Common use of INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES Clause in Contracts

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES.

A. DHS/FEMA and SBA agree to report and track incidents in accordance with the most recent, final version of NIST Special Publication 800-61.[4] Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency's System Security Contact(s) below:

▪ DHS/FEMA will promptly notify the following contact at SBA simultaneously: SBA Office of Capital Access - Disaster Lending System Operations Center: (000) 000-0000, and SBA Office of Chief Information Officer (OCIO) Chief Information Security Officer, Xxxxxx Xxxxx, 000-000-0000.

▪ SBA will promptly notify, the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), Recovery Technology Programs Division (RTPD), Disaster Assistance Improvement Program (DAIP) via email at: XXXX-Xxxxxxx-XXXX-XXXX@xxxx.xxx.xxx.

B. If the federal agency experiencing the incident is unable to speak with the other federal agency's System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used:

C. If either DHS/FEMA and SBA experience an exposure of PII provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 "Preparing for and Responding to a Breach of Personally Identifiable Information" (January 3, 2017).

D. Neither SBA nor FEMA shall be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII.

E. DHS/FEMA and SBA agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including:

F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or litigation arising from a breach of the Agency's own systems or data; FEMA is responsible only for costs and litigation associated with breaches to FEMA systems or data and SBA is responsible only for breaches associated with SBA system or data.

[4] Xxxxxxxxx, P., Xxxxxx, T., Xxxxxx, X., & Xxxxxxxx, K. (2012, August). Computer Security Incident Handling Guide (Unit, Department of Commerce, National Institute of Standards and Technology). Retrieved from xxxx://xxxxxxx.xxxx.xxx.xxxxx 1bs/Special Publications/NIST.SP.800-61r2.pdf.

Appears in 2 contracts

Samples: Computer Matching Agreement, Computer Matching Agreement


INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA FEMA, HUD, and SBA CDBG-DR xxxxxxxx agree to report and track incidents in accordance with the most recentcurrent, final version of NIST Special Publication 800-61.4 61. Upon detection of an incident related to this interconnection, the agency party experiencing the incident will promptly notify the other agency's source’s System Security Contact(s) Contacts below: ▪ DHS/: 1. FEMA and CDBG-DR xxxxxxxx will promptly notify the following contact at SBA simultaneouslyHUD: SBA Office of Capital Access - Disaster Lending System Operations Center: (HUD National Help Desk 0-000) -000-0000, . 2. HUD and SBA Office of Chief Information Officer (OCIO) Chief Information Security Officer, Xxxxxx Xxxxx, 000- 000CDBG-0000. ▪ SBA DR xxxxxxxx will promptly notify, notify the following contact at DHS/FEMA simultaneouslyFEMA: Information System Security Officer (ISSO), DAIP, Recovery Technology Programs Division (RTPD)) Product Delivery 2 Branch Chief, Disaster Assistance Improvement Program (DAIP) via email at: XXXX-Xxxxxxx-XXXX-XXXX@xxxx.xxx.xxx. 4 Xxxxxxxxx, P., Xxxxxx, T., Xxxxxx, X., & Xxxxxxx Xxxxxxxx, K. xxxxxxx.xxxxxxxx@xxxx.xxx.xxx, (2012, August). Computer Security Incident Handling Guide (Unit, Department of Commerce, National Institute of Standards and Technology). Retrieved from xxxx://xxxxxxx.xxxx.xxx.xxxxx 1bs/Special Publications/NIST.SP.800000) 000-61r2.pdf0000. B. If the federal agency party experiencing the incident is unable to speak with the other appropriate federal agency's ’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., for example: outside of normal business hours), then the following contact information shall will be used: 1. FEMA Security Operations Center (SOC): (000) 000-0000 or FEMA Helpdesk: 1-888- 457-3362 2. HUD Help Desk: (000) 000-0000. C. 
If either DHS/FEMA and SBA or HUD experience an a potential or actual exposure of PII provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 "12, “Preparing for and Responding to a Breach of Personally Identifiable Information" ,” (January 3, 2017), and its agency breach response plan, or if the CDBG-DR xxxxxxx experienced the incident, it will comply with Section V.C. of OMB M-17-12. Upon detection of potential exposure of PII related to this Agreement, the agency experiencing the potential breach will promptly notify the other agency’s Privacy Office contacts below. CDBG-DR xxxxxxxx will notify both offices. 1. FEMA Privacy Office: (000) 000-0000 or XXXX-Xxxxxxx-Xxxxxxxxx@xxxx.xxx.xxx. 2. For security breaches, contact HUD National Help Desk at 0-000-000-0000. D. Neither SBA nor FEMA shall All parties agree that a party will not be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PIIregistrant/policyholder PII by another party or another party’s agents, or for any loss, claim, damage damage, or liability, of whatsoever kind or nature, which may arise from or in connection with another party’s actions under this Agreement or the another party’s use of survivor/registrant registrant/policyholder PII. E. DHS/FEMA FEMA, HUD, and SBA CDBG-DR xxxxxxxx agree to notify all the System Security Contact(s) Contacts named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a suspected or confirmed breach (or suspected breach) involving PII. The A federal agency that experienced the incident will also be responsible for following its internal established procedures, procedures including: 1. 
Notifying the proper organizations such as the United States Computer Emergency Readiness Team (US-CERT), the ISSOs, and other contacts listed in this document, 2. Conducting a breach and risk analysis and determining the need for notice and/or remediation to individuals affected by the loss, and 3. Providing such notice and credit monitoring to the affected individuals at no cost to the other federal agency if the analysis, conducted by the federal agency having experienced the incident, indicates that individual notice and credit monitoring are appropriate. F. In the event of any an incident arising from or in connection with this Agreement, each Agency FEMA, HUD, and/or the CDBG-DR grantees will be responsible only for costs and/or and litigation arising from a breach of the Agency's their own systems (which may contain the other parties’ data) or data; . FEMA is responsible only for costs and litigation associated with breaches to FEMA systems (which may contain the other parties’ data) or data and SBA data; HUD is responsible only for breaches associated with SBA system HUD systems (which may contain the other parties’ data) or data; and all CDBG-DR xxxxxxxx are responsible only for breaches associated with their systems (which may contain the other parties’ data) or data.

