Security v1.0

Introduction

To build and maintain a resilient CCWIS in the face of cyberattacks and other data security threats, title IV-E agencies (agencies) need to implement a holistic information-security and risk-management approach that includes significant security controls to strengthen the technology system and the operating environment. Agencies need to manage and mitigate information security risk at the organizational and information systems level.

This self-assessment tool assists agencies with meeting security standards and goals when designing and developing CCWIS modules and systems.

Tool Format

This self-assessment tool is divided into sections as outlined on the chart below. Every question has a unique Element # for easy reference. Please refer to the instructions in Technical Bulletin #7 or contact your federal analyst if you have questions about the tool or a specific element.

In the Overview and Background Information section, agencies may collect information on the overall CCWIS (or collection of modules if appropriate) and its security environment. If a question is not applicable to the system or module you are evaluating, indicate “N/A” and provide a reason it is not applicable.

L.A.01 Date this assessment was completed.

L.A.02 Name of the CCWIS or module(s) included in this self-assessment.

L.A.03 Describe or attach documentation that details where the system code and data are hosted (such as on-premise, cloud, etc.). Documentation may include system boundary diagrams; inventories of hardware and software components used to transmit, process, or store CCWIS information; and policies and procedures that demonstrate approaches to physical and virtual security. Indicate the date(s) when the agency last updated the documentation.

L.A.04 Describe or attach documentation that details dedicated exchanges and data sharing between this CCWIS and other information systems, both within the agency and external to the agency, including ports, protocols, services utilized, and data shared. Artifacts may include documentation such as a network and data-flow diagram, system interconnection security agreements, and intra/inter-agency data sharing agreements.

L.A.05 Provide any additional comments as background regarding the security of your system or module.

In this section, the agency may document components, factors, and design elements of the functions(s) or exchanges that support the security goals of the CCWIS. If the agency has additional goals, please include them below and add new rows as needed. We encourage agencies to simplify their responses by referencing previously submitted documentation, such as APDs or attaching security plans, policies, and protocols.

If a goal is not applicable, indicate “N/A” and provide a reason.

Part 1 – Identification

Assess whether the agency has the organizational understanding to manage cybersecurity risk to the CCWIS and related assets and data.

Part 2 – Protection

Assess whether the agency has developed and implemented the appropriate safeguards to protect the integrity of the CCWIS and the data contained within from external and internal threats.

Part 3 – Monitoring and Detection

Assess whether the agency has developed and implemented the appropriate safeguards to identify the occurrence of a cybersecurity event associated with the CCWIS.

Part 4 – Response

Assess whether the agency has developed and implemented the appropriate procedures to take when a cybersecurity event associated with the CCWIS has been detected.

Part 5 – Recovery

Assess whether the agency has developed and implemented the appropriate activities to maintain plans for continuity of operations and to restore any system capabilities or services impaired due to a cybersecurity event or other interruption.

The Resources section describes security techniques and best practices agencies may wish to consider when creating and maintaining a secure CCWIS environment. Links provided are current at the time of publication. If a link is no longer valid, please communicate this to ACF.

Resource 1 – Risk Management

Resource 2 – Cybersecurity

Resource 3 – Encryption

Resource 4 – Password Management

Resource 5 – Multi-Factor Authentication (MFA)

Resource 6 – Defending Against Ransomware

Resource 7 – Phishing Awareness

Resource 8 – Data Breaches: Detection and Response

Resource 1 – Risk Management

Agencies may use the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF) to manage security and privacy risks. The RMF provides a dynamic and flexible approach to managing risk in diverse environments with complex and sophisticated threats, evolving missions and business functions, and changing system and organizational vulnerabilities.

• NIST SP 800-37 Rev. 2: Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy
  https://csrc.nist.gov/publications/detail/sp/800-37/rev-2/final
  This publication describes the RMF and provides guidelines for managing security and privacy risks and applying the RMF to information systems and organizations.

Resource 2 – Cybersecurity

State, Local, Tribal, and Territorial (SLTT) Resources

DHS offers a broad set of cybersecurity resources to SLTT governments.

• DHS Cybersecurity Services Catalog for SLTT Governments
  https://www.us-cert.gov/sites/default/files/c3vp/sltt/SLTT_Hands_On_Support.pdf
  This catalog lists and describes cybersecurity services available to the SLTT community. All services featured in the catalog are voluntary, non-binding, no cost, and available to stakeholders upon request.

• Assessments: Cyber Resilience Review (CRR)
  https://www.us-cert.gov/resources/assessments
  The Cyber Resilience Review (CRR) is provided on a voluntary, no-cost basis for SLTT governments. The CRR offers insights into an organization’s operational resilience and cybersecurity capabilities and can be conducted as a self-assessment or as an on-site session facilitated by DHS cybersecurity professionals.

Federal Risk and Authorization Management Program (FedRAMP)

The FedRAMP program provides U.S. government agencies with a standardized approach to security for cloud products and services. Agencies can benefit from this federal program by choosing a FedRAMP-compliant cloud-solution provider (CSP), which can save time and effort while improving security.

• FedRAMP Marketplace
  https://marketplace.fedramp.gov/
  The FedRAMP Marketplace website lists all products and all vendors that hold a FedRAMP designation.

