Common use of Security Certification and Compliance Review Programs Clause in Contracts

Security Certification and Compliance Review Programs. The primary statutory authority that supports the information contained in this document is the Federal Information Security Management Act (FISMA). FISMA became law as part of the Electronic Government Act of 2002. FISMA is the United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or manufactured threats. FISMA assigned the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce, the responsibility to outline and define compliance with FISMA. Unless otherwise stated, all of SSA’s requirements mirror the NIST- defined management, operational, and technical controls listed in the various NIST Special Publications (SP) libraries of technical guidance documents. To gain electronic access to SSA-provided information, under the auspices of a data exchange agreement, EIEP’s must comply with SSA’s most current Technical System Security Requirements (hereafter referred to as TSSRs) to gain access to SSA-provided information. This document is synonymous with the Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration in the agreements. The TSSR specifies minimally acceptable levels of security standards and controls to protect SSA-provided information. SSA maintains the TSSR as a living document—subject to change--that addresses emerging threats, new attack methods and the development of new technology that potentially places SSA-provided information at risk. EIEPs may proactively ensure their ongoing compliance to the TSSR by periodically requesting the most current version from SSA. SSA will work with EIEPs to resolve deficiencies, which result from updates to the TSSRs. SSA refers to this process as Gap Analysis. EIEPs may proactively ensure their ongoing compliance with the TSSRs by periodically requesting the most current TSSR package from their SSA Point of Contact (POC) from the data exchange agreement. SSA’s standard for categorization of information (Moderate) and information systems is to provide appropriate levels of security according to risk level. Additions, deletions, or modification of security controls directly affect the level of security and due diligence SSA requires EIEPs use to mitigate risks. The emergence of new threats, attack methods, and the development of new technology warrants frequent reviews and revisions to our TSSR. Consequently, EIEPs should expect SSA’s TSSR to evolve in harmony with the industry.

Security Certification and Compliance Review Programs. The primary statutory authority that supports the information contained in this document is the Federal Information Security Management Act (FISMA). FISMA became law as part of the Electronic Government Act of 2002. FISMA is the United States legislation that defines a comprehensive framework to protect government information, operations, and assets against natural or manufactured threats. FISMA XXXXX assigned the National Institute of Standards and Technology (NIST), a branch of the U.S. Department of Commerce, the responsibility to outline and define compliance with FISMA. Unless otherwise stated, all of SSA’s requirements mirror the NIST- defined management, operational, and technical controls listed in the various NIST Special Publications (SP) libraries of technical guidance documents. To gain electronic access to SSA-provided information, under the auspices of a data exchange agreement, EIEP’s must comply with SSA’s most current Technical System Security Requirements (hereafter referred to as TSSRs) to gain access to SSA-provided information. This document is synonymous with the Electronic Information Exchange Security Requirements and Procedures for State and Local Agencies Exchanging Electronic Information with the Social Security Administration in the agreements. The TSSR specifies minimally acceptable levels of security standards and controls to protect SSA-provided information. SSA maintains the TSSR as a living document—subject to change--that addresses emerging threats, new attack methods and the development of new technology that potentially places SSA-provided information at risk. EIEPs may proactively ensure their ongoing compliance to the TSSR by periodically requesting the most current version from SSA. SSA will work with EIEPs to resolve deficiencies, which result from updates to the TSSRs. SSA refers to this process as Gap Analysis. EIEPs may proactively ensure their ongoing compliance with the TSSRs by periodically requesting the most current TSSR package from their SSA Point of Contact (POC) from the data exchange agreement. SSA’s standard for categorization of information (Moderate) and information systems is to provide appropriate levels of security according to risk level. Additions, deletions, or modification of security controls directly affect the level of security and due diligence SSA requires EIEPs use to mitigate risks. The emergence of new threats, attack methods, and the development of new technology warrants frequent reviews and revisions to our TSSR. Consequently, EIEPs should expect SSA’s TSSR to evolve in harmony with the industry.