Common use of SECURITY AND PRIVACY SAFEGUARDS Clause in Contracts

SECURITY AND PRIVACY SAFEGUARDS.
1. SSS and ED will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014 (FISMA), section 208 of the E-Government Act of 2002, the Privacy Act, OMB Memorandum 08-05, “Implementation of Trusted Internet Connections (TIC)” and all subsequent related memoranda, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, Rev. 4, and NIST SP 800-37, Rev. 1). Specific security requirements include, but are not limited to, the following:
a. Data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems.
b. SSS’s Registration, Compliance, and Verification System (RCV) and FSA’s Central Processing System (CPS) have completed the security authorization process (formerly called certification and accreditation) within the last three years, using the required NIST guidance, and have an Authorization to Operate (ATO) with the appropriate signatures.
c. Electronic files are encrypted using the FIPS 140-2 standard and are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for Government Employees and support contractors authorized to have an HSPD-12 card (HSPD-12 = Homeland Security Presidential Directive #12).
d. Electronic files are encrypted while in transit, with the use of FIPS 140-2 product(s) that provide a secure tunnel between SSS and FSA sites.
e. SSS and ED information systems reside behind a Trusted Internet Connection (TIC).
i. FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. SSS and ED agree that they are responsible for oversight and compliance of their own contractors and agents. SSS and ED each reserve the right to conduct onsite inspections of any contractor or agent who has access to matched data in order to monitor compliance with FISMA regulations during the lifetime of this agreement.
ii. ED and SSS will also comply with the personally identifiable information (PII) breach reporting and security requirements as required by OMB Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information (PII).” ED and SSS also agree to notify each other as soon as possible, but no later than one hour, after the discovery of a suspected or actual breach involving PII. All incidents involving confirmed or suspected breaches of PII must be reported to the U.S. Computer Emergency Readiness Team (US-CERT) within one hour of discovering the incident.
iii. In addition, the agency experiencing the loss of PII will notify the other agency’s Systems Security Contact named in Section III of this Agreement. If ED is unable to speak with the SSS Systems Security Contact within one hour or if for some other reason notifying the SSS Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), ED will call ▇▇▇▇▇▇▇ ▇▇▇▇▇, Chief Information Security Officer, at ▇▇▇-▇▇▇-▇▇▇▇, ▇▇▇▇▇▇@▇▇▇.▇▇▇ (primary), or ▇▇▇▇▇ ▇. ▇▇▇▇▇, Chief Information Officer, at ▇▇▇-▇▇▇-▇▇▇▇, ▇▇▇▇▇.▇▇▇▇▇@▇▇▇.▇▇▇ (secondary). If SSS is unable to speak with ED’s Systems Security Contact within one hour or if for some other reason notifying ED’s Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), SSS will contact both the Education Security Operations Center (EDSOC), (▇▇▇) ▇▇▇-▇▇▇▇, EDSOC@▇▇.▇▇▇ and ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, the FSA Chief Information Security Officer, at (▇▇) ▇▇▇-▇▇▇▇, Email: ▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇.▇▇▇.
f. Using established criteria, if the agency that experienced the breach of PII determines that the risk of harm to affected individuals or to the agency requires notification to affected individuals and/or other remedies, that agency will carry out these remedies without cost to the other agency.

