Incident Reporting. USAC and SERVICE PROVIDER agree to report and track incidents in accordance with the PII breach reporting requirements as set forth in Office of Management and Budget (“OMB”) Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” (2017). SERVICE PROVIDER will promptly notify these contacts at USAC simultaneously: USAC Privacy, ▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC IT Security Operations, ▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC will promptly notify this contact at SERVICE PROVIDER: SERVICE PROVIDER [TO FILL OUT] As soon as possible after notifying SERVICE PROVIDER of an incident, or receiving notification of an incident from SERVICE PROVIDER, USAC will notify the FCC’s Network Security Operations Center (“NSOC”) at ▇▇▇▇-▇▇▇▇▇▇▇@▇▇▇.▇▇▇ or (▇▇▇) ▇▇▇-▇▇▇▇ of incidents within one (1) hour of notification. If the Party experiencing the incident cannot contact the other Party’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical, then this contact information shall be used: USAC Manager of Security Operations - (▇▇▇) ▇▇▇-▇▇▇▇ SERVICE PROVIDER [TO FILL OUT] USAC and SERVICE PROVIDER agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. 
The Party that experienced the incident will also be responsible for following its internal established procedures, including: Notifying the proper organizations (e.g., Information Systems Security Officers (“ISSOs”), and other contacts listed in this document); Conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss; and Providing such notice and credit monitoring at no cost to the other Party, if the analysis conducted by the Party having experienced the loss incident indicates that individual notice and credit monitoring are appropriate. In the event of any incident arising from or in connection with this Agreement, each Party will be responsible only for costs and/or litigation arising from a breach of the Party’s own systems; USAC is responsible only for costs and litigation associated with breaches to USAC systems and SERVICE PROVIDER is responsible only for breaches associated with SERVICE PROVIDER systems. USAC shall not be liable to SERVICE PROVIDER or to any third person for any cause of action arising from the possession, control, or use by SERVICE PROVIDER of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII. SERVICE PROVIDER shall not be liable to USAC or to any third person for any cause of action arising from the possession, control, or use by USAC of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII.
Appears in 2 contracts
Sources: Interconnection Security Agreement, Interconnection Security Agreement
Incident Reporting. Upon detection of a security incident or PII breach related to this CMA, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) named in this CMA. VA will promptly notify the following FSA contacts in the order listed, until a successful notification has been made: NSLDS Owner’s Primary Representative or NSLDS Information System Security Officer (ISSO). If the agency experiencing the incident is unable to speak with the other agency’s System Security Contact within one hour or if for some reason contacting the System Security Contact is not practicable (e.g., outside of normal business hours), then the following contact information shall be used:
VA:
• VA Network Security Operations Center (VA NSOC) at ▇-▇▇▇-▇▇▇-▇▇▇▇ or email ▇▇▇▇▇▇@▇▇.▇▇▇
ED/FSA:
• EDCIRC: ▇▇▇▇▇@▇▇.▇▇▇: ▇▇▇-▇▇▇-▇▇▇▇
If ED experiences a loss of PII under the terms of this CMA, ED will also comply with the PII breach reporting and security requirements as required by OMB Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” (Jan. 3, 2017). ED also will notify all the VA security contact(s) named in this CMA as soon as possible, but no later than one hour after the discovery of a breach (or suspected breach) involving PII.
The agency that experienced the incident will also be responsible for following its internal established procedures, including notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the ISSOs, and other contacts listed in this document), conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss. If the agency’s analysis indicates that an individual notice and/or remediation is appropriate, the agency that experienced the incident will be responsible for providing such notice and/or remediation without cost to the other agency.
Appears in 2 contracts
Sources: Computer Matching Agreement, Computer Matching Agreement
Incident Reporting.
B.8.1 As soon as the Supplier becomes aware, it shall immediately report any incident affecting the Client’s consignment to the Client. The Supplier will undertake an immediate investigation and will provide feedback on findings, including corrective actions required and trends observed, to the Client within 24 hours of the incident being reported by telephone/e-mail.
B.8.2 Serious incidents can be categorised as: Items that cannot be traced following despatch; Any tracked item that has been delivered incorrectly; Any items that are found in public places; Any items that have been stolen whilst in the Suppliers’ possession; and Any items delivered incorrectly to a private address. This list is indicative only and not prescriptive.
B.8.3 The Supplier shall, in the event of a serious incident, provide from within Senior Management, a single point of contact person within 1 hour of notification. It shall be the responsibility of the contact person to pursue the investigation and mitigation of the incident to the satisfaction of the Client and shall be required to provide progress updates to the Client on request.
