SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS. SSA shall comply with the Office of Child Support Enforcement Division of Federal Systems Security Requirements for Federal Agencies Receiving Federal Parent Locator Service Data. This section provides the safeguarding requirements with which OCSE and SSA shall comply and continuously monitor. SSA shall also comply with three additional requirements: Breach Reporting and Notification Responsibility, Security Authorization, and Audit Requirements. The safeguarding requirements for receiving NDNH information and the safeguards in place at OCSE for protecting the agency input files are as follows:
1. SSA shall restrict access to, and disclosure of, the NDNH information to authorized personnel who need the NDNH information to perform their official duties in connection with the authorized purposes specified in the agreement. OCSE restricts access to and disclosure of the agency input files to authorized personnel who need them to perform their official duties as authorized in this agreement.
2. SSA shall establish and maintain an ongoing management oversight and quality assurance program to ensure that only authorized personnel have access to NDNH information. OCSE management oversees the use of the agency input files to ensure that only authorized personnel have access. Policy/Requirements Traceability: 5 U.S.C. § 552a; NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, PL-4(1), PS-6, PS-8
3. SSA shall advise all authorized personnel who will access NDNH information of the confidentiality of the NDNH information, the safeguards required to protect the NDNH information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws, including section 453(l)(2) of the Social Security Act. 42 U.S.C. § 653(l)(2). OCSE advises all personnel who will access the agency input files of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws.
4. SSA shall deliver security and privacy awareness training to personnel with authorized access to NDNH information and the system that houses, processes, or transmits NDNH information. The training shall describe each user’s responsibility for proper use and protection of NDNH information, how to recognize and report potential indicators of insider threat, and the possible sanctions for misuse. All personnel shall receive security and privacy awareness training before accessing NDNH information and, at least, annually thereafter. The training shall cover the matching provisions of the Privacy Act, the Computer Matching and Privacy Protection Act, and other federal laws governing use and misuse of protected information. OCSE delivers security and privacy awareness training to personnel. The training describes each user’s responsibility for proper use and protection of other agencies’ input files, how to recognize and report potential indicators of insider threats, and the possible sanctions for misuse. All personnel receive security and privacy awareness training before accessing agency input files and, at least, annually thereafter. The training covers the other federal laws governing use and misuse of protected information. Policy/Requirements Traceability: 5 U.S.C. § 552a; 44 U.S.C. § 3551 et seq.; OMB Circular A-130, Managing Information as a Strategic Resource; OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (November 23, 2016); NIST SP 800-53 Rev 4, AT-2(2), AT-3
5. SSA personnel with authorized access to NDNH information shall sign non-disclosure agreements, rules of behavior, or equivalent documents before system access, annually, and if changes in assignment occur. The non-disclosure agreement, rules of behavior, or equivalent documents shall outline the authorized purposes for which the SSA may use NDNH information, the privacy and security safeguards contained in this agreement and security addendum, and the civil and criminal penalties for unauthorized use. SSA may use “wet” and/or electronic signatures to acknowledge non-disclosure agreements, rules of behavior, or equivalent documents. OCSE personnel with authorized access to the agency input files sign non-disclosure agreements and rules of behavior. Policy/Requirements Traceability: OMB Circular A-130 - Appendix I, Responsibilities for Protecting and Managing Federal Information Resources; OMB M-17-12; NIST SP 800-53 Rev 4, PS-6
6. SSA shall maintain records of authorized personnel with access to NDNH information. The records shall contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document, and proof of the individual’s participation in security and privacy awareness training. SSA shall make such records available to OCSE upon request. OCSE maintains a record of personnel with access to the agency input files. The records contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document, and proof of the individual’s participation in security and privacy awareness training.
7. SSA shall have appropriate procedures in place to report confirmed and suspected security or privacy incidents (unauthorized use or disclosure involving personally identifiable information) involving NDNH information. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The requirement for SSA to report confirmed or suspected incidents involving NDNH information to OCSE exists in addition to, not in lieu of, any SSA requirements to report to the United States Computer Emergency Readiness Team (US-CERT) or other reporting agencies.
8. SSA shall prohibit the use of non-SSA furnished equipment to access NDNH information without specific written authorization from the appropriate SSA representatives. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
9. SSA shall require that personnel accessing NDNH information remotely (for example, telecommuting) adhere to all the security and privacy safeguarding requirements provided in this security addendum. SSA and non-SSA furnished equipment shall have appropriate software with the latest updates to protect against attacks, including, at a minimum, current antivirus software and up-to-date system patches and other software patches. Before electronic connection to SSA resources, SSA shall scan the SSA and non-SSA furnished equipment to ensure compliance with SSA standards. All remote connections shall be through Network Access Control, and all data in transit between the remote location and SSA shall be encrypted using FIPS 140-2 encryption standards. Personally owned devices shall not be authorized. See numbers 8 and 19 of this section for additional information. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
10. SSA shall implement an effective continuous monitoring strategy and program that shall ensure the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing NDNH information. The continuous monitoring program shall include configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to SSA officials as required. OCSE has implemented a continuous monitoring strategy and program that ensures the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing the input files. The continuous monitoring program includes configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to the U.S. Department of Health and Human Services officials, as required. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, CA-7(1); NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
11. SSA shall maintain an asset inventory of all software and hardware components within the boundary of the information system housing NDNH information. The inventory shall be detailed enough for SSA to track and report. OCSE maintains an inventory of all software and hardware components within the boundary of the information system housing the agency input files. 4(2)(4)(5), PM-5
12. SSA shall maintain a system security plan describing the security requirements for the system housing NDNH information and the security controls in place or planned for meeting those requirements. The system security plan shall describe the responsibilities and expected behavior of all individuals who access the system. OCSE maintains a system security plan that describes the security requirements for the information system housing the agency input files and the security controls in place or planned for meeting those requirements. The system security plan includes responsibilities and expected behavior of all individuals who access the system. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, PL-2(3); NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
13. SSA shall maintain a plan of action and milestones (and when applicable, a corrective action plan) for the information system housing NDNH information to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. SSA shall update the plan of action and milestones (and when applicable, the corrective action plan) as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OCSE maintains a plan of action and milestones for the information system housing the agency input files to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. OCSE updates the plan of action and milestones as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
14. SSA shall maintain a baseline configuration of the system housing NDNH information. The baseline configuration shall include information on system components (for example, standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. OCSE maintains a baseline configuration of the information system housing the agency input files. 4(2)(4)(5)
15. SSA shall limit and control logical and physical access to NDNH information to only those personnel authorized for such access based on their official duties, and identified in the records maintained by SSA pursuant to numbers 6 and 27 of this section. SSA shall prevent personnel from browsing by using technical controls or other compensating controls. OCSE limits and controls logical and physical access to the agency input files to only those personnel authorized for such access based on their official duties. OCSE prevents browsing using technical controls that limit and monitor access to the agency input files.
16. SSA shall transmit and store all NDNH information provided pursuant to this agreement in a manner that safeguards the information and prohibits unauthorized access. All electronic SSA transmissions of information to SSA and entities specified in the agreement shall be encrypted utilizing a FIPS 140-2 compliant product. SSA and OCSE exchange data via a mutually approved and secured data transfer method that utilizes a FIPS 140-2 compliant product. Policy/Requirements Traceability: OMB M-17-12; FIPS 140-2, Security Requirements for Cryptographic Modules; NIST SP 800-53 Rev 4, MP-4, SC-8
17. SSA shall transfer and store NDNH information only on SSA owned portable digital media and mobile computing and communications devices that are encrypted at the disk or device level, using a FIPS 140-2 compliant product. See numbers 8 and 18 of this section for additional information. OCSE does not copy the agency input files to mobile media.
18. SSA shall prohibit the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing NDNH information. OCSE prohibits the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing the agency input files.
19. SSA shall prohibit remote access to NDNH information, except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication. SSA shall control remote access through a limited number of managed access control points. OCSE prohibits remote access to the agency input files except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication.
20. SSA shall maintain a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction to its initiator and capture the date and time of system events and the type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity. OCSE maintains a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction with its initiator and capture the date and time of system events and the type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity.
21. SSA shall log each computer-readable data extract (secondary store or files with duplicate NDNH information) from any database holding NDNH information and verify that each extract has been erased within 90 days after completing required use. If SSA requires the extract for longer than 90 days to accomplish a purpose authorized pursuant to this agreement, SSA shall request permission, in writing, to keep the extract for a defined period of time, subject to OCSE written approval. SSA shall comply with the retention and disposition requirements in the agreement. OCSE does not extract information from the agency input files.
