HRPAY 19-13, Secure File Transfer Protocol (SFTP) Process

Published: December 11, 2019
Effective: Pay Period 20, 2019


In accordance with the Secure File Transfer Protocol (SFTP) requirements mandated by the United States Department of Agriculture (USDA), all file transmissions currently conducted via File Transfer Protocol (FTP), and any new file transmissions, must utilize the SFTP method.

Agencies and the National Finance Center (NFC) will continue to establish a project team, considering roles, responsibilities, and skill sets required. Agencies will identify Points of Contact (POCs) and vendor/contract support and communicate the roles and responsibilities to their project team.

Agencies must submit their SFTP requirements to NFC via Form AD-3003, Software Change Request (SCR). In addition, Form AD-3113, Secure File Transfer Protocol (SFTP) File Transmission Request, must be completed to provide all file-related information. The NFC-assigned project number must be included in all subsequent correspondence related to the project. Once NFC receives forms from the Agency, NFC will schedule a meeting to review the request with the Agency technical team. If an outside contractor or servicing Agency manages the actual FTP process, they must participate as well.


For each project, the process below will be followed from initiation through implementation.

To Establish Project Team:

Each project team should include the POCs listed below.

After the project teams have been established, they will follow the process below.

To Establish Project:

  1. Agency submits the completed Form AD-3003 and Form AD-3113 to
  2. NFC requirements analyst contacts Agency within 15 days to acknowledge receipt of the request.
  3. NFC requirements branch prepares a Functional Requirements Document (FRD) due date based on project complexity and/or Agency priority (e.g., 30 days for a small project, 60 days for a medium project, and 90-120 days for a large project).
  4. NFC requirements branch requests an Interim Interagency Agreement (IIA) to fund requirements, if applicable.

    Note: No IIA is needed unless files are being added; file formats are being modified to add, modify, or delete data elements; or files are being deleted.

  5. NFC Project Control Office (PCO) sends the IIA to Agency, if applicable.
  6. Agency returns the signed IIA, if applicable, within 14 days.

To Define Requirements:

  1. NFC requirements analyst conducts meetings with the project team to further define and clarify requirements.
  2. NFC requirements analyst completes the FRD and submits it to Agency.
  3. Agency returns the signed FRD within 14 days.
  4. Agency reviews, updates, and returns the ISA to NFC.

    Note: No updates to the ISA are required unless more than 3 years have passed since it was last updated, or the project requires changes in network architecture (e.g., IP Address).

  5. NFC prepares cost estimate, if applicable.
  6. NFC submits the final Interagency Agreement (IA) package, including the signed FRD and cost estimate, to the Agency, if applicable.
  7. Agency returns the signed IA package within 14 days, if applicable.

To Implement Changes:

  1. NFC builds the workflow process, account profile, firewall rules, and PGP encryption keys, and establishes server connectivity.
  2. Agency or vendor loads PGP encryption keys, modifies firewall rules, and establishes server connectivity.
  3. NFC and Agency or vendor test server connectivity.
  4. NFC development staff writes code to create requested data file changes.
  5. NFC schedules project for implementation.
  6. NFC migrates software code.
  7. NFC closes project 2 weeks after successful implementation.


For more information, refer to the Secure File Transfer Protocol (SFTP) Process information on NFC's Web site.


For questions about NFC processing, authorized Servicing Personnel Office representatives should contact the NFC Contact Center at 1-855-NFC-4GOV (1-855-632-4468) or via the customer service portal.