unshared, unique user password access.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.5. Data Protection\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen handling and accessing HHS/OpDiv information, I understand that I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eTake all necessary precautions to protect HHS/OpDiv information and IT assets, including but not limited to hardware, software, sensitive information, including but not limited to PII, PHI, federal records [media neutral], and other HHS/OpDiv information from unauthorized access, use, modification, destruction, theft, disclosure, loss, damage, or abuse, and in accordance with\u0026nbsp;\u003ca href=\"http://intranet.hhs.gov/it/cybersecurity/policies/index.html\" target=\"_blank\"\u003eHHS/OpDiv policies\u003c/a\u003e.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn14\" target=\"_blank\"\u003e14\u003c/a\u003e\u003c/li\u003e\u003cli\u003eProtect sensitive information (e.g., sensitive information, such as confidential business information, PII, PHI, financial records, proprietary data, etc.) at rest (stored on laptops or other computing devices) regardless of media or format, from disclosure to unauthorized persons or groups. This includes, but is not limited to:\u003col type=\"a\"\u003e\u003cli\u003eNever store sensitive information in public folders, unauthorized devices/services or other unsecure physical or electronic locations\u003c/li\u003e\u003cli\u003eAlways encrypt sensitive information at rest and in transit (transmitted via email, attachment, media, etc.)\u003c/li\u003e\u003cli\u003eAlways disseminate passwords and encryption keys out of band (e.g., via text message, in person, or phone call) or store password and encryption keys separately from encrypted files, devices and data when sending encrypted emails or transporting encrypted media\u003c/li\u003e\u003cli\u003eAccess or use sensitive information only when necessary to perform job functions, and do not access or use sensitive information for anything other than authorized purposes\u003c/li\u003e\u003cli\u003eSecurely dispose of electronic media and papers that contain sensitive data when no longer needed, in accordance with the HHS/OpDiv Policy for Records Management and federal guidelines.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eImmediately report all suspected and known security incidents (e.g., GFE loss or compromise, violation of security policies, etc.), privacy breaches (e.g., loss, compromise, or unauthorized access, or use of PII/PHI), and suspicious activities to the Helpdesk and/or CSIRC/CSIRT at\u0026nbsp;\u003ca href=\"mailto:CSIRC@HHS.gov\" target=\"_blank\"\u003eCSIRC@HHS.gov\u003c/a\u003e\u0026nbsp;or call 1-866-646-7514 pursuant to HHS/OpDiv incident response policies and/or procedures.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn15\" target=\"_blank\"\u003e15\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNot take permanently issued GFE devices with me during official foreign travel. Only carry loaner GFE (including mobile computing, phone, and storage devices) during official foreign travel. If there is a need to take GFE on personal foreign travel, submit a request and get approved by a designated government official within the OpDiv. Upon approval, obtain a loaner GFE and adhere to the HHS policy in the memorandum\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/about-hhs/national-security/policy/gfe-foreign-travel-2018\" target=\"_blank\"\u003eUse of Government Furnished Equipment (GFE) During Foreign Travel\u003c/a\u003e. Additional requirements include:\u003col type=\"a\"\u003e\u003cli\u003eReviewing Office of Security and Strategic Information (OSSI) requirements and the requirements within the\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda\" target=\"_blank\"\u003eMemorandum on the Use of GFE During Foreign Travel\u003c/a\u003e\u0026nbsp;prior to traveling abroad with GFE or to conduct HHS/OpDiv business\u003c/li\u003e\u003cli\u003eNotifying my Personnel Security Representative (PSR) when there is a need to bring GFE on foreign travel (per requirements defined by the OSSI in accordance with the\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda\" target=\"_blank\"\u003eMemorandum on the Use of GFE During Foreign Travel\u003c/a\u003e).\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.6. Privacy\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eI understand that if I am working with PII, I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eProtect PII\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn16\" target=\"_blank\"\u003e16\u003c/a\u003e\u0026nbsp;from inappropriate disclosure, loss, or compromise.\u003c/li\u003e\u003cli\u003eOnly collect, use, maintain, and disclose PII that is directly relevant and necessary to accomplish a legally authorized purpose.\u003c/li\u003e\u003cli\u003eDisclose PII only to those who need to know the information to execute their work and are authorized to receive it.\u003c/li\u003e\u003cli\u003eComply with applicable legal and regulatory privacy safeguards. For example:\u003col type=\"a\"\u003e\u003cli\u003eReport suspected or confirmed breaches of PII in accordance with the\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/hhs-policy-for-preparing-for-and-responding-to-a-pii-breach\" target=\"_blank\"\u003e\u003cem\u003eHHS/OpDiv Policy and Plan for Preparing for and Responding to a Breach of Personally Identifiable Information (PII\u003c/em\u003e)\u003c/a\u003e\u003c/li\u003e\u003cli\u003eSubmit a privacy impact assessment (PIA) for systems or electronic information collections collecting PII.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eBe transparent about information policies and practices with respect to PII, provide clear and accessible notice regarding collection, use, maintenance, and disclosure of PII, and seek consent for the collection, use, and disclosure of PII as appropriate.\u003c/li\u003e\u003cli\u003eEnable individuals to access, correct, or amend their PII as appropriate, and ensure PII is accurate, relevant, timely and complete to guarantee fairness to individuals.\u003c/li\u003e\u003cli\u003eNot access PII unless specifically authorized and required as part of assigned duties.\u003c/li\u003e\u003cli\u003eCollect, use, and disclose PII only for the purposes for which it was collected and consistent with conditions set\u0026nbsp;forth in stated privacy notices such as those provided to individuals at the point of data collection or published in the\u0026nbsp;\u003ca href=\"https://www.hhs.gov/foia/privacy/sorns/index.html\" target=\"_blank\"\u003eHHS' SORN website\u003c/a\u003e\u0026nbsp;\u0026nbsp;(to include\u0026nbsp;\u003ca href=\"https://www.opm.gov/information-management/privacy-policy/privacy-references/sornguide.pdf\" target=\"_blank\"\u003eSystem of Records Notices [SORNs]\u003c/a\u003e).\u003c/li\u003e\u003cli\u003eMaintain no record describing how an individual exercises his or her First Amendment rights, unless it is expressly authorized by statute or by the individual about whom the record is maintained, or is pertinent to and within the scope of an authorized law enforcement activity.\u003c/li\u003e\u003cli\u003eConsult with my OpDiv privacy program or Senior Official for Privacy (SOP)\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn17\" target=\"_blank\"\u003e17\u003c/a\u003e\u0026nbsp;before initiating or making significant changes\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn18\" target=\"_blank\"\u003e18\u003c/a\u003e\u0026nbsp;to a system or collection of PII.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.7. Telework and GFE\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen teleworking, I understand that I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eTelework only when approved by management and conduct myself with the same professionalism remotely as required in the workplace.\u003c/li\u003e\u003cli\u003eSafeguard any GFE provided for telework.\u003c/li\u003e\u003cli\u003eSafeguard HHS/OpDiv information, equipment, including GFE. Protecting HHS/OpDiv information including PII, CUI and any sensitive information is just as important at a telework location as it is in an HHS/OpDiv building.\u003c/li\u003e\u003cli\u003eOnly connect additional devices to GFE as necessary to conduct official government business with OpDiv approval, if the devices are not on the prohibited vendor list.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn19\" target=\"_blank\"\u003e19\u003c/a\u003e\u003col type=\"a\"\u003e\u003cli\u003eOnly connect GFE to printers by opening a ticket with the helpdesk.\u003c/li\u003e\u003cli\u003eContact OpDiv Help Desk to have drivers installed to GFE prior to connecting printer.\u003c/li\u003e\u003cli\u003eConnect printers to GFE via USB or other physical port. Wireless connections between GFE and printers may require OpDiv approval.\u003c/li\u003e\u003c/ol\u003e\u003c/li\u003e\u003cli\u003eNot install any software to GFE whether it is free or free downloadable unless authorized or approved.\u003c/li\u003e\u003cli\u003eUse my home Wi-Fi network to provide the connectivity for telework but my home networks must be set up in accordance with guidance from HHS/OpDiv or OpDiv;\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn20\" target=\"_blank\"\u003e20\u003c/a\u003e\u003c/li\u003e\u003cli\u003eNot connect hardware to GFE via Bluetooth unless necessary for official use must keep Bluetooth turned off and only turn on when needed.\u003c/li\u003e\u003cli\u003eProtect all sensitive information, including CUI and PII.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003e1.8. Strictly Prohibited Activities\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eWhen using federal government systems and equipment, I must refrain from the following activities, which are strictly prohibited:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eAccessing any social media websites (such as YouTube, Twitter, Facebook, etc.) while utilizing GFE, unless required for official HHS/OpDiv business.\u003c/li\u003e\u003cli\u003eAccessing, downloading, or clicking on unknown links, particularly on social media sites such as “Malware Alert notices”.\u003c/li\u003e\u003cli\u003eClicking on links or open attachments sent via email or text message Web links from untrusted sources and verify information from trusted sources before clicking attachments. I must report suspected phishing attempts using the Report Phishing button or forward suspicious emails as an attachment to\u0026nbsp;\u003ca href=\"mailto:Spam@hhs.gov\" target=\"_blank\"\u003eSpam@hhs.gov\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eEngaging in activities that could cause congestion, delay, or disruption of service to any HHS/OpDiv information resource (e.g., sending chain letters via email, playing streaming videos, games, music, etc.).\u003c/li\u003e\u003cli\u003eAccessing, downloading and/or uploading unethical, illegal, or criminal content from/to the internet (e.g., pornographic, and sexually explicit materials, illegal weapons, criminal and terrorism activities, and other illegal actions or activities).\u003c/li\u003e\u003cli\u003eSending, retrieving, viewing, displaying, or printing sexually explicit, suggestive, or pornographic text or images, or other offensive material (e.g., vulgar material, racially offensive material, etc.).\u003c/li\u003e\u003cli\u003eUsing non-public HHS/OpDiv data for private gain or to misrepresent myself or HHS/OpDiv or for any other unauthorized purpose.\u003c/li\u003e\u003cli\u003eSending messages supporting or opposing partisan political activity as restricted under the\u0026nbsp;\u003ca href=\"https://osc.gov/Services/Pages/HatchAct.aspx\" target=\"_blank\"\u003eHatch Act\u0026nbsp;\u003c/a\u003e\u0026nbsp;and other federal laws and regulations.\u003c/li\u003e\u003cli\u003eEngaging in any outside fund-raising, endorsing any product or service, lobbying, or engaging in partisan political activity.\u003c/li\u003e\u003cli\u003eUsing HHS/OpDiv information resources for activities that are inappropriate or offensive to fellow personnel or the public (e.g., hate speech or material that ridicules others on the basis of race, creed, religion, color, age, gender, disability, national origin, or sexual orientation).