Common use of SECURITY AND PRIVACY SAFEGUARDS Clause in Contracts

SECURITY AND PRIVACY SAFEGUARDS. General Security Requirements DHS-USCIS and ED will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Management Act of 2002 (FISMA), the E-Government Act of 2002, the Privacy Act of 1974, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, and NIST SP 800-37). Specific security requirements include, but are not limited to, the following: • Data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. • DHS-USCIS and ED’s CPS have completed the security authorization process (formerly called certification and accreditation) within the last three years, using the required NIST guidance, and have an Authorization to Operate (ATO) with the appropriate signatures. • Electronic files are encrypted using the FIPS 140-2 standard and, to the extent possible, are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for Government Employees and support contractors authorized to have an HSPD-12 card (HSPD-12= Homeland Security Presidential Directive #12). FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. DHS-USCIS and ED agree that they are responsible for oversight and compliance of their own contractors and agents. DHS- USCIS and ED each reserve the right to conduct onsite inspections of any contractor or agent who has access to matched data in order to monitor compliance with FISMA regulations during the lifetime of this agreement. ED and DHS-USCIS will also comply with the personally identifiable information (PII) breach reporting and security requirements as required by OMB M-06-19, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost for Security in Agency Information Technology Investments,” and XXX X-00-00, “Safeguarding Against and Responding to the Breach of Personally Identifiable Information.” ED and DHS-USCIS also agree to notify each other as soon as possible, but no later than one hour, after the discovery of a suspected or actual breach involving PII. All incidents involving confirmed or suspected breaches of PII must be reported to the U.S. Computer Emergency Readiness Team (US-CERT) within one hour of discovering the incident. In addition, the agency experiencing the loss of PII will notify the other agency’s Systems Security Contact named in Section S of this Agreement. If ED is unable to speak with the DHS-USCIS Information Security Officer, and the USCIS Service Desk at 000-000-0000, within one hour, or if for some other reason notifying the DHS-USCIS Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), ED will contact DHS-USCIS Verification Division, SAVE Program 202-443- 0144. If DHS-USCIS is unable to speak with ED’s Systems Security Contact within one hour, DHS-USCIS will contact the VDC Help Desk in Plano, Texas at 000-000-0000 and Xxxxx Xxxxxx, Information System Security Officer (ISSO), at 000-000-0000. DHS- USCIS will also report all breaches and incidents via email to the ED Computer Incident Response Capability at: xxxxxx@xx.xxx. DHS-USCIS Security Safeguards DHS-USCIS agrees to safeguard information it receives from ED in connection with status verification inquiries in accordance with the Privacy Act, FISMA, the IRCA, and other applicable statutes, as well as the requirements of the agreement between ED and DHS-USCIS. DHS-USCIS agrees to safeguard the information provided by ED in accordance with DHS-USCIS disclosure standards and to provide the name of DHS-USCIS program inspector responsible for compliance with these standards. DHS-USCIS also agrees to limit access to information to those individuals responsible for the verification of the aliens’ immigration status or necessary support functions or follow-up actions, and to restrict the further dissemination of information. The DHS Data Center One (DC-1) where ED and DHS-USCIS information is stored complies with requirements of Department of Homeland Security, DHS Sensitive Systems Policy 4300A. It is a secure facility accessed only by authorized individuals with properly coded key cards, authorized door keys, or access authorization. There is a security guard force, twenty-four (24) hours a day, seven (7) days a week. The building is protected against unauthorized access, unauthorized use of equipment, or removal of storage media and listings. Employees have clearances through background checks and are provided badges. All employees and contractors must undergo a background investigation prior to being granted access to information systems at DC-1. This access is granted when the employee or contractor receives a favorably adjudicated Background Investigation (BI) and his/her Entry on Duty Status designation. ED Security Safeguards ED’s CPS facility, located in Plano, Texas, has a high level of security. Access within the processing facility is controlled by a computerized badge reading system, while other areas are controlled by cipher locks with combinations that are changed monthly. All employees must display a photo-identification pass upon entering the building. The perimeter of the Plano facility is monitored periodically and the main entrance is monitored continuously by a third-party security force. Access to all doors, as well as to the data center’s main corridors, is monitored by 12 closed circuit television (CCTV) cameras that can pan, zoom, and record the perimeter premises. The Plano facility monitors access 24 hours a day, 7 days a week. The CCTV cameras can record access at random or at a specific camera location. The cameras are connected to two videocassette recorders for recording purposes. Videotapes are retained