Common use of INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES Clause in Contracts

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA and HUD agree to report and track incidents in accordance with the most current, final version of NIST Special Publication 800-61.2 Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) below: • DHS/FEMA will promptly notify the following contact at HUD simultaneously: REAC Office within the Office of Public and Indian Housing. • HUD will promptly notify the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), Recovery Technology Programs Division (RTPD), Disaster Assistance Improvement Program (DAIP). B. If the federal agency experiencing the incident is unable to speak with the other federal agency’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used: C. If either DHS/FEMA and HUD experience an exposure or of personally identifiable information (PII) provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 “Preparing for and Responding to a Breach of Personally Identifiable Information” (January 3, 2017) and its agency breach response plan. D. Neither HUD nor FEMA shall be liable for any cause of action arising from the possession, control, or use of survivor/registrant PII by an entity other than HUD or FEMA, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII.

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA and HUD agree to report and track incidents in accordance with the most current, final version of NIST Special Publication 800-61.2 53. Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) below: • DHS/FEMA will promptly notify the following contact at HUD simultaneously: REAC Office within the Office of Public and Indian Housing. • HUD will promptly notify the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), Recovery Technology Programs Division (RTPD), Disaster Assistance Improvement Program (DAIP). B. If the federal agency experiencing the incident is unable to speak with the other federal agency’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used:: • FEMA Security Operations Center (SOC): (000) 000-0000 OR FEMA Helpdesk: 0-000-000-0000 • HUD Help Desk: (000) 000-0000 C. If either DHS/FEMA and HUD experience an exposure or a loss of personally identifiable information (PII) provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17M-06-12 19, “Preparing Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security into IT Investment” (July 12, 2006), and XXX X-00-00, “Safeguarding Against and Responding to a the Breach of Personally Identifiable Information” (January 3May 22, 2017) and its agency breach response plan2007). D. Neither HUD nor FEMA shall not be liable to the State or to any third person for any cause of action arising from the possession, control, or use by State of survivor/registrant PII by an entity other than HUD or FEMAPII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. Nothing in this section shall be construed as a waiver of sovereign immunity against suits by third persons against State. E. DHS/FEMA and HUD agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including: ▪ Notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the ISSOs, and other contacts listed in this document); ▪ Conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss; ▪ Providing such notice and credit monitoring at no cost to the other agency, if the analysis conducted by the agency having experienced the loss incident indicates that individual notice and credit monitoring are appropriate. F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or litigation arising from a breach of the Agency’s own systems; FEMA is responsible only for costs and litigation associated with breaches to FEMA systems and HUD is responsible only for breaches associated with HUD systems. Notwithstanding whether the privacy incident is the result of a negligent or intentional act or omission, each Agency agrees to pay for any and all costs associated with a breach of its facilities, including costs and attorneys’ fees, and to reimburse the United States, HUD, or FEMA and any of their officers and employees in full for any adverse judgments against them. FEMA shall not be liable to HUD or to any third person for any cause of action arising from the possession, control, or use by HUD of survivor/registrant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. HUD shall not be liable to FEMA or to any third person for any cause of action arising from the possession, control, or use by FEMA of applicant PII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. Nothing in this section shall be construed as a waiver of sovereign immunity against suits by third persons.

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA and HUD SBA agree to report and track incidents in accordance with the most currentrecent, final version of NIST Special Publication 800-61.2 61.4 Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency’s 's System Security Contact(s) below: • ▪ DHS/FEMA will promptly notify the following contact at HUD SBA simultaneously: REAC SBA Office within the for Disaster Assistance - Disaster Credit Management System (DCMS) Operations Center: (000) 000-0000, SBA Office of Public and Indian HousingChief Information Officer (OCIO) Chief Information Security Officer: 000-000-0000. • HUD ▪ SBA will promptly notify notify, the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), Recovery Technology Programs Division (RTPD), Disaster Assistance Improvement Program (DAIP). B. If the federal agency experiencing the incident is unable to speak with the other federal agency’s 's System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used: C. If either DHS/FEMA and HUD SBA experience an exposure or of personally identifiable information (PII) provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 “"Preparing for and Responding to a Breach of Personally Identifiable Information” " (January 3, 2017) and its agency breach response plan). D. Neither HUD SBA nor FEMA shall be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PII by an entity other than HUD or FEMAPII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. E. DHS/FEMA and SBA agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including: F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or litigation arising from a breach of the Agency's own systems or data; FEMA is responsible only for costs and litigation associated with breaches to FEMA systems or data and SBA is responsible only for breaches associated with SBA system or data.

INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES. A. DHS/FEMA and HUD SBA agree to report and track incidents in accordance with the most current, final version of NIST Special Publication 800-61.2 61.4 Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) below: • DHS/FEMA will promptly notify the following contact at HUD simultaneously: REAC Office within the Office of Public and Indian Housing. • HUD will promptly notify the following contact at DHS/FEMA simultaneously: Information System Security Officer (ISSO), Recovery Technology Programs Division (RTPD), Disaster Assistance Improvement Program (DAIP).: B. If the federal agency experiencing the incident is unable to speak with the other federal agency’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used: C. If either DHS/FEMA and HUD SBA experience an exposure or of personally identifiable information (PII) provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-17-12 “Preparing for and Responding to a Breach of Personally Identifiable Information” (January 3, 2017) and its agency breach response plan). D. Neither HUD SBA nor FEMA shall be liable for any cause of action arising from the possession, control, or use by a State or local government of survivor/registrant PII by an entity other than HUD or FEMAPII, or for any loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in connection with this Agreement or the use of survivor/registrant PII. E. DHS/FEMA and SBA agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including: F. In the event of any incident arising from or in connection with this Agreement, each Agency will be responsible only for costs and/or litigation arising from a breach of the Agency’s own systems or data; FEMA is responsible only for costs and litigation associated with breaches to FEMA systems or data and SBA is responsible only for breaches associated with SBA system or data.