Security Considerations

Federal Requirements and Sensitive Information

The Early Childhood Learning and Knowledge Center (ECLKC) is categorized as a low-risk information system that includes personally identifiable information (PII). The PII within the ECLKC has further been categorized with a low confidentiality impact level using Federal Information Processing Standards (FIPS) 199 and National Institute of Standards and Technology (NIST) SP-800-60.

PII is data that can be used to distinguish or trace an individual's identity, either alone or when combined with other information that is linked or linkable to a specific individual. [Office of Management and Budget (OMB) Circular A-130]

The FIPS 199 standard establishes security categories of information systems used by the federal government as part of risk assessment.

PII is referred to as "sensitive information," which requires security controls to protect its confidentiality, integrity, and availability. Sensitive information, whether at rest (e.g., on servers, mobile devices) or in transit (e.g., emails, communications using web traffic), must be protected using a FIPS 140-2 validated solution.

FIPS 140-2 is a U.S. government computer security standard used to approve cryptographic modules.

Responsibilities

The ECLKC Security Team is responsible for:

  • The operations and maintenance of the ECLKC infrastructure
  • Ensuring the Office of Head Start (OHS) cloud environment complies with U.S. Department of Health and Human Services (HHS) Federal Risk and Authorization Management Program (FedRAMP) privacy and security requirements
  • The overall security assessment and authorization process (SA&A) for products hosted therein in accordance with established Administration for Children and Families (ACF) Office of the Chief Information Officer (OCIO) processes
  • Identifying vulnerabilities within the web content and architecture of the ECLKC
  • Creating a plan of action and milestones (POAM) for vulnerability remediation to ensure:

Content creators are responsible for performing these activities for content and applications that are implemented outside of the OHS hosting environment. To the extent possible, all content and applications should be designed with the intention of hosting within the OHS cloud environment. The importance of providing details to your liaison upfront regarding the intended design of content and applications cannot be overstated.

For Content Creators

Content creators should strive to identify whether PII or other sensitive information is contained within the content they are creating. Content that includes PII or sensitive information must be identified and communicated to your liaison so a Privacy Threshold Analysis and Privacy Impact Assessment can be performed to determine its impact on the ECLKC's privacy categorization. If necessary, HHS Information Security and Privacy Policy (IS2P) requirements will need to be followed to ensure sensitive information is protected.

Content creators working with any kind of sensitive information should also become familiar with the HHS cybersecurity policies.

For Developers and Infrastructure Teams

Following these additional security tips will help to protect the information, data, and systems that provide support and resources to the Head Start community:

  • Sanitize all user input, such as special and null characters, at both the client end and the server end. Sanitizing user input is especially critical when it is incorporated into scripts or structured query language statements.
  • Implement cross-site scripting (XSS) and cross-site request forgery (XSRF) protections to protect the ECLKC, as well as our visitors.
  • Audit third-party code and services (e.g., ads, analytics) to validate that no unexpected code is being delivered to the end user. You should weigh the pros and cons of vetting the third-party code and hosting it on the web server (as opposed to loading the code from the third party).
  • Increase and optimize resource availability by configuring your caching. Optimizing resource availability increases the chance that a website will withstand unexpectedly high amounts of traffic during denial-of-service (DoS) attacks.
  • Implement Hypertext Transfer Protocol Secure (HTTPS) and HTTP Strict Transport Security (HSTS). Website visitors expect their privacy to be protected. To ensure communications are encrypted, always enforce the use of HTTPS and HSTS where possible. Review further information and guidance on the HTTPS-Only Standard.
  • Implement a Content Security Policy (CSP) to lessen the chances of an attacker successfully loading and running malicious JavaScript on an end user's machine.
  • Apply additional security measures, such as:
    • Running static and dynamic security scans against the website code and system
    • Deploying web application firewalls
    • Leveraging content delivery networks to protect against malicious web traffic
    • Providing load balancing and resilience against high amounts of traffic
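As an added illustration of the HSTS and CSP tips above (example code, not ECLKC's own), the following Node.js script parses a response's Strict-Transport-Security and Content-Security-Policy headers and reports where they fall short of a baseline; the one-year max-age floor, the wildcard/inline script check, and the sample header values are assumptions, not ECLKC requirements.

```javascript
// Added example (not ECLKC's own code); the one-year HSTS floor and sample headers are assumptions.
const MIN_HSTS_MAX_AGE = 31536000; // assumed floor: one year, in seconds
// Parse a CSP header into { directive: [sources...] }, lower-cased for keyword matching.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(';')) {
    const tokens = part.trim().split(/\s+/).filter(Boolean);
    if (tokens.length === 0) continue;
    const [name, ...sources] = tokens;
    policy[name.toLowerCase()] = sources.map((s) => s.toLowerCase());
  }
  return policy;
}
// Parse an HSTS header into { maxAge, includeSubDomains }.
function parseHsts(header) {
  const out = { maxAge: null, includeSubDomains: false };
  for (const part of header.split(';')) {
    const [key, value] = part.trim().split('=');
    if (key.toLowerCase() === 'max-age') out.maxAge = Number(value);
    if (key.toLowerCase() === 'includesubdomains') out.includeSubDomains = true;
  }
  return out;
}
// Return findings for a response-headers object; an empty list means the baseline is met.
function auditHeaders(headers) {
  const h = Object.fromEntries(Object.entries(headers).map(([k, v]) => [k.toLowerCase(), v]));
  const findings = [];
  if (!h['strict-transport-security']) {
    findings.push('HSTS missing');
  } else {
    const hsts = parseHsts(h['strict-transport-security']);
    if (!(hsts.maxAge >= MIN_HSTS_MAX_AGE)) findings.push('HSTS max-age below one year');
    if (!hsts.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
  }
  if (!h['content-security-policy']) {
    findings.push('CSP missing');
  } else {
    const csp = parseCsp(h['content-security-policy']);
    const scriptSrc = csp['script-src'] || csp['default-src']; // script-src falls back to default-src
    if (!scriptSrc) findings.push('CSP has no script-src or default-src');
    else if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes('*'))
      findings.push('CSP allows inline or wildcard scripts');
  }
  return findings;
}
// Constructed sample header sets: one weak, one meeting the assumed baseline.
const weakHeaders = { 'Content-Security-Policy': "default-src *; script-src 'unsafe-inline'" };
const strongHeaders = { 'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'Content-Security-Policy': "default-src 'self'; script-src 'self' https://cdn.example" };
```

Running `auditHeaders(weakHeaders)` reports the missing HSTS header and the inline-script allowance, while `auditHeaders(strongHeaders)` returns no findings; the same function can be pointed at headers captured from a staging deployment before release.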