for one month before being recycled by physical security administration. ED limits access to the information received from DHS and maintained in the CPS database. Access is granted only to those individuals responsible on a “need-to-know” basis, which is determined by assigned official duties and satisfying all personnel security criteria and intended system usage. These individuals make use of the data to determine eligibility for Title IV aid. There are three general types of CPS users: Federal Student Aid employees, contractors, and Financial Aid Administrators at institutions of higher education. Access to this information is controlled in accordance with a strict set of security procedures documented in the CPS System Security Plan. An automated audit trail is maintained for all user activities and interactions within the CPS. Additionally, all changes made by authorized users of the CPS to the Free Application for Federal Student Aid (FAFSA) data result in a new transaction, which also has a specified audit trail. All authorized users of the CPS are issued unique user identifiers and asked to establish and maintain a secure password which must be changed every 90 days. All personnel, including contractor personnel, who have access to the records matched and to any records created by the match have completed IT Security and Privacy Awareness training about the confidential nature of the information, the safeguards required to protect the information, and the civil and criminal sanctions for noncompliance imposed under the Privacy Act and other applicable Federal laws. At a minimum, DHS-USCIS and ED will use the data supplied in a manner prescribed by this agreement and will maintain proper safeguards to prevent unauthorized release or use of all data supplied. These safeguards include:

SECURITY AND PRIVACY SAFEGUARDS. General Security Requirements DHS-USCIS and ED will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Management Act of 2002 2014 (FISMA), the E-Government Act of 2002, the Privacy Act of 1974, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, and NIST SP 800-37). Specific security requirements include, but are not limited to, the following: • Data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. • DHS-USCIS and ED’s CPS have completed the security authorization process (formerly called certification and accreditation) within the last three years, using the required NIST guidance, and have an Authorization to Operate (ATO) with the appropriate signatures. • Electronic files are encrypted using the FIPS 140-2 standard and, to the extent possible, are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for Government Employees and support contractors authorized to have an HSPD-12 card (HSPD-12= Homeland Security Presidential Directive #12). FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. DHS-USCIS and ED agree that they are responsible for oversight and compliance of their own contractors and agents. DHS- USCIS and ED each reserve the right to conduct onsite inspections of any contractor or agent who has access to matched data in order to monitor compliance with FISMA regulations during the lifetime of this agreement. ED and DHS-USCIS will also comply with the personally identifiable information (PII) breach reporting and security requirements as required by OMB M-06M-17-1912, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost Preparing for Security in Agency Information Technology Investments,” and XXX X-00-00, “Safeguarding Against and Responding to the a Breach of Personally Identifiable InformationInformation (PII).” ED and DHS-DHS- USCIS also agree to notify each other as soon as possible, but no later than one hour, after the discovery of a suspected or actual breach involving PII. All incidents involving confirmed or suspected breaches of PII must be reported to the U.S. Computer Emergency Readiness Team (US-CERT) within one hour of discovering the incident. In addition, the agency experiencing the loss of PII will notify the other agency’s Systems Security Contact named in Section S T of this Agreement. If ED is unable to speak with the DHS-USCIS Information Security Officer, and the USCIS Service Desk at 000-000-0000, within one hour, or if for some other reason notifying the DHS-USCIS Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), ED will contact DHS-USCIS Verification Division, SAVE Program 202-443- 0144725- 6678. If DHS-USCIS is unable to speak with ED’s Systems Security Contact within one hour, DHS-USCIS will contact the VDC Help Desk in Plano, Texas at 000-000-0000 and Xxxxx XxxxxxXxxx Xxxxx, Information System Security Officer (ISSO), at 000-000-0000. DHS- DHS-USCIS will also report all breaches and incidents via email to the ED Computer Incident Response Capability at: xxxxxx@xx.xxx. DHS-USCIS Security Safeguards DHS-USCIS agrees to safeguard information it receives from ED in connection with status verification inquiries in accordance with the Privacy Act, FISMA, the IRCA, and other applicable statutes, as well as the requirements of the agreement between ED and DHS-USCIS. DHS-USCIS agrees to safeguard the information provided by ED in accordance with DHS-USCIS disclosure standards and to provide the name of DHS-USCIS program inspector responsible for compliance with these standards. DHS-USCIS also agrees to limit access to information to those individuals responsible for the verification of the aliens’ applicant’s immigration status or necessary support functions or follow-up actions, and to restrict the further dissemination of information. The DHS Data