Public Health Information Network (PHIN)

Requirements and Certification Criteria

PHIN Requirement #5 and Certification Criteria

PHIN Requirement:
PHIN REQUIREMENTS: FUNCTIONS OF ELECTRONIC INFORMATION SYSTEMS


CDC requires that each state or local health department—or its agent—
5. ensure that its electronic information systems that support PHIN requirements are secure, have the appropriate level of availability, and that the information they contain is accessed or used only by authorized users for authorized purposes.

5.1. have an Internet connection available to support data exchange and PHIN interoperability initiatives.

5.2. implement administrative and physical safeguards that conform to current standards to prevent unauthorized access to, and use of, its information systems.

5.3. identify persons and other electronic information systems authorized to access its electronic information systems.

5.4. provide system access to authorized senders that conforms to current standards for securely exchanging messages and data.

5.5. maintain a record of all persons and electronic devices that access its electronic information systems and the actions taken during such access.

Certification Criteria:
Availability of information systems
5.1 Is an Internet connection available for components of the information system(s) that require Internet access?

5.2 Do the components of the information system(s) that support the PHIN requirements have the appropriate level of availability?
Security of information and information systems

5.3 Are the electronic information systems that support PHIN requirements secure, and have the appropriate auditing and safeguards to prevent unauthorized access and use?
[Access Control]

5.3.1 Does the organization (i) manage information system accounts, including establishing, activating, modifying, reviewing, disabling, and removing accounts, (ii) review information system accounts at an organization-defined frequency, and (iii) perform risk analysis of access controls? [Source: NIST 800-53 AC-2, RA-3]

5.3.2 Does the organization employ access control policies (e.g., identity-based policies, role-based policies, rule-based policies) and associated access enforcement mechanisms (e.g., access control lists, access control matrices, cryptography) to control access between users (or processes acting on behalf of users) and objects (e.g., devices, files, records, processes, programs, domains) in the information system? [Source: NIST 800-53 AC-3]

5.3.3 Does the information system enforce the most restrictive set of rights/privileges or accesses needed by users (or processes acting on behalf of users) for the performance of specified tasks? [Source: NIST 800-53 AC-6]

5.3.4 Does the information system enforce a limit to the number of consecutive invalid access attempts by a user (or processes acting on behalf of the user) during a defined time period? [Source: NIST 800-53 AC-7]

5.3.5 Does the information system display an approved system use notification message, warning of unauthorized use and giving the appropriate privacy and security notices, before granting system access? [Source: NIST 800-53 AC-8]

5.3.6 Does the organization authorize, document, monitor, and control all methods of access to the information system, including remote and system-to-system access? [Source: NIST 800-53 AC-4, AC-17, CA-3]

[Awareness and Training]

5.3.7 Does the organization provide basic security awareness training to all information system users (including managers and senior executives) before authorizing access to the system, when required by system changes, and at an organization-defined frequency (at least annually) thereafter? [Source: NIST 800-53 AT-2]

[Audit and Accountability]

5.3.8 Does the organization define and periodically review and update the list of auditable events and generate audit records for those events? [Source: NIST 800-53 AU-2]

5.3.9 Does the information system capture sufficient information, including time stamps, in audit records to establish what events occurred, the sources of the events, and the outcomes of the events? [Source: NIST 800-53 AU-3, AU-8]

5.3.10 Does the organization regularly review and analyze audit records for indications of inappropriate or unusual activity, investigate suspicious activity or suspected violations, report findings to appropriate officials, and take necessary actions? [Source: NIST 800-53 AU-6]

5.3.11 Are automated mechanisms employed to immediately alert security personnel of inappropriate or unusual activities? [Source: NIST 800-53 AU-6]

5.3.12 Does the information system protect audit information and audit tools from unauthorized access, modification, and deletion? [Source: NIST 800-53 AU-9]

5.3.13 Does the organization retain audit logs for a defined period of time to provide support for after-the-fact investigations of security incidents and to meet regulatory and organizational information retention requirements? [Source: NIST 800-53 AC-11]

[Certification, Accreditation, and Security Assessments]

5.3.14 Does the organization conduct an assessment of the security controls in the information system at least annually, to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system? [Source: NIST 800-53 CA-2]

5.3.15 Does the organization develop and update a plan of actions and milestones for the information system that documents the organization’s planned, implemented, and evaluated remedial actions to correct any deficiencies noted during the assessment of the security controls and to reduce or eliminate known vulnerabilities in the system? [Source: NIST 800-53 CA-5]

