For Public Use
Page 15 of 31
Universal Service Administrative Co. | Lifeline and ACP BPO and Call Center Services | Request for Proposals (RFP)
government cloud-based environment. Regardless of hosting approach, the solution must be able
to achieve FISMA accreditation prior to going live.
Personally Identifiable Information (“PII”)
Contractor’s information systems, applications and processes shall be approved by USAC’s
security team. Contractor shall write, review, and update an assessment of all applicable Federal
mandates, including, but not limited to, FISMA and the most recently released revision of NIST SP
800-53 (Security and Privacy Controls for Information Systems and Organizations), Revision 5 or
later, including its privacy controls (Revision 5 integrates the privacy controls into the main
control catalog; Revision 4 carried them separately in Appendix J), to ensure adherence to NIST,
FISMA, OMB, FCC, USAC, and other industry-accepted standards. Data and documentation collected
will include personally identifiable information (“PII”), including names, addresses, email
addresses, phone numbers and commercial banking information, as well as other confidential
business information. PII shall be protected in accordance with all federal and USAC requirements,
including, but not limited to, the most current revision of the following: OMB Circular No. A-130,
OMB Memorandum M-06-16, and guidance from NIST, including NIST SP 800-53 Rev. 5 and NIST SP
800-122 (Guide to Protecting the Confidentiality of Personally Identifiable Information). All
privacy and/or security-related incidents, including, but not limited to, the disclosure of PII,
shall be tracked in accordance with the Incident Response (“IR”) control family of NIST SP 800-53
Revision 5 or later and NIST SP 800-61, and consistent with the requirements of OMB Memorandum
M-17-12 (Preparing for and Responding to a Breach of Personally Identifiable Information), or the
most current revisions of the aforementioned documents. The Incident Response Plan (“IRP”) shall
include reporting to USAC’s Privacy Officer and to USAC’s Director of Information Security or
designated representative within one (1) hour of any breach or suspected breach of PII. Failure to
notify USAC’s aforementioned representatives will result in USAC receiving a service level credit
as outlined in Attachment 4 (SLA Template).
Encryption and Secure Storage
Contractor shall ensure that USAC Data, Confidential Information, and PII are encrypted at all
times using cryptographic modules validated under Federal Information Processing Standard (FIPS)
140-3. This encryption requirement covers both Data at Rest (e.g., stored on a hard drive, CD,
DVD, thumb drive, or similar media) and Data in Transit (e.g., sent via email or other electronic
means). Any PII that is retained in any format must be stored in a secured location with limited
access. The standard for disposal of PII requires practices adequate to protect against
unauthorized access to or use of the PII, including at minimum shredding or burning papers
containing PII and securely erasing (using U.S. Department of Defense sanitization standards, the
media sanitization methods in NIST SP 800-88, or the equivalent) electronic files and other media
containing PII.
Contractor Vulnerabilities