Protection of Data. The Contractor agrees to store and protect Data as described.
i. Data at Rest: Data will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data. Access to the Data will be restricted to Authorized Users through the use of access control lists, a Unique User ID, and a Hardened Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems that contain or provide access to Confidential Information must be located in an area that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
ii. Data stored on Portable/Removable Media or Devices:
• Confidential Information provided by HCA on Removable Media will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data.
• HCA’s Data must not be stored by the Contractor on Portable Devices or Media unless specifically authorized within the Agreement. If so authorized, the Contractor must protect the Data by:
o Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data;
o Controlling access to the devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics;
o Keeping devices in locked storage when not in use;
o Using check-in/check-out procedures when devices are shared;
o Maintaining an inventory of devices; and
o Ensuring that when being transported outside of a Secured Area, all devices containing Data are under the physical control of an Authorized User.
iii. Paper Documents: Any paper records containing Confidential Information must be protected by storing the records in a Secured Area that is accessible only to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
Appears in 3 contracts
Samples: Interlocal Agreement, Interlocal Agreement, Interlocal Agreement
Protection of Data. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:
a. Hard disk drives. Data stored on local workstation hard disks. Access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. The data on the drive will only be accessible to authenticated individuals that need to access it. That is, the data will be secured on the disk in such a way that other authenticated individuals that do not need access to the data will not have the ability to access it. Workstations with sensitive data stored on them will be tracked and their movements documented until the sensitive data is removed from the workstation. When the data is removed the date of its removal and method of its removal will be documented. Workstations hard drives that have contained sensitive data will be wiped with a method that will render the deleted information irretrievable.
b. Network server disks. Data stored on hard disks mounted on network servers and made available through shared folders. Access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism. For EXCHANGE Confidential Information stored on these disks, deleting unneeded Data is sufficient as long as the disks remain in a Secured Area and otherwise meet the requirements listed in the above paragraph. Destruction of the Data as outlined in Section 5. Data Disposition may be deferred until the disks are retired, replaced, or otherwise taken out of the Secured Area.
c. Removable Media, including Optical discs (CDs or DVDs) in local workstation optical disc drives and which will not be transported out of a secure area. Sensitive or Confidential Data provided by the EXCHANGE on removable media, such as optical discs or USB drives, which will be used in local workstation optical disc drives or USB connections shall be encrypted with 128-bit AES encryption or better. When not in use for the contracted purpose, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access EXCHANGE Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers and which will not be transported out of a secure area. Data provided by the EXCHANGE on optical discs which will be attached to network servers shall be encrypted with 128-bit AES encryption or better. Access to Data on these discs will be restricted to authorized users through the use of access control lists which will grant access only after the user has been authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
e. Paper documents. All paper records containing Confidential Information must be protected by storing the records in a secure area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
f. Access via remote terminal/workstation over the State Governmental Network (SGN) or WA Health Benefit Exchange network (EXCHANGE Network). Data accessed and used interactively over the SGN or EXCHANGE Network. Access to the Data will be controlled by EXCHANGE staff who will issue authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor shall have established and documented access termination procedures for existing staff with access to EXCHANGE Data. These procedures shall be provided to EXCHANGE staff upon request. The Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor, and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
g. Access via remote terminal/workstation over the Internet through Secure Access Washington. Data accessed and used interactively over the Internet. Access to the Data will be controlled by EXCHANGE staff who will issue remote access authentication credentials (e.g. a unique user ID and complex password) to authorized contractor staff. Contractor will notify EXCHANGE staff immediately whenever an authorized person in possession of such credentials is terminated or otherwise leaves the employ of the contractor and whenever a user’s duties change such that the user no longer requires access to perform work for this Contract.
h. Data storage on portable devices or media.
(1) EXCHANGE Data shall not be stored by the Contractor on portable devices or media unless specifically authorized within the Special Terms and Conditions of the contract. If so authorized, the Data shall be given the following protections:
(a) Encrypt the Data with a key length of at least 128 bits using an industry standard algorithm (e.g., AES, Twofish, RC6, etc.)
(b) Control access to devices with a unique user ID and password or stronger authentication method such as a physical token or biometrics.