Center One (DC-1) where ED and DHS-USCIS information is stored complies with requirements of Department of Homeland Security, DHS Sensitive Systems Policy 4300A. It is a secure facility accessed only by authorized individuals with properly coded key cards, authorized door keys, or access authorization. There is a security guard force, twenty-four (24) hours a day, seven (7) days a week. The building is protected against unauthorized access, unauthorized use of equipment, or removal of storage media and listings. Employees have clearances through background checks and are provided badges. All employees and contractors must undergo a background investigation prior to being granted access to information systems at DC-1. This access is granted when the employee or contractor receives a favorably adjudicated Background Investigation (BI) and his/her Entry on Duty Status designation. ED Security Safeguards ED’s CPS facility, facility currently located in Plano, TexasTX, has a will move to Clarksville, VA in June 2017 where it will contain the same high level of securitysecurity as the current facility described herein. Access within the processing facility is controlled by a computerized badge reading system, while other areas are controlled by cipher locks with combinations that are changed monthly. All employees must display a photo-identification pass upon entering the building. The perimeter of the Plano facility is monitored periodically and the main entrance is monitored continuously by a third-party security force. Access to all doors, as well as to the data center’s main corridors, is monitored by 12 closed circuit television (CCTV) cameras that can pan, zoom, and record the perimeter premises. The Plano facility monitors access 24 hours a day, 7 days a week. The CCTV cameras can record access at random or at a specific camera location. The cameras are connected to two videocassette recorders for recording purposes. Videotapes are retained for one month before being recycled by physical security administration. ED limits access to the information received from DHS and maintained in the CPS database. Access is granted only to those individuals responsible on a “need-to-know” basis, which is determined by assigned official duties and satisfying all personnel security criteria and intended system usage. These individuals make use of the data to determine eligibility for Title IV aid. There are three general types of CPS users: Federal Student Aid employees, contractors, and Financial Aid Administrators at institutions of higher education. Access to this information is controlled in accordance with a strict set of security procedures documented in the CPS System Security Plan. An automated audit trail is maintained for all user activities and interactions within the CPS. Additionally, all changes made by authorized users of the CPS to the Free Application for Federal Student Aid (FAFSA) data result in a new transaction, which also has a specified audit trail. All authorized users of the CPS are issued unique user identifiers and asked to establish and maintain a secure password which must be changed every 90 days. All personnel, including contractor personnel, who have access to the records matched and to any records created by the match have completed IT Security and Privacy Awareness training about the confidential nature of the information, the safeguards required to protect the information, and the civil and criminal sanctions for noncompliance imposed under the Privacy Act and other applicable Federal laws. At a minimum, DHS-USCIS and ED will use the data supplied in a manner prescribed by this agreement and will maintain proper safeguards to prevent unauthorized release or use of all data supplied. These safeguards include:

SECURITY AND PRIVACY SAFEGUARDS. General Security Requirements DHS-USCIS and ED will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Management Act of 2002 2014 (FISMA), the E-Government Act of 2002, the Privacy Act of 1974, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, and NIST SP 800-37). Specific security requirements include, but are not limited to, the following: • Data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. • DHS-USCIS and ED’s CPS have completed the security authorization process (formerly called certification and accreditation) within the last three years, using the required NIST guidance, and have an Authorization to Operate (ATO) with the appropriate signatures. • Electronic files are encrypted using the FIPS 140-2 standard and, to the extent possible, are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for Government Employees and support contractors authorized to have an HSPD-12 card (HSPD-12= Homeland Security Presidential Directive #12). FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. DHS-USCIS and ED agree that they are responsible for oversight and compliance of their own contractors and agents. DHS- USCIS and ED each reserve the right to conduct onsite inspections of any contractor or agent who has access to matched data in order to monitor compliance with FISMA regulations during the lifetime of this agreement. ED and DHS-USCIS will also comply with the personally identifiable information (PII) breach reporting and security requirements as required by OMB M-06M-17-1912, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost Preparing for Security in Agency Information Technology Investments,” and XXX X-00-00, “Safeguarding Against and Responding to the a Breach of Personally Identifiable InformationInformation (PII).” ED and DHS-DHS- USCIS