22. SSA shall utilize a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity. See numbers 8, 9, and 19 of this section for additional information. OCSE utilizes a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity.
23. SSA shall erase electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement. OCSE erases the electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement.
24. When storage media are disposed of, the media will be destroyed or sanitized so that the erased records are not recoverable.
25. SSA shall implement a Network Access Control (also known as Network Admission Control (NAC)) solution in conjunction with a Virtual Private Network (VPN) option to enforce security policy compliance on all SSA and non-SSA remote devices that attempt to gain access to, or use, NDNH information. SSA shall use a NAC solution to authenticate, authorize, evaluate, and remediate remote wired and wireless users before they can access the network.
Sources: Computer Matching Agreement
SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS. SSA shall comply with the Office of Child Support Enforcement Division of Federal Systems Security Requirements for Federal Agencies Receiving Federal Parent Locator Service Data. SSA received this document on December 7, 2017. The safeguarding requirements in this security addendum are drawn from this document and are also based on the federal laws and requirements governing the protection of information referenced in section I of this security addendum. This section provides the safeguarding requirements with which OCSE and SSA shall comply and continuously monitor. SSA shall also comply with three additional requirements: Breach Reporting and Notification Responsibility, Security Authorization, and Audit Requirements. The safeguarding requirements for receiving NDNH information, as well as the safeguards in place at OCSE for protecting the agency input files, are as follows:
1. SSA shall restrict access to, and disclosure of, the NDNH information to authorized personnel who need the NDNH information to perform their official duties in connection with the authorized purposes specified in the agreement. OCSE restricts access to and disclosure of the agency input files to authorized personnel who need them to perform their official duties as authorized in this agreement.
2. SSA shall establish and maintain an ongoing management oversight and quality assurance program to ensure that only authorized personnel have access to NDNH information. OCSE management oversees the use of the agency input files to ensure that only authorized personnel have access. Policy/Requirements Traceability: 5 U.S.C. § 552a; NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, PL-4(1), PS-6, PS-8
3. SSA shall advise all authorized personnel who will access NDNH information of the confidentiality of the NDNH information, the safeguards required to protect the NDNH information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws, including section 453(l)(2) of the Social Security Act. 42 U.S.C. § 653(l)(2). OCSE advises all personnel who will access the agency input files of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws.
4. SSA shall deliver security and privacy awareness training to personnel with authorized access to NDNH information and the system that houses, processes, or transmits NDNH information. The training shall describe each user’s responsibility for proper use and protection of NDNH information, how to recognize and report potential indicators of insider threats, and the possible sanctions for misuse. All personnel shall receive security and privacy awareness training before accessing NDNH information and at least annually thereafter. The training shall cover the matching provisions of the federal Privacy Act, the Computer Matching and Privacy Protection Act, and other federal laws governing use and misuse of protected information. OCSE delivers security and privacy awareness training to personnel. The training describes each user’s responsibility for proper use and protection of other agencies’ input files, how to recognize and report potential indicators of insider threats, and the possible sanctions for misuse. All personnel receive security and privacy awareness training before accessing agency input files and at least annually thereafter. The training covers the other federal laws governing use and misuse of protected information. Policy/Requirements Traceability: 5 U.S.C. § 552a; 44 U.S.C. § 3551 et seq.; OMB Circular A-130, Managing Information as a Strategic Resource; OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; NIST SP 800-53 Rev 4, AT-2(2), AT-3
5. SSA personnel with authorized access to NDNH information shall sign non-disclosure agreements, rules of behavior, or equivalent documents before system access, annually, and if changes in assignment occur. The non-disclosure agreements, rules of behavior, or equivalent documents shall outline the authorized purposes for which the SSA may use NDNH information, the privacy and security safeguards contained in this agreement and security addendum, and the civil and criminal penalties for unauthorized use. SSA may use “wet” and/or electronic signatures to acknowledge non-disclosure agreements, rules of behavior, or equivalent documents. OCSE personnel with authorized access to the agency input files sign non-disclosure agreements and rules of behavior. Policy/Requirements Traceability: OMB Circular A-130 - Appendix I, Responsibilities for Protecting and Managing Federal Information Resources; OMB M-17-12; NIST SP 800-53 Rev 4, PS-6
6. SSA shall maintain records of authorized personnel with access to NDNH information. The records shall contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document and proof of the individual’s participation in security and privacy awareness training. SSA shall make such records available to OCSE upon request. OCSE maintains a record of personnel with access to the agency input files. The record contains a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document and proof of the individual’s participation in security and privacy awareness training.
7. SSA shall have appropriate procedures in place to report confirmed and suspected security or privacy incidents (unauthorized use or disclosure involving personally identifiable information), involving NDNH information. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The requirement for SSA to report confirmed or suspected incidents involving NDNH information to OCSE exists in addition to, not in lieu of, any SSA requirements to report to the United States Computer Emergency Readiness Team (US-CERT) or other reporting agencies.
8. SSA shall prohibit the use of non-SSA furnished equipment to access NDNH information without specific written authorization from the appropriate SSA representatives. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
9. SSA shall require that personnel accessing NDNH information remotely (for example, telecommuting) adhere to all the security and privacy safeguarding requirements provided in this security addendum. SSA and non-SSA furnished equipment shall have appropriate software with the latest updates to protect against attacks, including, at a minimum, current antivirus software and up-to-date system patches and other software patches. Before electronic connection to SSA resources, SSA shall scan the SSA and non-SSA furnished equipment to ensure compliance with SSA standards. All remote connections shall be through Network Access Control, and all data in transit between the remote location and SSA shall be encrypted using FIPS 140-2 encryption standards. Personally owned devices shall not be authorized. See numbers 8 and 19 of this section for additional information. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
10. SSA shall implement an effective continuous monitoring strategy and program that shall ensure the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing NDNH information. The continuous monitoring program shall include configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to SSA officials as required. OCSE has implemented a continuous monitoring strategy and program that ensures the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing the input files. The continuous monitoring program includes configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to the U.S. Department of Health and Human Services officials as required. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, CA-7(1); NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
11. SSA shall maintain an asset inventory of all software and hardware components within the boundary of the information system housing NDNH information. The inventory shall be detailed enough for SSA to track and report. OCSE maintains an inventory of all software and hardware components within the boundary of the information system housing the agency input files. 4(2)(4)(5), PM-5
12. SSA shall maintain a system security plan describing the security requirements for the system housing NDNH information and the security controls in place or planned for meeting those requirements. The system security plan shall describe the responsibilities and expected behavior of all individuals who access the system. OCSE maintains a system security plan that describes the security requirements for the information system housing the agency input files and the security controls in place or planned for meeting those requirements. The system security plan includes responsibilities and expected behavior of all individuals who access the system. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, PL-2(3); NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
13. SSA shall maintain a plan of action and milestones (and when applicable, a corrective action plan) for the information system housing NDNH information to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. SSA shall update the plan of action and milestones (and when applicable, the corrective action plan) as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OCSE maintains a plan of action and milestones for the information system housing the agency input files to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. OCSE updates the plan of action and milestones as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
14. SSA shall maintain a baseline configuration of the system housing NDNH information. The baseline configuration shall include information on system components (for example, standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. OCSE maintains a baseline configuration of the information system housing the agency input files. 4(2)(4)(5)
15. SSA shall limit and control logical and physical access to NDNH information to only those personnel authorized for such access based on their official duties, and identified in the records maintained by SSA pursuant to numbers 6 and 27 of this section. SSA shall prevent personnel from browsing by using technical controls or other compensating controls. OCSE limits and controls logical and physical access to the agency input files to only those personnel authorized for such access based on their official duties. OCSE prevents browsing using technical controls that limit and monitor access to the agency input files.
16. SSA shall transmit and store all NDNH information provided pursuant to this agreement in a manner that safeguards the information and prohibits unauthorized access. All electronic SSA transmissions of information to SSA and entities specified in the agreement shall be encrypted utilizing a FIPS 140-2 compliant product. SSA and OCSE exchange data via a mutually approved and secured data transfer method that utilizes a FIPS 140-2 compliant product. Policy/Requirements Traceability: OMB M-17-12; FIPS 140-2, Security Requirements for Cryptographic Modules; NIST SP 800-53 Rev 4, MP-4, SC-8
17. SSA shall transfer and store NDNH information only on SSA owned portable digital media and mobile computing and communications devices that are encrypted at the disk or device level, using a FIPS 140-2 compliant product. See numbers 8 and 18 of this section for additional information. OCSE does not copy the agency input files to mobile media.
18. SSA shall prohibit the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing NDNH information. OCSE prohibits the use of computing resources residing in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing the agency input files.