Appears in 2 contracts

Samples: Computer Matching Agreement, Computer Matching Agreement

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA and SBA HUD agree to report and track incidents in accordance with the most recentcurrent, final version of NIST Special Publication 800-61.4 61. Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency's ’s System Security Contact(s) Contacts below: ▪ DHS/. 1. FEMA will promptly notify the following contact at SBA HUD simultaneously: SBA Office of Capital Access - Disaster Lending System Operations Center: (HUD National Help Desk 0-000) -000-0000, and SBA Office of Chief Information Officer (OCIO) Chief Information Security Officer, Xxxxxx Xxxxx, 000- 000-0000. 2. ▪ SBA HUD will promptly notify, notify the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), DAIP, Recovery Technology Programs Division (RTPD)) Product Delivery 2 Branch Chief, Disaster Assistance Improvement Program Xxxxxxx Northern, xxxxxxx.xxxxxxxx@xxxx.xxx.xxx, (DAIP000) via email at: XXXX-Xxxxxxx-XXXX-XXXX@xxxx.xxx.xxx. 4 Xxxxxxxxx, P., Xxxxxx, T., Xxxxxx, X., & Xxxxxxxx, K. (2012, August). Computer Security Incident Handling Guide (Unit, Department of Commerce, National Institute of Standards and Technology). Retrieved from xxxx://xxxxxxx.xxxx.xxx.xxxxx 1bs/Special Publications/NIST.SP.800000-61r2.pdf0000. B. If the federal agency experiencing the incident is unable to speak with the other federal agency's ’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., for example: outside of normal business hours), then the following contact information shall will be used:. 1. FEMA Security Operations Center (SOC): (000) 000-0000 or FEMA Helpdesk: 1-888- 457-3362 2. HUD Help Desk: (000) 000-0000 C. 
If either DHS/FEMA and SBA or HUD experience an a potential or actual exposure of PII provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 "12, “Preparing for and Responding to a Breach of Personally Identifiable Information" personally identifiable information,” (January 3, 2017)) and its agency breach response plan. Upon detection of potential exposure of PII related to this Agreement, the agency experiencing the potential breach will promptly notify the other agency’s Privacy Office contacts below. 1. FEMA Privacy Office: (000) 000-0000 or XXXX-Xxxxxxx-Xxxxxxxxx@xxxx.xxx.xxx. 2. For security breaches, contact HUD National Help Desk at 0-000-000-0000. D. Neither SBA HUD nor FEMA shall will be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PIIPII by an entity other than HUD or FEMA, or for any loss, claim, damage damage, or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. E. DHS/FEMA and SBA HUD agree to notify all the System Security Contact(s) Contacts named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a suspected or confirmed breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, procedures including: 1. Notifying the proper organizations such as the United States Computer Emergency Readiness Team (US-CERT), the ISSOs, and other contacts listed in this document, 2. Conducting a breach and risk analysis and determining the need for notice and/or remediation to individuals affected by the loss, and 3. 
Providing such notice and credit monitoring to the affected individuals at no cost to the other agency if the analysis, conducted by the agency having experienced the incident, indicates that individual notice and credit monitoring are appropriate. F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or and litigation arising from a breach of the Agency's ’s own systems or data; . FEMA is responsible only for costs and litigation associated with breaches to FEMA systems or data data, and SBA HUD is responsible only for breaches associated with SBA HUD system or data.

