The SDI Review Process

​The SDI Team reviews data-related agreements for three key measures: 

  1. Is there secure transfer of electronic data?

  2. Are the appropriate IT safeguards and access controls in place?

  3. Does the agreement comply with IT security policies and privacy laws and regulations?

How It Works

  1. The MDH Unit will submit their data-related agreement to the SDI Team via the Cognito platform.: SDI Agreement Review Form

  2. ​The SDI Team will have 15 days from submission to review the data-related agreement and request any additional information needed for review. The 15-day period begins once all requested information has been received. This may include requiring vendors to complete a  Security Controls Survey, submit proof of a SOC 2 Type II audit or Third Party Risk Assessment, or answer questions regarding data migration into an approved system.

  3. The SDI Team will discuss and vote on the data-related agreement during the SDI Team weekly meeting or approve the submission by administrative review. Review by the SDI Team will result in one of the following potential outcomes: approval, provisional approval, denial,  or assessment completed.  ​

  4. Once a determination has been made by the voting members or the administrative review committee, the SDI Team will send a memo to the MDH Unit with ​​​their determination.

  5. If the agreement is approved by the SDI Team, the MDH unit may proceed with execution of the data-related agreement.​

What documents do I need to submit?

Documents Required for Submission by Data-Related Agreement Type

1. Data Use Agreement (DUA)

2. Memorandum of Understanding (MOU)

3. Business Associate ​Agreement (BAA)

4. Interagency Agreement (IA)

5. Standard Grant Agreement (SGA)


  • Copy of the pending agreement
  • Security Controls Survey1
  • Copy of the previously executed agreement2
  •  SOC 2 type audits or Third-party Risk Assessment (if applicable)
  • Accompanying documents3



  1. The Security Controls Survey is only for agreements that are NOT on a State-approved system and do not have HITRUST Certification. Vendors only need to complete the Security Controls Survey once per year (unless there are changes to the platform). ​
  2. This applies to all submissions that are modifications, amendments, extensions, or renewals of a data-related agreement.
  3. Documents that will assist the SDI Team with review of the agreement. May include scope of work (SOW), award letter, appendix, cover sheet, ba​ckground information, vendor information.​​

Ready for SDI Review?


Contact us

SDI Team
Office of Internal Controls and Audit Compliance​
201 W. Preston Street
Baltimore, MD 21201

410-767-5314 office 
410-333-7194 fax  
mdh.sditeam@maryland.gov​

Ready for SDI Review?

Submit Your Agreement Now 


Looking for IAC? 

​VIsit the IAC Website​