BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a breach or suspected breach of the information. Immediately upon discovery, and no later than one hour after discovery of the incident, SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities and associated costs of breach remediation, including but not limited to: investigating the incident; communicating with US CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (2017); OMB Circular A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6
Appears in 1 contract
Sources: Computer Matching Agreement
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agency, the state agency is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The state agency is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officials; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to the state agency, the state agency is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency must report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The state agency is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officials; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA must report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6. OCSE requires systems that process, transmit, or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Rev 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSS to HUD, HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, HUD must report confirmed and suspected incidents, in either electronic or physical form, to the security team. Incident reporting contact information is in this security addendum (See section VIII). HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to HUD, HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, HUD shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6. OCSE requires systems that process, transmit, or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Revision 1.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to HUD, HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, HUD shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA must report confirmed and suspected incidents to OCSE using the security mailbox address: ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇.▇▇▇. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6. OCSE requires systems that process, transmit or store NDNH information to be granted authorization to operate following the guidelines in NIST 800-37 Revision 2, Risk Management Framework for Information Systems and Organizations: A System Life Cycle Approach for Security and Privacy.
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSS to HUD, HUD is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, HUD must report confirmed and suspected incidents, in either electronic or physical form, to OCSS security team. Incident reporting contact information is in this security addendum (See section VIII). HUD is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report the confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities, correcting the vulnerability that allowed the breach and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (2017); OMB Circular A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of NDNH information from OCSE to SSA, SSA is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE as designated in this security addendum. SSA is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with US-CERT; notifying individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; responding to Congressional inquiries; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance. Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6