19. SSA shall prohibit remote access to NDNH information, except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication. SSA shall control remote access through a limited number of managed access control points. OCSE prohibits remote access to the agency input files except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication.
20. SSA shall maintain a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction to its initiator and capture the date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity. OCSE maintains a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction with its initiator and capture the date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity.
21. SSA shall log each computer-readable data extract (secondary store or files with duplicate NDNH information) from any database holding NDNH information and verify that each extract has been erased within 90 days after completing required use. If SSA requires the extract for longer than 90 days to accomplish a purpose authorized pursuant to this agreement, SSA shall request permission, in writing, to keep the extract for a defined period of time, subject to OCSE written approval. SSA shall comply with the retention and disposition requirements in the agreement. OCSE does not extract information from the agency input files.
22. SSA shall utilize a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity. See numbers 8, 9, and 19 of this section for additional information. OCSE utilizes a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity.
23. SSA shall erase electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement. OCSE erases the electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement.
24. When storage media are disposed of, the media will be destroyed or sanitized so that the erased records are not recoverable.
25. SSA shall implement a Network Access Control (also known as Network Admission Control (NAC)) solution in conjunction with a Virtual Private Network (VPN) option to enforce security policy compliance on all SSA and non-SSA remote devices that attempt to gain access to, or use, NDNH information. SSA shall use a NAC solution to authenticate, authorize, evaluate, and remediate remote wired and wireless users before they can access the network.
Sources: Computer Matching Agreement
SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS. OCSE developed these safeguarding requirements based on the federal laws and requirements governing the protection of information referenced in Section I of this security addendum, as well as the Office of Child Support Enforcement Division of Federal Systems Security Requirements for Federal Agencies Receiving Federal Parent Locator Service Data. SSA was provided a copy of the Office of Child Support Enforcement Division of Federal Systems Security Requirements for Federal Agencies Receiving Federal Parent Locator Service Data on July 14, 2015. This section provides the safeguarding requirements with which OCSE and SSA shall comply and continuously monitor. SSA shall also comply with three additional requirements: Breach Reporting and Notification Responsibility; Security Authorization; and Audit Requirements. The safeguarding requirements for receiving NDNH information and the safeguards in place at OCSE for protecting the agency input files are as follows:
1. SSA shall restrict access to, and disclosure of, the NDNH information to authorized personnel who need the NDNH information to perform their official duties in connection with the authorized purposes specified in the agreement. OCSE restricts access to and disclosure of the agency input files to authorized personnel who need them to perform their official duties as authorized in this agreement.
2. SSA shall establish and maintain an ongoing management oversight and quality assurance program to ensure that only authorized personnel have access to NDNH information. OCSE management oversees the use of the agency input files to ensure that only authorized personnel have access. Policy/Requirements Traceability: 5 U.S.C. § 552a; NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, PL-4(1), PS-6, PS-8
3. SSA shall advise all authorized personnel who will access NDNH information of the confidentiality of the NDNH information, the safeguards required to protect the NDNH information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws, including section 453(l)(2) of the Social Security Act. 42 U.S.C. § 653(l)(2). OCSE advises all personnel who will access the agency input files of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws.
4. SSA shall deliver security and privacy awareness training to personnel with authorized access to NDNH information and the system that houses, processes, or transmits NDNH information. The training shall describe each user’s responsibility for proper use and protection of NDNH information, how to recognize and report potential indicators of insider threat, and the possible sanctions for misuse. All personnel shall receive security and privacy awareness training before accessing NDNH information and, at least, annually thereafter. The training shall cover the matching provisions of the Privacy Act, the Computer Matching and Privacy Protection Act, and other federal laws governing use and misuse of protected information. OCSE delivers security and privacy awareness training to personnel. The training describes each user’s responsibility for proper use and protection of other agencies’ input files, how to recognize and report potential indicators of insider threats, and the possible sanctions for misuse. All personnel receive security and privacy awareness training before accessing agency input files and, at least, annually thereafter. The training covers the other federal laws governing use and misuse of protected information. Policy/Requirements Traceability: 5 U.S.C. § 552a; 44 U.S.C. § 3551 et seq; OMB Circular A-130, Managing Information as a Strategic Resource; OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (November 23, 2016); NIST SP 800-53 Rev 4, AT-2(2), AT-3
5. SSA personnel with authorized access to the NDNH information shall sign non-disclosure agreements, rules of behavior, or equivalent documents before system access, annually, and if changes in assignment occur. The non-disclosure agreement, rules of behavior, or equivalent documents shall outline the authorized purposes for which the SSA may use NDNH information, the privacy and security safeguards contained in this agreement and security addendum, and the civil and criminal penalties for unauthorized use. SSA may use “wet” and/or electronic signatures to acknowledge non-disclosure agreements, rules of behavior, or equivalent documents. OCSE personnel with authorized access to the agency input files sign non-disclosure agreements and rules of behavior. Policy/Requirements Traceability: OMB Circular A-130 - Appendix I, Responsibilities for Protecting and Managing Federal Information Resources; OMB M-17-12; NIST SP 800-53 Rev 4, PS-6
6. SSA shall maintain records of authorized personnel with access to the NDNH information. The records shall contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document, and proof of the individual’s participation in security and privacy awareness training. SSA shall make such records available to OCSE upon request. OCSE maintains a record of personnel with access to the agency input files. The records contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document, and proof of the individual’s participation in security and privacy awareness training.
7. SSA shall have appropriate procedures in place to report confirmed and suspected security or privacy incidents (unauthorized use or disclosure involving personally identifiable information) involving NDNH information. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The requirement for SSA to report confirmed or suspected incidents involving NDNH information to OCSE exists in addition to, not in lieu of, any SSA requirements to report to the United States Computer Emergency Readiness Team (US-CERT) or other reporting agencies.
8. SSA shall prohibit the use of non-SSA furnished equipment to access NDNH information without specific written authorization for the equipment from the appropriate SSA representatives. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
9. SSA shall require that personnel accessing NDNH information remotely (for example, telecommuting) adhere to all the security and privacy safeguarding requirements provided in this security addendum. SSA and non-SSA furnished equipment shall have appropriate software with the latest updates to protect against attacks, including, at a minimum, current antivirus software and up-to-date system patches and other software patches. Before electronic connection to SSA resources, SSA shall scan the SSA and non-SSA furnished equipment to ensure compliance with SSA standards. All remote connections shall be through Network Access Control and all data in transit between the remote location and SSA shall be encrypted using FIPS 140-2 encryption standards. Personally owned devices shall not be authorized. See numbers 8 and 19 of this section for additional information. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
10. SSA shall implement an effective continuous monitoring strategy and program that shall ensure the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing NDNH information. The continuous monitoring program shall include configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to SSA officials as required. OCSE has implemented a continuous monitoring strategy and program that ensures the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing the input files. The continuous monitoring program includes configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to the U.S. Department of Health and Human Services officials, as required. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, CA-7(1); NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
11. SSA shall maintain an asset inventory of all software and hardware components within the boundary of the information system housing the NDNH information. The inventory shall be detailed enough for SSA to track and report. OCSE maintains an inventory of all software and hardware components within the boundary of the information system housing the agency input files. 4(2)(4)(5), PM-5
12. SSA shall maintain a system security plan describing the security requirements for the system housing NDNH information and the security controls in place or planned for meeting those requirements. The system security plan shall describe the responsibilities and expected behavior of all individuals who access the system. OCSE maintains a system security plan that describes the security requirements for the information system housing the agency input files and the security controls in place or planned for meeting those requirements. The system security plan includes responsibilities and expected behavior of all individuals who access the system. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, PL-2(3), NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
13. SSA shall maintain a plan of action and milestones (and when applicable, a corrective action plan) for the information system housing NDNH information to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. SSA shall update the plan of action and milestones (and when applicable, the corrective action plan) as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OCSE maintains a plan of action and milestones for the information system housing the agency input files to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. OCSE updates the plan of action and milestones as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
14. SSA shall maintain a baseline configuration of the system housing NDNH information. The baseline configuration shall include information on system components (for example, standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. OCSE maintains a baseline configuration of the information system housing the agency input files. 4(2)(4)(5)
15. SSA shall limit and control logical and physical access to NDNH information to only those personnel authorized for such access based on their official duties, and identified in the records maintained by SSA pursuant to numbers 6 and 27 of this section. SSA shall prevent personnel from browsing case files not assigned to them by using technical controls or other compensating controls. OCSE limits and controls logical and physical access to the agency input files to only those personnel authorized for such access based on their official duties. OCSE prevents browsing using technical controls that limit and monitor access to the agency input files.