(c) Manually lock devices whenever they are left unattended and set devices to lock automatically after a period of inactivity, if this feature is available. Maximum period of inactivity is 20 minutes. Physically protect the portable device(s) and/or media by
(d) Keeping them in locked storage when not in use
(e) Using check-in/check-out procedures when they are shared, and
(f) Taking frequent inventories
(2) When being transported outside of a secure area, portable devices and media with confidential EXCHANGE Data must be under the physical control of contractor staff with authorization to access the Data.
(3) Portable devices include any small computing device that can be transported. They include, but are not limited to; handhelds/PDAs/phones, Ultramobile PCs, flash memory devices (e.g. USB flash drives, personal media players), and laptop/notebook/tablet computers.
(4) Portable media includes any Data storage that can be detached or removed from a computer and transported. They include, but are not limited to; optical media (e.g. CDs, DVDs), magnetic media (e.g. floppy disks, tape, Zip or Jaz disks), USB drives, or flash media (e.g. CompactFlash, SD, MMC).
Appears in 2 contracts
Samples: Contract for Services, Contract for Services
Protection of Data. The Contractor agrees to store and protect Confidential Information as described:
A. Data at Rest:
i. Data will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data. Access to the Data will be restricted to Authorized Users through the use of access control lists, a Unique User ID, and a Hardened Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems which contain or provide access to Confidential Information must be located in an area that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
B. Data stored on Portable/Removable Media or Devices:
i. Confidential Information provided by HCA on Removable Media will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data.
ii. HCA’s data must not be stored by the Contractor on Portable Devices or Media unless specifically authorized within the Contract. If so authorized, the Contractor must protect the Data by:
a) Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data;
b) Control access to the devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics;
c) Keeping devices in locked storage when not in use;
d) Using check-in/check-out procedures when devices are shared;
e) Maintain an inventory of devices; and
C. Ensure that when being transported outside of a Secured Area, all devices with Data are under the physical control of an Authorized User.
D. Paper documents. Any paper records containing Confidential Information must be protected by storing the records in a Secured Area that is accessible only to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
Appears in 2 contracts
Samples: Professional Services, Professional Services
Protection of Data. The Contractor agrees to store and protect Confidential Information as described:
a. Data at Rest:
i. Data will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data. Access to the Data will be restricted to Authorized Users through the use of access control lists, a Unique User ID, and a Hardened Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems which contain or provide access to Confidential Information must be located in an area that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
ii. Data stored on Portable/Removable Media or Devices:
(A) Confidential Information provided by HCA on Removable Media will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data.
(B) HCA’s data must not be stored by the Contractor on Portable Devices or Media unless specifically authorized within the DSA. If so authorized, the Contractor must protect the Data by:
(1) Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data;
(2) Control access to the devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics;
(3) Keeping devices in locked storage when not in use;
(4) Using check-in/check-out procedures when devices are shared;
(5) Maintain an inventory of devices; and
(6) Ensure that when being transported outside of a Secured Area, all devices with Data are under the physical control of an Authorized User.
iii. Paper Documents: Any paper records containing Confidential Information must be protected by storing the records in a Secured Area that is accessible only to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
Appears in 1 contract
Samples: Professional Services
Protection of Data. The Regents agrees to store data on one or more of the following media and protect the data as described:
1) Workstation Hard disk drives. Access to the data stored on local workstation hard disks will be restricted to authorized users by requiring logon to the local workstation using a unique user ID and complex password. If the workstation is located in an unsecured physical location the hard drive will be encrypted to protect Probation data in the event the device is stolen.
2) Network server disks. Access to data stored on hard disks mounted on network servers and made available through shared folders will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has authenticated to the network using a unique user ID and complex password. Backup copies for disaster recovery purposes will be encrypted if recorded to removable media.
