Here you will find policies, procedures, and training requirements for DHS contractors whose solicitations and contracts include the special clauses Safeguarding of Sensitive Information (MARCH 2015) and Information Technology Security and Privacy Training (MARCH 2015). These special clauses are explained in Homeland Security Acquisition Regulation Class Deviation 15-01: Safeguarding of Sensitive Information.
Information Security Policy
DHS Management Directive (MD) 11042.1 establishes policy regarding the identification and safeguarding of sensitive but unclassified information originating within DHS. It also applies to other sensitive but unclassified information received by DHS from other government and non‑government entities.
MD 11056.1 establishes DHS policy regarding the recognition, identification, and safeguarding of Sensitive Security Information (SSI). This MD is applicable to all persons who are permanently or temporarily assigned, attached, detailed to, employed, or under contract with DHS.
Information Technology Security Policy
- DHS Sensitive Systems Policy Directive 4300A: Articulates the DHS Information Security Program policies for DHS sensitive systems and systems that process sensitive information for DHS.
- DHS 4300A Sensitive Systems Handbook: Provides specific techniques and procedures for implementing the requirements of the DHS Information Security Program for DHS sensitive systems and systems that process sensitive information for DHS.
- Attachment G- Rules of Behavior: Informs users of DHS information technology equipment and systems of their responsibilities and that they will be held accountable for their actions while they are accessing DHS systems and using DHS/contractor IT resources capable of accessing, storing, receiving, or transmitting sensitive information. The DHS Rules of Behavior apply to every DHS employee and DHS support contractor.
- Security Authorization Process Guide: Defines the Security Authorization process for DHS sensitive systems and systems operated by contractors that process sensitive information for DHS.
- DHS Security Authorization Templates: Provides DHS contractors with access to templates for all of the Security Authorization documentation required by special clause Safeguarding of Sensitive Information (MARCH 2015). Use of these templates is mandatory.
- Fiscal Year 2017 DHS Information Security Performance Plan: Defines performance requirements, priorities, and overall goals for all DHS sensitive systems and systems that process sensitive information.
- Information System Security Officer (ISSO) Guide: Provides Information System Security Officers with techniques, procedures, and useful tips for implementing the requirements of the DHS Information Security Program for DHS sensitive systems and systems that process sensitive information for DHS.
- TSA Information Assurance (IA) Handbook: Provides the policies and requirements of the Transportation Security Administration (TSA) Management Directive (MD) 1400.3, Information Technology Security by establishing guidance applicable to the use, development, and maintenance of TSA Information Technology (IT) assets, networks, and systems.
Personnel Security Policy
DHS Instruction Handbook 121-01-007 Department of Homeland Security Personnel Suitability and Security Program: Establishes procedures, program responsibilities, minimum standards, and reporting protocols for DHS’s Personnel Suitability and Security Program. It does not prohibit any DHS Component from exceeding the requirements. This Instruction implements the authority of the Chief Security Officer (CSO) under DHS Directive 121 -01.
Privacy Incident Handling Guidance: Establishes DHS policy for responding to privacy incidents by providing procedures to follow upon the detection or discovery of a suspected or confirmed incident involving Personally Identifiable Information.
Safeguarding Sensitive Personally Identifiable Information Handbook: Provides best practices and DHS policy requirements to prevent a privacy incident involving Personally Identifiable Information during all stages of the information lifecycle.
Information Technology Security Awareness Training
Provides guidance for online conduct and proper use of information technology. The Challenge presents cybersecurity and information systems security awareness instructional topics through first-person simulations and mini-game challenges that allow the user to practice and review cybersecurity concepts in an interactive manner. The training takes approximately one (1) hour to complete. Completion of the training is required before access to DHS systems can be provided.
Under Department of Defense Employees, select Start/Continue New CyberAwareness Challenge Department of Defense Version.
Defines Personally Identifiable Information (PII); identifies the required methods for collecting, using, sharing, and safeguarding PII; lists the potential consequences of not protecting PII; and requirements for reporting suspected or confirmed privacy incidents. The training takes approximately one (1) hour to complete. Completion of the training is required before access to PII can be provided.