B.8.4 In addition to the above notification requirements, the Supplier must have in place an effective and efficient incident handling procedure for dealing with security breaches in the courier service to be agreed by the Client. As a minimum it must include:
a. Early identification of any loss of data;
b. Early notification to Client on any security breaches;
c. Set procedures in place to conduct thorough premises searches;
d. Ability to provide immediate feedback on investigations to Client contacts that may be requested at any time from the notification;
e. Internal escalation procedures in place to notify all senior contract managers and security managers;
f. Ability within workforce planning to provide on site management and assistance to ascertain the causes of the security breach and implement any immediate remedial actions in mitigation;
g. Final reporting writing procedures in agreement with Client;
h. Full written responses to incidents within 5 working days of the initial notification;
i. Full co-operation with any requests for written reports and information pertaining to security incidents that may be requested by the Information Commissioner.
B.8.5 Where requested to do so by an individual Client, the Supplier must respond to a formal incident report as follows:
Serious Incident: Initial verbal report within 24 hrs; Full written response within 5 working days
Incident: Full written response within 8 working days
Appears in 2 contracts
Sources: Courier Services Framework Agreement, Courier Services Framework Agreement
Incident Reporting. HUD and VA agree to report and track incidents in accordance with the most current, final version of NIST Special Publication 800-53. Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) named in paragraph XVII, of this agreement. HUD will promptly notify the following at VA:
▪ ▇▇▇▇▇ ▇▇▇▇▇▇▇@▇▇: ▇▇▇▇▇.▇▇▇. Phone (▇▇▇) ▇▇▇-▇▇▇▇
If the federal agency experiencing the incident is unable to speak with the other federal agency’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used:
▪ HUD’s HITS Helpdesk: (▇▇▇) ▇▇▇-▇▇▇▇
▪ VA Cyber Security Operations Center (CSOC): (▇▇▇) ▇▇▇-▇▇▇▇ opt.1, opt.4
If either HUD or VA experience a loss of PII provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security into IT Investments” (July 12, 2006), and OMB M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (May 22, 2007). VA and HUD also agree to notify all the Security Contact(s) named in this Agreement (and for VA, the primary representative as well) as soon as possible, but no later than forty-five (45) minutes, after the discovery of a breach (or suspected breach) involving PII.
The agency that experienced the incident will also be responsible for following its internal established procedures, including:
▪ Notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the Information Systems Security Officer, and other contacts listed in this document);
▪ Conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss; and
▪ Providing such notice and credit monitoring, at no cost to the other agency, if the analysis conducted by the agency having experienced the loss incident indicates that individual notice and credit monitoring are appropriate.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. Upon detection of a security incident or PII breach related to this CMA, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) named in this CMA. VA will promptly notify the following FSA contacts in the order listed, until a successful notification has been made: NSLDS Owner’s Primary Representative or NSLDS Information System Security Officer (ISSO). If the agency experiencing the incident is unable to speak with the other agency’s System Security Contact within one hour or if for some reason contacting the System Security Contact is not practicable (e.g., outside of normal business hours), then the alternate contact information shall be used. If ED experiences a loss of PII under the terms of this CMA, ED will also comply with the PII breach reporting and security requirements as required by OMB Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” (Jan. 3, 2017). ED also will notify all the VA security contact(s) named in this CMA as soon as possible, but no later than one hour after the discovery of a breach (or suspected breach) involving PII.
The agency that experienced the incident will also be responsible for following its internal established procedures, including notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the ISSOs, and other contacts listed in this document), conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss. If the agency’s analysis indicates that an individual notice and/or remediation is appropriate, the agency that experienced the incident will be responsible for providing such notice and/or remediation without cost to the other agency.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. CMS and VHA will comply with OMB reporting guidelines in the event of a Security Incident, loss, potential loss, or Breach of PII (see OMB M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” (Jan. 3, 2017) and OMB M-23-03, "Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements" (Dec. 2, 2022)) and notify the National Cybersecurity and Communications Integration Center/United States Computer Emergency Readiness Team (NCCIC/US-CERT) within one hour of being identified by the agency's top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In addition, within one hour of discovering the incident, the Party experiencing the incident will promptly notify the other agency's System Security Contact named in this Agreement within one (1) hour of discovering the loss, potential loss, Security Incident, or Breach. If CMS is unable to speak with the other Party's System Security Contact within one hour or if for some reason notifying the System Security Contact is not practicable (e.g., outside of normal business hours), CMS will call VA Network and Security Operations Center (NSOC) toll free at ▇-▇▇▇-▇▇▇-▇▇▇▇ or via email at ▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇.
If VHA is unable to speak with CMS Systems Security Contact within one hour, VHA will contact CMS IT Service Desk at 1-800-562-1963 or via email at ▇▇▇_▇-▇_▇▇▇▇▇▇▇_▇▇▇▇@▇▇▇.▇▇▇. The Party that experienced the loss, potential loss, Security Incident, or Breach will also be responsible for following its internal established procedures, including notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT)), conducting a breach and risk analysis, and determining the need for notice and/or remediation to individuals affected by the loss. Parties under this agreement will follow PII breach notification policies and related procedures as required by OMB guidelines and the US-CERT Federal Incident Notification Guidelines.
