0692-XXXX-Emergency-NTIS-LADMF-AttestationForms-SupportingStatement-1-4-17

NTIS Limited Access Death Master Files (LADMF) Systems Safeguards Attestation Forms

OMB: 0692-0016

SUPPORTING STATEMENT

U.S. Department of Commerce

National Technical Information Service

Limited Access Death Master File Accredited Conformity Assessment Body Systems Safeguards Attestation Form

and

Limited Access Death Master File

State or Local Auditor General or Inspector General Systems Safeguards Attestation Form

OMB Control No. 0692-XXXX


The National Technical Information Service respectfully requests an expedited review and approval of this information collection for the following reason:


Section 203 of the Bipartisan Budget Act of 2013 prohibits disclosure of Limited Access Death Master File (Limited Access DMF) information, as detailed in this supporting statement and the cover memorandum, unless a person has been certified for access pursuant to certain criteria in a program established by the Secretary of Commerce, who has delegated that responsibility to the Director of NTIS. NTIS issued a final rule establishing a certification program, which becomes effective November 28, 2016, replacing and superseding the interim final rule now in effect. The final rule contains new requirements for certification, including the submission with a person’s application of a written attestation from an “Accredited Conformity Assessment Body” (ACAB) that the person meets the safeguarding requirements of the final rule for the protection of Limited Access DMF information. A state or local government Auditor General (AG) or Inspector General (IG) may submit the written attestation for a state or local government department or agency seeking certification or renewal if the AG or IG is a department or agency of the same state or local government. The forms are to be used by ACABs and state and local AGs and IGs attesting on behalf of the applicants.

Many businesses and other organizations, including credit card companies, financial institutions, health and life insurance companies, medical and health care, as well as state and local government departments and agencies, rely upon uninterrupted access to the Limited Access DMF. If the information collection is not available for use under the final rule, NTIS will not be able to implement the final rule. This could result in such persons who require a renewal of certification not being able to be recertified and experiencing a disruption in access.


NTIS is requesting OMB approval by the effective date of the final rule, November 28, 2016.


A. JUSTIFICATION


This is a new information collection associated with a final rulemaking (Certification Program for Access to the Death Master File/RIN 0692-AA21).


1. Explain the circumstances that make the collection of information necessary.


The National Technical Information Service (NTIS) Limited Access Death Master File Accredited Conformity Assessment Body Systems Safeguards Attestation Form (ACAB Systems Safeguards Attestation Form) and the Limited Access Death Master File State or Local Auditor General or Inspector General Systems Safeguard Attestation Form (AG or IG Systems Safeguards Attestation Form) are used to collect information related to the implementation of Section 203 of the Bipartisan Budget Act of 2013 (Pub. L. 113-67) (Act). Section 203 of the Act prohibits disclosure of Limited Access Death Master File (Limited Access DMF) information during the three-calendar-year period following an individual’s death unless the person requesting the information has been certified under a program established by the Secretary of Commerce. The Act directs the Secretary of Commerce to establish a certification program for such access to the Limited Access DMF. The Secretary of Commerce has delegated the authority to carry out the DMF certification program to the Director of NTIS.


Initially, on March 26, 2014, NTIS promulgated an interim final rule, establishing a temporary certification program (79 FR 16668) for persons who seek access to the Limited Access DMF. Subsequently, on December 30, 2014, NTIS issued a notice of proposed rulemaking (79 FR 78314). NTIS adjudicated the comments received, and, on June 1, 2016, published a final rule (81 FR 34882). The final rule requires that, in order to become certified, a Person or Certified Person must submit a written attestation from an “Accredited Conformity Assessment Body” (ACAB), as defined in the final rule, concluding that such Person or Certified Person has information security systems, facilities and procedures in place to protect the security of the Limited Access DMF, as required under Section 1110.102(a)(2) of the final rule. In addition, a Certified Person must provide an ACAB’s written attestation for renewal of its certification at least once every three years as specified in the final rule. In general, the ACAB must be independent of the Person or Certified Person, unless it is a third party conformity assessment body which qualifies for “firewalled status” pursuant to Section 1110.502 of the final rule.


The final rule, however, also recognizes a circumstance where a state or local government department or agency seeking certification or renewal may rely on the attestation of a state or local government Auditor General (AG) or Inspector General (IG) in lieu of the attestation of an independent ACAB. Specifically, Section 1110.501(a)(2) provides that a state or local government office of AG or IG and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under Section 1110.501(a)(1)(ii) for the purpose of determining independence.

An ACAB providing a written attestation for a Person or Certified Person must use the ACAB Systems Safeguards Attestation Form. A state or local government AG or IG providing a written attestation for a Person or Certified Person must use the AG or IG Systems Safeguards Attestation Form.