Appears in 1 contract

Samples: Computer Matching Agreement

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA 1. FISMA defines “incident” as “an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” 2. FCC, USAC, and SBA ED agree to report and track incidents in accordance with the most recent, final current version of NIST Special Publication 800OMB and Cybersecurity & Infrastructure Security Agency (CISA) (US-61.4 CERT) guidelines. Upon detection of an incident related to this interconnection, the agency Party experiencing the incident will promptly notify the other agency's Party’s System Security Contact(s) named below: ▪ DHS/FEMA • FCC or USAC will promptly notify the following contact contacts at SBA simultaneouslyED: SBA o Computer Security Issues Xxxxx Xxxxx, Acting FSA Chief Information Security Officer U.S. Department of Education, Federal Student Aid Technology Office of Capital Access - Disaster Lending System Operations Center000 Xxxxx Xxxxxx, XX, Xxxxxxxxxx, XX 00000-0000 Telephone: (000) 000-00000000 Email: Xxxxx.Xxxxx@xx.xxx o Systems Security Issues Folajimi “Xxxx” Xxxxxxx, and SBA Office System Owner’s Primary Representative Business Technical Lead, COD U.S. Department of Chief Information Officer Education, Program Support Management Services 000 Xxxxx Xxxxxx, XX, Xxxxxxxxxx, XX 00000-0000 Telephone: (OCIO000) Chief Information Security Officer, Xxxxxx Xxxxx, 000- 000-0000. ▪ SBA 0000 Email: Xxxxxxxx.Xxxxxxx@xx.xxx Balaji Mysore, ISSO, COD U.S. 
Department of Education, Federal Student Aid Technology Office 000 Xxxxx Xxxxxx, XX, Xxxxxxxxxx, XX 00000-0000 Telephone: (000) 000-0000 Email: Xxxxxx.Xxxxxx@xx.xxx • ED will promptly notify, notify the following contact contacts at DHS/FEMA USAC simultaneously: Information System o USAC Privacy Team: xxxxxxx@xxxx.xxx o USAC Systems Security Officer Team: xxxxxxxx@xxxx.xxx • As soon as possible after notifying ED of an incident, or receiving notification of an incident from ED, FCC or USAC will report the incident to the FCC’s Network Security Operations Center (ISSO), Recovery Technology Programs Division NSOC) at XXXX@xxx.xxx or (RTPD), Disaster Assistance Improvement Program 000) 000-0000 within one (DAIP1) via email at: XXXX-Xxxxxxx-XXXX-XXXX@xxxx.xxx.xxx. 4 Xxxxxxxxx, P., Xxxxxx, T., Xxxxxx, X., & Xxxxxxxx, K. (2012, August). Computer Security Incident Handling Guide (Unit, Department hour of Commerce, National Institute of Standards and Technology). Retrieved from xxxx://xxxxxxx.xxxx.xxx.xxxxx 1bs/Special Publications/NIST.SP.800-61r2.pdfnotification. B. 3. If the federal agency Party experiencing the incident is unable to cannot speak with the other federal agency's Party’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following this contact information shall be used: C. If either DHS/FEMA and SBA experience an exposure of PII provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 "Preparing for and Responding to a Breach of Personally Identifiable Information" (January 3, 2017). D. 
Neither SBA nor FEMA shall be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. E. DHS/FEMA and SBA agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including: F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or litigation arising from a breach of the Agency's own systems or data; FEMA is responsible only for costs and litigation associated with breaches to FEMA systems or data and SBA is responsible only for breaches associated with SBA system or data.: • USAC

