U.S. Department of Health and Human Services
Two NIST special publications guide HHS security practices for interconnecting systems. NIST SP 800-18 Rev.1 requires a formal ISA, MOU, or MOA between systems that share data when the data is owned or operated by different organizations.
HHS uses a combination MOU/ISA. HHS also adheres to a highly structured Enterprise Performance Lifecycle (EPLC), similar but not identical to that recommended by NIST.
NIST SP 800-47, Security Guide for Interconnecting Information Systems Technology, offers specific guidance and security ground rules for interconnections.
Setting the Ground Rules with MOUs and MOAs