Navigating the Death Master File (DMF) Certification & Audit Process

  • ndbsites
  • Oct 29, 2024
  • 3 min read

Since late 2016, organizations seeking access to the Death Master File (DMF) have faced a more rigorous certification process. The DMF, maintained by the United States Social Security Administration (SSA) since 1962, is a critical database of records about deceased individuals. This protected file includes details such as names, dates of birth and death, Social Security numbers, last known ZIP codes, and whether death certifications were verified. Access to personally identifiable information (PII) from the DMF is restricted, particularly within three years of an individual's death, reflecting the sensitivity of the data involved.

Understanding the DMF Certification Process

For organizations to gain access to the DMF, they must demonstrate a legitimate interest in fraud prevention or possess a valid business need dictated by laws, regulations, or fiduciary responsibilities. An organization that meets these criteria must then complete a detailed certification process consisting of the following steps:

  1. Compliance Testing: Organizations must first undergo testing to ensure compliance with either SOC 2 or NIST 800 series standards. These frameworks evaluate the security and operational controls that protect sensitive information.

  2. Fee Payment: Next, organizations are required to visit the National Technical Information Service (NTIS) website to pay necessary fees, which grant them a processing number. These fees are separate from any costs incurred for attestation by an Accredited Conformity Assessment Body (ACAB).

  3. Attestation Form: After payment, organizations must download the FM100A attestation form from the NTIS website and provide their auditing firm with the processing number to facilitate the completion of the attestation.

  4. Filing with NTIS: The auditing firm submits the attestation documentation to NTIS. The auditor will inform the organization once the submission is made and will only reach out if issues arise. If everything is in order, NTIS will directly communicate with the organization regarding the approval and certification status.

Ongoing Requirements for DMF Certified Organizations

Achieving DMF certification is not a one-time event; organizations must be ready for ongoing obligations. Following initial certification, organizations can expect the following:

  • Annual Recertification: Organizations must undergo an annual recertification process to maintain their access rights.

  • Third-Party Attestation: A third-party conformity attestation is required every three years to validate compliance with necessary standards.

  • Audits: Organizations must agree to both scheduled and unscheduled audits conducted by NTIS or the ACAB at NTIS's request.

  • Penalties for Noncompliance: Noncompliance can result in hefty fines, potentially reaching $250,000 annually, with higher penalties for willful violations.
Entities wishing to access the DMF must submit a written attestation from an ACAB to verify that they have established the requisite systems, facilities, and procedures to ensure the confidentiality, security, and proper use of the information.

Certification Standards for Organizations

To achieve DMF certification, organizations can choose to align their compliance efforts with standards such as SOC 2 and the NIST 800 series.

  • SOC 2: This reporting standard provides assurance to clients about the effectiveness of a service organization's controls, specifically those that do not impact the clients' internal control over financial reporting. The SOC 2 report is valuable to stakeholders (customers, regulators, and business partners) because it provides insight into the organization's internal control environment.

  • NIST 800-53: This framework, published by the National Institute of Standards and Technology (NIST), details the security control selection process within the Risk Management Framework (RMF). It is designed for federal information systems and aligns with security requirements established in the Federal Information Processing Standard (FIPS) 200.

Partnering with NDB for DMF Certification

NDB specializes in helping organizations meet DMF audit requirements. Since 2015, NDB has assisted clients in navigating the certification process and ensuring compliance with the relevant standards, primarily using the AICPA SOC 2 framework.

With extensive experience in assessing controls necessary for DMF access, NDB can guide your organization smoothly through the certification process, helping you implement the appropriate systems and practices to safeguard sensitive information and maintain compliance with regulatory requirements.

Please contact Christopher Nickell at cnickell@ndbcpa.com or at 850-295-0808 to learn more about NDB's DMF services.

The DMF plays an important role in preventing identity theft by allowing organizations to cross-reference deceased individuals with active accounts or benefits. By identifying deceased individuals, entities can take appropriate actions such as stopping benefit payments, closing accounts, or preventing fraudulent use of personal information.