If the Party experiencing the breach determines that the risk of harm requires notification to the affected individuals or other remedies, then that Party will carry out these remedies without cost to the other Party.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. Upon detection of a security incident or PII breach related to this CMA, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) named in this CMA. VA will promptly notify the following FSA contacts in the order listed, until a successful notification has been made: National Student Loan Data System Owner’s Primary Representative or National Student Loan Data System Information System Security Officer (ISSO). If the agency experiencing the incident is unable to speak with the other agency’s System Security Contact within one hour or if for some reason contacting the System Security Contact is not practicable (e.g., outside of normal business hours), then the following contact information shall be used:
VA:
• VA Network Security Operations Center (VA NSOC) at ▇-▇▇▇-▇▇▇-▇▇▇▇ or email ▇▇▇▇▇▇@▇▇▇▇.▇▇▇. ▇▇▇
ED/FSA:
• EDCIRC: ▇▇▇▇▇▇@▇▇▇▇.▇▇▇.
If ED experiences a loss of PII under the terms of this CMA, ED will also comply with the PII breach reporting and security requirements as required by OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security into IT Investments,” as amended by OMB M-15-01, Fiscal Year 2014-2015 “Guidance on Improving Federal Information Security and Privacy Management Practices” (October 3, 2014). ED also will notify all the VA security contact(s) named in this CMA as soon as possible, but no later than one hour after the discovery of a breach (or suspected breach) involving PII. The agency that experienced the incident will also be responsible for following its internal established procedures, including notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the ISSOs and other contacts listed in this document), conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss.
If the agency’s analysis indicates that an individual notice and/or remediation is appropriate, the agency that experienced the incident will be responsible for providing such notice and/or remediation without cost to the other agency.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. HUD and VA agree to report and track incidents in accordance with the most current, final version of NIST Special Publication 800-53. Upon detection of an incident related to this interconnection, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) named in paragraph XVII, of this agreement. HUD will promptly notify the following at VA: ▇▇▇▇▇ ▇▇▇▇▇▇▇@▇▇: ▇▇▇▇▇.▇▇▇. Phone (▇▇▇) ▇▇▇-▇▇▇▇
If the federal agency experiencing the incident is unable to speak with the other federal agency’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical (e.g., outside of normal business hours), then the following contact information shall be used:
HUD’s HITS Helpdesk: (▇▇▇) ▇▇▇-▇▇▇▇
VA Cyber Security Operations Center (CSOC): (▇▇▇) ▇▇▇-▇▇▇▇ opt.1, opt.4
If either HUD or VA experience a loss of PII provided under the terms of this Agreement, the federal agency that experienced the loss incident will also comply with the PII breach reporting and security requirements set forth by OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security into IT Investments” (July 12, 2006), and ▇▇▇ ▇-▇▇-▇▇, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (May 22, 2007). VA and HUD also agree to notify all the Security Contact(s) named in this Agreement (and for VA, the primary representative as well) as soon as possible, but no later than forty-five (45) minutes, after the discovery of a breach (or suspected breach) involving PII.
The agency that experienced the incident will also be responsible for following its internal established procedures, including: Notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the Information Systems Security Officer, and other contacts listed in this document); Conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss; and Providing such notice and credit monitoring, at no cost to the other agency, if the analysis conducted by the agency having experienced the loss incident indicates that individual notice and credit monitoring are appropriate.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. USAC HUD and SERVICE PROVIDER ED agree to report and track incidents in accordance with the PII breach reporting requirements as set forth in Office most current, final version of Management and Budget (“OMB”) Memorandum M-17NIST Special Publication 800-1253. Upon detection of an incident related to this interconnection, “Preparing for and Responding to a Breach of Personally Identifiable Information” (2017). SERVICE PROVIDER the agency experiencing the incident will promptly notify these contacts at USAC simultaneously: USAC Privacy, ▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇the other agency’s System Security Contact(s) named in paragraph XVII of this agreement. USAC IT Security Operations, ▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC HUD will promptly notify this contact at SERVICE PROVIDERthe following ED groups simultaneously: SERVICE PROVIDER [TO FILL OUT] As soon as possible after notifying SERVICE PROVIDER of an incident, or receiving notification of an incident from SERVICE PROVIDER, USAC will notify the FCC▪ Debt Management Collection System’s Network (DMCS) Primary Representative; ▪ ED Chief Information Security Operations Center Officer; and ▪ The DMCS Information System Security Officer (“NSOC”) at ▇▇▇▇-▇▇▇▇▇▇▇@▇▇▇.▇▇▇ or (▇▇▇) ▇▇▇-▇▇▇▇ of incidents within one (1) hour of notificationISSO). 