3) Optical discs (e.g., CDs, DVDs, Blu-Rays) in local workstation optical disc drives. Data provided by Probation on optical discs will be used in local workstation optical disc drives and will not be transported out of a secure area. When not in use for the purposes authorized by the DSA, such discs must be locked in a drawer, cabinet or other container to which only authorized users have the key, combination or mechanism required to access the contents of the container. Workstations which access Probation data on optical discs will be located in an area which is accessible only to authorized individuals, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
4) Optical discs (e.g., CDs, DVDs, Blu-Rays) in drives or jukeboxes attached to servers. Access to data provided by Probation on optical discs which will be attached to network servers, and which will not be transported out of a secure area will be restricted to authorized users through the use of access control lists which will grant access only after the authorized user has authenticated to the network using a unique user ID and complex password or other authentication mechanisms which provide equal or greater security. Data on discs attached to such servers will be located in an area which is accessible only to authorized individuals with access controlled through use of a key, card key, combination lock, or comparable mechanism.
Appears in 1 contract
Samples: Memorandum of Understanding
Protection of Data. a. The Contractor agrees to store Data on one or more of the following media and protect the Data as described:
(1) Hard disk drives
Data stored on local workstation hard disks, access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards.
(2) Network server disks
(a) Data stored on hard disks mounted on network servers and made available through shared folders, access to Confidential Information the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards.
(b) Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
(3) Optical discs (CDs or DVDs) in local workstation optical disc drives
(a) Data provided by DCYF on optical discs which will be used in local workstation optical disc drives and which will not be transported out of a Secure Area, when not in use for the contracted purpose, such discs must be Stored in a Secure Area.
(b) Workstations that are capable of accessing Data from optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
(4) Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers
(a) Data provided by DCYF on optical discs that will be attached to network servers will not be transported out of a Secure Area.
(b) Access to Data on these discs will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards.
(c) Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
(5) Paper documents
(a) All paper documents must be protected by storing the records in a Secure Area, with access controlled through the use of a key, card key, combination lock, or comparable mechanism, and which is only accessible to authorized personnel.
(b) When being transported outside of a Secure Area, paper documents must be under the physical control of Contractor staff with authorization to access the Data.
(c) Paper documents will not be secured or stored in a motor vehicle any time a staff member is away from the motor vehicle. NOTE: The use of a lock box, other lockable storage container or a non-lockable storage container stored in a vehicle does not override this requirement.
(d) Paper documents will be retained in a Secure Area, per the State of Washington records retention requirements.
(6) Data storage on portable devices or media
Appears in 1 contract
Samples: Interlocal Agreement
Protection of Data. The Subcontractor agrees to store Data on one or more of the following media and protect the Data as described:
a. Hard disk drives. For Data stored on local workstation hard disks, access to the Data will be restricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards.
b. Network server disks. For Data stored on hard disks mounted on network servers and made available through shared folders, access to the Data will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on disks mounted to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
c. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data provided on optical discs which will be used in local workstation optical disc drives, and which will not be transported out of a Secure Area. When not in use for the contracted purpose, such discs must be Stored in a Secure Area. Workstations which access Data on optical discs must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Data provided on optical discs which will be attached to network servers and which will not be transported out of a Secure Area. Access to Data on these discs will be restricted to Authorized Users through the use of access control lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Data on discs attached to such servers must be located in an area which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
Appears in 1 contract
Samples: Contract
Protection of Data. The Contractor Indian Nation agrees to store Data on one or more of the following media and protect the Data as described.:
i. a. Hard disk drives. Data at Rest: stored on local workstation hard disks. Access to the Data will be encrypted with NIST 800-series approved algorithmsrestricted to Authorized User(s) by requiring logon to the local workstation using a Unique User ID and Hardened Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards.
b. Network server disks. Encryption keys will be Data stored on hard disks mounted on network servers and protected independently of the datamade available through shared folders. Access to the Data will be restricted to Authorized Users through the use of access control lists, lists which will grant access only after the Authorized User has authenticated to the network using a Unique User ID, ID and a Hardened Password, Password or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems that contain or provide access Data on disks mounted to Confidential Information such servers must be located in an area that which is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
iic. Optical discs (CDs or DVDs) in local workstation optical disc drives. Data stored on Portable/Removable Media or Devices: • Confidential Information provided by HCA DSHS on Removable Media optical discs which will be encrypted used in local workstation optical disc drives and which will not be transported out of a Secured Area. When not in use for the agreed purpose, such discs must be locked in a drawer, cabinet or other container to which only Authorized Users have the key, combination or mechanism required to access the contents of the container. Workstations which access DSHS Data on optical discs must be located in an area which is accessible only to authorized personnel, with NIST 800-series approved algorithmsaccess controlled through use of a key, card key, combination lock, or comparable mechanism.
