Objective 1: Describe legislation, regulations, and policy that address safeguarding SNAP Participant Data

1.1 What federal legislation addresses SAs’ and Federal Government agencies’ handling of PII? What legislation specifically addresses SNAP participants’ PII?

1.2 What federal regulations address SAs’ and Federal Government agencies’ handling of PII? What regulations specifically address SNAP participants’ PII?

1.3 What additional guidance has FNS provided SAs in regard to handling PII?

1.4 What State legislation and regulations govern SAs’ handling of PII?

1.5 Describe the National Institute of Standards and Technology (NIST) guidelines.

Objective 2: Describe methods that can be used to safeguard PII

2.1 What measures are established to prevent unauthorized users from accessing PII?

2.2 Are appropriate role permissions established to limit PII access to authorized individuals only? If so, what are they?

2.3 Does the State allow remote access to systems containing PII? If so, what is the process?

2.4 Is masking used in PII data entry, particularly for SSNs?

2.5 Is there a time-out function used on application screens that contain PII? If so, what is the time limit for the time-out? What policy or guidance covers time-out functions?

2.6 Are encryption methods used for transmitting and storing PII? If so, what are the methods in place?

Objective 3: Describe how States currently safeguard participant PII

3.1 What vulnerabilities and threats to privacy have States encountered?

3.2 When States perform data matches of State SNAP administrative data with other administrative data, what data files do States perform matches with? What PII is used for linking the files? How do States protect confidentiality in files produced by data matching? How does PII and confidentiality protection vary among different data matches?

3.3 How do States handle law enforcement requests for PII?

3.4 Do States follow the Federal Information Security Management Act (FISMA) or NIST guidelines?

3.5 What is the training process to ensure personnel understand their responsibilities in protecting PII?

3.6 Which States have had data breaches? What has been the response?

3.7 How secure is the transmission of online application data? How is the confidentiality of paper applications secured?

3.8 How do safeguarding practices differ between States with county-administered SNAP versus those with Statewide administration?

3.9 What other measures has the State implemented to ensure the protection of PII?

Objective 4: Examine the consistency of safeguarding practices across States

4.1 What are the safeguarding practices that vary the most among States?

4.2 What are the safeguarding practices that are most often practiced within States?

4.3 In which areas are the safeguarding practices of States most in need of improvement?

Objective 5: Provide recommendations to States for improved safeguarding of PII

5.1 What best practices should States implement to ensure the safeguarding of PII?