If the Party federal agency experiencing the incident cannot contact is unable to speak with the other Partyfederal agency’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practicalpractical (e.g., outside of normal business hours), then this the following contact information shall be used: USAC Manager of Security Operations ▪ HUD - HITS Helpdesk: (▇▇▇) ▇▇▇-▇▇▇▇ SERVICE PROVIDER [TO FILL OUT] USAC ▪ ED - ▇▇▇▇▇@▇▇.▇▇▇ If either HUD or ED experience a loss of PII provided under the terms of this Agreement, the federal agency that experienced the loss will also comply with the PII breach reporting and SERVICE PROVIDER security requirements set forth by OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security into IT Investments” (July 12, 2006), and OMB M-07-16, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information” (May 22, 2007). ED and HUD also agree to notify all the Security Contact(s) named in this Agreement (and for ED, the primary representative as well) as soon as possible, but no later than one forty-five (145) hourminutes, after the discovery of a breach (or suspected breach) involving PII. 
The Party agency that experienced the incident will also be responsible for following its internal established procedures, including: ▪ Notifying the proper organizations (e.g., United States Computer Emergency Readiness Team (US-CERT), the Information Systems Security Officers (ISSOs”)Officer, and other contacts listed in this document); ▪ Conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss; and ▪ Providing such notice and credit monitoring monitoring, at no cost to the other Partyagency, if the analysis conducted by the Party agency having experienced the loss incident indicates that individual notice and credit monitoring are appropriate. In the event of any incident arising from or in connection with this Agreement, each Party will be responsible only for costs and/or litigation arising from a breach of the Party’s own systems; USAC is responsible only for costs and litigation associated with breaches to USAC systems and SERVICE PROVIDER is responsible only for breaches associated with SERVICE PROVIDER systems. USAC shall not be liable to SERVICE PROVIDER or to any third person for any cause of action arising from the possession, control, or use by SERVICE PROVIDER of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII. SERVICE PROVIDER shall not be liable to USAC or to any third person for any cause of action arising from the possession, control, or use by USAC of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. USAC CMS and SERVICE PROVIDER agree to report and track incidents VHA will comply with OMB reporting guidelines in accordance with the event of a Security Incident, loss, potential loss, or Breach of PII breach reporting requirements as set forth in Office of Management and Budget (“OMB”) Memorandum see OMB M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” Information (Jan. 3, 2017) and OMB M-23-03, “Fiscal Year 2023 Guidance on Federal Information Security and Privacy Management Requirements” (Dec. 2, 2022)) and notify the National Cybersecurity and Communications Integration Center/United States Computer Emergency Readiness Team (NCCIC/US-CERT) within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. SERVICE PROVIDER In addition, within one hour of discovering the incident, the Party experiencing the incident will promptly notify these contacts the other agency's System Security Contact named in this Agreement within one (1) hour of discovering the loss, potential loss, Security Incident, or Breach. If CMS is unable to speak with the other Party's System Security Contact within one hour or if for some reason notifying the System Security Contact is not practicable (e.g., outside of normal business hours), CMS will call VA Network and Security Operations Center (NSOC) toll free at USAC simultaneously: USAC Privacy, ▇-▇▇▇-▇▇▇-▇▇▇▇ or via email at ▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC IT Security Operations, ▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇.
USAC If VHA is unable to speak with CMS Systems Security Contact within one hour, VHA will promptly notify this contact CMS IT Service Desk at SERVICE PROVIDER: SERVICE PROVIDER [TO FILL OUT] As soon as possible after notifying SERVICE PROVIDER of an incident, 1-800-562-1963 or receiving notification of an incident from SERVICE PROVIDER, USAC will notify the FCC’s Network Security Operations Center (“NSOC”) via email at ▇▇▇_▇-▇_▇▇▇▇▇▇▇_▇▇▇▇@▇▇▇.▇▇▇ or (▇.▇▇▇) ▇▇▇-▇▇▇▇ of incidents within one (1) hour of notification. If the Party experiencing the incident cannot contact the other Party’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical, then this contact information shall be used: USAC Manager of Security Operations - (▇▇▇) ▇▇▇-▇▇▇▇ SERVICE PROVIDER [TO FILL OUT] USAC and SERVICE PROVIDER agree to notify all the Security Contact(s) named in this Agreement as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The Party that experienced the incident loss, potential loss, Security Incident, or Breach will also be responsible for following its internal established procedures, including: Notifying including notifying the proper organizations (e.g., Information Systems Security Officers United States Computer Emergency Readiness Team (ISSOs”US-CERT)), and other contacts listed in this document); Conducting conducting a breach and risk analysis, and making a determination of determining the need for notice and/or remediation to individuals affected by the loss; . Parties under this agreement will follow PII breach notification policies and Providing such notice related procedures as required by OMB guidelines and credit monitoring at no the US-CERT Federal Incident Notification Guidelines.
