PROGRAM MANAGEMENT

| # | Key Outputs | FY 2004 Actual | FY 2005 Actual | FY 2006 Target | FY 2006 Actual | FY 2007 Target | FY 2007 Actual | FY 2008 Target | FY 2009 Target |
| --- | --- | --- | --- | --- | --- | --- | --- | --- | --- |
| | Long-Term Objective: Strategically manage information technology to support programs. | | | | | | | | |
| 35.VII.B.1. | Information Technology Management: Ensure Critical Infrastructure Protection. A. Perimeter Protection | Implemented encrypted incident response reporting and updated security alert/event tracking software. | Implemented an updated security program plan that incorporated a comprehensive suite of security services and included improved incident response, security monitoring and risk management capabilities. | Complete the redesign of the security monitoring/network auditing/incident detection capability to ensure compatibility to the modified IT infrastructure | Monitoring/auditing was redesigned to incorporate an additional monitoring and incident detection tool (Securify) which complies with HHS EA needs. In addition, there is now 24/7 monitoring supported by an agreement with the NIH. | Implement a self-defending network strategy that includes Internet filtering, redundant firewalls, intrusion prevention and detection devices, and Virtual Private Network (VPN) devices. | Improved overall security posture and compliance levels through implementation of customized and streamlined policies on various IPS/IDS devices and installation of ISS Proventia Enterprise Vulnerability Scanner, ISS Real Secure Server Sensors, and Arcsight for event correlation. | Extend security monitoring/network auditing/incident detection capabilities to include dedicated monitors on individual, high-risk servers and devices. | Operate a cyber protection and incident handling center to conduct real-time assessment of current network vulnerabilities and remediation of network perimeters. |
| 35.VII.B.1. | B. Risk Assessment | Performed annual self-assessments and re-certified ten (10) mission critical/essential systems. | Performed annual self-assessments, privacy impact assessments, security reviews, and ensured security plans were in place for all nine (9) mission critical/essential systems (one system removed from list). | Complete Certification and Accreditation (C&A) for two (2) new HRSA systems and complete annual re-certification efforts on ten (10) HRSA mission critical/essential systems. | Completed 100% of planned C&A activities for FY2006, including the testing of contingency plans and system testing and evaluation (ST&E) for all HRSA FISMA systems. | Complete recertification for four (4) major applications and general support systems, perform annual security reviews for three (3) HRSA major applications, and determine security requirements for 100% of all new IT investments. | Completed four (4) full Certification and Accreditations and performed annual security reviews on fourteen (14) other HRSA systems. | Complete annual security reviews for ten (10) HRSA major applications, and determine security requirements for 100% of all new IT investments | Complete Certification and Accreditation for twenty (20) HRSA systems. |
| 35.VII.B.1. | C. Security Awareness Training | Developed and implemented new awareness training module and trained 84% of HRSA staff. | Developed and implemented updated awareness module and trained 96% of HRSA staff. Based on existing requirements, 100% of staff assigned specific security duties were trained and a new awareness and training program plan was developed to address newly defined requirements. | Develop and deploy a training module for Information System Security Officers (ISSOs) and successfully complete annual security awareness training for 95% of HRSA staff. | 100% of HRSA staff completed the web-based Security Awareness training module; 100% of FISMA system ISSO’s completed HRSA training. | Full participation in Security Awareness Training by 100% of HRSA Staff, specialized security training for 100% of HRSA staff identified to have significant security responsibilities, and participation of Executive Awareness Training by 100% of HRSA executive staff. | 100% completion rate for HRSA Executives and those staff identified to have significant security responsibilities. 99.9% completion rate for Security Awareness training of HRSA staff. | Full participation in Security Awareness Training by 100% of HRSA Staff, specialized security training for 100% of HRSA staff identified to have significant security responsibilities, and participation of Executive Awareness Training by 100% of HRSA executive staff. | Full participation in Security Awareness Training by 100% of HRSA Staff, specialized security training for 100% of HRSA staff identified to have significant security responsibilities, and participation of Executive Awareness Training by 100% of HRSA executive staff. |
| | Long-Term Objective: Foster and lead a high-quality, well-trained workforce. | | | | | | | | |
| 35.VII.A.1. | Strategic Management of Human Capital Initiative: As part of a management review; HRSA will implement a Delayering Management and Streamlining Organizational Plan. | Broad-ranging organizational package published in Federal Register. | Developed proposal to consolidate health information technology activities. | Continue with implementation of streamlining efforts. | Established Office of Health Information Technology (12//05). | Continue with implementation of streamlining efforts. | Established the Bureau of Clinician Recruitment and Service. | Continue with implementation of streamlining efforts | Continue with implementation of streamlining efforts |
| 35.VII.A.2. | Strategic Management of Human Capital Initiative: Implement the HRSA Scholars Program | 41 scholars | 18 | 50 | 51 | 55 | 62 | NA | NA |
| | Appropriated Amounts ($ Millions) | $148.5 | $147.1 | | $144.4 | | $146.3 | $141.1 | $141.1 |

INTRODUCTION
These performance measures link to HRSA’s Strategic
Plan goal to achieve excellence in management and
to the specific objectives to strategically manage
information technology to support programs, and foster
and lead a high-quality, well-trained workforce.
DISCUSSION OF TARGETS AND RESULTS
35.VII.B.1. Information Technology Management:
Ensure Critical Infrastructure Protection.
