SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA must demonstrate, and OCSE must review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit or store NDNH information must be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities must have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information must first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 2. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement must ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process must have been conducted according to the NIST SP 800-37 Revision 2, as appropriate. Federal agencies must comply with NIST SP 800-37 Revision 2, including implementing a continuous monitoring program for permitted entities. Agencies must conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems and has determined that the risk to federal data is at an acceptable level. 
The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also: OMB M-22-05, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy, December 6, 2021.
Appears in 1 contract
Sources: Computer Matching Agreement
SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall demonstrate, and OCSE shall review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, or store NDNH information shall be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 1. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall have been conducted according to the NIST SP 800-37 Revision 1, as appropriate. Federal agencies shall comply with NIST SP 800-37 Revision 1, including implementing a continuous monitoring program for permitted entities. Agencies shall conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, and has determined that the risk to federal data is at an acceptable level.
The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199, Standards for Security Categorization of Federal Information and Information Systems (February 2002). See also OMB M-17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements, November 4, 2016.
Appears in 1 contract
Sources: Computer Matching Agreement
SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall demonstrate, and OCSE shall review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, or store NDNH information shall be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 1. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall have been conducted according to the NIST SP 800-37 Revision 1, as appropriate. Federal agencies shall comply with NIST SP 800-37 Revision 1, including implementing a continuous monitoring program for permitted entities. Agencies shall conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, and has determined that the risk to federal data is at an acceptable level.
The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also OMB M-17-05, Fiscal Year 2016-2017 Guidance on Federal Information Security and Privacy Management Requirements, November 4, 2016.
Appears in 1 contract
Sources: Computer Matching Agreement
SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall demonstrate, and OCSE shall review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, or store NDNH information shall be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 1. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall have been conducted according to the NIST SP 800-37 Revision 1, as appropriate. Federal agencies shall comply with NIST SP 800-37 Revision 1, including implementing a continuous monitoring program for permitted entities. Agencies shall conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, and has determined that the risk to federal data is at an acceptable level.
The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also ▇▇▇ ▇-▇▇-▇▇, Fiscal Year 2017-2018 Guidance on Federal Information Security and Privacy Management Requirements, October 16, 2017.
Appears in 1 contract
Sources: Computer Matching Agreement
SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA shall demonstrate, and OCSE shall review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit, or store NDNH information shall be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities shall have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information shall first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 2. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement shall ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process shall have been conducted according to the NIST SP 800-37 Revision 2 as appropriate. Federal agencies shall comply with NIST SP 800-37 Revision 2, including implementing a continuous monitoring program for permitted entities. Agencies shall conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems, and has determined that the risk to federal data is at an acceptable level.
The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also ▇▇▇ ▇-▇▇-▇▇, Fiscal Year 2018-2019 Guidance on Federal Information Security and Privacy Management Requirements, October 25, 2018.
Appears in 1 contract
Sources: Computer Matching Agreement
SSA Permitted Entity Security Posture. Prior to the redisclosure of NDNH information by SSA to any authorized entity, SSA must demonstrate, and OCSE must review and approve, the security posture of the entity’s systems and processes. All information systems and applications that process, transmit or store NDNH information must be fully compliant with FISMA, OMB directives, and NIST guidelines. Prior to receiving NDNH information, entities must have implemented the minimum security controls required for a system categorized as “moderate” in accordance with FIPS 199. All systems and applications handling NDNH information must first be granted the ATO through the authorization process according to NIST SP 800-37 Revision 2. In addition, if applicable, federal agencies that share NDNH information with entities specified in the agreement must ensure the specified contractors meet the same safeguarding requirements. The authorizing official of the agency that re-discloses NDNH information to the permitted entity may grant them the ATO or security authorization. The security authorization process must have been conducted according to the NIST SP 800-37 Revision 2, as appropriate. Federal agencies must comply with NIST SP 800-37 Revision 1, including implementing a continuous monitoring program for permitted entities. Agencies must conduct the authorization process at least every three years or when there are major changes to a system. Agencies must verify privacy protection periodically through audits and reviews of the systems and procedures. By signing the security addendum, SSA signatories confirm that SSA has reviewed the entities specified in the agreement, reviewed the security controls in place to safeguard information and information systems and has determined that the risk to federal data is at an acceptable level.
The security controls in place at all entities specified in the agreement are commensurate with those of a federal system categorized as “moderate” according to FIPS 199. See also: OMB M-22-05, Fiscal Year 2021-2022 Guidance on Federal Information Security and Privacy, December 6, 2021.
Appears in 1 contract
Sources: Computer Matching Agreement