Since late 2016, organizations have faced a stricter certification process to be granted access to the Death Master File (DMF), a computer database created by the United States’ Social Security Administration from 1962 to present day. The DMF is a protected file that includes information regarding the deceased such as their name, date of birth, date of death, social security number, last known zip code, if their death certification was observed, and other personal identifiable information (PII). For organizations who need to access to the PII of deceased individuals, they will need to certify with the DMF. Generally, in the three-year period following an individual’s death, sensitive information is unable to be released.
There are many challenges organizations can face when seeking DMF certification. Let’s review the certification process, what your organization should prepare for, and the standards against which you can certify.
What is the DMF certification process?
To access the DMF, an individual or entity must have a legitimate fraud prevention interest or have a legitimate business purpose to a law, government rule, regulation, or fiduciary duty. If an organization qualifies for DMF certification, they will be required to follow the steps below during their assessment process.
Step 1: Testing is conducted against SOC 2 or NIST 800 series standards.
Step 2: Organizations must go to the National Technical Information Service (NTIS) website to pay the required fees and will receive a processing number. Please note, these fees are in addition to those paid to the Accredited Conformity Assessment Body (ACAB) for attestation.
Step 3: Organizations must obtain the FM100A attestation form from the NTIS website and provide your auditing firm with the processing number to complete the attestation.
Step 4: Your auditor files the attestation documentation with NTIS. Your auditor will notify you that your form has been submitted and reaches out only if an issue arises. If all information is correct, NTIS communicates directly with your organization on approval/certification status.
What should my organization prepare for?
Once you achieve DMF certification, it doesn’t stop there. Your organization will need to be prepared for recertifications, unscheduled audits and more. Below is a list of what you can expect in the next several years following your initial DMF certification.
- Annual recertification by the organization seeking access
- Third-party conformity attestation every three years
- Agreement to scheduled and unscheduled audits, conducted by National Technical Information Service (NTIS) or the ACAB at the request of NTIS
- Fines up to $250,000 per year for noncompliance
The entity wishing to access the DMF must submit written attestation from an ACAB to prove that the appropriate systems, facilities and procedures are in place to safeguard information and maintain the confidentiality, security, and appropriate use of the information.
Subscriber certification must be completed annually. The LADMF Systems Safeguards Attestation Form must be completed every three years.
The U.S. Department of Commerce’s National Technical Information Service (NTIS), the governing body behind the DMF, can conduct both scheduled and unscheduled compliance audits and fine organizations up to $250,000 for noncompliance, with even higher penalties for willful violations. Due to the potential for substantial fines, it is important that entities be able to implement the appropriate systems’ facilities and procedures to safeguard the information.
What standards can organizations certify against?
Organizations can achieve certification by testing against standards such as SOC 2, and NIST 800 series publications.
What is SOC 2?
SOC 2 is a reporting standard that provides clients assurance regarding a service organization’s controls that do not affect the clients’ internal controls over financial reporting. This report is intended for use by stakeholders (customers, regulators, business partners, suppliers, directors) of the service organization to have a thorough understanding of the service organization and its internal controls.
What is NIST 800-53?
Published by the National Institute of Standards and Technology (NIST), NIST 800-53 covers the steps in the Risk Management Framework (RMF) that address security control selection for federal information systems in accordance with the security requirements in the Federal Information Processing Standard (FIPS) 200.
Helping You Achieve DMF Certification
A-LIGN is an ACAB that can attest to organizations’ systems and procedures in place. A-LIGN utilizes various published information security standards, mainly the AICPA SOC 2, to satisfy the rule’s audit requirements.
Since 2015, A-LIGN has been working to help our clients meet their DMF audit requirements and has successfully submitted the appropriate attestation forms to NTIS, resulting in certification for our clients. We have extensive experience testing the controls required by LADMF and can guide your organization through the certification process with ease.