16. SSA shall transmit and store all NDNH information provided pursuant to the agreement in a manner that safeguards the information and prohibits unauthorized access. All electronic SSA transmissions of information to SSA and entities specified in the agreement shall be encrypted utilizing a FIPS 140-2 compliant product. SSA and OCSE exchange data via a mutually approved and secured data transfer method that utilizes a FIPS 140-2 compliant product. Policy/Requirements Traceability: OMB M-17-12; FIPS 140-2, Security Requirements for Cryptographic Modules; NIST SP 800-53 Rev 4, MP-4, SC-8
17. SSA shall transfer and store NDNH information only on SSA owned portable digital media and mobile computing and communications devices that are encrypted at the disk or device level, using a FIPS 140-2 compliant product. See numbers 8 and 18 of this section for additional information. OCSE does not copy the agency input files to mobile media.
18. SSA shall prohibit the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing NDNH information. OCSE prohibits the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing the agency input files.
19. SSA shall prohibit remote access to NDNH information, except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication, as required by OMB M-06-16. SSA shall control remote access through a limited number of managed access control points. OCSE prohibits remote access to the agency input files except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication.
20. SSA shall maintain a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction to its initiator, and capture the date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification, and deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity. OCSE maintains a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction with its initiator, and capture the date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity.
21. SSA shall log each computer-readable data extract (secondary store or files with duplicate NDNH information) from any database holding NDNH information and verify that each extract has been erased within 90 days after completing required use. If SSA requires the extract for longer than 90 days to accomplish a purpose authorized pursuant to this agreement, SSA shall request permission, in writing, to keep the extract for a defined period of time, subject to OCSE written approval. SSA shall comply with the retention and disposition requirements in the agreement. OCSE does not extract information from the agency input files.
22. SSA shall utilize a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity. See numbers 8, 9, and 19 of this section for additional information. OCSE utilizes a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity.
23. SSA shall erase electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement. OCSE erases the electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement.
24. When storage media are disposed of, the media will be destroyed or sanitized so that the erased records are not recoverable.
25. SSA shall implement a Network Access Control (also known as Network Admission Control (NAC)) solution in conjunction with a Virtual Private Network (VPN) option to enforce security policy compliance on all SSA and non-SSA remote devices that attempt to gain access to, or use, NDNH information. SSA shall use a NAC solution to authenticate, authorize, evaluate, and remediate remote wired and wireless users before they can access the network. The implemented NAC solution shall evaluate whether remote machines are compliant with security policies through host(s)’ integrity tests against predefined templates, such as patch level, service packs, antivirus, and personal firewall status, as well as custom-created checks tailored for the SSA enterprise environment. SSA shall disable functionality that allows automatic execution of code. The solution shall enforce security policies by blocking, isolating, or quarantining non-compliant devices from accessing the SSA network and resources while maintaining an audit record on users’ access and presence on the SSA network. See numbers 8 and 18 of this section for additional information.
SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS. Use of pseudo-identifiers does not eliminate the possibility that the individuals in the study may be identifiable from the remaining information. While not directly identified, the remaining information OCSE provides, in conjunction with additional available data sources, is sometimes sufficient to identify the study participants with reasonable certainty. Therefore, OPRE/OFA must safeguard the information to protect the privacy of the individuals. Neither OPRE/OFA nor OCSE are permitted to reconstruct or link files, or participate in any activity, other than those identified and governed by the agreement, which could result in the personal identification of any individual whose information is contained in the input or output files. The safeguarding requirements for receiving NDNH information as well as the safeguards in place at OCSE for protecting the agency input files are as follows:
1. OPRE/OFA must restrict access to, and disclosure of, the NDNH information to authorized personnel who need the NDNH information to perform their official duties in connection with the authorized purposes specified in the agreement. OCSE restricts access to and disclosure of the agency input files to authorized personnel who need them to perform their official duties as authorized in this agreement. Policy/Requirements Traceability: 5 U.S.C. § 552a (b)(1), NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations, AC-3, AC-6
2. OPRE/OFA must establish and maintain an ongoing management oversight and quality assurance program to ensure that only authorized personnel have access to NDNH information. OCSE management oversees the use of the agency input files to ensure that only authorized personnel have access. Policy/Requirements Traceability: 5 U.S.C. § 552a; NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations, PL-4(1), PS-6, PS-8
3. OPRE/OFA must advise all authorized personnel who will access NDNH information of the confidentiality of the NDNH information, the safeguards required to protect the NDNH information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws, including section 453(l)(2) of the Social Security Act. 42 U.S.C. § 653(l)(2). OCSE advises all personnel who will access the agency input files of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws.
4. OPRE/OFA must deliver security and privacy awareness training to personnel with authorized access to NDNH information and the system that houses, processes, or transmits NDNH information. The training must describe each user’s responsibility for proper use and protection of NDNH information, how to recognize and report potential indicators of insider threat, and the possible sanctions for misuse. All personnel must receive security and privacy awareness training before accessing NDNH information and at least annually thereafter. The training must cover the matching provisions of the federal Privacy Act, the Computer Matching and Privacy Protection Act, and other federal laws governing use and misuse of protected information. OCSE delivers security and privacy awareness training to personnel. The training describes each user’s responsibility for proper use and protection of other agencies’ input files, how to recognize and report potential indicators of insider threat, and the possible sanctions for misuse. All personnel receive security and privacy awareness training before accessing agency input files and at least annually thereafter. The training covers the other federal laws governing use and misuse of protected information. Policy/Requirements Traceability: 5 U.S.C. § 552a; 44 U.S.C. § 3551 et seq; OMB Circular A-130, Managing Information as a Strategic Resource; OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (November 23, 2016); NIST SP 800-53 Rev 5, AT-2(2), AT-3
5. OPRE/OFA personnel with authorized access to NDNH information must sign non-disclosure agreements, rules of behavior, or equivalent documents before system access, annually, and if changes in assignment occur. The non-disclosure agreement, rules of behavior, or equivalent documents must outline the authorized purposes for which OPRE/OFA may use NDNH information, the privacy and security safeguards contained in this agreement and security addendum, and the civil and criminal penalties for unauthorized use. OPRE/OFA may use “wet” and/or electronic signatures to acknowledge non-disclosure agreements, rules of behavior, or equivalent documents. OCSE personnel with authorized access to the agency input files sign non-disclosure agreements and rules of behavior. Policy/Requirements Traceability: OMB Circular A-130 - Appendix I, Responsibilities for Protecting and Managing Federal Information Resources; OMB M-17-12; NIST SP 800-53 Rev 5, PS-6
6. OPRE/OFA must maintain records of authorized personnel with access to NDNH information. The records must contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document and proof of the individual’s participation in security and privacy awareness training. OPRE/OFA must make such records available to OCSE upon request. OCSE maintains a record of personnel with access to the agency input files. The records contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document and proof of the individual’s participation in security and privacy awareness training.
7. OPRE/OFA must have appropriate procedures in place to report confirmed and suspected security or privacy incidents (unauthorized use or disclosure involving personally identifiable information) involving NDNH information and any activity that may serve to identify individuals within the output files, or any other incident or suspected incident that could compromise the privacy of the individuals in the study. Immediately upon discovery, but in no case later than one hour after discovery of the incident, OPRE/OFA must report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The requirement for OPRE/OFA to report confirmed or suspected incidents involving NDNH information to OCSE exists in addition to, not in lieu of, any OPRE/OFA requirements to report to the United States Computer Emergency Readiness Team (US-CERT) or other reporting agencies. OCSE has appropriate procedures in place to report security or privacy incidents, or suspected incidents, involving the agency input files. Immediately upon discovery, but in no case later than one hour after discovery of the incident, OCSE will report confirmed and suspected incidents to the OPRE/OFA security and privacy contact designated in this security addendum. The requirement for OCSE to report confirmed or suspected incidents to OPRE/OFA exists in addition to, not in lieu of, requirements to report to US-CERT or other reporting agencies.