If the Party experiencing the breach determines that the risk of harm requires notification to the affected individuals or other remedies, then that Party will carry out these remedies without cost to the other Party, if the analysis conducted by the Party having experienced the loss incident indicates that individual notice and credit monitoring are appropriate. In the event of any incident arising from or in connection with this Agreement, each Party will be responsible only for costs and/or litigation arising from a breach of the Party’s own systems; USAC is responsible only for costs and litigation associated with breaches to USAC systems and SERVICE PROVIDER is responsible only for breaches associated with SERVICE PROVIDER systems. USAC shall not be liable to SERVICE PROVIDER or to any third person for any cause of action arising from the possession, control, or use by SERVICE PROVIDER of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII. SERVICE PROVIDER shall not be liable to USAC or to any third person for any cause of action arising from the possession, control, or use by USAC of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. USAC and SERVICE PROVIDER agree to report and track incidents in accordance with the Upon detection of a security incident or PII breach reporting requirements as set forth in Office of Management and Budget (“OMB”) Memorandum M-17-12related to this CMA, “Preparing for and Responding to a Breach of Personally Identifiable Information” (2017). SERVICE PROVIDER the agency experiencing the incident will promptly notify these the other agency’s System Security Contact(s) named in this CMA. SSA will promptly notify the following FSA contacts at USAC simultaneouslyin the order listed, until a successful notification has been made: USAC PrivacyNational Student Loan Data System Owner’s Primary Representative or National Student Loan Data System Information System Security Officer (ISSO). If the agency experiencing the incident is unable to speak with the other agency’s System Security Contact within one hour or if for some reason contacting the System Security Contact is not practicable (e.g., outside of normal business hours), then the following contact information shall be used: SSA: • National Network Service Center: ▇-▇▇▇-▇▇▇-▇▇▇▇ ED/FSA: • EDCIRC: ▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC IT Security Operations, ▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC will promptly notify this contact at SERVICE PROVIDER: SERVICE PROVIDER [TO FILL OUT] As soon as possible after notifying SERVICE PROVIDER of an incident, or receiving notification of an incident from SERVICE PROVIDER, USAC will notify the FCC’s Network Security Operations Center (“NSOC”) at ▇▇▇▇-▇▇▇▇▇▇▇@▇▇▇.▇▇▇ or (▇▇▇) ▇▇▇-▇▇▇▇ If either SSA or ED experience a loss or breach of incidents within one (1) hour PII provided by SSA or ED under the terms of notificationthis CMA, they will follow the incident reporting guidelines issued by OMB. 
If In the Party event of a reportable incident under OMB guidance involving PII, the agency experiencing the incident cannot contact is responsible for following its established procedures, including notification to the other Partyproper organizations (e.g., United States Computer Emergency Readiness Team, the agency’s System Security Contacts within one (1) hour, or if contacting privacy office). ED and SSA also will notify the System Security Contact is not practical, then this contact information shall be used: USAC Manager of Security Operations - (▇▇▇) ▇▇▇-▇▇▇▇ SERVICE PROVIDER [TO FILL OUT] USAC and SERVICE PROVIDER agree to notify all the Security Contact(ssecurity contact(s) named in this Agreement CMA as soon as possible, but no later than one (1) hour, hour after the discovery of a breach (or suspected breach) involving PII. The Party agency that experienced the incident will also be responsible for following its internal established procedures, including: Notifying including notifying the proper organizations (e.g., Information Systems Security Officers United States Computer Emergency Readiness Team (ISSOs”US-CERT), the ISSOs and other contacts listed in this document); Conducting , conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss; and Providing . If the agency’s analysis indicates that an individual notice and/or remediation is appropriate, the agency that experienced the incident will be responsible for providing such notice and credit monitoring at no and/or remediation without cost to the other Party, if the analysis conducted by the Party having experienced the loss incident indicates that individual notice and credit monitoring are appropriate.
