Government Mandates Affecting Mobile Compliance

HSPD12 Compliance

What is HSPD-12?

Homeland Security Presidential Directive 12 (HSPD-12) was issued on August 12, 2004 by President George W. Bush.

HSPD-12 is a strategic initiative intended to enhance security, increase Government efficiency, reduce identity fraud, and protect personal privacy. HSPD-12 calls for a mandatory, government-wide standard for secure and reliable forms of ID issued by the federal government to its employees and employees of federal contractors for access to federally-controlled facilities and networks.

Based upon this directive, the National Institute of Standards and Technology (NIST) developed Federal Information Processing Standards Publication (FIPS PUB) 201, which describes the minimum requirements for a Federal Personal Identity Verification (PIV) system.

How does HSPD-12 affect my organization?

HSPD-12 extends to mobile devices: laptops, tablets and smartphones that access government networks or data, or that receive, edit or view emails, data or websites owned, operated or originating from government entities. All federal government employees and contractors MUST use the PIV credential for access to Federal applications requiring identity assurance at E-Authentication Assurance Level 2 or higher. For more information, please refer to NIST Special Publication 800-63-2.

What is OMB M-11-11?

This Memorandum reaffirmed the importance of the implementation of Homeland Security Presidential Directive 12 (HSPD-12) and the need to move quickly to an authentication and access control mechanism which is defined and used government wide.

OMB M-11-11 mandated that all new systems must be enabled to use PIV credentials, in accordance with NIST guidelines, prior to being made operational.

How does OMB M-11-11 affect my organization?

Effective FY2012, all physical and logical access systems must use the PIV credentials for identity assurance and any mobile device procurements must ensure compliance with HSPD-12 policy and the Federal Acquisition Regulation for mobile authentication.

What is OMB M-04-04?

OMB M-04-04 provides E-Authentication Guidance for Federal Agencies and defines four levels of assurance, Levels 1 to 4, in terms of the consequences of authentication errors and misuse of credentials. Level 1 is the lowest assurance level and Level 4 is the highest.

How does OMB M-04-04 affect my organization?

Multi-factor authentication is required for mobile authentication, using cryptographic tokens (PIV, CAC, etc.) together with a PIN or biometric, for access to E-Authentication services at Level 2, Level 3, and Level 4.

What is OMB M-06-16?

OMB M-06-16 is a memorandum issued by the United States Office of Management and Budget (OMB) outlining the recommended actions for all federal departments and agencies to properly safeguard information assets. It specifically directs all federal agencies and departments to "encrypt all data on mobile computers/devices..."

The recommendations within OMB M-06-16 are in addition to the recommendations supplied by the National Institute of Standards and Technology (NIST) for the protection of remote information. Read more about OMB M-06-16 by downloading the document found here: http://www.whitehouse.gov/OMB/memoranda/fy2006/m06-19.pdf

How does OMB M-06-16 affect my organization?

OMB M-06-16 requires all federal government agencies and departments to secure sensitive information that is accessed remotely or stored off-site. This includes information that is physically transported outside of an agency’s perimeter, including information transported on removable media (e.g., CDs, DVDs, flash drives) and portable mobile devices (e.g., tablets, smart phones, etc.). OMB M-06-16 also applies to sensitive information shared with outside organizations.

Therefore, if you are an agency or department that handles any type of sensitive information, such as Personally Identifiable Information (PII) or Personal Health Information (PHI), you need to ensure your method of protecting that information meets OMB M-06-16 compliance requirements.

What is DOD Directive 8100.2?

DODD 8100.2 establishes policy and assigns responsibilities for the use of commercial wireless devices, services, and technologies in the DoD Global Information Grid (GIG). Hereafter, the term "wireless" means commercial wireless devices, services, and technologies.

It directs the development and use of a Knowledge Management (KM) process to promote the sharing of wireless technology capabilities, vulnerabilities, and vulnerability mitigation strategies throughout the Department of Defense.

It promotes joint interoperability using open standards throughout the Department of Defense for commercial wireless services, devices, and technological implementations.

What is FIPS 140-2?

FIPS 140-2 is the current version of the Federal Information Processing Standard 140 (FIPS 140) publication, which specifies security requirements for cryptographic modules. The National Institute of Standards and Technology (NIST) issued the FIPS 140 series to define the United States Federal Government requirements that IT products containing cryptography should meet.

Read more about FIPS 140 by downloading the document found here: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

What is the HITECH Act?

In February of 2009, the Health Information Technology for Economic and Clinical Health (HITECH) Act went into effect. The HITECH Act applies to “HIPAA covered entities and their business associates that access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured protected health information…”

The various information security segments of the HITECH Act were developed to help organizations that handle Personal Health Information (PHI) prevent fraud, hacking, and other security threats by leveraging technology that can be used to render PHI unusable to unauthorized individuals. For more information about the HITECH Act, please visit: http://www.hhs.gov/ocr/privacy/hipaa/understanding/coveredentities/guidance_breachnotice.html

How does the HITECH Act affect my organization?

Any business associates of HIPAA-covered entities who provide transmission of protected health information and/or require access to that information are required to comply with regulations established by the HITECH Act. In addition, Personal Health Record (PHR) vendors who have contracts with entities covered by the HITECH Act are also required to meet HITECH Act compliance requirements. Entities required to meet HITECH Act compliance requirements include:

  • Medical transcriptionists
  • Contracted lab and radiology departments
  • Third-party billing agencies
  • Hospital couriers
  • Collection agencies
  • Pharmacies with hospital contracts
  • Consultants
  • Off-site storage facilities

What is HIPAA?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 established a set of security standards used to protect the confidentiality of Personal Health Information (PHI). Recent regulations and mandates from the Department of Health and Human Services apply to HIPAA covered entities and any of their business associates that “access, maintain, retain, modify, record, store, destroy, or otherwise hold, use, or disclose unsecured PHI.”

In addition to protecting medical records, prescription details, and personal information, the standards outlined in HIPAA are meant to improve the efficiency and effectiveness of the U.S. healthcare system by encouraging the use of electronic data exchange. To learn more about HIPAA and other health information privacy requirements, please visit: http://www.hhs.gov/ocr/privacy/

How does HIPAA affect my organization?

To improve the efficiency and effectiveness of the healthcare industry, vast amounts of patient information are being handled electronically, so there is an increased need for stronger data security. Patient information privacy laws, such as HIPAA, require that Protected Health Information (PHI) remain secure at all times. If your organization is responsible for handling any amount of PHI, you may be required to meet HIPAA compliance requirements. Likewise, if you are a business associate of a HIPAA-covered entity, the recent Health Information Technology for Economic and Clinical Health (HITECH) Act applies to you.