The Department will conduct periodic onsite surveys and reviews of State and local agency ADP methods and practices to determine the adequacy of such methods and practices and to assure that ADP equipment and services are utilized for the purposes consistent with proper and efficient administration under the Act. Where practical, the Department will develop a mutually acceptable schedule between the Department and State or local agencies prior to conducting such surveys or reviews, which may include but are not limited to:

(a) Pre-installation readiness. A pre-installation survey including an onsite evaluation of the physical site and the agency's readiness to productively use the proposed ADP services, equipment or system when installed and operational.

(b) Post-installation. A review conducted after installation of ADP equipment or systems to assure that the objectives for which FFP was approved are being accomplished.

(c) Utilization. A continuing review of ADP facilities to determine whether or not the ADP equipment or services are being efficiently utilized in support of approved programs or projects.

(d) Acquisitions not subject to prior approval. Reviews will be conducted on an audit basis to assure that system and equipment acquisitions costing less than $200,000 or acquisitions exempted from prior approval were made in accordance with part 75 and the conditions of this subpart and to determine the efficiency, economy and effectiveness of the equipment or service.

(e) State Agency Maintenance of Service Agreements. The State agency will maintain a copy of each service agreement in its files for Federal review.

(f) ADP System Security Requirements and Review Process

(1) ADP System Security Requirement. State agencies are responsible for the security of all ADP projects under development, and operational systems involved in the administration of HHS programs. State agencies shall determine the appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information processing.

(2) ADP Security Program. State ADP Security requirements shall include the following components:

(i) Determination and implementation of appropriate security requirements as specified in paragraph (f)(1) of this section.

(ii) Establishment of a security plan and, as appropriate, policies and procedures to address the following area of ADP security:

(A) Physical security of ADP resources;

(B) Equipment security to protect equipment from theft and unauthorized use;

(C) Software and data security;

(D) Telecommunications security;

(E) Personnel security;

(F) Contingency plans to meet critical processing needs in the event of short or long-term interruption of service;

(G) Emergency preparedness; and,

(H) Designation of an Agency ADP Security Manager.

(iii) Periodic risk analyses. State agencies must establish and maintain a program for conducting periodic risk analyses to ensure that appropriate, cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur.

(3) ADP System Security Reviews. State agencies shall review the ADP system security of installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices.

(4) Costs incurred in complying with provisions of paragraphs (f)(1)-(3) of this section are considered regular administrative costs which are funded at the regular match rate.

(5) The security requirements of this section apply to all ADP systems used by State and local governments to administer programs covered under 45 CFR part 95, subpart F.

(6) The State agency shall maintain reports of their biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site review.

[43 FR 44853, Sept. 29, 1978, as amended at 51 FR 45329, Dec. 18, 1986; 53 FR 27, Jan. 4, 1988; 55 FR 4378, Feb. 7, 1990; 61 FR 39898, July 31, 1996; 75 FR 66340, Oct. 28, 2010; 81 FR 3020, Jan. 20, 2016]


Tried the LawStack mobile app?

Join thousands and try LawStack mobile for FREE today.

  • Carry the law offline, wherever you go.
  • Download CFR, USC, rules, and state law to your mobile device.