In the event of any incident arising from or in connection with this Agreement, each Party will be responsible only for costs and/or litigation arising from a breach of the Party’s own systems; USAC is responsible only for costs and litigation associated with breaches to USAC systems and SERVICE PROVIDER is responsible only for breaches associated with SERVICE PROVIDER systems. USAC shall not be liable to SERVICE PROVIDER or to any third person for any cause of action arising from the possession, control, or use by SERVICE PROVIDER of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII. SERVICE PROVIDER shall not be liable to USAC or to any third person for any cause of action arising from the possession, control, or use by USAC of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PIIagency.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. USAC and SERVICE PROVIDER Both Parties agree to report and track incidents in accordance with their respective incident response plans, using established protocols. ED will report to its Office of the Chief Information Officer (OCIO) in compliance with the instructions, standards, and procedures set forth in ED’s Departmental Directive OCIO: 3-112 on Cybersecurity Policy. VA will report using VA Handbook 6500.2, Management of Data Breaches Involving Sensitive Personal Information. Upon detection of an incident related to this CMA, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) named in Section XIV of this CMA. If VA detects such an incident, then VA will notify ED’s System Security Contacts in the order designated in Section XIV of this CMA, beginning with the Department of Education Security Operations Center (EDSOC), (▇▇▇) ▇▇▇-▇▇▇▇; ▇▇▇▇▇@▇▇.▇▇▇. If the Party experiencing the incident is unable to speak with the other Party’s System Security Contact(s) within one hour or, if for some reason, contacting the System Security Contact(s) is not practicable (e.g., outside of normal business hours), then the following contact information shall be used: • VA Cyber Security Operations Center (CSOC), ▇▇▇@▇▇.▇▇▇; ▇▇▇-▇▇▇-▇▇▇▇ • EDSOC, (▇▇▇) ▇▇▇-▇▇▇▇; ▇▇▇▇▇@▇▇.▇▇▇. VA will subsequently notify the CPS and FPS Information System Security Officers (ISSOs) and then the CPS and FPS System Owner’s Primary Representatives, using their contact information, which is listed in Section XIV of this CMA. If either VA or ED experiences a loss of PII provided by VA or ED under the terms of this CMA, they will also comply with the PII breach reporting and security requirements as set forth in Office of Management and Budget (“OMB”) Memorandum required by OMB M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information.” (2017). 
SERVICE PROVIDER will promptly notify these contacts at USAC simultaneously: USAC Privacy, ▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC IT Security Operations, ▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC will promptly notify this contact at SERVICE PROVIDER: SERVICE PROVIDER [TO FILL OUT] As soon as possible after notifying SERVICE PROVIDER of an incident, or receiving notification of an incident from SERVICE PROVIDER, USAC will notify the FCC’s Network Security Operations Center (“NSOC”) at ▇▇▇▇-▇▇▇▇▇▇▇@▇▇▇.▇▇▇ or (▇▇▇) ▇▇▇-▇▇▇▇ of incidents within one (1) hour of notification. If the Party experiencing the incident cannot contact the other Party’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical, then this contact information shall be used: USAC Manager of Security Operations - (▇▇▇) ▇▇▇-▇▇▇▇ SERVICE PROVIDER [TO FILL OUT] USAC ED and SERVICE PROVIDER VA also agree to notify all the Security Contact(ssecurity contact(s) for their agency named in Section XIV of this Agreement CMA as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The Party agency that experienced the incident breach will also be responsible for following its internal established procedures, including: Notifying including notifying the proper organizations (e.g., Information Systems Security Officers (ISSOs”CISA), and other contacts listed in this document); Conducting conducting a breach and risk analysis, and making a determination of deciding the need for notice and/or remediation to individuals affected by the loss; and Providing breach. 
If the agency’s analysis indicates that an individual notice or remediation or both is appropriate, the agency that experienced the breach will be responsible for providing such notice and credit monitoring at no or remediation or both without cost to the other Party, if the analysis conducted by the Party having experienced the loss incident indicates that individual notice and credit monitoring are appropriate. In the event of any incident arising from or in connection with this Agreement, each Party will be responsible only for costs and/or litigation arising from a breach of the Party’s own systems; USAC is responsible only for costs and litigation associated with breaches to USAC systems and SERVICE PROVIDER is responsible only for breaches associated with SERVICE PROVIDER systems. USAC shall not be liable to SERVICE PROVIDER or to any third person for any cause of action arising from the possession, control, or use by SERVICE PROVIDER of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII. SERVICE PROVIDER shall not be liable to USAC or to any third person for any cause of action arising from the possession, control, or use by USAC of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PIIagency.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. USAC and SERVICE PROVIDER Both Parties agree to report and track incidents in accordance with their respective incident response plans, using established protocols. ED will report to its Office of the Chief Information Officer (OCIO) in compliance with the instructions, standards, and procedures set forth in ED’s Departmental Directive OCIO: 3-112 on Cybersecurity Policy. VA will report using VA Handbook 6500.2, Management of Data Breaches Involving Sensitive Personal Information. Upon detection of an incident related to this CMA, the agency experiencing the incident will promptly notify the other agency’s System Security Contact(s) named in Section XIV of this CMA. If VA detects such an incident, then VA will notify ED’s System Security Contacts in the order designated in Section XIV of this CMA, beginning with the Department of Education Security Operations Center (EDSOC), (▇▇▇) ▇▇▇-▇▇▇▇; ▇▇▇▇▇@▇▇.▇▇▇. If the Party experiencing the incident is unable to speak with the other Party’s System Security Contact(s) within one hour or, if for some reason, contacting the System Security Contact(s) is not practicable (e.g., outside of normal business hours), then the following contact information shall be used: VA: • VA Cyber Security Operations Center (CSOC), ▇▇▇@▇▇.▇▇▇; ▇▇▇-▇▇▇-▇▇▇▇ ED/FSA: • EDSOC, (▇▇▇) ▇▇▇-▇▇▇▇; ▇▇▇▇▇@▇▇.▇▇▇. VA will subsequently notify the CPS and FPS Information System Security Officers (ISSOs) and then the CPS and FPS System Owner’s Primary Representatives, using their contact information, which is listed in Section XIV of this CMA. If either VA or ED experiences a loss of PII provided by VA or ED under the terms of this CMA, they will also comply with the PII breach reporting and security requirements as set forth in Office of Management and Budget (“OMB”) Memorandum required by OMB M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information.” (2017).
