Common use of Minimum Standard for Data at Rest and Data in Motion Clause in Contracts

Minimum Standard for Data at Rest and Data in Motion. Contractor must, at a minimum, comply, in its treatment of Protected Information, with National Institute of Standards and Technology (NIST) Special Publication 800-53 Moderate Level Control. Notwithstanding this requirement, Contractor acknowledges that it must fully comply with each additional obligation contained in this policy. If data is protected health information or electronic protected health information, as defined in the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) and regulations implementing these Acts (see 45 CFR Parts 160 and 164), it must be secured in accordance with “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” available on the United States Department of Health and Human Services (HHS) website xxxx://xxx.xxx.xxx/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html, or at Volume 74 of the Federal Register, beginning at page 42742. That guidance from the HHS states that valid encryption processes for protected health information data at rest (e.g., protected health information resting on a server), must be consistent with the NIST Special Publication 800-111, Guide for Storage Encryption Technologies for End User Devices. Valid encryption processes for protected health information data in motion (e.g., transmitted through a network) are those which comply with NIST Special Publications 800- 52, Guidelines for the Selection and Use of Transport Layer Security Implementation; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Minimum Standard for Data at Rest and Data in Motion. Contractor must, at a minimum, comply, in its treatment of Protected Information, with National Institute of Standards and Technology (NIST) Special Publication 800-53 Moderate Level Control. Notwithstanding this requirement, Contractor acknowledges that it must fully comply with each additional obligation contained in this policy. If data is protected health information or electronic protected health information, as defined in the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) and regulations implementing these Acts (see 45 CFR Parts 160 and 164), it must be secured in accordance with “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” available on the United States Department of Health and Human Services (HHS) website website: xxxx://xxx.xxx.xxx/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html), or at Volume 74 of the Federal Register, beginning at page 42742. That guidance from the HHS states that valid encryption processes for protected health information data at rest (e.g., protected health information resting on a server), must be consistent with the NIST Special Publication 800-111, Guide for Storage Encryption Technologies for End User Devices. Valid encryption processes for protected health information data in motion (e.g., transmitted through a network) are those which comply with NIST Special Publications 800- 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementation; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Minimum Standard for Data at Rest and Data in Motion. Contractor must, at a minimum, comply, in its treatment of Protected Information, with National Institute of Standards and Technology (NIST) Special Publication 800-53 Moderate Level Control. Notwithstanding this requirement, Contractor acknowledges that it must fully comply with each additional obligation contained in this policy. If data is protected health information or electronic protected health information, as defined in the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) and regulations implementing these Acts (see 45 CFR Parts 160 and 164), it must be secured in accordance with “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” available on the United States Department of Health and Human Services (HHS) website xxxx://xxx.xxx.xxx/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html, or at Volume 74 of the Federal Register, beginning at page 4274242741. That guidance from the HHS states that valid encryption processes for protected health information data at rest (e.g., protected health information resting on a server), must be consistent with the NIST Special Publication 800-111, Guide for Storage Encryption Technologies for End User Devices. Valid encryption processes for protected health information data in motion (e.g., transmitted through a network) are those which comply with NIST Special Publications 800- 52, Guidelines for the Selection and Use of Transport Layer Security Implementation; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Minimum Standard for Data at Rest and Data in Motion. Contractor Auditor must, at a minimum, comply, in its treatment of Protected Information, with National Institute of Standards and Technology (NIST) Special Publication 800-53 Moderate Level Control. Notwithstanding this requirement, Contractor Auditor acknowledges that it must fully comply with each additional obligation contained in this policy. If data is protected health information or electronic protected health information, as defined in the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) and regulations implementing these Acts (see 45 CFR Parts 160 and 164), it must be secured in accordance with “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” available on the United States Department of Health and Human Services (HHS) website xxxx://xxx.xxx.xxx/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html, or at Volume 74 of the Federal Register, beginning at page 42742. That guidance from the HHS states that valid encryption processes for protected health information data at rest (e.g., protected health information resting on a server), must be consistent with the NIST Special Publication 800-111, Guide for Storage Encryption Technologies for End User Devices. Valid encryption processes for protected health information data in motion (e.g., transmitted through a network) are those which comply with NIST Special Publications 800- 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementation; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.

Minimum Standard for Data at Rest and Data in Motion. Contractor must, at a minimum, comply, in its treatment of Protected Information, with National Institute of Standards and Technology (NIST) Special Publication 800-53 Moderate Level Control. Notwithstanding this requirement, Contractor acknowledges that it must fully comply with each additional obligation contained in this policy. If data is protected health information or electronic protected health information, as defined in the Health Insurance Portability and Accountability Act and Health Information Technology for Economic and Clinical Health Act (HIPAA/HITECH) and regulations implementing these Acts (see 45 CFR Parts 160 and 164), it must be secured in accordance with “Guidance Specifying the Technologies and Methodologies that Render Protected Health Information Unusable, Unreadable, or Indecipherable to Unauthorized Individuals,” available on the United States Department of Health and Human Services (HHS) website (xxxx://xxx.xxx.xxx/ocr/privacy/hipaa/administrative/breachnotificationrule/index.html), or at Volume 74 of the Federal Register, beginning at page 42742. That guidance from the HHS states that valid encryption processes for protected health information data at rest (e.g., protected health information resting on a server), must be consistent with the NIST Special Publication 800-111, Guide for Storage Encryption Technologies for End User Devices. Valid encryption processes for protected health information data in motion (e.g., transmitted through a network) are those which comply with NIST Special Publications 800- 800-52, Guidelines for the Selection and Use of Transport Layer Security Implementation; 800-77, Guide to IPsec VPNs; or 800-113, Guide to SSL VPNs, or others which are Federal Information Processing Standards (FIPS) 140-2 validated.