10. SSA shall implement an effective continuous monitoring strategy and program that shall ensure the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing NDNH information. The continuous monitoring program shall include configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to SSA officials as required. OCSE has implemented a continuous monitoring strategy and program that ensures the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing the input files. The continuous monitoring program includes configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to the U.S. Department of Health and Human Services officials, as required. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, CA-7(1); NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
11. SSA shall maintain an asset inventory of all software and hardware components within the boundary of the information system housing NDNH information. The inventory shall be detailed enough for SSA to track and report. OCSE maintains an inventory of all software and hardware components within the boundary of the information system housing the agency input files. 4(2)(4)(5), PM-5
12. SSA shall maintain a system security plan describing the security requirements for the system housing NDNH information and the security controls in place or planned for meeting those requirements. The system security plan shall describe the responsibilities and expected behavior of all individuals who access the system. OCSE maintains a system security plan that describes the security requirements for the information system housing the agency input files and the security controls in place or planned for meeting those requirements. The system security plan includes responsibilities and expected behavior of all individuals who access the system. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, PL-2(3), NIST SP 800- 18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
13. SSA shall maintain a plan of action and milestones (and when applicable, a corrective action plan) for the information system housing NDNH information to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. SSA shall update the plan of action and milestones (and when applicable, the corrective action plan) as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OCSE maintains a plan of action and milestones for the information system housing the agency input files to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. OCSE updates the plan of action and milestones as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
14. SSA shall maintain a baseline configuration of the system housing NDNH information. The baseline configuration shall include information on system components (for example, standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. OCSE maintains a baseline configuration of the information system housing the agency input files. 4(2)(4)(5)
15. SSA shall limit and control logical and physical access to NDNH information to only those personnel authorized for such access based on their official duties, and identified in the records maintained by SSA pursuant to numbers 6 and 27 of this section. SSA shall prevent personnel from browsing by using technical controls or other compensating controls. OCSE limits and controls logical and physical access to the agency input files to only those personnel authorized for such access based on their official duties. OCSE prevents browsing using technical controls that limit and monitor access to the agency input files.
16. SSA shall transmit and store all NDNH information provided pursuant to this agreement in a manner that safeguards the information and prohibits unauthorized access. All electronic SSA transmissions of information to SSA and entities specified in the agreement shall be encrypted utilizing a FIPS 140-2 compliant product. SSA and OCSE exchange data via a mutually approved and secured data transfer method that utilizes a FIPS 140-2 compliant product. Policy/Requirements Traceability: OMB M-17-12; FIPS 140-2, Security Requirements for Cryptographic Modules; NIST SP 800-53 Rev 4, MP-4, SC-8
17. SSA shall transfer and store NDNH information only on SSA owned portable digital media and mobile computing and communications devices that are encrypted at the disk or device level, using a FIPS 140-2 compliant product. See numbers 8 and 18 of this section for additional information. OCSE does not copy the agency input files to mobile media.
18. SSA shall prohibit the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing NDNH information. OCSE prohibits the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing the agency input files.
19. SSA shall prohibit remote access to NDNH information, except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication. SSA shall control remote access through a limited number of managed access control points. OCSE prohibits remote access to the agency input files except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication.
20. SSA shall maintain a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction to its initiator, capture date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity. OCSE maintains a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction with its initiator, capture date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity.
21. SSA shall log each computer-readable data extract (secondary store or files with duplicate NDNH information) from any database holding NDNH information and verify that each extract has been erased within 90 days after completing required use. If SSA requires the extract for longer than 90 days to accomplish a purpose authorized pursuant to this agreement, SSA shall request permission, in writing, to keep the extract for a defined period of time, subject to OCSE written approval. SSA shall comply with the retention and disposition requirements in the agreement. OCSE does not extract information from the agency input files.
22. SSA shall utilize a time-out function for remote access and mobile devices that require a user to re-authenticate after no more than 30 minutes of inactivity. See numbers 8, 9, and 19 of this section for additional information. OCSE utilizes a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity.
23. SSA shall erase electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement. OCSE erases the electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement.
24. When storage media are disposed of, the media will be destroyed or sanitized so that the erased records are not recoverable.
25. SSA shall implement a Network Access Control (also known as Network Admission Control (NAC)) solution in conjunction with a Virtual Private Network (VPN) option to enforce security policy compliance on all SSA and non-SSA remote devices that attempt to gain access to, or use, NDNH information. SSA shall use a NAC solution to authenticate, authorize, evaluate, and remediate remote wired and wireless users before they can access the networ
Sources: Memorandum of Understanding
SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS. The safeguarding requirements in this security addendum are drawn from the Office of Child Support Enforcement Division of Federal Systems Security Requirements for Federal Agencies Receiving National Directory of New Hires Data. This document is available upon request from ▇▇▇▇▇▇▇▇▇▇▇▇@▇▇▇.▇▇▇.▇▇▇. This section provides the safeguarding requirements that OCSE and SSA must meet and continuously monitor to ensure compliance. SSA must also comply with three additional requirements: Breach Reporting and Notification Responsibility; Security Authorization; and Audit Requirements. The safeguarding requirements for receiving NDNH information as well as the safeguards in place at OCSE for protecting the agency input files are as follows:
1. SSA must restrict access to, and disclosure of, the NDNH information to authorized personnel who need the NDNH information to perform their official duties in connection with the authorized purposes specified in the agreement. OCSE restricts access to and disclosure of the agency input files to authorized personnel who need them to perform their official duties as authorized in this agreement. Policy/Requirements Traceability: 5 U.S.C. § 552a(b)(1), NIST SP 800-53 Rev 5, Security and Privacy Controls for Information Systems and Organizations, AC-3, AC-6
2. SSA must establish and maintain an ongoing management oversight and quality assurance program to ensure that only authorized personnel have access to NDNH information. OCSE management oversees the use of the agency input files to ensure that only authorized personnel have access. Policy/Requirements Traceability: 5 U.S.C. § 552a; NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, PL-4(1), PS-6, PS-8.
3. SSA must advise all authorized personnel who will access NDNH information of the confidentiality of the NDNH information, the safeguards required to protect the NDNH information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws, including section 453(l)(2) of the Social Security Act. 42 U.S.C. § 653(l)(2). OCSE advises all personnel who will access the agency input files of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws.
4. SSA must deliver security and privacy awareness training to personnel with authorized access to NDNH information and the system that houses, processes, or transmits NDNH information. The training must describe each user’s responsibility for proper use and protection of NDNH information, how to recognize and report potential indicators of insider threat, and the possible sanctions for misuse. All personnel must receive security and privacy awareness training before accessing NDNH information and at least annually thereafter. The training must cover the matching provisions of the federal Privacy Act, the Computer Matching and Privacy Protection Act, and other federal laws governing use and misuse of protected information. OCSE delivers security and privacy awareness training to personnel. The training describes each user’s responsibility for proper use and protection of other agencies’ input files, how to recognize and report potential indicators of insider threat, and the possible sanctions for misuse. All personnel receive security and privacy awareness training before accessing agency input files and at least annually thereafter. The training covers the other federal laws governing use and misuse of protected information. Policy/Requirements Traceability: 5 U.S.C. § 552a; 44 U.S.C. § 3551 et seq; OMB Circular A-130, Managing Information as a Strategic Resource; OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; NIST SP 800-53 Rev 5, AT-2(2), AT-3
5. SSA personnel with authorized access to NDNH information must sign non-disclosure agreements, rules of behavior, or equivalent documents before system access, annually, and if changes in assignment occur. The non-disclosure agreement, rules of behavior, or equivalent documents must outline the authorized purposes for which the SSA may use NDNH information, the privacy and security safeguards contained in this agreement and security addendum, and the civil and criminal penalties for unauthorized use. SSA may use “wet” and/or electronic signatures to acknowledge non-disclosure agreements, rules of behavior, or equivalent documents. OCSE personnel with authorized access to the agency input files sign non-disclosure agreements and rules of behavior annually. Policy/Requirements Traceability: OMB Circular A-130 – Appendix I, Responsibilities for Protecting and Managing Federal Information Resources; OMB M-17-12; NIST SP 800-53 Rev 5, PS-6
6. SSA must maintain records of authorized personnel with access to NDNH information. The records must contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document and proof of the individual’s participation in security and privacy awareness training. SSA must make such records available to OCSE upon request. OCSE maintains a record of personnel with access to the agency input files. The records contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document and proof of the individual’s participation in security and privacy awareness training.
7. SSA must have appropriate procedures in place to report confirmed and suspected security or privacy incidents (unauthorized use or disclosure involving personally identifiable information), involving NDNH information. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA must report confirmed and suspected incidents to OCSE, as designated in this security addendum. The requirement for SSA to report confirmed or suspected incidents involving NDNH information to OCSE exists in addition to, not in lieu of, any SSA requirements to report to the United States Computer Emergency Readiness Team (US-CERT) or other reporting agencies.