The ACAB Systems Safeguards Attestation Form collects the following information:


i) Name of Applicant Organization: Collection of the name of the Applicant Organization (i.e., the Person or Certified Person for which the ACAB is submitting the ACAB Safeguards Attestation Form) is necessary for NTIS to identify for which applicant the ACAB is submitting an attestation.

ii) NTIS Invoice/Order Confirmation Number for Processing Fee: Collection of the invoice/order confirmation number for the processing fee for the application of the Person or Certified Person for which the ACAB is submitting the ACAB Systems Safeguards Attestation Form provides a unique identifier which will allow NTIS to link the ACAB Systems Safeguards Attestation Form to the Limited Access Death Master File Subscriber Certification Form (Certification Form) and other information about the Person or Certified Person who is an existing customer.

iii) Name of the Assessor: Collection of the name of the assessor for the ACAB will provide NTIS with the identity of a knowledgeable person to contact with questions or for additional information concerning the ACAB’s written attestation.

iv) Email and Phone Number of Assessor: Collection of the email and phone number of the assessor will provide NTIS with contact information for a knowledgeable person to contact with questions or for additional information concerning the ACAB’s written attestation.

v) Name of the Assessor Company (ACAB): Collecting the name of the ACAB is necessary for NTIS to identify the ACAB.

vi) Applicable standard(s): The final rule requires that the ACAB conduct its assessment of the Person or Certified Person’s systems, facilities and procedures in place to protect Limited Access DMF using a nationally or internationally recognized auditing standard for information security systems, such as, but not limited to, ISO/IEC 27006-2011, “Information technology – Security techniques – Requirements for providing audit and certification of information security management systems.” Collection of the standard(s) used is necessary to establish that the Person or Certified Person meets the requirements of Section 1110.102(a)(2).

vii) Date of the Assessment: Collecting the date on which the ACAB performed the assessment of the Person’s or Certified Person’s systems, facilities and procedures in place to protect Limited Access DMF is necessary to establish that the assessment was conducted no more than three years prior to the date of the submission of the Person’s or Certified Person’s Certification Form, as required by Section 1101.101(b) of the final rule.

viii) Description of Assessment Not Conducted Specifically or Solely for Submission of Attestation: Under Section 1101.101(b) of the final rule, an ACAB’s written attestation that a Person or Certified Person has systems, facilities and procedures in place to protect Limited Access DMF need not be based on an assessment conducted specifically or solely for the purpose of the Person’s or Certified Person’s certification for access to Limited Access DMF. If the ACAB conducted the assessment for purposes other than submission of the applicant’s Limited Access DMF certification, NTIS must collect this information to determine whether the ACAB’s written attestation establishes that the Person or Certified Person meets the requirements of Section 1110.102(a)(2).

ix) Independent or “Firewalled” ACAB: The final rule requires that the written attestation be provided by an ACAB independent of the Person or Certified Person, unless it is a third party conformity assessment body which qualifies for “firewalled” status pursuant to Section 1110.502. An ACAB that is not independent of the Person or Certified Person must have its application for “firewalled” status accepted by NTIS before it can provide a written attestation. NTIS will use this information to determine whether an ACAB indicating that it has “firewalled status” has in fact already had its “firewalled” status accepted by NTIS, and therefore, qualifies to submit a written attestation.

x) Nationally or Internationally Recognized Standard(s) to Which the ACAB is Accredited: Section 1110.2 of the final rule sets forth the requisite credentials for an ACAB submitting a written attestation. Specifically, the ACAB must be accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, ISO/IEC 27006-2011, “Information technology – Security techniques – Requirements for providing audit and certification of information security management systems.” Section 1110.503(a) requires that the ACAB identify its accreditation in the written attestation. Collection of the standard used is necessary to establish that the ACAB is attesting that it is an ACAB as defined in the final rule.


The AG or IG Systems Safeguards Attestation Form collects the following information:


i) Name of Applicant State or Local Government Department or Agency: Collection of this information is necessary for NTIS to be able to identify the state or local government department or agency on whose behalf the state or local government AG or IG is submitting the attestation.

ii) NTIS Invoice/Order Confirmation Number for Processing Fee: Collection of the invoice/order confirmation number for the processing fee for the application of the state or local government department or agency (Person or Certified Person) for which the AG or IG is submitting the AG or IG Systems Safeguards Attestation Form provides a unique identifier which will allow NTIS to link the AG or IG Systems Safeguards Attestation Form to the Certification Form and other information about the state or local government Person or Certified Person who is an existing customer.

iii) Name of the Assessor: Collection of the name of the assessor for the AG or IG will provide NTIS with the identity of a knowledgeable person to initiate contact with questions or for additional information concerning the AG or IG’s attestation.

iv) Email and Phone Number of Assessor: Collection of the email and phone number of the assessor for the AG or IG will provide NTIS with contact information for a knowledgeable person to contact with questions or for additional information concerning the AG or IG’s attestation.

v) State or Local Government Auditor General or Inspector General Office: Collecting the name of the state or local government office of the AG or IG is necessary for NTIS to identify the state or local AG or IG and to be able to contact that office with any questions or for additional information concerning its written attestation.

vi) Date of the Assessment: Collecting the date on which the AG or IG performed the assessment of the Person’s or Certified Person’s systems, facilities and procedures in place to protect Limited Access DMF is necessary to establish that the assessment was conducted no more than three years prior to the date of the submission of the Person’s or Certified Person’s Certification Form, as required by Section 1101.101(b) of the final rule.

vii) Description of Assessment Not Conducted Specifically or Solely for Submission of Attestation: Under Section 1101.101(b) of the final rule, an ACAB’s written attestation that a Person or Certified Person has systems, facilities and procedures in place to protect Limited Access DMF need not be based on an assessment conducted specifically or solely for the purpose of the Person’s or Certified Person’s certification for access to Limited Access DMF. If the AG or IG conducted the assessment for purposes other than submission of the applicant’s Limited Access DMF certification, NTIS must collect this information to evaluate whether the ACAB’s written attestation establishes that the Person or Certified Person meets the requirements of Section 1110.102(a)(2).

