FedBizOpps Sources Sought Notice

Classification Code: R
Subject: Administration (HRA) requires an automated method of
Contracting Office's ZIP Code: 21703
Solicitation Number: 36C10X19Q0063
Response Date: 02-22-2019
Archive Days After the Response Date: 60
Recovery Act Funds: N
NAICS Code: 541612
Contracting Office Address: Strategic Acquisition Center - Frederick, Department of Veterans Affairs, 5202 Presidents Court, Suite 103, Frederick MD 21703
Point of Contact: Jennifer Benisek, Contract Specialist, 202-664-4948, Strategic Acquisition Center - Frederick, Jennifer.Benisek@
Description: See Attachment

This is a sources sought notice for market research purposes only.

The Department of Veterans Affairs (VA) is seeking eligible contractors to furnish access to an automated employment and income verification database. Should your company provide access to a database that meets the requirements in the attached draft PWS, kindly respond to this email by the response due date above with the following information:
- Positive verification that your company provides access to a database which meets the requirements outlined in the draft PWS
- Supporting documentation (i.e., product fact sheet/catalogue/etc.)
- Pricing for market research purposes only

All responsible sources may identify their interest. Please also identify your size designation/small business.

This sources sought is for informational purposes only. This is NOT a solicitation. It does not constitute a request for quote and shall not be construed as a commitment by the Government.
Responses in any form are not quotes and the Government is under no obligation to award a task order as a result of this announcement. The results of this market research will contribute to determining the method of procurement.

Draft Performance Work Statement (PWS)
Department of Veterans Affairs
Office of Information & Technology (OIT)
Enterprise Application Support (EAS)
Employment & Income Verification Services

BACKGROUND:

The Department of Veterans Affairs (VA) Human Resources Administration (HRA) provides VA employees with a method by which subscribing employers can share employment and income data, electronically and securely, with various providers for purposes such as qualifying for mortgages, leases, and consumer loans.

A lender/verifier that uses the Service frequently may subscribe by contracting with the Contractor to become a Member Verifier. Other subscribers, using the service on an infrequent basis, are non-member verifiers. Member Verifiers and non-member verifiers shall receive the same data. Signature Verifiers are authorized to access the Service by employee signature and receive data via the World Wide Web or other secure electronic means. Employees must authorize income verification. Lender/verifiers may access the service at their own initiative to verify employment only (i.e., not income data).

SCOPE OF WORK

The Contractor shall provide VA employees with an automated method of obtaining employment verification. The groups with an interest in the verification process that shall interact with the Service are subscribing employers, employees of subscribing employers, and lender/verifiers who wish to verify employment and/or income.
The service shall be used to provide verification of employment only, or of both employment and income. This service shall be available to VA employees 24 hours a day, 365 days a year.

PERFORMANCE PERIOD

The period of performance is estimated to be November 14, 2019 to November 13, 2020.

SPECIFIC TASKS AND DELIVERABLES

The contractor shall provide employment verification services as follows:

Assure Employee Data Security and Integrity. The Contractor shall always protect VA employee data from unauthorized use or disclosure. All electronic data transmissions shall be via certified means (e.g., FIPS 140-2 and Common Criteria). All World Wide Web access to employee data shall occur via Secure Sockets Layer (SSL) technology. World Wide Web sessions unused for twenty minutes shall automatically disconnect. Data backups shall be in encrypted (i.e., Advanced Encryption Standard or better) form and securely stored. All media, to include paper reports and listings, shall be sanitized via certified (e.g., NIST 800-88) means. Agency invoices shall not contain full employee SSNs, but masked equivalents (e.g., XXX-XX-9999).

VA employees should be capable of authorizing income verification by a variety of methods, such as:
- Via a secure World Wide Web site (e.g., using an Employer Code, SSN and Personal Information Number to establish a salary key).
- By signature on Social Services or credit applications received by Contractor Signature Verifiers.

Once an authorization is provided to the lender/verifier, the lender/verifier shall generate an income verification request to the Contractor by World Wide Web or electronic process.
A lender/verifier using the Contractor's secure World Wide Web site receives a real-time response of data displayed on their screen, which may be printed or stored electronically for later use.

The Contractor shall provide VA employees and management with various functions to control information availability, as follows:
- Employee Salary Key Indicator, Request, Review or Cancellation.
- Employment Verification.
- Income Verification: Employment + Salary Rate + Salary History.
- Audit or re-verify a previous request using a Reference Number.
- Employer placement or removal of a legal hold (i.e., not to release information on individual employees).
- Employer real-time entry of terminations or termination cancellations.

Standard Personal Information Number (PIN) Administration. The VA will choose a default PIN for their employee data file to be used as the initial PIN for Agency employees. The VA will be responsible for communicating this default PIN to employees. The PIN scheme shall contain a minimum of 4 digits (e.g., the last 4 digits of the employee's SSN plus year of birth = 3441 1956). The VA will continue to supply the default value with every data file that the Contractor receives. If a VA employee forgets their PIN, they will need to speak with a contractor Customer Service Representative, who shall reset the PIN.

Reference Number Audits. Each verification performed by the Contractor shall feature a unique Reference Number identifying the transaction. This reference number shall be used as quality control for auditors to obtain a copy of the original transaction. Audits by reference number shall not contain current (updated) data.

Signature Verifiers. For social service or credit applications verified by signature authorization, the Contractor shall take proper action to determine that signature authorization has been obtained by a Signature Verifier.
To become established as a Signature Verifier, a lender/verifier shall meet the contractor's authentication criteria and shall be documented by the contractor. Signature Verifier certification is subject to periodic audit by the Agency.

Social Services Description. The Contractor shall verify employment and income where either: (a) an employee has applied for an income-qualified benefit from a Social Services Agency, or (b) the employer is legally obligated to provide the employment information to the Social Services Agency.

The Contractor shall provide Social Services Agencies with the capability to request employment and income verification by mail or World Wide Web. Requests for employment data received by mail by the contractor shall be completed and returned to the requesting organization. Agencies using the service by World Wide Web shall be required to pre-register and agree to seek verification where the agency is providing a benefit to the employee or where the employer is legally required to provide the information.
The Contractor shall provide the Social Service Agency verification(s) when provided the following employment information:
- The employee's Social Security Number; and
- A facsimile number to which the verification can be sent.

Information shall be released to State and Federal agencies, income-qualified housing organizations, and charitable organizations for the purposes of:
- Determining eligibility for Social Services assistance;
- Preventing social services overpayments and fraud; and
- Verifying employment and income for state child support enforcement.

Information verified by the contractor for use by Social Services Agencies may include: basic employment information; gross earnings, commissions and overtime, or year-to-date and two years' previous; the twelve most recent pay periods of information, including each pay period's ending date, pay date, number of hours worked and total gross earnings; and medical and dental insurance coverage and (insurance) contractor name.

Quality Assurance Surveillance. The Contractor shall deliver Service in accordance with the Service Level Agreement in paragraph 3.1 of this PWS. The Contractor shall deliver services in accordance with the Interconnection Security Agreement and Memorandum of Understanding dated October 29, 2015.
(See Attachment 1)

PERFORMANCE METRICS

Performance measurements shall be in accordance with the following Service Level Agreement:

1. Access methods of IVR, Web, and Portal Availability. Metrics apply to Employee, Employer, and/or Verifier access methods as appropriate.
   Performance Goal: 99.6% availability of the chosen access method, with the exception of scheduled maintenance. Due to the availability of multiple access methods, the defined metric is applied to each access method independently.
   Definition of Measurement: Availability (%) = (X - Y - Z) / (X - Y) × 100, where X = total number of possible minutes in the interval, Y = number of minutes of scheduled access method maintenance in the interval, and Z = number of unscheduled unavailable minutes in the interval. EWS reserves scheduled maintenance windows. EWS reserves two (2) weekend extended outage maintenance windows annually to perform major system maintenance and upgrades.
   Method of Data Collection: Manual data collection via review of SNMP event trap logs, system logs, and manual data collection.
   Interval of Performance Measure: Monthly.
   Data Collection Responsibility: EWS Operations.
   Report Availability and Method: Available monthly upon request. Supplied via e-mail in PDF format.

2. Client Service Center Average Speed to Answer (ASA).
   Performance Goal: Average Speed to Answer of 4.0 minutes or less for 80% of identifiable calls.
   Definition of Measurement: Siemens ProCenter "Call Type Answered Profile" report, in 30 second increments.
   Method of Data Collection: Automated and standardized via Siemens HiPath ProCenter Software.
   Interval of Performance Measure: Monthly.
   Data Collection Responsibility: EWS Client Service Center via Siemens HiPath ProCenter Software.
   Report Availability and Method: Available monthly upon request. Supplied via e-mail in Excel spreadsheet or HTML format.

3. Data Load Time: files which are electronically received by EWS or which EWS may pick up in an automated manner.
   Performance Goal: All client-supplied production data loads started within 24 hours of receipt by the EWS Data Load Team, excluding non-business days. (Clean, properly formatted data required.)
   Definition of Measurement: Load start time minus time of receipt.
   Method of Data Collection: Automatic load time data collected via the EWS Data Load system.
   Interval of Performance Measure: Per file loaded.
   Data Collection Responsibility: EWS Data Load Team.
   Report Availability and Method: Automated e-mail confirmation and load results within one business day. (An appropriate contact e-mail address is required.)

GOVERNMENT FURNISHED PROPERTY

VA shall provide accurate and current employment and income data to the Contractor on a bi-weekly basis, following the computation of payroll. The Contractor shall base verifications on this data, and only on the most accurate and current data provided.

Addendums and Attachments

Addendum A – Additional VA Requirements, Consolidated
Addendum B – VA Information and Information Systems Security/Privacy Language
Attachment 1 – ISA and MOU Template

ADDENDUM A – ADDITIONAL VA REQUIREMENTS, CONSOLIDATED

A1.0 Cyber and Information Security Requirements for VA IT Services

The Contractor shall ensure adequate LAN/Internet, data, information, and system security in accordance with industry practices and applicable laws and regulations. The Contractor's firewall and web server shall meet or exceed industry standard practices for security. All VA data shall be protected behind an approved firewall. Any security violations shall be reported to the VA Program Manager and VA Information Security Officer as soon as possible. Notification may be delayed to the extent that law enforcement determines that such notification may delay or impede its investigation.
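To make the availability formula in the Service Level Agreement above concrete, here is an added Python example (written for this page, not part of the solicitation or any contractor tooling) that applies (X - Y - Z) / (X - Y) × 100 to a constructed monthly outage log, scores IVR, Web and Portal independently, and compares each against the 99.6% goal. The outage records, the March 2019 interval and the treatment of an all-maintenance interval as 100% are assumptions.

```python
"""Check the PWS access-method availability SLA against an outage log.

Added example, not part of the solicitation. The formula is the one in the
Performance Metrics table:

    availability (%) = (X - Y - Z) / (X - Y) * 100

X = total possible minutes in the interval, Y = scheduled maintenance minutes,
Z = unscheduled unavailable minutes. Each access method (IVR, Web, Portal) is
scored independently against the 99.6% goal. All outage records below are
constructed sample data.
"""
from dataclasses import dataclass
from datetime import datetime

ACCESS_METHODS = ("IVR", "Web", "Portal")
AVAILABILITY_GOAL = 99.6  # percent, per the SLA


@dataclass(frozen=True)
class Outage:
    method: str        # one of ACCESS_METHODS
    start: datetime
    end: datetime
    scheduled: bool    # True = reserved maintenance window (counts toward Y)


def _overlap_minutes(outage: Outage, interval_start: datetime, interval_end: datetime) -> int:
    """Whole minutes of the outage that fall inside the reporting interval."""
    start = max(outage.start, interval_start)
    end = min(outage.end, interval_end)
    if end <= start:
        return 0
    return int((end - start).total_seconds() // 60)


def availability(x: int, y: int, z: int) -> float:
    """SLA formula: scheduled minutes (Y) are removed from both numerator and
    denominator, so only unscheduled minutes (Z) reduce availability."""
    if y > x or y < 0 or z < 0:
        raise ValueError("inconsistent minute counts")
    if x == y:
        # Assumption: an interval that was entirely reserved maintenance has
        # nothing to measure, so it is reported as fully available.
        return 100.0
    return (x - y - z) / (x - y) * 100


def evaluate_sla(outages, interval_start, interval_end):
    """Return {method: (X, Y, Z, availability %, meets goal)} per access method."""
    x = int((interval_end - interval_start).total_seconds() // 60)
    results = {}
    for method in ACCESS_METHODS:
        y = z = 0
        for outage in outages:
            if outage.method != method:
                continue
            minutes = _overlap_minutes(outage, interval_start, interval_end)
            if outage.scheduled:
                y += minutes
            else:
                z += minutes
        z = min(z, x - y)  # unscheduled downtime cannot exceed the measurable minutes
        pct = availability(x, y, z)
        results[method] = (x, y, z, round(pct, 3), pct >= AVAILABILITY_GOAL)
    return results


# Constructed sample: March 2019 reporting month (31 days = 44,640 minutes).
SAMPLE_INTERVAL = (datetime(2019, 3, 1), datetime(2019, 4, 1))
SAMPLE_OUTAGES = [
    # One of the two reserved weekend extended windows (scheduled, 24 h) on Web and Portal.
    Outage("Web", datetime(2019, 3, 9, 2), datetime(2019, 3, 10, 2), scheduled=True),
    Outage("Portal", datetime(2019, 3, 9, 2), datetime(2019, 3, 10, 2), scheduled=True),
    # Unscheduled 4-hour Web outage: more than 0.4% of the measurable minutes, so Web misses.
    Outage("Web", datetime(2019, 3, 18, 9), datetime(2019, 3, 18, 13), scheduled=False),
    # Unscheduled 90-minute IVR outage: IVR still meets the goal.
    Outage("IVR", datetime(2019, 3, 21, 14), datetime(2019, 3, 21, 15, 30), scheduled=False),
    # Outage straddling the interval end: only the 60 minutes inside March count.
    Outage("Portal", datetime(2019, 3, 31, 23), datetime(2019, 4, 1, 3), scheduled=False),
]

if __name__ == "__main__":
    for method, (x, y, z, pct, ok) in evaluate_sla(SAMPLE_OUTAGES, *SAMPLE_INTERVAL).items():
        status = "meets" if ok else "MISSES"
        print(f"{method:7s} X={x} Y={y} Z={z} availability={pct:.3f}% {status} {AVAILABILITY_GOAL}%")
```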
The Contractor shall follow all applicable VA policies and procedures governing information security, especially those that pertain to certification and accreditation, which the Contractor has been given the opportunity to review and has agreed in writing to comply with.

A2.0 Confidentiality and Non-Disclosure

The Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations, which the Contractor has been given the opportunity to review and has agreed in writing to comply with.

The Contractor will have access to some privileged and confidential materials of VA. These printed and electronic documents are for internal use only, are not to be copied or released except as necessary for the performance of the service, and remain the sole property of VA. Some of these materials are protected by the Privacy Act of 1974 (revised by PL 93-579) and Title 38. Unauthorized disclosure of Privacy Act or Title 38 covered materials is a criminal offense.

The VA CO will be the sole authorized official to release, in writing, any data, draft deliverables, final deliverables, or any other written or printed materials pertaining to this contract. The Contractor shall release no information except for the purpose of performance under this Agreement.

Contractor personnel recognize that in the performance of this effort, Contractor personnel may receive or have access to sensitive information, including information provided on a proprietary basis by carriers, equipment manufacturers and other private or public entities. Contractor personnel agree to safeguard such information and use the information exclusively in the performance of this contract.
The Contractor shall follow all VA rules and regulations regarding information security to prevent disclosure of sensitive information to unauthorized individuals or organizations, as enumerated in this section and elsewhere in this Contract and its subparts and appendices.

The Contractor shall limit access to all information considered sensitive or proprietary in nature to the minimum number of personnel necessary for contract performance. If the Contractor is uncertain of the sensitivity of any information obtained during the performance of this contract, the Contractor has a responsibility to ask the VA CO.

The Contractor shall train all their employees involved in the performance of this contract on their roles and responsibilities for proper handling and nondisclosure of sensitive VA or proprietary information. Contractor personnel shall not engage in any other action, venture or employment wherein sensitive information shall be used for the profit of any party other than those furnishing the information. The sensitive information transferred, generated, transmitted, or stored herein is for VA benefit and ownership alone.

The Contractor shall maintain physical security at all facilities housing the activities performed under this contract, including any Contractor facilities, according to industry standard practices.

ADDENDUM B – VA INFORMATION AND INFORMATION SYSTEM SECURITY/PRIVACY LANGUAGE

B1. ACCESS TO VA INFORMATION AND VA INFORMATION SYSTEMS

A Contractor/Subcontractor shall request logical (technical) or physical access to VA information and VA information systems for their employees, Subcontractors, and affiliates only to the extent necessary to perform the services specified in the contract, agreement, or task order.

All Contractors, Subcontractors, and third-party servicers and associates working with VA information are subject to investigative requirements which are consistent with those of VA appointees or employees who have access to the same types of information.
The Contractor represents that the Contractor has adopted and enforces workplace policies and that the Contractor's employees are required to abide by such contractor workplace policies while performing Services under this contract. The Contractor acknowledges that all of the employees that it provides pursuant to this contract shall be subject to drug screening and background checks and screening, including requesting information from public and private sources that may include education, social security number verification, employment, and criminal checks. In no event shall the Contractor use any employees to perform the Services whose testing has revealed a positive drug screen or whose background investigation has disclosed an invalid social security number, illegal immigration status, or a conviction or pending proceedings related to a job-related felony criminal offense. The following information is included on each applicant: InstaCheck, Criminal Histories, Denied Person's List, Education Verification, and Employment Verification ("Security Inquiries"). The Contractor shall perform all such Security Inquiries at its sole expense.

B2. VA INFORMATION CUSTODIAL LANGUAGE

Information made available to the Contractor or Subcontractor by VA for the performance or administration of this contract, or information developed by the Contractor/Subcontractor in performance or administration of the contract, shall be used only for those purposes and shall not be used in any other way without the prior written agreement of VA.
This clause expressly limits the Contractor/Subcontractor's rights to use data as described in Rights in Data - General, FAR 52.227-14(d)(1). Neither party's ownership rights, including but not limited to any intellectual property rights in or used by the Contractor to perform the Services, nor any intellectual property rights in or to VA's employment or income data, shall be transferred pursuant to this contract.

VA information should not be co-mingled with any other data on the Contractor's/Subcontractor's information systems or media storage systems, if possible, unless logically segregated, so that VA requirements related to data protection and industry standard sanitization requirements can be met. If mingling must be allowed to meet the requirements of the business need, the Contractor must ensure that VA information is destroyed in accordance with VA's sanitization requirements.

The Contractor/Subcontractor must receive, gather, store, back up, maintain, use, disclose and dispose of VA information only in compliance with the terms of the contract and applicable Federal and VA information confidentiality and security laws, regulations and policies.
If Federal or VA information confidentiality and security laws, regulations and policies become applicable to VA information or information systems after execution of the contract, or if NIST issues or updates applicable FIPS or Special Publications (SP) after execution of this contract, the parties agree to negotiate in good faith to implement the information confidentiality and security laws, regulations and policies in this contract.

The Contractor/Subcontractor shall not make copies of VA information except as authorized and necessary to perform the terms of the agreement or to preserve electronic information stored on Contractor/Subcontractor electronic storage media for restoration in case any electronic equipment or data used by the Contractor/Subcontractor needs to be restored to an operating state.

If VA determines that the Contractor has violated any of the information confidentiality, privacy, and security provisions of the contract, it shall be sufficient grounds for VA to terminate the contract for default or terminate for cause under Federal Acquisition Regulation (FAR) part 12.

The Contractor/Subcontractor must store, transport, or transmit VA sensitive information in an encrypted form, using encryption tools that are, at a minimum, FIPS 140-2 validated.

The Contractor/Subcontractor's firewall and Web services security controls, if applicable, shall meet or exceed industry standard requirements.

Except for uses and disclosures of VA information authorized by this contract for performance of the contract, the Contractor/Subcontractor may use and disclose VA information only in two other situations: (i) in response to a qualifying order of a court of competent jurisdiction, or (ii) with VA prior written approval.
The Contractor/Subcontractor must refer all requests for, demands for production of, or inquiries about, VA information and information systems to the VA CO for response.

B3. INFORMATION SYSTEM HOSTING, OPERATION, MAINTENANCE, OR USE

For information systems that are hosted, operated, maintained, or used on behalf of VA at non-VA facilities, Contractors/Subcontractors are fully responsible and accountable for ensuring compliance with all applicable federal and state regulations. This includes conducting compliant risk assessments, routine vulnerability scanning, system patching and change management procedures, and the completion of an acceptable contingency plan for each system.

The Contractor/Subcontractor must conduct an annual self-assessment on all applicable systems and outsourced services as required. The Contractor/Subcontractor must take appropriate and timely action (this can be specified in the contract) to correct or mitigate any material weaknesses discovered during such testing, generally at no additional cost.

B4. SECURITY INCIDENT INVESTIGATION

The term "security incident" means an event that has resulted in unauthorized access to, loss or damage to VA sensitive information.
The Contractor/Subcontractor shall, as soon as possible and in no case later than within forty-eight (48) hours, notify the COR and simultaneously the designated ISO and Privacy Officer for the contract of any known incidents, or any unauthorized disclosure of sensitive information, including that contained in system(s) to which the Contractor/Subcontractor has access.

To the extent known by the Contractor/Subcontractor, the Contractor/Subcontractor's notice to VA shall reasonably identify the information involved, the circumstances surrounding the incident (including to whom, how, when, and where the VA information or assets were placed at risk or compromised), and any other information that the Contractor/Subcontractor considers relevant.

In instances of theft or break-in or other criminal activity, the Contractor/Subcontractor must concurrently report the incident to the appropriate law enforcement entity (or entities) of jurisdiction. The Contractor, its employees, and its Subcontractors and their employees shall cooperate with any law enforcement authority responsible for the investigation and prosecution of any possible criminal law violation(s) associated with any incident. The Contractor shall reasonably cooperate with VA in any civil litigation to recover VA information, obtain monetary or other compensation from a third party for damages arising from any incident, or obtain injunctive relief against any third party arising from, or related to, the incident.

B5. LIQUIDATED DAMAGES FOR DATA BREACH

Consistent with the requirements of 38 U.S.C. §5725, a contract may require access to sensitive personal information. If so, the Contractor is liable to VA for liquidated damages in the event of a data breach or privacy incident involving any SPI the Contractor/Subcontractor processes or maintains under this contract.

The Contractor shall provide notice to VA of a "security incident" as set forth in the Security Incident Investigation section above.
Upon such notification, VA must secure from a non-Department entity or the VA Office of Inspector General an independent risk analysis of the data breach to determine the level of risk associated with the data breach for the potential misuse of any sensitive personal information involved in the data breach. The term "data breach" means the loss, theft, or other unauthorized access, or any access other than that incidental to the scope of employment, to data containing sensitive personal information, in electronic or printed form, that results in the potential compromise of the confidentiality or integrity of the data. The Contractor shall fully cooperate with the entity performing the risk analysis. Failure to cooperate may be deemed a material breach and grounds for contract termination.

Each risk analysis shall address all relevant information concerning the data breach, including the following:
- Nature of the event (loss, theft, unauthorized access);
- Description of the event, including:
  - date of occurrence;
  - data elements involved, including any PII, such as full name, social security number, date of birth, home address, account number, disability code;
- Number of individuals affected or potentially affected;
- Names of individuals or groups affected or potentially affected;
- Ease of logical data access to the lost, stolen or improperly accessed data in light of the degree of protection for the data, e.g., unencrypted, plain text;
- Amount of time the data has been out of VA control;
- The likelihood that the sensitive personal information will be or has been compromised (made accessible to and usable by unauthorized persons);
- Known misuses of data containing sensitive personal information, if any;
- Assessment of the potential harm to the affected individuals;
- Data breach analysis as outlined in the 6500.2 Handbook, Management of Security and Privacy Incidents, as appropriate; and
- Whether credit protection services may assist record subjects in avoiding or mitigating the results of identity theft based on the sensitive personal information that may have been compromised.

Based on the determinations of the independent risk analysis, the Contractor shall be responsible for paying to VA liquidated damages in the amount of $37.50 per affected individual to cover the cost of providing credit protection services to affected individuals, consisting of the following:
- Notification;
- One year of credit monitoring services consisting of automatic daily monitoring of at least 3 relevant credit bureau reports;
- Data breach analysis;
- Fraud resolution services, including writing dispute letters, initiating fraud alerts and credit freezes, to assist affected individuals to bring matters to resolution;
- One year of identity theft insurance with $20,000.00 coverage at $0 deductible; and
- Necessary legal expenses the subjects may incur to repair falsified or damaged credit records, histories, or financial affairs.

B6. ASSESSMENT

VA may conduct an onsite security assessment ("Assessment") to examine the Contractor's performance of this Agreement. An Assessment shall be defined as VA having the right to: a) review policies and procedures; b) review high level network and infrastructure diagrams; c) review the executive summary of third party audit reports; d) participate in a "Question and Answer" session with subject matter experts; e) conduct a site tour (the site tour will not include access to the raised floor area of the datacenter); f) other items as may be approved by Equifax Security. An Assessment will be conducted (i) during regular business hours, (ii) at VA's sole expense, (iii) no more frequently than once per calendar year, (iv) on a mutually agreed upon date with no less than thirty (30) days' notice, and (v) subject to the Contractor's security policies over its facilities and systems. VA and its auditors shall not be given access to any Contractor's systems for auditing purposes.
The right to conduct an Assessment does not allow VA to perform security testing, vulnerability assessment, or penetration testing against the Contractor. As an alternative to allowing VA, their clients, or their auditors to perform their own scans, the Contractor shall hire an independent nationally recognized third party to perform an ethical hack/penetration test annually. VA may review the executive summary results either onsite at the Contractor's company headquarters or via web conference. The Contractor will not be required to provide access to the proprietary data of the Contractor or of its other clients. All information learned or exchanged about an Assessment shall be kept confidential.

INTERCONNECTION SECURITY AGREEMENT AND MEMORANDUM OF UNDERSTANDING
Between the Department of Veterans Affairs Financial Services Center (VA FSC) and <VENDOR>
<Date>

DOCUMENT CONTROL CHANGE SHEET

Date | Version | Author | Revision Description
05/29/2014 | 0.1 | Michael Roots | New draft using template dated August 2013
5/30/2014 | 0.1 | Caroline Just | Revised diagram
3/20-4/20/2015 | 1.0 | Caroline Just | Incorporate Equifax changes and prepare for final review/signature: removed references to HIPAA unless applicable to VA only or defined in Appendices; removed items 2, 3, 4 from section 3.6
6/19/2015 | 2.0 | Caroline Just | Prepare final draft for internal approval and signatures.
6/23/2015 | 2.0 | Caroline Just | Corrected typographical errors (pages 5, 7); removed one reference to health information from Appendix D; updated TOC.
10/16/2015 | 2.1 | Caroline Just | Section 2.1: added Contract Order; added "as approved and directed by the Director of VA Enterprise Applications"; replaced topological drawing; updated TOC.
10/29/2015 | 2.2 | Caroline Just | Sections 1.2, 2.3.1: added document dates for VA Directive 6500, VA Handbook 6500, and VA Handbook 6500.2; 3.2.9: removed "(or successors)" following VA Handbook 6500.

EXECUTIVE SUMMARY

PAID is primarily used by the HR community, as payroll processing services are now provided by the Defense Finance Accounting Service (DFAS). As an automated Human Resources (HR) application, PAID processes data for over 362,000 VA employees. Processing includes personnel actions, benefits, entitlements, transmission of timecard data from the VA's legacy system, training data, updating VA financial systems, and producing financial reports. Employee master records are updated nightly to reflect new hires, promotions, separations, reassignments, and adjustments to employees' leave balances based on data received from DFAS. The PAID application gives the HR and payroll offices direct and timely access to their employees' personnel data and to some payroll data.
The PAID application also provides feeds to various VA financial systems for bill-paying purposes.

The Personnel and Accounting Integrated Data System (PAID), owned by VA, utilizes a Memorandum of Understanding (MOU) to document the terms and conditions for sharing data and information resources in a secure manner. The supporting information within the MOU defines the purpose of the interconnection, identifies the relevant authorities, specifies the responsibilities of both organizations, and defines the terms of the agreement. Additionally, the MOU provides details on the apportionment of cost and the timeline for terminating or reauthorizing the interconnection.

Technical details on how the interconnection is established or maintained are included within the Interconnection Security Agreement (ISA). A system interconnection is a direct connection between two or more information technology (IT) systems for sharing data and other information resources. PAID, owned by VA, uses the ISA to formally document the reasons, methodology, and approvals for interconnecting IT systems; to identify the basic components of an interconnection; to identify methods and levels of interconnectivity; and to discuss potential security risks associated with the interconnections.

1 INTRODUCTION

1.1 Overview and Purpose

The ISA specifies the technical and security requirements of the interconnection, and the MOU defines the responsibilities of the participating organizations.

This ISA/MOU between the organizations listed below supersedes all previous ISA/MOUs pertaining to the interconnection described below. The last ISA/MOU was authorized on <Date>.

The purpose of this agreement section is to establish a management agreement between the Department of Veterans Affairs Financial Services Center (VA FSC) and <VENDOR>.
This agreement will govern the relationship between VA FSC and <VENDOR>, including designated managerial and technical staff, in the absence of a common management authority.

1.2 Authority

The authority for this interconnection is based on, but not limited to:
- Federal Information Security Management Act (FISMA)
- VA Directive 6500, Managing Information Security Risk: VA Information Security Program, dated September 20, 2012, and VA Handbook 6500, Risk Management Framework for VA Information Systems: Tier 3 - VA Information Security Program, dated March 10, 2015
- National Institute of Standards and Technology (NIST) Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems
- 38 United States Code (U.S.C.) §§ 5721-5728, Veterans' Benefits, Information Security
- Office of Management and Budget (OMB) Circular A-130, Appendix III, Security of Federal Automated Information Systems
- 18 U.S.C. 641, Criminal Code: Public Money, Property or Records
- 18 U.S.C. 1905, Criminal Code: Disclosure of Confidential Information

The authority to disclose VA data per this agreement must comply with disclosure authority under each of the applicable statutes below:
- Privacy Act of 1974, 5 U.S.C. § 552a
- Fair Credit Reporting Act (FCRA)
- Confidential Nature of Claims, 38 U.S.C. § 5701
- Freedom of Information Act, 5 U.S.C. § 552

2 MEMORANDUM OF UNDERSTANDING

2.1 Background

It is the intent of both parties to this agreement to interconnect the following IT systems to exchange data between PAID and The Work Number. VA requires the use of The Work Number, and <VENDOR> requires the use of PAID, as approved and directed by the Director of VA Enterprise Applications, under the guidelines established by the National Institute of Standards and Technology (NIST) in Special Publication (SP) 800-47, Security Guide for Interconnecting Information Technology Systems, dated August 2002.
The expected benefit of the interconnection is to provide a method by which subscribing providers can verify employment and income data. VA requires that <VENDOR> verify employee employment data, as approved by contract number <#>, order number <#>, issued by the Department of Veterans Affairs. The date of the contract can be found in Block 31c of the contract's form 1449.

Each IT system is described below:

The Department of Veterans Affairs (VA)
- Name: Personnel and Accounting Integrated Data System (PAID)
- Function: An automated Human Resources (HR) application that processes data for over 362,000 VA employees and stores payroll-related data that has been processed by DFAS.
- Location: Austin Information Technology Center (AITC), 1615 Woodward St, Austin, TX 78772
- Description of data to be transmitted, including Federal Information Processing Standard (FIPS) 199 sensitivity categorization level: This interconnection will exchange personal and financial data which is Sensitive-But-Unclassified. The sensitivity level is categorized as High.

The <VENDOR> Corporation ("<VENDOR>")
- Name: The Work Number Employment and Income Verifications (The Work Number)
- Function: <VENDOR> performs the day-to-day operational requirements of the program, which collects employee employment verification data from PAID.
- Location: St. Louis, MO; Alpharetta, GA
- Description of data to be transmitted, including sensitivity categorization or classification level: This interconnection will exchange personal and financial data which is Sensitive-But-Unclassified. The sensitivity level is categorized as High.

2.2 Ownership of Data, including Requirements for Storage

The system interconnection described in this ISA/MOU may enable the transmission of both VA-owned sensitive information and non-VA-owned sensitive information, as well as non-sensitive information, depending on the business needs described in this document.
Regardless of which entity owns the information, if VA transmits sensitive information to <VENDOR> over the system interconnection, the transmission must be protected through the use of FIPS 140-2 (or successor) validated encryption.

Detail any specific requirements that <VENDOR> requires from VA regarding information transmitted via the system interconnection from <VENDOR> to VA: Refer to Appendix B for details.

If ownership of the data is transferred to <VENDOR> from VA, <VENDOR> will follow its own established policy for storage. Only copies of VA information may be given to <VENDOR>; VA must always retain VA's copy of the data.

State the type of data being transmitted: employment verification data files of all VA employees (active, inactive, and terminated). Refer to Appendix B for details.

If, after consultation with the Privacy Officer (PO) and the Information Security Officer (ISO) as appropriate, it is determined that VA retains ownership of the sensitive information that will be transferred from VA and stored on <VENDOR>'s system, the VA originating point of contact (POC) for the data transfer must submit responses to the questionnaire contained in Appendix B.

The parties agree that transmission and storage of VA sensitive information on <VENDOR> systems will follow VA requirements as described herein. <VENDOR> will review the security controls on the system where the data will be stored at the connecting site to ensure the data is adequately protected.
<VENDOR> agrees to provide an existing authorization package, if applicable, or to complete a VA-provided security self-assessment for VA review prior to the establishment of the interconnection and annually thereafter as part of the annual review of this document.

Check one of the following:
[ ] YES - VA sensitive information WILL be stored on <VENDOR>'s systems (i.e., VA will retain ownership of sensitive data transmitted to <VENDOR>'s system via the interconnection).
[ ] NO - VA sensitive information will NOT be stored on <VENDOR>'s systems (i.e., VA will NOT retain ownership of any sensitive data transmitted to <VENDOR>'s system via the interconnection).

The following requirements are applicable for VA-owned sensitive information transferred via this ISA/MOU and stored on <VENDOR> systems.

<VENDOR> shall establish appropriate administrative, technical, procedural, and physical safeguards in accordance with VA Handbook 6500 to protect VA-owned sensitive information and to prevent unauthorized access to the information provided by VA. <VENDOR> shall logically segregate VA data from that of its other clients and ensure that VA's sensitive information is destroyed in accordance with NIST SP 800-88 guidelines.

<VENDOR> shall encrypt in storage all VA-owned sensitive information provided by or on behalf of VA for the employment and income verification services.

All VA-owned sensitive information and derivative information must be stored in an encrypted partition on <VENDOR>'s or its contractor's/subcontractor's information system hard drive using FIPS 140-2 (or successor) validated software. (See NIST's list of validated cryptographic modules for a complete list.)
The application must be capable of key recovery, and a copy of the encryption key(s) must be stored in multiple secure locations.

If VA-owned sensitive information must be stored on any portable drives, IT components, disks, or CDs/DVDs, then FIPS 140-2 (or successor) validated encryption must be used to secure the information.

VA-owned sensitive information must not be physically moved or transmitted from the site without the data being encrypted prior to said move or transmission.

Except for backup purposes, VA-owned sensitive information must not be physically moved from the location specified in section 2.1 without first providing prior written notice to the Information Owner. Data backed up to offsite media must be encrypted prior to transmission.

All electronic storage media used on non-VA leased or owned IT equipment to store, process, or access VA sensitive information must have all VA sensitive information removed, cleared, sanitized, or destroyed in accordance with Equifax policies and procedures promptly upon written notice by VA. Notwithstanding anything to the contrary, <VENDOR> shall have the right to retain copies of VA's Data for audit purposes, dispute resolution, and to fulfill retention requirements. <VENDOR> may also retain VA's Data which is stored on encrypted backup media until such media is re-used or destroyed.
<VENDOR> shall be required to maintain the security guidelines of this agreement for the period that such data is under the control of <VENDOR>.

<VENDOR> will allow authorized representatives of VA and the VA Office of the Inspector General (OIG) to be granted access to premises (which will not include the raised floor area of the datacenter) where the data are kept by <VENDOR>, for the purpose of confirming that <VENDOR>'s data security controls, separation of data and job duties, and destruction/media sanitization procedures are in compliance with VA requirements and this agreement.

In the event VA determines or has reasonable cause to believe that <VENDOR> disclosed, or may have used or disclosed, any part of the data other than as authorized by this Agreement or other written authorization from the Information Owner of this Agreement, VA in its sole discretion may require <VENDOR> to: (a) promptly investigate and report to VA <VENDOR>'s determinations regarding any alleged or actual unauthorized use or disclosure; (b) promptly resolve any problems identified by the investigation; and (c) if requested by VA, submit a formal response to an allegation of unauthorized disclosure. If VA reasonably determines or believes that unauthorized disclosures of the Information Owner's data in the possession of <VENDOR> have taken place, VA may terminate this Agreement.

Access to VA-owned sensitive information shall be restricted to authorized <VENDOR> employees, contractors, agents and verifiers, as necessary for <VENDOR> to perform its obligations under the Agreement(s), who require access to perform their official duties in accordance with the uses of the information as authorized in this Agreement. Such personnel shall be advised of: (1) the confidential nature of the information; (2) the safeguards required for protecting the information; and (3) the administrative, civil and criminal penalties for noncompliance contained in applicable Federal laws.
<VENDOR> agrees to limit access to, disclosure of, and use of all data provided under this Agreement. <VENDOR> agrees that access to the data covered by this Agreement shall be limited to the minimum number of individuals who need access to the Information Owner's data to perform this Agreement.

<VENDOR>, its employees, contractors, or agents will protect the privacy and confidentiality of any individually identifiable information contained in the data consistent with the Privacy Act of 1974 and, where applicable, standards promulgated pursuant to 38 U.S.C. 5701(f) and other applicable laws, regulations, and policies. <VENDOR> may provide data access to appropriate employees, contractors, agents or verifiers, as necessary for <VENDOR> to perform its obligations under the Agreement(s). Except as may be required in a public health emergency to protect the life and health of individuals and populations, and for authorized follow-up activities described herein, <VENDOR> will not attempt to identify the individuals whose records are contained in the data provided under this agreement or link these data with other data sources for identification purposes.

The information provided may not be disclosed or used for any purpose other than as outlined in this Agreement. If <VENDOR> wishes to use the data and information provided by VA under this Agreement for any purpose other than those outlined in this Agreement, <VENDOR> shall make a written request to VA describing the additional purposes for which it seeks to use the data. If VA determines that <VENDOR>'s request to use the data and information provided hereunder is acceptable, VA shall provide <VENDOR> with written approval of the additional use of the data.

<VENDOR> hereby acknowledges that criminal penalties under § 1106(a) of the Social Security Act (42 U.S.C. § 1306(a)) may apply to disclosures of information that are covered by § 1106 and that are not authorized by regulation or by Federal law.
<VENDOR> further acknowledges that criminal penalties under the Privacy Act (5 U.S.C. § 552a(i)(1)) may apply if it is determined that <VENDOR>, or any individual employed or affiliated therewith, knowingly and willfully discloses VA's sensitive information. Finally, <VENDOR> acknowledges that criminal penalties may be imposed under 18 U.S.C. § 641 if it is determined that <VENDOR>, or any individual employed or affiliated therewith, has taken or converted to his own use data file(s), or received the file(s) knowing that they were stolen or

2.3 Communications

Frequent formal communications are essential to ensure the successful management and operation of the interconnection agreement. The parties agree to maintain open lines of communication between designated staff at both the managerial and technical levels. All communications described herein must be conducted in writing (mail or email, excluding any sensitive VA information) unless otherwise noted.

The owners of PAID and The Work Number agree to designate and provide contact information for the technical lead(s) for their respective systems, and to facilitate direct contact between technical leads to support the management and operation of the interconnection. To safeguard the confidentiality, integrity, and availability of the connected systems and the data stored, processed, and transmitted, the parties agree to provide notice of specific events within the timeframes indicated below.

Security Incidents

VA Handbook 6500.2, Management of Data Breaches Involving Sensitive Personal Information (SPI), dated January 6, 2012, governs the reporting of incidents involving VA systems and information.
If a <VENDOR> employee, contractor, or agent becomes aware of the theft, loss or compromise of any device used to transport, access or store unencrypted VA sensitive information or data, such employee, agent, or contractor must, as soon as possible and in no case later than forty-eight (48) hours, report the incident to the VA POC listed within Appendix A (or the contract, when applicable), so that the incident can be reported to the VA Network Security Operations Center (VA-NSOC) for action.

Should any security incident or event involve VA-owned sensitive data (e.g., the theft, loss, compromise, or destruction of any device used to transport, access, or store VA data) covered by this agreement, or should <VENDOR> have a reasonable belief based on constructive knowledge that a security incident took place affecting VA data, then <VENDOR> will notify the VA POC listed within Appendix A (or the contract, when applicable) by phone or in writing as soon as possible and in no case later than forty-eight (48) hours following detection. For the avoidance of doubt, <VENDOR> shall have constructive knowledge of a security incident if <VENDOR> has a reasonable basis in facts or circumstances, whether acts or omissions, for its belief that a security incident occurred. The VA POC will immediately notify VA's ISO or PO, who will contact VA-NSOC within one hour of notification. <VENDOR> will provide details of the security event, the potential risk to VA-owned sensitive information, and the actions that have been or are being taken to remediate the issue. <VENDOR> will also provide VA with a written closing action report once the security event or incident has been resolved. VA will follow this same notification process should a security event occur within the VA boundary involving <VENDOR>-provided data.
Designated POCs will follow established incident response and reporting procedures, determine whether the incident warrants escalation, and comply with established escalation requirements for responding to security incidents.

VA-NSOC contact information is included in Appendix A; only VA personnel should contact the VA-NSOC.

Disasters and Other Contingencies

Technical staff will promptly and without unreasonable delay notify their designated counterparts listed within Appendix A by telephone or email in the event of a disaster or other contingency that disrupts the normal operation of one or both connected systems.

Material Changes to System Configuration

Planned technical changes to the system architecture will be reported to technical staff before such changes are implemented. Prior to implementing a change, the System Owner, with assistance from the ISO and PO, will conduct a risk assessment (RA) based on the new system architecture and determine if the proposed change requires reauthorization of the interconnection. Formal reauthorization is required whenever a system undergoes a significant change to the environment of operation, such as moving to a new facility, and the ISA/MOU must be modified and re-signed within one (1) month of implementation. Significant changes to the environment of operation include moving to a new facility.

New Interconnections

The initiating party will notify the other party at least one (1) month before it connects its IT system, described in Section 2.1, with any other IT system that materially impacts the security of the interconnection covered by this ISA/MOU. This includes connecting the IT system with systems that are owned and operated by third parties.

Personnel Changes

The parties agree to provide notification of the separation or long-term absence of their respective system owner or technical lead.
In addition, both parties will provide notification of any changes in POC information with respect to the system owner and technical lead. Both parties also will provide notification of changes to user profiles, including users who resign or change job responsibilities.

The responsible parties for each system are listed in Appendix A of this ISA/MOU. The appendix will be updated as necessary. Updating the appendix does not require the re-signing of this ISA/MOU by either party. It is the responsibility of each respective approving authority to ensure the timely updating of this appendix and the notification of such changes to the other party within thirty (30) days of any personnel change.

Security

Both parties agree to work together to ensure the joint security of the connected systems and the data stored, processed, and transmitted, as specified in the ISA section of this document. By signing this agreement, each party certifies that its respective system is designed, managed, and operated in compliance with all relevant Federal laws, regulations, and policies, including those stated in Section 1.2.

Cost Considerations

Both parties agree to share the costs of the interconnecting mechanisms and/or media. The percentage of cost assumed by each organization (e.g., 50/50, 40/60, etc.) must be agreed upon in advance, and no such expenditures or financial commitments shall be made without the written concurrence of both parties. Modifications to either system that are necessary to support the interconnection are the responsibility of the respective system owner's organization.

3 INTERCONNECTION SECURITY AGREEMENT

3.1 Background

The technical details of the interconnection are documented in this ISA section of the document. The parties agree to work together to develop the ISA, and the ISA/MOU must be signed by both parties before the interconnection is activated.
Proposed changes to either system or the interconnecting medium will be reviewed and evaluated to determine the potential impact to the interconnection. The ISA/MOU will be renegotiated before changes (identified in Section 2.2.4) are implemented.

Signatories to the ISA/MOU shall be the System Owner, ISO and PO for each system. The document should become an integral piece of the VA Assessment and Authorization (A&A) documentation and should be included in subsequent authorization requests.

System Description

PAID is primarily used by the HR community, as payroll processing services are now provided by the Defense Finance Accounting Service (DFAS). As an automated Human Resources (HR) application, PAID processes data for over 362,000 VA employees. Processing includes personnel actions, benefits, entitlements, transmission of timecard data from the VA's legacy system, training data, updating VA financial systems, and producing financial reports.

Employee master records are updated nightly to reflect new hires, promotions, separations, reassignments, and adjustments to employees' leave balances based on data received from DFAS. The PAID application gives the HR and payroll offices direct and timely access to their employees' personnel data and to some payroll data. The PAID application also provides feeds to various VA financial systems for bill-paying purposes.

System Hardware and Software Requirements

N/A

3.2 System Security Considerations

3.2.1 System Security Documentation

VA Standardized SYSTEM SECURITY PLAN for Personnel and Accounting Integrated Data System (PAID).

The purpose of the system security plan is to provide an overview of the security requirements of the system and describe the controls in place or planned for meeting those requirements.
The system security plan also delineates responsibilities and expected behavior of all individuals who access the system.

System Owner:
Information Owner:
Information Security Officer (ISO):

Different institutions assess and document system security through a variety of methods (e.g., risk assessment (RA), security control assessment (SCA), contractor security control assessment (CSCA), or system security plan (SSP)). For VA systems, the system interconnection/information sharing aspect is an essential part of the SSP. Two sections in the SSP require documentation of interconnections:
- System Identification: The VA facility must identify and document the types of system interconnections and information sharing that are allowed within the system.
- Security Assessment and Authorization (CA-3): The VA facility must identify and document whether all connections are authorized between the system and other systems outside the authorization boundary. The VA facility must also identify, document, and list external connections outside VA, as well as indicate information concerning the ISA/MOU. The VA facility must identify and document the appropriate officials designated to approve the information system agreements.

The Personnel and Accounting Integrated Data System (PAID), owned by VA, has received an Authority to Operate (ATO), dated 08/29/2013 and signed by the Director, Office of Cyber Security. An SCA by the VA Certification Program Office (CPO) in support of FISMA compliance will be completed when mandated by OCS. System controls are detailed in the SSP.

The Work Number, owned by <VENDOR>: A third-party assessment was performed in 2014 and a three-year ATO was granted by the USDA. This ATO includes the TWN service as part of the authorization boundary. Ongoing assessments will be performed each year by a third party in support of the USDA continuous monitoring schedule. Granted July 2, 2014; expiration/renewal July 2, 2017.
If continuous monitoring is proven, the ATO will not expire at the end of the three-year period.

General Information/Data Description

The interconnection between PAID and The Work Number is a two-way path. Refer to Appendix B for a detailed data description.

Services Offered

No user services are offered. This connection only exchanges data between PAID and The Work Number via a dedicated in-house

Information Security Officer at Interconnection Site

There must be an established ISO (or business partner equivalent) at all interconnection sites described herein, who can provide oversight through the duration of the system development lifecycle (SDLC) phases (development, deployment, operations, and disposal) of the interconnection and who can ensure that the systems maintain appropriate security controls.

Sensitivity Categorization

The sensitivity categorization of data exchanged between VA and <VENDOR> is based on FIPS 199, Sensitivity Categorization of Federal Systems, and the guidance in NIST SP 800-60, Guide for Mapping Types of Information and Information Systems to Security Categories. The data sensitivity categorization is High.

User Community

If the contract with <VENDOR> stipulates that a VA personnel clearance is required, then the personnel clearance will be commensurate with the risk.

All VA users with access to the data received from <VENDOR> have a current VA personnel clearance. All <VENDOR> users (employees and contractors) with access to the data received from VA have a current <VENDOR> background investigation, or a mutually agreed upon U.S. Government or Department of Defense (DoD) level background clearance, or other reciprocal agreement verified to be at [an acceptable level] or above. FIPS 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, describes the details of a National Agency Check (NAC) and a National Agency Check with Inquiries (NACI). The NAC is part of every NACI.
Standard NACs are the Security/Suitability Investigations Index (SII), Defense Clearance and Investigation Index (DCII), Federal Bureau of Investigation (FBI) Name Check, and FBI National Criminal History Fingerprint Check. The NACI is the basic and minimum investigation required on all new Federal employees, consisting of a NAC with written inquiries and searches of records covering specific areas of an individual's background during the past five years (inquiries sent to current and past employers, schools attended, references, and local law enforcement authorities). Coverage includes:
- Employment, 5 years
- Education, 5 years and highest degree verified
- Residence, 3 years
- Law Enforcement, 5 years

NAC (Federal Employees and Contractors) or <VENDOR> background investigation as specified above.

Information Exchange Security

The security of the information being passed on this connection is protected using FIPS 140-2 (or successor) validated encryption when encryption is required. The connections at each end are located within controlled-access facilities using physical access devices and/or guards. Individual users will not have access to the data except through the system security software inherent to the operating system. All access is controlled by authentication methods to validate the approved users.

Trusted Behavior Expectations

VA's system and users are expected to protect The Work Number, and <VENDOR>'s system and users are expected to protect PAID, in accordance with the Privacy Act, the Trade Secrets Act (18 U.S.C. 1905), and the Unauthorized Access Act (18 U.S.C. 2701 and 2710).

Formal Security Policy

Directives or policies that govern the protection of the data include, but are not limited to, NIST documents; VA Directive 6500 and VA Handbook 6500; and <VENDOR>'s Equifax Security Policies and Standards.

All <VENDOR> employees are expected to abide by the Equifax Security Policies and Standards and Equifax employee policies at all times.
<VENDOR> employees must read and acknowledge the Equifax employee handbook before starting work. Ongoing security training must be taken as directed by the security department.

Audit Trail Responsibilities

Both parties are responsible for auditing application processes and user activities involving the interconnection with sufficient granularity to allow successful investigation and possible prosecution of wrongdoers. Activities that will be recorded include event type, date and time of event, user identification, workstation identification, success or failure of access attempts, and security actions taken by system administrators or security officers. Audit logs will be retained for a minimum of one year.

Security Parameters

PAID is physically housed in a government-owned building located at the AITC in Austin, Texas. The entire building is occupied by the Department of Veterans Affairs and VA contractor personnel and is not open to the public.

The PAID application runs at the AITC, and all information is processed and stored at the AITC. VA Central Office (VACO) manages the PAID application and manages Financial Management Systems (DOTFMS) services.

Overall security for the IBM mainframe is provided by AITC personnel and procedures. These procedures include providing change control for the mainframe connectivity and providing physical security.
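The Audit Trail Responsibilities clause above lists what each audit record must carry and how long logs must be kept. The following is an added example, not part of the ISA/MOU or either party's tooling, showing how an ISO could check a JSON-lines export of interconnection audit records against those requirements: the field names, the JSON layout, and the sample records are all constructed here for illustration.

```python
"""
Added example (not from the ISA/MOU): check that audit records for the
PAID / The Work Number interconnection carry the content the Audit Trail
Responsibilities clause requires, and that no record younger than the
one-year retention minimum is treated as eligible for purge.
Field names, record layout and sample lines are assumptions.
"""
import json
from datetime import datetime, timedelta, timezone

# One field per item the clause requires: event type, date/time, user id,
# workstation id, success/failure of the access attempt (names assumed).
REQUIRED_FIELDS = ("event_type", "timestamp", "user_id", "workstation_id", "outcome")

# The clause also requires security actions by administrators or security
# officers to be recorded; for these event types we demand the acting role.
ADMIN_EVENT_TYPES = {"admin_action", "security_action"}

RETENTION_MINIMUM = timedelta(days=365)  # "retained for a minimum of one year"


def _parse_ts(value):
    """ISO 8601 string -> timezone-aware datetime; None if absent, invalid or naive."""
    if not isinstance(value, str):
        return None
    try:
        dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    except ValueError:
        return None
    return dt if dt.tzinfo is not None else None


def validate_record(rec):
    """Return the list of deficiencies for one parsed record (empty means conforming)."""
    problems = []
    for field in REQUIRED_FIELDS:
        if field not in rec or rec[field] in ("", None):
            problems.append(f"missing {field}")
    outcome = rec.get("outcome")
    if outcome is not None and outcome not in ("success", "failure"):
        problems.append(f"outcome must be success/failure, got {outcome!r}")
    if "timestamp" in rec and _parse_ts(rec["timestamp"]) is None:
        problems.append("timestamp not an ISO 8601 timestamp with timezone")
    if rec.get("event_type") in ADMIN_EVENT_TYPES and not rec.get("actor_role"):
        problems.append("admin/security action without actor_role")
    return problems


def audit_log_report(lines):
    """Map line number -> deficiencies for every non-conforming JSON-lines record."""
    report = {}
    for n, line in enumerate(lines, 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["unparseable record"]
            continue
        problems = validate_record(rec)
        if problems:
            report[n] = problems
    return report


def purge_eligible(lines, now):
    """Line numbers whose records are older than the one-year minimum.

    Records with a missing or invalid timestamp are never reported as
    eligible: when age cannot be established, the safe default is to keep.
    """
    eligible = []
    for n, line in enumerate(lines, 1):
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            continue
        ts = _parse_ts(rec.get("timestamp"))
        if ts is not None and now - ts >= RETENTION_MINIMUM:
            eligible.append(n)
    return eligible


# Constructed sample export: one conforming file-transfer record, one login
# missing the workstation id, one admin action without the acting role, one
# old but conforming record, and one with a non-ISO timestamp.
SAMPLE_LINES = [
    '{"event_type":"file_transfer","timestamp":"2015-09-01T02:15:00Z","user_id":"svc_paid_xfer","workstation_id":"aitc-gw01","outcome":"success"}',
    '{"event_type":"login","timestamp":"2015-09-01T02:16:00Z","user_id":"jdoe","outcome":"failure"}',
    '{"event_type":"admin_action","timestamp":"2015-09-01T02:17:00Z","user_id":"admin7","workstation_id":"aitc-mf01","outcome":"success"}',
    '{"event_type":"login","timestamp":"2014-06-01T08:00:00Z","user_id":"jdoe","workstation_id":"ws-22","outcome":"success"}',
    '{"event_type":"login","timestamp":"09/01/2015","user_id":"jdoe","workstation_id":"ws-22","outcome":"success"}',
]
NOW = datetime(2015, 9, 2, tzinfo=timezone.utc)  # constructed review date

if __name__ == "__main__":
    for n, problems in sorted(audit_log_report(SAMPLE_LINES).items()):
        print(f"line {n}: {'; '.join(problems)}")
    print("purge-eligible lines:", purge_eligible(SAMPLE_LINES, NOW))
```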
AITC personnel work to keep the IBM mainframe up to date with all the latest software security patches and new software applications, where indicated.

<VENDOR> Corporation, a provider of Equifax Workforce Solutions ("<VENDOR>"), has multiple safeguards in place for our external web portals such as The Work Number that help ensure our client data remains secure, including but not limited to the following:
- Risk Based Authentication
- Limited Access to Data
- Account Lockout
- IP Blacklisting
- Protection Against Username Harvesting
- Customizable PIN Scheme
- Logging & Monitoring
- Intrusion Prevention Services
- Encryption in Transit
- Credentialing Process

Training and Awareness

All VA employees, as well as VA contractors, seeking access to VA information systems or VA sensitive information must annually complete the VA Privacy and Information Security Awareness Training and Rules of Behavior (VA 10176) and annually acknowledge VA's Rules of Behavior (RoB) before VA access is granted to such information or information systems. Additionally, individuals seeking access to health information must also annually complete Privacy and HIPAA Training (VA 10203).

All <VENDOR> employees seeking access to VA sensitive information must annually complete the Equifax Information Security Awareness Training before access is granted to such information.

3.3 TOPOLOGICAL DRAWING

VA/Equifax Topological Drawing
For Official Use Only

[Diagram: VA – TALX Interface, AITC/Equifax File Transfer. SFTP over SSH, Equifax 1-way, between AITC/PAID (Austin, TX) and Equifax (St. Louis, MO). Components shown: IBM Mainframe, VA Gateway, VA Intranet, NSOC Firewall, AT&T Managed Router, Public Internet, Equifax External Firewall, Equifax SFTP Server, Equifax Internal Firewall, Equifax Data Loading Server. Last updated 9/1/2015. VA: diagram originally done by Naomi Gilbert, revised by Don Waters and Caroline Just.]

4 Duration

This ISA/MOU will be reviewed no later than one (1) year after the last date on the signatures below, and every year thereafter, to determine if the interconnection is still required. The VA ISO will be the primary party responsible for reviewing the agreement on behalf of the VA and will coordinate the review with the VA CIO, VA Business Owner and Key Stakeholders.

If there is no review, then this Agreement will expire.

If the interconnection is deemed still necessary and there are no significant changes to the interconnection (see section 2.3.3, Material Changes to System Configuration), then the agreement will remain in effect and the VA ISO will document the annual review in Appendix C, Annual Review.

If there are significant changes to the interconnection, or the VA ISO finds that a review has been completed and major changes were noted during the review, the signatories must update and reauthorize the agreement.

If one or both parties wish to terminate this agreement prematurely, they may do so upon thirty (30) days' advance notice or in the event of a security incident that necessitates an immediate response.

5 SIGNATORY AUTHORITY

We, the undersigned, mutually agree to the terms of this agreement.

Name of Department of Veterans Affairs (VA) System Owner:
Name of Department of Veterans Affairs (VA) Local Information Security Officer:
Name of Department of Veterans Affairs (VA) Local Privacy Officer:
Name of <VENDOR> Corporation ("<VENDOR>") System Owner:
Name of <VENDOR> Information Security Officer:

Appendix A: Points of Contact

List of Responsible Parties for Each System:
Name | Company | Title | Office Phone | Email

List of Responsible Parties to Contact during a Security Incident:
Name | Company | Title | Office Phone | Email

Appendix B: Questionnaire - Transmission of VA Sensitive Information Utilizing a System Interconnection

ISA/MOU for Interconnection: INTERCONNECTION SECURITY AGREEMENT AND MEMORANDUM OF UNDERSTANDING Between the Department of Veterans Affairs (VA) Personnel and Accounting Integrated Data System (PAID) And <VENDOR> Corporation, a provider of Equifax Workforce Solutions ("<VENDOR>") The Work Number Employment and Income Verifications (The Work Number)

VA Point of Contact:
Description of Data:
Purpose for Data Transfer: The purpose of the interconnection is to deliver the employment verification data file to <VENDOR> and verify that the data was received. The <VENDOR> interface information allows <VENDOR> to verify employment of VA employees. Users are authorized by the employer or the employee to access current employment data to verify employment and income for mortgage and personal credit approval.
Non-VA Storage Location of the Transmitted Information: <VENDOR>
Supporting Document(s) Describing the Transfer of the Data to the Recipient: VA Interface Control Document <VENDOR> - Employment Verification File and VA Personnel and Accounting Integrated Data System.
Provisions for Destruction or Return of the Data (if applicable): <VENDOR> will delete the sensitive information provided by the VA from the Work Number database, as described in the contract, at the completion of the contract.
VA Point of Contact Privacy Officer:
VA Information Security Officer:

Appendix C: VA Annual Review Documentation

VA ISO signature is required for each annual review. During the annual review, the ISO should consult key stakeholders, for example: CIO, VA Business Owner, Privacy Officer, Contracting Officer, and Research. When a page is full, the ISO should add another page.

Date of Review | Change Status (Select all that apply) | Additional Signature(s) | Comments

Appendix D: Definitions of Sensitive Information Types

The definitions in this Appendix are for reference only and may not apply to all VA agreements.

The following discussion defines the various types of personal information collected, maintained, and used within VA and provides an overview of how they inter-relate. Every type is subject to the VA security statutes (38 U.S.C. §§ 5721-28) if it identifies or could reasonably be used to identify an individual. Depending on the type of information, it may also be protected by the Privacy Act (5 U.S.C. § 552a), the VA confidentiality statutes (38 U.S.C. §§ 5701, 5705, and 7332), and the HIPAA Privacy and Security Rules (45 C.F.R. Parts 160, 164).

VA Sensitive Information/Data. All Department information and/or data on any storage media or in any form or format, which requires protection due to the risk of harm that could result from inadvertent or deliberate disclosure, alteration, or destruction of the information. The term includes not only information that identifies an individual but also other information whose improper use or disclosure could adversely affect the ability of an agency to accomplish its mission, proprietary information, and records about individuals requiring protection under applicable confidentiality provisions. SOURCE: 38 U.S.C. § 5727.

Personally Identifiable Information (PII). Any information which can be used to distinguish or trace an individual's identity, such as their name, social security number, biometric records, etc., alone, or when combined with other personal or identifying information which is linked or linkable to a specific individual, such as date and place of birth, mother's maiden name, etc.
Information does not have to be retrieved by any specific individual or unique identifier (i.e., covered by the Privacy Act) to be personally identifiable information. SOURCE: Office of Management and Budget (OMB) Memorandum 07-16, Safeguarding Against and Responding to Breaches of Personally Identifiable Information (May 22, 2007)NOTE: The term "Personally Identifiable Information" is synonymous and interchangeable with "Sensitive Personal Information."Sensitive Personal Information (SPI). The term, with respect to an individual, means any information about the individual maintained by VA, including the following: (i) education, financial transactions, medical history, and criminal or employment history; and (ii) information that can be used to distinguish or trace the individual's identity, including name, social security number, date and place of birth, mother's maiden name, or biometric records. SPI is a subset of VA Sensitive Information/Data. SOURCE: 38 U.S.C. § 5727.NOTE: The term "Sensitive Personal Information" is synonymous and interchangeable with "Personally Identifiable Information."Individually Identifiable Information (III). Individually Identifiable Information is any information pertaining to an individual that is retrieved by the individual's name or other unique identifier, regardless of how it is retrieved. Individually Identifiable Information is a subset of Personally Identifiable Information and is protected by the Privacy Act.Non-identifiable Information. Non-identifiable Information is information from which all Unique Identifiers have been removed so that the information is no longer protected under the Privacy Act, 38 U.S.C. §5701, or 38 U.S.C. § 7332.Limited Data Set. A Limited Data Set is protected health information from which certain specified direct identifiers of the individuals and their relatives, household members, and employers have beenremoved. 
These identifiers include name, address (other than town or city, state, or zip code), phone number, fax number, e-mail address, Social Security Number (SSN), medical record number, health plan number, account number, certificate and/or license numbers, vehicle identification, device identifiers, web universal resource locators (URL), internet protocol (IP) address numbers, biometric identifiers, and full-face photographic images. The two patient identifiers that can be used are dates and postal address information that is limited to town or city, State or zip code. Thus, a Limited Data Set is not De-Identified Information, and it is covered by the HIPAA Privacy Rule. A Limited Data Set may be used and disclosed for research, health care operations, and public health purposes pursuant to a Data Use Agreement. SOURCE: 45 C.F.R. § 164.514(e)(2)Unique Identifier. A Unique Identifier is an individual's name, address, social security number, or some other identifying number, symbol, or code assigned only to that individual (e.g., medical record number and claim number). If these identifiers are removed, then the information is no longer Individually Identifiable Information and is no longer covered by the Privacy Act, 38 U.S.C. § 5701, or 38 U.S.C. 
§ 7332.NOTE: The VA Office of General Counsel has indicated that the first initial of last name and last four of the social security number (e.g., A2222) is not a unique identifier; therefore, inclusion of this number by itself does not make the information identifiable or sensitive.Relations Among Different Types of InformationVA Sensitive Information/Data is the broadest term and generally encompasses all the other terms with the exception of de-identified data.Sensitive Personal Information and Personally Identifiable Information are synonymous and encompass Individually Identifiable Information.First Year Annual ReviewDate of ReviewReviewer SignatureAnnual ReviewReviewer CommentsSecond Year Annual ReviewReviewer CommentsReviewer SignatureDate of ReviewNote: For the 3rd year review, a ISA/MOU renewal is required to be completed and executed before the current ISA/MOU expires. ................