Appears in 1 contract

Samples: Computer Matching Agreement

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA and SBA HUD agree to report and track incidents in accordance with the most recentcurrent, final version of NIST Special Publication 800-61.4 61. Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency's ’s System Security Contact(s) Contacts below: ▪ DHS/. 1. FEMA will promptly notify the following contact at SBA HUD simultaneously: SBA Office of Capital Access - Disaster Lending System Operations Center: (HUD National Help Desk 0-000) -000-0000, and SBA Office of Chief Information Officer (OCIO) Chief Information Security Officer, Xxxxxx Xxxxx, 000- 000-0000. 2. ▪ SBA XXX will promptly notify, notify the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), DAIP, Recovery Technology Programs Division (RTPD)) Product Delivery 2 Branch Chief, Disaster Assistance Improvement Program (DAIP) via email at: XXXX-Xxxxxxx-XXXX-XXXX@xxxx.xxx.xxx. 4 Xxxxxxxxx, P., Xxxxxx, T., Xxxxxx, X., & Xxxxxxx Xxxxxxxx, K. xxxxxxx.xxxxxxxx@xxxx.xxx.xxx, (2012, August). Computer Security Incident Handling Guide (Unit, Department of Commerce, National Institute of Standards and Technology). Retrieved from xxxx://xxxxxxx.xxxx.xxx.xxxxx 1bs/Special Publications/NIST.SP.800000) 000-61r2.pdf0000. B. If the federal agency experiencing the incident is unable to speak with the other federal agency's ’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., for example: outside of normal business hours), then the following contact information shall will be used:. 1. FEMA Security Operations Center (SOC): (000) 000-0000 or FEMA Helpdesk: 1-888- 457-3362 2. HUD Help Desk: (000) 000-0000 C. 
If either DHS/FEMA and SBA or HUD experience an a potential or actual exposure of PII provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 "12, “Preparing for and Responding to a Breach of Personally Identifiable Information" personally identifiable information,” (January 3, 2017)) and its agency breach response plan. Upon detection of potential exposure of PII related to this Agreement, the agency experiencing the potential breach will promptly notify the other agency’s Privacy Office contacts below. 1. FEMA Privacy Office: (000) 000-0000 or XXXX-Xxxxxxx-Xxxxxxxxx@xxxx.xxx.xxx. 2. For security breaches, contact HUD National Help Desk at 0-000-000-0000. D. Neither SBA HUD nor FEMA shall will be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PIIPII by an entity other than HUD or FEMA, or for any loss, claim, damage damage, or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. E. DHS/FEMA and SBA HUD agree to notify all the System Security Contact(s) Contacts named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a suspected or confirmed breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, procedures including: 1. Notifying the proper organizations such as the United States Computer Emergency Readiness Team (US-CERT), the ISSOs, and other contacts listed in this document, 2. Conducting a breach and risk analysis and determining the need for notice and/or remediation to individuals affected by the loss, and 3. 
Providing such notice and credit monitoring to the affected individuals at no cost to the other agency if the analysis, conducted by the agency having experienced the incident, indicates that individual notice and credit monitoring are appropriate. F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or and litigation arising from a breach of the Agency's ’s own systems or data; . FEMA is responsible only for costs and litigation associated with breaches to FEMA systems or data data, and SBA HUD is responsible only for breaches associated with SBA HUD system or data.

