Common use of SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS Clause in Contracts

SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS.

SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS. OCSE developed these safeguarding requirements based on the federal laws and requirements governing the protection of information referenced in Section I of this security addendum, as well as the Office of Child Support Enforcement Division of Federal Systems Security Requirements for Federal Agencies Receiving Federal Parent Locator Service Data. SSA was provided a copy of the Office of Child Support Enforcement Division of Federal Systems Security Requirements for Federal Agencies Receiving Federal Parent Locator Service Data, on July 14, 2015. Breach Reporting and Notification Responsibility; Security Authorization; and Audit Requirements. 1. SSA shall restrict access to, and disclosure of, the NDNH information to authorized personnel who need the NDNH information to perform their official duties in connection with the authorized purposes specified in this agreement.‌ 2. SSA shall establish and maintain ongoing management oversight and quality assurance program to ensure that only authorized personnel have access to NDNH information.‌ 3. SSA shall advise all authorized personnel who will access NDNH information of the confidentiality of the NDNH information, the safeguards required to protect the NDNH information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws.‌ 4. SSA shall deliver security and privacy awareness training to personnel with authorized access to NDNH information and the system that houses, processes, or transmits NDNH information. The training shall describe each user’s responsibility for proper use and protection of NDNH information, how to recognize and report potential indicators of insider threat, and the possible sanctions for misuse. All personnel must receive security and privacy awareness training prior to accessing NDNH information and at least annually thereafter. The training shall cover the other federal laws governing use and misuse of protected information.‌ 5. SSA personnel with authorized access to the NDNH information shall sign non-disclosure agreements, rules of behavior, or equivalent documents prior to‌ 6. SSA shall maintain records of authorized personnel with access to the NDNH information. The records shall contain a copy of each individual’s signed‌ 7. SSA shall have appropriate procedures in place to report security or privacy incidents, or suspected incidents involving NDNH information. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report confirmed and suspected incidents, in either electronic or physical form to OCSE, as designated on this security addendum. The requirement for SSA to report confirmed or suspected incidents involving NDNH information to OCSE exists in addition to, not in lieu of, any SSA requirements to report to the United States Computer Emergency Readiness Team (US-CERT) or other reporting agencies.‌ 8. SSA shall prohibit the use of non-SSA furnished equipment to access NDNH information without specific written authorization for the equipment from the appropriate SSA representative.‌ 9. SSA shall require that personnel accessing NDNH information remotely (for example, telecommuting) adhere to all the security and privacy safeguarding requirements provided in this security addendum. SSA and non-SSA equipment shall have appropriate software with the latest updates to protect against attacks, including, at a minimum, current antivirus software and up-to-date system patches and other software patches. Prior to electronic connection to SSA resources, SSA shall scan the‌ 10. SSA shall implement an effective continuous monitoring strategy program that shall ensure the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing NDNH information. The continuous monitoring program shall include configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to SSA officials, as required.‌ 11. SSA shall maintain an asset inventory of all software and hardware components within the boundary of the information system housing the NDNH information. The inventory shall be at a level of granularity deemed necessary by SSA for internal tracking and reporting.‌ 12. SSA shall maintain a system security plan describing the security requirements for the system housing NDNH information and the security controls in place or planned for meeting those requirements. The system security plan shall describe the responsibilities and expected behavior of all individuals who access the system.‌ 13. SSA shall maintain a plan of action and milestones for the information system housing NDNH information to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. SSA shall update the plan of action and milestones as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.‌ 14. SSA shall maintain a baseline configuration of the system housing NDNH information. The baseline configuration shall include information on system components (for example, standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture.‌ 15. SSA shall limit and control logical and physical access to NDNH information to only those personnel authorized for such access based on their official duties, and identified in the records maintained by SSA pursuant to number 6 and number 27 of this section. SSA shall prevent personnel from browsing case files not assigned to them by using technical controls or other compensating controls.‌ 16. SSA shall transmit and store all NDNH information provided pursuant to the agreement in a manner that safeguards the information and prohibits unauthorized access.‌ 17. SSA shall transfer and store NDNH information only on SSA owned portable digital media and mobile computing and communications devices that are encrypted at the disk or device level, using a FIPS 140-2 compliant product. See number 8 and number 18 of this section for additional information.‌ 18. SSA shall prohibit the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing NDNH information.‌ 19. SSA shall prohibit remote access to NDNH information, except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication, as required by OMB M-06-16. SSA shall control remote access through a limited number of managed access control points.‌ 20. SSA shall maintain a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction to its initiator, capture date and time of system events, and type of events. The audit trail system shall protect data and the audit tool from addition, modification, and deletion and should be regularly reviewed/analyzed for indications of inappropriate or unusual activity.‌ 21. SSA shall log each computer-readable data extract from any databases holding NDNH information and verify each extract has been erased within 90 days after completing required use. If SSA requires the extract for longer than 90 days to accomplish a purpose authorized pursuant to this agreement, SSA shall request permission, in writing, to keep the extract for a defined period of time, subject to OCSE written approval. SSA shall comply with the retention and disposition requirements in the agreement.‌ 22. SSA shall utilize a time-out function for remote access and mobile devices that‌ 23. SSA shall erase electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement.‌ 24. SSA shall implement a Network Access Control (also known as Network Admission Control (NAC)) solution in conjunction with a Virtual Private Network (VPN) option to enforce security policy compliance on all SSA and non-SSA remote devices that attempt to gain access to, or use, NDNH information. SSA shall use a NAC solution to authenticate, authorize, evaluate, and remediate remote wired and wireless users before they can access the network. The implemented NAC solution shall evaluate whether remote machines are compliant with security policies through host(s)’ integrity tests against predefined templates, such as patch level, service packs, antivirus, and personal firewall status, as well as custom-created checks tailored for the SSA enterprise environment. SSA shall disable functionality that allows automatic execution of code execution. The solution shall enforce security policies by blocking, isolating, or quarantining non-compliant devices from accessing the SSA network and resources while maintaining an audit record on users’ access and presence on the SSA network. See numbers 8 and 18 of this section for additional information.‌