[Code of Federal Regulations]
[Title 45, Volume 1]
[Revised as of October 1, 2007]
From the U.S. Government Printing Office via GPO Access
[CITE: 45CFR95.621]

[Page 484-485]
 
                        TITLE 45--PUBLIC WELFARE
 
                           AND HUMAN SERVICES
 
PART 95--GENERAL ADMINISTRATION--GRANT PROGRAMS (PUBLIC ASSISTANCE,
MEDICAL ASSISTANCE AND STATE CHILDREN'S HEALTH
 
 Subpart F--Automatic Data Processing Equipment and Services--Conditions 
                for Federal Financial Participation (FFP)
 
Sec. 95.621  ADP reviews.

    The Department will conduct periodic onsite surveys and reviews of 
State and local agency ADP methods and practices to determine the 
adequacy of such methods and practices and to assure that ADP equipment 
and services are utilized for the purposes consistent with proper and 
efficient administration under the Act. Where practical, the Department 
will develop a mutually acceptable schedule between the Department and 
State or local agencies prior to conducting such surveys or reviews, 
which may include but are not limited to:
    (a) Pre-installation readiness. A pre-installation survey including 
an onsite evaluation of the physical site and the agency's readiness to 
productively use the proposed ADP services, equipment or system when 
installed and operational.
    (b) Post-installation. A review conducted after installation of ADP 
equipment or systems to assure that the objectives for which FFP was 
approved are being accomplished.
    (c) Utilization. A continuing review of ADP facilities to determine 
whether or not the ADP equipment or services are being efficiently 
utilized in support of approved programs or projects.
    (d) Acquisitions not subject to prior approval. Reviews will be 
conducted on an audit basis to assure that system and equipment 
acquisitions costing less than $200,000 were made in accordance with 45 
CFR part 74 and the conditions of this subpart and to determine the 
efficiency, economy and effectiveness of the equipment or system.
    (e) State Agency Maintenance of Service Agreements. (1) The State 
agency will maintain a copy of each service agreement in its files for 
Federal review.
    (2) A State agency that did not obtain prior approval of a service 
agreement, as required by Sec. 95.611(b)(2) as it was in effect from 
December 28, 1978 (unless a State chose to exercise the option to make 
it effective as early as September 29, 1978) through January 19, 1987, 
is eligible for FFP claimed for services furnished by other State or 
local agencies under that agreement if:
    (i) The State agency has a copy of it in its files for Federal 
review;
    (ii) It meets the definition of a service agreement as it was 
defined in section 95.605 from December 28, 1978 through January 19, 
1987;
    (iii) The claim conforms to the timely claim provisions of 45 CFR 
part 95, subpart A; and
    (iv) The service agreement was not previously disapproved by HHS.
    (f) ADP System Security Requirements and Review Process--(1) ADP 
System Security Requirement. State agencies are responsible for the 
security of all ADP projects under development, and operational systems 
involved in the administration of HHS programs. State agencies shall 
determine the appropriate ADP security requirements based on recognized 
industry standards or standards governing security of Federal ADP 
systems and information processing.
    (2) ADP Security Program. State ADP Security requirements shall 
include the following components:
    (i) Determination and implementation of appropriate security 
requirements as specified in paragraph (f)(1) of this section.
    (ii) Establishment of a security plan and, as appropriate, policies 
and procedures to address the following areas of ADP security:
    (A) Physical security of ADP resources;
    (B) Equipment security to protect equipment from theft and 
unauthorized use;
    (C) Software and data security;
    (D) Telecommunications security;
    (E) Personnel security;
    (F) Contingency plans to meet critical processing needs in the event 
of short or long-term interruption of service;
    (G) Emergency preparedness; and,
    (H) Designation of an Agency ADP Security Manager.
    (iii) Periodic risk analyses. State agencies must establish and 
maintain a program for conducting periodic risk analyses to ensure that 
appropriate, cost effective safeguards are incorporated into new and 
existing systems. State agencies must perform risk analyses whenever 
significant system changes occur.
    (3) ADP System Security Reviews. State agencies shall review the ADP 
system security of installations involved in the administration of HHS 
programs on a biennial basis. At a minimum, the reviews shall include an 
evaluation of physical and data security operating procedures, and 
personnel practices.
    (4) Costs incurred in complying with provisions of paragraphs 
(f)(1)-(3) of this section are considered regular administrative costs 
which are funded at the regular match rate.
    (5) The security requirements of this section apply to all ADP 
systems used by State and local governments to administer programs 
covered under 45 CFR part 95, subpart F.
    (6) The State agency shall maintain reports of their biennial ADP 
system security reviews, together with pertinent supporting 
documentation, for HHS on-site review.

[43 FR 44853, Sept. 29, 1978, as amended at 51 FR 45329, Dec. 18, 1986; 
53 FR 27, Jan. 4, 1988; 55 FR 4378, Feb. 7, 1990; 61 FR 39898, July 31, 
1996]