Appears in 1 contract

Samples: Computer Matching Agreement


INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA VA and SBA agree to report and track incidents in accordance with the most recent, final version of NIST Special Publication 800-61.4 61, Rev. 2.1 Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency's System Security Contact(s) below: ▪ DHS/FEMA VA will promptly notify the following contact at SBA simultaneouslySBA: SBA Office of Capital Access - Disaster Lending System Operations Center: (000) 000-0000, and SBA Office of Chief Information Officer (OCIO) Chief Information Security Officer and Deputy Chief Information Officer, Mr. Xxxxxx Xxxxx, Xxxxx 000- 000-00000000 and SBA Security Operations Center: 202-205- 0101. ▪ SBA will promptly notifynotify xxx@xx.xxx, and the following contact contacts at DHS/FEMA VA simultaneously: i. VA Privacy Officer, Xxxx Xxxxxx: (000) 000-0000, xxxx.xxxxxx@xx.xxx ii. VA Chief Information System Security Officer Officer, Xxxxxxx Xxxxxxxx: (ISSO)202) 270- 1878, Recovery Technology Programs Division (RTPD)xxxxxxx.xxxxxxxx@xx.xxx iii. Veterans Benefits Administration, Disaster Assistance Improvement Program (DAIP) via email atPrivacy Office: XXXX-Xxxxxxx-XXXX-XXXX@xxxx.xxx.xxx. 4 Xxxxxxxxx, P., Xxxxxx, T., Xxxxxx, X., & Xxxxxxxx, K. (2012, August). Computer Security Incident Handling Guide (Unit, Department of Commerce, National Institute of Standards and Technology). Retrieved from xxxx://xxxxxxx.xxxx.xxx.xxxxx 1bs/Special Publications/NIST.SP.800-61r2.pdf.xxxxxxx.xxxxxxx@xx.xxx B. If the federal agency experiencing the incident is unable to speak with the other federal agency's System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used: C. 
If either DHS/FEMA VA and SBA experience an exposure of PII personally identifiable information (PII) provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 "Preparing for and Responding to a Breach of Personally Identifiable Information" (January 3, 2017). D. Neither SBA nor FEMA shall be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. E. DHS/FEMA VA and SBA agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including: F. In including:‌‌ ▪ Notifying the event of any incident arising from or proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the ISSOs, and other contacts listed in connection with this Agreement, each Agency will be responsible only for costs and/or litigation arising from document); ▪ Conducting a breach and risk analysis, and making a determination of the Agency's own systems or dataneed for notice and/or remediation to individuals affected by the loss; FEMA is responsible only for costs ▪ Providing such notice and litigation associated with breaches credit monitoring to FEMA systems or data the affected individuals at no cost to the other agency, if the analysis conducted by the agency having experienced the loss incident indicates that individual notice and SBA is responsible only for breaches associated with SBA system or datacredit monitoring are appropriate.

Appears in 1 contract

Samples: Computer Matching Agreement

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHSCMS and the FCC/FEMA and SBA USAC agree to report and track security and privacy incidents in accordance with the most recent, final version current Department of NIST Special Publication 800Homeland Security and the United States Computer Emergency Readiness Team (US-61.4 CERT) guidelines. Upon detection of an incident related to this interconnection, the agency Party experiencing the incident will promptly notify the other agency's Party’s System Security Contact(s) named below: ▪ DHSFCC/FEMA USAC will promptly notify this contact at CMS: the CMS IT Service Desk by telephone at (000) 000-0000 or 0-000-000-0000 or via email notification at xxx_xx_xxxxxxx_xxxx@xxx.xxx.xxx within one (1) hour after discovery of the incident. CMS will promptly notify the following contact FCC/USAC by sending an email to xxxxxxxx@xxxx.xxx to activate USAC’s Incident Response Team and notifying simultaneously one of these contacts at SBA simultaneouslythe FCC/USAC: SBA Office USAC Privacy Officer, Xxxxxxxx Xxxxxxxx, (000) 000-0000 or USAC Director of Capital Access - Disaster Lending System Operations Center: Information Security, (000) 000-0000. B. As soon as possible after receiving a notification of an incident from CMS, and SBA Office of Chief Information Officer USAC will report the incident to the FCC’s Network Security Operations Center (OCIONSOC) Chief Information Security Officer, Xxxxxx Xxxxx, 000- at xxxx@xxx.xxx or (000) 000-0000. ▪ SBA will promptly notify, In the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), Recovery Technology Programs Division (RTPD), Disaster Assistance Improvement Program (DAIP) via email at: XXXX-Xxxxxxx-XXXX-XXXX@xxxx.xxx.xxx. 4 Xxxxxxxxx, P., Xxxxxx, T., Xxxxxx, X., & Xxxxxxxx, K. (2012, August). Computer Security Incident Handling Guide (Unit, Department event of Commerce, National Institute of Standards and Technology). 
Retrieved from xxxx://xxxxxxx.xxxx.xxx.xxxxx 1bs/Special Publications/NIST.SP.800-61r2.pdf. B. If the federal agency experiencing the incident is unable to speak with the other federal agency's System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used: C. If either DHS/FEMA and SBA experience an exposure a loss of PII provided under the terms of this Agreement, the federal agency Party that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 "12, “Preparing for and Responding to a Breach of Personally Identifiable Information" (January 3, 2017). D. Neither SBA nor FEMA shall be liable for any cause of action arising from C. CMS and the possession, control, or use by a State or local government of survivorFCC/registrant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. E. DHS/FEMA and SBA USAC agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. 
The agency Party that experienced the incident will also be responsible for following its internal established procedures, including:: ▪ Notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the Information Systems Security Officers (ISSOs), and other contacts listed in this document); ▪ Conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss; and ▪ Providing such notice and credit monitoring at no cost to the other Party, if the analysis conducted by the Party having experienced the loss incident indicates that individual notice and credit monitoring are appropriate. F. D. In the event of any incident arising from or in connection with this Agreement, each Agency Party will be responsible only for costs and/or litigation arising from a breach of the Agency's Party’s own systems or data; FEMA systems. FCC/USAC is responsible only for costs and litigation associated with breaches to FEMA systems or data FCC/USAC systems, and SBA CMS is responsible only for breaches associated with SBA system CMS systems. FCC/USAC shall not be liable to CMS or datato any third person for any cause of action arising from the possession, control, or use by CMS of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or the use of applicant or subscriber PII. CMS shall not be liable to FCC/USAC, or to any third person for any cause of action arising from the possession, control, or use by FCC/USAC of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or the using applicant or subscriber PII.

