Skip Navigation

 

Frequent Questions

Font Size Reduce Text SizeEnlarge Text Size     Print Send this page to printer     Download Reader  Download PDF readerHHS Home|HHS News|About HHS

OCIO Home > Policy

OCIO Home

About the OCIO

Policy

Information Collection / Paperwork Reduction Act

Records Management

Printing Management

Mail Management

Enterprise Architecture

Enterprise Performance Life Cycle

Capital Planning & Budget

IT Contracting & Purchasing

Enterprise Solutions

IT Security & Privacy

E-Government & President's Management Agenda

Plans & Reports

OCIO Site Map

HHS-OCIO-2008-0004.001S Standard Security Configurations Language in HHS Contracts

HHS Standard 2008-0004.001S

September 11, 2008


To implement Federal Acquisition Regulation (FAR) 39.101(d), Common Security Configurations, and Department of Health and Human Services (HHS) information security requirements, the following standard language shall be incorporated in solicitations and new contracts for the operation or acquisition of information technology systems. An approved HHS Department Information Security Policy/Standard Waiver [1] is required to deviate from the technical standard set forth below. This standard is effective immediately.

1. The Contractor shall ensure new systems are configured with the applicable Federal Desktop Core Configuration (FDCC) (http://nvd.nist.gov/fdcc/download_fdcc.cfm) and applicable configurations from http://checklists.nist.gov, as jointly identified by the Operating Division (OPDIV)/Staff Division (STAFFDIV) Contracting Officer’s Technical Representative (COTR) and the Chief Information Security Officer (CISO).

2. The Contractor shall ensure hardware and software installation, operation, maintenance, update, and/or patching will not alter the configuration settings specified in: (a) the FDCC (http://nvd.nist.gov/fdcc/index.cfm) [2]; and (b) other applicable configuration checklists as referenced above.

3. The Contractor shall ensure applications are fully functional and operate correctly on systems configured in accordance with the above configuration requirements.

4. The Contractor shall ensure applications designed for end users run in the standard user context without requiring elevated administrative privileges.

5. Federal Information Processing Standard 201 (FIPS-201)-compliant, Homeland Security Presidential Directive 12 (HSPD-12) card readers shall: (a) be included with the purchase of servers, desktops, and laptops; and (b) comply with FAR Subpart 4.13, Personal Identity Verification.

6. The Contractor shall ensure that all of its subcontractors (at all tiers) comply with the above requirements.

APPROVED BY & EFFECTIVE ON:


             /s/                                                                               September 11, 2008
Michael W. Carleton                                                                    Date
HHS Chief Information Officer and
Deputy Assistant Secretary for Information Technology

 

             /s/                                                                                September 11, 2008
Martin J. Brown                                                                          Date
HHS Senior Procurement Executive and
Deputy Assistant Secretary for Acquisition Management and Policy


[1] The HHS Departmental Information Security Policy/Standard Waiver form and process is available at http://intranet.hhs.gov/infosec/policies_memos.html.

[2] The Department has developed an HHS version of FDCC (henceforth HHS FDCC) for Windows XP™ and Vista™ to accommodate business and operational needs in the HHS environment. These settings are available at http://intranet.hhs.gov/infosec/guidance.html. When there is a compelling business or operational need to deviate from the FDCC, Operating Divisions (OPDIVs) and Staff Divisions (STAFFDIVs) may use the HHS FDCC settings instead of the Government-wide FDCC settings.
horizontal line

Frequent Questions | Contacting HHS | Accessibility | Privacy Policy | FOIA (Freedom of Information Act) | Disclaimers | Helping America's Youth

U.S. Department of Health & Human Services · 200 Independence Avenue, S.W. · Washington, D.C. 20201