also agree to notify each other as soon as possible, but no later than one hour, after the discovery of a suspected or actual breach involving PII. All incidents involving confirmed or suspected breaches of PII must be reported to the U.S. Computer Emergency Readiness Team (US-CERT) within one hour of discovering the incident. In addition, the agency experiencing the loss of PII will notify the other agency’s Systems Security Contact named in Section S T of this Agreement. If ED is unable to speak with the DHS-USCIS Information Security Officer, and the USCIS Service Desk at 000-000-0000, within one hour, or if for some other reason notifying the DHS-USCIS Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), ED will contact DHS-USCIS Verification Division, SAVE Program 202-443- 0144725- 6678. If DHS-USCIS is unable to speak with ED’s Systems Security Contact within one hour, DHS-USCIS will contact the VDC Help Desk in Plano, Texas at 000-000-0000 and Xxxxx XxxxxxXxxx Xxxxx, Information System Security Officer (ISSO), at 000-000-0000. DHS- DHS-USCIS will also report all breaches and incidents via email to the ED Computer Incident Response Capability at: xxxxxx@xx.xxx. DHS-USCIS Security Safeguards DHS-USCIS agrees to safeguard information it receives from ED in connection with status verification inquiries in accordance with the Privacy Act, FISMA, the IRCA, and other applicable statutes, as well as the requirements of the agreement between ED and DHS-USCIS. DHS-USCIS agrees to safeguard the information provided by ED in accordance with DHS-USCIS disclosure standards and to provide the name of DHS-USCIS program inspector responsible for compliance with these standards. DHS-USCIS also agrees to limit access to information to those individuals responsible for the verification of the aliens’ immigration status or necessary support functions or follow-up actions, and to restrict the further dissemination of information. The DHS Data Center One (DC-1) where ED and DHS-USCIS information is stored complies with requirements of Department of Homeland Security, DHS Sensitive Systems Policy 4300A. It is a secure facility accessed only by authorized individuals with properly coded key cards, authorized door keys, or access authorization. There is a security guard force, twenty-four (24) hours a day, seven (7) days a week. The building is protected against unauthorized access, unauthorized use of equipment, or removal of storage media and listings. Employees have clearances through background checks and are provided badges. All employees and contractors must undergo a background investigation prior to being granted access to information systems at DC-1. This access is granted when the employee or contractor receives a favorably adjudicated Background Investigation (BI) and his/her Entry on Duty Status designation. ED Security Safeguards ED’s CPS facility, located in Plano, Texas, has a high level of security. Access within the processing facility is controlled by a computerized badge reading system, while other areas are controlled by cipher locks with combinations that are changed monthly. All employees must display a photo-identification pass upon entering the building. The perimeter of the Plano facility is monitored periodically and the main entrance is monitored continuously by a third-party security force. Access to all doors, as well as to the data center’s main corridors, is monitored by 12 closed circuit television (CCTV) cameras that can pan, zoom, and record the perimeter premises. The Plano facility monitors access 24 hours a day, 7 days a week. The CCTV cameras can record access at random or at a specific camera location. The cameras are connected to two videocassette recorders for recording purposes. Videotapes are retained for one month before being recycled by physical security administration. ED limits access to the information received from DHS and maintained in the CPS database. Access is granted only to those individuals responsible on a “need-to-know” basis, which is determined by assigned official duties and satisfying all personnel security criteria and intended system usage. These individuals make use of the data to determine eligibility for Title IV aid. There are three general types of CPS users: Federal Student Aid employees, contractors, and Financial Aid Administrators at institutions of higher education. Access to this information is controlled in accordance with a strict set of security procedures documented in the CPS System Security Plan. An automated audit trail is maintained for all user activities and interactions within the CPS. Additionally, all changes made by authorized users of the CPS to the Free Application for Federal Student Aid (FAFSA) data result in a new transaction, which also has a specified audit trail. All authorized users of the CPS are issued unique user identifiers and asked to establish and maintain a secure password which must be changed every 90 days. All personnel, including contractor personnel, who have access to the records matched and to any records created by the match have completed IT Security and Privacy Awareness training about the confidential nature of the information, the safeguards required to protect the information, and the civil and criminal sanctions for noncompliance imposed under the Privacy Act and other applicable Federal laws. At a minimum, DHS-USCIS and ED will use the data supplied in a manner prescribed by this agreement and will maintain proper safeguards to prevent unauthorized release or use of all data supplied. These safeguards include:.

