Common use of Data and Communications Security Clause in Contracts

Data and Communications Security. (The Privacy Act of 1974, E-Government Act of 2002 (P.L. 107-347), and the Access Control (AC), Configuration Management (CM), Media Protection (MP), and System and Communication (SC) Families, NIST SP 800-53 rev. 4) SSA requires EIEPs to encrypt PII and SSA-provided information when transmitting across dedicated communications circuits between its systems, intrastate communications between its local office locations, and on the EIEP’s mobile computers, devices and removable media. The EIEP’s encryption methods must align with the Guidelines established by the National Institute of Standards and Technology (NIST). SSA recommends the Advanced Encryption Standard (AES) or Triple DES (Data Encryption Standard 3). Files encrypted for external users (when using tools such as Microsoft Word encryption) require a key length of at least nine characters. SSA recommends that the key (also referred to as a password) contain both special characters and numbers. SSA supports the NIST Guidelines that require the EIEP deliver the key so that it does not accompany the media. The EIEP must secure the key when not in use or unattended. SSA discourages the use of the public Internet for transmission of SSA-provided information. If, however, the EIEP uses the public Internet or other electronic communications, such as emails and faxes, to transmit SSA-provided information, they must use a secure encryption protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS). SSA also recommends 256-bit encryption protocols or more secure methods such as Virtual Private Network technology. The EIEP should only send data to a secure address or device to which the EIEP can control and limit access to only specifically authorized individuals and/or processes. SSA recommends that EIEPs use Media Access Control (MAC) Filtering and Firewalls to protect access points from unauthorized devices attempting to connect to the network.

Appears in 6 contracts

Samples: Standard Agreement, Program Agreement, Program Agreement


Data and Communications Security. (The Privacy Act of 1974, E-Government Act of 2002 (P.L. 107-347), and the Access Control (AC), Configuration Management (CM), Media Protection (MP), and System and Communication (SC) Families, NIST SP 800-53 rev. 4) SSA requires EIEPs to encrypt PII and SSA-provided information when transmitting across dedicated communications circuits between its systems, intrastate communications between its local office locations, and on the EIEP’s mobile computers, devices and removable media. The EIEP’s encryption methods must align with the Guidelines established by the National Institute of Standards and Technology (NIST). SSA recommends the Advanced Encryption Standard (AES) or Triple DES (Data Encryption Standard 3). Files encrypted for external users (when using tools such as Microsoft Word encryption) require a key length of at least nine characters. SSA recommends that the key (also referred to as a password) contain both special characters and numbers. SSA supports the NIST Guidelines that require the EIEP deliver the key so that it does not accompany the media. The EIEP must secure the key when not in use or unattended. SSA discourages the use of the public Internet for transmission of SSA-provided information. If, however, the EIEP uses the public Internet or other electronic communications, such as emails and faxes, to transmit SSA-provided information, they must use a secure encryption protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS). SSA also recommends 256-bit encryption protocols or more secure methods such as Virtual Private Network technology. The EIEP should only send data to a secure address or device to which the EIEP can control and limit access to only specifically authorized individuals and/or processes.
SSA recommends that EIEPs use Media Access Control (MAC) Filtering and Firewalls to protect access points from unauthorized devices attempting to connect to the network. EIEPs should not retain SSA-provided information any longer than business purpose(s) dictate. The Information Exchange Agreement with SSA stipulates a time for data retention. The EIEP should delete, purge, destroy, or return SSA-provided information when the business purpose for retention no longer exists. The EIEP may not save or create separate files comprised solely of information provided by SSA. The EIEP may apply specific SSA-provided information to the EIEP’s matched record from a preexisting data source. Federal law prohibits duplication and redisclosure of SSA-provided information without written approval. The prohibition applies to both internal and external sources who do not have a “need-to-know.”[2] SSA recommends that EIEPs use either Trusted Platform Module (TPM) or Hardware Security Module (HSM) technology solutions to encrypt data at rest on hard drives and other data storage media. EIEPs must prevent unauthorized disclosure of SSA-provided information after they complete processing and after the EIEP no longer requires the information. The EIEP’s operational processes must ensure that no residual SSA-provided information remains on the hard drives of users’ workstations after the user exits the application(s) that use SSA-provided information. If the EIEP must send a computer, hard drive, or other computing or storage device offsite for repair, the EIEP must have a non-disclosure clause in their contract with the vendor. If the EIEP used the item in connection with a business process that involved SSA-provided information and the vendor will retrieve or may view SSA-provided information during servicing, SSA reserves the right to inspect the EIEP’s vendor contract.
[2] Need-to-know - access to the information must be necessary for the conduct of one's official duties.
The EIEP must remove SSA-provided information from electronic devices before sending it to an external vendor for service. SSA expects the EIEP to render it unrecoverable or destroy the electronic device if they do not need to recover the data. The same applies to excessed, donated, or sold equipment placed into the custody of another organization. To sanitize media, the EIEP should use one of the following methods:
• Overwriting. Overwrite utilities can only be used on working devices. Overwriting is appropriate only for devices designed for multiple reads and writes. The EIEP should overwrite disk drives, magnetic tapes, floppy disks, USB flash drives, and other rewriteable media. The overwrite utility must completely overwrite the media. SSA recommends the use of purging media sanitization to make the data irretrievable and to protect data against laboratory attacks or forensics (please refer to Definitions for more information regarding Media Sanitization). Reformatting the media does not overwrite the data.
• Degaussing. Degaussing is a sanitization method for magnetic media (e.g., disk drives, tapes, floppies, etc.). Degaussing is not effective for purging non-magnetic media (e.g., optical discs). Degaussing requires a certified tool designed for particular types of media. Certification of the tool is required to ensure that the magnetic flux applied to the media is strong enough to render the information irretrievable. The degaussing process must render data on the media irretrievable by a laboratory attack or laboratory forensic procedures (refer to Definitions for more information regarding Media Sanitization).
• Physical destruction. Physical destruction is the method when degaussing or overwriting cannot be accomplished (for example, CDs, floppies, DVDs, damaged tapes, hard drives, damaged USB flash drives, etc.). Examples of physical destruction include shredding, pulverizing, and burning.
State agencies may retain SSA-provided information in hardcopy only if required to fulfill evidentiary requirements, provided the agencies retire such data in accordance with applicable state laws governing retention of records. The EIEP must control print media containing SSA-provided information to restrict its access to authorized employees who need such access to perform their official duties. EIEPs must destroy print media containing SSA-provided information in a secure manner when it is no longer required for business purposes. The EIEP should destroy paper documents that contain SSA-provided information by burning, pulping, shredding, macerating, or other similar means that ensure the information is unrecoverable. NOTE: Hand tearing or lining through documents to obscure information does not meet SSA’s requirements for appropriate destruction of PII. The EIEP must employ measures to ensure that communications and data furnished to SSA contain no viruses or other malware.

Appears in 4 contracts

Samples: eldorado.legistar.com, media.rivcocob.org, www.slocounty.ca.gov


Data and Communications Security. (The Privacy Act of 1974, E-Government Act of 2002 (P.L. 107-347), and the Access Control (AC), Configuration Management (CM), Media Protection (MP), and System and Communication (SC) Families, NIST SP 800-53 rev. 4) SSA requires EIEPs to encrypt PII and SSA-provided information when transmitting across dedicated communications circuits between its systems, intrastate communications between its local office locations, and on the EIEP’s mobile computers, devices and removable media. The EIEP’s encryption methods must align with the Guidelines established by the National Institute of Standards and Technology (NIST). SSA recommends the Advanced Encryption Standard (AES) or Triple DES (Data Encryption Standard 3). Files encrypted for external users (when using tools such as Microsoft Word encryption) require a key length of at least nine characters. SSA recommends that the key (also referred to as a password) contain both special characters and numbers. SSA supports the NIST Guidelines that require the EIEP deliver the key so that it does not accompany the media. The EIEP must secure the key when not in use or unattended. SSA discourages the use of the public Internet for transmission of SSA-provided information. If, however, the EIEP uses the public Internet or other electronic communications, such as emails and faxes, to transmit SSA-provided information, they must use a secure encryption protocol such as Secure Socket Layer (SSL) or Transport Layer Security (TLS). SSA also recommends 256-bit encryption protocols or more secure methods such as Virtual Private Network technology. The EIEP should only send data to a secure address or device to which the EIEP can control and limit access to only specifically authorized individuals and/or processes.
SSA recommends that EIEPs use Media Access Control (MAC) Filtering and Firewalls to protect access points from unauthorized devices attempting to connect to the network. EIEPs should not retain SSA-provided information any longer than business purpose(s) dictate. The Information Exchange Agreement with SSA stipulates a time for data retention. The EIEP should delete, purge, destroy, or return SSA-provided information when the business purpose for retention no longer exists. The EIEP may not save or create separate files comprised solely of information provided by SSA. The EIEP may apply specific SSA-provided information to the EIEP’s matched record from a preexisting data source. Federal law prohibits duplication and redisclosure of SSA-provided information without written approval. The prohibition applies to both internal and external sources who do not have a “need-to-know.”[2] SSA recommends that EIEPs use either Trusted Platform Module (TPM) or Hardware Security Module (HSM) technology solutions to encrypt data at rest on hard drives and other data storage media. EIEPs must prevent unauthorized disclosure of SSA-provided information after they complete processing and after the EIEP no longer requires the information. The EIEP’s operational processes must ensure that no residual SSA-provided information remains on the hard drives of users’ workstations after the user exits the application(s) that use SSA-provided information. If the EIEP must send a computer, hard drive, or other computing or storage device offsite for repair, the EIEP must have a non-disclosure clause in their contract with the vendor. If the EIEP used the item in connection with a business process that involved SSA-provided information and the vendor will retrieve or may view SSA-provided information during servicing, SSA reserves the right to inspect the EIEP’s vendor contract.
[2] Need-to-know - access to the information must be necessary for the conduct of one's official duties.
The EIEP must remove SSA-provided information from electronic devices before sending it to an external vendor for service. SSA expects the EIEP to render it unrecoverable or destroy the electronic device if they do not need to recover the data. The same applies to excessed, donated, or sold equipment placed into the custody of another organization. To sanitize media, the EIEP should use one of the following methods:
• Overwriting. Overwrite utilities can only be used on working devices. Overwriting is appropriate only for devices designed for multiple reads and writes. The EIEP should overwrite disk drives, magnetic tapes, floppy disks, USB flash drives, and other rewriteable media. The overwrite utility must completely overwrite the media. SSA recommends the use of purging media sanitization to make the data irretrievable and to protect data against laboratory attacks or forensics (please refer to Definitions for more information regarding Media Sanitization). Reformatting the media does not overwrite the data.
• Degaussing. Degaussing is a sanitization method for magnetic media (e.g., disk drives, tapes, floppies, etc.). Degaussing is not effective for purging non-magnetic media (e.g., optical discs). Degaussing requires a certified tool designed for particular types of media. Certification of the tool is required to ensure that the magnetic flux applied to the media is strong enough to render the information irretrievable. The degaussing process must render data on the media irretrievable by a laboratory attack or laboratory forensic procedures (refer to Definitions for more information regarding Media Sanitization).
• Physical destruction. Physical destruction is the method when degaussing or overwriting cannot be accomplished (for example, CDs, floppies, DVDs, damaged tapes, hard drives, damaged USB flash drives, etc.). Examples of physical destruction include shredding, pulverizing, and burning.
State agencies may retain SSA-provided information in hardcopy only if required to fulfill evidentiary requirements, provided the agencies retire such data in accordance with applicable state laws governing retention of records. The EIEP must control print media containing SSA-provided information to restrict its access to authorized employees who need such access to perform their official duties. EIEPs must destroy print media containing SSA-provided information in a secure manner when it is no longer required for business purposes. The EIEP should destroy paper documents that contain SSA-provided information by burning, pulping, shredding, macerating, or other similar means that ensure the information is unrecoverable. NOTE: Hand tearing or lining through documents to obscure information does not meet SSA’s requirements for appropriate destruction of PII. The EIEP must employ measures to ensure that communications and data furnished to SSA contain no viruses or other malware.
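The transport-encryption requirements that open each variant of this clause (AES, a key of at least nine characters containing numbers and special characters, and a key that is delivered separately from the media) can be turned into a concrete file-protection routine. The following Go program is an added example written for this page; it is not code from SSA, from any of the agreements listed, or from NIST. It assumes a blob layout of salt, nonce and AES-256-GCM ciphertext, a PBKDF2 iteration count of 200,000, and the function names KeyMeetsPolicy, EncryptForTransport and DecryptFromTransport; none of those come from the clause. The clause also allows Triple DES and vendor tools such as Microsoft Word encryption, which are not shown here.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
	"unicode"
)

// Assumed blob layout: salt || nonce || AES-256-GCM ciphertext+tag. The passphrase is never
// stored in the blob; per the clause it is delivered separately from the media.
const (
	saltLen    = 16
	nonceLen   = 12
	keyLen     = 32      // 256-bit AES key
	iterations = 200_000 // PBKDF2 work factor (assumed value, not from the agreement)
)

// KeyMeetsPolicy enforces the clause's minimum for file passwords: nine or more
// characters, at least one number, at least one special (non-alphanumeric) character.
func KeyMeetsPolicy(pass string) bool {
	special := func(r rune) bool { return !unicode.IsLetter(r) && !unicode.IsDigit(r) }
	return len([]rune(pass)) >= 9 &&
		strings.IndexFunc(pass, unicode.IsDigit) >= 0 &&
		strings.IndexFunc(pass, special) >= 0
}

// pbkdf2SHA256 is RFC 8018 PBKDF2 with HMAC-SHA-256, spelled out so the block
// needs nothing outside the standard library.
func pbkdf2SHA256(pass, salt []byte, iter, n int) []byte {
	var out []byte
	for i := 1; len(out) < n; i++ {
		mac := hmac.New(sha256.New, pass)
		mac.Write(salt)
		mac.Write([]byte{byte(i >> 24), byte(i >> 16), byte(i >> 8), byte(i)})
		u := mac.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ {
			mac.Reset()
			mac.Write(u)
			u = mac.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		out = append(out, t...)
	}
	return out[:n]
}

func newGCM(passphrase string, salt []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(pbkdf2SHA256([]byte(passphrase), salt, iterations, keyLen))
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptForTransport refuses a passphrase below policy, then seals the plaintext under
// a fresh salt and nonce so the blob can travel on media or e-mail without the key.
func EncryptForTransport(plaintext []byte, passphrase string) ([]byte, error) {
	if !KeyMeetsPolicy(passphrase) {
		return nil, errors.New("passphrase does not meet the nine-character, number and special-character policy")
	}
	hdr := make([]byte, saltLen+nonceLen)
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	gcm, err := newGCM(passphrase, hdr[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, hdr[saltLen:], plaintext, nil), nil
}

// DecryptFromTransport fails closed on a wrong passphrase or any altered byte, because
// GCM checks the authentication tag before releasing plaintext.
func DecryptFromTransport(blob []byte, passphrase string) ([]byte, error) {
	if len(blob) < saltLen+nonceLen {
		return nil, errors.New("blob too short to hold salt and nonce")
	}
	gcm, err := newGCM(passphrase, blob[:saltLen])
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[saltLen:saltLen+nonceLen], blob[saltLen+nonceLen:], nil)
}

func main() {
	pass := "Tr4nsport-2024!" // delivered by phone or a separate message, never with the file
	blob, err := EncryptForTransport([]byte("constructed sample record, not real data"), pass)
	if err != nil {
		panic(err)
	}
	plain, err := DecryptFromTransport(blob, pass)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%d bytes on media; recovered %q\n", len(blob), plain)
}
```

Two design points follow from the clause. The policy check runs before any encryption, so a file protected with a key that is too short or lacks a number or special character is never produced. GCM is an authenticated mode, so a recipient who receives a blob that was altered in transit, or who types the wrong passphrase, gets an error rather than garbage, which is the behaviour a receiving office wants when the file and its key arrive by different routes.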

Appears in 3 contracts

Samples: Standard Agreement, web2.co.merced.ca.us, www.slocounty.ca.gov
