The following are Information Technology (IT) Policy documents for the Department of Homeland Security.
All Files, ZIP
Acquisition Management Directive - Provides the overall policy and structure for acquisition management within DHS, and establishes the Department's Acquisition Lifecycle Framework (ALF), Acquisition Review Process (ARP), and Acquisition Review Board (ARB).
Agile Development and Delivery for Information Technology - Provides the scope, definitions, roles and responsibilities, and procedures to establish an agile framework for the development of IT acquisitions within DHS.
Capital Planning and Investment Control - This directive establishes the Department of Homeland Security (DHS) policy for IT Capital Planning and Investment Control (CPIC) and Portfolio Management.
Digital Government Strategy - Establishes the policies and responsibilities for the governance of digital services within the DHS Digital Government Strategy.
DHS Digital Transformation - Establishes the Department of Homeland Security (DHS) policy regarding Digital Transformation, and formalizes the roles of the DHS Digital Service and the DHS Office of the Chief Technology Officer regarding Digital Transformation.
DHS Reusable and Open Source Software (OSS) Framework - This policy establishes the DHS policy on open source software development and publication and communicates responsibilities to the organization for compliance with M-16-21, the Office of Management and Budget’s (OMB) Federal Source Code Policy: Achieving Efficiency, Transparency, and Innovation through Reusable and Open Source Software requirements.
DHS Transition to Internet Protocol Version 6 (IPv6) - This policy defines the Department of Homeland Security (DHS) activities and provides roles and responsibilities to ensure compliance with the Office of Management and Budget (OMB) Memorandum M-21-07, “Completing the Transition to Internet Protocol Version 6 (IPv6).”
Enterprise Architecture Management - This Directive establishes the Department of Homeland Security (DHS) policy on Enterprise Architecture (EA) and defines related roles and responsibilities for ensuring compliance with legislative and executive level guidance on EA.
Enterprise Data Management Policy - Provides for the management of Enterprise Data, where Enterprise Data is data created, managed, or maintained within DHS that is shared among multiple DHS entities.
Enterprise Information Technology Configuration Management - This Directive applies throughout DHS and to enterprise data center CM program personnel that manage and control unclassified IT systems and subsystems. This document provides the minimum level of CM requirements. DHS Components and enterprise data center CM program personnel may supplement this Directive to protect their compartmental data and infrastructure.
Information Quality - This Directive establishes the Department of Homeland Security (DHS) policies and responsibilities for ensuring and maximizing the quality, utility, objectivity, and integrity of disseminated information.
Information Sharing Environment Technology Program - This Directive establishes the Department of Homeland Security (DHS) information technology (IT) program for the DHS Information Sharing Environment (DHS ISE).
Information Technology Asset Management and Refresh - This Directive establishes the Department of Homeland Security (DHS) policy regarding Information Technology (IT) management and recapitalization to ensure that IT infrastructure assets are secure, trustworthy, efficient, and resilient in support of missions and business operations.
Information Technology Integration and Management - Establishes the authorities, responsibilities, and policies of the DHS Chief Information Officer and Components’ Chief Information Officers regarding information technology integration and management.
Information Technology Security Program - Establishes policy regarding the Information Technology (IT) Security Program and assigns the responsibilities for the integration and management of the IT Security Program’s policies, methodologies, tools, and reviews.
Office of Accessible Systems and Technology - The Department of Homeland Security (DHS) considers accessibility to Electronic and Information Technology (EIT) for all employees and external customers, including those with disabilities, a priority. This Management Directive (MD) establishes the Section 508 Program Management Office (PMO) within the Office of the Chief Information Officer (CIO) and establishes policy regarding EIT accessibility.
Portfolio Management - Provides the responsibilities and policies for the management of information technology (IT) investments using portfolio management processes, methodologies, and techniques.
Systems Engineering Life Cycle - Provides a guidebook for implementation of the Systems Engineering Life Cycle. The SELC is applicable to all DHS programs and projects whose purpose is to deliver a DHS capability.
