PT-8 Computer Matching Requirements

PRIVACY

Control Description

When a system or organization processes information for the purpose of conducting a matching program:

  a. Obtain approval from the Data Integrity Board to conduct the matching program;
  b. Develop and enter into a computer matching agreement;
  c. Publish a matching notice in the Federal Register;
  d. Independently verify the information produced by the matching program before taking adverse action against an individual, if required; and
  e. Provide individuals with notice and an opportunity to contest the findings before taking adverse action against an individual.

Supplemental Guidance

The Privacy Act [PRIVACT] establishes requirements for federal and non-federal agencies if they engage in a matching program. In general, a matching program is a computerized comparison of records from two or more automated Privacy Act systems of records, or of an automated system of records and automated records maintained by a non-federal agency (or agent thereof). A matching program pertains either to federal benefit programs or to federal personnel or payroll records.

A federal benefit match is performed to determine or verify eligibility for payments under federal benefit programs or to recoup payments or delinquent debts under federal benefit programs. A matching program involves not just the matching activity itself but also the investigative follow-up and ultimate action, if any.

Assessment Interview Topics

Questions assessors commonly ask

Process & Governance:

  • What is the process for developing and maintaining computer matching agreements and notices?
  • How does the organization ensure computer matching complies with the Computer Matching Act?
  • Who reviews and approves computer matching agreements?
  • What process exists for notifying individuals of computer matching results?
  • What governance exists for ensuring computer matching activities are lawful and appropriate?

Technical Implementation:

  • What systems technically implement computer matching requirements?
  • How are matching algorithms configured and controlled?
  • What technical controls ensure matching complies with agreements?
  • How are matching results verified before action is taken?
  • What audit trails exist for computer matching activities?

Evidence & Documentation:

  • Provide current computer matching agreements.
  • Provide evidence of Data Integrity Board review and approval of matching programs.
  • Provide matching program notices published in the Federal Register.
  • Provide records of matching program reviews and renewals.
  • Provide documentation of individual notifications of matching results.