\u003c/li\u003e\u003cli\u003eCreating a website, TPWA, or social media site on behalf of HHS/OpDiv or uploading content to a website, TPWA, or social media site without proper official authorization.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn21\" target=\"_blank\"\u003e21\u003c/a\u003e\u003c/li\u003e\u003cli\u003eSending or forwarding chain letters, e-mail spam, inappropriate messages, or unapproved newsletters and broadcast messages except when forwarding to report this activity to authorized recipients.\u003c/li\u003e\u003cli\u003eUsing peer-to-peer (P2P) software except for secure tools approved in writing by the OpDiv CIO (or designee) to meet business or operational needs.\u0026nbsp;\u003c/li\u003e\u003cli\u003eCreating and/or operating unapproved/unauthorized Web sites or services.\u003c/li\u003e\u003cli\u003eUsing, storing, or distributing, unauthorized copyrighted or other intellectual property.\u003c/li\u003e\u003cli\u003eUsing HHS/OpDiv information, systems, and devices to send or post threatening, harassing, intimidating, or abusive material about anyone in public or private messages or any forums.\u003c/li\u003e\u003cli\u003eExceeding authorized access to sensitive information.\u003c/li\u003e\u003cli\u003eUsing HHS/OpDiv GFE for commercial or for-profit activity, shopping, instant messaging (for unauthorized and non-work-related purposes), managing outside employment or business activity, or running personal business, playing games, gambling, watching movies, accessing unauthorized sites, or hacking.\u003c/li\u003e\u003cli\u003eUsing an official HHS/OpDiv e-mail address to create personal commercial accounts for the purpose of receiving notifications (e.g., sales discounts, marketing, etc.), setting up a personal business or website, and signing up for personal memberships. Professional groups or memberships related to job duties at HHS/OpDiv are permissible.\u003c/li\u003e\u003cli\u003eRemoving data or equipment from the agency premises without proper authorization.\u003c/li\u003e\u003cli\u003eSharing, storing, or disclosing sensitive information with third-party organizations and/or using third-party applications (e.g., Drop Box, Evernote, iCloud, etc.) unless, in very limited circumstances, is authorized by HHS/OpDiv or OpDiv CISO or designee.\u003c/li\u003e\u003cli\u003eStoring sensitive data in external platforms, such as personal Google Docs.\u003c/li\u003e\u003cli\u003eTransporting, transmitting, e-mailing, texting, remotely accessing, or downloading sensitive information unless such action is explicitly permitted in writing by the manager or owner of such information and appropriate safeguards are in place per HHS/OpDiv policies concerning sensitive information.\u003c/li\u003e\u003cli\u003eKnowingly or willingly concealing, removing, mutilating, obliterating, falsifying, or destroying HHS/OpDiv information.\u003c/li\u003e\u003cli\u003eAccessing or visiting any unknown website(s) which may be infected with malware, responding to phishing emails, storing credentials in an unsecured location. This may cause to create an Incident and require having additional Awareness and Security training.\u003c/li\u003e\u003cli\u003eUsing any file sharing program without agency’s permission.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eSignature\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eI have read the above\u0026nbsp;\u003cem\u003eRules of Behavior for General Users\u003c/em\u003e\u0026nbsp;and understand and agree to comply with the provisions stated herein. I understand that violations of these RoB or HHS/OpDiv information security policies and standards may result in disciplinary action and that these actions may include reprimand, suspensive of access privileges, revocation of access to federal information, IT resources, information systems, and/or facilities, deactivation of accounts, suspension without pay, monetary fines, termination of employment; removal or debarment from work on federal contracts or projects; criminal charges that may result in imprisonment.\u003c/p\u003e\u003cp\u003eI understand that exceptions to these RoB must be authorized in advance in writing by the designated authorizing officials. I also understand that violation of federal laws, such as the Privacy Act of 1974, copyright law, and 18 USC 2071, which the HHS/OpDiv RoB draw upon, can result in monetary fines and/or criminal charges that may result in imprisonment.\u003c/p\u003e\u003cp\u003eUser’s Name:\u003c/p\u003e\u003cp\u003e(Print)\u003c/p\u003e\u003cp\u003eUser’s Signature:\u003c/p\u003e\u003cp\u003eDate Signed:\u003c/p\u003e\u003cp\u003e\u003cstrong\u003e2. Rules of Behavior for Privileged Users\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eThe following\u0026nbsp;\u003cem\u003eHHS/OpDiv Rules of Behavior (RoB) for Privileged Users\u003c/em\u003e\u0026nbsp;is an addendum to the\u0026nbsp;\u003cem\u003eRules of Behavior for General Users\u0026nbsp;\u003c/em\u003eand provides mandatory rules on the appropriate use and handling of HHS/OpDiv information technology (IT) resources for all HH privileged users, including federal employees, interns, contractors, and other staff who possess privileged access to HHS/OpDiv information systems.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn22\" target=\"_blank\"\u003e22\u003c/a\u003e\u0026nbsp;Privileged users have network accounts with elevated privileges that grant them greater access to IT resources than non-privileged users. These privileges are typically allocated to system, network, security, and database administrators, as well as other IT administrators.\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn23\" target=\"_blank\"\u003e23\u003c/a\u003e\u0026nbsp;The compromise of a privileged user account may expose HHS/OpDiv to a high-level of risk; therefore, privileged user accounts require additional safeguards.\u003c/p\u003e\u003cp\u003eA privileged user is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. System accounts and level of privilege vary dependent upon the role being fulfilled. A privileged user has the potential to compromise the three security objectives of confidentiality, integrity, and availability. Such users include, for example, security personnel or system administrators who are responsible for managing restricted physical locations or shared IT resources and have been granted permissions to create new user accounts, modify user privileges, as well as make system changes. Examples of privileged users include (but are not limited to):\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eApplication developer\u003c/li\u003e\u003cli\u003eDatabase administrator\u003c/li\u003e\u003cli\u003eDomain administrator\u003c/li\u003e\u003cli\u003eData center operations personnel\u003c/li\u003e\u003cli\u003eIT tester/auditor\u003c/li\u003e\u003cli\u003eHelpdesk support and computer/system maintenance personnel\u003c/li\u003e\u003cli\u003eNetwork engineer\u003c/li\u003e\u003cli\u003eSystem administrator\u003c/li\u003e\u003cli\u003eSecurity Stewards\u003c/li\u003e\u003c/ol\u003e\u003cp\u003ePrivileged users must read, acknowledge, and adhere to the RoB for Privileged User and any other HHS/OpDiv policy or guidance for privileged users, prior to obtaining access and using HHS/OpDiv information, IT resources and information systems and/or networks in a privileged role. The same signature acknowledgement process followed for the Appendix D, General User RoB, applies to the privileged user accounts. Each OpDiv must maintain a list of privileged users, the privileged accounts those users have access to, the permissions granted to each privileged account, and the authentication technology or combination of technologies required to use each privileged account\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-rules-behavior-use-information-and-it-resources#_ftn24\" target=\"_blank\"\u003e24\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFollowing is the RoB for a privileged user.\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eI understand that as a privileged user, I must:\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eUse privileged user accounts appropriately for their intended purpose and only when required for official duties.\u003c/li\u003e\u003cli\u003eComply with all privileged user responsibilities in accordance with the HHS Policy for Information Security and Privacy Protection (IS2P) and any other applicable HHS and OpDiv policies.\u003c/li\u003e\u003cli\u003eNotify system owners immediately when privileged access is no longer required.\u003c/li\u003e\u003cli\u003eProperly protect all information, including media, hard copy reports and documentation as well as system information in a manner commensurate with the sensitivity of the information and securely dispose of information and GFE that are no longer needed in accordance with HHS/OpDiv sanitization policies.\u003c/li\u003e\u003cli\u003eReport all suspected or confirmed information security incidents and privacy breaches to the OpDiv Helpdesk, HHS/OpDiv CSIRC, or OpDiv CSIRT as soon as possible, without unreasonable delay and no later than within\u0026nbsp;\u003cem\u003e\u003cstrong\u003eone (1) hour\u003c/strong\u003e\u003c/em\u003e\u0026nbsp;of occurrence/discovery.\u003c/li\u003e\u003cli\u003eComplete any specialized role-based security or privacy training as required before receiving privileged system access.\u003c/li\u003e\u003c/ol\u003e\u003cp\u003eI understand that as a privileged user, I must\u0026nbsp;\u003cstrong\u003enot:\u003c/strong\u003e\u003c/p\u003e\u003col type=\"A\"\u003e\u003cli\u003eShare privileged user account(s), password(s)/passcode(s)/PIV PINs, and other login credentials, including to other system administrators.\u003c/li\u003e\u003cli\u003eConduct official HHS/OpDiv business using personal email or personal online storage account.\u003c/li\u003e\u003cli\u003eUse privileged user access to log into any system for non-elevated duties.\u003c/li\u003e\u003cli\u003eInstall, modify, or remove any system hardware or software unless it is part of my job duties and the appropriate approvals have been obtained or with official written approval.\u003c/li\u003e\u003cli\u003eAccess the internet for any reason while using my privileged account. This includes downloading of files (including patches or updates), etc.\u003c/li\u003e\u003cli\u003eRemove or destroy system audit logs or any other security, event log information unless authorized by appropriate official(s) in writing.\u003c/li\u003e\u003cli\u003eTamper with audit logs of any kind. Note: In some cases, tampering can be considered evidence and can be a criminal offense punishable by fines and possible imprisonment.\u003c/li\u003e\u003cli\u003eAcquire, possess, trade, or use hardware or software tools that could be employed to evaluate, compromise, or bypass information systems security controls for unauthorized purposes.\u003c/li\u003e\u003cli\u003eIntroduce unauthorized code, Trojan horse programs, malicious code, viruses, or other malicious software into HHS/OpDiv information systems or networks.\u003c/li\u003e\u003cli\u003eKnowingly write, code, compile, store, transmit, or transfer malicious software code, to include viruses, logic bombs, worms, and macro viruses.\u003c/li\u003e\u003cli\u003eUse privileged user account(s) for day-to-day communications and other non-privileged transactions and activities.\u003c/li\u003e\u003cli\u003eElevate the privileges of any user without prior approval from the system owner.\u003c/li\u003e\u003cli\u003eUse privileged access to circumvent HHS/OpDiv policies or security controls.\u003c/li\u003e\u003cli\u003eAccess information outside of the scope of my specific job responsibilities or expose non-public information to unauthorized individuals.\u003c/li\u003e\u003cli\u003eUse a privileged user account for web access except in support of administrative related activities.\u003c/li\u003e\u003cli\u003eUse any unknown website(s) which may be infected with malware and responding to phishing emails. If I use, I will report to OpDiv Helpdesk, HHS/OpDiv CSIRC, or OpDiv CSIRT as soon as possible, without unreasonable delay and no later than within\u0026nbsp;\u003cem\u003e\u003cstrong\u003eone (1) hour\u003c/strong\u003e\u003c/em\u003e\u0026nbsp;of occurrence/discovery.\u003c/li\u003e\u003cli\u003eUse any file sharing program without HHS/OpDiv’s permission.