TechStat Accountability Sessions - Provides the policy for TechStat Accountability Sessions (TechStats).
DHS IT is governed by the DHS 4300A Sensitive Systems Policy and related Directives, which provide specific techniques and procedures for implementing the requirements of DHS Information Security Programs for DHS sensitive systems and systems that process information for DHS. This includes FICAM-related guidance, controls, and requirements for DHS Enterprise and Component systems and services.
- DHS Sensitive Systems Policy Directive 4300A
- 4300A Handbook Attachment W - Roles and Responsibilities
- DHS Directive Number 121-03 Revision 1
- DHS OCIO Strategic Plan and Roadmap
- DHS Enterprise Architecture Management
- Transition Timeline and Instructions – Updates to DHS Security Controls Rev.5
Identity, Credential, and Access Management (ICAM)
ICAM is governed through the ICAM Executive Steering Committee (ESC), which is co-chaired by both the DHS Chief Information Officer (CIO) and DHS Chief Security Officer (CSO). Orders and direction of the ESC are monitored, managed, and carried out to closure through the ICAM Strategic Advisory Team (ISAT), which is co-chaired by both ICAM program offices from OCIO (ISB) and OCSO (ESSD). As needed, sub-working groups and integrated project teams (IPT) are established to focus on specific ICAM requirements, issues, solutions, or tasks, and results are reported back through governance: through the ISAT and up to the ICAM ESC. Each governance body is chartered and receives participation from all DHS Component Agencies.
- ICAM Executive Steering Committee (ESC) Charter
- ICAM Strategic Advisory Team (ISAT) Charter
- CIO Governance Board Membership List
DHS 4300A Sensitive Systems Handbook
DHS IT is governed by the DHS 4300A Sensitive Systems Policy Directive and supporting attachment documents that address granular requirements, controls, and policies for handling specific IT/ICAM services, systems, and information. As of September 20, 2022, the DHS 4300A Policy Directive was rewritten around the NIST SP 800-53, Revision 5 Control Families and requirements of E.O. 14028, rescinding the legacy 4300A Handbook and replacing it with the new series of 4300A Attachments. With regard to Digital Identity Risk Management, the DHS Enterprise and Component Agencies adapted the provisions of the DHS 4300A, its new attachments, and complementary internal directives as follows to address identity risks.
- DHS Sensitive Systems Policy Directive 4300A
- 4300A Handbook Attachment AA – Cybersecurity Service Provider (CSP) Program
- 4300A Handbook Attachment B – Information System Waiver and Risk Acceptance Requests
- 4300A Handbook Attachment CC – DHS Controls Baseline
- 4300A Handbook Attachment G – Rules of Behavior
- 4300A Handbook Attachment F - Incident Response
- 4300A Handbook Attachment I - Sensitive Mobile Devices
- 4300A Handbook Attachment M – Tailoring NIST 800-53 Security Controls
- 4300A Handbook Attachment N – Interconnection Security Agreements
- 4300A Handbook Attachment R – Compliance Framework for CFO Designated Systems
- 4300A Handbook Attachment S – Compliance Framework for Privacy Systems
- 4300A Handbook Attachment U – Public Key Infrastructure Instruction
- 4300A Handbook Attachment V – Privacy Instruction
- 4300A Handbook Attachment Y – DHS Risk Management Framework for Sensitive Systems
- 4300A Handbook Attachment Z – Electronic Signature Use, Acceptance, and Implementation Guidance
- DHS Directive Number 121-03 Revision 1
- Timeline and Instructions – Updates to DHS Security Controls Rev.5
Common Identification Standard for DHS Employees, Contractors, Visitors, and Affiliates - This Directive establishes the Department of Homeland Security (DHS) framework for enterprise policy, responsibilities, and requirements regarding governance and implementation of Homeland Security Presidential Directive 12 (HSPD-12) and authorized authoritative credentials.
Risk Management Fundamentals: Homeland Security Risk Management Doctrine - This doctrine serves as an authoritative statement regarding the principles and process of homeland security risk management and what they mean to homeland security planning and execution.