Establishment of an Automated Data Processing (ADP) and Information Retrieval System.
(a) Scope and application.
This section establishes conditions for initial and continuing authority to claim Federal financial participation (FFP) for the costs of the planning, development, acquisition, installation and implementation of ADP equipment and services used in the administration of the Food Stamp Program. Due to the nature of the procurement of ADP equipment and services, current State agency approved cost allocation plans for ongoing operational costs shall not apply to ADP system development costs under this section unless documentation required under paragraph (c) of this section is submitted to and approvals are obtained from FNS.
Acceptance Documents means written evidence of satisfactory completion of an approved phase of work or contract, and acceptance thereof by the State agency.
Advance Planning Document for Project Implementation or Implementation APD means a written plan of action requesting Federal financial participation (FFP) to acquire and implement ADP services and/or equipment.
Advance Planning Document for Project Planning or Planning APD means a brief written plan of action that requests FFP to accomplish the planning necessary for a State agency to determine the need for and plan the acquisition of ADP equipment and/or services, and to acquire information necessary to prepare an Implementation APD.
Advance Planning Document Update (APDU) means an annual self-certification by the State agency on the status of project development activities and expenditures in relation to the approved Planning APD or Implementation APD. An APDU may also be submitted as needed to request funding approval for project continuation whenever significant project changes occur or are anticipated.
Automated Data Processing or ADP means data processing performed by a system of electronic or electrical machines so interconnected and interacting as to minimize the need for human assistance or intervention.
Automated Data Processing Equipment or hardware means:
Electronic digital computers, regardless of size, capacity, or price, that accept data input, store data, perform calculations, and other processing steps, and prepare information;
All peripheral or auxiliary equipment used in support of electronic digital computers whether selected and acquired with the computer or separately;
Data transmission or communications equipment that is selected and acquired solely or primarily for use with a configuration of ADP equipment which includes an electronic digital computer; and
Data input equipment used to enter directly or indirectly into an electronic digital computer, peripheral or auxiliary equipment, or data transmission, or communication equipment.
Automated Data Processing Services means:
Services to operate ADP equipment, either by private sources, or by employees of the State agency, or by State or local organizations other than the State agency; and/or
Services provided by private sources or by employees of the State agency or by State and local organizations other than the State agency to perform such tasks as feasibility studies, system studies, system design efforts, development of system specifications, system analysis, programming and system implementation. This includes system training, systems development, site preparation, data entry, and personal services related to automated systems development and operations that are specifically identified as part of a Planning APD or Implementation APD.
Data Processing means the preparation of source media containing data or basic elements of information and the use of such source media according to precise rules of procedures to accomplish such operations as classifying, sorting, calculating, summarizing, recording, and transmitting.
Emergency situation means a situation where:
The State agency can demonstrate to FNS an immediate need to acquire ADP equipment or services in order to continue operation of the Food Stamp Program; and
The State agency can clearly document that the need could not have been anticipated or planned for and the need prevents the State from following the prior approval requirements of § 277.18(c).
Feasibility Study means a preliminary study to determine whether it is sufficiently probable that effective and efficient use of ADP equipment or systems would warrant a substantial investment of staff, time, and money being requested, and whether the plan can be accomplished successfully.
Functional Requirements Specification means an initial definition of the proposed system, which documents the goals, objectives, user or programmatic requirements, the operating environment, and the proposed design methodology, e.g., centralized or distributed. This document details what the new system and/or hardware should do, not how it is to do it. The Specification document shall be based upon a clear and accurate description of the functional requirements for the project, and shall not, in competitive procurements, lead to requirements which unduly restrict competition.
General Systems Design means a combination of narrative and diagrams describing the generic architecture of a system as opposed to the detailed architecture of the system. A general systems design may include a systems diagram; narrative identifying overall logic flow and systems functions; a description of equipment needed (including processing, data transmission and storage requirements); a description of other resource requirements which will be necessary to operate the system; a description of system performance requirements; and a description of the environment in which the system will operate, including how the system will function within that environment.
