1. HHS Memo On FISMA and Grants Secure One HHS
From: Jaren Doherty - Chief Information Security Officer
Sent: October 29, 2007
To: Operating Division (OPDIV) Chief Information Officers (CIO)
Subject: Applicability of the Federal Information Security Management Act (FISMA) to Department of Health and Human Services (HHS) Grantees
The Federal Information Security Management Act (FISMA) of 2002 (44 U.S.C. 3541 et seq.) was implemented in order to improve the security of federal information systems and federal information. While FISMA does not address applicability to grantees, annual FISMA reporting guidance released by the Office of Management and Budget (OMB) includes references to grantees and their responsibilities to protect the Federal Government's information. According to the most recent FISMA guidance, OMB Memorandum M-07-19, FY 2007 Reporting Instructions for the Federal Information Security Management Act and Agency Privacy Management -
FISMA's requirements follow agency information into any system which uses it or processes it on behalf of the agency. That is, when the ultimate responsibility and accountability for control of the information continues to reside with the agency, FISMA applies.
As such, FISMA applies to grantees only when they collect, store, process, transmit or use information on behalf of HHS or any of its component organizations.1
In all other cases, FISMA is not applicable to recipients of grants, including cooperative agreements with grantees. The grantee retains the original data and intellectual property, and is responsible for the security of this data, subject to all applicable laws protecting security, privacy and research. If and when information collected by a grantee is provided to HHS, responsibility for the protection of the HHS copy of the information is transferred to HHS and it becomes the agency's responsibility to protect that information and any derivative copies as required by FISMA.
1 The term "on behalf of" indicates that only those entities that are acting, under agency principles, as agents, where HHS (or a component) is the principal, are covered by FISMA. While the legislative history and reports connected to FISMA provide little guidance on the meaning of "on behalf of," the House Report on one of FISMA's predecessors, the Computer Security Act of 1987, H.R. Rep. 100-153, pt. 1, states that "on behalf of" means that the entity is acting as a "direct extension of the federal government" and "to accomplish a federal government function". This point must be appropriately communicated, especially to study participants. For example, if a patient participates in a medical study, identification of the study as an HHS project (whether it is the case or not) could establish an expectation that the information is being gathered by or on behalf of HHS and will be adequately protected by HHS. Conversely, a study which identifies the grantee as the conductor of the study would not establish such an expectation.