HRSA continues to administer a diligent Critical
Infrastructure Protection (CIP) program that includes,
among other efforts, a strong emphasis on perimeter
protection, incident response, risk assessment, and
security awareness training. Legislation such as
the Federal Information Security Management Act (FISMA)
imposes significant computer security requirements
including periodic assessments of security risks to
information systems and data supporting its critical
operations.
HRSA will monitor the performance of the CIP and
Information Systems Security Program through the following
measures:
A. Perimeter Protection: HRSA will protect
the perimeter and network boundaries by implementing
the appropriate network intrusion infrastructure to
detect and mitigate improper network violations.
In FY 06, monitoring/auditing was redesigned to incorporate
an additional monitoring and incident detection tool
(Securify) which complies with HHS EA needs. In addition,
there is now 24/7 monitoring supported by an agreement
with the NIH. In FY 07, HRSA improved overall security
posture and compliance levels through implementation
of customized and streamlined policies on various
IPS/IDS devices and installation of ISS Proventia
Enterprise Vulnerability Scanner, ISS Real Secure
Server Sensors, and Arcsight for event correlation.
FY 09 Goal: HRSA will implement and operate a cyber
protection and incident handling center to conduct
real-time assessment of current network vulnerabilities
and remediation of network perimeters.
B. Risk Assessment:
As defined by OMB Circular A-130 and integral to the
IT security program, HRSA will broaden risk assessment
efforts for Agency information systems and networks.
During FY 06, HRSA completed annual self-assessments,
privacy impact assessments, security reviews, and
security plans for all Agency FISMA mission critical/essential
systems. During FY 07, HRSA completed four (4) full Certification
and Accreditations and performed annual security reviews
on fourteen (14) other HRSA systems. FY 09 Goal:
complete Certification and Accreditation (C&A)
for twenty (20) HRSA systems.
C. Security Awareness
Training: In addition to security education and
outreach efforts, HRSA will expand the security awareness
training program for Agency employees, and other program
staff with unique information security responsibilities.
In FY 07, HRSA successfully reported a 100% completion
rate for HRSA Executives and those staff identified
to have significant security responsibilities and
a 99.9% completion rate for Security Awareness training
of HRSA staff. FY 09 Goal: HRSA will have full
participation in Security Awareness Training by 100%
of HRSA Staff, specialized security training for 100%
of HRSA staff identified to have significant security
responsibilities, and participation of Executive Awareness
Training by 100% of HRSA executive staff.
35.VII.A.1. Strategic Management of Human
Capital Initiative: As part of a management review,
HRSA will implement a Delayering Management and Streamlining
Organizational Plan.
HRSA continues to focus its efforts to consolidate
and re-deploy staff to more effectively support the
President’s Management Agenda and accomplish the mission
and goals of the Department and HRSA. By the end
of December 2001, HRSA had accomplished the following:
1) Created a Citizen-Centered Agency; 2) Realigned
Health Professions Programs into one Bureau and created
a mission centered Primary Care Bureau; 3) Streamlined
the Office of the Administrator; 4) Consolidated Information
Technology (IT) functions; and 5) Consolidated Legislative
and Public Affairs staff within HRSA, with appropriate
reporting relationships to OS.
During FY 02 and FY 03, HRSA accomplished the following
restructuring efforts:
1) Completed the restructuring of its financial
management functions. These functions were formerly
performed by the Office of Management and Program
Support and HRSA’s four Bureaus. They have all been
consolidated; and
2) Completed a reorganization plan
that was announced in the Federal Register on January
7, 2003, which restructured the grants function within
HRSA.
During FY 04, a substantial Agency restructuring
package was published in the Federal Register on September
21, 2004. This eliminated a variety of levels, created
an Office of Federal Assistance Management which consolidated
the grants activity within HRSA, and realigned administrative
and financial management activities in the Office
of Administration and Financial Management. During
FY 06, HRSA created an Office of Health Information
Technology, which was formally established with a
Federal Register notice. During FY 07, HRSA consolidated
a variety of Health Professions loan repayment and
obligated scholarship programs into a Bureau of Clinician
Recruitment and Services. (April 18, 2007 Federal
Register)
35.VII.A.2. Strategic Management of Human Capital
Initiative: Implement the HRSA Scholars Program.
To assist in accomplishing the President’s Strategic
Management of Human Capital Initiative, HRSA has developed
the HRSA Scholars Program. This program will increase
career development opportunities and develop a new
approach to hiring staff: experienced professionals
and young graduates. It has components for workforce
planning, outreach and recruitment, hiring, recruiting
incentives, training, developing and mentoring, and
evaluation. This approach focuses on bringing in
honor students at the GS-5, 7 and 9 levels.
During FY 01, the HRSA Scholars Program was developed
and implemented. Forty-eight Scholars were hired.
In FY 02 and FY 03 the numbers of scholars were 53
and 43, respectively.
For FY 04, 41 HRSA Scholars were brought on board.
In FY 05, an additional 18 scholars were brought on
board. This initiative was originally a five-year
initiative (FY 01- FY 05), but an additional class
was added. The FY 06 target was set at a level of
50 Scholars. Fifty-one (51) scholars were brought
on board in FY 06. In FY 07, 62 scholars were added,
exceeding the target of 55. There is no target for
FY 09.
The HRSA Scholars Program served as a model for
the HHS Emerging Leaders Program. Additionally, HRSA
is a full participant in the HHS Emerging Leaders
Program. Of the first class of 65, HRSA took 5 positions.
This represents about 7.7% of the total HHS class,
although HRSA represents only 3.2% of the HHS workforce.