Regular funding or regular FFP rate means any Federal reimbursement rate authorized by § 277.4(b).
Request for Proposal or RFP means the document used for public solicitations of competitive proposals from qualified sources as outlined in § 277.14(g)(3).
Service Agreement means the document, described in § 277.18(f), signed by the State or local agency and the State or local central data processing facility whenever a central data processing facility provides ADP services to the State or local agency.
Software means a set of computer programs, procedures, and associated documentation used to operate the hardware.
System specifications means information about the new ADP systems, such as: Workload descriptions, input data, information to be maintained and processed, data processing techniques, and output data, which is required to determine the ADP equipment and software necessary to implement the system design.
System study means the examination of existing information flow and operational procedures within an organization. The study consists of three basic phases: Data gathering or investigation of the present system and new information requirements; analysis of the data gathered in the investigation; and synthesis, or refitting, of the parts and relationships uncovered through the analysis into an efficient system.
(c) General acquisition requirements—(1) Requirement for prior FNS approval.
A State agency shall obtain prior written approval from FNS as specified in paragraph (c)(2) of this section when it plans to acquire ADP equipment or services with proposed FFP that it anticipates will have total acquisition costs of $5 million or more in Federal and State funds. This applies to both competitively bid and sole source acquisitions. A State agency shall also obtain prior written approval from FNS of its justification for a sole source acquisition when it plans to acquire ADP equipment or services non-competitively from a nongovernmental source which has a total State and Federal acquisition cost of more than $1 million but no more than $5 million. The State agency shall request prior FNS approval by submitting the Planning APD, the Implementation APD or the justification for the sole source acquisition signed by the appropriate State official to the FNS Regional Office. However, a State agency shall obtain prior written approval from FNS for the acquisition of ADP equipment or services to be utilized in an EBT system regardless of the cost of the acquisition.
(2) Specific prior approval requirements.
For ADP equipment and services acquisitions which require prior approval as specified in paragraph (c)(1) of this section, the State agency shall obtain the prior written approval of FNS for:
The Planning APD prior to entering into contractual agreements or making any other commitment for acquiring the necessary planning services;
The Implementation APD prior to entering into contractual agreements or making any other commitment for the acquisition of ADP equipment or services.
For ADP equipment and services acquisitions requiring prior approval as specified in paragraph (c)(1) of this section, prior approval of the following documents associated with such acquisitions is also required:
RFP's; unless specifically exempted by FNS, the State agency shall obtain prior written approval of the RFP before the RFP may be released. However, RFPs costing up to $5 million for competitive procurements and up to $1 million for noncompetitive acquisitions from non-governmental sources and which are an integral part of the approved APD need not be submitted to FNS. States will be required to submit RFPs under this threshold amount on an exception basis or if the procurement strategy is not adequately described and justified in an APD. The State agency shall obtain prior written approval from FNS for Request for Proposals which are associated with an EBT system regardless of the cost.
Contracts; unless specifically exempted by FNS, the State agency shall obtain prior written approval before the contract may be signed by the State agency. However, contracts costing up to $5 million for competitive procurements and up to $1 million for noncompetitive acquisitions from nongovernmental sources, and which are an integral part of the approved APD need not be submitted to FNS. States will be required to submit contracts under this threshold amount on an exception basis or if the procurement strategy is not adequately described and justified in an APD. The State agency shall obtain prior written approval from FNS for contracts which are associated with an EBT system regardless of the cost.
Contract amendments; unless specifically exempted by FNS, the State agency shall obtain prior written approval before the contract amendment may be signed by the State agency. However, contract amendments involving cost increases of up to $1 million or time extensions of up to 120 days, and which are an integral part of the approved APD need not be submitted to FNS. States will be required to submit contract amendments under these threshold amounts on an exception basis or if the contract amendment is not adequately described and justified in an APD. Amendments to contracts for EBT systems shall be permitted within the approved funding cap. State agencies shall submit copies of any contract amendments or contract extensions to FNS with an accompanying analysis of the impact the changes would have upon the approved issuance cap.
