Across government and private organizations, the need to match records and confirm death has become a major concern. People who take out credit or receive benefits do so because they are living, and once they pass, there must be a way to align the state of their benefits and finances. This is where the NTIS Death Master File comes in. 

This collection of records helps organizations track the deaths of social security beneficiaries. It contains private information that needs to be protected. 

What Is the NTIS Death Master File?

The NTIS DMF is a database maintained by the National Technical Information Service containing records of deaths reported to the Social Security Administration. The primary purpose of the DMF is to help prevent identity theft and fraud by providing a reliable source of information on deceased individuals. Government agencies, financial institutions, insurance companies, and other organizations use it to verify that a person is deceased and to prevent fraudulent use of their identity.

The DMF is updated regularly and made available to subscribers through the NTIS. Access to the full DMF is restricted and requires a subscription, as it contains sensitive information. However, a publicly available, limited version of the DMF is also available, omitting some more sensitive data.

What Are the Security Requirements for the NIST DMF?

Accessing DMF information involves stringent security requirements to protect sensitive data and ensure it is used appropriately. Some of the key information contained in this database include:

• Full Names
• Dates and Places of Birth and Death
• Social Security Numbers
• Addresses

This information should be protected. The NTIS has established the following security requirements for accessing the DMF:

• Certification: Organizations and individuals must undergo a certification process to demonstrate their eligibility and need to access the DMF. This includes verifying their identity and purpose for accessing the data.
• User Agreement: All users must sign a user agreement that outlines the terms and conditions of access, including compliance with data protection laws and regulations.
• Data Security Plan: Users must implement a comprehensive data security plan encompassing physical, technical, and administrative security.
  
• Background Checks: Organizations must conduct background checks on individuals accessing the DMF to ensure they are trustworthy and do not pose a security risk.
• Audit and Compliance: Users must agree to regular audits and compliance checks by NTIS or an authorized third party to ensure adherence to the security requirements and proper use of the DMF data.
• Breach Notification: In the event of a data breach, users must have a plan to promptly notify NTIS and take appropriate steps to mitigate the breach and prevent further unauthorized access.
• Data Retention and Destruction: Users must adhere to strict data retention and destruction policies to ensure that DMF data is kept only as long as necessary and is securely destroyed when no longer needed.

Non-Security Requirements for Accessing the DMF

While these security requirements are designed to protect the sensitive information in the DMF, several overarching requirements beyond security ensure that the list is only used by those for whom it is intended. 

Yes, in addition to the security requirements, there are several other requirements and conditions for accessing the Death Master File (DMF) information:

• Permitted Purposes: Access to the DMF is granted only for specific, approved purposes such as fraud prevention and identity verification, compliance with legal or regulatory requirements, and research and statistical analysis.
• User Fee: Organizations and individuals must pay a fee to access the DMF (for the listed access reasons). This fee helps cover the cost of maintaining and distributing the database.
• Annual Certification: Users must certify their compliance with all NTIS requirements, including security measures and usage restrictions. This certification process involves submitting documentation and possibly undergoing audits or reviews.
• Reporting Requirements: Users must promptly report any suspected or actual data breaches, misuse of DMF data, or non-compliance with NTIS requirements. Reporting must include details of the incident and the steps taken to address it.
• Review and Approval: Access to the DMF is subject to NTIS review and approval. NTIS evaluates applicants based on their need for access, the adequacy of their security measures, and their compliance with legal and regulatory requirements.
• Non-Disclosure: Users must agree not to disclose DMF information to unauthorized parties. Any sharing of DMF data must be strictly controlled and limited to authorized users for approved purposes.
• Recordkeeping: Users must maintain accurate records of their access to and use of the DMF. These records must be available for inspection by NTIS or other authorized entities to verify compliance with all requirements.

These requirements help ensure that access to the DMF is granted only to responsible, authorized entities and that the sensitive information contained in the database is protected from misuse and unauthorized access.

The Importance of Security for the DMF File

While accessing the DMF database might seem, on its surface, much less intense than adhering to HIPAA or CMMC requirements, the truth is that private information must be protected regardless of the context. If you’re an organization that handles access to the DMF, then it’s critical to meet these requirements. 

Are you looking to get certification for DMF and want your cybersecurity to align with the requirements? Contact Lazarus Alliance and Continuum GRC.

Continuum GRC is a cloud platform that stays ahead of the curve, including support for all certifications (along with our sister company and assessors, Lazarus Alliance). 

• FedRAMP
• StateRAMP
• NIST 800-53
• FARS NIST 800-171 & 172
• CMMC
• SOC 1 & SOC 2
• HIPAA
• PCI DSS 4.0
• IRS 1075 & 4812
• COSO SOX
• ISO 27001 + other ISO standards
• NIAP Common Criteria
• And dozens more!

We are the only FedRAMP and StateRAMP-authorized compliance and risk management solution worldwide.

Continuum GRC is a proactive cyber security® and the only FedRAMP and StateRAMP-authorized cybersecurity audit platform worldwide. Call 1-888-896-6207 to discuss your organization’s cybersecurity needs and learn how we can help protect its systems and ensure compliance.