d. Optical discs (CDs or DVDs) in drives or jukeboxes attached to servers. Encryption keys Data provided by DSHS on optical discs which will be stored attached to network servers and protected independently of the Data. • HCA’s Data must which will not be stored by the Contractor transported out of a Secured Area. Access to Data on Portable Devices or Media unless specifically authorized within the Agreement. If so authorized, the Contractor must protect the Data by: o Encrypting with NIST 800-series approved algorithms. Encryption keys these discs will be stored and protected independently restricted to Authorized Users through the use of access control lists which will grant access only after the data; o Controlling access Authorized User has authenticated to the devices with network using a Unique User ID and Hardened Password or stronger other authentication method mechanisms which provide equal or greater security, such as a physical token biometrics or biometrics; o Keeping devices smart cards. Data on discs attached to such servers must be located in locked storage when not in use; o Using check-in/check-out procedures when devices are shared; o Maintaining an inventory of devices; and o Ensuring that when being transported outside area which is accessible only to authorized personnel, with access controlled through use of a Secured Areakey, all devices containing Data are under the physical control of an Authorized Usercard key, combination lock, or comparable mechanism.
e. Paper documents. Any paper records containing Confidential Information must be protected by storing the records in a Secured Area which is only accessible to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
Appears in 1 contract
Samples: Indian Nation Program Agreement
Protection of Data. The Contractor agrees to store and protect Data as described.
5.2.3.1 Data at Rest: Data will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data. Access to the Data will be restricted to Authorized Users through the use of access control lists, a Unique User ID, and a Hardened Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems that contain or provide access to Confidential Information must be located in an area that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
5.2.3.2 Data stored on Portable/Removable Media or Devices
• Confidential Information provided by SBHASO or HCA on Removable Media will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data.
• HCA’s Data must not be stored by the Contractor on Portable Devices or Media unless specifically authorized within the Contract. If so authorized, the Contractor must protect the Data by:
a. Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data;
b. Controlling access to the devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics;
c. Keeping devices in locked storage when not in use;
d. Using check-in/check-out procedures when devices are shared;
e. Maintaining an inventory of devices; and
f. Ensuring that when being transported outside of a Secured Area, all devices containing Data are under the physical control of an Authorized User.
iii. Paper Documents: Any paper records containing Confidential Information must be protected by storing the records in a Secured Area that is accessible only to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
Appears in 1 contract
Samples: Contract Kc 302 21
Protection of Data. The Receiving Party agrees to store and protect Confidential Information as described:
a. Data at Rest:
i. Data will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data. Access to the Data will be restricted to Authorized Users through the use of access control lists, a Unique User ID, and a Hardened Password, or other authentication mechanisms which provide equal or greater security, such as biometrics or smart cards. Systems which contain or provide access to Confidential Information must be located in an area that is accessible only to authorized personnel, with access controlled through use of a key, card key, combination lock, or comparable mechanism.
ii. Data stored on Portable/Removable Media or Devices:
A. Confidential Information provided by HCA on Removable Media will be encrypted with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the Data.
B. HCA’s data must not be stored by the Receiving Party on Portable Devices or Media unless specifically authorized within the DSA. If so authorized, the Receiving Party must protect the Data by:
1. Encrypting with NIST 800-series approved algorithms. Encryption keys will be stored and protected independently of the data;
2. Control access to the devices with a Unique User ID and Hardened Password or stronger authentication method such as a physical token or biometrics;
3. Keeping devices in locked storage when not in use;
4. Using check-in/check-out procedures when devices are shared;
5. Maintain an inventory of devices; and
6. Ensure that when being transported outside of a Secured Area, all devices with Data are under the physical control of an Authorized User.
iii. Paper Documents: Any paper records containing Confidential Information must be protected by storing the records in a Secured Area that is accessible only to authorized personnel. When not in use, such records must be stored in a locked container, such as a file cabinet, locking drawer, or safe, to which only authorized persons have access.
Appears in 1 contract
Samples: Professional Services