Working with government agencies always involves some form of security, which is extremely important for handling federal data, no matter the reason. So, when enterprises want to access information from the SSA Limited Access Death Master File (LADMF), there are certain expectations for these businesses.
What Is the Limited Access Death Master File (LADMF)?
The Social Security Administration (SSA) manages one of the (most likely) largest databases of private information in the U.S. This database is critical in managing social security benefits for millions of working Americans, and the database must remain accurate and secure.
One of the significant pieces of this database is the Limited Access Death Master File (LADMF). The LADMF is a record of “over 85 million” death records, from the start of social security in 1936 until the present, that includes private identifiable information like birth and death dates, social security numbers, and other connecting info.
At its heart, the LADMF is a record for the SSA to determine who should still receive their benefits and who, due to death, should not. Furthermore, other government agencies and associated contractors will use the list to detect fraudulent benefit collection or insurance claims, aid in the authentication of life insurance claims, and support efforts to allocate estate property or other matters of legal interest.
It’s probably not shocking that the government has several laws and regulations to protect this data from external theft, including during any outside access from another agency or third party. However, this wasn’t always the case.
Before 2014, it was relatively easy for a business to access the file… with a demonstrated business need for the list, plus a fee, an enterprise could literally download the file from the Internet.
After passing the Bipartisan Budget Act in 2013, the Department of Commerce developed a certification program to help provide a level of third-party security and risk management to protect this data. The managing agency of the LADMF, the National Technical Information Service (NTIS), was now expected to set requirements for organizations to self-certify their systems while also undergoing regular audits, both scheduled and unscheduled.
What Makes Up LADMF Compliance?
The core of LADMF certification is NTIS Publication 100, “Limited Access Death Master File Certification Program.” This document outlines the responsibilities and requirements of any organization that wants to download, store, or transmit the LADMF list.
The purpose of this document is to guide organizations or members of organizations to become “Certified Persons,” or parties that have demonstrated compliance with these requirements to the satisfaction of an Accredited Conformity Assessment Body (more on this later).
These requirements include:
Limited Access to Authorized Users
Any Certified Person must demonstrate that they can maintain the confidentiality of private data, submit that proof to an ACAB, and do so with periodic audits, including unscheduled audits.
Audits and Reviews
An audit must be performed by an “objective, impartial, and independent” party. The auditor will provide an attestation that your organization can provide secure data storage, restrict access to the DMF data, dispose of DMF information as needed, and adhere to the Information security guidance in the document.
Limited Access to Storage
Your organization must restrict unauthorized access to DMF information. This includes implementing measures such as:
- Restricted Area Access: This includes restricting physical access to locations where systems storing DMF are located. Locked doors, credentialed security access, authorized user lists, and visitor logs are all part of restricted area access measures.
- Limited Access DMF in Transit: If DMF is moved physically via paper records, USB devices, or other digital media, it must be done so only by users that will maintain its security. It must also be sealed in a confidential envelope to indicate potential tampering.
- Physical Security of Computers: Devices or storage media containing DMF information must be locked or made inaccessible when not in use. Furthermore, the devices must utilize encryption and appropriate authentication methods to protect that data should the device be stolen.
- Telework Locations: If employees within your organization are authorized to handle DMF information but work at off-site locations (such as remotely from home), they may do so if they have compliant technology and security in place.
Restricting Access to Limited Access DMF Information
Certified Persons should protect access to DMF information more broadly during its use or processing. The aspects of this requirement include:
- Training: In short, all authorized persons must have appropriate training in accessing and handling DMF information, and your organization should have a training program to this effect. This will include disclosure awareness training specifically for DMF.
- Internal Inspections: Organizations should periodically conduct internal assessments to ensure that DMF information remains protected from unauthorized disclosure. These inspections of privacy controls should follow a regular schedule, spanning from 1-2 years, depending on the office and type of use.
Disposing of Limited Access DMF Information
Organizations are expected to practice compliant archival or disposal methods once they’ve finished using the data for whatever purpose they had for requesting it.
- Disposing of Limited Access DMF Information at End of Subscription: Your organization doesn’t need to return DMF information after use. However, should they continue to use it, they must continue to follow guidelines for three years following their last DMF list update. Furthermore, if the organization isn’t going to use that information anymore, then it is recommended that they destroy or securely archive it.
- Destruction: Electronic data must be sanitized or destroyed according to guidelines (physical destruction, magnetic degaussing, etc.). Any removable or disk media used to store DMF information may not be used at all without electromagnetic erasure. Physical media like paper records or photographs must be burned or shredded to render them unreadable and unusable.