5.3.16 Does the organization monitor the security controls in the information system on an ongoing basis? [Source: NIST 800-53 CA-7]

[Configuration Management]

5.3.17 Does the organization develop, document, and maintain a current, baseline configuration of the information system and an inventory of the system’s constituent components? [Source: NIST 800-53 CM-2]

5.3.18 Does the organization manage and monitor changes to the information system and conduct security impact analyses to determine the effects of the changes? [Source: NIST 800-53 CM-4]

5.3.19 Does the organization configure the security settings of information technology products to the most restrictive mode consistent with information system operational requirements? [Source: NIST 800-53 CM-6]

5.3.20 Does the organization configure the information system to provide only essential capabilities and specifically prohibit and/or restrict the use of unnecessary or insecure functions, ports, protocols and/or services? [Source: NIST 800-53 CM-7]

5.3.21 Does the organization develop, document, and maintain a current inventory of the components of the information system and relevant ownership information? [Source: NIST 800-53 CM-8]

[Contingency Planning]

5.3.22 Does the organization develop and implement a contingency plan for the information system addressing contingency roles, responsibilities, assigned individuals with contact information, and activities associated with restoring the system after a disruption or failure? [Source: NIST 800-53 CP-2]

5.3.23 Do designated officials within the organization review and approve the contingency plan and distribute copies of the plan to key contingency personnel? [Source: NIST 800-53 CP-2]

5.3.24 Does the organization test the contingency plan for the information system at least annually to determine the plan’s effectiveness and the organization’s readiness to execute the plan? [Source: NIST 800-53 CP-4]

5.3.25 Do appropriate officials within the organization review the contingency plan test results and initiate corrective actions? [Source: NIST 800-53 CP-4]

5.3.26 Does the organization review the contingency plan for the information system at least annually and revise the plan to address system/organizational changes or problems encountered during plan implementation, execution, or testing? [Source: NIST 800-53 CP-5]

5.3.27 Does the organization conduct backups of user-level and system-level information (including system state information) contained in the information system, perform tests to ensure the reliability and integrity of the backups, and store backup information at an appropriately secured location? [Source: NIST 800-53 CP-9]

5.3.28 Does the organization employ mechanisms with supporting procedures to allow the information system to be recovered and reconstituted to the system’s original state after a disruption or failure? [Source: NIST 800-53 CP-10]

[Identification and Authentication]

5.3.29 Does the information system uniquely identify and authenticate users (or processes acting on behalf of users)? [Source: NIST 800-53 IA-2]

5.3.30 Does the organization manage user identifiers by: (i) uniquely identifying each user; (ii) verifying the identity of each user; (iii) receiving authorization to issue a user identifier from an appropriate organization official; (iv) ensuring that the user identifier is issued to the intended party; (v) disabling inactive user identifiers; and (vi) archiving user identifiers? [Source: NIST 800-53 IA-4]

5.3.31 Does the organization manage information system authenticators (e.g., tokens, PKI certificates, biometrics, passwords, key cards) by: (i) defining initial authenticator content; (ii) establishing administrative procedures for initial authenticator distribution, for lost, compromised, or damaged authenticators, and for revoking authenticators; (iii) changing default authenticators upon information system installation; and (iv) changing/refreshing authenticators periodically? [Source: NIST 800-53 IA-5]

5.3.32 Does the information system provide feedback to a user during an attempted authentication, and ensure that the feedback does not compromise the authentication mechanism (e.g., the system does not display passwords while they are being entered)? [Source: NIST 800-53 IA-6]

[Incident Response]

5.3.33 Does the organization implement an incident handling capability for security incidents that includes preparation, detection and analysis, containment, eradication, and recovery? [Source: NIST 800-53 IR-4]

5.3.34 Does the organization track and document information system security incidents on an ongoing basis? [Source: NIST 800-53 IR-5]

[Maintenance]

5.3.35 Does the organization schedule, perform, and document routine preventative and regular maintenance on the components of the information system in accordance with manufacturer or vendor specifications and/or organizational requirements? [Source: NIST 800-53 MA-2]

5.3.36 Does the organization obtain maintenance support and spare parts for key information system components in the event of a failure within a time period that supports the targeted level of availability? [Source: NIST 800-53 MA-6]

[Media Protection]