8. SSA must prohibit the use of non-SSA furnished equipment to access NDNH information without specific written authorization from the appropriate SSA representatives. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
9. SSA must require that personnel accessing NDNH information remotely (for example, telecommuting) adhere to all the security and privacy safeguarding requirements provided in this security addendum. SSA and non-SSA furnished equipment must have appropriate software with the latest updates to protect against attacks, including, at a minimum, current antivirus software and up-to-date system patches and other software patches. Before electronic connection to SSA resources, SSA must scan the SSA and non-SSA furnished equipment to ensure compliance with SSA standards. All remote connections must be through Network Access Control, and all data in transit between the remote location and SSA must be encrypted using FIPS 140-2 encryption standards. Personally owned devices must not be authorized. See numbers 8 and 19 of this section for additional information. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
10. SSA must implement an effective continuous monitoring strategy and program that must ensure the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing NDNH information. The continuous monitoring program must include configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to SSA officials as required. OCSE has implemented a continuous monitoring strategy and program that ensures the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing the input files. The continuous monitoring program includes configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to the U.S. Department of Health and Human Services officials as required. Policy/Requirements Traceability: NIST SP 800-53 Rev 5, CA-7(1)(4); NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations
11. SSA must maintain an asset inventory of all software and hardware components within the boundary of the information system housing NDNH information. The inventory must be detailed enough for SSA to track and report. OCSE maintains an inventory of all software and hardware components within the boundary of the information system housing the agency input files. Policy/Requirements Traceability: NIST SP 800-53 Rev 5, PM-5
12. SSA must maintain a system security plan describing the security requirements for the system housing NDNH information and the security controls in place or planned for meeting those requirements. The system security plan must describe the responsibilities and expected behavior of all individuals who access the system. OCSE maintains a system security plan that describes the security requirements for the information system housing the agency input files and the security controls in place or planned for meeting those requirements. The system security plan includes responsibilities and expected behavior of all individuals who access the system. Policy/Requirements Traceability: NIST SP 800-53 Rev 5, PL-2, NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
13. SSA must maintain a plan of action and milestones (and when applicable, a corrective action plan) for the information system housing NDNH information to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. SSA must update the plan of action and milestones (and when applicable, the corrective action plan) as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OCSE maintains a plan of action and milestones for the information system housing the agency input files to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. OCSE updates the plan of action and milestones as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
14. SSA must maintain a baseline configuration of the system housing NDNH information. The baseline configuration must include information on system components (for example, standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. OCSE maintains a baseline configuration of the information system housing the agency input files.
15. SSA must limit and control logical and physical access to NDNH information to only those personnel authorized for such access based on their official duties, and identified in the records maintained by SSA pursuant to numbers 6 and 27 of this section. SSA must prevent personnel from browsing by using technical controls or other compensating controls. OCSE limits and controls logical and physical access to the agency input files to only those personnel authorized for such access based on their official duties. OCSE prevents browsing using technical controls that limit and monitor access to the agency input files.
16. SSA must transmit and store all NDNH information provided pursuant to this agreement in a manner that safeguards the information and prohibits unauthorized access. All electronic SSA transmissions of information to SSA and entities specified in the agreement must be encrypted utilizing a FIPS 140-2 compliant product. SSA and OCSE exchange data via a mutually approved and secured data transfer method that utilizes a FIPS 140-2 compliant product. Policy/Requirements Traceability: OMB M-17-12; FIPS 140-3, Security Requirements for Cryptographic Modules; NIST SP 800-53 Rev 5, MP-4, SC-8
17. SSA must transfer and store NDNH information only on SSA owned portable digital media and mobile computing and communications devices that are encrypted at the disk or device level, using a FIPS 140-2 compliant product. See numbers 8 and 18 of this section for additional information. OCSE does not copy the agency input files to mobile media.
18. SSA must prohibit the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing NDNH information. OCSE prohibits the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing the agency input files.
19. SSA must prohibit remote access to NDNH information, except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication. SSA must control remote access through a limited number of managed access control points. OCSE prohibits remote access to the agency input files except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication.
20. SSA must maintain a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction to its initiator, capture date and time of system events and type of events. The audit trail system must protect data and the audit tool from addition, modification or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity. OCSE maintains a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction with its initiator, capture date and time of system events and type of events. The audit trail system must protect data and the audit tool from addition, modification or deletion and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity.
21. SSA must log each computer-readable data extract (secondary store or files with duplicate NDNH information) from any database holding NDNH information and verify that each extract has been erased within 60 days after completing authorized use. If SSA requires the extract for longer than 60 days to accomplish a purpose authorized pursuant to this agreement, SSA must request permission, in writing, to keep the extract for a defined period of time, subject to OCSE written approval. SSA must comply with the retention and disposition requirements in the agreement. OCSE does not extract information from the agency input files.
22. SSA must utilize a time-out function for remote access and mobile devices that require a user to re-authenticate after no more than 30 minutes of inactivity. See numbers 8, 9, and 19 of this section for additional information. OCSE utilizes a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity.
23. SSA must erase electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement. OCSE erases the electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement.
24. When storage media are disposed of, the media will be destroyed or sanitized so that the erased records are not recoverable.
25. SSA must implement a Network Access Control (also known as Network Admission Control (NAC)) solution in conjunction with a Virtual Private Network (VPN) option to enforce security policy compliance on all SSA and non-SSA remote devices that attempt to gain access to, or use, NDNH information. SSA must use a NAC solution to authenticate, authorize, evaluate, and remediate remote wired and wireless users before they can access the networ
Sources: Computer Matching Agreement
SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS. SSA shall comply with the Office of Child Support Enforcement Division of Federal Systems This section provides the safeguarding requirements with which OCSE and SSA shall comply and continuously monitor. SSA shall also comply with three additional requirements: Breach Reporting and Notification Responsibility; Security Authorization; and Audit Requirements. The safeguarding requirements for receiving NDNH information and the safeguards in place at OCSE for protecting the agency input files are as follows:
1. SSA shall restrict access to, and disclosure of, the NDNH information to authorized personnel who need the NDNH information to perform their official duties in connection with the authorized purposes specified in the agreement. OCSE restricts access to and disclosure of the agency input files to authorized personnel who need them to perform their official duties as authorized in this agreement.
2. SSA shall establish and maintain an ongoing management oversight and quality assurance program to ensure that only authorized personnel have access to NDNH information. OCSE management oversees the use of the agency input files to ensure that only authorized personnel have access. Policy/Requirements Traceability: 5 U.S.C. § 552a; NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, PL-4(1), PS-6, PS-8
3. SSA shall advise all authorized personnel who will access NDNH information of the confidentiality of the NDNH information, the safeguards required to protect the NDNH information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws, including section 453(l)(2) of the Social Security Act. 42 U.S.C. § 653(l)(2). OCSE advises all personnel who will access the agency input files of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws.
4. SSA shall deliver security and privacy awareness training to personnel with authorized access to NDNH information and the system that houses, processes, or transmits NDNH information. The training shall describe each user’s responsibility for proper use and protection of NDNH information, how to recognize and report potential indicators of insider threat, and the possible sanctions for misuse. All personnel shall receive security and privacy awareness training before accessing NDNH information and at least annually thereafter. The training shall cover the matching provisions of the Privacy Act, the Computer Matching and Privacy Protection Act, and other federal laws governing use and misuse of protected information. OCSE delivers security and privacy awareness training to personnel. The training describes each user’s responsibility for proper use and protection of other agencies’ input files, how to recognize and report potential indicators of insider threats, and the possible sanctions for misuse. All personnel receive security and privacy awareness training before accessing agency input files and at least annually thereafter. The training covers the other federal laws governing use and misuse of protected information. Policy/Requirements Traceability: 5 U.S.C. § 552a; 44 U.S.C. § 3551 et seq; OMB Circular A-130, Managing Information as a Strategic Resource; OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information; NIST SP 800-53 Rev 4, AT-2(2), AT-3
5. SSA personnel with authorized access to the NDNH information shall sign non-disclosure agreements, rules of behavior, or equivalent documents before system access annually, and if changes in assignment occur. The non-disclosure agreement, rules of behavior, or equivalent documents shall outline the authorized purposes for which the SSA may use the NDNH information, the privacy and security safeguards contained in this agreement and security addendum, and the civil and criminal penalties for unauthorized use. The SSA may use “wet” and/or electronic signatures to acknowledge non-disclosure agreements, rules of behavior, or equivalent documents. OCSE personnel with authorized access to the agency input files sign non-disclosure agreements and rules of behavior. Policy/Requirements Traceability: OMB Circular A-130 - Appendix I, Responsibilities for Protecting and Managing Federal Information Resources; OMB M-17-12; NIST SP 800-53 Rev 4, PS-6
6. SSA shall maintain records of authorized personnel with access to the NDNH information. The records shall contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document and proof of the individual’s participation in security and privacy awareness training. SSA shall make such records available to OCSE upon request. OCSE maintains a record of personnel with access to the agency input files. The records contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document and proof of the individual’s participation in security and privacy awareness training.
