Noncompliance and Applicability. The Non-Exchange Entity must develop a corrective action plan to mitigate any security and privacy risks if the SPA assessment identifies a deficiency in the Non-Exchange Entity’s security and privacy controls. Alternatively, the Non-Exchange Entity may document why it believes a critical control is not applicable to its system or circumstances. The SPA assessment results do not alter the Agreement between the Non-Exchange Entity and CMS, including any penalties for non-compliance. If the Non- Exchange Entity’s SPA assessment includes findings suggesting significant security or privacy risks, and the Non-Exchange Entity does not commence development and implementation of a corrective action plan to the reasonable satisfaction of CMS, a comprehensive audit may be initiated by CMS, and/or the Agreement between the Non- Exchange Entity and CMS may be terminated for cause.
Appears in 2 contracts
Sources: Web Broker Agreement, Web Broker Agreement (eHealth, Inc.)