The State agency must obtain prior written approval from FNS as specified in paragraphs (c)(2) (i) and (ii) of this section in order to claim and receive reimbursement for the associated costs of the ADP acquisition.
(3) Approval requirements.
For ADP equipment and service acquisitions requiring prior approval as specified in paragraph (c)(1) of this section, the State agency shall submit the following documents to FNS for approval:
Feasibility studies, when specifically required by FNS as a condition of approving the Planning APD. When required by FNS for approval, the State agency shall submit the feasibility study no later than 90 days after its completion.
APD Updates, as required by paragraph (e) of this section, on an annual or as needed basis.
The State agency must obtain FNS approval of the documents specified in paragraph (c)(3)(i) of this section in order to claim and receive reimbursement for the associated costs of the ADP acquisition.
(4) Approval by the State agency.
Approval by the State agency is required for all documents specified in this regulation prior to submission for FNS approval. In addition, State agency approval is also required for those acquisitions of ADP equipment and services not requiring prior approval by FNS.
(5) Prompt action on requests for prior approval.
FNS will reply promptly to State requests for prior approval. If FNS has not provided written approval, disapproval or a request for additional information within 60 days of FNS' letter acknowledging receipt of the State's request, the request will be deemed to have provisionally met the prior approval requirement in paragraph (c) of this section. However, provisional approval will not exempt a State from having to meet all other Federal requirements which pertain to the acquisition of ADP equipment and services. Such requirements remain subject to Federal audit and review.
(d) APD content requirements—
(1) Planning APD.
The State agency may request FFP for the costs of determining the need for and planning the acquisition of ADP equipment or services through the submission of the Planning APD. The State agency may request FFP for the costs of planning activities beginning with initial project inception through the performance of necessary systems and alternatives analyses, selection and design, including the completion of a general systems design. The Planning APD shall contain the following information:
The State agency's description of the programmatic and organizational needs and/or problems to be addressed by the proposed ADP acquisition and the specific objectives to be accomplished under the Planning APD;
The State agency's commitment to complete the following, where appropriate, as part of project planning activities: a functional requirements specification document, feasibility study, alternatives analysis, cost-benefit analysis, and a general system design. If an existing ADP system is to be transferred, the State agency may plan to use the general system design of the transferred system.
The State agency's description of the organization, required State and contractual resources and availability of those resources, and the assignments of roles and responsibilities for project planning activities. The State agency shall include a description of resources to be procured and procurement methods;
The State agency's schedule of activities and deliverables during project planning, including a description and schedule of procurement activities to be undertaken in support of the planning project; and
A proposed budget which shall identify costs for project planning activities by Federal fiscal year. The budget shall include an estimate of prospective cost distribution to participating Federal agencies and the method for cost allocation. The State agency shall also include an estimate of the total project costs, including both the cost of the planning project and the cost of any eventual ADP equipment and/or services acquisition, which will be used only for determining whether the threshold of §§ 277.18(c)(1) is met. An estimate of total project cost for an EBT system shall not be required to be incorporated into the Planning APD budget.
(2) Implementation APD.