7. SSA shall have appropriate procedures in place to report confirmed and suspected security or privacy incidents (unauthorized use or disclosure involving personally identifiable information) involving NDNH information. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The requirement for SSA to report confirmed or suspected incidents involving NDNH information to OCSE exists in addition to, not in lieu of, any SSA requirements to report to the United States Computer Emergency Readiness Team (US-CERT) or other reporting agencies.
8. SSA shall prohibit the use of non-SSA furnished equipment to access NDNH information without specific written authorization from the appropriate SSA representatives. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
9. SSA shall require that personnel accessing NDNH information remotely (for example, telecommuting) adhere to all the security and privacy safeguarding requirements provided in this security addendum. SSA and non-SSA furnished equipment shall have appropriate software with the latest updates to protect against attacks, including, at a minimum, current antivirus software and up-to-date system patches and other software patches. Before electronic connection to SSA resources, the SSA shall scan the SSA and non-SSA furnished equipment to ensure compliance with the SSA standards. All remote connections shall be through Network Access Control, and all data in transit between the remote location and the SSA shall be encrypted using FIPS 140-2 encryption standards. Personally owned devices shall not be authorized. See numbers 8 and 19 of this section for additional information. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
10. SSA shall implement an effective continuous monitoring strategy and program that shall ensure the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing NDNH information. The continuous monitoring program shall include configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to SSA officials as required. OCSE has implemented a continuous monitoring strategy and program that ensures the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing the input files. The continuous monitoring program includes configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to the U.S. Department of Health and Human Services officials as required. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, CA-7(1); NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
11. SSA shall maintain an asset inventory of all software and hardware components within the boundary of the information system housing NDNH information. The inventory shall be detailed enough for SSA to track and report. OCSE maintains an inventory of all software and hardware components within the boundary of the information system housing the agency input files. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, PM-5
12. SSA shall maintain a system security plan describing the security requirements for the system housing NDNH information and the security controls in place or planned for meeting those requirements. The system security plan shall describe the responsibilities and expected behavior of all individuals who access the system. OCSE maintains a system security plan that describes the security requirements for the information system housing the agency input files and the security controls in place or planned for meeting those requirements. The system security plan includes responsibilities and expected behavior of all individuals who access the system. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, PL-2(3), NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
13. SSA shall maintain a plan of action and milestones (and when applicable, a corrective action plan) for the information system housing NDNH information to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. SSA shall update the plan of action and milestones (and when applicable, the corrective action plan) as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OCSE maintains a plan of action and milestones for the information system housing the agency input files to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. OCSE updates the plan of action and milestones as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
14. SSA shall maintain a baseline configuration of the system housing NDNH information. The baseline configuration shall include information on system components (for example, standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. OCSE maintains a baseline configuration of the information system housing the agency input files. 4(2)(4)(5)
15. SSA shall limit and control logical and physical access to NDNH information to only those personnel authorized for such access based on their official duties, and identified in the records maintained by SSA pursuant to numbers 6 and 27 of this section. SSA shall prevent personnel from browsing by using technical controls or other compensating controls. OCSE limits and controls logical and physical access to the agency input files to only those personnel authorized for such access based on their official duties. OCSE prevents browsing using technical controls that limit and monitor access to the agency input files.
16. SSA shall transmit and store all NDNH information provided pursuant to this agreement in a manner that safeguards the information and prohibits unauthorized access. All electronic SSA transmissions of information to SSA and entities specified in the agreement shall be encrypted utilizing a FIPS 140-2 compliant product. SSA and OCSE exchange data via a mutually approved and secured data transfer method that utilizes a FIPS 140-2 compliant product. Policy/Requirements Traceability: OMB M-17-12; FIPS 140-2, Security Requirements for Cryptographic Modules; NIST SP 800-53 Rev 4, MP-4, SC-8
17. SSA shall transfer and store NDNH information only on SSA-owned portable digital media and mobile computing and communications devices that are encrypted at the disk or device level, using a FIPS 140-2 compliant product. See numbers 8 and 18 of this section for additional information. OCSE does not copy the agency input files to mobile media.
18. SSA shall prohibit the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing NDNH information. OCSE prohibits the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing the agency input files.
19. SSA shall prohibit remote access to NDNH information, except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication. SSA shall control remote access through a limited number of managed access control points. OCSE prohibits remote access to the agency input files except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication.
20. SSA shall maintain a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction to its initiator, and capture the date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion, and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity. OCSE maintains a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction with its initiator, and capture the date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion, and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity.
21. SSA shall log each computer-readable data extract (secondary store or files with duplicate NDNH information) from any database holding NDNH information and verify that each extract has been erased within 90 days after completing required use. If SSA requires the extract for longer than 90 days to accomplish a purpose authorized pursuant to this agreement, SSA shall request permission, in writing, to keep the extract for a defined period of time, subject to OCSE written approval. SSA shall comply with the retention and disposition requirements in the agreement. OCSE does not extract information from the agency input files.
22. SSA shall utilize a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity. See numbers 8, 9, and 19 of this section for additional information. OCSE utilizes a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity.
23. SSA shall erase electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement. OCSE erases the electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement.
24. When storage media are disposed of, the media will be destroyed or sanitized so that the erased records are not recoverable.
25. SSA shall implement a Network Access Control (also known as Network Admission Control (NAC)) solution in conjunction with a Virtual Private Network (VPN) option to enforce security policy compliance on all SSA and non-SSA remote devices that attempt to gain access to, or use, NDNH information. SSA shall use a NAC solution to authenticate, authorize, evaluate, and remediate remote wired and wireless users before they can access the network. The implemented NAC solution shall evaluate whether remote machines are compliant with security policies through host(s)
Appears in 1 contract
Sources: Computer Matching Agreement
SECURITY AND PRIVACY SAFEGUARDING REQUIREMENTS. SSA shall comply with the Office of Child Support Enforcement Division of Federal Systems Security Requirements for Federal Agencies Receiving Federal Parent Locator Service Data. SSA received this document on May 14, 2019. The safeguarding requirements in this security addendum are drawn from this document and are also based on the federal laws and requirements governing the protection of information referenced in section I of this security addendum. This section provides the safeguarding requirements with which OCSE and SSA shall comply and continuously monitor. SSA shall also comply with three additional requirements: Breach Reporting and Notification Responsibility, Security Authorization, and Audit Requirements. The safeguarding requirements for receiving NDNH information, as well as the safeguards in place at OCSE for protecting the agency input files, are as follows:
1. SSA shall restrict access to, and disclosure of, the NDNH information to authorized personnel who need the NDNH information to perform their official duties in connection with the authorized purposes specified in the agreement. OCSE restricts access to and disclosure of the agency input files to authorized personnel who need them to perform their official duties as authorized in this agreement.
2. SSA shall establish and maintain an ongoing management oversight and quality assurance program to ensure that only authorized personnel have access to NDNH information. OCSE management oversees the use of the agency input files to ensure that only authorized personnel have access. Policy/Requirements Traceability: 5 U.S.C. § 552a; NIST SP 800-53 Rev 4, Security and Privacy Controls for Federal Information Systems and Organizations, PL-4(1), PS-6, PS-8
3. SSA shall advise all authorized personnel who will access NDNH information of the confidentiality of the NDNH information, the safeguards required to protect the NDNH information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws, including section 453(l)(2) of the Social Security Act. 42 U.S.C. § 653(l)(2). OCSE advises all personnel who will access the agency input files of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in the applicable federal laws.
