Skip Navigation

 

Frequent Questions

Font Size Reduce Text SizeEnlarge Text Size     Print Send this page to printer     Download Reader  Download PDF readerHHS Home|HHS News|About HHS

OCIO Home > Policy

OCIO Home

About the OCIO

Policy

Information Collection / Paperwork Reduction Act

Records Management

Printing Management

Mail Management

Enterprise Architecture

Enterprise Performance Life Cycle

Capital Planning & Budget

IT Contracting & Purchasing

Enterprise Solutions

IT Security & Privacy

E-Government & President's Management Agenda

Plans & Reports

OCIO Site Map

HHS-OCIO Standard for the Segregation of Development/Test Environments from Production

HHS Standard 2008-0003.002S

August 7, 2008

 

The following is effective immediately.

1. All test and development systems [1] shall, at a minimum, be physically or logically segregated from production systems, for example, by using a firewall or router with an access control list (ACL).

    Informative: It is preferable that all testing be conducted in a test or a development environment. However, the Department understands that there may be instances where a system, for example a system with a mixed life cycle, must undergo additional testing once in production. Testing in a production environment does not reclassify a system as a test or development system. This standard does not seek to prohibit required testing in a production environment.

2. HHS data that is categorized as Moderate or High according to the National Institute of Standards and Technology (NIST) Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems, shall not reside in or transmit through test or development systems unless the test/development system(s) employ security controls equivalent to that of the production system. System owners shall obtain written authorization in the form of an HHS Department Information Security Policy/Standard Waiver if compliance with this standard is not feasible or technically possible, or if deviation from this standard is necessary to support a mission or business function. Please refer to the waiver form for additional details.[2]



APPROVED BY & EFFECTIVE ON:

                                      /s/                                                 August 7, 2008
Michael W. Carleton                                                                Date
HHS Chief Information Officer



[1] Test and development systems are those systems that have not reached Phase 4 (Operation or Maintenance) of the System Development Life Cycle, as described in Table 2-1 of NIST SP 800-30, Risk Management Guide for Information Technology Systems.

[2]The HHS Departmental Information Security Policy/Standard Waiver form and process is available at http://intranet.hhs.gov/infosec/policies_memos.html.
horizontal line

Frequent Questions | Contacting HHS | Accessibility | Privacy Policy | FOIA (Freedom of Information Act) | Disclaimers | Helping America's Youth

U.S. Department of Health & Human Services · 200 Independence Avenue, S.W. · Washington, D.C. 20201