SERVICE PROVIDER will promptly notify these contacts at USAC simultaneously: USAC Privacy, ▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC IT Security Operations, ▇▇▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC will promptly notify this contact at SERVICE PROVIDER: SERVICE PROVIDER [TO FILL OUT] As soon as possible after notifying SERVICE PROVIDER of an incident, or receiving notification of an incident from SERVICE PROVIDER, USAC will notify the FCC’s Network Security Operations Center (“NSOC”) at ▇▇▇▇-▇▇▇▇▇▇▇@▇▇▇.▇▇▇ or (▇▇▇) ▇▇▇-▇▇▇▇ of incidents within one (1) hour of notification. If the Party experiencing the incident cannot contact the other Party’s System Security Contacts within one (1) hour, or if contacting the System Security Contact is not practical, then this contact information shall be used: USAC Manager of Security Operations - (▇▇▇) ▇▇▇-▇▇▇▇ SERVICE PROVIDER [TO FILL OUT] USAC ED and SERVICE PROVIDER VA also agree to notify all the Security Contact(ssecurity contact(s) for their agency named in Section XIV of this Agreement CMA as soon as possible, but no later than one (1) hour, after the discovery of a breach (or suspected breach) involving PII. The Party agency that experienced the incident breach will also be responsible for following its internal established procedures, including: Notifying including notifying the proper organizations (e.g., Information Systems Security Officers (ISSOs”CISA), and other contacts listed in this document); Conducting conducting a breach and risk analysis, and making a determination of deciding the need for notice and/or remediation to individuals affected by the loss; and Providing breach. 
If the agency’s analysis indicates that an individual notice or remediation or both is appropriate, the agency that experienced the breach will be responsible for providing such notice and credit monitoring at no or remediation or both without cost to the other Party, if the analysis conducted by the Party having experienced the loss incident indicates that individual notice and credit monitoring are appropriate. In the event of any incident arising from or in connection with this Agreement, each Party will be responsible only for costs and/or litigation arising from a breach of the Party’s own systems; USAC is responsible only for costs and litigation associated with breaches to USAC systems and SERVICE PROVIDER is responsible only for breaches associated with SERVICE PROVIDER systems. USAC shall not be liable to SERVICE PROVIDER or to any third person for any cause of action arising from the possession, control, or use by SERVICE PROVIDER of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII. SERVICE PROVIDER shall not be liable to USAC or to any third person for any cause of action arising from the possession, control, or use by USAC of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PIIagency.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. USAC and SERVICE PROVIDER agree Upon detection of an actual or suspected security incident, including a PII breach, related to report and track incidents in accordance with this CMA, the PII breach reporting requirements as set forth in Office of Management and Budget (“OMB”) Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information” (2017). SERVICE PROVIDER agency detecting the actual or suspected incident will promptly notify these contacts at USAC simultaneouslythe other agency’s System Security Contact(s) named in this CMA. If the agency that detects the actual or suspected incident is unable to speak with the other agency’s System Security Contact within one hour, or if for some reason contacting the System Security Contact is not practicable (e.g., outside of normal business hours), then the following contact information shall be used: USAC Privacy, DoD: DMDC Cybersecurity Incident Response Team: ▇▇▇▇▇▇.▇▇▇▇-▇▇.▇▇▇▇.▇▇▇▇.▇▇-▇▇▇▇@▇▇▇▇.▇▇▇ and ▇▇▇▇▇▇.▇▇▇▇-▇▇.▇▇▇▇.▇▇▇▇.▇▇▇▇▇▇▇-▇▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC IT Security Operations, ; (▇▇▇)-▇▇▇-▇▇▇▇ ED/FSA: EDCIRC: ▇▇▇▇▇@▇▇▇▇.▇▇▇. USAC will promptly notify this contact at SERVICE PROVIDER: SERVICE PROVIDER [TO FILL OUT] As soon as possible after notifying SERVICE PROVIDER of an incident, or receiving notification of an incident from SERVICE PROVIDER, USAC will notify the FCC’s Network Security Operations Center (“NSOC”) at ▇▇▇▇-▇▇▇▇▇▇▇@▇▇▇.▇▇▇ or (▇▇▇) ▇▇▇-▇▇▇▇ If either DoD or ED experience a loss or breach of incidents within one (1) hour of notification. If PII, the Party agency experiencing the incident cannot contact will follow the other Partyincident reporting guidelines issued by OMB. 
