Common use of General System Security Design and Operating Environment Clause in Contracts

General System Security Design and Operating Environment. EIEPs must provide descriptions and explanations of their overall system design, configuration, security features, and operational environment and include explanations of how they conform to SSA’s requirements. Explanations must include the following: o Descriptions of the operating environment(s) in which the EIEP will utilize, maintain, and transmit SSA-provided information o Descriptions of the business process(es) in which the EIEP will use SSA-provided information o Descriptions of the physical safeguards employed to ensure that unauthorized personnel cannot access SSA-provided information and details of how the EIEP keeps audit information pertaining to the use and access to SSA-provided information and associated applications readily available o Descriptions of electronic safeguards, methods, and procedures for protecting the EIEP’s network infrastructure and for protecting SSA-provided information while in transit, in use within a process or application, and at rest (stored or not in use) o Descriptions of how the EIEP prevents unauthorized retrieval of SSA-provided information by computer, remote terminal, or other means, including descriptions of security software other than access control software (e.g., security patch and anti- malware software installation and maintenance, etc.) o Descriptions of how the configurations of devices (e.g., servers, workstations, and portable devices) involving SSA-provided information comply with recognized industry standards and SSA’s system security requirements o Description of how the EIEP implements adequate security controls (e.g., passwords enforcing sufficient construction strength to defeat or minimize risk-based identified vulnerabilities)

General System Security Design and Operating Environment.  EIEPs must provide descriptions and explanations of their overall system design, configuration, security features, and operational environment and include explanations of how they conform to SSA’s requirements. Explanations must include the following: o Descriptions of the operating environment(s) in which the EIEP will utilize, maintain, and transmit SSA-provided information o Descriptions of the business process(es) in which the EIEP will use SSA-provided information o Descriptions of the physical safeguards employed to ensure that unauthorized personnel cannot access SSA-provided information and details of how the EIEP keeps audit information pertaining to the use and access to SSA-provided information and associated applications readily available o Descriptions of electronic safeguards, methods, and procedures for protecting the EIEP’s network infrastructure and for protecting SSA-provided information while in transit, in use within a process or application, and at rest (stored or not in use) o Descriptions of how the EIEP prevents unauthorized retrieval of SSA-provided information by computer, remote terminal, or other means, including descriptions of security software other than access control software (e.g., security patch and anti- malware software installation and maintenance, etc.) o Descriptions of how the configurations of devices (e.g., servers, workstations, and portable devices) involving SSA-provided information comply with recognized industry standards and SSA’s system security requirements o Description of how the EIEP implements adequate security controls (e.g., passwords enforcing sufficient construction strength to defeat or minimize risk-based identified vulnerabilities)