Resource 3 – Encryption

Encrypting information for transmission or storage protects the information from unauthorized disclosure and modification. Agencies should encrypt sensitive information both in transit and at rest. Cryptographic mechanisms implemented to protect information integrity include cryptographic hash functions, checksums, and message authentication codes.

• NIST Special Publication 800-175B, Rev 1: Guideline for Using Cryptographic Standards in the Federal Government: Cryptographic Mechanisms
  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-175Br1.pdf
  This NIST publication details federal encryption standards and guidelines, cryptographic algorithms and services, and key management standards. Agencies can implement recommendations to ensure that their encryption mechanisms follow best practices.

• NIST Special Publication 800-52, Rev 2: Guidelines for the Selection, Configuration, and Use of Transport Layer Security (TLS) Implementations
  https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-52r2.pdf
  Transport Layer Security (TLS) provides mechanisms to protect data during electronic dissemination across the internet. This document guides the selection and configuration of TLS protocol implementations while effectively using Federal Information Processing Standards (FIPS) and NIST-recommended cryptographic algorithms.

Resource 4 – Password Management

Traditional password management guidelines have been shown to cause problems and NIST guidelines include recommendations that differ from previous advice. For example, instead of enforcing strict password composition requirements, NIST now recommends screening passwords against lists of commonly used or compromised passwords because users employ predictable methods for satisfying composition rules, which limits their benefit. NIST also recommends against forcing users to change passwords periodically because users often choose a new password by applying a set of common transformations to their old password, and this provides a false sense of security.

• NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management
  https://pages.nist.gov/800-63-3/sp800-63b.html
  This publication includes a comprehensive list of best practices for password management, and the supplemental FAQ addresses many common questions.

• List of passwords previously exposed in data breaches
  https://haveibeenpwned.com/Passwords
  This website maintains a list of more than 600 million real-world passwords previously exposed in data breaches. The list is freely available for download and can also be searched using the provided k-anonymity API.

Resource 5 – Multifactor Authentication (MFA)

Using multifactor authentication enhances security by making it more difficult for attackers to gain access even if they correctly guess an account password. MFA provides a strong defense against many types of attacks, including phishing, malware, and brute force attacks.

MFA requires the use of more than one distinct authentication factor to achieve authentication, and the factors fall into three categories: something you know (such as a password or PIN), something you have (such as a smart card or hardware token), or something you are (such as a fingerprint).

• Selecting and Safely Using Multifactor Authentication Services
  https://media.defense.gov/2020/Sep/22/2002502665/-1/-1/0/CSI_MULTIFACTOR_AUTHENTICATION_SOLUTIONS_UOO17091520.PDF

This whitepaper identifies criteria for government agencies to consider when researching MFA services.

• NIST SP 800-63B: Digital Identity Guidelines: Authentication and Lifecycle Management
  https://pages.nist.gov/800-63-3/sp800-63b.html
  This publication provides a comprehensive list of authenticators, including detailed descriptions and information about their strengths and usability considerations.

Resource 6 – Defending Against Ransomware

Ransomware and other destructive malware can alter or destroy critical data, rendering it unusable and causing the complete shutdown of business operations. Ransomware incidents increased sharply in 2019, disrupting hundreds of government agencies, educational institutions, and healthcare providers. Defending against these increasingly sophisticated attacks requires preparation before an incident occurs to help mitigate their impact.

• NIST SP 1800-25: Data Integrity: Identifying and Protecting Assets Against Ransomware and Other Destructive Events
  https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/identify-protect
  These draft guidelines include a "how to" guide to implement best practices to identify assets and vulnerabilities and have defenses in place to reduce the impact of destructive attacks.

• NIST SP 1800-26: Data Integrity: Detecting and Responding to Ransomware and Other Destructive Events
  https://www.nccoe.nist.gov/projects/building-blocks/data-integrity/detect-respond
  These draft guidelines include a "how to" guide to implement best practices to quickly detect and mitigate data corruption incidents and reduce their potential impact.

Resource 7 – Phishing Awareness

Phishing refers to a type of social engineering attack that uses deceptive emails to trick people into revealing sensitive information, such as account credentials, leading to malware installation and data loss. Raising user awareness is vital in defending against phishing attacks, and simulated phishing emails based on real-world threats provide a key method to train users to know what to look for and how to report it.

• No Phishing beyond This Point
  https://www.ncbi.nlm.nih.gov/pmc/articles/PMC6605070/
  This paper describes guidelines for implementing simulated phishing based on four years of data gathered by a NIST research team in a real-world work environment, which revealed that the more the context of the email seems relevant to a person’s life or job responsibilities, the harder it is for them to recognize it as a phishing attack.

Resource 8 – Data Breaches: Detection and Response

States, tribes, and local agencies are responsible for the security of information within child welfare information systems and should proactively mitigate risks associated with the inadvertent loss or unapproved disclosure of confidential information. As title IV-E child welfare information systems mature and government agencies continue to face significant security threats, the need to review and implement comprehensive data security programs is paramount. Agencies are encouraged to formalize data breach response plans to continually monitor and assess protocols, confidentiality requirements, system vulnerabilities, and risk mitigation strategies.

• ACYF-CB-IM-15-04: State and Tribal Child Welfare Information Systems, Information Security Data Breach Response Plans

https://www.acf.hhs.gov/cb/resource/im1504

Key management practices title IV-E agencies may consider when developing plans to detect or respond to data breaches.