4. SSA shall deliver security and privacy awareness training to personnel with authorized access to NDNH information and the system that houses, processes, or transmits NDNH information. The training shall describe each user’s responsibility for proper use and protection of NDNH information, how to recognize and report potential indicators of insider threats, and the possible sanctions for misuse. All personnel shall receive security and privacy awareness training before accessing NDNH information and, at least, annually thereafter. The training shall cover the matching provisions of the federal Privacy Act, the Computer Matching and Privacy Protection Act, and other federal laws governing use and misuse of protected information. OCSE delivers security and privacy awareness training to personnel. The training describes each user’s responsibility for proper use and protection of other agencies’ input files, how to recognize and report potential indicators of insider threats, and the possible sanctions for misuse. All personnel receive security and privacy awareness training before accessing agency input files and, at least, annually thereafter. The training covers the other federal laws governing use and misuse of protected information. Policy/Requirements Traceability: 5 U.S.C. § 552a; 44 U.S.C. § 3551 et seq; OMB Circular A-130, Managing Information as a Strategic Resource; OMB M-17-12, Preparing for and Responding to a Breach of Personally Identifiable Information (November 23, 2016); NIST SP 800-53 Rev 4, AT-2(2), AT-3
5. SSA personnel with authorized access to NDNH information shall sign non-disclosure agreements, rules of behavior, or equivalent documents before system access, annually, and if changes in assignment occur. The non-disclosure agreements, rules of behavior, or equivalent documents shall outline the authorized purposes for which the SSA may use NDNH information, the privacy and security safeguards contained in this agreement and security addendum, and the civil and criminal penalties for unauthorized use. SSA may use “wet” and/or electronic signatures to acknowledge non-disclosure agreements, rules of behavior, or equivalent documents. OCSE personnel with authorized access to the agency input files sign non-disclosure agreements and rules of behavior. Policy/Requirements Traceability: OMB Circular A-130, Appendix I, Responsibilities for Protecting and Managing Federal Information Resources; OMB M-17-12; NIST SP 800-53 Rev 4, PS-6
6. SSA shall maintain records of authorized personnel with access to NDNH information. The records shall contain a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document, and proof of the individual’s participation in security and privacy awareness training. SSA shall make such records available to OCSE upon request. OCSE maintains a record of personnel with access to the agency input files. The record contains a copy of each individual’s signed non-disclosure agreement, rules of behavior, or equivalent document, and proof of the individual’s participation in security and privacy awareness training.
7. SSA shall have appropriate procedures in place to report confirmed and suspected security or privacy incidents (unauthorized use or disclosure involving personally identifiable information) involving NDNH information. Immediately upon discovery, but in no case later than one hour after discovery of the incident, SSA shall report confirmed and suspected incidents, in either electronic or physical form, to OCSE, as designated in this security addendum. The requirement for SSA to report confirmed or suspected incidents involving NDNH information to OCSE exists in addition to, not in lieu of, any SSA requirements to report to the United States Computer Emergency Readiness Team (US-CERT) or other reporting agencies.
8. SSA shall prohibit the use of non-SSA furnished equipment to access NDNH information without specific written authorization from the appropriate SSA representatives. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
9. SSA shall require that personnel accessing NDNH information remotely (for example, telecommuting) adhere to all the security and privacy safeguarding requirements provided in this security addendum. SSA and non-SSA furnished equipment shall have appropriate software with the latest updates to protect against attacks, including, at a minimum, current antivirus software and up-to-date system patches and other software patches. Before electronic connection to SSA resources, SSA shall scan the SSA and non-SSA furnished equipment to ensure compliance with SSA standards. All remote connections shall be through Network Access Control, and all data in transit between the remote location and SSA shall be encrypted using FIPS 140-2 encryption standards. Personally owned devices shall not be authorized. See numbers 8 and 19 of this section for additional information. OCSE does not permit personnel to access the agency input files remotely using non-agency furnished equipment.
10. SSA shall implement an effective continuous monitoring strategy and program that shall ensure the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing NDNH information. The continuous monitoring program shall include configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to SSA officials as required. OCSE has implemented a continuous monitoring strategy and program that ensures the continued effectiveness of security controls by maintaining ongoing awareness of information security, vulnerabilities, and threats to the information system housing the input files. The continuous monitoring program includes configuration management, patch management, vulnerability management, risk assessments before making changes to the system and environment, ongoing security control assessments, and reports to U.S. Department of Health and Human Services officials as required. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, CA-7(1); NIST SP 800-137, Information Security Continuous Monitoring for Federal Information Systems and Organizations
11. SSA shall maintain an asset inventory of all software and hardware components within the boundary of the information system housing NDNH information. The inventory shall be detailed enough for SSA to track and report. OCSE maintains an inventory of all software and hardware components within the boundary of the information system housing the agency input files. 4(2)(4)(5), PM-5
12. SSA shall maintain a system security plan describing the security requirements for the system housing NDNH information and the security controls in place or planned for meeting those requirements. The system security plan shall describe the responsibilities and expected behavior of all individuals who access the system. OCSE maintains a system security plan that describes the security requirements for the information system housing the agency input files and the security controls in place or planned for meeting those requirements. The system security plan includes responsibilities and expected behavior of all individuals who access the system. Policy/Requirements Traceability: NIST SP 800-53 Rev 4, PL-2(3); NIST SP 800-18 Rev 1, Guide for Developing Security Plans for Federal Information Systems
13. SSA shall maintain a plan of action and milestones (and when applicable, a corrective action plan) for the information system housing NDNH information to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. SSA shall update the plan of action and milestones (and when applicable, the corrective action plan) as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities. OCSE maintains a plan of action and milestones for the information system housing the agency input files to document plans to correct weaknesses identified during security control assessments and to reduce or eliminate known vulnerabilities in the system. OCSE updates the plan of action and milestones as necessary based on the findings from security control assessments, security impact analyses, and continuous monitoring activities.
14. SSA shall maintain a baseline configuration of the system housing NDNH information. The baseline configuration shall include information on system components (for example, standard software packages installed on workstations, notebook computers, servers, network components, or mobile devices; current version numbers and patch information on operating systems and applications; and configuration settings/parameters), network topology, and the logical placement of those components within the system architecture. OCSE maintains a baseline configuration of the information system housing the agency input files. 4(2)(4)(5)
15. SSA shall limit and control logical and physical access to NDNH information to only those personnel authorized for such access based on their official duties, and identified in the records maintained by SSA pursuant to numbers 6 and 27 of this section. SSA shall prevent personnel from browsing by using technical controls or other compensating controls. OCSE limits and controls logical and physical access to the agency input files to only those personnel authorized for such access based on their official duties. OCSE prevents browsing using technical controls that limit and monitor access to the agency input files.
16. SSA shall transmit and store all NDNH information provided pursuant to this agreement in a manner that safeguards the information and prohibits unauthorized access. All electronic SSA transmissions of information to SSA and entities specified in the agreement shall be encrypted utilizing a FIPS 140-2 compliant product. SSA and OCSE exchange data via a mutually approved and secured data transfer method that utilizes a FIPS 140-2 compliant product. Policy/Requirements Traceability: OMB M-17-12; FIPS 140-2, Security Requirements for Cryptographic Modules; NIST SP 800-53 Rev 4, MP-4, SC-8
17. SSA shall transfer and store NDNH information only on SSA owned portable digital media and mobile computing and communications devices that are encrypted at the disk or device level, using a FIPS 140-2 compliant product. See numbers 8 and 18 of this section for additional information. OCSE does not copy the agency input files to mobile media.
18. SSA shall prohibit the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing NDNH information. OCSE prohibits the use of computing resources resident in commercial or public facilities (for example, hotels, convention centers, airports) from accessing, transmitting, or storing the agency input files.
19. SSA shall prohibit remote access to NDNH information, except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication. SSA shall control remote access through a limited number of managed access control points. OCSE prohibits remote access to the agency input files except via a secure and encrypted (FIPS 140-2 compliant) transmission link and using two-factor authentication.
20. SSA shall maintain a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction to its initiator, and capture the date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion, and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity. OCSE maintains a fully automated audit trail system with audit records that, at a minimum, collect data associated with each query transaction with its initiator, and capture the date and time of system events and type of events. The audit trail system shall protect data and the audit tool from addition, modification, or deletion, and should be regularly reviewed and analyzed for indications of inappropriate or unusual activity.
21. SSA shall log each computer-readable data extract (secondary store or files with duplicate NDNH information) from any database holding NDNH information and verify that each extract has been erased within 90 days after completing required use. If SSA requires the extract for longer than 90 days to accomplish a purpose authorized pursuant to this agreement, SSA shall request permission, in writing, to keep the extract for a defined period of time, subject to OCSE written approval. SSA shall comply with the retention and disposition requirements in the agreement. OCSE does not extract information from the agency input files.
22. SSA shall utilize a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity. See numbers 8, 9, and 19 of this section for additional information. OCSE utilizes a time-out function for remote access and mobile devices that requires a user to re-authenticate after no more than 30 minutes of inactivity.
23. SSA shall erase electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement. OCSE erases the electronic records after completing authorized use in accordance with the retention and disposition requirements in the agreement.
24. When storage media are disposed of, the media will be destroyed or sanitized so that the erased records are not recoverable.
25. SSA shall implement a Network Access Control (also known as Network Admission Control (NAC)) solution in conjunction with a Virtual Private Network (VPN) option to enforce security policy compliance on all SSA and non-SSA remote devices that attempt to gain access to, or use, NDNH information. SSA shall use a NAC solution to authenticate, authorize, evaluate, and remediate remote wired and wireless users before they can access the networ