
Checklist and Certification for Minimum Level of Enhanced Safeguarding for Unclassified DoD Information

Processed in accordance with provisions H.XX. Requirements for Minimum Level of Enhanced Safeguarding for Unclassified DoD Information, F. . Checklist and Certification for Minimum Level of Enhanced Safeguarding for Unclassified DoD Information, and CDRL A Checklist and Certification for Minimum Level of Enhanced Safeguarding for Unclassified DoD Information, of Contract HT9402---.

Access Control

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
AC-2 | Account Management | Yes | Examine | | IM-G0042-Account and Access Password Guideline
AC-3 | Access Enforcement | Yes | Examine | | IM-G0010-Technical Standards for eDirectory Directory Tree; IM-G0042-Account and Access Password Guideline
AC-3(4) | Access Enforcement | Yes | Examine | | IM-G0010-Technical Standards for eDirectory Directory Tree; IM-G0042-Account and Access Password Guideline
AC-4 | Information Flow Enforcement | Yes | Examine | | IM-G0023-Local and Wide Area Network Security; IM-G0060-Router Security
AC-6 | Least Privilege | Yes | Examine | | IM-G0010-Technical Standards for eDirectory Directory Tree; IM-G0042-Account and Access Password Guideline
AC-7 | Unsuccessful Login Attempts | Yes | Examine | | IM-G0042-Account and Access Password Guideline
AC-11 | Session Lock | Yes | Examine | | IM-G0028-Secure Computing Guideline
AC-11(1) | Session Lock | Yes | Examine | | IM-G0028-Secure Computing Guideline
AC-17 | Remote Access | Yes | Test | | IM-G0049-Remote Access Guideline
AC-17(2) | Remote Access | Yes | Test | | IM-G0049-Remote Access Guideline
AC-18 | Wireless Access | Yes | Test | | IM-G0017-Wireless Technologies Technical Standard
AC-18(1) | Wireless Access | Yes | Test | | IM-G0017-Wireless Technologies Technical Standard
AC-19 | Access Control for Mobile Devices | Yes | Examine | | IM-G0028-Secure Computing Guideline
Director: Todd

TMA Form August 2011

Page 1

Awareness & Training

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
AT-2 | Security Awareness | Yes | Examine | | IM-G0027-Information Security Management Plan; IM-G0028-Secure Computing Guideline
Director: GUY

Audit & Accounting

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
AU-2 | Auditable Events | Yes | Examine | | IM-G0027-Information Security Management Plan; IM-G0061-Patient Information Access Audit Guideline
AU-3 | Content of Audit Records | Yes | Examine | | IM-G0027-Information Security Management Plan
AU-6 | Audit Review, Analysis & Reporting | Yes | Examine | | IM-G0027-Information Security Management Plan; IM-G0061-Patient Information Access Audit Guideline; IM-G0059-Server and Host System Security; IM-QR-P0011-Audit Log and Retrieval Process for MEDITECH EMR; IM-QR-P0009-Audit Logging and Retrieval Process for PACS
AU-6(1) | Audit Review, Analysis & Reporting | Yes | Examine | | IM-G0027-Information Security Management Plan; IM-G0061-Patient Information Access Audit Guideline; IM-G0059-Server and Host System Security
AU-7 | Audit Reduction & Report Generation | Yes | Examine | | IM-G0027-Information Security Management Plan; IM-G0061-Patient Information Access Audit Guideline; IM-G0059-Server and Host System Security
AU-8 | Time Stamps | Yes | Examine | | IM-G0027-Information Security Management Plan
AU-9 | Protection of Audit Information | Yes | Examine | | IM-G0059-Server and Host System Security
AU-10 | Non-Repudiation | Yes | Examine | | IM-G0071-Guidelines for Managing Digital (Certification Authority) Certificates; IM-G0023-Local and Wide Area Network Security
AU-10(5) | Non-Repudiation | Yes | Examine | | IM-G0071-Guidelines for Managing Digital (Certification Authority) Certificates; IM-G0023-Local and Wide Area Network Security
Director: GUY

