Common use of Recommended Security Controls for Federal Information Systems Clause in Contracts

Recommended Security Controls for Federal Information Systems. The PMA acknowledges that the use of unsecured telecommunications, including the Internet, to transmit individually identifiable, bidder identifiable or deducible information derived from the shared file(s) is prohibited. Further, the PMA agrees that the data must not be physically moved, transmitted, or disclosed in any way from or by the Data Custodians’ site(s) to an entity not listed on the IEA or DRA without written approval from CMS unless such movement, transmission or disclosure is required by a law. For example, CMS expects the PMA to, at minimum: Protect PII and PHI that is furnished by CMS under this Agreement from loss, theft or inadvertent disclosure; Ensure that laptops and other electronic devices/media containing PII or PHI are encrypted and password-protected; and, Send emails containing PII or PHI only if encrypted and being sent to and being received by e-mail addresses of persons authorized to receive such information. CMS reserves the right to conduct onsite inspections to monitor compliance with this Agreement and the corresponding DRA until such time CMS Data is destroyed and/or the CMS DRA is terminated. In signing this agreement and the corresponding DRA, the PMA attests that the requested data will be maintained, used, and disclosed only in a manner that is in accordance with the requirements of this agreement and the corresponding CMS DRA.