Judicial Watch • 2453_Resp Recs 1 (pg.16)

Category: FOIA Response

Number of Pages: 1

Date Created: September 11, 2014

Date Uploaded to the Library: September 11, 2014

Tags: Healthcare.gov, 2453, obamacare, HHS, FOIA


Autogenerated text from PDF

CMS SENSITIVE INFORMATION - REQUIRES SPECIAL HANDLING

Facilitated

Attachment

Finding: Many FFM controls are described CFACTS "Not Satisfied".
Finding Description: Many FFM controls documented the security controls section ACTS have effectiveness "Not Satisfied". Security controls are not documented being fully implemented.
Recommended Corrective Action: Update the security controls ACTS. Use the Risk Management Handbook Volume Procedures 4.2 and 5.6.
Risk: There the possibility that the FFM security controls are ineffective. Ineffective controls not appropriately protect the confidentiality, integrity and availability data and present risk the CMS enterprise. (PL-2).
Due Date: February 7, 2014

Finding: FFM appears have selected inappropriate Authentication level.
Finding Description: FFM information contains financial and privacy data. According RMH Volume Procedure 2.3 and RMH Volume III Standard 3.1; Privacy and financial data should protected Authentication Level controls.
Recommended Corrective Action: Review the E-Authentication level FFM for both users and system administrators. Level the appropriate E-Authentication level, implement the appropriate controls and complete the e-Authentication workbook. Ensure system administrators are cleared for positions trust.
Risk: The E-Authentication level system determines the security controls and means when connecting system over from untrusted network. Use inappropriate controls exposes the enterprise additional risk. (RA-2).
Due Date: February 7, 2014

Finding: Control inheritance incorrectly documented ACTS.
Finding Description: FFM indicates many its controls are "under the control the Terremark"; however, these controls are not described inherited from the Terremark data center within ACTS.
Recommended Corrective Action: Review the FIPS 199 inheritance selections ACTS and either select the appropriate inheritance indicate the controls are solely the responsibility FFM.
Risk: Unclear control responsibility can lead controls not being appropriately implemented and lack accountability. (AU-1).
Due Date: February 7, 2014