BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Except as otherwise provided in Section V of the security agreement, in the case of a confirmed or suspected data breach involving FPLS information, the organization providing information system services agrees to report the breach immediately upon discovery, but in no case later than one hour after discovery of the incident, to the OCSS security mailbox, ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇.▇▇▇. See Security Agreement, Section V, for additional information.

Upon disclosure of FPLS information from OCSS to the state agency, the state agency is the responsible party in the event of a confirmed or suspected breach of the information, including responsibility for any costs associated with breach mitigation and remediation. Immediately upon discovery, but in no case later than one hour after discovery of the incident, the state agency must report confirmed or suspected incidents, in either electronic or physical form, to the OCSS security mailbox. The state agency is responsible for all reporting and notification activities, including but not limited to: investigating the incident; communicating with required state government breach response officials; notifying by U.S. mail all individuals whose information is breached; notifying any third parties, including the media; notifying any other public and private sector agencies involved; responding to inquiries about the breach; resolving all issues surrounding the information breach; performing any follow-up activities; correcting the vulnerability that allowed the breach; and any other activity, as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance.

Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 5, IR-6

The organization providing information system services must protect the FPLS information and state child support program information and segregate it from the provider’s infrastructure to ensure that only authorized personnel have access to the FPLS information and state child support program information. OCSS reserves the right to audit the state agency and any organization providing information system services to the state agency or to make other provisions to ensure that the state agency is maintaining adequate safeguards to protect the FPLS information and child support program information. Audits ensure that the security policies, practices, and procedures required by OCSS are in place and assess the completeness, authenticity, reliability, accuracy, and security of information and the systems used to process the data within the state child support agency and any organization providing information system services to the state agency.

Policy/Requirements Traceability: OMB M-23-03, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements, December 2, 2022; OMB Circular A-130, Appendix I; 45 C.F.R. §§ 95.621(a)-(c), and 305.60

The organization providing information system services may choose to use cloud computing to distribute services over broader architectures. The organization must leverage vendors and services only when all FPLS information physically resides in systems located within the United States and all support and services of the system that may facilitate FPLS access must be done from the U.S., its possessions, and territories. The cloud service provider must be Federal Risk and Authorization Management Program (FedRAMP) certified in order to meet federal security requirements for cloud-based computing or data storage solutions.

Cloud implementations are defined by the service model and deployment model used. Software as a Service, Platform as a Service, and Infrastructure as a Service are examples of cloud service models for cloud implementation. The deployment models may include private cloud, community cloud, public cloud, and hybrid cloud. Data security requirements as defined below still must be met regardless of the type of cloud implementation chosen.
Appears in 1 contract
Sources: Security Agreement
BREACH REPORTING AND NOTIFICATION RESPONSIBILITY. Upon disclosure of FPLS information from OCSE or disclosure of CS program information from another state or tribe to the state CS agency, the state CS agency is the responsible party in the event of a breach or suspected breach of the information. Except as otherwise provided in II.B.6, if the state CS agency knows or suspects FPLS or CS program information has been breached, in either electronic or physical form, the state CS agency:

1. Alerts the FPLS Director designated on this security agreement immediately upon discovery, but in no case later than one hour after discovery of the incident
2. Follows the state CS agency procedures for responding to a data breach
3. Reports the results of the investigation, mitigation, and resolution to the FPLS Director

The state IV-D director or designee is responsible for all reporting, notification, and mitigation activities as well as the associated costs. Reporting, notification, and mitigation activities include but are not limited to: investigating the incident; communicating with required state government breach response officials; notifying by U.S. mail all individuals whose information is breached; communicating with any third parties, including the media, as necessary; notifying any other public and private sector agencies involved; responding to inquiries about the breach; resolving all issues surrounding the breach of FPLS information and CS program information; performing any necessary follow-up activities; activities to correct the vulnerability that allowed the breach; and any other activity, as required by OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information, and other federal law and guidance.

The state IV-D director or designee is responsible for ensuring appropriate measures are in place at the data center storing, transmitting, or processing FPLS information and CS program information to report confirmed or suspected incidents of such information to the state IV-D director or designee.

Policy/Requirements Traceability: US-CERT Federal Incident Notification Guidelines (April 1, 2017); OMB Circular A-130 – Appendix I; OMB M-17-12; NIST SP 800-53 Rev 4, IR-6

The organization providing information system services must protect the FPLS information and state child support program information and segregate it from the provider’s infrastructure to ensure that only authorized personnel have access to the FPLS information and state child support program information. OCSS reserves the right to audit the state agency and any organization providing information system services to the state agency or to make other provisions to ensure that the state agency is maintaining adequate safeguards to protect the FPLS information and child support program information. Audits ensure that the security policies, practices, and procedures required by OCSS are in place and assess the completeness, authenticity, reliability, accuracy, and security of information and the systems used to process the data within the state child support agency and any organization providing information system services to the state agency.

Policy/Requirements Traceability: OMB M-23-03, Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements, December 2, 2022; OMB Circular A-130, Appendix I; 45 C.F.R. §§ 95.621(a)-(c), and 305.60

The organization providing information system services may choose to use cloud computing to distribute services over broader architectures. The organization must leverage vendors and services only when all FPLS information physically resides in systems located within the United States and all support and services of the system that may facilitate FPLS access must be done from the U.S., its possessions, and territories. The cloud service provider must be Federal Risk and Authorization Management Program (FedRAMP) certified in order to meet federal security requirements for cloud-based computing or data storage solutions.

Cloud implementations are defined by the service model and deployment model used. Software as a Service, Platform as a Service, and Infrastructure as a Service are examples of cloud service models for cloud implementation. The deployment models may include private cloud, community cloud, public cloud, and hybrid cloud. Data security requirements as defined below still must be met regardless of the type of cloud implementation chosen.