Common use of Administrative Controls Clause in Contracts

Administrative Controls. The Contractor must have the following controls in place:

a. A documented security policy governing the secure use of its computer network and systems, and which defines sanctions that may be applied to Contractor staff for violating that policy.

b. Any data center security controls must meet or exceed those expected by the Federal Information Security Management Act (FISMA) for low to moderate impact systems as described in FIPS 199 and 200, and in the most current release of National Institute of Standards and Technology (NIST) Special Publications SP800-53, including all other referenced NIST publications.

c. Contractor warrants that all data collected, processed, routed, and/or stored by or through the service, or third-party service providers, remains at all times within the United States.

d. If the Data shared under this agreement is classified as Category 4, the Contractor must be aware of and compliant with the applicable legal or regulatory requirements for that Category 4 Data.

e. If Confidential Information shared under this agreement is classified as Category 4, the Contractor must have a documented risk assessment for the system(s) housing the Category 4 Data.

Appears in 3 contracts

Sources: Business Associate Agreement, Contract, Contract