\u003c/li\u003e\u003cli\u003eModify security settings on system hardware or software without the approval of a system administrator and/or a system owner.\u003c/li\u003e\u003cli\u003eUse systems (either government issued or non-government) without the following protections in place to access sensitive HHS/OpDiv information:\u003cul type=\"circle\"\u003e\u003cli\u003eAntivirus software with the latest updates\u003c/li\u003e\u003cli\u003eAnti-spyware and personal firewalls\u003c/li\u003e\u003cli\u003eA time-out function that requires re-authentication after no more than 30 minutes of inactivity on remote access\u003c/li\u003e\u003cli\u003eApproved encryption to protect sensitive information stored on recordable media, including laptops, USB drives, and external disks; or transmitted or downloaded via e-mail or remote connections.\u003c/li\u003e\u003c/ul\u003e\u003c/li\u003e\u003c/ol\u003e\u003cp\u003e\u003cstrong\u003eSignature\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eI have read the above\u0026nbsp;\u003cem\u003eRules of Behavior (RoB) for Privileged User\u003c/em\u003es and understand and agree to comply with the provisions stated herein. I understand that violations of these RoB or HHS/OpDiv information security policies and standards may result in disciplinary action and that these actions may include reprimand, suspensive of access privileges, revocation of access to federal information, information systems, and/or facilities, deactivation of accounts, suspension without pay, monetary fines, termination of employment; removal or debarment from work on federal contracts or projects; criminal charges that may result in imprisonment. I understand that exceptions to these RoBmust be authorized in advance in writing by the designated authorizing official(s).\u003c/p\u003e\u003cp\u003eUser’s Name:\u003c/p\u003e\u003cp\u003e(Print)\u003c/p\u003e\u003cp\u003eUser’s Signature:\u003c/p\u003e\u003cp\u003eDate Signed:\u003c/p\u003e\u003ch2 id=\"m_4884422691552917800appendix-e\"\u003eAppendix E: References\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eStatutes\u003c/strong\u003e\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eOverview of the Privacy Act of 1974, 2020 Edition (\u003ca href=\"http://justice.gov/\" target=\"_blank\"\u003ejustice.gov\u003c/a\u003e):\u0026nbsp;\u003ca href=\"https://www.justice.gov/Overview_2020/download\" target=\"_blank\"\u003ehttps://www.justice.gov/Overview_2020/download\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eExecutive Order (EO) 13556,\u0026nbsp;\u003cem\u003eControlled Unclassified Information (CUI),\u0026nbsp;\u003c/em\u003eNovember 2010,\u0026nbsp;\u003ca href=\"https://www.govinfo.gov/content/pkg/FR-2010-11-09/pdf/2010-28360.pdf\" target=\"_blank\"\u003ehttps://www.govinfo.gov/content/pkg/FR-2010-11-09/pdf/2010-28360.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eEO 14028,\u0026nbsp;\u003cem\u003eImproving the Nation's Cybersecurity\u003c/em\u003e, May 2021,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\" target=\"_blank\"\u003ehttps://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eFederal Information Security Modernization Act of 2014 (FISMA), Pub. L. No. 113-283, 128 Stat. 3073, codified at 44 U.S.C. Chapter 35, Subchapter II,\u0026nbsp;\u003ca href=\"https://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf\" target=\"_blank\"\u003ehttps://www.congress.gov/113/plaws/publ283/PLAW-113publ283.pdf\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eNIST Guidance\u003c/strong\u003e\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eNational Institute of Standards and Technology (NIST) Special Publication (SP) 800-12 Revision 1,\u0026nbsp;\u003cem\u003eAn Introduction to Information Security\u003c/em\u003e, June 2017,\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-12/rev-1/final\" target=\"_blank\"\u003eSP 800-12 Rev. 1, An Introduction to Information Security | CSRC (nist.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-18 Rev.1,\u0026nbsp;\u003cem\u003eGuide for Developing Security Plans for Federal Information Systems\u003c/em\u003e, February 2006,\u0026nbsp;\u003ca href=\"http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf\" target=\"_blank\"\u003ehttp://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-18r1.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-37 Revision 2,\u0026nbsp;\u003cem\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy\u003c/em\u003e, December 2018,\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-37r2.pdf\" target=\"_blank\"\u003eRisk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy (nist.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-53 Rev.5,\u0026nbsp;\u003cem\u003eSecurity and Privacy Controls for Information Systems and Organizations\u003c/em\u003e, December 2020,\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\" target=\"_blank\"\u003ehttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-63B,\u0026nbsp;\u003cem\u003eDigital Identity Guidelines: Authentication and Lifecycle Management\u003c/em\u003e, March 2020,\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf\" target=\"_blank\"\u003ehttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-63b.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-88 Rev.1,\u0026nbsp;\u003cem\u003eGuidelines for Media Sanitization,\u0026nbsp;\u003c/em\u003eDecember 2014\u003cem\u003e,\u003c/em\u003e\u0026nbsp;\u003ca href=\"http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\" target=\"_blank\"\u003ehttp://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-137,\u0026nbsp;\u003cem\u003eInformation Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations\u003c/em\u003e, September 2011,\u0026nbsp;\u003ca href=\"http://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf\" target=\"_blank\"\u003ehttp://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-137.pdf\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST SP 800-209,\u003cem\u003e\u0026nbsp;Security Guidelines for Storage Infrastructure,\u003c/em\u003e\u0026nbsp;October, 2020,\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-209/final\" target=\"_blank\"\u003ehttps://csrc.nist.gov/publications/detail/sp/800-209/final\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eNIST White Paper,\u0026nbsp;\u003cem\u003eBest Practices for Privileged User PIV Authentication,\u003c/em\u003e\u0026nbsp;April 21, 2016,\u0026nbsp;\u003ca href=\"http://csrc.nist.gov/publications/papers/2016/best-practices-privileged-user-piv-authentication.pdf\" target=\"_blank\"\u003ehttp://csrc.nist.gov/publications/papers/2016/best-practices-privileged-user-piv-authentication.pdf\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eOMB Circulars and Memoranda\u003c/strong\u003e\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003eOffice of Management and Budget (OMB) Circular A-123\u003cem\u003e, Management’s Responsibility for Enterprise Risk Management and Internal Control\u003c/em\u003e, as amended,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003ehttps://www.whitehouse.gov/omb/information-for-agencies/circulars\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB Circular A-130,\u0026nbsp;\u003cem\u003eManaging Information as a Strategic Resourc\u003c/em\u003ee, July 2016,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003ehttps://www.whitehouse.gov/omb/information-for-agencies/circulars\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB M-17-09,\u0026nbsp;\u003cem\u003eManagement of High Value Assets\u003c/em\u003e, December 2016,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-09.pdf\" target=\"_blank\"\u003eMemorandum for Heads of Executive Departments and Agencies (whitehouse.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB Memorandum M-17-12,\u0026nbsp;\u003cem\u003ePreparing for and Responding to a Breach of Personally Identifiable Information\u003c/em\u003e, January 2017,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eMemorandum for Heads of Executive Department and Agencies (whitehouse.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB M-18-02,\u0026nbsp;\u003cem\u003eFiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management Requirements\u003c/em\u003e,October 2017,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/M-18-02%20%28final%29.pdf\" target=\"_blank\"\u003eM-18-02 (whitehouse.gov)\u003c/a\u003e.\u003c/li\u003e\u003cli\u003eOMB M-22-09,\u0026nbsp;\u003cem\u003eMoving the U.S. Government Toward Zero Trust Cybersecurity Principles\u003c/em\u003e, January 2022,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\" target=\"_blank\"\u003ehttps://www.whitehouse.gov/wp-content/uploads/2022/01/M-22-09.pdf\u003c/a\u003e.\u003c/li\u003e\u003c/ul\u003e\u003cp\u003e\u003cstrong\u003eHHS Policies and Memoranda\u003c/strong\u003e\u003c/p\u003e\u003cp\u003eAll HHS Policies may be found at\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides\u003c/a\u003e. These policies may be updated, and the current version should be used.\u003c/p\u003e\u003cul type=\"disc\"\u003e\u003cli\u003e\u003cem\u003eHHS Policy and Plan for Preparing for and Responding to a Breach of PII\u003c/em\u003e, May 2020.\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Policy Exception/Risk Based Exception Form,\u0026nbsp;\u003c/em\u003eJuly 2019.\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Standard for Encryption of Computing Devices and Information\u003c/em\u003e, December 2016.\u003c/li\u003e\u003cli\u003e\u003cem\u003eHHS Policy for Information Security and Privacy Protection (IS2P)\u003c/em\u003e, November 2021.\u003c/li\u003e\u003cli\u003e\u003cem\u003ePolicy for Monitoring Employee Use of HHS IT Resources\u003c/em\u003e, June 2013\u003c/li\u003e\u003cli\u003e\u003cem\u003eUpdated Department Standard Warning Banner\u003c/em\u003e, November 2016.\u003c/li\u003e\u003cli\u003e\u003cem\u003eUsage of Unauthorized External Information Systems to Conduct Department Business\u003c/em\u003e, January 8, 2014.\u003c/li\u003e\u003cli\u003e\u003cem\u003eUse of GFE during Foreign Travel\u003c/em\u003e, February 2021\u003c/li\u003e\u003c/ul\u003e\u003ch2 id=\"m_4884422691552917800glossary-acronyms\"\u003eGlossary and Acronyms\u003c/h2\u003e\u003cp\u003e\u003cstrong\u003eAudit Log -\u003c/strong\u003e\u0026nbsp;A chronological record of information system activities, including records of system accesses and operations performed in each period.\u0026nbsp; (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-171\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eAuthentication -\u003c/strong\u003e\u0026nbsp;A process that provides assurance of the source and integrity of information that is communicated or stored, or that provides assurance of an entity’s identity. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-175A\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eBackup (system backup)\u003c/strong\u003e\u0026nbsp;- The process of copying information or processing status to a redundant system, service, device, or medium that can provide the needed processing capability when needed. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-152\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eBreach\u003c/strong\u003e\u0026nbsp;- The loss of control, compromise, unauthorized disclosure, unauthorized acquisition, or any similar occurrence where (1) a person other than an authorized user accesses or potentially accesses PII or (2) an authorized user accesses or potentially accesses PII for another than authorized purpose. (Source:\u0026nbsp;\u003ca href=\"https://osec.doc.gov/opog/privacy/Memorandums/OMB_M-17-12.pdf\" target=\"_blank\"\u003eOMB M-17-12\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCloud Service -\u003c/strong\u003e\u0026nbsp;External service that enable convenient, on-demand network access to a shared pool of configurable computing resources (e.g., networks, servers, storage, applications, and services) that can be rapidly provisioned and released with minimal management effort or cloud provider interaction. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-144\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCompromise\u003c/strong\u003e\u0026nbsp;- The unauthorized disclosure, modification, substitution or use of sensitive data (e.g., keying material and other security-related information). (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-175B\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eConfidentiality\u003c/strong\u003e\u0026nbsp;- The property that sensitive information is not disclosed to unauthorized entities. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-175A\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eControlled Unclassified Information (CUI)\u003c/strong\u003e\u0026nbsp;- Information that requires safeguarding or dissemination controls pursuant to and consistent with applicable law, regulations, and government-wide policies but is not classified under Executive Order 13526 or the Atomic Energy Act, as amended. (Source:\u0026nbsp;\u003ca href=\"https://obamawhitehouse.archives.gov/the-press-office/2010/11/04/executive-order-13556-controlled-unclassified-information\" target=\"_blank\"\u003eExecutive Order 13556\u003c/a\u003e)\u0026nbsp;\u003cstrong\u003eNote:\u0026nbsp;\u003c/strong\u003eSee sensitive information definition below.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCUI Privacy\u003c/strong\u003e\u0026nbsp;– A category of CUI.\u0026nbsp; Refers to personal information, or, in some cases, \"personally identifiable information,\" as defined in OMB M-17-12, or \"means of identification\" as defined in 18 USC 1028(d)(7). (Source: NARA,\u0026nbsp;\u003ca href=\"https://www.archives.gov/cui/registry/category-list\" target=\"_blank\"\u003eCUI Registry\u003c/a\u003e)\u003cstrong\u003e\u0026nbsp;\u0026nbsp;\u0026nbsp;\u003c/strong\u003e\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eCUI Privacy-Health Information\u003c/strong\u003e\u0026nbsp;– A subcategory of CUI Privacy. As per 42 USC 1320d(4), \"health information\" means any information, whether oral or recorded in any form or medium, that (A) is created or received by a health care provider, health plan, public health authority, employer, life insurer, school or university, or health care clearinghouse; and (B) relates to the past, present, or future physical or mental health or condition of an individual, the provision of health care to an individual, or the past, present, or future payment for the provision of health care to an individual. (Source: NARA,\u0026nbsp;\u003ca href=\"https://www.archives.gov/cui/registry/category-list\" target=\"_blank\"\u003eCUI Registry\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eDirect Application Access\u003c/strong\u003e\u0026nbsp;- A high-level remote access architecture that allows teleworkers to access an individual application directly, without using remote access software. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eExternal Email Source\u0026nbsp;\u003c/strong\u003e– Defined as an email that is not an official HHS.gov email account. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eExternal Information System (or component)\u0026nbsp;\u003c/strong\u003e– An information system or component of an information system that is outside of the authorization boundary established by the organization and for which the organization typically has no direct control over the application of required security controls or the assessment of security control effectiveness. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53\u003c/a\u003e;\u0026nbsp;\u003ca href=\"https://www.cnss.gov/CNSS/issuances/Instructions.cfm\" target=\"_blank\"\u003eCNSSI-4009\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal Information -\u0026nbsp;\u003c/strong\u003eInformation created, collected, processed, maintained, disseminated, disclosed, or disposed of by or for the Federal Government, in any medium or form. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eOMB Memorandum M-17-12\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFederal Information System\u003c/strong\u003e\u0026nbsp;- An information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eFull Disk Encryption (FDE)\u003c/strong\u003e\u0026nbsp;- The process of encrypting all the data on the hard drive used to boot a computer, including the computer’s operating system, and permitting access to the data only after successful authentication with the full disk encryption product. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-111\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eGeneral Users\u003c/strong\u003e\u0026nbsp;- A user who has only general access to HHS information resources (not greater access to perform security relevant functions). (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHHS Information Technology (IT) Assets\u0026nbsp;\u003c/strong\u003e- Defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of HHS. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHHS Information Assets\u0026nbsp;\u003c/strong\u003e– Defined as any information created, developed, used for or on behalf of HHS. This includes information in electronic, paper, or another medium format. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eHoteling Space\u0026nbsp;\u003c/strong\u003e– Defined as a term that involves temporary or shared space for working and workstation usage. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIncident\u003c/strong\u003e\u0026nbsp;- An occurrence that (1) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (2) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eOMB Memorandum M-17-12\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation Resources\u003c/strong\u003e\u0026nbsp;- Information and related resources, such as personnel, equipment, funds, and information technology. (Source:\u0026nbsp;\u003ca href=\"https://www.govinfo.gov/app/details/USCODE-2011-title44/USCODE-2011-title44-chap35-subchapI-sec3502\" target=\"_blank\"\u003e44 U.S.C., Sec. 3502\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://www.cnss.gov/CNSS/issuances/Instructions.cfm\" target=\"_blank\"\u003eCNSSI No. 4009\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation System (IS)\u0026nbsp;\u003c/strong\u003e- A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.\u0026nbsp; Note: Information systems also include specialized systems such as industrial/process controls systems, telephone switching and private branch exchange (PBX) systems, and environmental control systems. (Source:\u0026nbsp;\u003ca href=\"https://www.govinfo.gov/app/details/USCODE-2011-title44/USCODE-2011-title44-chap35-subchapI-sec3502\" target=\"_blank\"\u003e44 U.S.C. Sec 3502\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/OMB/circulars/a130/a130revised.pdf\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eInformation Technology (IT)\u003c/strong\u003e\u0026nbsp;- Any services, equipment, or interconnected system(s) or subsystem(s) of equipment, that are used in the automatic acquisition, storage, analysis, evaluation, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by the agency. For purposes of this definition, such services or equipment if used by the agency directly or is used by a contractor under a contract with the agency that requires its use; or to a significant extent, its use in the performance of a service or the furnishing of a product. Information technology includes computers, ancillary equipment (including imaging peripherals, input, output, and storage devices necessary for security and surveillance), peripheral equipment designed to be controlled by the central processing unit of a computer, software, firmware and similar procedures, services (including cloud computing and help-desk services or other professional services which support any point of the life cycle of the equipment or service), and related resources. Information technology does not include any equipment that is acquired by a contractor incidental to a contract which does not require its use. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eIntegrity\u003c/strong\u003e\u0026nbsp;- The property that protected data has not been modified or deleted in an unauthorized and undetected manner. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-175A\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eLogic Bomb\u003c/strong\u003e\u0026nbsp;- A piece of code intentionally inserted into a software system that will set off a malicious function when specified conditions are met. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-12rev1\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMacro Virus\u003c/strong\u003e\u0026nbsp;- A specific type of computer virus that is encoded as a macro embedded in some document and activated when the document is handled. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-28ver1\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMedia\u003c/strong\u003e\u0026nbsp;- Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (but not including display media) onto which information is recorded, stored, or printed within an information system. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e)\u0026nbsp; \u003cstrong\u003eNote:\u0026nbsp;\u003c/strong\u003eAlso see Removable Media.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMobile Device\u003c/strong\u003e\u0026nbsp;- A portable computing device that: (i) has a small form factor such that it can easily be carried by a single individual; (ii) is designed to operate without a physical connection (e.g., wirelessly transmit or receive information); (iii) possesses local, non-removable or removable data storage; and (iv) includes a self-contained power source. Mobile devices may also include voice communication capabilities, on-board sensors that allow the devices to capture information, and/or built-in features for synchronizing local data with remote locations. Examples include smart phones, tablets, and E-readers. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-79-2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMobile\u0026nbsp;Device Management -\u0026nbsp;\u003c/strong\u003eMobile enterprise security technology used to address security requirements. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-163\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMobile Hotspot\u003c/strong\u003e\u0026nbsp;- A mobile hotspot is an offering by various telecom providers to provide localized Wi-Fi. With a hotspot, an adapter or device allows computer users to connect to the internet from approved and/or unapproved locations. Mobile hotspots are advertised as an alternative to the traditional practice of logging onto a local area network or other wireless networks from a personal computer (PC). Although mobile hotspots could be used for other kinds of devices, they are most commonly associated with laptop computers because laptop computers are a type of \"hybrid\" device that may roam but doesn’t usually come with built-in mobile Wi-Fi. (Source:\u0026nbsp;\u003ca href=\"https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering\" target=\"_blank\"\u003ehttps://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eMobile Tethering -\u003c/strong\u003e\u0026nbsp;Mobile tethering is slightly different from a mobile hot spot and the mobile tethering must be approved by OpDivs. A tethering strategy involves connecting one device without Wi-Fi to another device that has Wi-Fi connectivity. For example, a user could tether a laptop to a smartphone through cabling or through a wireless connection. This would allow for using the computer on a connected basis. When tethering involves a wireless setup, it closely resembles a mobile hotspot. In fact, though, there are some fairly significant differences between tethering and hotspots in both design and implementation. While a mobile hotspot frequently serves multiple devices in a setup that looks like a local area network, tethering is a practice that has the connotation of being between only two devices. (Source:\u0026nbsp;\u003ca href=\"https://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering\" target=\"_blank\"\u003ehttps://www.techopedia.com/7/30061/networking/what-is-the-difference-between-a-mobile-hotspot-and-tethering\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePersonal Identity Verification (PIV) Card\u003c/strong\u003e\u0026nbsp;-The physical artifact (e.g., identity card, “smart” card) issued to an applicant by an issuer contains stored identity markers or credentials (e.g., a photograph, cryptographic keys, digitized fingerprint representations) so that the claimed identity of the cardholder can be verified against the stored credentials by another person (human readable and verifiable) or an automated process (computer readable and verifiable) (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-79 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePersonally Identifiable Information (PII)\u003c/strong\u003e\u0026nbsp;- Information that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eOMB M-17-12\u003c/a\u003e,\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePersonally Owned Device\u003c/strong\u003e\u0026nbsp;A non-organization-controlled client device owned by an individual. These client devices are controlled by the owner, who is fully responsible for securing them and maintaining their security. (Source: Adapted from\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e).