Configuration Management

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
CM-2 | Baseline Configuration | Yes | Examine | 12/1/2011 | IM-G0055-Technical Configuration Guideline; IM-G0067-User Policy Levels for Workstations; IM-G0059-Server and Host System Security
CM-6 | Configuration Settings | Yes | Examine | 12/1/2011 | IM-G0055-Technical Configuration Guideline; IM-G0059-Server and Host System Security; IM-G0067-User Policy Levels for Workstations
CM-7 | Least Functionality | Yes | Examine | 12/1/2011 | IM-G0055-Technical Configuration Guideline
CM-8 | Information System Component Inventory | Yes | Examine | 12/1/2011 | IM-G0031-Configuration Management Guideline; IM-G0031D1-Configuration Management Guideline
Directors: BLAKE, TODD

Contingency Planning

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
CP-9 | Information System Backup | Yes | Examine | 12/1/2011 | IM-G0043-Backup and Storage Management Guideline; IM-G0020-Technical Standards for Data Backup with Bridgehead; IM-P0033-System Data File Backup Request Procedure
Director: BLAKE

Identification & Authentication

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
IA-2 | User Identification & Authentication | Yes | Test | 12/1/2011 | IM-G0027-Information Security Management Plan; IM-G0028-Secure Computing Guideline
IA-4 | Identifier Management | Yes | Test | 12/1/2011 | IM-G0027-Information Security Management Plan; IM-G0047-Logical (Data and Programs) Security Guideline
IA-5 | Authenticator Management | Yes | Test | 12/1/2011 | IM-G0027-Information Security Management Plan; IM-G0047-Logical (Data and Programs) Security Guideline
IA-5(1) | Authenticator Management | Yes | Examine | 12/1/2011 | IM-G0027-Information Security Management Plan; IM-G0047-Logical (Data and Programs) Security Guideline
Director: TODD

Incident Response

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
IR-2 | Incident Response Training | Yes | Examine | 12/1/2011 | IM Emergency Response Plan (HealthStream) computer-based training (CBT) course: provides a way to ensure that CHRISTUS IM associates who are responsible for responding to, maintaining, and executing the recovery plans have an awareness and understanding of the program
IR-4 | Incident Handling | Yes | Examine | 12/1/2011 | IM-G0053-Incident and Problem Management Guideline; IM-P0120-Incident and Service Request Handling Procedure
IR-5 | Incident Monitoring | Yes | Examine | 12/1/2011 | IM-G0053-Incident and Problem Management Guideline
IR-6 | Incident Reporting | Yes | Examine | 12/1/2011 | IM-G0053-Incident and Problem Management Guideline; IM-P0120-Incident and Service Request Handling Procedure
Director: GUY

Maintenance

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
MA-4 | Remote Maintenance | Yes | Interview | 12/1/2011 | IM-G0044-Vendor and Technical Support Access Guideline; IM-G0062-HIPAAS Sec Requirements Vendor Mgt Systems Guideline
MA-4(6) | Remote Maintenance | Yes | Interview | 12/1/2011 | IM-G0044-Vendor and Technical Support Access Guideline; IM-G0062-HIPAAS Sec Requirements Vendor Mgt Systems Guideline
MA-5 | Maintenance Personnel | Yes | Interview | 12/1/2011 | IM-G0046-Physical Security Guideline
MA-6 | Timely Maintenance | Yes | Interview | 12/1/2011 | How to Manage CHRISTUS Service Level Agreement
Director: BLAKE

Media Protection

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
MP-4 | Media Storage | Yes | Examine | 12/1/2011 | IM-G0043-Backup and Storage Management
MP-6 | Media Sanitization & Disposal | Yes | Interview | | IM-G0030-Software Decommissioning Guidelines; IM-P0020-Computing Equipment Disposal/Transfer Procedure; IM-P0020D1-Hard Drive Cleaning; IM-P0020F1-Asset/Transfer/Sale Agreement
Director: BLAKE

Physical & Environmental Protection

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
PE-5 | Access Control for Display Medium | Yes | Examine | 12/1/2011 | IM-G0021-Information Security Guideline; IM-G0046-Physical Security Guideline
PE-7 | Visitor Control | Yes | Examine | 12/1/2011 | IM-G0046-Physical Security Guideline; IM-P019-Access to Regional Data Centers (RDCs); IM-P019D1-Access to Regional Data Centers Appendix; IM-P019F2-Visitor Log; IM-P0014-Physical Security and Access to Enterprise Data Centers; IM-P0014D1-Access Groups and Levels of Access; IM-P0014F1-Access Groups and Levels of Access
Director: BLAKE