Information Security
NTIS 100 defines the specific requirements that support the above-listed guidelines. This section lists and defines an in-depth catalog of security and privacy controls and practices. These controls cover areas like Account Management, Media Sanitation, Remote Access controls, Configuration Management, Penetration Testing, Configuration Management, and other categories.
Record-Keeping Requirements
All Certified Persons must retain data related to the request, storage, and use of DMF information for a minimum of 5 years. This includes any correspondence with NTIS or your ACAB auditor.
Get Certified for DMF with Lazarus Alliance
Lazarus Alliance is an established, experienced security firm versed in private and public-sector frameworks and regulations. We use the NIST Framework for Improving Critical Infrastructure Cybersecurity, alongside NTIS 100, to guide our audits and attestations for the Limited Access Death Master File. We can also help you streamline these audits by pulling forward already-existing certifications and assets from other audits.
Are You Preparing to Access the Limited Access DMF?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.
What Is Autonomous Malware?
We’re reaching the end of 2025, and looking ahead to 2026, most experts are discussing the latest threats that will shape the year ahead. This year, we’re seeing a new, but not unexpected, shift to autonomous threats driven by state-sponsored actors and AI. With that in mind, a new generation of threats, broadly known as...Continue reading→
What CISA’s Emergency Directive 26-01 Means for Everyone
In mid-October 2025, the CISA issued one of its most urgent orders yet: Emergency Directive 26-01. The directive calls on all Federal Civilian Executive Branch (FCEB) agencies to immediately mitigate vulnerabilities in devices from F5 Networks following a state-sponsored breach of F5’s systems and access to portions of BIG-IP source code and vulnerability data. The event...Continue reading→
Cybersecurity and Vetting AI-Powered Tools
A recent exploit involving a new AI-focused browser shone a light on a critical problem–namely, that browser security is a constant issue, and AI is just making that threat more pronounced. Attackers discovered a way to use that browser’s memory features to implant hidden instructions inside an AI assistant. Once stored, those instructions triggered unwanted...Continue reading→
Shutdown Security And Cyber Vulnerability
When the federal government shuts down, the public sees closed monuments, unpaid workers, and halted programs. What they do not see is the silent surge of cyberattacks targeting agencies already operating on fumes. During the most recent shutdown, attacks against U.S. government systems spiked by nearly 85%. Cybersecurity failures during government disruptions rarely start with...Continue reading→
Identity and the Shift from Malware
The world of cyber threats is rapidly evolving, and while we can see these changes more generally, it’s always crucial to understand them concretely. As the 2025 CrowdStrike Global Threat Report shows us, the landscape of our industry is changing. We’re digging into this report to discuss a challenging trend: the move of hackers foregoing...Continue reading→
Maintaining Compliance Against Prompt Injection Attacks
The increasing adoption of AI by businesses introduces security risks that current cybersecurity frameworks are not prepared to address. A particularly complex emerging threat is prompt injection attacks. These attacks manipulate the integrity of large language models and other AI systems, potentially compromising security protocols and legal compliance. Organizations adopting AI must have a plan...Continue reading→
Are We Already Talking About CMMC 3.0?
The ink has barely dried on the CMMC final rule, and already the defense contracting community is buzzing with speculation about what comes next. Just when contractors thought they had a moment to catch their breath after years of regulatory limbo, whispers of CMMC 3.0 have begun circulating through the industry. But is this just...Continue reading→
Centralizing Identity-Based Risk
As the traditional network boundary dissolves and remote work becomes standard practice, identities are the major frontier for security. Whether we’re talking about human users, service accounts, or machine identities, these have emerged as both the primary access mechanism and the most targeted attack vector. It has become imperative for providers to centralize identity management...Continue reading→
Deviation and Significant Change Requests in FedRAMP: A Comprehensive Guide
FedRAMP provides a standardized approach to security assessment, authorization, and continuous monitoring for cloud products and services used by federal agencies. While the program’s rigorous baseline requirements ensure consistent security, the reality is that this consistency calls for a little flexibility. This is where deviation requests and significant change requests come into play. These two...Continue reading→
The Costs of Compliance and Data Breaches
Data is possibly one of the most valuable assets any organization holds. Customer information, employee records, and proprietary business intelligence present challenges because the data flowing through modern enterprises represents both significant opportunities and serious risks. Businesses face a challenging balance: investing in compliance measures to protect sensitive information while also preparing for the real...Continue reading→
Related Posts