5.3.37 Does the organization (i) protect information system media, both digital and non-digital, and (ii) limit access to information on information system media to authorized users? [Source: NIST 800-53 MP-2, MP-4]

[Physical and Environmental Protection]

5.3.38 Does the organization develop and keep current lists of personnel with authorized access to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and issue appropriate authorization credentials (e.g., badges, identification cards, smart cards)? [Source: NIST 800-53 PE-2]

5.3.39 Do designated officials within the organization review and approve the access list and authorization credentials at least annually? [Source: NIST 800-53 PE-2]

5.3.40 Does the organization control all physical access points (including designated entry/exit points) to facilities containing information systems (except for those areas within the facilities officially designated as publicly accessible) and verify individual access authorizations before granting access to the facilities? [Source: NIST 800-53 PE-3]

5.3.41 Does the organization also control access to areas officially designated as publicly accessible, as appropriate, in accordance with the organization’s assessment of risk? [Source: NIST 800-53 PE-3]

5.3.42 Does the organization control physical access to information systems by authenticating visitors before authorizing access to facilities or areas other than those designated as publicly accessible, and escort visitors and monitor visitor activity when required? [Source: NIST 800-53 PE-7]

[Planning]

5.3.43 Does the organization develop, implement, and maintain a security plan for the information system that provides an overview of the security requirements for the system and a description of the security controls in place or planned for meeting those requirements, and do designated officials within the organization review and approve the plan? [Source: NIST 800-53 PL-2]

[Personnel Security]

5.3.44 Does the organization complete appropriate access agreements (e.g., nondisclosure agreements, acceptable use agreements, rules of behavior, conflict-of-interest agreements) for individuals requiring access to organizational information and information systems before authorizing access? [Source: NIST 800-53 PS-6]

[Risk Assessment]

5.3.45 Does the organization categorize the information system and the information processed, stored, or transmitted by the system in accordance with FIPS 199 and document the results (including supporting rationale) in the system security plan, and do designated senior-level officials within the organization review and approve the security categorizations? [Source: NIST 800-53 RA-2]

5.3.46 Does the organization conduct assessments of the risk and magnitude of harm that could result from the unauthorized access, use, disclosure, disruption, modification, or destruction of information and information systems that support the operations and assets of the agency? [Source: NIST 800-53 RA-3]

5.3.47 Does the organization update the risk assessment periodically or whenever there are significant changes to the information system, the facilities where the system resides, or other conditions that may impact the security or accreditation status of the system? [Source: NIST 800-53 RA-4]

5.3.48 Does the organization use appropriate vulnerability scanning tools and techniques to scan for vulnerabilities in the information system periodically or when significant new vulnerabilities affecting the system are identified and reported? [Source: NIST 800-53 RA-5]

[System and Communications Protection]

5.3.49 Does the information system protect against or limit the effects of denial of service attacks? [Source: NIST 800-53 SC-5]

5.3.50 Does the information system monitor and control communications at the external boundary of the information system and at key internal boundaries within the system? [Source: NIST 800-53 SC-7]

5.3.51 Does the organization physically allocate publicly accessible information system components (for example, public web servers) to separate subnetworks with separate, physical network interfaces? [Source: NIST 800-53 SC-7]

5.3.52 Does the organization prevent public access into the organization’s internal networks except as appropriately mediated? [Source: NIST 800-53 SC-7]

5.3.53 Does the information system protect the confidentiality of transmitted information? [Source: NIST 800-53 SC-9]

5.3.54 If cryptography is employed within the information system, does the system perform all cryptographic operations (including key generation) using FIPS 140-2 validated cryptographic modules operating in approved modes of operation? [Source: NIST 800-53 SC-13]

5.3.55 Does the information system provide mechanisms to protect the authenticity of communications sessions? [Source: NIST 800-53 SC-23]

[System and Information Integrity]

5.3.56 Does the organization identify, report, and correct information system flaws? [Source: NIST 800-53 SI-2]

5.3.57 Does the information system implement malicious code protection (e.g., virus protection software) that includes a capability for automatic updates? [Source: NIST 800-53 SI-3]

5.3.58 Does the organization employ tools and techniques to monitor events on the information system, detect attacks, and identify unauthorized use of the system, and monitor outbound communications for unusual or unauthorized activities indicating the presence of malware (e.g., malicious code, spyware, adware)? [Source: NIST 800-53 SI-4]
