HHS Memo On FISMA and Grants

Secure One HHS

Memorandum

From: Jaren Doherty, Chief Information Security Officer
Sent: October 29, 2007
To: Operating Division (OPDIV) Chief Information Officers (CIOs)
Subject: Applicability of the Federal Information Security Management Act (FISMA) to Department of Health and Human Services (HHS) Grantees
The Federal Information Security Management Act (FISMA) of 2002 (44 U.S.C. 3541 et seq.) was enacted to improve the security of federal information systems and federal information. While FISMA itself does not address its applicability to grantees, the annual FISMA reporting guidance released by the Office of Management and Budget (OMB) does refer to grantees and their responsibility to protect the Federal Government's information. According to the most recent FISMA guidance, OMB Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management:

"FISMA's requirements follow agency information into any system which uses it or processes it on behalf of the agency. That is, when the ultimate responsibility and accountability for control of the information continues to reside with the agency, FISMA applies."

As such, FISMA applies to grantees only when they collect, store, process, transmit or use information on behalf of HHS or any of its component organizations.[1]

In all other cases, FISMA is not applicable to recipients of grants, including recipients of cooperative agreements. The grantee retains the original data and intellectual property and is responsible for the security of that data, subject to all applicable laws protecting security, privacy and research. If and when information collected by a grantee is provided to HHS, responsibility for the protection of the HHS copy of the information transfers to HHS, and it becomes the agency's responsibility to protect that information and any derivative copies as required by
[1] The term "on behalf of" indicates that only those entities that are acting, under agency principles, as agents, where HHS (or a component) is the principal, are covered by FISMA. While the legislative history and reports connected to FISMA provide little guidance on the meaning of "on behalf of," the House Report on one of FISMA's predecessors, the Computer Security Act of 1987, H.R. Rep. 100-153, pt. 1, states that "on behalf of" means that the entity is acting as a "direct extension of the federal government" and "to accomplish a federal government function." This point must be communicated appropriately, especially to study participants. For example, if a patient participates in a medical study, identifying the study as an HHS project (whether or not that is the case) could establish an expectation that the information is being gathered by or on behalf of HHS and will be protected by HHS accordingly. Conversely, a study that identifies the grantee as the conductor of the study would not establish such an expectation.