SECURITY AND PRIVACY SAFEGUARDS. General Security Requirements DHS-USCIS and ED will comply with all Federal requirements relating to information security, information systems security, and privacy, including the Federal Information Security Management Modernization Act of 2002 2014 (FISMA), the E-Government Act of 2002, the Privacy Act of 1974, OMB memoranda related to privacy, and National Institute of Standards and Technology (NIST) directives in the Special Publications (SP) 800 series (e.g., NIST SP 800-53, and NIST SP 800-37). Specific security requirements include, but are not limited to, the following: • Data  At a minimum, data must be protected at the Moderate system certification criticality level according to Federal Information Processing Standards (FIPS) Publication 199, Standards for Security Categorization of Federal Information and Information Systems. •  DHS-USCIS and ED’s CPS have completed the security authorization process (formerly called certification and accreditation) within the last three years, using the required NIST guidance, and have an Authorization to Operate (ATO) with the appropriate signatures. •  Each agency participates in a continuous diagnostic and mitigation (CDM) program.  Electronic files are encrypted using the FIPS 140-2 standard and, to the extent possible, are interoperable with ED’s personal identity verification logical access control card (PIV LAC) for Government Employees and support contractors authorized to have an HSPD-12 card (HSPD-12= Homeland Security Presidential Directive #12).  DHS-USCIS and ED information systems reside behind a Trusted Internet Connection (TIC). FISMA requirements apply to all Federal contractors, organizations, or entities that possess or use Federal information, or that operate, use, or have access to Federal information systems on behalf of an agency. DHS-USCIS and ED agree that they are responsible for oversight and compliance of their own contractors and agents. DHS- USCIS and ED each reserve the right to conduct onsite inspections of any contractor or agent who has access to matched data in order to monitor compliance with FISMA regulations during the lifetime of this agreement. ED and DHS-USCIS will also comply with the personally identifiable information (PII) breach reporting and security requirements as required by OMB M-06under M-17-1912, “Reporting Incidents Involving Personally Identifiable Information and Incorporating the Cost Preparing for Security in Agency Information Technology Investments,” and XXX X-00-00, “Safeguarding Against and Responding to the a Breach of Personally Identifiable InformationInformation (PII).” ED and DHS-DHS- USCIS also agree to notify each other as soon as possible, but no later than one hour, after the discovery of a suspected or actual breach involving PII. All incidents involving confirmed or suspected breaches of PII must be reported to the U.S. Computer Emergency Readiness Team (US-CERT) within one hour of discovering the incident. In addition, the agency experiencing the loss of PII will notify the other agency’s Systems Security Contact named in Section S T of this Agreement. If ED is unable to speak with the DHS-USCIS Information Security Officer, and the USCIS Service Desk at 000-000-0000, within one hour, or if for some other reason notifying the DHS-USCIS Systems Security Contact is not practicable (e.g., it is outside of the normal business hours), ED will contact DHS-USCIS Verification Division, SAVE Program 202800-443- 0144741- 5023. If DHS-USCIS is unable to speak with ED’s Systems Security Contact within one hour, DHS-USCIS will contact the VDC Help Desk in Plano, Texas at 000-000-0000 and Xxxxx XxxxxxXxxx Xxxxx, Information System Security Officer (ISSO), at 000-000-0000. DHS- DHS-USCIS will also immediately report all breaches and incidents via email or phone to the ED Computer Incident Response Capability at: xxxxxx@xx.xxxSecurity Operations Center (EDSOC) at xxxxx@xx.xxx; 000-000-0000. DHS-USCIS Security Safeguards DHS-USCIS agrees to safeguard information it receives from ED in connection with status verification inquiries in accordance with the Privacy Act, FISMA, the IRCA, and other applicable statutes, as well as the requirements of the agreement between