MOU-25-6190_EXECUTED_2025-10-17.pdf
MOU-25-6190 Page 1 of 46
CDSS/Fresno County
PRIVACY & SECURITY AGREEMENT NO.: 25-17
PRIVACY AND SECURITY AGREEMENT
BETWEEN
the California Department of Social Services and the
County of Fresno
Department/Agency of Social Services
PREAMBLE
The California Department of Social Services (CDSS) and the County of Fresno Department/Agency of Social Services (County Department) enter into this Data Privacy and Security Agreement (Agreement) in order to ensure the privacy and security of Social Security Administration (SSA), Medi-Cal Eligibility Data System (MEDS) and Applicant Income and Eligibility Verification System (IEVS) Personally Identifiable Information (PII), covered by this Agreement and referred to hereinafter as PII, that the counties access through CDSS and the Department of Health Care Services (DHCS). This Agreement covers the following programs:
• CalFresh;
• California Food Assistance Program (CFAP);
• California Work Opportunity and Responsibility to Kids Program (CalWORKs);
• Cash Assistance Program for Immigrants (CAPI);
• Entrant Cash Assistance (ECA)/Refugee Cash Assistance (RCA);
• Foster Care (FC) (eligibility);
• Kinship Guardianship Assistance Program (Kin-GAP) (eligibility);
• Federal Guardianship Assistance Program (Fed-GAP) (eligibility);
• General Assistance/General Relief (GA/GR); and
• Trafficking and Crime Victims Assistance Program (TCVAP).
The CDSS has an Inter-Agency Agreement (IAA) with DHCS that allows CDSS and
local county agencies to access SSA and MEDS data in order to assist in the
Administration of the Program for the programs listed above. The IAA requires that
CDSS may only share SSA and MEDS data if its contract with the entity with whom it
intends to share the data reflects the entity's obligations under the IAA.
The County Department/Agency utilizes SSA and MEDS data in conjunction with other system data in order to Assist in the Administration of the Program for the programs listed above.
This Agreement covers the County of Fresno Department/Agency of Social Services and its staff (County Workers), who assist in the administration of programs; and access, use, or disclose PII.
DEFINITIONS
For the purpose of this Agreement, the following terms mean:
1. "Assist in the administration of the program" means performing administrative functions on behalf of programs, such as establishing eligibility, determining the amount of medical assistance, and collecting PII for such purposes, to the extent such activities are authorized by law.
2. "Breach" refers to actual loss, loss of control, compromise, unauthorized disclosure, unauthorized acquisition, unauthorized access, or any similar term referring to situations where persons other than authorized users and for other than authorized purposes have access or potential access to PII, whether electronic, paper, verbal, or recorded.
3. "County Worker" means those county employees, contractors, subcontractors, vendors and agents performing any functions for the County that require access to and/or use of PII and that are authorized by the County to access and use PII. An agent is a person or organization authorized to act on behalf of the County Department/Agency.
4. "PII" is personally identifiable information directly obtained in the course of performing an administrative function through the MEDS or IEVS systems on behalf of the programs, that can be used alone, or in conjunction with any other information, to identify a specific individual. PII includes any information that can be used to search for or identify individuals, or can be used to access their files, including but not limited to name, social security number (SSN), date and place of birth (DOB), mother's maiden name, driver's license number, or identification number. PII may also include any information that is linkable to an individual, such as medical, educational, financial, and employment information. PII may be electronic, paper, verbal, or recorded and includes statements made by, or attributed to, the individual.
5. "Security Incident" means the attempted or successful unauthorized access, use, disclosure, modification, or destruction of PII, or interference with system operations in an information system which processes PII that is under the control of the County or California Statewide Automated Welfare System (CalSAWS) Consortium, or a contractor, subcontractor or vendor of the County.
6. "Secure Areas" means any area where:
A. County Workers assist in the administration of their program;
B. County Workers use or disclose PII; or
C. PII is stored in paper or electronic format.
7. "SSA-provided or verified data (SSA data)" means:
A. Any information under the control of the Social Security Administration (SSA) provided to CDSS under the terms of an information exchange agreement with SSA (e.g., SSA provided date of death, SSA Title II or Title XVI benefit and eligibility data, or SSA citizenship verification); or
B. Any information provided to CDSS, including from a source other than SSA, but in which CDSS attests that SSA verified it, or couples the information with data from SSA to certify the accuracy of it (e.g., SSN and associated SSA verification indicator displayed together on a screen, file, or report, or DOB and associated SSA verification indicator displayed together on a screen, file, or report).
AGREEMENTS
CDSS and County Department/Agency mutually agree as follows:
I. PRIVACY AND CONFIDENTIALITY
A. County Department/Agency County Workers may use or disclose PII only as permitted in this Agreement and only to assist in the administration of PII in accordance with Section 14100.2 of the Welfare and Institutions Code, Section 431.302 of Title 42 Code of Federal Regulations, as limited by this Agreement, and as otherwise required by law. Disclosures required by law or that are made with the explicit written authorization of the client, such as through an authorized release of information form, are allowable. Any other use or disclosure of PII requires the express approval in writing of CDSS. No County Worker shall duplicate, disseminate or disclose PII except as allowed in this Agreement.
B. Access to PII shall be restricted to County Workers who need to perform their official duties to assist in the administration of their respective programs.
C. County Workers who access, disclose or use PII in a manner or for a purpose not authorized by this Agreement may be subject to civil and criminal sanctions contained in applicable federal and state statutes.
II. PERSONNEL CONTROLS
The County Department/Agency agrees to advise County Workers who have access to PII of the confidentiality of the information, the safeguards required to protect the information, and the civil and criminal sanctions for non-compliance contained in applicable federal and state laws. For that purpose, the County Department/Agency shall implement the following personnel controls:
A. Employee Training. Train and use reasonable measures to ensure compliance with the requirements of this Agreement by County Workers, including, but not limited to:
1. Provide initial privacy and security awareness training to each new County Worker within 30 days of employment;
2. Thereafter, provide annual refresher training or reminders of the privacy and security safeguards in this Agreement to all County Workers. Three or more security reminders per year are recommended;
3. Maintain records indicating each County Worker's name and the date on which the privacy and security awareness training was completed; and
4. Retain training records for a period of five years after completion of the training.
B. Employee Discipline.
1. Provide documented sanction policies and procedures for County Workers
who fail to comply with privacy policies and procedures or any provisions
of these requirements.
2. Sanction policies and procedures shall include termination of employment
when appropriate.
C. Confidentiality Statement. Ensure that all County Workers sign a confidentiality statement. The statement shall be signed by County Workers prior to accessing PII and annually thereafter. Signatures may be physical or electronic. The signed statement shall be retained for a period of five years.
The statement shall include, at a minimum, a description of the following:
1. General Use of PII;
2. Security and Privacy Safeguards for PII;
3. Unacceptable Use of PII; and
4. Enforcement Policies.
D. Background Screening.
1. Conduct a background screening of a County Worker before they may access PII.
2. The background screening should be commensurate with the risk and magnitude of harm the employee could cause. More thorough screening shall be done for those employees who are authorized to bypass significant technical and operational security controls.
3. The County Department/Agency shall retain each County Worker's background screening documentation for a period of three years following conclusion of the employment relationship.
III. MANAGEMENT OVERSIGHT AND MONITORING
To ensure compliance with the privacy and security safeguards in this Agreement the
County shall perform the following:
A. Conduct periodic privacy and security review of work activity by County Workers, including random sampling of work product. Examples include, but are not limited to, access to case files or other activities related to the handling of PII.
The periodic privacy and security reviews shall be performed or overseen by
management level personnel who are knowledgeable and experienced in the
areas of privacy and information security in the administration of their
program and the use or disclosure of PII.
IV. INFORMATION SECURITY AND PRIVACY STAFFING
The County Department/Agency agrees to:
A. Designate information security and privacy officials who are accountable for
compliance with these and all other applicable requirements stated in this
Agreement.
B. Provide the CDSS with applicable contact information for these designated
individuals using the County PSA inbox listed in Section IX of this Agreement.
Any changes to this information should be reported to DHCS within ten days.
C. Assign County Workers to be responsible for administration and monitoring of
all security-related controls stated in this Agreement.
V. TECHNICAL SECURITY CONTROLS
The State of California Office of Information Security (OIS) and SSA have adopted the National Institute of Standards and Technology (NIST) Special Publication (SP) 800-53, Security and Privacy Controls for Information Systems and Organizations, and NIST SP 800-37, Risk Management Framework for Information Systems and Organizations. OIS and SSA require organizations to comply with and maintain the minimum standards outlined in NIST SP 800-53 when working with PII and SSA data. County Department/Agency shall, at a minimum, implement an information security program that effectively manages risk in accordance with the Systems Security Standards and Requirements outlined in this Section of this Agreement.
Guidance regarding implementation of NIST SP 800-53 is available in the Statewide Information Management Manual (SIMM), SIMM-5300-A, which is hereby incorporated into this Agreement (Exhibit C) and available upon request.
DHCS and CDSS will enter into a separate PSA with the California Statewide Automated Welfare System (CalSAWS) Joint Powers Authority specific to the CalSAWS. Any requirements for data systems in this PSA would only apply to County Department/Agency's locally operated/administered systems that access, store, or process PII.
A. Systems Security Standards and Requirements
1. Access Control (AC)

Control Number: AC-1
Title: Access Control Policy and Procedures
CDSS Requirement: The organization must:
a. Develop, document, and disseminate to designated organization officials:
1. An access control policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance;
2. Procedures to facilitate the implementation of the access control policy and associated access controls.
b. Review and update the current access control procedures with the organization-defined frequency.
Supplemental Guidance (from NIST 800-53): This control addresses the establishment of policy and procedures for the effective implementation of selected security controls and control enhancements in the AC family. Policy and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Security program policies and procedures at the organization level may make the need for system-specific policies and procedures unnecessary. The policy can be included as part of the general information security policy for organizations or, conversely, can be represented by multiple policies reflecting the complex nature of certain organizations. The procedures can be established for the security program in general and for particular information systems, if needed. The organizational risk management strategy is a key factor in establishing policy and procedures. Related control: PM-9.
Control Number: AC-2
Title: Account Management
CDSS Requirement: The organization must:
a. Identify and select the accounts with access to PII to support organizational mission/business functions;
b. Assign account managers for information system accounts;
c. Establish conditions for group and role membership;
d. Specify authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Require approvals by designated access authority for requests to create information system accounts;
f. Create, enable, modify, disable, and remove information system accounts in accordance with organization account management procedures;
g. Monitor the use of information system accounts;
h. Notify account managers when accounts are no longer required, when users are terminated or transferred, and when individual information system usage or need-to-know changes;
i. Authorize access to the information systems that receive, process, store or transmit PII based on valid access authorization and need-to-know;
j. Review accounts for compliance with account management requirements according to organization-based frequency; and
k. Establish a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
Supplemental Guidance (from NIST 800-53): Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems. The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access. Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin. In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements). Failure to consider these factors could affect information system availability. Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates. Conditions for disabling or deactivating accounts include, for example: (i) when shared/group, emergency, or temporary accounts are no longer required; or (ii) when individuals are transferred or terminated. Some types of information system accounts may require specialized training. Related controls: AC-3, AC-4, AC-5, AC-6, AC-10, AC-17, AC-19, AC-20, AU-9, IA-2, IA-4, IA-5, IA-9, CM-5, CM-6, CM-11, MA-3, MA-4, MA-5, PL-4, SC-13.
Control Number: AC-3
Title: Access Enforcement
CDSS Requirement: The organization must: Enforce approved authorizations for logical access to information and system resources in accordance with applicable access control policies.
Supplemental Guidance (from NIST 800-53): Access control policies (e.g., identity-based policies, role-based policies, control matrices, cryptography) control access between active entities or subjects (i.e., users or processes acting on behalf of users) and passive entities or objects (e.g., devices, files, records, domains) in information systems. In addition to enforcing authorized access at the information system level and recognizing that information systems can host many applications and services in support of organizational missions and business operations, access enforcement mechanisms can also be employed at the application and service level to provide increased information security. Related controls: AC-2, AC-4, AC-5, AC-8, AC-15, AC-17, AC-
Control Number: AC-3(7)
Title: Access Enforcement | Role-Based Access Control
CDSS Requirement: The organization information system must: enforce a role-based access control policy over defined subjects and objects and control access based upon the need to utilize PII.
Supplemental Guidance (from NIST 800-53): Role-based access control (RBAC) is an access control policy that restricts information system access to authorized users. Organizations can create specific roles based on job functions and the authorizations (i.e., privileges) to perform needed operations on organizational information systems associated with the organization-defined roles. When users are assigned to the organizational roles, they inherit the authorizations or privileges defined for those roles. RBAC simplifies privilege administration for organizations because privileges are not assigned directly to every user (which can be a significant number of individuals for mid- to large-size organizations) but are instead acquired through role assignments. RBAC can be implemented either as a mandatory or discretionary form of access control. For organizations implementing RBAC with mandatory access controls, the requirements in AC-3(3) define the scope of the subjects and objects covered by the policy.
Control Number: AC-3(8)
Title: Access Enforcement | Revocation of Access Authorization
CDSS Requirement: The organization must: Enforce a role-based access control over users and information resources that have access to PII, and control access based upon organization-defined roles and users authorized to assume such roles.
Supplemental Guidance (from NIST 800-53): Revocation of access rules may differ based on the types of access revoked. For example, if a subject (i.e., user or process) is removed from a group, access may not be revoked until the next time the object (e.g., file) is opened or until the next time the subject attempts a new access to the object. Revocation based on changes to security labels may take effect immediately. Organizations can provide alternative approaches on how to make revocations immediate if information systems cannot provide such capability and immediate revocation is necessary.
Control Number: AC-4
Title: Information Flow Enforcement
CDSS Requirement: The organization information system must: enforce approved authorizations for controlling the flow of information within the system and between interconnected systems based on the need for interconnected systems to share PII to conduct business.
Supplemental Guidance (from NIST 800-53): Information flow control regulates where information is allowed to travel within an information system and between information systems (as opposed to who is allowed to access the information) and without explicit regard to subsequent accesses to that information. Flow control restrictions include, for example, keeping export-controlled information from being transmitted in the clear to the Internet, blocking outside traffic that claims to be from within the organization, restricting web requests to the Internet that are not from the internal web proxy server, and limiting information transfers between organizations based on data structures and content. Transferring information between information systems representing different security domains with different security policies introduces risk that such transfers violate one or more domain security policies. In such situations, information owners/stewards provide guidance at designated policy enforcement points between interconnected systems. Organizations consider mandating specific architectural solutions when required to enforce specific security policies. Enforcement includes, for example: (i) prohibiting information transfers between interconnected systems (i.e., allowing access only); (ii) employing hardware mechanisms to enforce one-way information flows; and (iii) implementing trustworthy regrading mechanisms to reassign security attributes and security labels.
Organizations commonly employ information flow control policies and enforcement mechanisms to control the flow of information between designated sources and destinations (e.g., networks, individuals, and devices) within information systems and between interconnected systems. Flow control is based on the characteristics of the information and/or the information path. Enforcement occurs, for example, in boundary protection devices (e.g., gateways, routers, guards, encrypted tunnels, firewalls) that employ rule sets or establish configuration settings that restrict information system services, provide a packet-filtering capability based on header information, or message-filtering capability based on message content (e.g., implementing key word searches or using document characteristics). Organizations also consider the trustworthiness of filtering/inspection mechanisms (i.e., hardware, firmware, and software components) that are critical to information flow enforcement. Control enhancements 3 through 22 primarily address cross-domain solution needs which focus on more advanced filtering techniques, in-depth analysis, and stronger flow enforcement mechanisms implemented in cross-domain products, for example, high-assurance guards. Such capabilities are generally not available in commercial off-the-shelf information technology products. Related controls: AC-3, AC-17, AC-19, AC-21, CM-6, CM-7, SA-8, SC-2, SC-6, SC-7, SC-18.
Control Number: AC-5
Title: Separation of Duties
CDSS Requirement: The organization must:
a. Separate organization-defined duties of individuals;
b. Document separation of duties of individuals; and
c. Define information system access authorizations to support separation of duties.
CDSS also requires that the state organization prohibit any functional component(s) or official(s) from issuing credentials or access authority to themselves or other individuals within their job function or category of access.
Federal requirements and CDSS policy exclude any employee who uses PII to process programmatic workloads to make benefit or entitlement determinations from participation in management or quality assurance functions.
Supplemental Guidance (from NIST 800-53): Separation of duties addresses the potential for abuse of authorized privileges and helps to reduce the risk of malevolent activity without collusion. Separation of duties includes, for example: (i) dividing mission functions and information system support functions among different individuals and/or roles; (ii) conducting information system support functions with different individuals (e.g., system management, programming, configuration management, quality assurance and testing, and network security); and (iii) ensuring security personnel administering access control functions do not also administer audit functions. Related controls: AC-3, AC-6, PE-3, PE-4, PS-2.
Control Number: AC-6
Title: Least Privilege
CDSS Requirement: The organization must: Employ the principle of least privilege, allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Supplemental Guidance (from NIST 800-53): Organizations employ least privilege for specific duties and information systems. The principle of least privilege is also applied to information system processes, ensuring that the processes operate at privilege levels no higher than necessary to accomplish required organizational missions/business functions. Organizations consider the creation of additional processes, roles, and information system accounts as necessary, to achieve least privilege. Organizations also apply least privilege to the development, implementation, and operation of organizational information systems. Related controls: AC-2, AC-3, AC-5, CM-8, CM-7, PL-2.
Control Number: AC-6(1)
Title: Least Privilege | Authorize Access to Security Functions
CDSS Requirement: The organization must explicitly authorize access to organization-defined security functions (deployed in hardware, software, and firmware) and security-relevant information.
Supplemental Guidance (from NIST 800-53): Security functions include, for example, establishing system accounts, configuring access authorizations (i.e., permissions, privileges), setting events to be audited, and setting intrusion detection parameters. Security-relevant information includes, for example, filtering rules for routers/firewalls, cryptographic key management information, configuration parameters for security services, and access control lists. Explicitly authorized personnel include, for example, security administrators, system and network administrators, system security officers, system maintenance personnel, system programmers, and other privileged users.
Control Number: AC-6(7)
Title: Least Privilege | Review of User Privileges
CDSS Requirement: The organization must:
a. Review the privileges assigned to organization-defined roles or classes of users to validate the need for such privileges; and
b. Reassign or remove privileges, if necessary, to correctly reflect organizational mission/business needs.
Supplemental Guidance (from NIST 800-53): The need for certain assigned user privileges may change over time reflecting changes in organizational missions/business function, environments of operation, technologies, or threat. Periodic review of assigned user privileges is necessary to determine if the rationale for assigning such privileges remains valid. If the need cannot be revalidated, organizations take appropriate corrective actions. Related control: CA-7.
Control Number: AC-7
Title: Unsuccessful Logon Attempts
CDSS Requirement: The organization must:
a. Enforce a limit of no fewer than three (3) and no greater than five (5) consecutive invalid logon attempts by a user during an organization-defined time period; and
b. Automatically lock the account/node for an organization-defined time period, or lock the account/node until released by an administrator, or delay the next logon prompt according to an organization-defined delay algorithm when the maximum number of unsuccessful attempts is exceeded.
Supplemental Guidance (from NIST 800-53): This control applies regardless of whether the logon occurs via a local or network connection. Due to the potential for denial of service, automatic lockouts initiated by information systems are usually temporary and automatically release after a predetermined time period established by organizations. If a delay algorithm is selected, organizations may choose to employ different algorithms for different information system components based on the capabilities of those components. Responses to unsuccessful logon attempts may be implemented at both the operating system and the application levels. Related controls: AC-2, AC-9, AC-14, IA-5.
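The following is an added illustration of the AC-7 requirement above, written for this edit and not part of the agreement or of any CalSAWS or county system: the policy object rejects a limit outside the 3-to-5 range the control fixes, counts only failures inside the organization-defined window as consecutive, and supports each of the three responses listed in (b): a temporary lock that releases itself, a lock held until an administrator releases it, or a delay algorithm. All class and function names, and all timing values, are this example's own constructed choices.

```python
import math
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    """Organization-defined AC-7 parameters (the defaults are constructed sample values)."""
    max_attempts: int = 5                # AC-7(a): limit of 3 to 5 consecutive invalid attempts
    window_seconds: int = 900            # AC-7(a): organization-defined counting period
    lock_seconds: Optional[int] = 1800   # AC-7(b): temporary lock; None = until administrator release
    delay_base_seconds: float = 0.0      # AC-7(b) alternative: delay algorithm (0 disables it)

    def __post_init__(self) -> None:
        # The agreement fixes the permitted range of the limit; reject anything outside it.
        if not 3 <= self.max_attempts <= 5:
            raise ValueError("AC-7 requires no fewer than 3 and no greater than 5 attempts")


@dataclass
class AccountState:
    failures: List[float] = field(default_factory=list)  # timestamps of consecutive failures
    locked_until: Optional[float] = None                 # math.inf = until released by admin
    not_before: float = 0.0                              # earliest time the next prompt is allowed


class LogonGuard:
    """Tracks unsuccessful logons per account and applies the configured AC-7 response."""

    def __init__(self, policy: LockoutPolicy) -> None:
        self.policy = policy
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user: str) -> AccountState:
        return self.accounts.setdefault(user, AccountState())

    def may_attempt(self, user: str, now: float) -> Tuple[bool, str]:
        """Call before showing a logon prompt; returns (allowed, reason)."""
        st = self._state(user)
        if st.locked_until is not None:
            if st.locked_until == math.inf:
                return False, "locked until released by an administrator"
            if now < st.locked_until:
                return False, f"locked for {int(st.locked_until - now)} more seconds"
            st.locked_until = None  # temporary lock expired: release automatically, as the guidance expects
            st.failures.clear()
        if now < st.not_before:
            return False, f"delayed for {int(st.not_before - now)} more seconds"
        return True, "ok"

    def record_failure(self, user: str, now: float) -> str:
        """Record an invalid logon; returns 'counted', 'delayed' or 'locked'."""
        p = self.policy
        st = self._state(user)
        # Only failures inside the organization-defined window count as consecutive.
        st.failures = [t for t in st.failures if now - t <= p.window_seconds]
        st.failures.append(now)
        if len(st.failures) < p.max_attempts:
            return "counted"
        if p.delay_base_seconds > 0:
            # Delay algorithm: the wait doubles for every failure beyond the limit.
            extra = len(st.failures) - p.max_attempts
            st.not_before = now + p.delay_base_seconds * (2 ** extra)
            return "delayed"
        st.locked_until = math.inf if p.lock_seconds is None else now + p.lock_seconds
        return "locked"

    def record_success(self, user: str) -> None:
        """A valid logon resets the consecutive-failure count."""
        st = self._state(user)
        st.failures.clear()
        st.not_before = 0.0

    def admin_release(self, user: str) -> None:
        """Administrator release for accounts locked with lock_seconds=None."""
        self.accounts[user] = AccountState()


def demo() -> List[str]:
    """Constructed walk-through: three bad passwords for 'worker01', then a 10-minute lock."""
    guard = LogonGuard(LockoutPolicy(max_attempts=3, lock_seconds=600))
    events = [guard.record_failure("worker01", now=100.0 + i) for i in range(3)]
    events.append(guard.may_attempt("worker01", now=104.0)[1])   # still locked
    events.append(guard.may_attempt("worker01", now=704.0)[1])   # lock expired
    return events


if __name__ == "__main__":
    print(demo())
```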
Control Number: AC-8
Title: System Use Notification
CDSS Requirement: The organization must:
a. Display to users a system use notification message or banner before granting access to the system that provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance and states that:
1. Users are accessing a U.S. Government information system;
2. Information system usage may be monitored, recorded, and subject to audit;
3. Unauthorized use of the information system is prohibited and subject to criminal and civil penalties; and
4. Use of the information system indicates consent to monitoring and recording;
b. Retain the notification message or banner on the screen until users acknowledge the usage conditions and take explicit actions to log on to or further access the information system; and
c. For publicly accessible systems:
1. Display system use information under organization-defined conditions, before granting further access;
2. Display references, if any, to monitoring, recording, or auditing that are consistent with privacy accommodations for such systems that generally prohibit those activities; and
3. Include a description of the authorized uses of the system.
At a minimum, this can be done at initial logon and is not required for every logon.
Supplemental Guidance (from NIST 800-53): System use notifications can be implemented using messages or warning banners displayed before individuals log in to information systems. System use notifications are used only for access via logon interfaces with human users and are not required when such human interfaces do not exist. Organizations consider system use notification messages/banners displayed in multiple languages based on specific organizational needs and the demographics of information system users. Organizations also consult with the Office of the General Counsel for legal review and approval of warning banner content.
Control Number: AC-11
Title: Session Lock
CDSS Requirement: The organization's information system:
a. Prevents further access to the system by initiating a session lock after 15 minutes or upon receiving a request from a user; and
b. Retains the session lock until the user reestablishes access using established identification and authentication procedures.
Supplemental Guidance (from NIST 800-53): Session locks are temporary actions taken when users stop work and move away from the immediate vicinity of information systems but do not want to log out because of the temporary nature of their absences. Session locks are implemented where session activities can be determined. This is typically at the operating system level but can also be at the application level. Session locks are not an acceptable substitute for logging out of information systems, for example, if organizations require users to log out at the end of workdays. Related control: AC-7.
Control Number AC-17
Title Remote Access
CDSS Requirement The organization must:
a. Establish and document usage restrictions, configuration/connection requirements,
and implementation guidance for each type of remote access allowed; and
b. Authorize remote access to the information system prior to allowing such connections.
Supplemental Guidance (from NIST 800-53) Remote access is access to organizational information systems by users (or processes acting
on behalf of users) communicating through external networks (e.g., the Internet). Remote
access methods include, for example, dial-up, broadband, and wireless. Organizations often
employ encrypted virtual private networks (VPNs) to enhance confidentiality and integrity over
remote connections. The use of encrypted VPNs does not make the access non-remote;
however, the use of VPNs, when adequately provisioned with appropriate security controls
(e.g., employing appropriate encryption techniques for confidentiality and integrity protection),
may provide sufficient assurance to the organization that it can effectively treat such
connections as internal networks. Still, VPN connections traverse external networks, and the
encrypted VPN does not enhance the availability of remote connections. Also, VPNs with
encrypted tunnels can affect the organizational capability to adequately monitor network
communications traffic for malicious code. Remote access controls apply to information
systems other than public web servers or systems designed for public access. This control
addresses authorization prior to allowing remote access without specifying the formats for such
authorization. While organizations may use interconnection security agreements to authorize
remote access connections, such agreements are not required by this control. Enforcing access
restrictions for remote connections is addressed in AC-3. Related controls: AC-2, AC-3, AC-18,
AC-19, AC-20, CA-3, CA-7, CM-8, IA-2, IA-3, IA-8, MA-4, PE-17, PL-4, SC-10, SI-4.
2. Accountability, Audit, and Risk Management (AR)
Control Number AR-3
Title Privacy Requirements for Contractors and Service Providers
CDSS Requirement The organization must:
a. Establish privacy roles, responsibilities, and access requirements for contractors and service
providers; and
b. Include privacy requirements in contracts and other acquisition-related documents.
Supplemental Guidance (from NIST 800-53) Contractors and service providers include, but are not limited to, information providers,
information processors, and other organizations providing information system development,
information technology services, and other outsourced applications. Organizations consult with
legal counsel, the Senior Agency Official for Privacy (SAOP)/Chief Privacy Officer (CPO), and
contracting officers about applicable laws, directives, policies, or regulations that may impact
implementation of this control. Related controls: AR-1, AR-5, SA-4.
3. Audit and Accountability (AU)
Control Number AU-1
Title Audit and Accountability Policy and Procedures
CDSS Requirement The organization must:
a. Develop, document, and disseminate to individuals and organizations that store, process, or
transmit PII:
1. An audit and accountability policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the audit and accountability policy and
associated audit and accountability controls; and
b. Review and update the current:
1. Audit and accountability policy at least triennially; and
2. Audit and accountability procedures at least triennially.
Supplemental Guidance (from NIST 800-53) This control addresses the establishment of policy and procedures for the effective
implementation of selected security controls and control enhancements in the AU family. Policy
and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies,
standards, and guidance. Security program policies and procedures at the organization level may
make the need for system-specific policies and procedures unnecessary. The policy can be
included as part of the general information security policy for organizations or conversely, can be
represented by multiple policies reflecting the complex nature of certain organizations. The
procedures can be established for the security program in general and for particular information
systems, if needed. The organizational risk management strategy is a key factor in establishing
policy and procedures. Related control: PM-9.
Control Number AU-2
Title Audit Events
CDSS Requirement The organization must:
a. Audit the following events:
1) Viewing PII stored within the organization's system;
2) Viewing of screens that contain PII;
3) All system and data interactions concerning PII.
b. Coordinate the security audit function with other organizational entities requiring audit-related
information to enhance mutual support and to help guide the selection of auditable events;
c. Determine that the following events are to be audited within the information system:
1) Viewing PII stored within the organization's system;
2) Viewing of screens that contain PII;
3) All system and data interactions concerning PII.
Supplemental Guidance (from NIST 800-53) An event is any observable occurrence in an organizational information system. Organizations
identify audit events as those events which are significant and relevant to the security of
information systems and the environments in which those systems operate in order to meet
specific and ongoing audit needs. Audit events can include, for example, password changes,
failed logons, or failed accesses related to information systems, administrative privilege usage,
PIV credential usage, or third-party credential usage. In determining the set of auditable events,
organizations consider the auditing appropriate for each of the security controls to be
implemented. To balance auditing requirements with other information system needs, this control
also requires identifying that subset of auditable events that are audited at a given point in time.
For example, organizations may determine that information systems must have the capability to
log every file access both successful and unsuccessful, but not activate that capability except for
specific circumstances due to the potential burden on system performance. Auditing
requirements, including the need for auditable events, may be referenced in other security
controls and control enhancements. Organizations also include auditable events that are required
by applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Audit records can be generated at various levels of abstraction, including at the packet level as
information traverses the network. Selecting the appropriate level of abstraction is a critical
aspect of an audit capability and can facilitate the identification of root causes to problems.
Organizations consider, in the definition of auditable events, the auditing necessary to cover
related events such as the steps in distributed, transaction-based processes (e.g., processes that
are distributed across multiple organizations) and actions that occur in service-oriented
architectures. Related controls: AC-6, AC-17, AU-3, AU-12, MA-4, MP-2, MP-4, SI-4.
Control Number AU-11
Title Audit Record Retention
CDSS Requirement The organization must retain audit records for six (6) years to provide support for after-the-fact
investigations of security incidents and to meet regulatory and organizational information retention
requirements.
Supplemental Guidance (from NIST 800-53) Organizations retain audit records until it is determined that they are no longer needed for
administrative, legal, audit, or other operational purposes. This includes, for example, retention
and availability of audit records relative to Freedom of Information Act (FOIA) requests,
subpoenas, and law enforcement actions. Organizations develop standard categories of audit
records relative to such types of actions and standard response processes for each type of action.
The National Archives and Records Administration (NARA) General Records Schedules provide
federal policy on record retention. Related controls: AU-4, AU-5, AU-9, MP-6.
Control Number AU-12
Title Audit Generation
CDSS Requirement The organization's information system must:
a. Provide audit record generation capability for the auditable events defined in AU-2 a. at the
audit reporting mechanism;
b. Allow security personnel to select which auditable events are to be audited by specific
components of the information system; and
c. Generate audit records for the events defined in AU-2 d. with the content defined in AU-3.
Supplemental Guidance (from NIST 800-53) Audit records can be generated from many different information system components. The list of
audited events is the set of events for which audits are to be generated. These events are
typically a subset of all events for which the information system is capable of generating audit
records. Related controls: AC-3, AU-2, AU-3, AU-6, AU-7.
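The AU-2 event list and the AU-12 generation and selection requirements above, as an added example that is not part of the agreement or of any CDSS or county system: a small Python audit logger that emits one record per PII view carrying the content NIST 800-53 AU-3 calls for (event type, when, where, source, outcome, subject identity), lets security personnel switch individual AU-2 events on or off per component (AU-12 b.), records failed as well as successful accesses, and answers the after-the-fact question that AU-11 retention exists to support. The event identifiers, the component name, the user names, addresses and case identifiers are all constructed for the example.

```python
import json
from datetime import datetime, timezone

# AU-2 a. events as listed in the agreement; the identifiers are assumed for this example.
AUDITABLE_EVENTS = {
    "pii.record.view": "Viewing PII stored within the organization's system",
    "pii.screen.view": "Viewing of screens that contain PII",
    "pii.data.interaction": "All system and data interactions concerning PII",
}


class AuditLog:
    """Audit record generation for one information system component (AU-12)."""

    def __init__(self, component: str):
        self.component = component            # AU-3 'where': the component that generated the record
        self.enabled = set(AUDITABLE_EVENTS)  # AU-12 b.: the AU-2 events this component currently audits
        self.records = []                     # JSON lines; a real sink is append-only, access-restricted storage

    def select(self, event_type: str, audited: bool) -> None:
        """AU-12 b.: security personnel switch an AU-2 event on or off for this component."""
        if event_type not in AUDITABLE_EVENTS:
            raise ValueError("not an AU-2 auditable event: " + event_type)
        if audited:
            self.enabled.add(event_type)
        else:
            self.enabled.discard(event_type)

    def record(self, event_type: str, subject: str, source: str, outcome: str,
               when: datetime = None, **details):
        """Generate one record with the AU-3 content: type, when, where, source, outcome, subject."""
        if event_type not in AUDITABLE_EVENTS:
            raise ValueError("not an AU-2 auditable event: " + event_type)
        if outcome not in ("success", "failure"):
            raise ValueError("outcome must be 'success' or 'failure'")
        if event_type not in self.enabled:
            return None                       # capability exists but this event is currently not selected
        rec = {
            "event": event_type,
            "when": (when or datetime.now(timezone.utc)).isoformat(),
            "where": self.component,
            "source": source,     # originating address or session as the application knows it
            "outcome": outcome,
            "subject": subject,   # the uniquely identified, authenticated user (IA-2)
            "details": details,   # record identifiers only; the PII values themselves never go in the log
        }
        self.records.append(json.dumps(rec, sort_keys=True))
        return rec

    def who_viewed(self, case_id: str) -> list:
        """After-the-fact investigation (AU-11): every subject that viewed, or tried to view, a case."""
        hits = []
        for line in self.records:
            rec = json.loads(line)
            if rec["details"].get("case_id") == case_id:
                hits.append((rec["when"], rec["subject"], rec["event"], rec["outcome"]))
        return hits


def view_case(log: AuditLog, subject: str, source: str, case_id: str,
              authorized: bool, when: datetime = None) -> bool:
    """Application path for opening a case record; the record is generated whether or not access succeeds."""
    outcome = "success" if authorized else "failure"
    log.record("pii.record.view", subject, source, outcome, when=when, case_id=case_id)
    return authorized
```

The record carries case identifiers, not the PII values, so the audit trail does not become a second copy of the data it protects; failed attempts are logged with the same content as successes, because the guidance above names failed accesses as audit events in their own right.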
4. Awareness and Training (AT)
Control Number AT-1
Title Security Awareness and Training Policy and Procedures
CDSS Requirement The organization must:
a. Develop, document, and disseminate to personnel and organizations with access to PII:
1. A security awareness and training policy that addresses purpose, scope, roles,
responsibilities, management commitment, coordination among organizational entities,
and compliance; and
2. Procedures to facilitate the implementation of the security awareness and training policy
and associated security awareness and training controls; and
b. Review and update the current:
1. Security awareness and training policy; and
2. Security awareness and training procedures.
The training and awareness programs must include:
The sensitivity of PII;
The rules of behavior concerning use and security in systems and/or applications processing
PII;
The Privacy Act and other federal and state laws, including but not limited to Section 14100.2 of
the Welfare and Institutions Code and Section 431.302 et seq. of Title 42 Code of Federal
Regulations, governing collection, maintenance, use, and dissemination of information about
individuals;
The possible criminal and civil sanctions and penalties for misuse of PII;
The responsibilities of employees, contractors, and agents pertaining to the proper use and
protection of PII;
The restrictions on viewing and/or copying PII;
The proper disposal of PII;
The security breach and data loss incident reporting procedures;
The basic understanding of procedures to protect the network from viruses, worms, Trojan
horses, and other malicious code; and
Social engineering (phishing, vishing and pharming) and network fraud prevention.
Supplemental Guidance (from NIST 800-53) This control addresses the establishment of policy and procedures for the effective
implementation of selected security controls and control enhancements in the AT family. Policy
and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies,
standards, and guidance. Security program policies and procedures at the organization level
may make the need for system-specific policies and procedures unnecessary. The policy can be
included as part of the general information security policy for organizations or conversely, can be
represented by multiple policies reflecting the complex nature of certain organizations. The
procedures can be established for the security program in general and for particular information
systems, if needed. The organizational risk management strategy is a key factor in establishing
policy and procedures. Related control: PM-9.
Control Number AT-2
Title Security Awareness Training
CDSS Requirement The organization must provide basic security awareness training to information system users
(including managers, senior executives, and contractors):
a. As part of initial training for new users;
b. When required by information system changes; and
c. Annually thereafter.
Supplemental Guidance (from NIST 800-53) Organizations determine the appropriate content of security awareness training and security
awareness techniques based on the specific organizational requirements and the information
systems to which personnel have authorized access. The content includes a basic understanding
of the need for information security and user actions to maintain security and to respond to
suspected security incidents. The content also addresses awareness of the need for operations
security. Security awareness techniques can include, for example, displaying posters, offering
supplies inscribed with security reminders, generating email advisories/notices from senior
organizational officials, displaying logon screen messages, and conducting information security
awareness events. Related controls: AT-3, AT-4, PL-4.
Control Number AT-3
Title Role-Based Security Training
CDSS Requirement The organization must provide role-based security training to personnel with assigned security
roles and responsibilities:
a. Before authorizing access to the information system or performing assigned duties;
b. When required by information system changes; and
c. With organization-defined frequency thereafter.
Supplemental Guidance (from NIST 800-53) Organizations determine the appropriate content of security training based on the assigned roles
and responsibilities of individuals and the specific security requirements of organizations and the
information systems to which personnel have authorized access. In addition, organizations
provide enterprise architects, information system developers, software developers,
acquisition/procurement officials, information system managers, system/network administrators,
personnel conducting configuration management and auditing activities, personnel performing
independent verification and validation activities, security control assessors, and other personnel
having access to system-level software, adequate security-related technical training specifically
tailored for their assigned duties. Comprehensive role-based training addresses management,
operational, and technical roles and responsibilities covering physical, personnel, and technical
safeguards and countermeasures. Such training can include, for example, policies, procedures,
tools, and artifacts for the organizational security roles defined. Organizations also provide the
training necessary for individuals to carry out their responsibilities related to operations and
supply chain security within the context of organizational information security programs. Role-
based security training also applies to contractors providing services to federal agencies. Related
controls: AT-2, AT-4, PL-4, PS-7, SA-3, SA-12, SA-16.
Control Number AT-4
Title Security Training Records
CDSS Requirement The organization must:
a. Document and monitor individual information system security training activities including basic
security awareness training and specific information system security training; and
b. Retain individual training records for 5 years.
SSA also requires the organization to certify that each employee, contractor and agent who
views SSA data has certified that they understand the potential criminal, civil, and administrative
sanctions or penalties for unlawful access and/or disclosure.
Supplemental Guidance (from NIST 800-53) Documentation for specialized training may be maintained by individual supervisors at the option
of the organization. Related controls: AT-2, AT-3, PM-14.
5. Contingency Planning (CP)
Control Number CP-2
Title Contingency Plan
CDSS Requirement The organization must:
a. Develop a contingency plan for the information system that:
1. Identifies essential missions and business functions and associated contingency
requirements;
2. Provides recovery objectives, restoration priorities, and metrics;
3. Addresses contingency roles, responsibilities, assigned individuals with contact
information;
4. Addresses maintaining essential missions and business functions despite an information
system disruption, compromise, or failure;
5. Addresses eventual, full information system restoration without deterioration of the
security safeguards originally planned and implemented; and
6. Is reviewed and approved by a senior manager;
b. Distribute copies of the contingency plan to personnel and organizations supporting the
contingency plan actions;
c. Coordinate contingency planning activities with incident handling activities;
d. Review the contingency plan for the information system at least annually;
e. Update the contingency plan to address changes to the organization, information system, or
environment of operation and problems encountered during contingency plan implementation,
execution, or testing;
f. Communicate contingency plan changes to personnel and organizations supporting the
contingency plan actions;
g. Incorporate lessons learned from contingency plan testing, training, or actual contingency
activities into contingency testing and training; and
h. Protect the contingency plan from unauthorized disclosure and modification.
Supplemental Guidance (from NIST 800-53) Contingency planning for information systems is part of an overall organizational program for
achieving continuity of operations for mission/business functions. Contingency planning addresses
both information system restoration and implementation of alternative mission/business processes
when systems are compromised. The effectiveness of contingency planning is maximized by
considering such planning throughout the phases of the system development life cycle. Performing
contingency planning on hardware, software, and firmware development can be an effective
means of achieving information system resiliency. Contingency plans reflect the degree of
restoration required for organizational information systems since not all systems may need to fully
recover to achieve the level of continuity of operations desired.
Information system recovery objectives reflect applicable laws, Executive Orders, directives,
policies, standards, regulations, and guidelines. In addition to information system availability,
contingency plans also address other security-related events resulting in a reduction in mission
and/or business effectiveness, such as malicious attacks compromising the confidentiality or
integrity of information systems. Actions addressed in contingency plans include, for example,
orderly/graceful degradation, information system shutdown, fallback to a manual mode, alternate
information flows, and operating in modes reserved for when systems are under attack. By closely
coordinating contingency planning with incident handling activities, organizations can ensure that
the necessary contingency planning activities are in place and activated in the event of a security
incident. Related controls: AC-14, CP-6, CP-7, CP-8, CP-9, CP-10, IR-4, IR-8, MP-2, MP-4, MP-5,
PM-8, PM-11.
6. Data Minimization and Retention (DM)
Control Number DM-2
Title Data Retention and Disposal
CDSS Requirement The organization must:
a. Retain each collection of PII no longer than required for the organization's business process
or evidentiary purposes;
b. Dispose of, destroy, erase, and/or anonymize the PII, regardless of the method of storage,
in accordance with a NARA-approved record retention schedule and in a manner that prevents
loss, theft, misuse, or unauthorized access; and
c. Use organization-defined techniques or methods to ensure secure deletion or destruction of PII
(including originals, copies, and archived records).
Supplemental Guidance (from NIST 800-53) NARA provides retention schedules that govern the disposition of federal records. Program
officials coordinate with records officers and with NARA to identify appropriate retention periods
and disposal methods. NARA may require organizations to retain PII longer than is operationally
needed. In those situations, organizations describe such requirements in the notice. Methods of
storage include, for example, electronic, optical media, or paper.
Examples of ways organizations may reduce holdings include reducing the types of PII held (e.g.,
delete Social Security numbers if their use is no longer needed) or shortening the retention period
for PII that is maintained if it is no longer necessary to keep PII for long periods of time (this effort
is undertaken in consultation with an organization's records officer to receive NARA approval). In
both examples, organizations provide notice (e.g., an updated System of Records Notice) to
inform the public of any changes in holdings of PII.
Certain read-only archiving techniques, such as DVDs, CDs, microfilm, or microfiche, may not
permit the removal of individual records without the destruction of the entire database contained
on such media. Related controls: AR-4, AU-11, DM-1, MP-1, MP-2, MP-3, MP-4, MP-5, MP-6, MP-
7, MP-8, SI-12, TR-1.
7. Identification and Authentication (IA)
Control Number IA-2
Title Identification and Authentication (Organizational Users)
CDSS Requirement The organization's information system must uniquely identify and authenticate organizational
users or processes acting on behalf of organizational users.
Supplemental Guidance (from NIST 800-53) Organizational users include employees or individuals that organizations deem to have equivalent
status of employees (e.g., contractors, guest researchers). This control applies to all accesses
other than: (i) accesses that are explicitly identified and documented in AC-14 and (ii) accesses
that occur through authorized use of group authenticators without individual authentication.
Organizations may require unique identification of individuals in group accounts (e.g., shared
privilege accounts) or for detailed accountability of individual activity. Organizations employ
passwords, tokens, or biometrics to authenticate user identities, or in the case of multifactor
authentication, some combination thereof. Access to organizational information systems is
defined as either local access or network access. Local access is any access to organizational
information systems by users (or processes acting on behalf of users) where such access is
obtained by direct connections without the use of networks. Network access is access to
organizational information systems by users (or processes acting on behalf of users) where such
access is obtained through network connections (i.e., nonlocal accesses). Remote access is a
type of network access that involves communication through external networks (e.g., the Internet).
Internal networks include local area networks and wide area networks. In addition, the use of
encrypted virtual private networks (VPNs) for network connections between organization-
controlled endpoints and non-organization controlled endpoints may be treated as internal
networks from the perspective of protecting the confidentiality and integrity of information
traversing the network.
Organizations can satisfy the identification and authentication requirements in this control by
complying with the requirements in Homeland Security Presidential Directive 12 consistent with the
specific organizational implementation plans. Multifactor authentication requires the use of two or more
different factors to achieve authentication. The factors are defined as: (i) something you know (e.g.,
password, personal identification number [PIN]); (ii) something you have (e.g., cryptographic
identification device, token); or (iii) something you are (e.g., biometric). Multifactor solutions that require
devices separate from information systems gaining access include, for example, hardware tokens
providing time-based or challenge-response authenticators and smart cards such as the U.S.
Government Personal Identity Verification card and the DoD Common Access Card. In addition to
identifying and authenticating users at the information system level (i.e., at logon), organizations also
employ identification and authentication mechanisms at the application level, when necessary, to
provide increased information security. Identification and authentication requirements for other than
organizational users are described in IA-8. Related controls: AC-2, AC-3, AC-14, AC-17, AC-18, IA-4,
IA-5, IA-8.
Control Number IA-5
Title Authenticator Management
CDSS Requirement The organization must manage information system authenticators by:
a. Verifying, as part of the initial authenticator distribution, the identity of the individual, group,
role, or device receiving the authenticator;
b. Establishing initial authenticator content for authenticators defined by the organization;
c. Ensuring that authenticators have sufficient strength of mechanism for their intended use;
d. Establishing and implementing administrative procedures for initial authenticator distribution, for
lost/compromised or damaged authenticators, and for revoking authenticators;
e. Changing default content of authenticators prior to information system installation;
f. Establishing minimum and maximum lifetime restrictions and reuse conditions for
authenticators;
g. Changing/refreshing authenticators within an organization-defined time period;
h. Protecting authenticator content from unauthorized disclosure and modification;
i. Requiring individuals to take, and having devices implement, specific security safeguards to
protect authenticators; and
j. Changing authenticators for group/role accounts when membership to those accounts changes.
Supplemental Guidance (from NIST 800-53) Individual authenticators include, for example, passwords, tokens, biometrics, PKI certificates,
and key cards. Initial authenticator content is the actual content (e.g., the initial password) as
opposed to requirements about authenticator content (e.g., minimum password length). In many
cases, developers ship information system components with factory default authentication
credentials to allow for initial installation and configuration. Default authentication credentials are
often well known, easily discoverable, and present a significant security risk. The requirement to
protect individual authenticators may be implemented via control PL-4 or PS-6 for authenticators
in the possession of individuals and by controls AC-3, AC-6, and SC-28 for authenticators stored
within organizational information systems (e.g., passwords stored in hashed or encrypted
formats, files containing encrypted or hashed passwords accessible with administrator
privileges).
Information systems support individual authenticator management by organization-defined
settings and restrictions for various authenticator characteristics including, for example, minimum
password length, password composition, validation time window for time synchronous one-time
tokens, and number of allowed rejections during the verification stage of biometric authentication.
Specific actions that can be taken to safeguard authenticators include, for example, maintaining
possession of individual authenticators, not loaning or sharing individual authenticators with
others, and reporting lost, stolen, or compromised authenticators immediately. Authenticator
management includes issuing and revoking, when no longer needed, authenticators for
temporary access such as that required for remote maintenance. Device authenticators include,
for example, certificates and passwords. Related controls: AC-2, AC-3, AC-6, CM-6, IA-2, IA-4,
IA-8, PL-4, PS-5, PS-6, SC-12, SC-13, SC-17, SC-28.
Control Number IA-5(1)
Title Authenticator Management | Password-Based Authentication
CDSS Requirement The information system, for password-based authentication, must:
a. Enforce minimum password complexity requirements for:
case sensitivity (upper and lower case letters);
number of characters (equal to or greater than fifteen characters);
mix of upper-case letters, lower-case letters, numbers, and special characters (at least one of
each type);
c. Store and transmit only cryptographically-protected passwords;
d. Enforce a password lifetime of at least 160 days;
e. Prohibit the prior 10 passwords from reuse; and
f. Allow the use of a temporary password for system logons with an immediate change to a
permanent password.
Supplemental Guidance (from NIST 800-53) This control enhancement applies to single-factor authentication of individuals using passwords
as individual or group authenticators, and in a similar manner, when passwords are part of
multifactor authenticators. This control enhancement does not apply when passwords are used to
unlock hardware authenticators (e.g., Personal Identity Verification cards). The implementation of
such password mechanisms may not meet all of the requirements in the enhancement.
Cryptographically-protected passwords include, for example, encrypted versions of passwords
and one-way cryptographic hashes of passwords. The number of changed characters refers to
the number of changes required with respect to the total number of positions in the current
password. Password lifetime restrictions do not apply to temporary passwords. To mitigate
certain brute force attacks against passwords, organizations may also consider salting
passwords.
Related control: IA-6.
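The IA-5(1) requirements above, as an added example that is not part of the agreement or of any CDSS or county system: Python enforcement of the complexity rule (a.), salted one-way hashing so that only cryptographically protected values are ever stored or compared (c., with the salting the guidance recommends), a ten-deep reuse history (e.), and the rule that a temporary password must be replaced at the next logon (f.). The page's "lifetime of at least 160 days" (d.) is read here as a maximum age after which a change is forced; that reading, the PBKDF2 work factor, the function names and the sample passwords are assumptions made for the example.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# IA-5(1) parameters from the agreement text.
MIN_LENGTH = 15
HISTORY_DEPTH = 10             # e.: the prior 10 passwords may not be reused
MAX_AGE = timedelta(days=160)  # d.: the 160-day lifetime, read here as a maximum age (assumption)
PBKDF2_ITERATIONS = 100_000    # assumption: kept modest so the walkthrough runs quickly; production uses more
SPECIALS = set("!@#$%^&*()-_=+[]{};:,.<>?/\\|`~'\"")
T0 = datetime(2025, 1, 1)      # constructed sample clock for the walkthrough


def complexity_violations(password: str) -> list:
    """Return the IA-5(1) a. rules a candidate password fails; an empty list means it is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("fewer than %d characters" % MIN_LENGTH)
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in SPECIALS for c in password):
        problems.append("no special character")
    return problems


def protect(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only the (salt, digest) pair is ever stored or compared (c.)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    return hmac.compare_digest(protect(password, salt)[1], digest)


@dataclass
class Credential:
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest first; [0] is current
    set_at: datetime = None
    temporary: bool = False                      # f.: must be replaced at the next logon


def enroll(password: str, now: datetime, temporary: bool = False) -> Credential:
    problems = complexity_violations(password)
    if problems:
        raise ValueError("rejected: " + "; ".join(problems))
    return Credential(history=[protect(password)], set_at=now, temporary=temporary)


def change_password(cred: Credential, old: str, new: str, now: datetime) -> Credential:
    """Rotate: verify the old password, enforce a., and reject any of the prior 10 passwords (e.)."""
    salt, digest = cred.history[0]
    if not matches(old, salt, digest):
        raise PermissionError("current password incorrect")
    problems = complexity_violations(new)
    if problems:
        raise ValueError("rejected: " + "; ".join(problems))
    if any(matches(new, s, d) for s, d in cred.history):
        raise ValueError("rejected: matches one of the prior %d passwords" % HISTORY_DEPTH)
    history = ([protect(new)] + cred.history)[:HISTORY_DEPTH]
    return Credential(history=history, set_at=now, temporary=False)


def authenticate(cred: Credential, password: str, now: datetime) -> str:
    """Return 'denied', 'change-required' (temporary, or older than MAX_AGE) or 'ok'."""
    salt, digest = cred.history[0]
    if not matches(password, salt, digest):
        return "denied"
    if cred.temporary or now - cred.set_at > MAX_AGE:
        return "change-required"
    return "ok"


def demo() -> dict:
    """Walk the policy with constructed sample passwords and return each check's outcome."""
    out = {}
    cred = enroll("Initial-Passw0rd-Jan", T0)
    out["login_ok"] = authenticate(cred, "Initial-Passw0rd-Jan", T0)
    out["login_bad"] = authenticate(cred, "Initial-Passw0rd-Feb", T0)
    try:
        change_password(cred, "Initial-Passw0rd-Jan", "Initial-Passw0rd-Jan", T0)
        out["reuse_blocked"] = False
    except ValueError:
        out["reuse_blocked"] = True
    # After ten rotations the original is outside the 10-deep history and may be used again.
    current = "Initial-Passw0rd-Jan"
    for i in range(HISTORY_DEPTH):
        nxt = "Rotated-Passw0rd-%02d!" % i
        cred = change_password(cred, current, nxt, T0)
        current = nxt
    cred = change_password(cred, current, "Initial-Passw0rd-Jan", T0)
    out["reuse_after_10"] = True
    out["expired"] = authenticate(cred, "Initial-Passw0rd-Jan", T0 + MAX_AGE + timedelta(days=1))
    temp = enroll("Temp-Passw0rd-Issue1!", T0, temporary=True)
    out["temporary"] = authenticate(temp, "Temp-Passw0rd-Issue1!", T0)
    return out
```

Because each history entry carries its own salt, a reuse check costs one key derivation per remembered password; that is the price of never holding a reversible form of any prior password, and it is why the history is capped at exactly the depth the requirement names.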
8. Incident Response (IR)
Control Number IR-1
Title Incident Response Policy and Procedures
CDSS Requirement The organization must:
a. Develop, document, and disseminate to organization-defined personnel or roles:
1. An incident response policy that addresses purpose, scope, roles, responsibilities,
management commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the incident response policy and associated
incident response controls; and
b. Review and update the current:
1. Incident response policy with organization-defined frequency; and
2. Incident response procedures with organization-defined frequency.
CDSS and NIST guidelines encourage agencies to consider establishing incident response
teams or identifying individuals specifically responsible for addressing PII and CDSS data
breaches.
Supplemental Guidance (from NIST 800-53) This control addresses the establishment of policy and procedures for the effective
implementation of selected security controls and control enhancements in the IR family. Policy
and procedures reflect applicable federal laws, Executive Orders, directives, regulations, policies,
standards, and guidance. Security program policies and procedures at the organization level may
make the need for system-specific policies and procedures unnecessary. The policy can be
included as part of the general information security policy for organizations or conversely, can be
represented by multiple policies reflecting the complex nature of certain organizations. The
procedures can be established for the security program in general and for particular information
systems, if needed. The organizational risk management strategy is a key factor in establishing
policy and procedures. Related control: PM-9.
Control Number IR-2
Title Incident Response Training
CDSS Requirement The organization must provide incident response training to information system users consistent
with assigned roles and responsibilities:
a. Within an organization-defined time period of assuming an incident response role or responsibility;
b. When required by information system changes; and
c. With organization-defined frequency thereafter.
Supplemental Guidance (from NIST 800-53) Incident response training provided by organizations is linked to the assigned roles and
responsibilities of organizational personnel to ensure the appropriate content and level of detail is
included in such training. For example, regular users may only need to know who to call or how
to recognize an incident on the information system; system administrators may require additional
training on how to handle/remediate incidents; and incident responders may receive more
specific training on forensics, reporting, system recovery, and restoration. Incident response
training includes user training in the identification and reporting of suspicious activities, both from
external and internal sources. Related controls: AT-3, CP-3, IR-8.
Control Number IR-4
Title Incident Handling
CDSS Requirement: The organization must:
a. Implement an incident handling capability for security incidents that includes preparation,
detection and analysis, containment, eradication, and recovery;
b. Coordinate incident handling activities with contingency planning activities; and
c. Incorporate lessons learned from ongoing incident handling activities into incident response
procedures, training, and testing, and implement the resulting changes accordingly.
Supplemental Guidance (from NIST 800-53): Organizations recognize that incident response capability
is dependent on the capabilities of organizational information systems and the mission/business
processes being supported by those systems. Therefore, organizations consider incident response as
part of the definition, design, and development of mission/business processes and information
systems. Incident-related information can be obtained from a variety of sources including, for
example, audit monitoring, network monitoring, physical access monitoring, user/administrator
reports, and reported supply chain events. Effective incident handling capability includes
coordination among many organizational entities including, for example, mission/business owners,
information system owners, authorizing officials, human resources offices, physical and personnel
security offices, legal departments, operations personnel, procurement offices, and the risk executive
(function). Related controls: AU-6, CM-6, CP-2, CP-4, IR-2, IR-3, IR-8, PE-6, SC-5, SC-7, SI-3, SI-4,
SI-7.
Control Number IR-8
Title Incident Response Plan
CDSS Requirement: The organization must:
a. Develop an incident response plan that:
1. Provides the organization with a roadmap for implementing its incident response capability;
2. Describes the structure and organization of the incident response capability;
3. Provides a high-level approach for how the incident response capability fits into the overall
organization;
4. Meets the unique requirements of the organization, which relate to mission, size, structure, and
functions;
5. Defines reportable incidents;
6. Provides metrics for measuring the incident response capability within the organization;
7. Defines the resources and management support needed to effectively maintain and mature an
incident response capability; and
8. Is reviewed and approved by organization-defined personnel or roles;
b. Distribute copies of the incident response plan to organization-defined incident response
personnel (identified by name and/or by role) and organizational elements;
c. Review the incident response plan with organization-defined frequency;
d. Update the incident response plan to address system/organizational changes or problems
encountered during plan implementation, execution, or testing;
e. Communicate incident response plan changes to organization-defined incident response
personnel (identified by name and/or by role) and organizational elements; and
f. Protect the incident response plan from unauthorized disclosure and modification.
Supplemental Guidance (from NIST 800-53): It is important that organizations develop and implement
a coordinated approach to incident response. Organizational missions, business functions,
strategies, goals, and objectives for incident response help to determine the structure of incident
response capabilities. As part of a comprehensive incident response capability, organizations
consider the coordination and sharing of information with external organizations, including, for
example, external service providers and organizations involved in the supply chain for organizational
information systems. Related controls: MP-2, MP-4, MP-5.
9. Media Protection (MP)
Control Number MP-2
Title Media Access
CDSS Requirement: The organization must:
Restrict access to PII to County Workers who require access to PII for purposes of administering the
program or as required for the administration of other public benefit programs.
Supplemental Guidance (from NIST 800-53): Information system media includes both digital and
non-digital media. Digital media includes, for example, diskettes, magnetic tapes, external/removable
hard disk drives, flash drives, compact disks, and digital video disks. Non-digital media includes, for
example, paper and microfilm. Restricting non-digital media access includes, for example, denying
access to patient medical records in a community hospital unless the individuals seeking access to
such records are authorized healthcare providers. Restricting access to digital media includes, for
example, limiting access to design specifications stored on compact disks in the media library to the
project leader and the individuals on the development team. Related controls: AC-3, IA-2, MP-4,
PE-2, PE-3, PL-2.
Control Number MP-6
Title Media Sanitization
CDSS Requirement: The organization must:
a. Sanitize media containing PII prior to disposal, release out of organizational control, or release
for reuse in accordance with applicable federal and organizational standards and policies; and
b. Employ sanitization mechanisms with the strength and integrity commensurate with the security
category or classification of the information.
Supplemental Guidance (from NIST 800-53): This control applies to all information system media,
both digital and non-digital, subject to disposal or reuse, whether or not the media is considered
removable. Examples include media found in scanners, copiers, printers, notebook computers,
workstations, network components, and mobile devices. The sanitization process removes
information from the media such that the information cannot be retrieved or reconstructed.
Sanitization techniques, including clearing, purging, cryptographic erase, and destruction, prevent the
disclosure of information to unauthorized individuals when such media is reused or released for
disposal. Organizations determine the appropriate sanitization methods recognizing that destruction
is sometimes necessary when other methods cannot be applied to media requiring sanitization.
Organizations use discretion on the employment of approved sanitization techniques and procedures
for media containing information deemed to be in the public domain or publicly releasable or deemed
to have no adverse impact on organizations or individuals if released for reuse or disposal.
Sanitization of non-digital media includes, for example, removing a classified appendix from an
otherwise unclassified document, or redacting selected sections or words from a document by
obscuring the redacted sections/words in a manner equivalent in effectiveness to removing them
from the document. NSA standards and policies control the sanitization process for media
containing classified information. Related controls: MA-2, MA-4, RA-3, SC-4.
10. Personnel Security (PS)
Control Number PS-3
Title Personnel Screening
CDSS Requirement: The organization must:
a. Screen individuals (employees, contractors and agents) prior to authorizing access to the
information system and PII.
Supplemental Guidance (from NIST 800-53): Personnel screening and rescreening activities reflect
applicable federal laws, Executive Orders, directives, regulations, policies, standards, guidance, and
specific criteria established for the risk designations of assigned positions. Organizations may define
different rescreening conditions and frequencies for personnel accessing information systems based
on types of information processed, stored, or transmitted by the systems.
Control Number PS-4
Title Personnel Termination
CDSS Requirement: The organization, upon termination of individual employment, must:
a. Disable information system access;
b. Terminate/revoke any authenticators/credentials associated with the individual;
c. Conduct exit interviews, as needed;
d. Retrieve all security-related organizational information system-related property;
e. Retain access to organizational information and information systems formerly controlled by the
terminated individual; and
f. Notify organization-defined personnel upon termination.
Supplemental Guidance (from NIST 800-53): Information system-related property includes, for
example, hardware authentication tokens, system administration technical manuals, keys,
identification cards, and building passes. Exit interviews ensure that terminated individuals
understand the security constraints imposed by being former employees and that proper
accountability is achieved for information system-related property. Security topics of interest at exit
interviews can include, for example, reminding terminated individuals of nondisclosure agreements
and potential limitations on future employment. Exit interviews may not be possible for some
terminated individuals, for example, in cases related to job abandonment, illnesses, and
non-availability of supervisors. Exit interviews are important for individuals with security clearances.
Timely execution of termination actions is essential for individuals terminated for cause. In certain
situations, organizations consider disabling the information system accounts of individuals that are
being terminated prior to the individuals being notified. Related controls: AC-2, IA-4, PE-2, PS-5,
PS-6.
Control Number PS-6
Title Access Agreements
CDSS Requirement: The organization must:
a. Develop and document access agreements for organizational information systems;
b. Review and update the access agreements at organization-defined frequency; and
c. Ensure that individuals requiring access to organizational information and information systems:
1. Sign appropriate access agreements prior to being granted access; and
2. Re-sign access agreements to maintain access to organizational information systems when
access agreements have been updated or at an organization-defined frequency.
CDSS requires that contracts for periodic disposal/destruction of case files or other print media
contain a non-disclosure agreement signed by all personnel who will encounter products that
contain PII.
Supplemental Guidance (from NIST 800-53): Access agreements include, for example, nondisclosure
agreements, acceptable use agreements, rules of behavior, and conflict-of-interest agreements.
Signed access agreements include an acknowledgement that individuals have read, understand, and
agree to abide by the constraints associated with organizational information systems to which access
is authorized. Organizations can use electronic signatures to acknowledge access agreements
unless specifically prohibited by organizational policy. Related controls: PL-4, PS-2, PS-3, PS-4,
PS-8.
Control Number PS-7
Title Third-Party Personnel Security
CDSS Requirement: The organization must:
a. Establish personnel security requirements including security roles and responsibilities for
county agents, subcontractors, and vendors;
b. Require third-party providers to comply with personnel security policies and procedures
established by the organization;
c. Document personnel security requirements;
d. Require third-party providers to notify organization-defined personnel or roles of any personnel
transfers or terminations of third-party personnel who possess organizational credentials and/or
badges, or who have information system privileges, within an organization-defined time period; and
e. Monitor provider compliance.
The service level agreements with the contractors and agents must contain non-disclosure language
as it pertains to PII. The statement shall include, at a minimum, a description of the following:
1. General use of PII;
2. Security and privacy safeguards for PII;
3. Unacceptable use of PII; and
4. Enforcement policies.
The county department/agency must retain the non-disclosure agreements for at least five (5) to
seven (7) years for all contractors and agents who process, view, or encounter PII as part of their
duties.
Supplemental Guidance (from NIST 800-53): Third-party providers include, for example, service
bureaus, contractors, and other organizations providing information system development,
information technology services, outsourced applications, and network and security management.
Organizations explicitly include personnel security requirements in acquisition-related documents.
Third-party providers may have personnel working at organizational facilities with credentials,
badges, or information system privileges issued by organizations. Notifications of third-party
personnel changes ensure appropriate termination of privileges and credentials. Organizations
define the transfers and terminations deemed reportable by security-related characteristics that
include, for example, functions, roles, and nature of credentials/privileges associated with individuals
transferred or terminated. Related controls: PS-2, PS-3, PS-4, PS-5, PS-8, SA-9, SA-21.
Control Number PS-8
Title Personnel Sanctions
CDSS Requirement: The organization must:
a. Employ a formal sanctions process for individuals failing to comply with established information
security policies and procedures; and
b. Notify organization-defined personnel within the organization-defined time period when a formal
employee sanctions process is initiated, identifying the individual sanctioned and the reason for
the sanction.
If a member of the county's workforce, as defined at 45 CFR 160.103 and inclusive of an employee,
contractor, or agent, is subject to an adverse action by the organization (e.g., reduction in pay,
disciplinary action, termination of employment, termination of contract for services), CDSS
recommends the organization remove his or her access to PII in advance of the adverse action to
reduce the possibility that the individual will perform unauthorized activities that involve PII, if
applicable.
Supplemental Guidance (from NIST 800-53): Organizational sanctions processes reflect applicable
federal laws, Executive Orders, directives, regulations, policies, standards, and guidance. Sanctions
processes are described in access agreements and can be included as part of general personnel
policies and procedures for organizations. Organizations consult with the Office of the General
Counsel regarding matters of employee sanctions. Related controls: PL-4, PS-6.
11. Physical and Environmental Protection (PE)
Control Number PE-3
Title Physical Access Control
CDSS Requirement: The organization must:
a. Enforce physical access authorizations at entry and exit points to the facility where the
information system resides by:
1. Verifying individual access authorizations before granting access to the facility; and
2. Controlling ingress/egress to the facility using physical access control systems/devices and/or
guards;
b. Maintain physical access audit logs for entry and exit points;
c. Provide security safeguards to control access to areas within the facility officially designated as
publicly accessible;
d. Escort visitors and monitor visitor activity;
e. Secure keys, combinations, and other physical access devices;
f. Inventory physical access devices; and
g. Change combinations and keys at minimum when keys are lost, combinations are compromised,
or individuals are transferred or terminated.
Supplemental Guidance (from NIST 800-53): This control applies to organizational employees and
visitors. Individuals (e.g., employees, contractors, and others) with permanent physical access
authorization credentials are not considered visitors. Organizations determine the types of facility
guards needed including, for example, professional physical security staff or other personnel such as
administrative staff or information system users. Physical access devices include, for example, keys,
locks, combinations, and card readers. Safeguards for publicly accessible areas within organizational
facilities include, for example, cameras, monitoring by guards, and isolating selected information
systems and/or system components in secured areas. Physical access control systems comply with
applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance.
The Federal Identity, Credential, and Access Management Program provides implementation
guidance for identity, credential, and access management capabilities for physical access control
systems. Organizations have flexibility in the types of audit logs employed. Audit logs can be
procedural (e.g., a written log of individuals accessing the facility and when such access occurred),
automated (e.g., capturing ID provided by a PIV card), or some combination thereof. Physical access
points can include facility access points, interior access points to information systems and/or
components requiring supplemental access controls, or both. Components of organizational
information systems (e.g., workstations, terminals) may be located in areas designated as publicly
accessible with organizations safeguarding access to such devices. Related controls: AU-2, AU-6,
MP-2, MP-4, PE-2, PE-4, PE-5, PS-3, RA-3.
Control Number PE-6
Title Monitoring Physical Access
CDSS Requirement: The organization must:
a. Monitor physical access to the facility where the information system resides to detect and
respond to physical security incidents;
b. Review physical access logs with organization-defined frequency and upon occurrence of security
incidents; and
c. Coordinate results of reviews and investigations with the organizational incident response
capability.
Supplemental Guidance (from NIST 800-53): Organizational incident response capabilities include
investigations of and responses to detected physical security incidents. Security incidents include,
for example, apparent security violations or suspicious physical access activities. Suspicious
physical access activities include, for example: (i) accesses outside of normal work hours; (ii)
repeated accesses to areas not normally accessed; (iii) accesses for unusual lengths of time; and
(iv) out-of-sequence accesses. Related controls: CA-7, IR-4, IR-8.
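The four indicators above are concrete enough to automate as part of the PE-6(b) log review. The following is an added example (not part of the agreement or of NIST SP 800-53) that runs all four over a badge-reader log. The log format, the door names, the 06:00 to 20:00 working hours, the four-hour dwell threshold, the set of controlled areas and the per-badge baselines are all hypothetical, and the sample log is constructed for illustration.

```python
"""Detecting the suspicious physical-access patterns named in PE-6 over badge logs.

Added example, not part of the agreement or of NIST SP 800-53. The log format,
door names, working hours, dwell threshold and per-badge baselines are all
hypothetical and constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime, time, timedelta

# Hypothetical normal working hours for the facility (assumed).
WORK_START, WORK_END = time(6, 0), time(20, 0)
# Hypothetical maximum expected dwell time in a controlled area (assumed).
MAX_DWELL = timedelta(hours=4)
# Controlled areas whose dwell time is monitored (assumed).
DWELL_MONITORED = {"SERVER_ROOM"}
# Hypothetical per-badge baseline of areas normally accessed, e.g. derived
# from the prior quarter of logs (assumed).
BASELINE = {
    "B1001": {"LOBBY", "SERVER_ROOM"},
    "B1002": {"LOBBY"},
}

# Constructed sample badge-reader log: ISO timestamp, badge id, door, IN/OUT.
SAMPLE_LOG = """\
2025-03-03T08:02:11 B1001 LOBBY IN
2025-03-03T08:03:40 B1001 SERVER_ROOM IN
2025-03-03T09:10:05 B1001 SERVER_ROOM OUT
2025-03-03T17:01:30 B1001 LOBBY OUT
2025-03-03T08:15:00 B1002 LOBBY IN
2025-03-03T16:58:12 B1002 LOBBY OUT
2025-03-04T02:14:09 B1002 LOBBY IN
2025-03-04T02:15:50 B1002 SERVER_ROOM IN
2025-03-04T02:40:30 B1002 SERVER_ROOM OUT
2025-03-04T02:41:00 B1002 LOBBY OUT
2025-03-04T21:30:00 B1002 SERVER_ROOM IN
2025-03-05T03:45:00 B1002 SERVER_ROOM OUT
2025-03-05T07:55:00 B1001 SERVER_ROOM OUT
"""


def parse_log(text):
    """Parse 'timestamp badge door event' lines into time-ordered tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, badge, door, event = line.split()
        events.append((datetime.fromisoformat(ts), badge, door, event))
    return sorted(events)


def detect_suspicious_access(events):
    """Return (indicator, badge, detail) findings for the four PE-6 indicators."""
    findings = []
    open_entries = {}                 # (badge, door) -> timestamp of unmatched IN
    off_baseline = defaultdict(int)   # (badge, door) -> IN events outside baseline
    for ts, badge, door, event in events:
        if event == "IN":
            # (i) access outside normal working hours
            if not (WORK_START <= ts.time() < WORK_END):
                findings.append(("after_hours", badge, f"{door} IN at {ts}"))
            # (ii) access to an area not in this badge's baseline (counted, reported below)
            if door not in BASELINE.get(badge, set()):
                off_baseline[(badge, door)] += 1
            # (iv) IN while already recorded inside: anti-passback violation
            if (badge, door) in open_entries:
                findings.append(("out_of_sequence", badge, f"double IN at {door} {ts}"))
            open_entries[(badge, door)] = ts
        else:
            entered = open_entries.pop((badge, door), None)
            if entered is None:
                # (iv) OUT with no matching IN
                findings.append(("out_of_sequence", badge, f"OUT without IN at {door} {ts}"))
            elif door in DWELL_MONITORED and ts - entered > MAX_DWELL:
                # (iii) unusually long stay in a controlled area
                findings.append(("long_dwell", badge, f"{door} dwell {ts - entered}"))
    # (ii) repeated (two or more) accesses to an area not normally accessed
    for (badge, door), n in sorted(off_baseline.items()):
        if n >= 2:
            findings.append(("unusual_area", badge, f"{door} accessed {n} times"))
    return findings


if __name__ == "__main__":
    for finding in detect_suspicious_access(parse_log(SAMPLE_LOG)):
        print(*finding)
```

On the constructed log this reports three after-hours entries, one unmatched OUT (badge B1001 leaving the server room with no recorded entry that day), one over-long stay, and badge B1002 entering an area outside its baseline twice. The findings are the input to PE-6(c): they should be handed to the incident response capability rather than only filed with the log review.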
12. Planning (PL)
Control Number PL-1
Title Security Planning Policy and Procedures
CDSS Requirement: The organization must:
a. Develop, document, and disseminate to personnel and organizations with access to PII:
1. A security planning policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the security planning policy and associated
security planning controls; and
b. Review and update the current:
1. Security planning policy; and
2. Security planning procedures.
Supplemental Guidance (from NIST 800-53): This control addresses the establishment of policy and
procedures for the effective implementation of selected security controls and control enhancements
in the PL family. Policy and procedures reflect applicable federal laws, Executive Orders, directives,
regulations, policies, standards, and guidance. Security program policies and procedures at the
organization level may make the need for system-specific policies and procedures unnecessary. The
policy can be included as part of the general information security policy for organizations or,
conversely, can be represented by multiple policies reflecting the complex nature of certain
organizations. The procedures can be established for the security program in general and for
particular information systems, if needed. The organizational risk management strategy is a key
factor in establishing policy and procedures. Related control: PM-9.
Control Number PL-2
Title System Security Plan
CDSS Requirement: The organization must:
a. Develop a security plan for the information system that:
1. Is consistent with the organization's enterprise architecture;
2. Explicitly defines the authorization boundary for the system;
3. Describes the operational context of the information system in terms of missions and
business processes;
4. Provides the security categorization of the information system including supporting
rationale;
5. Describes the operational environment for the information system and relationships with
or connections to other information systems;
6. Provides an overview of the security requirements for the system;
7. Identifies any relevant overlays, if applicable;
8. Describes the security controls in place or planned for meeting those requirements
including a rationale for the tailoring decisions; and
9. Is reviewed and approved by the authorizing official or designated representative prior to
plan implementation;
b. Distribute copies of the security plan and communicate subsequent changes to the plan to
personnel and organizations with security responsibilities;
c. Review the security plan for the information system;
d. Update the plan to address changes to the information system/environment of operation or
problems identified during plan implementation or security control assessments; and
e. Protect the security plan from unauthorized disclosure and modification.
The organization's security plan should include detailed information specific to safeguarding
Medi-Cal PII.
Supplemental Guidance (from NIST 800-53): Security plans relate security requirements to a set of
security controls and control enhancements. Security plans also describe, at a high level, how the
security controls and control enhancements meet those security requirements, but do not provide
detailed, technical descriptions of the specific design or implementation of the
controls/enhancements. Security plans contain sufficient information (including the specification of
parameter values for assignment and selection statements either explicitly or by reference) to enable
a design and implementation that is unambiguously compliant with the intent of the plans and
subsequent determinations of risk to organizational operations and assets, individuals, other
organizations, and the Nation if the plan is implemented as intended. Organizations can also apply
tailoring guidance to the security control baselines in Appendix D and CNSS Instruction 1253 to
develop overlays for community-wide use or to address specialized requirements, technologies, or
missions/environments of operation (e.g., DoD-tactical, Federal Public Key Infrastructure, or Federal
Identity, Credential, and Access Management, space operations). Appendix I provides guidance on
developing overlays.
Security plans need not be single documents; the plans can be a collection of various documents
including documents that already exist. Effective security plans make extensive use of references to
policies, procedures, and additional documents (e.g., design and implementation specifications)
where more detailed information can be obtained. This reduces the documentation requirements
associated with security programs and maintains security-related information in other established
management/operational areas related to enterprise architecture, system development life cycle,
systems engineering, and acquisition. For example, security plans do not contain detailed
contingency plan or incident response plan information but instead provide, explicitly or by
reference, sufficient information to define what needs to be accomplished by those plans. Related
controls: AC-2, AC-6, AC-14, AC-17, AC-20, CA-2, CA-3, CA-7, CM-9, CP-2, IR-8, MA-4, MA-5, MP-2,
MP-4, MP-5, PL-7, PM-1, PM-7, PM-8, PM-9, PM-11, SA-5, SA-17.
13. Risk Assessment (RA)
Control Number RA-1
Title Risk Assessment Policy and Procedures
CDSS Requirement: The organization must:
a. Develop, document, and disseminate to system owners using PII:
1. A risk assessment policy that addresses purpose, scope, roles, responsibilities, management
commitment, coordination among organizational entities, and compliance; and
2. Procedures to facilitate the implementation of the risk assessment policy and associated risk
assessment controls.
Supplemental Guidance (from NIST 800-53): This control addresses the establishment of policy and
procedures for the effective implementation of selected security controls and control enhancements
in the RA family. Policy and procedures reflect applicable federal laws, Executive Orders, directives,
regulations, policies, standards, and guidance. Security program policies and procedures at the
organization level may make the need for system-specific policies and procedures unnecessary. The
policy can be included as part of the general information security policy for organizations or,
conversely, can be represented by multiple policies reflecting the complex nature of certain
organizations. The procedures can be established for the security program in general and for
particular information systems, if needed. The organizational risk management strategy is a key
factor in establishing policy and procedures. Related control: PM-9.
Control Number RA-3
Title Risk Assessment
CDSS Requirement: The organization must:
a. Conduct an assessment of risk, including the likelihood and magnitude of harm, from the
unauthorized access, use, disclosure, disruption, modification, or destruction of the information
system and the information it processes, stores, or transmits;
b. Document risk assessment results in a risk assessment report or organization-defined risk
report document;
c. Review risk assessment results annually; and
d. Update the risk assessment whenever there are significant changes to the information system
or environment of operation (including the identification of new threats and vulnerabilities), or
other conditions that may impact the security state of the system.
Supplemental Guidance (from NIST 800-53): Clearly defined authorization boundaries are a
prerequisite for effective risk assessments. Risk assessments take into account threats,
vulnerabilities, likelihood, and impact to organizational operations and assets, individuals, other
organizations, and the Nation based on the operation and use of information systems. Risk
assessments also take into account risk from external parties (e.g., service providers, contractors
operating information systems on behalf of the organization, individuals accessing organizational
information systems, outsourcing entities). In accordance with OMB policy and related
E-authentication initiatives, authentication of public users accessing federal information systems
may also be required to protect nonpublic or privacy-related information. As such, organizational
assessments of risk also address public access to federal information systems.
Risk assessments (either formal or informal) can be conducted at all three tiers in the risk
management hierarchy (i.e., organization level, mission/business process level, or information
system level) and at any phase in the system development life cycle. Risk assessments can also be
conducted at various steps in the Risk Management Framework, including categorization, security
control selection, security control implementation, security control assessment, information system
authorization, and security control monitoring. RA-3 is noteworthy in that the control must be
partially implemented prior to the implementation of other controls in order to complete the first two
steps in the Risk Management Framework. Risk assessments can play an important role in security
control selection processes, particularly during the application of tailoring guidance, which includes
security control supplementation. Related controls: RA-2, PM-9.
Control Number RA-5
Title Vulnerability Scanning
CDSS Requirement: The organization must:
a. Scan for vulnerabilities in the information system and hosted applications at a minimum on a
monthly basis and when new vulnerabilities potentially affecting the system/applications are
identified and reported;
b. Employ vulnerability scanning tools and techniques that facilitate interoperability among tools
and automate parts of the vulnerability management process by using standards for:
1. Enumerating platforms, software flaws, and improper configurations;
c. Analyze vulnerability scan reports and results from security control assessments;
d. Remediate legitimate vulnerabilities within organization-defined time periods in accordance
with an organizational assessment of risk; and
e. Share information obtained from the vulnerability scanning process and security control
assessments with all impacted system owners to help eliminate similar vulnerabilities in other
information systems (i.e., systemic weaknesses or deficiencies).
Supplemental Guidance (from NIST 800-53): Security categorization of information systems guides
the frequency and comprehensiveness of vulnerability scans. Organizations determine the required
vulnerability scanning for all information system components, ensuring that potential sources of
vulnerabilities such as networked printers, scanners, and copiers are not overlooked. Vulnerability
analyses for custom software applications may require additional approaches such as static
analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Organizations can
employ these analysis approaches in a variety of tools (e.g., web-based application scanners, static
analysis tools, binary analyzers) and in source code reviews. Vulnerability scanning includes, for
example: (i) scanning for patch levels; (ii) scanning for functions, ports, protocols, and services that
should not be accessible to users or devices; and (iii) scanning for improperly configured or
incorrectly operating information flow control mechanisms. Organizations consider using tools that
express vulnerabilities in the Common Vulnerabilities and Exposures (CVE) naming convention and
that use the Open Vulnerability Assessment Language (OVAL) to determine/test for the presence of
vulnerabilities. Suggested sources for vulnerability information include the Common Weakness
Enumeration (CWE) listing and the National Vulnerability Database (NVD). In addition, security
control assessments such as red team exercises provide other sources of potential vulnerabilities
for which to scan. Organizations also consider using tools that express vulnerability impact by the
Common Vulnerability Scoring System (CVSS). Related controls: CA-2, CA-7, CM-4, CM-6, RA-2,
RA-3, SA-11, SI-2.
14. Security Assessment and Authorlutlon(CA)
Control Number CA-2 _
Tito ecu sessments
CDSS The organization must
Requirement a.Develops a security assessment plan that describes the scope of the 85sessment including:
1. Security controls and control enhancements under assessment:
2.Assessment procedures to be used to determine security control effectiveness;and
3.Assessment environment,assessment team,and assessment roles and respcnsibllitles;
to,Assesses the security controls to the information system and its environment of operation with
organization-defined frequency to determine the extent to which the controls are implemented
correctly,operating as intended,and producing the desired outcome with respect to meeting
established security requirements;
c.Produces a security assessment report that documents the results of the assessment;and
d.ProvvIes the results of the security control assessment to organization-defined iftdivkluals or
roles
Supplemental Guidance (from NIST 800-53): Organizations assess security controls in organizational information systems and the environments in which those systems operate as part of: (i) initial and ongoing security authorizations; (ii) FISMA annual assessments; (iii) continuous monitoring; and (iv) system development life cycle activities. Security assessments: (i) ensure that information security is built into organizational information systems; (ii) identify weaknesses and deficiencies early in the development process; (iii) provide essential information needed to make risk-based decisions as part of security authorization processes; and (iv) ensure compliance to vulnerability mitigation procedures. Assessments are conducted on the implemented security controls from Appendix F (main catalog) and Appendix G (Program Management controls) as documented in System Security Plans and Information Security Program Plans. Organizations can use other types of assessment activities such as vulnerability scanning and system monitoring to maintain the security posture of information systems during the entire life cycle. Security assessment reports document assessment results in sufficient detail as deemed necessary by organizations, to determine the accuracy and completeness of the reports and whether the security controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting security requirements. The FISMA requirement for assessing security controls at least annually does not require additional assessment activities to those activities already in place in organizational security authorization processes. Security assessment results are provided to the individuals or roles appropriate for the types of assessments being conducted. For example, assessments conducted in support of security authorization decisions are provided to authorizing officials or authorizing official designated representatives.
To satisfy annual assessment requirements, organizations can use assessment results from the following sources: (i) initial or ongoing information system authorizations; (ii) continuous monitoring; or (iii) system development life cycle activities. Organizations ensure that security assessment results are current, relevant to the determination of security control effectiveness, and obtained with the appropriate level of assessor independence. Existing security control assessment results can be reused to the extent that the results are still valid and can also be supplemented with additional assessments as needed. Subsequent to initial authorizations and in accordance with OMB policy, organizations assess security controls during continuous monitoring. Organizations establish the frequency for ongoing security control assessments in accordance with organizational continuous monitoring strategies. Information Assurance Vulnerability Alerts provide useful examples of vulnerability mitigation procedures. External audits (e.g., audits by external entities such as regulatory agencies) are outside the scope of this control. Related controls: CA-5, CA-6, CA-7, PM-9, RA-5, SA-11, SA-12, SI-4.
Control Number: CA-3
Title: System Interconnections
CDSS Requirement: The organization must:
a. Authorizes connections from the information system to other information systems through the use of Interconnection Security Agreements;
b. Documents, for each interconnection, the interface characteristics, security requirements, and the nature of the information communicated; and
c. Reviews and updates Interconnection Security Agreements [Assignment: organization-defined frequency].
Supplemental Guidance (from NIST 800-53): This control applies to dedicated connections between information systems (i.e., system interconnections) and does not apply to transitory, user-controlled connections such as email and website browsing. Organizations carefully consider the risks that may be introduced when information systems are connected to other systems with different security requirements and security controls, both within organizations and external to organizations. Authorizing officials determine the risk associated with information system connections and the appropriate controls employed. If interconnecting systems have the same authorizing official, organizations do not need to develop Interconnection Security Agreements. Instead, organizations can describe the interface characteristics between those interconnecting systems in their respective security plans. If interconnecting systems have different authorizing officials within the same organization, organizations can either develop Interconnection Security Agreements or describe the interface characteristics between systems in the security plans for the respective systems. Organizations may also incorporate Interconnection Security Agreement information into formal contracts, especially for interconnections established between federal agencies and nonfederal (i.e., private sector) organizations. Risk considerations also include information systems sharing the same networks. For certain technologies (e.g., space, unmanned aerial vehicles, and medical devices), there may be specialized connections in place during preoperational testing. Such connections may require Interconnection Security Agreements and be subject to additional security controls. Related controls: AC-3, AC-4, AC-20, AU-2, AU-12, AU-16, CA-7, IA-3, SA-9, SC-7, SI-4.
Control Number: CA-7
Title: Continuous Monitoring
CDSS Requirement: The organization must develop a continuous monitoring strategy and implement a continuous monitoring program that includes:
a. Establishment of PII security controls to be monitored;
c. Ongoing security control assessments in accordance with the organizational continuous monitoring strategy;
d. Ongoing security status monitoring of PII security controls in accordance with the organizational continuous monitoring strategy;
e. Correlation and analysis of security-related information generated by assessments and monitoring;
f. Response actions to address results of the analysis of security-related information; and
g. Reporting the security status of organization and the information system to organization-defined personnel or roles and to CDSS when requested.
Supplemental Guidance (from NIST 800-53): Continuous monitoring programs facilitate ongoing awareness of threats, vulnerabilities, and information security to support organizational risk management decisions. The terms continuous and ongoing imply that organizations assess/analyze security controls and information security-related risks at a frequency sufficient to support organizational risk-based decisions. The results of continuous monitoring programs generate appropriate risk response actions by organizations. Continuous monitoring programs also allow organizations to maintain the security authorizations of information systems and common controls over time in highly dynamic environments of operation with changing mission/business needs, threats, vulnerabilities, and technologies. Having access to security-related information on a continuing basis through reports/dashboards gives organizational officials the capability to make more effective and timely risk management decisions, including ongoing security authorization decisions. Automation supports more frequent updates to security authorization packages, hardware/software/firmware inventories, and other system information. Effectiveness is further enhanced when continuous monitoring outputs are formatted to provide information that is specific, measurable, actionable, relevant, and timely. Continuous monitoring activities are scaled in accordance with the security categories of information systems. Related controls: CA-2, CA-5, CA-6, CM-3, CM-4, PM-6, PM-9, RA-5, SA-11, SA-12, SI-2, SI-4.
Control Number: CA-8
Title: Penetration Testing
CDSS Requirement: The organization must conduct penetration testing annually on systems storing, processing, or transmitting PII.
Supplemental Guidance (from NIST 800-53): Penetration testing is a specialized type of assessment conducted on information systems or individual system components to identify vulnerabilities that could be exploited by adversaries. Such testing can be used to either validate vulnerabilities or determine the degree of resistance organizational information systems have to adversaries within a set of specified constraints (e.g., time, resources, and/or skills). Penetration testing attempts to duplicate the actions of adversaries in carrying out hostile cyber attacks against organizations and provides a more in-depth analysis of security-related weaknesses/deficiencies. Organizations can also use the results of vulnerability analyses to support penetration testing activities. Penetration testing can be conducted on the hardware, software, or firmware components of an information system and can exercise both physical and technical security controls. A standard method for penetration testing includes, for example: (i) pretest analysis based on full knowledge of the target system; (ii) pretest identification of potential vulnerabilities based on pretest analysis; and (iii) testing designed to determine exploitability of identified vulnerabilities. All parties agree to the rules of engagement before the commencement of penetration testing scenarios. Organizations correlate the penetration testing rules of engagement with the tools, techniques, and procedures that are anticipated to be employed by adversaries carrying out attacks. Organizational risk assessments guide decisions on the level of independence required for personnel conducting penetration testing. Related control: SA-12.
15. System and Communications Protection (SC)
Control Number: SC-7
Title: Boundary Protection
CDSS Requirement: The organization information system must:
a. Monitor and control communications at the external boundary of the system and at key internal boundaries within the system;
b. Implements subnetworks for publicly accessible system components that are physically and logically separated from internal organizational networks; and
c. Connect to external networks or information systems only through managed interfaces consisting of boundary protection devices arranged in accordance with an organizational security architecture.
Supplemental Guidance (from NIST 800-53): Managed interfaces include, for example, gateways, routers, firewalls, guards, network-based malicious code analysis and virtualization systems, or encrypted tunnels implemented within a security architecture (e.g., routers protecting firewalls or application gateways residing on protected subnetworks). Subnetworks that are physically or logically separated from internal networks are referred to as demilitarized zones or DMZs. Restricting or prohibiting interfaces within organizational information systems includes, for example, restricting external web traffic to designated web servers within managed interfaces and prohibiting external traffic that appears to be spoofing internal addresses. Organizations consider the shared nature of commercial telecommunications services in the implementation of security controls associated with the use of such services. Commercial telecommunications services are commonly based on network components and consolidated management systems shared by all attached commercial customers, and may also include third party-provided access lines and other service elements.
Such transmission services may represent sources of increased risk despite contract security provisions. Related controls: AC-4, AC-17, CA-3, CM-7, CP-8, IR-4, RA-3, SC-5, SC-13.
Control Number: SC-8
Title: Transmission Confidentiality and Integrity
CDSS Requirement: The organization information system must: Protect the confidentiality of transmitted information.
Supplemental Guidance (from NIST 800-53): This control applies to both internal and external networks and all types of information system components from which information can be transmitted (e.g., servers, mobile devices, notebook computers, printers, copiers, scanners, facsimile machines). Communication paths outside the physical protection of a controlled boundary are exposed to the possibility of interception and modification. Protecting the confidentiality and/or integrity of organizational information can be accomplished by physical means (e.g., by employing protected distribution systems) or by logical means (e.g., employing encryption techniques). Organizations relying on commercial providers offering transmission services as commodity services rather than as fully dedicated services (i.e., services which can be highly specialized to individual customer needs), may find it difficult to obtain the necessary assurances regarding the implementation of needed security controls for transmission confidentiality/integrity. In such situations, organizations determine what types of confidentiality/integrity services are available in standard, commercial telecommunication service packages. If it is infeasible or impractical to obtain the necessary security controls and assurances of control effectiveness through appropriate contracting vehicles, organizations implement appropriate compensating security controls or explicitly accept the additional risk.
Related controls: AC-17, PE-4.
Control Number: SC-8 (1)
Title: Transmission Confidentiality and Integrity | Cryptographic or Alternate Physical Protection
CDSS Requirement: The organization information system must implement cryptographic mechanisms to prevent unauthorized disclosure of information during transmission.
Supplemental Guidance (from NIST 800-53): Encrypting information for transmission protects information from unauthorized disclosure and modification. Cryptographic mechanisms implemented to protect information integrity include, for example, cryptographic hash functions which have common application in digital signatures, checksums, and message authentication codes. Alternative physical security safeguards include, for example, protected distribution systems. Related control: SC-13.
Control Number: SC-13
Title: Cryptographic Protection
CDSS Requirement: The organization information system must implement FIPS 140-3 compliant encryption modules in accordance with applicable federal laws, Executive Orders, directives, policies, regulations, and standards.
Supplemental Guidance (from NIST 800-53): Cryptography can be employed to support a variety of security solutions including, for example, the protection of classified and Controlled Unclassified Information, the provision of digital signatures, and the enforcement of information separation when authorized individuals have the necessary clearances for such information but lack the necessary formal access approvals. Cryptography can also be used to support random number generation and hash generation. Generally applicable cryptographic standards include FIPS-validated cryptography and NSA-approved cryptography. This control does not impose any requirements on organizations to use cryptography. However, if cryptography is required based on the selection of other security controls, organizations define each type of cryptographic use and the type of cryptography required (e.g., protection of classified information: NSA-approved cryptography; provision of digital signatures: FIPS-validated cryptography). Related controls: AC-2, AC-3, AC-7, AC-17, AC-18, AU-9, AU-10, CM-11, CP-9, IA-3, IA-7, MA-4, MP-2, MP-4, MP-5, SA-4, SC-8, SC-12, SC-28, SI-7.
Control Number: SC-28
Title: Protection of Information at Rest
CDSS Requirement: The organization information system must: Protect the confidentiality of PII at rest.
Supplemental Guidance (from NIST 800-53): This control addresses the confidentiality and integrity of information at rest and covers user information and system information. Information at rest refers to the state of information when it is located on storage devices as specific components of information systems. System-related information requiring protection includes, for example, configurations or rule sets for firewalls, gateways, intrusion detection/prevention systems, filtering routers, and authenticator content. Organizations may employ different mechanisms to achieve confidentiality and integrity protections, including the use of cryptographic mechanisms and file share scanning. Integrity protection can be achieved, for example, by implementing Write-Once-Read-Many (WORM) technologies. Organizations may also employ other security controls including, for example, secure off-line storage in lieu of online storage when adequate protection of information at rest cannot otherwise be achieved and/or continuous monitoring to identify malicious code at rest. Related controls: AC-3, AC-6, CA-7, CM-3, CM-5, CM-6, PE-3, SC-8, SC-13, SI-3, SI-7.
16. System and Information Integrity (SI)
Control Number: SI-2
Title: Flaw Remediation
CDSS Requirement: The organization must:
a. Identify, report, and correct information system flaws;
b. Tests software and firmware updates related to flaw remediation for effectiveness and potential side effects before installation;
c. Installs security-relevant software and firmware updates, within acceptable organization standards, of the release of the updates; and
d. Incorporates flaw remediation into the organizational configuration management process.
Supplemental Guidance (from NIST 800-53): Organizations identify information systems affected by announced software flaws including potential vulnerabilities resulting from those flaws, and report this information to designated organizational personnel with information security responsibilities. Security-relevant software updates include, for example, patches, service packs, hot fixes, and antivirus signatures. Organizations also address flaws discovered during security assessments, continuous monitoring, incident response activities, and system error handling. Organizations take advantage of available resources such as the Common Weakness Enumeration (CWE) or Common Vulnerabilities and Exposures (CVE) databases in remediating flaws discovered in organizational information systems. By incorporating flaw remediation into ongoing configuration management processes, required/anticipated remediation actions can be tracked and verified. Flaw remediation actions that can be tracked and verified include, for example, determining whether organizations follow US-CERT guidance and Information Assurance Vulnerability Alerts. Organization-defined time periods for updating security-relevant software and firmware may vary based on a variety of factors including, for example, the security category of the information system or the criticality of the update (i.e., severity of the vulnerability related to the discovered flaw). Some types of flaw remediation may require more testing than other types. Organizations determine the degree and type of testing needed for the specific type of flaw remediation activity under consideration and also the types of changes that are to be configuration-managed. In some situations, organizations may determine that the testing of software and/or firmware updates is not necessary or practical, for example, when implementing simple anti-virus signature updates. Organizations may also consider in testing decisions, whether security-relevant software or firmware updates are obtained from authorized sources with appropriate digital signatures. Related controls: CA-2, CA-7, CM-3, CM-5, CM-8, MA-2, IR-4, RA-5, SA-10, SA-11, SI-11.
Control Number: SI-3
Title: Malicious Code Protection
CDSS Requirement: The organization must:
a. Employ malicious code protection mechanisms at information system entry and exit points to detect and eradicate malicious code;
b. Update malicious code protection mechanisms whenever new releases are available in accordance with organizational configuration management policy and procedures;
c. Configure malicious code protection mechanisms to:
1. Perform periodic scans of the information system and real-time scans of files from external sources at the endpoint and network entry/exit points as the files are downloaded, opened, or executed in accordance with organizational security policy; and
2. Block malicious code or quarantine malicious code, and send alert to administrator for incident handling in response to malicious code detection; and
d. Address the receipt of false positives during malicious code detection and eradication and the resulting potential impact on the availability of the information system.
Supplemental Guidance (from NIST 800-53): Information system entry and exit points include, for example, firewalls, electronic mail servers, web servers, proxy servers, remote-access servers, workstations, notebook computers, and mobile devices. Malicious code includes, for example, viruses, worms, Trojan horses, and spyware. Malicious code can also be encoded in various formats (e.g., UUENCODE, Unicode), contained within compressed or hidden files, or hidden in files using steganography. Malicious code can be transported by different means including, for example, web accesses, electronic mail, electronic mail attachments, and portable storage devices. Malicious code insertions occur through the exploitation of information system vulnerabilities. Malicious code protection mechanisms include, for example, anti-virus signature definitions and reputation-based technologies. A variety of technologies and methods exist to limit or eliminate the effects of malicious code. Pervasive configuration management and comprehensive software integrity controls may be effective in preventing execution of unauthorized code. In addition to commercial off-the-shelf software, malicious code may also be present in custom-built software. This could include, for example, logic bombs, back doors, and other types of cyber attacks that could affect organizational missions/business functions. Traditional malicious code protection mechanisms cannot always detect such code. In these situations, organizations rely instead on other safeguards including, for example, secure coding practices, configuration management and control, trusted procurement processes, and monitoring practices to help ensure that software does not perform functions other than the functions intended. Organizations may determine that in response to the detection of malicious code, different actions may be warranted. For example, organizations can define actions in response to malicious code detection during periodic scans, actions in response to detection of malicious downloads, and/or actions in response to detection of maliciousness when attempting to open or execute files. Related controls: CM-3, MP-2, SA-4, SA-8, SA-12, SA-13, SC-7, SC-26, SC-44, SI-2, SI-4, SI-7.
Control Number: SI-4
Title: Information System Monitoring
CDSS Requirement: The organization must:
a. Monitor the information system to detect:
1. Attacks and indicators of potential attacks in accordance with organization-defined monitoring objectives; and
2. Unauthorized local, network, and remote connections;
b. Identify unauthorized use of the information system through organization-defined techniques and methods;
c. Deploy monitoring devices:
1. Strategically within the information system to collect organization-determined essential information; and
2. At ad hoc locations within the system to track specific types of transactions of interest to the organization;
d. Protect information obtained from intrusion-monitoring tools from unauthorized access, modification, and deletion;
e. Heighten the level of information system monitoring activity whenever there is an indication of increased risk to organizational operations and assets, individuals, other organizations, or the Nation based on law enforcement information, intelligence information, or other credible sources of information. Relevant risk would apply to anything impacting the confidentiality, integrity, or availability of the information system;
f. Obtain legal opinion with regard to information system monitoring activities in accordance with applicable federal laws, Executive Orders, directives, policies, or regulations; and
g. Provides organization-defined information system monitoring information to organization-defined personnel and CDSS as needed.
Supplemental Guidance (from NIST 800-53): Information system monitoring includes external and internal monitoring. External monitoring includes the observation of events occurring at the information system boundary (i.e., part of perimeter defense and boundary protection). Internal monitoring includes the observation of events occurring within the information system. Organizations can monitor information systems, for example, by observing audit activities in real time or by observing other system aspects such as access patterns, characteristics of access, and other actions. The monitoring objectives may guide determination of the events. Information system monitoring capability is achieved through a variety of tools and techniques (e.g., intrusion detection systems, intrusion prevention systems, malicious code protection software, scanning tools, audit record monitoring software, network monitoring software). Strategic locations for monitoring devices include, for example, selected perimeter locations and near server farms supporting critical applications, with such devices typically being employed at the managed interfaces associated with controls SC-7 and AC-17. Einstein network monitoring devices from the Department of Homeland Security can also be included as monitoring devices. The granularity of monitoring information collected is based on organizational monitoring objectives and the capability of information systems to support such objectives. Specific types of transactions of interest include, for example, Hyper Text Transfer Protocol (HTTP) traffic that bypasses HTTP proxies. Information system monitoring is an integral part of organizational continuous monitoring and incident response programs. Output from system monitoring serves as input to continuous monitoring and incident response programs. A network connection is any connection with a device that communicates through a network (e.g., local area network, Internet). A remote connection is any connection with a device communicating through an external network (e.g., the Internet). Local, network, and remote connections can be either wired or wireless. Related controls: AC-3, AC-4, AC-8, AC-17, AU-2, AU-6, AU-7, AU-9, AU-12, CA-7, IR-4, PE-3, RA-5, SC-7, SC-26, SC-35, SI-3, SI-7.
Control Number: SI-4 (5)
Title: Information System Monitoring | System Generated Alerts
CDSS Requirement: The information system alerts County Worker when the following indications of compromise or potential compromise occur:
1. Protected system files or directories have been modified without notification from the appropriate change/configuration management channels.
2. System performance indicates resource consumption that is inconsistent with expected operating conditions.
3. Auditing functionality has been disabled or modified to reduce audit visibility.
4. Audit or log records have been deleted or modified without explanation.
5. The system is raising alerts or faults in a manner that indicates the presence of an abnormal condition.
6. Resource or service requests are initiated from clients that are outside of the expected client membership set.
7. The system reports failed logins or password changes for administrative or key service accounts.
8. Processes and services are running that are outside of the baseline system profile.
9. Utilities, tools, or scripts have been saved or installed on production systems without clear indication of their use or purpose.
Supplemental Guidance (from NIST 800-53): Alerts may be generated from a variety of sources, including, for example, audit records or inputs from malicious code protection mechanisms, intrusion detection or prevention mechanisms, or boundary protection devices such as firewalls, gateways, and routers. Alerts can be transmitted, for example, telephonically, by electronic mail messages, or by text messaging. Organizational personnel on the notification list can include, for example, system administrators, mission/business owners, system owners, or information system security officers. Related controls: AU-5, PE-6.
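As an added illustration that is not part of the Agreement or of NIST SP 800-53, the following Python script evaluates a batch of constructed audit events against several of the nine indications listed above (items 1, 3, 4, 6, 7, 8 and 9) and returns the alerts that would be raised. The key=value event format, the process baseline, the administrative account names, the protected paths and the expected client address range are all assumptions made for this example.

```python
"""Added example: check constructed audit events against SI-4(5) indications.

Not part of the Agreement or NIST SP 800-53. Event format, baseline process
list, admin accounts, protected paths and client range are assumptions.
"""
import ipaddress
from dataclasses import dataclass

# Constructed baseline for a hypothetical county application server.
BASELINE_PROCESSES = {"sshd", "postgres", "nginx", "case-mgmt-api"}
ADMIN_ACCOUNTS = {"root", "dbadmin", "svc-case-mgmt"}
EXPECTED_CLIENTS = [ipaddress.ip_network("10.20.0.0/16")]  # expected client set
PROTECTED_PATHS = ("/etc/", "/usr/sbin/", "/opt/case-mgmt/bin/")
SCRIPT_SUFFIXES = (".sh", ".ps1", ".py")
FAILED_LOGIN_THRESHOLD = 3  # alert when an admin account reaches this many failures


@dataclass(frozen=True)
class Alert:
    indication: int  # item number in the SI-4(5) list above
    detail: str


def parse_event(line):
    """Parse a 'key=value key=value' audit line; return None if malformed."""
    fields = {}
    for token in line.split():
        if "=" not in token:
            return None
        key, value = token.split("=", 1)
        fields[key] = value
    return fields if "type" in fields else None


def evaluate(lines, approved_changes=frozenset()):
    """Return the Alerts raised by a batch of audit lines, in event order.

    approved_changes holds change-management identifiers that authorise edits
    to protected paths; indication 1 fires only for an edit without one.
    """
    alerts = []
    failed_admin_logins = {}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue  # malformed lines are skipped, not alerted on
        kind = ev["type"]
        path = ev.get("path", "")
        if kind == "file_modified" and path.startswith(PROTECTED_PATHS):
            if ev.get("change_id") not in approved_changes:
                alerts.append(Alert(1, f"{path} modified outside change management"))
        elif kind == "audit_config" and ev.get("enabled") == "false":
            alerts.append(Alert(3, f"auditing disabled by {ev.get('user', '?')}"))
        elif kind == "file_deleted" and path.startswith("/var/log/"):
            alerts.append(Alert(4, f"log record {path} deleted"))
        elif kind == "request" and ev.get("src"):
            src = ipaddress.ip_address(ev["src"])
            if not any(src in net for net in EXPECTED_CLIENTS):
                alerts.append(Alert(6, f"request from {src} outside expected client set"))
        elif kind == "login_failed" and ev.get("user") in ADMIN_ACCOUNTS:
            user = ev["user"]
            failed_admin_logins[user] = failed_admin_logins.get(user, 0) + 1
            if failed_admin_logins[user] == FAILED_LOGIN_THRESHOLD:
                alerts.append(Alert(7, f"{FAILED_LOGIN_THRESHOLD} failed logins for {user}"))
        elif kind == "process_start" and ev.get("name") not in BASELINE_PROCESSES:
            alerts.append(Alert(8, f"process {ev.get('name')} outside baseline profile"))
        elif kind == "file_created" and path.endswith(SCRIPT_SUFFIXES):
            if not ev.get("ticket"):
                alerts.append(Alert(9, f"script {path} saved without a stated purpose"))
    return alerts


# Constructed sample batch; timestamps, names and addresses are illustrative.
SAMPLE_EVENTS = [
    "ts=2025-10-17T08:00:01 type=login_failed user=dbadmin src=10.20.4.9",
    "ts=2025-10-17T08:00:04 type=login_failed user=dbadmin src=10.20.4.9",
    "ts=2025-10-17T08:00:07 type=login_failed user=dbadmin src=10.20.4.9",
    "ts=2025-10-17T08:01:00 type=login_failed user=jsmith src=10.20.4.10",
    "ts=2025-10-17T08:02:00 type=request src=10.20.7.21 path=/api/cases",
    "ts=2025-10-17T08:02:30 type=request src=203.0.113.45 path=/api/cases",
    "ts=2025-10-17T08:03:00 type=process_start name=nginx",
    "ts=2025-10-17T08:03:10 type=process_start name=unknown-daemon",
    "ts=2025-10-17T08:04:00 type=file_modified path=/etc/sudoers change_id=CHG-1042",
    "ts=2025-10-17T08:04:30 type=file_modified path=/etc/ssh/sshd_config",
    "ts=2025-10-17T08:05:00 type=audit_config enabled=false user=dbadmin",
    "ts=2025-10-17T08:05:30 type=file_deleted path=/var/log/auth.log",
    "ts=2025-10-17T08:06:00 type=file_created path=/opt/tools/cleanup.sh ticket=OPS-77",
    "ts=2025-10-17T08:06:30 type=file_created path=/tmp/run.sh",
    "garbage line without fields",
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS, approved_changes=frozenset({"CHG-1042"})):
        print(f"indication {alert.indication}: {alert.detail}")
```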
Control Number: SI-4 (13)
Title: Information System Monitoring | Analyze Traffic / Event Patterns
CDSS Requirement: The organization must:
a. Analyzes communications traffic/event patterns for the information system;
b. Develops profiles representing common traffic patterns and/or events; and
c. Uses the traffic/event profiles in tuning system-monitoring devices to reduce the number of false positives and the number of false negatives.
Supplemental Guidance (from NIST 800-53): None
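The profile-then-tune steps in items b and c can be shown concretely. This added Python example, which is not from the Agreement, builds a per-hour connection-count profile from constructed historical data and then selects the alert threshold that minimises false positives plus false negatives on a small labelled tuning set; the hourly counts, the labelled events and the candidate thresholds are assumptions made for the illustration.

```python
"""Added example: build a traffic profile and tune the alert threshold (SI-4(13)).

Not part of the Agreement. Hourly counts, labelled tuning events and the
candidate thresholds are constructed for this illustration.
"""
import statistics

# Constructed history: hour of day -> connection counts observed on five
# prior weekdays for a hypothetical county web application.
HISTORY = {
    3: [4, 6, 5, 5, 7],              # overnight batch jobs only
    10: [120, 130, 125, 135, 115],   # morning case-worker traffic
    14: [140, 150, 145, 160, 155],   # afternoon peak
}

# Constructed tuning set: (hour, observed count, was_this_an_attack).
LABELLED = [
    (3, 6, False),
    (3, 8, False),      # slightly busy night, still legitimate
    (3, 40, True),      # overnight scan burst
    (10, 138, False),   # busy morning, legitimate
    (10, 200, True),    # credential-stuffing spike
    (14, 147, False),
    (14, 162, False),   # legitimate peak
    (14, 175, True),    # modest but real spike
]

THRESHOLD_CANDIDATES = [1, 2, 3, 4]  # k in "flag if count > mean + k * stdev"


def build_profile(history):
    """Return hour -> (mean, population stdev) derived from historical counts."""
    return {hour: (statistics.fmean(counts), statistics.pstdev(counts))
            for hour, counts in history.items()}


def is_anomalous(profile, hour, count, k):
    """Flag a count that exceeds the hour's mean by more than k stdevs."""
    mean, stdev = profile[hour]
    return count > mean + k * stdev


def score_threshold(profile, labelled, k):
    """Return (false_positives, false_negatives) of threshold k on the tuning set."""
    fp = fn = 0
    for hour, count, attack in labelled:
        flagged = is_anomalous(profile, hour, count, k)
        if flagged and not attack:
            fp += 1
        elif attack and not flagged:
            fn += 1
    return fp, fn


def tune_threshold(profile, labelled, candidates):
    """Pick the k minimising FP + FN; ties go to the more sensitive (smaller) k."""
    best = None
    for k in candidates:
        fp, fn = score_threshold(profile, labelled, k)
        key = (fp + fn, k)
        if best is None or key < best[0]:
            best = (key, k, fp, fn)
    return best[1], best[2], best[3]


if __name__ == "__main__":
    profile = build_profile(HISTORY)
    for k in THRESHOLD_CANDIDATES:
        print(f"k={k}: (false positives, false negatives) = "
              f"{score_threshold(profile, LABELLED, k)}")
    k, fp, fn = tune_threshold(profile, LABELLED, THRESHOLD_CANDIDATES)
    print(f"tuned rule: flag when count > mean + {k} * stdev (fp={fp}, fn={fn})")
```

Too low a k floods the County Worker with false positives on busy hours, too high a k misses the modest afternoon spike; the tuning set makes that trade-off explicit instead of leaving it to a default.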
17. System and Services Acquisition (SA)
Control Number: SA-9
Title: External Information System Services
CDSS Requirement: The organization must:
a. Require that providers of external information system services comply with organizational information security requirements and employ organization-defined security controls in accordance with CDSS PSA, applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance;
b. Defines and documents government oversight and user roles and responsibilities with regard to external information system services; and
c. Employs organization-defined processes, methods, and techniques to monitor security control compliance by external service providers on an ongoing basis.
The state organization will provide its contractors and agents with copies of the Agreement, related IEAs, and all related attachments before initial disclosure of PII to such contractors and agents. Prior to signing the Agreement, and thereafter at CDSS's request, the state organization will obtain from its contractors and agents a current list of the employees of such contractors and agents with access to PII and provide such lists to CDSS.
Supplemental Guidance (from NIST 800-53): External information system services are services that are implemented outside of the authorization boundaries of organizational information systems. This includes services that are used by, but not a part of, organizational information systems. FISMA and OMB policy require that organizations using external service providers that are processing, storing, or transmitting federal information or operating information systems on behalf of the federal government ensure that such providers meet the same security requirements that federal agencies are required to meet. Organizations establish relationships with external service providers in a variety of ways including, for example, through joint ventures, business partnerships, contracts, interagency agreements, lines of business arrangements, licensing agreements, and supply chain exchanges. The responsibility for managing risks from the use of external information system services remains with authorizing officials. For services external to organizations, a chain of trust requires that organizations establish and retain a level of confidence that each participating provider in the potentially complex consumer-provider relationship provides adequate protection for the services rendered. The extent and nature of this chain of trust varies based on the relationships between organizations and the external providers. Organizations document the basis for trust relationships so the relationships can be monitored over time. External information system services documentation includes government, service providers, end user security roles and responsibilities, and service-level agreements. Service-level agreements define expectations of performance for security controls, describe measurable outcomes, and identify remedies and response requirements for identified instances of noncompliance. Related controls: CA-3, IR-7, PS-7.
Control No.: SA-11
Title: Developer Security Testing And Evaluation
CDSS Requirement: The organization must require the developer of the information system, system component, or
information system service to:
a. Create and implement a security assessment plan;
b. Perform [Selection (one or more): unit; integration; system; regression] testing/evaluation at
[Assignment: organization-defined depth and coverage];
c. Produce evidence of the execution of the security assessment plan and the results of the
security testing/evaluation;
d. Implement a verifiable flaw remediation process; and
e. Correct flaws identified during security testing/evaluation.
Supplemental Guidance (from NIST 800-53): Developmental security testing/evaluation occurs at all post-design
phases of the system development life cycle. Such testing/evaluation confirms that the required
security controls are implemented correctly, operating as intended, enforcing the desired security
policy, and meeting established security requirements. Security properties of information systems
may be affected by the interconnection of system components or changes to those components.
These interconnections or changes (e.g., upgrading or replacing applications and operating
systems) may adversely affect previously implemented security controls. This control provides
additional types of security testing/evaluation that developers can conduct to reduce or eliminate
potential flaws. Testing custom software applications may require approaches such as static
analysis, dynamic analysis, binary analysis, or a hybrid of the three approaches. Developers can
employ these analysis approaches in a variety of tools (e.g., web-based application scanners,
static analysis tools, binary analyzers) and in source code reviews. Security assessment plans
provide the specific activities that developers plan to carry out including the types of analyses,
testing, evaluation, and reviews of software and firmware components, the degree of rigor to be
applied, and the types of artifacts produced during those processes. The depth of security
testing/evaluation refers to the rigor and level of detail associated with the assessment process
(e.g., black box, gray box, or white box testing). The coverage of security testing/evaluation refers
to the scope (i.e., number and type) of the artifacts included in the assessment process. Contracts
specify the acceptance criteria for security assessment plans, flaw remediation processes, and
the evidence that the plans/processes have been diligently applied. Methods for reviewing and
protecting assessment plans, evidence, and documentation are commensurate with the security
category or classification level of the information system. Contracts may specify documentation
protection requirements. Related controls: CA-2, CM-4, SA-3, SA-4, SA-5, SI-2.
B. Minimum Cloud Security Requirements
County Department/Agency and any agents, subcontractors, and vendors
storing PII in a cloud service must comply with the Cloud Computing Policy,
State Administrative Manual (SAM) Sections 4983-4983.1, and employ the
capabilities in the Cloud Security Standard, SIMM 5315-B, to protect information
and systems in cloud services as outlined below.
1. Identify and classify assets to focus and prioritize efforts in aligning
business needs and risk management.
2. Each information asset for which the County Department/Agency entity has
ownership responsibility shall be inventoried and identified to include the
following:
a. Description and value of the information asset.
b. Owner of the information asset.
c. Custodians of the information asset.
d. Users of the information asset.
e. Classification of information.
f. FIPS Publication 199 categorization and level of protection (Low,
Moderate, or High).
g. Importance of information assets to the execution of the
Agency/state entity's mission and program function.
h. Potential consequences and impacts if confidentiality, integrity, and
availability of the information asset were compromised.
3. Security of cloud services stems from managing authentication and fine-
grained authorization. To safeguard cloud systems, County
Department/Agency shall establish processes and procedures to ensure:
a. Maintenance of user identities, including both provisioning and de-
provisioning;
b. Enforcement of password policies or more advanced multifactor
mechanisms to authenticate users and devices;
c. Management of access control rules, limiting access to the
minimum necessary to complete defined responsibilities;
d. Separation of duties to avoid functional conflicts;
e. Periodic recertification of access control rules to identify those that
are no longer needed or provide overly broad clearance;
f. Use of privileged accounts that can bypass security are restricted
and audited;
g. Systems to administer access based on roles are defined and
installed; and
h. Encryption keys and system security certificates are effectively
generated, exchanged, stored and safeguarded.
4. Infrastructure protection controls limit the impact of unintended access or
potential vulnerabilities. PaaS and SaaS resources may already have
these controls implemented by the service provider. County
Department/Agency must configure information assets to provide only
essential capabilities.
5. County Department/Agency is entrusted with protecting the integrity and
confidentiality of data processed by their information systems. Cloud
technologies simplify data protection by providing managed data storage
services with native protection and backup features, but these features
must be configured and managed appropriately.
6. Detective controls identify potential security threats or incidents, supporting
timely investigation and response. County Department/Agency must
continuously identify and remediate vulnerabilities.
7. Response controls enable timely event and incident response, which is
essential to reducing the impact if an incident were to occur. Compliance
with incident management requirements is as outlined in Section VIII, Notification and
Investigation of Breaches and Security Incidents.
8. Recover controls facilitate long-term recovery activities following events or
incidents. With cloud services, primarily SaaS solutions, the services
provider hosts the data in its application, and unless properly planned and
provisioned for in the contract with the service provider it may be difficult or
impossible to obtain the data in a usable format at contract termination.
County Department/Agency must ensure agreements with cloud service
providers include recover controls.
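The identity and access-management items in paragraph 3 above (3.c minimum-necessary access, 3.e periodic recertification, 3.f restricted and audited privileged accounts) can be checked mechanically against an IAM export rather than by reading through grants by hand. The script below is an added example written for this page, not code from CDSS, DHCS, or the County; the grant records, the field names, the "wildcard means overly broad" rule and the 90-day idle threshold are constructed assumptions for illustration, not values the agreement prescribes.

```python
"""Access recertification check over a (constructed) cloud IAM export.

Added example, not part of the CDSS/Fresno County agreement. It flags grants
that are stale or never used, broader than minimum necessary, or privileged
without an audit trail, which is the review the agreement asks for in items
3.c, 3.e and 3.f. Field names and thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Grant:
    """One access-control rule as it might appear in a cloud IAM export (assumed shape)."""
    principal: str             # user, service account or role name
    resource: str              # resource pattern, e.g. "pii-bucket/cases/*" or "*"
    actions: Tuple[str, ...]   # permitted actions, e.g. ("GetObject",) or ("*",)
    last_used: Optional[date]  # None means the grant has never been exercised
    privileged: bool = False   # can bypass or change security controls (item 3.f)
    audited: bool = False      # privileged activity is logged to a separate audit sink


# Constructed sample export for illustration; real data comes from the
# provider's IAM and access-log APIs.
GRANTS: List[Grant] = [
    Grant("alice@county", "pii-bucket/cases/*", ("GetObject",), date(2025, 9, 30)),
    Grant("bob@county", "pii-bucket/*", ("*",), date(2025, 3, 1)),
    Grant("svc-etl", "*", ("*",), date(2025, 10, 1), privileged=True, audited=False),
    Grant("carol@county", "pii-bucket/reports/*", ("GetObject",), None),
    Grant("admin-dave", "*", ("iam:*",), date(2025, 10, 10), privileged=True, audited=True),
]

# Assumed review date for the sample run.
REVIEW_DATE = date(2025, 10, 17)


def is_overly_broad(grant: Grant) -> bool:
    """A wildcard on the resource or on the action set exceeds 'minimum necessary'."""
    if grant.resource == "*":
        return True
    return any(a == "*" or a.endswith(":*") for a in grant.actions)


def recertify(grants: List[Grant], today: date, max_idle_days: int = 90) -> Dict[str, List[str]]:
    """Return {principal: [reasons]} for every grant that needs review.

    Reasons map to the list in the agreement: stale or never-used access (3.e),
    overly broad clearance (3.c, 3.e) and privileged access without an audit
    trail (3.f). Grants with no findings are omitted from the result.
    """
    findings: Dict[str, List[str]] = {}
    for g in grants:
        reasons: List[str] = []
        if g.last_used is None:
            reasons.append("never used")
        else:
            idle = (today - g.last_used).days
            if idle > max_idle_days:
                reasons.append(f"idle {idle} days")
        if is_overly_broad(g):
            reasons.append("wildcard permission")
        if g.privileged and not g.audited:
            reasons.append("privileged without audit logging")
        if reasons:
            findings[g.principal] = reasons
    return findings


def sample_findings() -> Dict[str, List[str]]:
    """Run the review over the constructed export with the assumed review date."""
    return recertify(GRANTS, REVIEW_DATE)


if __name__ == "__main__":
    for principal, reasons in sample_findings().items():
        print(f"{principal}: {', '.join(reasons)}")
```

On the sample data, alice's scoped read grant produces no finding, bob's is flagged as both idle and wildcard, the ETL service account is flagged as privileged without audit logging, carol's never-used grant is a de-provisioning candidate, and the administrator's `iam:*` grant is surfaced for review even though it is audited. Recording the reviewer's decision for each finding is what turns this output into the recertification evidence item 3.e expects.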
C. Minimum Necessary. Only the minimum necessary amount of PII required
to perform required business functions applicable to the terms of this
Agreement may be used, disclosed, copied, downloaded, or exported.
D. Transmission and Storage of PII. All persons that will be working with PII
shall employ FIPS 140-2 or greater approved security functions as described
in section 6.2.2 of NIST SP 800-140Cr1 for encryption of PII at rest and in
motion unless County Department/Agency determines it is not reasonable
and appropriate to do so based upon a risk assessment, and equivalent
alternative measures are in place and documented as such. In addition,
County Department/Agency shall maintain, at a minimum, the most current
industry standards for transmission and storage of CDSS data and other
confidential information.
E. DHCS Remote Work Policy. County Department/Agency, its County
Workers and any agents, subcontractors, and vendors accessing PII
pursuant to this PSA when working remotely, shall follow reasonable policies
and procedures that are equivalent to or better than the DHCS Remote Work
Policy, as published in Medi-Cal Eligibility Division Informational Letter
(MEDIL) 123-35E. Working remotely means working from a physical location
not under the control of the person's employer.
If DHCS changes the terms of the DHCS Remote Work Policy, DHCS will,
as soon as reasonably possible, supply copies to CWDA and the County
Department/Agency or its designee as well as DHCS' proposed target date for
compliance. For a period of thirty (30) days, DHCS will accept input from
CWDA and the County Department/Agency or its designee on the proposed
changes. DHCS will issue a new policy in a future MEDIL. If the County
Department/Agency is unable to comply with these standards, the County Department/Agency will be
asked to develop a Plan of Action and Milestones (POA&M) detailing a
concrete roadmap to becoming fully compliant with the policy's standard. The
POA&M must be provided to CDSS for review and approval. Any CWDA who
is under a POA&M will be required to provide quarterly updates to DHCS until
fully compliant.
VI. AUDIT CONTROLS
A. Audit Control Mechanisms. The County Department/Agency shall ensure
audit control mechanisms are in place that are compliant with the Technical
Security Controls within Section V of this Agreement.
B. Anomalies. When the County Department/Agency or CDSS suspects MEDS
usage anomalies, the County Department/Agency shall work with CDSS to
investigate the anomalies and report conclusions of such investigations and
remediation to CDSS.
C. Notification to CDSS in event County Department/Agency is subject to
other Audit. If County Department/Agency is the subject of an audit,
compliance review, investigation, or any proceeding that is related to the
performance of its obligations pursuant to this Agreement, or is the subject of
any judicial or administrative proceeding alleging a violation of law related to
the privacy and security of PII, including but not limited to PII, the County
Department/Agency shall promptly notify CDSS unless it is legally prohibited
from doing so.
VII. PAPER, RECORD, AND MEDIA CONTROLS
A. Supervision of Data. PII shall not be left unattended at any time, unless it
is locked in a file cabinet, file room, desk, or office at the individual's place of
employment or at home when working remotely. Unattended means that
information may be observed by an individual not authorized to access the
information.
B. Data in Vehicles. The County Department/Agency shall have policies that
include, based on applicable risk factors, a description of the
circumstances under which the County Workers can transport PII, as well
as the physical security requirements during transport. A County
Department/Agency that chooses to permit its County Workers to leave
records unattended in vehicles, shall include provisions in its policies to
provide that the PII is stored in a non-visible area such as a trunk, that the
vehicle is locked, and that under no circumstances permit PII to be left
unattended in a vehicle overnight or for other extended periods of time.
C. Public Modes of Transportation. PII shall not be left unattended at any
time in airplanes, buses, trains, etc., inclusive of baggage areas. This
should be included in training due to the nature of the risk.
D. Escorting Visitors. Visitors to areas where PII is contained shall be
escorted, and PII shall be kept out of sight while visitors are in the area.
E. Confidential Destruction. PII shall be disposed of through
confidential means, such as cross cut shredding or pulverizing.
F. Removal of Data. PII shall not be removed from the premises of County
Department/Agency except for justifiable business purposes.
G. Faxing.
1. Faxes containing PII shall not be left unattended and fax
machines shall be in secure areas.
2. Faxes shall contain a confidentiality statement notifying persons receiving
faxes in error to destroy them and notify the sender.
3. Fax numbers shall be verified with the intended recipient before sending
the fax.
H. Mailing.
1. Mailings containing PII shall be sealed and secured from damage
or inappropriate viewing of PII to the extent possible.
2. Mailings that include 500 or more individually identifiable records
containing PII in a single package shall be sent using a tracked mailing
method that includes verification of delivery and receipt.
VIII. NOTIFICATION AND INVESTIGATION OF BREACHES AND SECURITY INCIDENTS
During the term of this Agreement, the County Department/Agency agrees to
implement reasonable systems for the discovery and prompt reporting of any
breach or security incident, and to take the following steps:
A. Initial Notice to DHCS:
The County Department/Agency shall notify DHCS using DHCS' online
incident reporting portal of any suspected security incident; intrusion, or
unauthorized access, use, or disclosure of PII or potential loss of PII.
When making notification, the following applies:
1. If a suspected security incident involves PII provided or verified by SSA,
the County Department/Agency shall immediately notify DHCS upon
discovery. For more information on SSA data, please see the Definitions
section of this Agreement.
2. If a suspected security incident does not involve PII provided or verified
by SSA, the County Department/Agency shall notify DHCS promptly and
in no event later than one working day of discovery of:
a. Unsecured PII if the PII is reasonably believed to have been
accessed or acquired by an unauthorized person;
b. Any suspected security incident which risks unauthorized access to
PII; and/or
c. Any intrusion or unauthorized access, use, or disclosure of PII in
violation of this Agreement; or
d. Potential loss of PII affecting this Agreement.
Notice to DHCS shall include all information known at the time the incident
is reported. The County Department/Agency can submit notice via the
DHCS incident reporting portal which is available online at:
https://www.dhcs.ca.gov/formsandpubs/laws/priv/Pages/default.aspx
If DHCS' online incident reporting portal is unavailable, notice to DHCS
can instead be made via email using the DHCS Privacy Incident Report
(PIR) form. The email address to submit a PIR can be found on the PIR
and in subsection H of this section. The County Department/Agency shall
use the most current version of the PIR, which is available online at:
https://www.dhcs.ca.gov/formsandpubs/laws/priv/Documents/Privacy-Incident-Report-PIR.pdf
If the County Department/Agency is unable to notify DHCS via the
Incident Reporting Portal or email, notification can be made by telephone
using the contact information listed in subsection H.
A breach shall be treated as discovered by the County Department/Agency
as of the first day on which the breach is known, or by exercising reasonable
diligence would have been known, to any person (other than the person
committing the breach), who is an employee, officer or other agent of the
County Department.
Upon discovery of a breach, security incident, intrusion, or unauthorized
access, use, or disclosure of PII, the County Department/Agency shall
take:
1. Prompt corrective action to mitigate any risks or damages involved with
the security incident or breach; and
2. Any action pertaining to such unauthorized disclosure required by
applicable Federal and State laws and regulations.
B. Investigation of Security Incident or Breach. The County
Department/Agency shall immediately investigate such a security incident,
breach, or unauthorized use of PII.
C. Complete Report. Within ten (10)working days of the discovery the
County Department/Agency shall provide any additional information related
to the incident requested by DHCS. The County Department/Agency shall
make reasonable efforts to provide DHCS with such information.
The complete report must include an assessment of all known factors
relevant to a determination of whether a breach occurred under applicable
federal and state laws. The report shall include a full, detailed corrective
action plan (CAP) including mitigating measures that were taken to halt
and/or contain the improper use or disclosure.
If DHCS requests additional information related to the incident, the County
Department/Agency shall make reasonable efforts to provide DHCS with
such information. If necessary, the County Department/Agency shall submit
an updated report with revisions and/or additional information after the
Completed Report has been provided. DHCS will review and determine
whether a breach occurred and whether individual notification is required.
DHCS will maintain the final decision making over a breach determination.
D. Notification of Individuals. If the cause of a breach is solely attributable
to County Department/Agency or its agents, County Department/Agency
shall notify individuals accordingly and shall pay all costs of such
notifications as well as any costs associated with the breach. The
notifications shall comply with applicable federal and state law. DHCS shall
approve the time, manner, and content of any such notifications and their
review and approval must be obtained before the notifications are made.
DHCS and the County Department/Agency shall work together to ensure
that notification of individuals is done in compliance with statutory
deadlines within applicable federal and state law.
If the cause of a breach is solely attributable to CDSS, CDSS shall pay all
costs of such notifications as well as any costs associated with the breach.
If there is any question as to whether CDSS or the County
Department/Agency is responsible for the breach or CDSS and the County
Department/Agency acknowledge that both are responsible for the breach,
CDSS and the County Department/Agency shall jointly determine
responsibility for purposes of allocating the costs.
1. All notifications (regardless of breach status) regarding beneficiaries'
PII shall comply with the requirements set forth in Section 1798.29 of
the California Civil Code and Section 17932 of Title 42 of the United States
Code, inclusive of its implementing regulations, including but not limited
to the requirement that the notifications be made without unreasonable
delay and in no event later than sixty (60) calendar days from
discovery.
E. Responsibility for Reporting of Breaches
1. Breach Attributable to County Department/Agency. If the cause of a
breach of PII is attributable to the County Department/Agency or its
agents, subcontractors, or vendors, the County Department/Agency shall
be responsible for all required reporting of the breach.
2. Breach Attributable to CDSS. If the cause of the breach is attributable to
CDSS, CDSS shall be responsible for all required reporting of the breach.
F. Coordination of Reporting. When applicable law requires the breach be
reported to a federal or state agency, or that notice be given to media
outlets, DHCS (if the breach involves MEDS or SSA data), CDSS, and
the County Department/Agency shall coordinate to ensure such reporting
is compliant with applicable law and prevent duplicate reporting and to
jointly determine responsibility for purposes of allocating the costs of
such reports, if any.
G. Submission of Sample Notification to Attorney General: If the cause of
the breach is attributable to the County Department/Agency or an agent
subcontractor, or vendor of the County Department/Agency and if
notification to more than 500 individuals is required pursuant to California
Civil Code section 1798.29, regardless of whether County
Department/Agency is considered only a custodian and/or non-owner of
the PII, County Department/Agency shall, at its sole expense and at the
sole election of DHCS, either:
1. Electronically submit a single sample copy of the security breach
notification, excluding any personally identifiable information, to the
Attorney General pursuant to the format, content, and timeliness
provisions of Section 1798.29, subdivision (e). County
Department/Agency shall inform the DHCS Privacy Officer of the time,
manner, and content of any such submissions prior to the transmission
of such submissions to the Attorney General; or
2. Cooperate with and assist DHCS in its submission of a sample copy of
the notification to the Attorney General.
H. CDSS and DHCS Contact Information. The County Department/Agency shall
utilize the below contact information to direct all communication/notifications of
breach and security incidents to CDSS and DHCS. CDSS reserves the right to
make changes to the contact information by giving written notice to the County
Department/Agency. Said changes shall not require an amendment to this
Agreement or any other agreement into which it is incorporated.
CDSS Breach and Security Incident Reporting
California Department of Social Services
Information Security and Privacy Office
744 P Street, MS 9-10-59
Sacramento, CA 95814-6413
Email: GEN1370C@dss.ca.gov
Telephone: (916) 651-5558
The preferred method of communication is email, when available. Do not include any PII
unless requested by CDSS.
DHCS Breach and Security Incident Reporting
Privacy Officer
c/o Data Privacy Unit
Department of Health Care Services
P.O. Box 997413, MS 0011
Sacramento, CA 95899-7413
Email: incidents@dhcs.ca.gov
Telephone: (916) 445-4646
The preferred method of communication is email, when available. Do not include any PII
unless requested by DHCS.
IX. CDSS PSA CONTACTS
The County Department/Agency shall utilize the below contact information for any
PSA-related inquiries or questions. CDSS reserves the right to make changes to the
contact information by giving written notice to the County Department/Agency. Said
changes shall not require an amendment to this Agreement or any other agreement
into which it is incorporated. Please use the contact information listed in Section VIII
of this Agreement for any PII incident or breach reporting.
PSA Inquires and Questions
Department of Social Services
Information Security and Privacy Office - PSA
744 P Street, MS-10-59
Sacramento, CA 95814-6413
Email: iso@dss.ca.gov
X. COMPLIANCE WITH SSA AGREEMENT
The County Department/Agency agrees to comply with applicable privacy and security
requirements in the Computer Matching and Privacy Protection Act Agreement
(CMPPA) between SSA and the California Health and Human Services Agency
(CaIHHS), in the Information Exchange Agreement (IEA) between SSA and DHCS, and
in the Electronic Information Exchange Security Requirements and Procedures for
State and Local Agencies Exchanging Electronic Information with SSA (TSSR), which
are incorporated into this Agreement within section V. Technical Security Controls and
Exhibit A (available upon request).
If there is any conflict between a privacy and security standard in the CMPPA, IEA or
TSSR, and a standard in this Agreement, the most stringent standard shall apply. The
most stringent standard means the standard which provides the greatest protection to
PII.
If SSA changes the terms of its agreement(s) with CDSS, CDSS will, as soon as
reasonably possible after receipt, supply copies to County Welfare Directors
Association (CWDA) and the County Department/Agency or its designee as well as
CDSS' proposed target date for compliance. For a period of thirty (30) days, CDSS will
accept input from CWDA and the County Department/Agency or its designee on the
proposed target date and make adjustments, if appropriate. After the thirty (30) day
period, CDSS will submit the proposed target date to SSA, which will be subject to
adjustment by SSA. Once a target date for compliance is determined by SSA, CDSS
will supply copies of the changed agreement to CWDA and the County
Department/Agency or its designee, along with the compliance date expected by SSA.
If the County Department/Agency is not able to meet the SSA compliance date, the
County Department/Agency will be asked to develop a Plan of Action and Milestones
(POA&M) detailing a concrete roadmap to becoming fully compliant with the policy's
standard. The POA&M must be provided to CDSS for review and approval. Any County
Department/Agency who is under a POA&M will be required to provide quarterly updates
to CDSS until fully compliant.
A copy of Exhibit A can be requested by authorized County Department/Agency
individuals from CDSS using the contact information listed in Section IX of this
Agreement.
XI. COMPLIANCE WITH DEPARTMENT OF HOMELAND SECURITY AGREEMENT
The County Department/Agency agrees to comply with substantive privacy and
security requirements in the Computer Matching Agreement (CMA) between the
Department of Homeland Security, United States Citizenship and Immigration
Services (DHS-USCIS) and CDSS, which is hereby incorporated into this Agreement
(Exhibit B) and available upon request. If there is any conflict between a privacy and
security standard in the CMA and a standard in this Agreement, the most stringent
standard shall apply. The most stringent standard means the standard which provides
the greatest protection to PII.
If DHS-USCIS changes the terms of its agreement(s)with CDSS, CDSS will, as soon
as reasonably possible after receipt, supply copies to the CWDA and the County
Department/Agency or its designee as well as CDSS' proposed target date for
compliance. For a period of thirty(30) days, CDSS will accept input from CWDA and
the County Department/Agency or its designee on the proposed target date and make
adjustments, if appropriate. After the 30-day period, CDSS will submit the proposed
target date to DHS-USCIS, which will be subject to adjustment by DHS-USCIS. Once a
target date for compliance is determined by DHS-USCIS, CDSS will supply copies of
the changed agreement to CWDA and the County Department/Agency or its designee,
along with the compliance date expected by DHS-USCIS. If the County
Department/Agency is not able to meet the DHS-USCIS compliance date, a POA&M
must be provided to CDSS for review and approval. Any County Department/Agency
who is under a POA&M will be required to provide quarterly updates to CDSS until
fully compliant.
A copy of Exhibit B can be requested by authorized County Department/Agency
individuals from CDSS using the contact information listed in Section IX of this
Agreement.
XII. COUNTY DEPARTMENT'S/AGENCY'S AGENTS, SUBCONTRACTORS, AND
VENDORS
The County Department/Agency agrees to enter into written agreements with all agents,
subcontractors and vendors that have access to County Department/Agency PII. These
agreements will impose, at a minimum, the same restrictions and conditions that apply
to the County Department/Agency with respect to PII upon such agents,
subcontractors, and vendors. These shall include, (1) restrictions on disclosure of PII,
(2) conditions regarding the use of appropriate administrative, physical, and technical
safeguards to protect PII, and, where relevant, (3) the requirement that any breach,
security incident, intrusion, or unauthorized access, use, or disclosure of PII be reported
to the County Department/Agency. If the agents, subcontractors, and vendors of
County Department/Agency access data provided to CDSS and/or DHCS by SSA or
DHS-USCIS, the County Department/Agency shall also incorporate the Agreement's
Exhibits into each subcontract or subaward with agents, subcontractors, and vendors.
County Departments/Agencies who would like assistance or guidance with this
requirement are encouraged to contact CDSS via email at iso@dss.ca.gov.
XIII. ASSESSMENTS AND REVIEWS
In order to enforce this Agreement and ensure compliance with its provisions and
Exhibits, the County Department/Agency agrees to assist CDSS or DHCS (on behalf of
CDSS) in performing compliance assessments. These assessments may involve
compliance review questionnaires, and/or review of the facilities, systems, books, and
records of the County Department/Agency, with reasonable notice from CDSS or
DHCS. Such reviews shall be scheduled at times that take into account the operational
and staffing demands. The County Department/Agency agrees to promptly remedy all
violations of any provision of this Agreement and certify the same to the CDSS in
writing, or to enter into a POA&M with CDSS containing deadlines for achieving
compliance with specific provisions of this Agreement.
XIV. ASSISTANCE IN LITIGATION OR ADMINISTRATIVE PROCEEDINGS
In the event of litigation or administrative proceedings involving CDSS based upon
claimed violations by the County Department/Agency of the privacy or security of
PII or of federal or state laws or agreements concerning privacy or security of PII, the
County Department/Agency shall make all reasonable effort to make itself and County
Workers assisting in the administration of their program and using or disclosing PII
available to CDSS at no cost to CDSS to testify as witnesses. CDSS shall also make
all reasonable efforts to make itself and any subcontractors, agents, and employees
available to the County Department/Agency at no cost to the County
Department/Agency to testify as witnesses, in the event of litigation or administrative
proceedings involving the County Department/Agency based upon claimed violations
by CDSS of the privacy or security of PII or of state or federal laws or agreements
concerning privacy or security of PII.
XV. AMENDMENT OF AGREEMENT
CDSS and the County Department/Agency acknowledge that federal and state laws
relating to data security and privacy are rapidly evolving and that amendment of this
Agreement may be required to ensure compliance with such changes. Upon request
by CDSS, the County Department/Agency agrees to promptly enter into negotiations
with CDSS concerning an amendment to this Agreement as may be needed by
changes in federal and state laws and regulations or NIST 800-53. In addition to any
other lawful remedy, CDSS may terminate this Agreement upon 30 days written notice
if the County Department/Agency does not promptly agree to enter into negotiations to
amend this Agreement when requested to do so or does not enter into an amendment
that CDSS deems necessary.
XVI. TERMINATION
This Agreement shall terminate on September 1, 2028, regardless of the date the
Agreement is executed by the parties. The parties can agree in writing to extend the
term of the Agreement. County Department/Agency's requests for an extension shall
be approved by CDSS and limited to no more than a six (6) month extension.
A. Survival: All provisions of this Agreement that provide restrictions on
disclosures of PII and that provide administrative, technical, and physical
safeguards for the PII in the County Department/Agency's possession shall
continue in effect beyond the termination or expiration of this Agreement and
shall continue until the PII is destroyed or returned to CDSS.
XVII. TERMINATION FOR CAUSE
Upon CDSS' knowledge of a material breach or violation of this Agreement by the
County Department/Agency, CDSS may provide an opportunity for the County
Department/Agency to cure the breach or end the violation and may terminate this
Agreement if the County Department/Agency does not cure the breach or end the
violation within the time specified by CDSS. This Agreement may be terminated
immediately by CDSS if the County Department/Agency has breached a material
term and CDSS determines, in its sole discretion, that cure is not possible or
available under the circumstances. Upon termination of this Agreement, the County
Department/Agency shall return or destroy all PII in accordance with Section VII,
above. The provisions of this Agreement governing the privacy and security of the
PII shall remain in effect until all PII is returned or destroyed and CDSS receives a
certificate of destruction.
XVIII. SIGNATORIES
The signatories below warrant and represent that they have the competent authority
on behalf of their respective agencies to enter into the obligations set forth in this
Agreement.
The authorized officials whose signatures appear below have committed their
respective agencies to the terms of this Agreement. The contract is effective no later
than ten calendar weeks after the date this ACL was issued.
For the County of Fresno
Department/Agency of Social Services
(Signature) (Date)
Ernest Buddy Mendes, Chairman of the Board of Supervisors of the County of Fresno
(Name) (Title)
ATTEST: Bernice E. Seidel, Clerk of the Board of Supervisors, County of Fresno, State of California, by Deputy
For the California Department of Social Services
(Signature) 10/17/2025 (Date)
Sharon Hoshiyama, Staff Services Manager II, Contracts and Procurement Services Branch
(Name) (Title)
EXHIBIT A
Exhibit A consists of the current versions of the following documents, copies of which
can be requested by the County Department/Agency information security and privacy
staff, or other authorized county official from CDSS by using the contact information
listed in Section IX of this Agreement.
• Computer Matching and Privacy Protection Act Agreement between the SSA
and California Health and Human Services Agency
• Information Exchange Agreement between SSA and DHCS
• Electronic Information Exchange Security Requirements and Procedures
for State and Local Agencies Exchanging Electronic Information with the
SSA (TSSR)
EXHIBIT B
Exhibit B consists of the current version of the following document, a copy of which
can be requested by the County Department/Agency information security and privacy
staff, or other authorized county official from CDSS by using the contact information
listed in Section IX of this Agreement.
• Computer Matching Agreement between the Department of Homeland Security,
United States Citizenship and Immigration Services (DHS-USCIS) and
California Department of Social Services (CDSS)
EXHIBIT C
Exhibit C consists of the current version of the SIMM-5300-A, a copy of which can be
requested by the County Department/Agency information security and privacy staff, or
other authorized county official from CDSS by using the contact information listed in
Section IX of this Agreement. The SIMM-5300-A can be used as guidance for
implementing security controls found in NIST SP 800-53.