Common use of BREACH REPORTING AND NOTIFICATION RESPONSIBILITY Clause in Contracts

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agency, the state agency is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The state agency is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officials; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agency, the state agency is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency shall must report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The state agency is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officials; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 45, IR-6

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agencySSA, the state agency SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency shall SSA must report confirmed and suspected incidents, in either electronic or physical form, incidents to OCSE, as designated in this OCSE using the security addendummailbox address: xxxxxxxxxxxx@xxx.xxx.xxx. The state agency SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 45, IR-6IR-6 VI. SECURITY AUTHORIZATION OCSE requires systems that process, transmit or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agencySSA, the state agency SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA must report the state agency shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, OCSE as designated in this security addendum. The state agency SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS- CERT; notifying individuals whose information is breached; notifying any third parties, parties including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, activity as required by OMB M-17-M-17- 12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 45, IR-6IR-6 VI. SECURITY AUTHORIZATION OCSE requires systems that process, transmit, or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Rev 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agencySSA, the state agency SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency SSA shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE, OCSE as designated in this security addendum. The state agency SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS- CERT; notifying individuals whose information is breached; notifying any third parties, parties including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, activity as required by OMB M-17-M-17- 12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6IR-6 VI. SECURITY AUTHORIZATION OCSE requires systems that process, transmit, or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Revision 1.

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agencyHUD, the state agency HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency HUD shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, OCSE as designated in this security addendum. The state agency HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agencySSA, the state agency SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, OCSE as designated in this security addendum. The state agency SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agencySSA, the state agency SSA is the responsible party in the event of a confirmed or suspected breach or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency SSA shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE, OCSE as designated in this security addendum. The state agency SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS- CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; , correcting the vulnerability that allowed the breach; breach and any other activity, activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agencySSA, the state agency SSA is the responsible party in the event of a confirmed breach or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in and no case later than one hour after discovery of the incident, the state agency SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, OCSE as designated in this security addendum. The state agency SSA is responsible for all reporting and notification activitiesactivities and associated costs of breach remediation, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS­ CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE OCSS to the state agencyHUD, the state agency HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency shall HUD must report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated the security team. Incident reporting contact information is in this security addendumaddendum (See section VIII). The state agency HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 45, IR-6

BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agencyHUD, the state agency HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency HUD shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, OCSE as designated in this security addendum. The state agency HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officialsUS-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 45, IR-6