Program Management

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
PM-10 | Security Authorization Process | Yes | Examine | 12/1/2011 | IM-G0047-Logical (Data and Programs) Security Guideline; IM-G0022-Information Ownership, Maintenance and Data Sensitivity Classification; IM-G0055-Technical Configuration Guideline; IM-G0029-Risk Management Guideline
Director: GUY

System & Communications Protection

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
SC-2 | Application Partitioning | Yes | Examine | 12/1/2011 | IM-G0055-Technical Configuration Guideline; IM-G0059-Server and Host System Security; IM-G0059D1-Server and Host System Security
SC-4 | Information Remnance | Yes | Select Method | 12/1/2011 | IM-G0032-Practitioner Equipment and Software Provisioning Guideline
SC-7 | Boundary Protection | Yes | Select Method | 12/1/2011 | IM-G0056-Internet DMZ Equipment; IM-G0060-Router Security
SC-7(2) | Boundary Protection | Yes | Examine | 12/1/2011 | IM-G0056-Internet DMZ Equipment; IM-G0060-Router Security
SC-9 | Transmission Confidentiality | Yes | Examine | 12/1/2011 | IM-G0023-Local and Wide Area Network Security; IM-G0018-E-mail Encryption Using ZixCorp's Virtual Private Messenger (VPM)
SC-9(1) | Transmission Confidentiality | Yes | Test | 12/1/2011 | IM-G0023-Local and Wide Area Network Security; IM-G0018-E-mail Encryption Using ZixCorp's Virtual Private Messenger (VPM)
SC-13 | Use of Cryptography | Yes | Test | 12/1/2011 | IM-G0071-Guidelines for Managing Digital (Certification Authority) Certificates; IM-G0054-Acceptable Encryption; IM-G0049-Remote Access Guideline
SC-13(1) | Use of Cryptography | Yes | Examine | 12/1/2011 | IM-G0071-Guidelines for Managing Digital (Certification Authority) Certificates; IM-G0054-Acceptable Encryption; IM-G0049-Remote Access Guideline
SC-13(4) | Use of Cryptography | Yes | Select Method | 12/1/2011 | IM-G0071-Guidelines for Managing Digital (Certification Authority) Certificates; IM-G0018-E-mail Encryption Using ZixCorp's Virtual Private Messenger (VPM); IM-G0054-Acceptable Encryption; IM-G0049-Remote Access Guideline
SC-15 | Collaborative Computing | Yes | Select Method | 12/1/2011 | IM-G0044-Vendor and Technical Support Access Guideline
SC-28 | Protection of Information at Rest | Yes | Test | 12/1/2011 | 55350 - Data Loss Prevention - DLP - Device Encryption
Directors: GUY, BLAKE

Rows showing "Select Method" carry the form's default drop-down text, i.e. no validation approach was selected for that control.

System & Information Integrity

Ref # | Nomenclature | Compliance Statement | Validation Approach | Compliance Date | Activity Description
SI-2 | Flaw Remediation | Yes | Examine | 12/1/2011 | IM-G0029-Risk Management Guideline; IM-G0045-Virus Protection Guideline
SI-3 | Malicious Code Protection | Yes | Examine | 12/1/2011 | IM-G0045-Virus Protection Guideline; IM-P0122-Patch Vulnerability Response Procedure; IM-P0027-Virus Outbreak Management; IM-P0027F1-Virus Outbreak Management Report
SI-4 | Information System Monitoring | Yes | Examine | 12/1/2011 | IM-P0059-Variance Reporting and Logging Procedure; IM-P0059F1-Information Management Variance Report
Director: GUY

CERTIFICATION OF COMPLIANCE: I certify that I am an official representative for [insert name of contractor], that I have authority to sign this document and obligate [insert name of contractor] to the statements made in this document, and that I have personal knowledge of the matters to which this certification applies. I also certify that [insert name of contractor] is in compliance with the enhanced safeguarding requirements identified within the contract clause stated above and this document.

Signature:
Name:
Title:
Company:
Date:
