95.621—ADP reviews.
The Department will conduct periodic onsite surveys and reviews of State and local agency ADP methods and practices to determine the adequacy of such methods and practices and to assure that ADP equipment and services are utilized for the purposes consistent with proper and efficient administration under the Act. Where practical, the Department will develop a mutually acceptable schedule between the Department and State or local agencies prior to conducting such surveys or reviews, which may include but are not limited to:
(a) Pre-installation readiness.
A pre-installation survey including an onsite evaluation of the physical site and the agency's readiness to productively use the proposed ADP services, equipment or system when installed and operational.
(b) Post-installation.
A review conducted after installation of ADP equipment or systems to assure that the objectives for which FFP was approved are being accomplished.
(c) Utilization.
A continuing review of ADP facilities to determine whether or not the ADP equipment or services are being efficiently utilized in support of approved programs or projects.
(d) Acquisitions not subject to prior approval.
Reviews will be conducted on an audit basis to assure that system and equipment acquisitions costing less than $200,000 were made in accordance with 45 CFR part 74 and the conditions of this subpart and to determine the efficiency, economy and effectiveness of the equipment or system.
(e) State Agency Maintenance of Service Agreements.
(1)
The State agency will maintain a copy of each service agreement in its files for Federal review.
(2)
A State agency that did not obtain prior approval of a service agreement, as required by § 95.611(b)(2) as it was in effect from December 28, 1978 (unless a State chose to exercise the option to make it effective as early as September 29, 1978) through January 19, 1987, is eligible for FFP claimed for services furnished by other State or local agencies under that agreement if:
(ii)
It meets the definition of a service agreement as it was defined in section 95.605 from December 28, 1978 through January 19, 1987;
(f) ADP System Security Requirements and Review Process—
(1) ADP System Security Requirement.
State agencies are responsible for the security of all ADP projects under development, and operational systems involved in the administration of HHS programs. State agencies shall determine the appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information processing.
(i)
Determination and implementation of appropriate security requirements as specified in paragraph (f)(1) of this section.
(ii)
Establishment of a security plan and, as appropriate, policies and procedures to address the following areas of ADP security:
(F)
Contingency plans to meet critical processing needs in the event of short or long-term interruption of service;
(iii)
Periodic risk analyses. State agencies must establish and maintain a program for conducting periodic risk analyses to ensure that appropriate, cost effective safeguards are incorporated into new and existing systems. State agencies must perform risk analyses whenever significant system changes occur.
(3) ADP System Security Reviews.
State agencies shall review the ADP system security of installations involved in the administration of HHS programs on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security operating procedures, and personnel practices.
(4)
Costs incurred in complying with provisions of paragraphs (f)(1)-(3) of this section are considered regular administrative costs which are funded at the regular match rate.
(5)
The security requirements of this section apply to all ADP systems used by State and local governments to administer programs covered under 45 CFR part 95, subpart F.
(6)
The State agency shall maintain reports of their biennial ADP system security reviews, together with pertinent supporting documentation, for HHS on-site review.
[43 FR 44853, Sept. 29, 1978, as amended at 51 FR 45329, Dec. 18, 1986; 53 FR 27, Jan. 4, 1988; 55 FR 4378, Feb. 7, 1990; 61 FR 39898, July 31, 1996]