The State agency may request FFP to acquire ADP equipment and services through the submission of the Implementation APD. The State agency may request FFP for the necessary activities to develop, acquire, install and implement the proposed ADP system or acquisition. The Implementation APD shall contain the following information, where appropriate:
The State agency shall complete and submit a functional requirements specification document;
The State agency shall submit a feasibility study and associated alternatives analyses, which include the transfer or modification of an existing system from a similar State or jurisdiction in the examination of alternatives. State agencies which reject the transfer or modification of an existing system must provide an analysis describing the barriers to system transfer as part of the feasibility study. The analysis of barriers to system transfer shall include a comparison of the costs of overcoming the problem in transferring an operational system to the costs of developing a new system;
The State agency shall submit the new or transferred general systems design and shall also document the intended approaches, plans and techniques to develop or modify specific aspects of the proposed ADP system or acquisition including hardware, software, telecommunications, system testing, and data security;
The State agency shall describe the anticipated resource requirements for implementation of the ADP project, the resources planned to be available for the project, and plans for augmenting resources to meet resource requirements;
The State agency shall indicate the principal events and schedule of activities, milestones, and deliverables during implementation of the project;
The State agency shall submit a proposed budget which identifies costs for intended project development and implementation activities by Federal fiscal year and shall include a consideration of all possible Implementation APD activity costs (e.g., system conversion, computer capacity planning, supplies, training, and miscellaneous ADP expenses). The budget shall contain an estimate of prospective cost distribution and methods for allocating costs to participating Federal agencies;
The State agency shall document the scope, methodology, evaluation criteria and results of cost-benefit analyses for evaluating the selected design and alternatives. The cost-benefit analysis shall include a statement indicating the period of time the State agency intends to use the proposed equipment or system; and
The State agency shall describe the security and interface requirements to be employed and the backup and contingency procedures available.
(3) APD Budget.
The proposed budget for both the Planning APD and the Implementation APD shall include cost distribution plans containing the bases for proposed rates, both direct and indirect, for costs associated with system planning, development, acquisition or implementation, as appropriate. The budget proposals accompanying the Implementation APD shall also include proposed cost distribution plans and the bases of proposed rates for the operation of the ADP system. The budget activities shall be presented on a Federal fiscal year basis in a clear fashion to associate costs with each planned activity. The budgets must identify all development costs separately from any ongoing operational costs. Costs must be distinguished by developmental projects and developmental time periods. Actual costs claimed must be reconciliable to projected costs as proposed and approved by FNS in the APD.
(e) APD Update—
(1) General submission requirements.
The State agency shall submit an APD Update for FNS approval for all approved Planning and Implementation APD's when total acquisition costs exceed $5 million. The APD Update shall be submitted to the FNS Regional Office within 90 days after the annual anniversary date of the original APD approval, unless the submission date is specifically altered by FNS.
(2) Content requirements.
The APD Update represents a self-certification by the State agency of project status in relation to the provisions of the approved Planning APD and Implementation APD. The Annually Updated APD shall include:
Project activity status. (A) The status of all major tasks and milestones in the approved Planning APD, Implementation APD or previous APD Update's for the past year. The APD Update shall include all major tasks and milestones completed in the past year and degree of completion for unfinished tasks.
The status of all project deliverables completed in the past year and degree of completion for unfinished products.
Reports of past and/or anticipated problems or delays in meeting target dates in the approved Planning APD, Implementation APD or previous APD Update's for the remainder of the project. The Annually Updated APD shall include an explanation of the need to extend any major project target dates.
Project expenditures. (A) A detailed accounting for all expenditures for project development over the past year.
An explanation of differences between projected expenses in the approved Planning or Implementation APD, or previous APD Update's, and actual expenditures for the past year. If changes in costs are reported, FNS may require the submission of a revised cost-benefit analysis as a condition for approval of the APD Update.
Changes to the allocation basis in the approved APD's cost allocation methodology.
Changes to the approved APD.
Revised language for all changes to the approved APD or previous APD Updates shall be submitted as part of the APD Update, unless submitted separately by the State agency as the changes occurred throughout the year.
Changes in project management and/or contractor services.
(3) Submission as needed.
In addition to the requirement for approval of an APD Update on an annual basis, as specified in paragraph (e)(1) of this section, the State agency may submit an APD Update on a more frequent or as needed basis, in order to obtain a commitment of FFP whenever significant project changes occur. Without such approval, the State agency is at risk for funding of project activities which are not in compliance with the terms and conditions of the approved APD and subsequently approved APD Updates, until such time as approval is specifically granted by FNS. At a minimum, the State agency should consider submission of an APD Update whenever any of the following changes occur or are anticipated:
A significant increase ($1 million or more) in total project costs;
A significant schedule extension (60 days or more) for major milestones;
A significant change in procurement approach, and/or scope of procurement activities beyond that approved in the APD;
A change in system concept, or a change to the scope of the project; or
A change to the approved cost allocation methodology.
(f) Service agreements.
The State agency shall execute service agreements when data processing services are to be provided by a State central data processing facility or another State or local agency. Service agreements shall be kept on file by the State agency and be available for Federal review, and shall:
Identify the ADP services that will be provided;
Include, preferably as an amendable attachment, a schedule of charges for each identified ADP service, and a certification that these charges apply equally to all users;
Include a description of the method(s) of accounting for the services rendered under the agreement and computing services charges;
Include assurances that services provided will be timely and satisfactory;
Include assurances that information in the computer system as well as access, use and disposal of ADP data will be safeguarded in accordance with provisions of §§ 272.1(c) and 277.13 ;
Require the provider to obtain prior approval pursuant to § 277.18(c)(1) from FNS for ADP equipment and ADP services that are acquired from commercial sources primarily to support the Food Stamp Program and requires the provider to comply with § 277.14 for procurements related to the service agreement. ADP equipment and services are considered to be primarily acquired to support the Food Stamp Program when the Program may reasonably be expected to either be billed for more than 50 percent of the total charges made to all users of the ADP equipment and services during the time period covered by the service agreement, or directly charged for the total cost of the purchase or lease of ADP equipment or services;
Include the beginning and ending dates of the period of time covered by the service agreement; and
Include a schedule of expected total charges to the Program for the period of the service agreement.
(g) Conditions for receiving FFP—
A State agency may receive FFP at the 50 percent reimbursement rate for the costs of planning, design, development or installation of ADP and information retrieval systems if the proposed system will:
Assist the State agency in meeting the requirements of the Food Stamp Act;
Be likely to provide more efficient and effective administration of the program; and
Be compatible with such other systems utilized in the administration of State agency plans under the program of Temporary Assistance for Needy Families (TANF).
State agencies seeking FFP for the planning, design, development or installation of automated data processing and information retrieval systems shall develop Statewide systems which are integrated with TANF. In cases where a State agency can demonstrate that a local, dedicated, or single function (issuance or certification only) system will provide for more efficient and effective administration of the program, FNS may grant an exception to the Statewide integrated requirement. These exceptions will be based on an assessment of the proposed system's ability to meet the State agency's need for automation. Systems funded as exceptions to this rule, however, should be capable to the extent necessary, of an automated data exchange with the State agency system used to administer TANF. In no circumstances will funding be available for systems which duplicate other State agency systems, whether presently operational or planned for future development.
(h) Emergency acquisition requirements.
The State agency may request FFP for the costs of ADP equipment and services acquired to meet emergency situations which preclude the State agency from following the prior approval requirements of § 277.18(c). FNS may provide FFP in emergency situations if the following conditions are met:
The State agency must submit a written request to FNS prior to the acquisition of any ADP equipment or services. The written request must be sent by registered mail and shall include:
A brief description of the ADP equipment and/or services to be acquired and an estimate of their costs;
A brief description of the circumstances which result in the State agency's need to proceed with the acquisition prior to obtaining formal FNS approval; and
A description of the adverse impact which would result if the State agency does not immediately acquire the ADP equipment and/or services.
Upon receipt of a written request for emergency acquisition FNS shall provide a written response to the State agency within 14 days. The FNS response shall:
Inform the State agency that the request has been disapproved and the reason for disapproval; or,
Inform the State agency that FNS recognizes that an emergency situation exists and the State agency must submit a formal request for approval by FNS which includes the information specified at § 277.18(d)(2) within 90 days from the date of the State agency's initial written request.
If FNS approves the request submitted under paragraph (h)(1) of this section, FFP will be available from the date the State agency acquires the ADP equipment and services.
(i) Cost determination and claiming costs—
(1) Cost determination.
Actual costs must be determined in compliance with an FNS approved budget and appendix A to this part, and must be reconcilable with the FNS funding level. There shall be no payments pursuant to this section to the extent that a State agency is reimbursed for such costs pursuant to any other Federal program or uses ADP systems for purposes not connected with the Food Stamp Program. The State agency approved cost allocation plan must be amended to disclose the methods which will be used to identify and classify costs to be claimed. This methodology must be submitted to FNS as part of the request for FNS approval of funding as required in paragraph (d)(3) of this section. Any costs funded pursuant to these regulations shall be excluded in determining the State agency's administrative costs under any other section of this part.
(2) Cost identification for purposes of FFP claims.
State agencies shall assign and claim the costs incurred under an approved APD in accordance with the following criteria:
(i) Development costs.
Using its normal departmental accounting system, the State agency shall specifically identify what items of costs constitute development costs, assign these costs to specific project cost centers, and distribute these costs to funding sources based on the specific identification, assignment and distribution outlined in the approved APD. The methods for distributing costs set forth in the APD should provide for assigning identifiable costs, to the extent practicable, directly to program/functions. The State agency shall amend the cost allocation plan required by § 277.9 to include the approved APD methodology for the identification, assignment and distribution of the development costs.
(ii) Operational costs.
Costs incurred for the operation of an ADP system shall be identified and assigned by the State agency to funding sources in accordance with the approved cost allocation plan required by § 277.9.
(iii) Service agreement costs.
States that operate a central data processing facility shall use their approved central service cost allocation plan required by OMB Circular A-87 to identify and assign costs incurred under service agreements with the State agency. The State agency shall then distribute these costs to funding sources in accordance with paragraphs (i)(2)(i) and (i)(2)(ii) of this section.
(3) Capital expenditures.
The State agency shall charge the costs of ADP equipment having unit acquisition costs or total aggregate costs, at the time of acquisition, of more than $25,000 by means of depreciation or use allowance, unless a waiver is specifically granted by FNS. If the equipment acquisition is part of an APD that is subject to the prior approval requirements of paragraph (c)(2) of this section, the State agency may submit the waiver request as part of the APD.
(4) Claiming costs.
Prior to claiming funding under this section the State agency shall have complied with the requirements for obtaining approval and prior approval of § 277.18(c).
(5) Budget authority.
FNS approval of requests for funding shall provide notification to the State agency of the budget authority and dollar limitations under which such funding may be claimed. FNS shall provide this amount as a total authorization for such funding which may not be exceeded unless amended by FNS. FNS's determination of the amount of this authorization shall be based on the budget submitted by the State agency. Activities not included in the approved budget, as well as continuation of approved activities beyond scheduled deadlines in the approved plan, shall require FNS approval of an amended State budget for payment. Requests to amend the budget authorization approved by FNS shall be submitted to FNS prior to claiming such expenses.
(j) Procurement requirements.
Procurements of ADP equipment and services are subject to the procurement standards prescribed by § 277.14 regardless of any conditions for prior approval, except the requirements of § 277.14(b)(1) and (2) regarding review of proposed contracts. Those standards include a requirement for maximum practical open and free competition regardless of whether the procurement is formally advertised or negotiated.
The standards prescribed by § 277.14, as well as the requirement for prior approval, apply to ADP services and equipment acquired by a State or local agency, and the ADP services and equipment acquired by a State or local central data processing facility primarily to support the Food Stamp Program.
The competitive procurement policy prescribed by § 277.14 shall be applicable except for ADP services provided by the agency itself, or by other State or local agencies.
(k) Access to the system and records.
Access to the system in all aspects, including but not limited to design, development, and operation, including work performed by any source, and including cost records of contractors and subcontractors, shall be made available by the State agency to FNS or its authorized representatives at intervals as are deemed necessary by FNS, in order to determine whether the conditions for approval are being met and to determine the efficiency, economy and effectiveness of the system. Failure to provide full access by appropriate State and Federal representatives to all parts of the system shall result in suspension and/or termination of Food Stamp Program funds for the costs of the system and its operation.