Appears in 1 contract

Samples: Computer Matching Agreement

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA 1. FISMA defines “incident” as “an occurrence that (A) actually or imminently jeopardizes, without lawful authority, the integrity, confidentiality, or availability of information or an information system; or (B) constitutes a violation or imminent threat of violation of law, security policies, security procedures, or acceptable use policies.” 2. FCC, USAC, and SBA ED agree to report and track incidents in accordance with the most recent, final current version of NIST Special Publication 800OMB and Cybersecurity & Infrastructure Security Agency (CISA) (US-61.4 CERT) guidelines. Upon detection of an incident related to this interconnection, the agency Party experiencing the incident will promptly notify the other agency's Party’s System Security Contact(s) named below: ▪ DHS/FEMA • FCC or USAC will promptly notify the following contact contacts at SBA simultaneouslyED: SBA o Computer Security Issues Xxxxx Xxxxx, Acting FSA Chief Information Security Officer U.S. Department of Education, Federal Student Aid Technology Office of Capital Access - Disaster Lending System Operations Center830 First Street, NE, Washington, DC 00000-0000 Telephone: (000) 000-00000000 Email: Xxxxx.Xxxxx@xx.xxx o Systems Security Issues Folajimi “Xxxx” Ayodele, and SBA Office System Owner’s Primary Representative Business Technical Lead, COD U.S. Department of Chief Information Officer Education, Program Support Management Services 830 First Street, NE, Washington, DC 00000-0000 Telephone: (OCIO000) Chief Information Security Officer, Xxxxxx Xxxxx, 000- 000-0000. ▪ SBA 0000 Email: Xxxxxxxx.Xxxxxxx@xx.xxx Balaji Mysore, ISSO, COD U.S. 
Department of Education, Federal Student Aid Technology Office 830 First Street, NE, Washington, DC 00000-0000 Telephone: (000) 000-0000 Email: Xxxxxx.Xxxxxx@xx.xxx • XX will promptly notify, notify the following contact contacts at DHS/FEMA USAC simultaneously: Information System o USAC Privacy Team: xxxxxxx@xxxx.xxx o USAC Systems Security Officer Team: xxxxxxxx@xxxx.xxx • As soon as possible after notifying ED of an incident, or receiving notification of an incident from ED, FCC or USAC will report the incident to the FCC’s Network Security Operations Center (ISSO), Recovery Technology Programs Division NSOC) at XXXX@xxx.xxx or (RTPD), Disaster Assistance Improvement Program 000) 000-0000 within one (DAIP1) via email at: XXXX-Xxxxxxx-XXXX-XXXX@xxxx.xxx.xxx. 4 Xxxxxxxxx, P., Xxxxxx, T., Xxxxxx, X., & Xxxxxxxx, K. (2012, August). Computer Security Incident Handling Guide (Unit, Department hour of Commerce, National Institute of Standards and Technology). Retrieved from xxxx://xxxxxxx.xxxx.xxx.xxxxx 1bs/Special Publications/NIST.SP.800-61r2.pdfnotification. B. 3. If the federal agency Party experiencing the incident is unable to cannot speak with the other federal agency's Party’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following this contact information shall be used: C. If either DHS/FEMA and SBA experience an exposure of PII provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 "Preparing for and Responding to a Breach of Personally Identifiable Information" (January 3, 2017). D. 
Neither SBA nor FEMA shall be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. E. DHS/FEMA and SBA agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including: F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or litigation arising from a breach of the Agency's own systems or data; FEMA is responsible only for costs and litigation associated with breaches to FEMA systems or data and SBA is responsible only for breaches associated with SBA system or data.: • USAC

Appears in 1 contract

Samples: Computer Matching Agreement