ED and DHS-USCIS. DHS-USCIS agrees to safeguard the information provided by ED in accordance with DHS-USCIS disclosure standards and to provide the name of the DHS-USCIS program inspector responsible for compliance with these standards. DHS-USCIS also agrees to limit access to information to those individuals responsible for the verification of the aliens’ applicant’s immigration status or necessary support functions or follow-up actions, and to restrict the further dissemination of information. The DHS Data Center One (DC-1) where ED and DHS-USCIS information is stored complies with requirements of Department of Homeland Security, DHS Sensitive Systems Policy 4300A. It is a secure facility accessed only by authorized individuals with properly coded key cards, authorized door keys, or access authorization. There is a security guard force, twenty-four (24) hours a day, seven (7) days a week. The building is protected against unauthorized access, unauthorized use of equipment, or removal of storage media and listings. Employees have clearances through background checks and are provided badges. All employees and contractors must undergo a background investigation prior to being granted access to information systems at DC-1. This access is granted when the employee or contractor receives a favorably adjudicated Background Investigation (BI) and his/her Entry on Duty Status designation. ED Security Safeguards ED’s CPS facility, facility located in PlanoClarksville, TexasVA, has a high level meets all security standards set forth in the most current version of securityNIST SP-800-53. Access within the processing facility is controlled by a computerized badge reading system, while other areas are controlled by cipher locks with combinations that are changed monthly. All employees must display a photo-identification pass upon entering the building. The perimeter of the Plano facility is monitored periodically and the main entrance is monitored continuously by a third-party security force. Access to all doors, as well as to the data center’s main corridors, is monitored by 12 closed circuit television (CCTV) cameras that can pan, zoom, and record the perimeter premises. The Plano facility monitors access 24 hours a day, 7 days a week. The CCTV cameras can record access at random or at a specific camera location. The cameras are connected to two videocassette recorders for recording purposes. Videotapes are retained for one month before being recycled by physical security administration. ED limits access to the information received from DHS and maintained in the CPS database. Access is granted only to those individuals responsible on a “need-to-know” basis, which is determined by assigned official duties and satisfying all personnel security criteria and intended system usage. These individuals make use of the data to determine eligibility for Title IV aid. There are three general types of CPS users: Federal Student Aid employees, contractors, and Financial Aid Administrators at institutions of higher education. Access to this information is controlled in accordance with a strict set of security procedures documented in the CPS System Security Plan. An automated audit trail is maintained for all user activities and interactions within the CPS. Additionally, all changes made by authorized users of the CPS to the Free Application for Federal Student Aid (FAFSA) data result in a new transaction, which also has a specified audit trail. All authorized users of the CPS are issued unique user identifiers and asked to establish and maintain a secure password which must be changed every 90 days. All personnel, including contractor personnel, who have access to the records matched and to any records created by the match have completed IT Security and Privacy Awareness training about the confidential nature of the information, the safeguards required to protect the information, and the civil and criminal sanctions for noncompliance imposed under the Privacy Act and other applicable Federal laws. At a minimum, DHS-USCIS and ED will use the data supplied in a manner prescribed by this agreement and will maintain proper safeguards to prevent unauthorized release or use of all data supplied. These safeguards include: