Common use of Security Documentation Clause in Contracts

Security Documentation. Both parties shall:  Ensure that security is planned for, documented, and integrated into the System Life Cycle from the IT system’s initiation to the system’s disposal. For applicable guidance, please refer to CMS eXpedited Life Cycle12 and the CMS Risk Management Handbook.13 CMS shall:  Review the CMS System Security and Privacy Plan (SSP) for CMS information systems and the CMS network annually and update it when a major modification occurs, as required by the CMS SSP Procedures. The Non-CMS Organization shall:  Maintain an SSP based on the Enhanced Direct Enrollment (EDE) System Security and Privacy Plan (SSP) document14 on the Non-CMS Organization’s network and update annually or whenever there is a significant change;15 and 11 Located at: xxxxx://xxx.xxx.xxx/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs- information-resources/index.html. 12 Located at: xxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information- Technology/XLC/index.html. 13 Located at: xxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information- Technology/InformationSecurity/Information-Security-Library.html.

Security Documentation. ‌ Both parties shall:  13F 14F • Ensure that security is planned for, documented, and integrated into the System Life Cycle from the IT system’s initiation to the system’s disposal. For applicable guidance, please refer to CMS eXpedited Target Life Cycle12 Cycle 14 and the CMS Risk Management Handbook.13 Handbook. 15 CMS shall:  • Review the CMS System Security and Privacy Plan (SSP) for CMS information systems and the CMS network annually and update it when a major modification occurs, as required by the CMS SSP Procedures. 13 Located at: xxxxx://xxx.xxx.xxx/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs- information-resources/index.html. 14 Located at: xxxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information-Technology/TLC. 15 Located at: xxxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information- Technology/InformationSecurity/Information-Security-Library. The Non-CMS Organization shall:  15F 16F • Maintain an SSP based on the Enhanced Direct Enrollment Non-Exchange Entity (EDENEE) System Security and Privacy Plan (SSP) document14 document 16 on the Non-CMS Organization’s network and update annually or whenever there is a significant change;15 change; 17 and 11 Located at: xxxxx://xxx.xxx.xxx/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs- information-resources/index.html. 12 Located at: xxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information- Technology/XLC/index.html. 13 Located at: xxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information- Technology/InformationSecurity/Information-Security-Library.html• Make accessible to CMS all IS program documents including, but not limited to, those documents specified in Section 7.1.

Security Documentation. Both parties shall:  • Ensure that security is planned for, documented, and integrated into the System Life Cycle from the IT system’s initiation to the system’s disposal. For applicable guidance, please refer to CMS eXpedited Life Cycle12 and the CMS Risk Management Handbook.13 CMS shall:  • Review the CMS System Security and Privacy Plan (SSP) for CMS information systems and the CMS network annually and update it when a major modification occurs, as required by the CMS SSP Procedures. The Non-CMS Organization shall:  • Maintain an SSP based on the Enhanced Direct Enrollment (EDE) System Security and Privacy Plan (SSP) document14 on the Non-CMS Organization’s network and update annually or whenever there is a significant change;15 and 11 Located at: xxxxx://xxx.xxx.xxx/about/agencies/asa/ocio/cybersecurity/rules-of-behavior-for-use-of-hhs- information-resources/index.html. 12 Located at: xxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information- Technology/XLC/index.html. 13 Located at: xxxx://xxx.xxx.xxx/Research-Statistics-Data-and-Systems/CMS-Information- Technology/InformationSecurity/Information-Security-Library.html.