ACAB LADMF Certification Assessment
In 2016, the Social Security Administration suddenly began requiring security certification for companies accessing the SSA Death Master File. In response, LBMC Information Security became one of the first companies offering ACAB certification assessments.
Today, we remain one of the most experienced LADMF certification firms in the nation. LBMC Information Security uses the NIST Framework for Improving Critical Infrastructure Cybersecurity and the NTIS Limited Access Death Master File (LADMF) Certification Program Publication 100 as guidelines to satisfy the requirements of the rule. In accordance with NTIS Limited Access Death Master File Certification Program Publication 100, LBMC Security & Risk Services evaluates criteria to include:
- Information Secure Storage
- Restricting Access to LADMF Information
- Disposing of Limited Access DMF Information
- Information Security guidance in accordance with ACAB requirements
Additionally, we conduct an initial scoping of the environment, in which we determine, based on how and where the LADMF is handled, the extent to which we can “pull-forward” testing results from any previous assessments. Upon completion of the assessment, and upon the satisfactory completion of any associated remediation efforts, LBMC Information Security submits a completed LADMF ACAB Systems Safeguards Attestation Form (Form NTIS FM100A) to the NTIS on our client’s behalf, in accordance with NTIS procedures.
What is ACAB LADMF?
What is ACAB?
Accredited Conformity Assessment Body
What is LADMF?
Limited Access Death Master File
What is SSA?
Social Security Administration
What is NTIS?
National Technical Information Service
What is NIST?
The National Institute of Standards and Technology at the U.S. Department of Commerce.
ACAB and LADMF Compliance: Rules for Accessing Data of the Deceased
Organizations that use government data to monitor and track deaths in the U.S. know it is no longer the simple process it once was. The Death Master File data, governed by the U.S. Department of Commerce National Technical Information Service (NTIS), is commonly referenced by healthcare providers, insurance companies, and financial institutions, among others, to identify concerns such as expired account holders and fraudulent activities.
This data used to be obtained from NTIS through a formal, yet uncomplicated, request process. Now, however, regulations have gone into effect with the intent of ensuring secure and responsible handling of this data, and they have created additional regulatory compliance requirements for requestors.
The NTIS cybersecurity standards were called for as part of the 2013 Bipartisan Budget Act and ultimately were established through a final rule published on November 28, 2016. The new rule prohibits the Secretary of Commerce from disclosing Death Master File (DMF) information during the three-calendar-year period following an individual’s death (the “Limited Access DMF or LADMF”). The only entities who can access this data must be certified to receive that information.
In short, organizations requesting access to LADMF data must:
- Attest to the security of the systems and processes utilized in the acquisition and management of this data.
- Obtain an assessment by a reputable independent party, otherwise known as an Accredited Conformity Assessment Body (ACAB), against an established cybersecurity standard.
- Ensure the submitted assessment is in line with the security control requirements documented in the LADMF Certification Program (Publication 100). The security controls listed in Publication 100 are “not intended to be prescriptive,” and the results of an assessment against other established standards, or performed in the course of satisfying other regulations, can satisfy the LADMF security and safeguard requirements.
- Have the assessor submit an attestation form to the NTIS on behalf of the applicant, after which, subject to acceptance of the attestation and associated fees, the applicant is provided access to LADMF data.
Fortunately, this assessment can be addressed as a component of other security assessment programs and, according to the NTIS website, must only be completed every three years in addition to annual certification and fee requirements.
Whether organizations choose to assess their LADMF program directly or as part of other organizational security assessments, choosing the right partner to serve as their ACAB is important. LBMC Information Security is an Accredited Conformity Assessment Body. To request a private briefing, or for questions about the NTIS LADMF certification program, contact us today.