Common use of SSA Permitted Entity Security Posture Clause in Contracts

SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall demonstrate, and OCSE shall review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, or store NDNH information shall be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 2. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall have been conducted according to the NIST SP 800- 37 Revision 2 as appropriate. Federal agencies shall comply with NIST SP 800-37 Revision 2, including implementing a continuous monitoring program for permitted entities. Agencies shall conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, and determined that the risk to federal data is at an acceptable level. The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also XXX X-00-00, Fiscal Year 2018-2019 Guidance on Federal Information Security and Privacy Management Requirements, October 25, 2018.

SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall demonstrate, and OCSE shall review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, or store NDNH information shall be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 21. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall have been conducted according to the NIST SP 800- 800-37 Revision 2 1, as appropriate. Federal agencies shall comply with NIST SP 800-37 Revision 21, including implementing a continuous monitoring program for permitted entities. Agencies shall conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, and has determined that the risk to federal data is at an acceptable level. The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (February 2002). See also XXX X-00OMB M-17-0005, Fiscal Year 20182016-2019 2017 Guidance on Federal Information Security and Privacy Management Requirements, October 25November 4, 20182016.

SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall must demonstrate, and OCSE shall must review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, transmit or store NDNH information shall must be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall must have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall must first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 2. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall must ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall must have been conducted according to the NIST SP 800- 800-37 Revision 2 2, as appropriate. Federal agencies shall must comply with NIST SP 800-37 Revision 21, including implementing a continuous monitoring program for permitted entities. Agencies shall must conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, systems and has determined that the risk to federal data is at an acceptable level. The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also XXX X-00also: OMB M-22-0005, Fiscal Year 20182021-2019 2022 Guidance on Federal Information Security and Privacy Management RequirementsPrivacy, October 25December 6, 20182021.

SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall must demonstrate, and OCSE shall must review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, transmit or store NDNH information shall must be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall must have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall must first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 2. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall must ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall must have been conducted according to the NIST SP 800- 800-37 Revision 2 2, as appropriate. Federal agencies shall must comply with NIST SP 800-37 Revision 2, including implementing a continuous monitoring program for permitted entities. Agencies shall must conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, systems and has determined that the risk to federal data is at an acceptable level. The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also XXX X-00also: OMB M-22-0005, Fiscal Year 20182021-2019 2022 Guidance on Federal Information Security and Privacy Management RequirementsPrivacy, October 25December 6, 20182021.

SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall demonstrate, and OCSE shall review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, or store NDNH information shall be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 21. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall have been conducted according to the NIST SP 800- 800-37 Revision 2 1, as appropriate. Federal agencies shall comply with NIST SP 800-37 Revision 21, including implementing a continuous monitoring program for permitted entities. Agencies shall conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, and has determined that the risk to federal data is at an acceptable level. The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also XXX X-00OMB M-17-0005, Fiscal Year 20182016-2019 2017 Guidance on Federal Information Security and Privacy Management Requirements, October 25November 4, 20182016.

SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall demonstrate, and OCSE shall review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, or store NDNH information shall be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 21. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall have been conducted according to the NIST SP 800- 800-37 Revision 2 1, as appropriate. Federal agencies shall comply with NIST SP 800-37 Revision 21, including implementing a continuous monitoring program for permitted entities. Agencies shall conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, and determined that the risk to federal data is at an acceptable level. The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also XXX X-00-00, Fiscal Year 20182017-2019 2018 Guidance on Federal Information Security and Privacy Management Requirements, October 2516, 20182017.