\u003cstrong\u003e\u0026nbsp;Note\u003c/strong\u003e: Also referred to as a Bring Your Own Device (BYOD).\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivacy Impact Assessment\u0026nbsp;\u003c/strong\u003e- An analysis of how information is handled to ensure handling conforms to applicable legal, regulatory, and policy requirements regarding privacy; to determine the risks and effects of creating, collecting, using, processing, storing, maintaining, disseminating, disclosing, and disposing of PII in an electronic information system; and to examine and evaluate protections and alternate processes for handling information to mitigate potential privacy concerns.\u0026nbsp; A PIA is both an analysis and a formal document detailing the process and the outcome of the analysis. (Source:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/omb/information-for-agencies/circulars\" target=\"_blank\"\u003eOMB Circular A-130\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003ePrivileged User\u003c/strong\u003e\u0026nbsp;- A user who is authorized (and therefore, trusted) to perform security-relevant functions that ordinary users are not authorized to perform. Privileged users have network accounts with privileges that grant them greater access to IT resources than general (i.e., non-privileged) users have. These privileges are typically allocated to system, network, security, and database administrators, as well as another IT administrator. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eProtected Health Information (PHI)\u003c/strong\u003e\u0026nbsp;- Individually identifiable health information (IIHI) that is transmitted by electronic media, maintained in electronic media, or transmitted or maintained in any other form or medium. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-122\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRemote Access\u003c/strong\u003e\u0026nbsp;- The ability for an organization’s users to access its non-public computing resources from external locations other than the organization’s facilities. (Source:\u0026nbsp;\u003ca href=\"https://www.cnss.gov/CNSS/issuances/Instructions.cfm\" target=\"_blank\"\u003eCNSSI 4009\u003c/a\u003e)\u0026nbsp;\u003cstrong\u003eNOTE\u003c/strong\u003e: Per\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-53/rev-5/final\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e, this also applies to a process acting on behalf of a user.\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRemote Access Method\u003c/strong\u003e\u0026nbsp;\u003cstrong\u003e-\u0026nbsp;\u003c/strong\u003eMechanisms that enable users to perform remote access. There are four types of remote access methods: tunneling, portals, remote desktop access, and direct application access. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRemote Desktop Access\u003c/strong\u003e\u0026nbsp;- A high-level remote access architecture that gives a teleworker the ability to remotely control a particular desktop computer at the organization, most often the user’s own computer at the organization’s office, from a telework client device. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eRemovable Media\u003c/strong\u003e\u0026nbsp;- Portable data storage medium that can be added to or removed from a computing device or network.\u0026nbsp; Note:\u0026nbsp; Examples include, but are not limited to: optical discs (CD, DVD, Blu-ray); external/removable hard drives; external/removable Solid-State Disk (SSD) drives; magnetic/optical tapes; flash memory devices (USB, eSATA, Flash Drive, Thumb Drive); flash memory cards (Secure Digital, CompactFlash, Memory Stick, MMC, xD); and other external / removable disks (floppy, Zip, Jaz, Bernoulli, UMD). (Source:\u0026nbsp;\u003ca href=\"https://www.cnss.gov/CNSS/issuances/Instructions.cfm\" target=\"_blank\"\u003eCNSSI 4009\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSanitize\u003c/strong\u003e\u0026nbsp;- A process to render access to Target Data on the media infeasible for a given level of effort.\u0026nbsp; Clear, Purge, and Destroy are actions that can be taken to sanitize media. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-88 Revision 1\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSanitization\u003c/strong\u003e\u0026nbsp;- A process to render access to target data on the media infeasible for a given level of effort. Clear, purge, and destroy are actions that can be taken to sanitize media. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-53 Revision 5\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSensitive Information\u003c/strong\u003e\u0026nbsp;- Information, the loss, misuse, or unauthorized access to or modification of, that could adversely affect the national interest or the conduct of federal programs, or the privacy to which individuals are entitled under 5 U.S.C. Section 552a (the Privacy Act), but that has not been specifically authorized under criteria established by an Executive Order or an Act of Congress to be kept classified in the interest of national defense or foreign policy. (Source:\u0026nbsp;\u003ca href=\"https://doi.org/10.6028/NIST.SP.800-150\" target=\"_blank\"\u003eNIST SP 800-150\u003c/a\u003e\u0026nbsp;under Sensitive Information from\u0026nbsp;\u003ca href=\"https://doi.org/10.6028/NIST.IR.7298r2\" target=\"_blank\"\u003eNISTIR 7298 Rev. 2\u003c/a\u003e) (See Section 2 Purpose on page 4 for how \"sensitive information\" is applied within this policy)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem of Records -\u0026nbsp;\u003c/strong\u003eA group of any records under the control of any agency from which information about an individual is retrieved by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-122\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca href=\"https://www.justice.gov/opcl/privacy-act-1974#:~:text=The%20Privacy%20Act%20of%201974,of%20records%20by%20federal%20agencies.\" target=\"_blank\"\u003eThe Privacy Act of 1974, as amended, 5 U.S.C. § 552a(a)(5)\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eSystem-Specific User -\u003c/strong\u003e\u0026nbsp;The user of a system that is subject to system-specific ROBs. (Source: HHS-defined)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTelework\u003c/strong\u003e\u0026nbsp;- The ability for an organization’s employees, contractors, business partners, vendors, and other users to perform work from locations other than the organization’s facilities. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eTelework Client Device -\u003c/strong\u003e\u0026nbsp;A PC or mobile device. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eThird Party-Controlled Device\u003c/strong\u003e\u0026nbsp;- A client device controlled by a contractor, business partner, or vendor.\u0026nbsp; These client devices are controlled by the remote worker’s employer who is ultimately responsible for securing the client devices and maintaining their security. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eUnknown Device -\u003c/strong\u003e\u0026nbsp;A client device that is owned and controlled by other parties, such as a kiosk computer at hotels, and a PC or mobile device owned by friends and family. The device is labeled as “unknown” because there are no assurances regarding its security posture. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVirtual Disk Encryption\u003c/strong\u003e\u0026nbsp;- The process of encrypting a container, which can hold many files and folders, and permitting access to the data within the container only after proper authentication is provided. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-111\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVirtual Private Network (VPN)\u003c/strong\u003e\u0026nbsp;- A virtual network, built on top of existing physical networks that provides a secure communications tunnel for data and other information transmitted between networks. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-46 Revision 2\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eVirus\u003c/strong\u003e\u0026nbsp;- A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk. See malicious code. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-12rev1\u003c/a\u003e)\u003c/p\u003e\u003cp\u003e\u003cstrong\u003eWorm\u003c/strong\u003e\u0026nbsp;- A self-replicating, self-propagating, self-contained program that uses networking mechanisms to spread itself. See Malicious Code. (Source:\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/glossary?index=N\" target=\"_blank\"\u003eNIST SP 800-12rev1\u003c/a\u003e)\u003c/p\u003e\u003ch3\u003eAcronyms:\u003c/h3\u003e\u003cp\u003eCIO - Chief Information Officer\u003c/p\u003e\u003cp\u003eCISO - Chief Information Security Officer\u003c/p\u003e\u003cp\u003eCSIRC - Computer Security Incident Response Center\u003c/p\u003e\u003cp\u003eCSIRT - Computer Security Incident Response Team\u003c/p\u003e\u003cp\u003eCUI - Controlled Unclassified Information\u003c/p\u003e\u003cp\u003eEO - Executive Order\u003c/p\u003e\u003cp\u003eFISMA - Federal Information Security Modernization Act of 2014\u003c/p\u003e\u003cp\u003eHHS - Department of Health and Human Services\u003c/p\u003e\u003cp\u003eIS2P - Information Systems Security and Privacy Policy\u003c/p\u003e\u003cp\u003eISCM - Information Security Continuous Monitoring\u003c/p\u003e\u003cp\u003eM - Memorandum\u003c/p\u003e\u003cp\u003eNARA - National Archives and Records Administration\u003c/p\u003e\u003cp\u003eNIST - National Institute of Standards and Technology\u003c/p\u003e\u003cp\u003eOCIO - Office of the Chief Information Officer\u003c/p\u003e\u003cp\u003eOIS - Office of Information Security\u003c/p\u003e\u003cp\u003eOMB - Office of Management and Budget\u003c/p\u003e\u003cp\u003eOpDiv - Operating Division\u003c/p\u003e\u003cp\u003ePHI - Protected Health Information\u003c/p\u003e\u003cp\u003ePII - Personally Identifiable Information\u003c/p\u003e\u003cp\u003eRoB - Rules of Behavior\u003c/p\u003e\u003cp\u003eSP - Special Publication\u003c/p\u003e\u003cp\u003eUSB - Universal Serial Bus\u003c/p\u003e\u003ch3\u003eEndnotes\u003c/h3\u003e\u003cp\u003e[1] PII is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. OMB\u0026nbsp;\u003cem\u003eCircular No. A-130, Managing Information as a Strategic Resource\u003c/em\u003e, p. 21. Available at:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf\" target=\"_blank\"\u003eReview-Doc-2016--466-1.docx (whitehouse.gov)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[2] CUI is defined in\u0026nbsp;\u003ca href=\"https://www.gpo.gov/fdsys/pkg/FR-2010-11-09/pdf/2010-28360.pdf\" target=\"_blank\"\u003eExecutive Order (EO) 13556\u003c/a\u003e,\u0026nbsp;\u003cem\u003eControlled Unclassified Information (CUI)\u003c/em\u003e. HHS currently does not have a CUI policy. There are numerous categories and subcategories of CUI listed in the National Archives and Records Administration (NARA)\u0026nbsp;\u003ca href=\"https://www.archives.gov/cui/registry/category-list\" target=\"_blank\"\u003eCUI Registry\u003c/a\u003e. Examples of CUI categories include Privacy, Procurement and Acquisition, Proprietary Business Information, and Information Systems Vulnerability Information.\u003c/p\u003e\u003cp\u003e[3] See\u0026nbsp;\u003cem\u003ePolicy for Data Loss Prevention\u0026nbsp;\u003c/em\u003eavailable at:\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/working-at-hhs/cybersecurity/ocio-policies\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[4] All third-party web applications, social media sites, storage and cloud services must be authorized prior to use. Only authorized personnel can post only authorized content on public-facing websites and social media sites.\u003c/p\u003e\u003cp\u003e[5] See definition of sensitive information in the Glossary section.\u003c/p\u003e\u003cp\u003e[6] See Public Law 115–232, Section 889 Parts A and B (included in FAR 4.21) available at\u0026nbsp;\u003ca href=\"https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf\" target=\"_blank\"\u003ehttps://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf\u003c/a\u003e. Prohibition includes telecommunications equipment produced by Huawei Technologies Company or ZTE Corporation, as well as video surveillance and telecommunications equipment produced by Hytera Communications Corporation, Hangzhou Hikvision Digital Technology Company, or Dahua Technology Company (or any subsidiary or affiliate of such entities). For additional information and to verify any countries that are being sanctioned by the US, consult:\u0026nbsp;\u003ca href=\"https://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx\" target=\"_blank\"\u003ehttps://www.treasury.gov/resource-center/sanctions/programs/pages/programs.aspx\u003c/a\u003e. Also, consult the HHS Memorandum,\u0026nbsp;\u003cem\u003eImplementation of the Section 889(a)(1)(B) Prohibition on Contracting with Entities Using Certain Telecommunications and Video Surveillance Services or Equipment\u003c/em\u003e, July 29, 2020, available at\u0026nbsp;\u003ca href=\"https://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf\" target=\"_blank\"\u003ehttps://www.congress.gov/115/plaws/publ232/PLAW-115publ232.pdf\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[7] see CISA CAPACITY ENHANCEMENT GUIDE: Printing While Working Remotely, available at\u0026nbsp;\u003ca href=\"https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf\" target=\"_blank\"\u003ehttps://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[8] For additional information, see\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup\u003c/a\u003e\u0026nbsp;as well as\u0026nbsp; \u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[9] Bluetooth is defined as “A wireless protocol that allows two similarly equipped devices to communicate with each other within a short distance (e.g., 30 ft.).” This includes headphones. and For additional information, see\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf\" target=\"_blank\"\u003ehttps://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-101r1.pdf\u003c/a\u003e\u0026nbsp;and\u0026nbsp;\u003ca href=\"https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-121r2-upd1.pdf\" target=\"_blank\"\u003eNIST SP 800-121 rev2\u003c/a\u003e, available at\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/sp800\" target=\"_blank\"\u003eSearch | CSRC (nist.gov)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[10] See the HHS memorandum\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/about-hhs/national-security/policy/gfe-foreign-travel-2018\" target=\"_blank\"\u003eUse of Government Furnished Equipment (GFE) During Foreign Travel\u003c/a\u003e\u003c/p\u003e\u003cp\u003e[11] CSIRC and IRT points of contact are available at:\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/about-hhs/org-chart/asa-offices/office-of-the-chief-information-officer-ocio/csirc\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/about-hhs/org-chart/asa-offices/office-of-the-chief-information-officer-ocio/csirc\u003c/a\u003e. Provide all necessary information that will help with the incident investigation.\u003c/p\u003e\u003cp\u003e[12] See the HHS memoranda\u0026nbsp;\u003cem\u003ePolicy for Monitoring Employee Use of HHS IT Resources\u003c/em\u003e\u0026nbsp;and\u0026nbsp;\u003cem\u003eUpdated Department Standard Warning Banner\u003c/em\u003e\u0026nbsp;available at\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/working-at-hhs/cybersecurity/policies-standards-memoranda-guides/memoranda\" target=\"_blank\"\u003eMemoranda | Community for HHS Intranet\u003c/a\u003e\u003c/p\u003e\u003cp\u003e[13] See\u0026nbsp;\u003cem\u003eNIST SP 800-209\u0026nbsp;Security Guidelines for Storage Infrastructure,\u003c/em\u003e\u0026nbsp;available at\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-209/final\" target=\"_blank\"\u003ehttps://csrc.nist.gov/publications/detail/sp/800-209/final\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[14] HHS/OpDiv IT assets are defined as hardware, software, systems, services, and related technology assets used to execute work on behalf of HHS. This definition is adapted from NIST SP 800-30, Revision 1, Guide for Conducting Risk Assessments, available at\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final\" target=\"_blank\"\u003ehttps://csrc.nist.gov/publications/detail/sp/800-30/rev-1/final\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[15] Please review the\u0026nbsp;\u003ca href=\"https://obamawhitehouse.archives.gov/sites/default/files/omb/memoranda/2017/m-17-12_0.pdf\" target=\"_blank\"\u003eOMB M-17-12\u003c/a\u003e\u0026nbsp;for the specific distinctions between incident response and breach response.\u003c/p\u003e\u003cp\u003e[16] Personally identifiable information (PII) is information that can be used to distinguish or trace an individual’s identity, either alone or when combined with other information that is linked or linkable to a specific individual. Office of Management and Budget (OMB). (2016, July 27).\u0026nbsp;\u003cem\u003eCircular No. A-130, Managing Information as a Strategic Resource\u003c/em\u003e, p. 21. Available at:\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/circulars/A130/a130revised.pdf\" target=\"_blank\"\u003eReview-Doc-2016--466-1.docx (whitehouse.gov)\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[17] To contact your OpDiv SOP, visit\u0026nbsp;\u003ca href=\"https://www.hhs.gov/web/policies-and-standards/hhs-web-policies/privacy/index.html#HHS-Privacy-Officials\" target=\"_blank\"\u003ehttps://www.hhs.gov/web/policies-and-standards/hhs-web-policies/privacy/index.html#HHS-Privacy-Officials\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[18] Examples of significant changes include, but are not limited to, changes to the way PII are managed in the system, new uses or sharing, and the merging of data sets.\u003c/p\u003e\u003cp\u003e[19] see CISA CAPACITY ENHANCEMENT GUIDE: Printing While Working Remotely, available at\u0026nbsp;\u003ca href=\"https://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf\" target=\"_blank\"\u003ehttps://www.cisa.gov/sites/default/files/publications/CISA_CEG_Printing_While_Working_Remotely_508C_1.pdf\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[20] For additional information, see\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/news/blog-posts/cybercare/home-network-security-annual-checkup\u003c/a\u003e\u0026nbsp;as well as\u0026nbsp;\u003ca href=\"https://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks\" target=\"_blank\"\u003ehttps://intranet.hhs.gov/policy/hhs-policy-for-securing-wireless-local-area-networks\u003c/a\u003e.\u003c/p\u003e\u003cp\u003e[21] All third-party web applications, social media sites, storage and cloud services must be authorized prior to use. Only authorized personnel can post only authorized content on public-facing websites and social media sites.\u003c/p\u003e\u003cp\u003e[22] Per NIST SP 800-53, Revision 5, Security and Privacy Controls for Information Systems and Organizations, privileged roles include, for example, key management, network and system administration, database administration, and Web administration.\u003c/p\u003e\u003cp\u003e[23] OMB-16-04 available at\u0026nbsp;\u003ca href=\"https://www.whitehouse.gov/wp-content/uploads/legacy_drupal_files/omb/memoranda/2016/m-16-04.pdf\" target=\"_blank\"\u003eReview-Doc-2015-ITOR-315-1.docx (whitehouse.gov)\u003c/a\u003e\u003cem\u003e,\u0026nbsp;\u003c/em\u003eOctober 30, 2015.\u003c/p\u003e\u003cp\u003e[24] Per NIST White Paper,\u0026nbsp;\u003cem\u003eBest Practices for Privileged User PIV Authentication,\u003c/em\u003e\u0026nbsp;April 21, 2016, available at\u0026nbsp;\u003ca href=\"https://csrc.nist.gov/publications/detail/white-paper/2016/04/21/best-practices-for-privileged-user-piv-authentication/final\" target=\"_blank\"\u003ehttps://csrc.nist.gov/publications/detail/white-paper/2016/04/21/best-practices-for-privileged-user-piv-authentication/final\u003c/a\u003e.\u003c/p\u003e"])</script><script>self.__next_f.push([1,"1c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}\n1b:{\"self\":\"$1c\"}\n1f:[\"menu_ui\",\"scheduler\"]\n1e:{\"module\":\"$1f\"}\n22:[]\n21:{\"available_menus\":\"$22\",\"parent\":\"\"}\n23:{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}\n20:{\"menu_ui\":\"$21\",\"scheduler\":\"$23\"}\n1d:{\"langcode\":\"en\",\"status\":true,\"dependencies\":\"$1e\",\"third_party_settings\":\"$20\",\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}\n1a:{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":\"$1b\",\"attributes\":\"$1d\"}\n26:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}\n25:{\"self\":\"$26\"}\n27:{\"display_name\":\"jcallan - retired\"}\n24:{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":\"$25\",\"attributes\":\"$27\"}\n2a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}\n29:{\"self\":\"$2a\"}\n2b:{\"display_name\":\"meg - retired\"}\n28:{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":\"$29\",\"attributes\":\"$2b\"}\n2e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e?resourceVersion=id%3A96\"}\n2d:{\"self\":\"$2e\"}\n30:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n2f:{\"drupal_internal__tid\":96,\"drupal_internal__revision_id\":96,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:12:16+00:00\",\"status\":true,\"name\":\"Policy Documents\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translat"])</script><script>self.__next_f.push([1,"ion_affected\":true,\"path\":\"$30\"}\n34:{\"drupal_internal__target_id\":\"resource_type\"}\n33:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":\"$34\"}\n36:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/vid?resourceVersion=id%3A96\"}\n37:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/relationships/vid?resourceVersion=id%3A96\"}\n35:{\"related\":\"$36\",\"self\":\"$37\"}\n32:{\"data\":\"$33\",\"links\":\"$35\"}\n3a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/revision_user?resourceVersion=id%3A96\"}\n3b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/relationships/revision_user?resourceVersion=id%3A96\"}\n39:{\"related\":\"$3a\",\"self\":\"$3b\"}\n38:{\"data\":null,\"links\":\"$39\"}\n42:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n41:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$42\"}\n40:{\"help\":\"$41\"}\n3f:{\"links\":\"$40\"}\n3e:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":\"$3f\"}\n3d:[\"$3e\"]\n44:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/parent?resourceVersion=id%3A96\"}\n45:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/relationships/parent?resourceVersion=id%3A96\"}\n43:{\"related\":\"$44\",\"self\":\"$45\"}\n3c:{\"data\":\"$3d\",\"links\":\"$43\"}\n31:{\"vid\":\"$32\",\"revision_user\":\"$38\",\"parent\":\"$3c\"}\n2c:{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"links\":\"$2d\",\"attributes\":\"$2f\",\"relationships\":\"$31\"}\n48:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}\n47:{\"self\":\"$48\"}\n4a:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n49:{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"lan"])</script><script>self.__next_f.push([1,"gcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$4a\"}\n4e:{\"drupal_internal__target_id\":\"roles\"}\n4d:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$4e\"}\n50:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"}\n51:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}\n4f:{\"related\":\"$50\",\"self\":\"$51\"}\n4c:{\"data\":\"$4d\",\"links\":\"$4f\"}\n54:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"}\n55:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}\n53:{\"related\":\"$54\",\"self\":\"$55\"}\n52:{\"data\":null,\"links\":\"$53\"}\n5c:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n5b:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$5c\"}\n5a:{\"help\":\"$5b\"}\n59:{\"links\":\"$5a\"}\n58:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$59\"}\n57:[\"$58\"]\n5e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"}\n5f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}\n5d:{\"related\":\"$5e\",\"self\":\"$5f\"}\n56:{\"data\":\"$57\",\"links\":\"$5d\"}\n4b:{\"vid\":\"$4c\",\"revision_user\":\"$52\",\"parent\":\"$56\"}\n46:{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":\"$47\",\"attributes\":\"$49\",\"relationships\":\"$4b\"}\n62:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVers"])</script><script>self.