Appears in 1 contract

Sources: Memorandum of Understanding

SECURITY AND PRIVACY SAFEGUARDS.
1. ED and DoD will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014 (FISMA), section 208 of the E-Government Act of 2002, the Privacy Act, OMB Memorandum 08-05, “Implementation of Trusted Internet Connections (TIC)” and all subsequent related memoranda, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, Rev. 4, and NIST SP 800-37, Rev. 1). Specific security requirements include, but are not limited to, the following:
A. Data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems.
B. ED and DoD must have completed the Security Assessment and Authorization (SA&A) process (formerly called certification and accreditation) within the last three years, using the required NIST guidance, and have an Authorization to Operate (ATO) with the appropriate signatures.
C. Electronic files are encrypted using the FIPS 140-2 standard and are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for government employees and support contractors authorized to have an HSPD-12 card (HSPD-12 = Homeland Security Presidential Directive #12).
D. Electronic files are encrypted while in transit, with the use of FIPS 140-2 product(s) that provide a secure tunnel between DoD and FSA sites.
E. DoD and ED information systems reside behind a Trusted Internet Connection (TIC).
FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. ED and DoD agree that they are responsible for oversight and compliance of their own contractors and agents. ED and DoD each reserve the right to conduct onsite inspections of any contractor or agent who has access to matched data in order to monitor compliance with FISMA regulations during the lifetime of this CMA.
ED and DoD will also comply with the personally identifiable information (PII) breach reporting and security requirements as required by OMB Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information (PII).” ED and DoD also agree to report information security incidents, where the confidentiality, integrity, or availability of a federal information system of a civilian, Executive Branch agency is potentially compromised, to the NCCIC/US-CERT with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In addition, the agency experiencing the loss of PII will notify the other agency’s Systems Security Contact named in section XIII of this CMA.
If ED is unable to speak with the DoD Systems Security Contact within one hour or if for some other reason notifying the DoD Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), ED will contact the DoD/DMDC Security Incident Response Team. If DoD is unable to speak with ED’s Systems Security Contact within one hour or if for some other reason notifying ED’s Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), DoD will contact both the Department of Education Security Operations Center (EDSOC), (▇▇▇) ▇▇▇-▇▇▇▇, EDSOC@▇▇.▇▇▇ and ▇▇▇▇▇▇ ▇▇▇▇▇▇▇, the FSA Chief Information Security Officer, at (▇▇) ▇▇▇-▇▇▇▇, Email: ▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇.▇▇▇.
Using established criteria, if the agency that experienced the breach of PII determines that the risk of harm to affected individuals or to the agency requires notification to affected individuals and/or other remedies, that agency will carry out these remedies without cost to the other agency.

Appears in 1 contract

Sources: Computer Matching Agreement

SECURITY AND PRIVACY SAFEGUARDS.
1. ED and DoD will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Management Act of 2002, as amended by the Federal Information Security Modernization Act of 2014 (FISMA), section 208 of the E-Government Act of 2002, the Privacy Act, OMB Memorandum 08-05, “Implementation of Trusted Internet Connections (TIC)” and all subsequent related memoranda, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, Rev. 4, and NIST SP 800-37, Rev. 1). Specific security requirements include, but are not limited to, the following:
A. Data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems.
B. ED and DoD must have completed the Security Assessment and Authorization (SA&A) process (formerly called certification and accreditation) within the last three years, using the required NIST guidance, and have an Authorization to Operate (ATO) with the appropriate signatures.
C. Electronic files must be encrypted using the FIPS 140-2 standard and are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for government employees and support contractors authorized to have an HSPD-12 card (HSPD-12 = Homeland Security Presidential Directive #12).
D. Electronic files must be encrypted while in transit, with the use of FIPS 140-2 product(s) that provide a secure tunnel between DoD and FSA sites.
E. ED and DoD information systems must reside behind a Trusted Internet Connection (TIC).
FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. ED and DoD agree that they are responsible for oversight and compliance of their own contractors and agents. ED and DoD each reserve the right to conduct onsite inspections of any contractor or agent who has access to matched data in order to monitor compliance with FISMA regulations during the lifetime of this CMA.
ED and DoD will also comply with the personally identifiable information (PII) breach reporting and security requirements as required by OMB Memorandum M-17-12, “Preparing for and Responding to a Breach of Personally Identifiable Information (PII).” ED and DoD also agree to report information security incidents, where the confidentiality, integrity or availability of a federal information system of a civilian, Executive Branch agency is potentially compromised, to the U.S. Computer Emergency Readiness Team (NCCIC/US-CERT) with the required data elements, as well as any other available information, within one hour of being identified by the agency’s top-level Computer Security Incident Response Team (CSIRT), Security Operations Center (SOC), or information technology department. In addition, the agency experiencing the loss of PII will notify the other agency’s Systems Security Contact named in section XIII of this CMA.
If ED is unable to speak with the DoD Systems Security Contact within one hour or if for some other reason notifying the DoD Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), ED will contact the DoD/DMDC Security and Incident Response Team at: dodhra.dodc-mb.dmdc.list.ir-▇▇▇▇@▇▇▇.▇▇▇. If DoD is unable to speak with ED’s Systems Security Contact within one hour or if for some other reason notifying ED’s Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), DoD will contact both the Department of Education Security Operations Center (EDSOC), (202) 245-6550, EDSOC@▇▇.▇▇▇ and ▇▇▇▇▇▇ Commons, Chief Information Systems Security Officer, at (▇▇▇) ▇▇▇-▇▇▇▇. Email: ▇▇▇▇▇▇.▇▇▇▇▇▇▇@▇▇.▇▇▇.
Using established criteria, if the agency that experienced the breach of PII determines that the risk of harm to affected individuals or to the agency requires notification to affected individuals and/or other remedies, that agency will carry out these remedies without cost to the other agency.

Appears in 1 contract

Sources: Computer Matching Agreement