In the event of a reportable incident under OMB guidance involving PII, the agency experiencing the incident is responsible for following its established procedures, including notification to the proper organizations (e.g., United States Computer Emergency Readiness Team, the agency’s System Security Contacts within one (1) hourprivacy office, or if contacting etc.). ED and DoD also will notify the System Security Contact is not practical, then this contact information shall be used: USAC Manager of Security Operations - (▇▇▇) ▇▇▇-▇▇▇▇ SERVICE PROVIDER [TO FILL OUT] USAC and SERVICE PROVIDER agree to notify all the Security Contact(scontact(s) named in this Agreement CMA as soon as possible, but no later than one (1) hour, hour after the discovery of a breach (or suspected breach) involving PII. The Party agency that experienced the incident will also be responsible for following its internal established procedures, including: Notifying including notifying the proper organizations (e.g., Information Systems Security Officers United States Computer Emergency Readiness Team (ISSOs”US-CERT)), the ISSOs and other contacts listed in this document); Conducting , conducting a breach and risk analysis, and making a determination of the need for notice and/or remediation to individuals affected by the loss; and Providing . If the agency’s analysis indicates that an individual notice and/or remediation is appropriate, the agency that experienced the incident will be responsible for providing such notice and credit monitoring at no and/or remediation without cost to the other Party, if the analysis conducted by the Party having experienced the loss incident indicates that individual notice and credit monitoring are appropriate.
In the event of any incident arising from or in connection with this Agreement, each Party will be responsible only for costs and/or litigation arising from a breach of the Party’s own systems; USAC is responsible only for costs and litigation associated with breaches to USAC systems and SERVICE PROVIDER is responsible only for breaches associated with SERVICE PROVIDER systems. USAC shall not be liable to SERVICE PROVIDER or to any third person for any cause of action arising from the possession, control, or use by SERVICE PROVIDER of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PII. SERVICE PROVIDER shall not be liable to USAC or to any third person for any cause of action arising from the possession, control, or use by USAC of applicant or subscriber PII, or for any loss, claim, damage or liability, of whatever kind or nature, which may arise from or in connection with this Agreement or using applicant or subscriber PIIagency.
Appears in 1 contract
Sources: Computer Matching Agreement
Incident Reporting. Security incidents are immediately addressed, so as to contain the incident, establish countermeasures to mitigate the impact of the incident, and recover from the incident. The party discovering the incident in accordance with their procedures will report security incidents.
In the case of {ETS Contractor}, a Computer Security Incident Response Capability (CSIRC) will be established for detecting, reporting, and responding to security incidents. In addition, any security incident will be reported immediately to the E-Gov Travel Information System Security Officer (ISSO), the {Agency} ISSO, and {state who/what other organization(s) this will be reported to, can bullet if desired. See MOU for example}. The {ETS Contractor} will complete and submit the specified GSA security incident reporting form to the E-Gov Travel ISSO within 24 hrs; however, if Personally Identifiable Information (PII) is involved, it will be submitted within one hour. The E-Gov Travel ISSO will notify the GSA Information System Security Manager (ISSM) of the incident and will submit security incident reports to the Office of the Senior Agency Information Security Official (OSAISO), of all security incidents, within 24 hrs; however, if Personally Identifiable Information (PII) is involved, it will be submitted within one hour. The GSA Senior Agency Information Security Official (SAISO) shall determine which security incidents should be reported to U.S. Computer Emergency Readiness Team (US-CERT), Office of the Inspector General or external law enforcement.
In the case of the {Agency}, the {Agency} will immediately notify {ETS Contractor’s} ISSO when a security incident(s) is detected, so {ETS Contractor} may take steps to determine whether its system has been compromised, and to take appropriate security precautions. The {Agency} will prepare and submit a security incident reporting form to {ETS Contractor}. In addition, any security incident will be reported to the E-Gov Travel PMO and {state who/what other organization(s) this will be reported to}. If the security incident is determined significant, the {Agency’s} Office of the Senior Agency Information Security Official (OSAISO) will report incidents to the US-CERT, office within the Department of Homeland Security, and the CERT Coordination Center. Policy governing the reporting of Security Incidents is {list each policy name and number}.
The incident response team will hold a “lessons learned” meeting with all involved parties after an incident to address the reason(s) for the incident, improving security measures, and the incident handling process. These “lessons learned” will be documented and any appropriate “plans of action” addressed. NIST SP 800-61, Computer Security Incident Handling Guide, is followed.
Appears in 1 contract
Sources: Interconnection Security Agreement