AHRQ Information Security and Privacy Program

The AHRQ Information Security and Privacy Program fosters an enterprise-wide secure and trusted environment in support of AHRQ's mission. AHRQ's program was established to help protect the Agency against potential information technology (IT) threats and vulnerabilities.  The program ensures compliance with Federal mandates and legislation, including the Federal Information Security Management Act and the President's Management Agenda. It also plays an important role in enabling the Agency's ability to provide mission-critical operations. 

• Information Security and Privacy Awareness Training.
• Incident Reporting.
• Points of Contact.
• Policy, Guidance, and Legislation Links.
• Privacy Impact Assessments and Resources Links.

Information Security & Privacy Awareness Training

Information security and privacy awareness training is mandatory for all Federal employees and contract personnel. The Department of Health and Human Services (HHS) mandates that all employees must complete information security training upon initial hiring and annually thereafter. AHRQ ensures that all Agency employees and contractors receive annual information security awareness training and role-based training in compliance with—

• Federal Information Security Management Act (FISMA) [PDF File, Plugin Software Help].
• National Institute of Standards and Technology (NIST) Special Publication 800-16 Rev.1, Information Security Training Requirements [PDF File, Plugin Software Help].

To comply with this training requirement, AHRQ developed an online Information Security and Privacy Awareness Training Module that is available on the Agency Intranet to AHRQ staff and contractors.

Additionally, HHS's Cybersecurity Program offers courses for Agency staff and contractors on —

• Privacy Awareness.
• Information Systems Security Awareness.

HHS's Cybersecurity Program also offers the following role-based training courses:

• Information Security for Executives.
• Information Security for IT Administrators.
• Information Security for Managers.

NIST's Computer Security Awareness, Training, and Education is also a resource for security training.

For more information on AHRQ information security and privacy training, send an Email to the AHRQ Information Security and Privacy Team (SecureAHRQ@ahrq.hhs.gov).

Incident Reporting

AHRQ defines a computer security incident as "a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard computer security practices," in accordance with NIST Special Publication 800-61 Rev. 2, Computer Security Incident Handling Guide [PDF File, Plugin Software Help].

If you suspect an information security or privacy related incident has occurred, send an Email immediately to the AHRQ Chief Information Security Officer (eric.colombel@ahrq.hhs.gov) or the AHRQ Information Security and Privacy Team (SecureAHRQ@ahrq.hhs.gov).

Points of Contact

• Chief Information Security Officer: Eric Colombel 
  • Email: eric.colombel@ahrq.hhs.gov
  • Phone: 301-427-1750.
• Senior Official for Privacy: Tim Erny
  • Email: tim.erny@ahrq.hhs.gov.
  • Phone: 301-427-1760.
• Information Security and Privacy Team
  • Email: SecureAHRQ@ahrq.hhs.gov.

Policy, Guidance, and Legislation

The following are links to information security policies, guidance, and legislation:

• HHS Cybersecurity Program Policy Page.
• E-Government Act of 2002 (U.S. Office of Management and Budget [PDF File, Plugin Software Help].
• Clinger-Cohen Act of 1996 (Chief Information Officers Council) [PDF File, Plugin Software Help].
• The Health Insurance Portability and Accountability Act of 1996.
• Computer Fraud and Abuse Act of 1986 (Department of Energy [PDF File, Plugin Software Help].
• Electronic Communications Privacy Act of 1986 (Department of Energy).
• Overview of The Privacy Act of 1974, May 2004 (Department of Justice).
• NIST Special Publications (800 Series).
• NIST SP 800-63 Rev. 1, Electronic Authentication Guideline [PDF File, Plugin Software Help].
• NIST SP 800-61 Rev. 2, Computer Security Incident Handling Guide [PDF File, Plugin Software Help].
• NIST SP 800-60 Rev. 1, Guide for Mapping Types of Information and Information Systems to Security Categories: (2 Volumes)—Volume 1: Guide [PDF File, Plugin Software Help].
  Volume 2: Appendices [PDF File, Plugin Software Help].
• NIST SP 800-53 Rev. 4, Security and Privacy Controls for Federal Information Systems and Organization.
• NIST SP 800-53A Rev. 1, Guide for Assessing the Security Controls in Federal Information Systems and Organizations, Building Effective Security Assessment Plans [PDF File, Plugin Software Help].
• NIST SP 800-37 Rev. 1, Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [PDF File, Plugin Software Help].
• NIST SP 800-34 Rev. 1, Contingency Planning Guide for Federal Information Systems [PDF File, Plugin Software Help].
• NIST SP 800-30 Rev. 1, Guide for Conducting Risk Assessments [PDF File, Plugin Software Help].
• NIST SP 800-18 Rev. 1, Guide for Developing Security Plans for Federal Information Systems [PDF File, Plugin Software Help].
• NIST SP 800-16 Rev. 1, Information Security Training Requirements: A Role- and Performance-Based [PDF File, Plugin Software Help].

Privacy Impact Assessments and Resources

Titles II and III of the E-Government Act of 2002 (http://www.archives.gov/about/laws/egov-act-section-207.html) require Federal agencies to evaluate systems that collect personally identifiable information to determine that the privacy of this information is adequately protected. The links below provide information on privacy impact assessments on HHS systems and on third-party Web sites:

• HHS Privacy Impact Assessments and Resources.
• HHS Operating Divisions Privacy Impact Assessments and Third-Party Web sites and Applications Privacy Impact Assessments.