U.S. Department of Housing and Urban Development (HUD)

Office of the Chief Information Officer (OCIO)

Memorandum of Understanding (MOU)

Between the U.S. Department of Housing and Urban Development (HUD)

and

‘Organization B’

March 3, 2021

Revisions Record

Table of Contents

1. Introduction

The purpose of this memorandum is to establish a management agreement between the U.S. Department of Housing and Urban Development (HUD) and Organization B regarding the development, management, operation, and security of a connection between the MTW Expansion Application, owned by HUD, and System B, owned by Organization B. This agreement will govern the relationship between HUD and Organization B, including designated managerial and technical staff, in the absence of a common management authority.

2. Supercedes

None

3. Background

It is the intent of both parties to this agreement to interconnect the following information technology (IT) systems to exchange data between the MTW Expansion Application and XYZ database. HUD requires the use of Organization B's XYZ database, and Organization B requires the use of HUD’s MTW Expansion Application data. The expected benefit of the interconnection is to expedite the processing of data associated with the MTW Expansion application project within prescribed timelines.

Each IT system is described below:

• SYSTEM A: MTW Expansion Application

  • Name: MTW Expansion Application

  • Function: Provides Public Housing Authorities (PHAs) the ability to electronically submit and process the new HUD-50058 Moving to Work Expansion Form  

  • Location: The application is hosted in the Salesforce Government Cloud, which maintains a FedRAMP Moderate Authority to Operate (ATO)

  • Description of Data: Data includes personally identifiable information (PII)

• SYSTEM B

  • Name

  • Function

  • Location

  • Description of data, including sensitivity or classification level

4. Point of Contact

For all issues associated with this MOU, the established points of contact are as follows:

5. Communications

Regular formal communications are essential to ensure the successful management and operation of the interconnection. The parties agree to maintain open lines of communication between designated staff at both the managerial and technical levels. All communications described herein must be conducted in writing unless otherwise noted.

The owners of the MTW Expansion Application and System B agree to designate and provide contact information for technical leads for their respective system, and to facilitate direct contacts between technical leads to support the management and operation of the interconnection. To safeguard the confidentiality, integrity, and availability of the connected systems and the data they store, process, and transmit, the parties agree to provide notice of specific events within the time frames indicated below:

• Security Incidents: Technical staff will immediately notify their designated counterparts by telephone or e-mail when a security incident(s) is detected, so the other party may take steps to determine whether its system has been compromised and to take appropriate security precautions. The system owner will receive formal notification in writing within five (5) business days after detection of the incident(s).

• Disasters and Other Contingencies: Technical staff will immediately notify their designated counterparts by telephone or e-mail in the event of a disaster or other contingency that disrupts the normal operation of one or both of the connected systems.

• Material Changes to System Configuration: Planned technical changes to the system architecture will be reported to technical staff before such changes are implemented. The initiating party agrees to conduct a risk assessment based on the new system architecture and to modify and re-sign the ISA within one (1) month of implementation.

• New Interconnections: The initiating party will notify the other party at least one (1) month before it connects its IT system with any other IT system, including systems that are owned and operated by third parties.

• Personnel Changes: The parties agree to provide notification of the separation or long-term absence of their respective system owner or technical lead. In addition, both parties will provide notification of any changes in point of contact information. Both parties also will provide notification of changes to user profiles, including users who resign or change job responsibilities.

6. Interconnection Security agreement

The technical details of the interconnection will be documented in an Interconnection Security Agreement (ISA). The parties agree to work together to develop the ISA, which must be signed by both parties before the interconnection is activated. Proposed changes to either system or the interconnecting medium will be reviewed and evaluated to determine the potential impact on the interconnection. The ISA will be renegotiated before changes are implemented. Signatories to the ISA shall be the Authorizing Official (AO) for each system.

7. Security

Both parties agree to work together to ensure the joint security of the connected systems and the data they store, process, and transmit, as specified in the ISA. Each party certifies that its respective system is designed, managed, and operated in compliance with all relevant federal laws, regulations, and policies.

8. Cost Considerations

Both parties agree to equally share the costs of the interconnecting mechanism and/or media, but no such expenditures or financial commitments shall be made without the written concurrence of both parties. Modifications to either system that are necessary to support the interconnection are the responsibility of the respective system owners’ organization.

9. Timeline

This agreement will remain in effect for one (1) year after the last date on either signature in the signature block below. After one (1) year, this agreement will expire without further action. If the parties wish to extend this agreement, they may do so by reviewing, updating, and reauthorizing this agreement. The newly signed agreement should explicitly supersede this agreement, which should be referenced by title and date. If one or both of the parties wish to terminate this agreement prematurely, they may do so upon 30 days' advanced notice or in the event of a security incident that necessitates an immediate response.

10. Signatory Authority

I agree to the terms of this Memorandum of Understanding.

MTW Expansion Application (System B)

Matilda Chiu System Owner Name

System Owner Title

______________________________ ________________________________

(Signature Date) (Signature Date)

Hun Kim CISO Name

Chief Information Security Officer Chief Information Security Officer

______________________________ ________________________________

(Signature Date) (Signature Date)

Chris Webber CIO Name

Chief Information Officer (Acting) Chief Information Officer

______________________________ ________________________________

(Signature Date) (Signature Date)