BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6. OCSE requires systems that process, transmit, or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Revision 1.
Appears in 1 contract
Samples: Computer Matching Agreement
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA must report the confirmed and suspected incidents to OCSE using the security mailbox address: xxxxxxxxxxxx@xxx.xxx.xxx. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6. OCSE requires systems that process, transmit or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed breach or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities, correcting the vulnerability that allowed the breach and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to HUD, HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, HUD shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSS to HUD, HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, HUD must report the confirmed and suspected incidents, in either electronic or physical form, to the security team. Incident reporting contact information is in this security addendum (See section VIII). HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agency, the state agency is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency must report the confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The state agency is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officials; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed breach or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, and in no case later than one hour after discovery of the incident, SSA shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities and associated costs of breach remediation, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to HUD, HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, HUD shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agency, the state agency is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The state agency is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officials; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA must report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6. OCSE requires systems that process, transmit, or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Rev 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.