(l) Ownership rights—
Software (i) The State or local government shall include a clause in all procurement instruments which provides that the State or local government shall have all ownership rights in any software or modifications thereof and associated documentation designed, developed or installed with FFP under this section.
FNS reserves a royalty-free, nonexclusive, and irrevocable license to reproduce, publish, or otherwise use and to authorize others to use for Federal Government purposes, such software, modifications, and documentation.
Proprietary operating/vendor software packages (e.g., ADABAS or TOTAL) which are provided at established catalog or market prices and sold or leased to the general public shall not be subject to the ownership provisions in paragraphs (l)(1)(i) and (l)(1)(ii) of this section. FFP is not available for proprietary applications software developed specifically for the Food Stamp Program.
(2) Automated data processing equipment.
The policies and procedures governing title, use and disposition of property purchased with Food Stamp Program funds, which appear at 7 CFR 277.13 are applicable to automated data processing equipment.
(m) Use of ADP systems.
ADP systems designed, developed or installed with FFP shall be used for the period of time specified in the APD, unless FNS determines that a shorter period is justified.
(n) Basis for continued Federal financial participation.
FNS will continue FFP at the levels approved in the Planning APD and the Implementation APD provided that project development proceeds in accordance with the conditions and terms of the approved APD and that ADP resources are used for the purposes authorized. FNS will use the APD Update to monitor ADP project development. The submission of the report prescribed in § 277.18(e) for the duration of project development is a condition for continued FFP. In addition, periodic onsite reviews of ADP project development and State and local agency ADP operations may be conducted by or for FNS to assure compliance with approved APD's, proper use of ADP resources, and the adequacy of State or local agency ADP operations.
(o) Disallowance of Federal financial participation.
If FNS finds that any ADP acquisition approved under the provisions of § 277.18(c) fails to comply with the criteria, requirements, and other undertakings described in the approved or modified APD, payment of FFP may be disallowed.
(p) ADP system security requirements and review process—
(1) ADP system security requirements.
State and local agencies are responsible for the security of all ADP projects under development, and operational systems involved in the administration of the Food Stamp Program. State and local agencies shall determine appropriate ADP security requirements based on recognized industry standards or standards governing security of Federal ADP systems and information processing.
(2) ADP security program.
State agencies shall implement and maintain a comprehensive ADP Security Program for ADP systems and installations involved in the administration of the Food Stamp Program. ADP Security Programs shall include the following components.
Determination and implementation of appropriate security requirements as prescribed in paragraph (p)(1) of this section.
Establishment of a security plan and, as appropriate, policies and procedures to address the following areas of ADP security:
Physical security of ADP resources;
Equipment security to protect equipment from theft and unauthorized use;
Software and data security;
Contingency plans to meet critical processing needs in the event of short- or long-term interruption of service;
Emergency preparedness; and
Designation of an Agency ADP Security Manager.
Periodic risk analyses. State agencies shall establish and maintain a program for conducting periodic risk analyses to ensure that appropriate, cost-effective safeguards are incorporated into new and existing systems. In addition, risk analyses shall be performed whenever significant system changes occur.
(3) ADP system security reviews.
State agencies shall review the ADP system security of installations involved in the administration of the Food Stamp Program on a biennial basis. At a minimum, the reviews shall include an evaluation of physical and data security, operating procedures, and personnel practices. State agencies shall maintain reports of their biennial ADP system security reviews, together with pertinent supporting documentation, for Federal on-site review.
The security requirements of this section apply to all ADP systems used by State and local governments to administer the Food Stamp Program.
Costs incurred for complying with the provisions of paragraphs (p)(1) through (p)(3) of this section are considered regular administrative costs which are funded at the regular FFP level.
[Amdt. 319, 55 FR 4355, Feb. 7, 1990, as amended by Amdt. 345, 57 FR 11259, Apr. 1, 1992; Amdt. 342, 59 FR 2733, Jan. 19, 1994; Amdt. 368, 61 FR 33643, June 28, 1996; Amdt. 385, 65 FR 33440, May 24, 2000]