__next_f.push([1,"ion=id%3A81\"}\n61:{\"self\":\"$62\"}\n64:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n63:{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$64\"}\n68:{\"drupal_internal__target_id\":\"roles\"}\n67:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$68\"}\n6a:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"}\n6b:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}\n69:{\"related\":\"$6a\",\"self\":\"$6b\"}\n66:{\"data\":\"$67\",\"links\":\"$69\"}\n6e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"}\n6f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}\n6d:{\"related\":\"$6e\",\"self\":\"$6f\"}\n6c:{\"data\":null,\"links\":\"$6d\"}\n76:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n75:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$76\"}\n74:{\"help\":\"$75\"}\n73:{\"links\":\"$74\"}\n72:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$73\"}\n71:[\"$72\"]\n78:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"}\n79:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}\n77:{\"related\":\"$78\",\"self\":\"$79\"}\n70:{\"data\":\"$71\",\"links\":\"$77\"}\n65:{\"vid\":\"$66\",\"revision_user\":\"$6c\",\"parent\":\"$70\"}\n60:{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":\"$61\",\"attributes\":\"$63\",\"rel"])</script><script>self.__next_f.push([1,"ationships\":\"$65\"}\n7c:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}\n7b:{\"self\":\"$7c\"}\n7e:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n7d:{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$7e\"}\n82:{\"drupal_internal__target_id\":\"roles\"}\n81:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$82\"}\n84:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"}\n85:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}\n83:{\"related\":\"$84\",\"self\":\"$85\"}\n80:{\"data\":\"$81\",\"links\":\"$83\"}\n88:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"}\n89:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}\n87:{\"related\":\"$88\",\"self\":\"$89\"}\n86:{\"data\":null,\"links\":\"$87\"}\n90:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\n8f:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$90\"}\n8e:{\"help\":\"$8f\"}\n8d:{\"links\":\"$8e\"}\n8c:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$8d\"}\n8b:[\"$8c\"]\n92:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"}\n93:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}\n91:{\"related\":\"$92\",\"self\":\"$93\"}\n8a:{\"data\":\"$8b\",\"links\":\"$91\"}\n7f:{\"v"])</script><script>self.__next_f.push([1,"id\":\"$80\",\"revision_user\":\"$86\",\"parent\":\"$8a\"}\n7a:{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":\"$7b\",\"attributes\":\"$7d\",\"relationships\":\"$7f\"}\n96:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}\n95:{\"self\":\"$96\"}\n98:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\n97:{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$98\"}\n9c:{\"drupal_internal__target_id\":\"roles\"}\n9b:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$9c\"}\n9e:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"}\n9f:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}\n9d:{\"related\":\"$9e\",\"self\":\"$9f\"}\n9a:{\"data\":\"$9b\",\"links\":\"$9d\"}\na2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"}\na3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}\na1:{\"related\":\"$a2\",\"self\":\"$a3\"}\na0:{\"data\":null,\"links\":\"$a1\"}\naa:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\na9:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$aa\"}\na8:{\"help\":\"$a9\"}\na7:{\"links\":\"$a8\"}\na6:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$a7\"}\na5:[\"$a6\"]\nac:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"}\nad:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b"])</script><script>self.__next_f.push([1,"0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}\nab:{\"related\":\"$ac\",\"self\":\"$ad\"}\na4:{\"data\":\"$a5\",\"links\":\"$ab\"}\n99:{\"vid\":\"$9a\",\"revision_user\":\"$a0\",\"parent\":\"$a4\"}\n94:{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":\"$95\",\"attributes\":\"$97\",\"relationships\":\"$99\"}\nb0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}\naf:{\"self\":\"$b0\"}\nb2:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\nb1:{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$b2\"}\nb6:{\"drupal_internal__target_id\":\"roles\"}\nb5:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":\"$b6\"}\nb8:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"}\nb9:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}\nb7:{\"related\":\"$b8\",\"self\":\"$b9\"}\nb4:{\"data\":\"$b5\",\"links\":\"$b7\"}\nbc:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"}\nbd:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}\nbb:{\"related\":\"$bc\",\"self\":\"$bd\"}\nba:{\"data\":null,\"links\":\"$bb\"}\nc4:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\nc3:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$c4\"}\nc2:{\"help\":\"$c3\"}\nc1:{\"links\":\"$c2\"}\nc0:{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":\"$c1\"}\nbf:[\"$c0\"]\nc6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-4"])</script><script>self.__next_f.push([1,"8b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"}\nc7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}\nc5:{\"related\":\"$c6\",\"self\":\"$c7\"}\nbe:{\"data\":\"$bf\",\"links\":\"$c5\"}\nb3:{\"vid\":\"$b4\",\"revision_user\":\"$ba\",\"parent\":\"$be\"}\nae:{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":\"$af\",\"attributes\":\"$b1\",\"relationships\":\"$b3\"}\nca:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38?resourceVersion=id%3A21\"}\nc9:{\"self\":\"$ca\"}\ncc:{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}\ncb:{\"drupal_internal__tid\":21,\"drupal_internal__revision_id\":21,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:35+00:00\",\"status\":true,\"name\":\"Federal Policy \u0026 Guidance\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":\"$cc\"}\nd0:{\"drupal_internal__target_id\":\"topics\"}\ncf:{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":\"$d0\"}\nd2:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/vid?resourceVersion=id%3A21\"}\nd3:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/vid?resourceVersion=id%3A21\"}\nd1:{\"related\":\"$d2\",\"self\":\"$d3\"}\nce:{\"data\":\"$cf\",\"links\":\"$d1\"}\nd6:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/revision_user?resourceVersion=id%3A21\"}\nd7:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/revision_user?resourceVersion=id%3A21\"}\nd5:{\"related\":\"$d6\",\"self\":\"$d7\"}\nd4:{\"data\":null,\"links\":\"$d5\"}\nde:{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}\ndd:{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":\"$de\"}\ndc:{\"help\":\"$dd\"}\ndb:{\"links\":\"$dc\"}\nda:"])</script><script>self.__next_f.push([1,"{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":\"$db\"}\nd9:[\"$da\"]\ne0:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/parent?resourceVersion=id%3A21\"}\ne1:{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/parent?resourceVersion=id%3A21\"}\ndf:{\"related\":\"$e0\",\"self\":\"$e1\"}\nd8:{\"data\":\"$d9\",\"links\":\"$df\"}\ncd:{\"vid\":\"$ce\",\"revision_user\":\"$d4\",\"parent\":\"$d8\"}\nc8:{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"links\":\"$c9\",\"attributes\":\"$cb\",\"relationships\":\"$cd\"}\n"])</script><script>self.__next_f.push([1,"5:[\"$\",\"$L17\",null,{\"content\":{\"data\":{\"type\":\"node--library\",\"id\":\"c96c8b0f-cb5f-43a8-a945-0aaaada9e242\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242?resourceVersion=id%3A5776\"}},\"attributes\":{\"drupal_internal__nid\":1145,\"drupal_internal__vid\":5776,\"langcode\":\"en\",\"revision_timestamp\":\"2024-08-05T16:03:58+00:00\",\"status\":true,\"title\":\"HHS Policy for Rules of Behavior for Use of Information \u0026 IT Resources\",\"created\":\"2023-02-09T15:23:43+00:00\",\"changed\":\"2024-08-05T16:03:58+00:00\",\"promote\":false,\"sticky\":false,\"default_langcode\":true,\"revision_translation_affected\":true,\"moderation_state\":\"published\",\"path\":{\"alias\":\"/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources\",\"pid\":997,\"langcode\":\"en\"},\"rh_action\":null,\"rh_redirect\":null,\"rh_redirect_response\":null,\"rh_redirect_fallback_action\":null,\"publish_on\":null,\"unpublish_on\":null,\"body\":{\"value\":\"$18\",\"format\":\"body_text\",\"processed\":\"$19\",\"summary\":\"\"},\"field_contact_email\":\"CISO@cms.hhs.gov\",\"field_contact_name\":\"ISPG Policy Team\",\"field_last_reviewed\":\"2023-02-09\",\"field_related_resources\":[{\"uri\":\"entity:node/601\",\"title\":\"CMS Information Systems Security \u0026 Privacy Policy (IS2P2) \",\"options\":[],\"url\":\"/policy-guidance/cms-information-systems-security-privacy-policy-is2p2\"},{\"uri\":\"entity:node/631\",\"title\":\"CMS Acceptable Risk Safeguards (ARS)\",\"options\":[],\"url\":\"/policy-guidance/cms-acceptable-risk-safeguards-ars\"},{\"uri\":\"entity:node/381\",\"title\":\"National Institute of Standards and Technology (NIST) \",\"options\":[],\"url\":\"/learn/national-institute-standards-and-technology-nist\"}],\"field_short_description\":{\"value\":\"A document from the Department of Health \u0026 Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information\",\"format\":\"plain_text\",\"processed\":\"\u003cp\u003eA document from the Department of Health \u0026amp; Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information\u003c/p\u003e\\n\"}},\"relationships\":{\"node_type\":{\"data\":{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"meta\":{\"drupal_internal__target_id\":\"library\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/node_type?resourceVersion=id%3A5776\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/relationships/node_type?resourceVersion=id%3A5776\"}}},\"revision_uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"meta\":{\"drupal_internal__target_id\":159}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/revision_uid?resourceVersion=id%3A5776\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/relationships/revision_uid?resourceVersion=id%3A5776\"}}},\"uid\":{\"data\":{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"meta\":{\"drupal_internal__target_id\":26}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/uid?resourceVersion=id%3A5776\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/relationships/uid?resourceVersion=id%3A5776\"}}},\"field_resource_type\":{\"data\":{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"meta\":{\"drupal_internal__target_id\":96}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/field_resource_type?resourceVersion=id%3A5776\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/relationships/field_resource_type?resourceVersion=id%3A5776\"}}},\"field_roles\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"meta\":{\"drupal_internal__target_id\":66}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"meta\":{\"drupal_internal__target_id\":81}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"meta\":{\"drupal_internal__target_id\":61}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"meta\":{\"drupal_internal__target_id\":76}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"meta\":{\"drupal_internal__target_id\":71}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/field_roles?resourceVersion=id%3A5776\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/relationships/field_roles?resourceVersion=id%3A5776\"}}},\"field_topics\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"meta\":{\"drupal_internal__target_id\":21}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/field_topics?resourceVersion=id%3A5776\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node/library/c96c8b0f-cb5f-43a8-a945-0aaaada9e242/relationships/field_topics?resourceVersion=id%3A5776\"}}}}},\"included\":[{\"type\":\"node_type--node_type\",\"id\":\"ab4b0312-f678-40b9-ae06-79025f52ff43\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/node_type/node_type/ab4b0312-f678-40b9-ae06-79025f52ff43\"}},\"attributes\":{\"langcode\":\"en\",\"status\":true,\"dependencies\":{\"module\":[\"menu_ui\",\"scheduler\"]},\"third_party_settings\":{\"menu_ui\":{\"available_menus\":[],\"parent\":\"\"},\"scheduler\":{\"expand_fieldset\":\"when_required\",\"fields_display_mode\":\"vertical_tab\",\"publish_enable\":false,\"publish_past_date\":\"error\",\"publish_past_date_created\":false,\"publish_required\":false,\"publish_revision\":false,\"publish_touch\":false,\"show_message_after_update\":true,\"unpublish_enable\":false,\"unpublish_required\":false,\"unpublish_revision\":false}},\"name\":\"Library page\",\"drupal_internal__type\":\"library\",\"description\":\"Use \u003ci\u003eLibrary pages\u003c/i\u003e to publish CMS Security and Privacy Handbooks or other long-form policy and guidance documents.