Documenting Security Controls in the Security Design Plan (SDP)

6.2.1 When the SDP and Risk Assessment are Required

EIEPs must submit an SDP and a security risk assessment (RA) for evaluation when one or more of the following circumstances apply. The RA must be in electronic format. It must include discussion of the measures planned or implemented to mitigate risks identified by the RA and (as applicable) risks associated with the circumstances below:

• to obtain approval for requested access to SSA-provided information for an initial agreement
• to obtain approval to reestablish previously terminated access to SSA-provided data
• to obtain approval to implement a new operating or security platform that will involve SSA-provided information
• to obtain approval for significant changes to the EIEP’s organizational structure, technical processes, operational environment, data recovery capabilities, or security implementations planned or made since approval of their most recent SDP or of their most recent successfully completed security review
• to confirm compliance when one or more security breaches or incidents involving SSA-provided information occurred since approval of the EIEP’s most recent SDP or of their most recent successfully completed security review
• to document descriptions and explanations of measures implemented as the result of a data breach or security incident
• to document descriptions and explanations of measures implemented to resolve non-compliance issue(s)
• to obtain a new approval after SSA revoked approval of the most recent SDP

SSA may require a new SDP if changes occurred (other than those listed above) that may affect the terms of the EIEP’s information sharing agreement with SSA. An SDP must satisfactorily document the EIEP’s compliance with all of SSA’s SSRs in order to provide the minimum level of security acceptable to SSA for its EIEP’s access to SSA-provided information.
EIEPs must correct deficiencies identified through the evaluation of the SDP and submit a revised SDP that incorporates descriptions and explanations of the measures implemented to eliminate the deficiencies. SSA cannot grant access to SSA-provided information until the EIEP corrects the deficiencies, documents the SDP, and SSA approves the revisions. The EIEP will communicate the implementation of corrective actions to SSA on a regular basis. SSA will withhold final approval until the EIEP can rectify all deficiencies. SSA may revoke the approval of the EIEP’s SDP and its access to SSA-provided information if we learn the EIEP is non-compliant with one or more SSRs. The EIEP must submit a revised SDP, which incorporates descriptions and explanations of the measures the EIEP will implement to resolve the non-compliance issue(s). The EIEP must communicate the progress of corrective action(s) to SSA on a regular basis. SSA will consider the EIEP in non-compliant status until resolution of the issue(s), the EIEP’s SDP documents the corrections, and we approve the SDP. If, within a reasonable time as determined by SSA, the EIEP is unable to rectify a deficiency determined by SSA to present a substantial risk to SSA-provided information or to SSA, SSA will withhold approval of the SDP and discontinue the flow of SSA-provided information.
Appears in 2 contracts
Samples: Computer Matching and Privacy Protection Act Agreement, Computer Matching and Privacy Protection Act Agreement
Appears in 1 contract
Samples: Computer Matching and Privacy Protection Act Agreement
Appears in 1 contract
Samples: Information Exchange Agreement