Working with government agencies always involves some form of security, which is extremely important for handling federal data, no matter the reason. So, when enterprises want to access information from the SSA Limited Access Death Master File (LADMF), there are certain expectations for these businesses.
What Is the Limited Access Death Master File (LADMF)?
The Social Security Administration (SSA) manages one of the (most likely) largest databases of private information in the U.S. This database is critical in managing social security benefits for millions of working Americans, and the database must remain accurate and secure.
One of the significant pieces of this database is the Limited Access Death Master File (LADMF). The LADMF is a record of “over 85 million” death records, from the start of social security in 1936 until the present, that includes private identifiable information like birth and death dates, social security numbers, and other connecting info.
At its heart, the LADMF is a record for the SSA to determine who should still receive their benefits and who, due to death, should not. Furthermore, other government agencies and associated contractors will use the list to detect fraudulent benefit collection or insurance claims, aid in the authentication of life insurance claims, and support efforts to allocate estate property or other matters of legal interest.
It’s probably not shocking that the government has several laws and regulations to protect this data from external theft, including during any outside access from another agency or third party. However, this wasn’t always the case.
Before 2014, it was relatively easy for a business to access the file… with a demonstrated business need for the list, plus a fee, an enterprise could literally download the file from the Internet.
After passing the Bipartisan Budget Act in 2013, the Department of Commerce developed a certification program to help provide a level of third-party security and risk management to protect this data. The managing agency of the LADMF, the National Technical Information Service (NTIS), was now expected to set requirements for organizations to self-certify their systems while also undergoing regular audits, both scheduled and unscheduled.
What Makes Up LADMF Compliance?
The core of LADMF certification is NTIS Publication 100, “Limited Access Death Master File Certification Program.” This document outlines the responsibilities and requirements of any organization that wants to download, store, or transmit the LADMF list.
The purpose of this document is to guide organizations or members of organizations to become “Certified Persons,” or parties that have demonstrated compliance with these requirements to the satisfaction of an Accredited Conformity Assessment Body (more on this later).
These requirements include:
Limited Access to Authorized Users
Any Certified Person must demonstrate that they can maintain the confidentiality of private data, submit that proof to an ACAB, and do so with periodic audits, including unscheduled audits.
Audits and Reviews
An audit must be performed by an “objective, impartial, and independent” party. The auditor will provide an attestation that your organization can provide secure data storage, restrict access to the DMF data, dispose of DMF information as needed, and adhere to the Information security guidance in the document.
Limited Access to Storage
Your organization must restrict unauthorized access to DMF information. This includes implementing measures such as:
- Restricted Area Access: This includes restricting physical access to locations where systems storing DMF are located. Locked doors, credentialed security access, authorized user lists, and visitor logs are all part of restricted area access measures.
- Limited Access DMF in Transit: If DMF is moved physically via paper records, USB devices, or other digital media, it must be done so only by users that will maintain its security. It must also be sealed in a confidential envelope to indicate potential tampering.
- Physical Security of Computers: Devices or storage media containing DMF information must be locked or made inaccessible when not in use. Furthermore, the devices must utilize encryption and appropriate authentication methods to protect that data should the device be stolen.
- Telework Locations: If employees within your organization are authorized to handle DMF information but work at off-site locations (such as remotely from home), they may do so if they have compliant technology and security in place.
Restricting Access to Limited Access DMF Information
Certified Persons should protect access to DMF information more broadly during its use or processing. The aspects of this requirement include:
- Training: In short, all authorized persons must have appropriate training in accessing and handling DMF information, and your organization should have a training program to this effect. This will include disclosure awareness training specifically for DMF.
- Internal Inspections: Organizations should periodically conduct internal assessments to ensure that DMF information remains protected from unauthorized disclosure. These inspections of privacy controls should follow a regular schedule, spanning from 1-2 years, depending on the office and type of use.
Disposing of Limited Access DMF Information
Organizations are expected to practice compliant archival or disposal methods once they’ve finished using the data for whatever purpose they had for requesting it.
- Disposing of Limited Access DMF Information at End of Subscription: Your organization doesn’t need to return DMF information after use. However, should they continue to use it, they must continue to follow guidelines for three years following their last DMF list update. Furthermore, if the organization isn’t going to use that information anymore, then it is recommended that they destroy or securely archive it.
- Destruction: Electronic data must be sanitized or destroyed according to guidelines (physical destruction, magnetic degaussing, etc.). Any removable or disk media used to store DMF information may not be used at all without electromagnetic erasure. Physical media like paper records or photographs must be burned or shredded to render them unreadable and unusable.
NTIS 100 defines the specific requirements that support the above-listed guidelines. This section lists and defines an in-depth catalog of security and privacy controls and practices. These controls cover areas like Account Management, Media Sanitation, Remote Access controls, Configuration Management, Penetration Testing, Configuration Management, and other categories.
All Certified Persons must retain data related to the request, storage, and use of DMF information for a minimum of 5 years. This includes any correspondence with NTIS or your ACAB auditor.
Get Certified for DMF with Lazarus Alliance
Lazarus Alliance is an established, experienced security firm versed in private and public-sector frameworks and regulations. We use the NIST Framework for Improving Critical Infrastructure Cybersecurity, alongside NTIS 100, to guide our audits and attestations for the Limited Access Death Master File. We can also help you streamline these audits by pulling forward already-existing certifications and assets from other audits.
Are You Preparing to Access the Limited Access DMF?
Call Lazarus Alliance at 1-888-896-7580 or fill in this form.