Ask an Assessor: Death Master File

The Death Master File (DMF) is a protected file that includes information regarding the deceased such as:

  • Name
  • Date of Birth
  • Date of Death
  • Social Security Number

Since November 28, 2016, organizations have faced a stricter certification process to be granted access to the DMF. In that time, A-LIGN has served as an Accredited Conformity Assessment Body (ACAB) that has submitted written attestation to validate that the appropriate controls are in place to maintain the confidentiality and security of DMF information. Senior Manager Sue Wells took the time to discuss the challenges that organizations face when seeking DMF certification and how A-LIGN can help.

Death Master File FAQ

What lessons have we learned from our DMF successes, as assessors, that we can utilize to help future clients that require DMF access?

Some of our DMF clients have never had any type of audit before, so there is a learning curve for those organizations to understand the process, such as document requests. Organizations that have never been certified before need to understand the steps to achieve certification:

  1. A-LIGN conducts testing against the approved standard.
  2. Once testing is complete, organizations must go to the National Technical Information Service (NTIS) website to pay the required fees. Organizations pay NTIS $1,575 annually for certification, and an additional $525 every 3 years when third-party certification must be completed again. These fees are paid directly to NTIS and are separate from those paid to the ACAB for attestation. Once fees are paid, the organization will be provided a processing number.
  3. From there, organizations must obtain the attestation form from the NTIS website and provide A-LIGN with the processing number to complete the attestation.
  4. A-LIGN files the attestation documentation.

What information do companies seeking DMF certification need to know regarding their vendors and how they may impact their ability to be certified?

If significant technical safeguards used to protect the DMF are provided by a third party, the organization may have to obtain information directly from that third party to provide to A-LIGN, as the DMF attestation form does not provide the ability to carve out other organizations. In this event, the technical safeguards would need to be verified.

What standards can organizations certify against?

Since 2015, A-LIGN has successfully helped several organizations achieve certification by certifying against standards such as SOC 2, PCI DSS, and NIST 800-53.

Helping You Achieve DMF Certification

NTIS can conduct both scheduled and unscheduled compliance audits, and organizations that fail to comply with the set provisions may be subject to fines of up to $250,000 per year. As an ACAB, A-LIGN can attest to your organization’s ability to protect DMF information. We have extensive experience in testing the required controls and can guide your organization through the certification process with ease.

Have questions about accessing the DMF? Contact us at info@a-lign.com or call 1-888-702-5446 to have an experienced assessor answer your questions regarding DMF certification.

Becoming Certified to Access the Limited Access Death Master File

What is the Limited Access Death Master File (LADMF)?

The LADMF, or Limited Access Death Master File, contains sensitive information that cannot be disclosed during the three-year period following an individual’s death, including:

  • Social Security Number
  • Name
  • Date of Birth
  • Date of Death

Effective November 28, 2016, organizations face a more stringent certification process to be granted access to the DMF. To access the DMF, an individual or entity must:

  • Have a legitimate fraud prevention interest; or
  • Have a legitimate business purpose pursuant to a law, government rule, regulation, or fiduciary duty

The main changes that organizations need to be prepared for are:

  • Annual recertification by the organization seeking access
  • Third-party conformity attestation every three years
  • Agreement to scheduled and unscheduled audits, conducted by the National Technical Information Service (NTIS) or the Accredited Conformity Assessment Body (ACAB) at the request of NTIS
  • Fines up to $250,000 per year for noncompliance

The entity wishing to access the DMF must submit written attestation from an ACAB to prove that the appropriate systems, facilities and procedures are in place to safeguard information and maintain the confidentiality, security, and appropriate use of the information.

To better understand the requirement, organizations can find the sample certification forms here:

Subscriber Certification must be completed annually. The LADMF Systems Safeguards Attestation Form must be completed every three years.

The U.S. Department of Commerce’s National Technical Information Service (NTIS), the governing body behind the DMF, can conduct both scheduled and unscheduled compliance audits and fine organizations up to $250,000 for noncompliance, with even higher penalties for willful violations. Due to the potential for substantial fines, it is important that entities be able to implement the appropriate systems, facilities, and procedures to safeguard the information.

How A-LIGN Can Help

A-LIGN is an ACAB that can attest to the systems and procedures organizations have in place. A-LIGN utilizes various published information security standards, including the AICPA SOC 2 and ISO 27001, to satisfy the rule’s audit requirements.

Since 2015, A-LIGN has been working to help our clients meet their DMF audit requirements, and has successfully submitted the appropriate attestation forms to NTIS, resulting in certification for our clients. We have extensive experience testing the controls required by LADMF and understand the certification process and requirements.

Have questions about accessing the LADMF? Contact us at info@a-lign.com or call 1-888-702-5446 to have an experienced assessor answer your questions.