\",\"help\":null,\"new_revision\":true,\"preview_mode\":1,\"display_submitted\":true}},{\"type\":\"user--user\",\"id\":\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/4420e728-6dc2-4022-bf8d-5bd1329e5e64\"}},\"attributes\":{\"display_name\":\"jcallan - retired\"}},{\"type\":\"user--user\",\"id\":\"dca2c49b-4a12-4d5f-859d-a759444160a4\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/user/user/dca2c49b-4a12-4d5f-859d-a759444160a4\"}},\"attributes\":{\"display_name\":\"meg - retired\"}},{\"type\":\"taxonomy_term--resource_type\",\"id\":\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e?resourceVersion=id%3A96\"}},\"attributes\":{\"drupal_internal__tid\":96,\"drupal_internal__revision_id\":96,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:12:16+00:00\",\"status\":true,\"name\":\"Policy Documents\",\"description\":null,\"weight\":4,\"changed\":\"2023-03-10T19:04:03+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"3a0127c4-ee06-41ed-8239-f796f6d78eb3\",\"meta\":{\"drupal_internal__target_id\":\"resource_type\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/vid?resourceVersion=id%3A96\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/relationships/vid?resourceVersion=id%3A96\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/revision_user?resourceVersion=id%3A96\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/relationships/revision_user?resourceVersion=id%3A96\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--resource_type\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/parent?resourceVersion=id%3A96\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/resource_type/b0b05061-d7be-493e-ac18-ee2f1fcd772e/relationships/parent?resourceVersion=id%3A96\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"9d999ae3-b43c-45fb-973e-dffe50c27da5\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5?resourceVersion=id%3A66\"}},\"attributes\":{\"drupal_internal__tid\":66,\"drupal_internal__revision_id\":66,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:26+00:00\",\"status\":true,\"name\":\"Cyber Risk Advisor (CRA)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:26+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/vid?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/vid?resourceVersion=id%3A66\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/revision_user?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/revision_user?resourceVersion=id%3A66\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/parent?resourceVersion=id%3A66\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/9d999ae3-b43c-45fb-973e-dffe50c27da5/relationships/parent?resourceVersion=id%3A66\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26?resourceVersion=id%3A81\"}},\"attributes\":{\"drupal_internal__tid\":81,\"drupal_internal__revision_id\":81,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:09:11+00:00\",\"status\":true,\"name\":\"Data Guardian\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:09:11+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/vid?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/vid?resourceVersion=id%3A81\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/revision_user?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/revision_user?resourceVersion=id%3A81\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/parent?resourceVersion=id%3A81\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/a2b33f6a-8172-4862-9c0e-6e5076b6cf26/relationships/parent?resourceVersion=id%3A81\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab?resourceVersion=id%3A61\"}},\"attributes\":{\"drupal_internal__tid\":61,\"drupal_internal__revision_id\":61,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:12+00:00\",\"status\":true,\"name\":\"Information System Security Officer (ISSO)\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:12+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/vid?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/vid?resourceVersion=id%3A61\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/revision_user?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/revision_user?resourceVersion=id%3A61\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/parent?resourceVersion=id%3A61\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/7a18463d-b0fc-474f-8536-ad7db1b2e5ab/relationships/parent?resourceVersion=id%3A61\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"f591f442-c0b0-4b8e-af66-7998a3329f34\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34?resourceVersion=id%3A76\"}},\"attributes\":{\"drupal_internal__tid\":76,\"drupal_internal__revision_id\":76,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:55+00:00\",\"status\":true,\"name\":\"System / Business Owner\",\"description\":null,\"weight\":0,\"changed\":\"2022-08-02T23:08:55+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/vid?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/vid?resourceVersion=id%3A76\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/revision_user?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/revision_user?resourceVersion=id%3A76\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/parent?resourceVersion=id%3A76\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/f591f442-c0b0-4b8e-af66-7998a3329f34/relationships/parent?resourceVersion=id%3A76\"}}}}},{\"type\":\"taxonomy_term--roles\",\"id\":\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e?resourceVersion=id%3A71\"}},\"attributes\":{\"drupal_internal__tid\":71,\"drupal_internal__revision_id\":71,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:08:42+00:00\",\"status\":true,\"name\":\"System Teams\",\"description\":null,\"weight\":0,\"changed\":\"2024-08-02T21:29:47+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"a89af840-d1f0-4a08-9f15-7b1cb71c3e35\",\"meta\":{\"drupal_internal__target_id\":\"roles\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/vid?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/vid?resourceVersion=id%3A71\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/revision_user?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/revision_user?resourceVersion=id%3A71\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--roles\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/parent?resourceVersion=id%3A71\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/roles/feb4e85d-429e-48b0-92f0-3d2da2c5056e/relationships/parent?resourceVersion=id%3A71\"}}}}},{\"type\":\"taxonomy_term--topics\",\"id\":\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\",\"links\":{\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38?resourceVersion=id%3A21\"}},\"attributes\":{\"drupal_internal__tid\":21,\"drupal_internal__revision_id\":21,\"langcode\":\"en\",\"revision_created\":\"2022-08-02T23:05:35+00:00\",\"status\":true,\"name\":\"Federal Policy \u0026 Guidance\",\"description\":null,\"weight\":3,\"changed\":\"2023-03-10T19:04:22+00:00\",\"default_langcode\":true,\"revision_translation_affected\":true,\"path\":{\"alias\":null,\"pid\":null,\"langcode\":\"en\"}},\"relationships\":{\"vid\":{\"data\":{\"type\":\"taxonomy_vocabulary--taxonomy_vocabulary\",\"id\":\"73f89dec-123f-4c8c-9a97-d025a2b0e5cf\",\"meta\":{\"drupal_internal__target_id\":\"topics\"}},\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/vid?resourceVersion=id%3A21\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/vid?resourceVersion=id%3A21\"}}},\"revision_user\":{\"data\":null,\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/revision_user?resourceVersion=id%3A21\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/revision_user?resourceVersion=id%3A21\"}}},\"parent\":{\"data\":[{\"type\":\"taxonomy_term--topics\",\"id\":\"virtual\",\"meta\":{\"links\":{\"help\":{\"href\":\"https://www.drupal.org/docs/8/modules/json-api/core-concepts#virtual\",\"meta\":{\"about\":\"Usage and meaning of the 'virtual' resource identifier.\"}}}}}],\"links\":{\"related\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/parent?resourceVersion=id%3A21\"},\"self\":{\"href\":\"https://cybergeek.cms.gov/jsonapi/taxonomy_term/topics/b61c7b1f-0882-4fac-bf13-02c68b56fd38/relationships/parent?resourceVersion=id%3A21\"}}}}}],\"includedMap\":{\"ab4b0312-f678-40b9-ae06-79025f52ff43\":\"$1a\",\"4420e728-6dc2-4022-bf8d-5bd1329e5e64\":\"$24\",\"dca2c49b-4a12-4d5f-859d-a759444160a4\":\"$28\",\"b0b05061-d7be-493e-ac18-ee2f1fcd772e\":\"$2c\",\"9d999ae3-b43c-45fb-973e-dffe50c27da5\":\"$46\",\"a2b33f6a-8172-4862-9c0e-6e5076b6cf26\":\"$60\",\"7a18463d-b0fc-474f-8536-ad7db1b2e5ab\":\"$7a\",\"f591f442-c0b0-4b8e-af66-7998a3329f34\":\"$94\",\"feb4e85d-429e-48b0-92f0-3d2da2c5056e\":\"$ae\",\"b61c7b1f-0882-4fac-bf13-02c68b56fd38\":\"$c8\"}}}]\n"])</script><script>self.__next_f.push([1,"a:[[\"$\",\"meta\",\"0\",{\"name\":\"viewport\",\"content\":\"width=device-width, initial-scale=1\"}],[\"$\",\"meta\",\"1\",{\"charSet\":\"utf-8\"}],[\"$\",\"title\",\"2\",{\"children\":\"HHS Policy for Rules of Behavior for Use of Information \u0026 IT Resources | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"3\",{\"name\":\"description\",\"content\":\"A document from the Department of Health \u0026 Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information\"}],[\"$\",\"link\",\"4\",{\"rel\":\"canonical\",\"href\":\"https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources\"}],[\"$\",\"meta\",\"5\",{\"name\":\"google-site-verification\",\"content\":\"GMZIwBDJgz_o_JYUB2GpJazkrs7P85BaWDsoCjxF32M\"}],[\"$\",\"meta\",\"6\",{\"property\":\"og:title\",\"content\":\"HHS Policy for Rules of Behavior for Use of Information \u0026 IT Resources | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"7\",{\"property\":\"og:description\",\"content\":\"A document from the Department of Health \u0026 Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information\"}],[\"$\",\"meta\",\"8\",{\"property\":\"og:url\",\"content\":\"https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources\"}],[\"$\",\"meta\",\"9\",{\"property\":\"og:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"10\",{\"property\":\"og:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"11\",{\"property\":\"og:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"12\",{\"property\":\"og:image\",\"content\":\"https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"meta\",\"13\",{\"property\":\"og:type\",\"content\":\"website\"}],[\"$\",\"meta\",\"14\",{\"name\":\"twitter:card\",\"content\":\"summary_large_image\"}],[\"$\",\"meta\",\"15\",{\"name\":\"twitter:title\",\"content\":\"HHS Policy for Rules of Behavior for Use of Information \u0026 IT Resources | CMS Information Security \u0026 Privacy Group\"}],[\"$\",\"meta\",\"16\",{\"name\":\"twitter:description\",\"content\":\"A document from the Department of Health \u0026 Human Services (HHS) that outlines requirements for individuals that access to HHS and CMS systems and information\"}],[\"$\",\"meta\",\"17\",{\"name\":\"twitter:image:type\",\"content\":\"image/jpeg\"}],[\"$\",\"meta\",\"18\",{\"name\":\"twitter:image:width\",\"content\":\"1200\"}],[\"$\",\"meta\",\"19\",{\"name\":\"twitter:image:height\",\"content\":\"630\"}],[\"$\",\"meta\",\"20\",{\"name\":\"twitter:image\",\"content\":\"https://security.cms.gov/policy-guidance/hhs-policy-rules-behavior-use-information-it-resources/opengraph-image.jpg?a856d5522b751df7\"}],[\"$\",\"link\",\"21\",{\"rel\":\"icon\",\"href\":\"/favicon.ico\",\"type\":\"image/x-icon\",\"sizes\":\"48x48\"}]]\n"])</script><script>self.__next_f.push([1,"4:null\n"])</script></body></html> |