The recipient and subrecipient must:
(a) Establish, document, and maintain effective internal control over the Federal award that provides reasonable assurance that the recipient or subrecipient is managing the Federal award in compliance with Federal statutes, regulations, and the terms and conditions of the Federal award. These internal controls should align with the guidance in “Standards for Internal Control in the Federal Government” issued by the Comptroller General of the United States or the “Internal Control-Integrated Framework” issued by the Committee of Sponsoring Organizations of the Treadway Commission (COSO).
(b) Comply with the U.S. Constitution, Federal statutes, regulations, and the terms and conditions of the Federal award.
(c) Evaluate and monitor the recipient's or subrecipient's compliance with statutes, regulations, and the terms and conditions of Federal awards.
(d) Take prompt action when instances of noncompliance are identified.
(e) Take reasonable cybersecurity and other measures to safeguard information including protected personally identifiable information (PII) and other types of information. This also includes information the Federal agency or pass-through entity designates as sensitive or other information the recipient or subrecipient considers sensitive and is consistent with applicable Federal, State, local, and tribal laws regarding privacy and responsibility over confidentiality.