Security Certification and Compliance Review Programs Sample Clauses

Security Certification and Compliance Review Programs. The primary statutory authority that supports the information contained in this document is the Federal Information Security Management Act (FISMA). FISMA became law as part of the Electronic Government Act of 2002. FISMA is the United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or manufactured threats. FISMA assigned the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce, the responsibility to outline and define compliance with FISMA. Unless otherwise stated, all of SSA’s requirements mirror the NIST-defined management, operational, and technical controls listed in the various NIST Special Publications (SP) libraries of technical guidance documents. To gain electronic access to SSA-provided information under the auspices of a data exchange agreement, EIEPs must comply with SSA’s most current Technical System Security Requirements (hereafter referred to as TSSRs). This document is synonymous with the Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration in the agreements. The TSSR specifies minimally acceptable levels of security standards and controls to protect SSA-provided information. SSA maintains the TSSR as a living document, subject to change, that addresses emerging threats, new attack methods, and the development of new technology that potentially places SSA-provided information at risk. EIEPs may proactively ensure their ongoing compliance with the TSSR by periodically requesting the most current version from SSA. SSA will work with EIEPs to resolve deficiencies that result from updates to the TSSRs. SSA refers to this process as Gap Analysis.
EIEPs may proactively ensure their ongoing compliance with the TSSRs by periodically requesting the most current TSSR package from their SSA Point of Contact (POC) under the data exchange agreement. SSA’s standard for categorization of information (Moderate) and information systems is to provide appropriate levels of security according to risk level. Additions, deletions, or modifications of security controls directly affect the level of security and due diligence SSA requires EIEPs to use to mitigate risks. The emergence of new threats, attack methods, and the development of new technology warrants frequent reviews an...
Security Certification and Compliance Review Programs. (NIST SP 800-18 – System Security Plans and Planning (PL) Family, NIST SP 800-53 Rev. 4) SSA’s security certification and compliance review programs are distinct processes. The certification program is a unique, episodic process that occurs when an EIEP initially requests electronic access to SSA-provided information or makes substantive changes to an existing exchange protocol, delivery method, infrastructure, or platform. The certification process entails two stages (refer to 6.1 for details) intended to ensure that management, operational, and technical security measures work as designed. SSA must ensure that the EIEP fully conforms to SSA’s security requirements at the time of certification and satisfies both stages of the certification process before SSA will permit online access to its data in a production environment. The compliance review program entails cyclical security reviews of the EIEP performed by, or on behalf of, SSA. The purpose of the review is to assess an EIEP’s conformance to SSA’s current security requirements at the time of the review engagement. The compliance review program applies to both online and batch access to SSA-provided information. Under the compliance review program, EIEPs are subject to ongoing and periodic security reviews by SSA.

Related to Security Certification and Compliance Review Programs

  • Documentation and compliance (a) The data importer shall promptly and adequately deal with enquiries from the data exporter that relate to the processing under these Clauses.

  • Compliance Review During the Term, Developer agrees to permit the GLO, HUD, and/or a designated representative of the GLO or HUD to access the Property for the purpose of performing Compliance-Monitoring Procedures. In accordance with GLO Compliance-Monitoring Procedures, the GLO or HUD will periodically monitor and audit Developer’s compliance with the requirements of this Agreement, the CDBG-DR Regulations, the CDBG Multifamily Rental Housing Guidelines, and any and all other Governmental Requirements during the Term. In conducting any compliance reviews, the GLO or HUD will rely primarily on information obtained from Developer’s records and reports, on-site monitoring, and audit reports. The GLO or HUD may also consider other relevant information gained from other sources, including litigation and citizen complaints.

  • Compliance Reviews The Department may conduct a compliance review of the Contractor’s security procedures before and during the Contract term to protect Confidential Information.

  • Monitoring Compliance Upon the request of the Lender, but without incurring any liability beyond the Guaranteed Obligations, from time to time, Guarantor shall promptly provide to the Lender such documents, certificates and other information as may be deemed reasonably necessary to enable the Lender to perform its functions under the Servicing Agreement as the same relates to the Guarantor.

  • STATEMENT OF COMPLIANCE Contractor has, unless exempted, complied with the nondiscrimination program requirements. (Gov. Code §12990 (a-f) and CCR, Title 2, Section 11102) (Not applicable to public entities.)