2. Explain how, by whom, how frequently, and for what purpose the information will be used. If the information collected will be disseminated to the public or used to support information that will be disseminated to the public, then explain how the collection complies with all applicable Information Quality Guidelines.


All ACABs attesting that a Person or Certified Person has information security systems, facilities and procedures in place to protect the security of the Limited Access DMF as required under Section 1110.102(a)(2) of the final rule must submit the ACAB Systems Safeguards Attestation Form. All state or local government Auditors General or Inspectors General attesting that a Person or Certified Person has information security systems, facilities and procedures in place to protect the security of the Limited Access DMF as required under Section 1110.102(a)(2) of the final rule must submit the AG or IG Systems Safeguards Attestation Form. Under the final rule, all Certified Persons must be audited at least once every three years concerning their compliance with Section 1110.102(a). Section 1110.105(b) specifies that this requirement may be satisfied by either the submission of the written attestation of an ACAB or completion of a satisfactory unscheduled or scheduled audit under Section 1110.201. Therefore, unless a Certified Person has completed a satisfactory audit under Section 1110.201 in the interim, the Certified Person must have an ACAB or AG or IG submit a new attestation form no later than three years following the submission of the initial form. NTIS will use the information collected to evaluate whether a particular Person or Certified Person has the requisite systems, facilities and procedures in place. The ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form collect information to establish that the Person’s or Certified Person’s systems, facilities and procedures are sufficient to safeguard the Limited Access DMF as required by the final rule. The information collected will not be disseminated to the public.


3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological techniques or other forms of information technology.


Beginning on November 28, 2016, the date the final rule becomes effective, NTIS will make a fillable version of the ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form available on its website. NTIS encourages Persons and Certified Persons to make use of the fillable online forms, but will continue to accept forms submitted through other means, including fax, mail or as email attachments.


4. Describe efforts to identify duplication.


The attestations and supporting information collected via the ACAB Systems Safeguards Attestation Form and AG or IG Systems Safeguards Attestation Form are unique to this program, as the attestations are related to requirements set forth in the legislation and regulations specific to this program.



5. If the collection of information involves small businesses or other small entities, describe the methods used to minimize burden.


Small businesses or other small entities may submit ACAB Systems Safeguards Attestation Forms and AG or IG Systems Safeguards Attestation Forms, but NTIS lacks information about the types and sizes of entities impacted by the rule. NTIS included in its notice of proposed rulemaking a request for information from the public about the types of entities impacted by this rule, whether those are small or large entities under SBA’s size standards, and the level of or a description of the type of impacts that the rule will have on those entities. NTIS received a few comments addressing these issues. These comments were taken into consideration in drafting the ACAB Systems Safeguards Attestation Form and AG or IG Systems Safeguards Attestation Form.


The ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form collect only information necessary for NTIS to conduct the program.


6. Describe the consequences to the Federal program or policy activities if the collection is not conducted or is conducted less frequently.


Pursuant to Section 203 of the Act, NTIS must audit, inspect and monitor persons certified under the program. This includes determining whether a Person or Certified Person has information security systems, facilities and procedures in place to protect the Limited Access DMF. The provision of a written attestation from an ACAB applying a nationally or internationally recognized auditing standard is a critical device for ensuring that the Person or Certified Person is in compliance with the Limited Access DMF safeguarding requirement. Section 1110.501(a)(2) provides that a state or local government office of AG or IG and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under Section 1110.501(a)(1)(ii) for the purpose of determining independence, and attestation by the AG or IG is possible. In that event, the attestation of that state or local AG or IG office may similarly serve as a means of ensuring the Person or Certified Person is in compliance with the Limited Access DMF safeguarding requirement. NTIS cannot determine whether a Person or Certified Person satisfies the safeguarding requirement without collecting this information. Under Section 1110.105(b) of the final rule, all Certified Persons seeking renewal of certification must establish their continued compliance with the safeguarding requirement of Section 203 of the Act once every three years either by the submission of the written attestation of an ACAB or completion of a satisfactory unscheduled or scheduled audit under Section 1110.201. Therefore, unless a Certified Person has completed a satisfactory audit under Section 1110.201 in the three-year interim, the Certified Person must have an ACAB or AG or IG submit a new attestation form within three years of the previously submitted attestation.


If NTIS did not collect this information or collected it less frequently, it would not be able to ensure compliance with Section 203 of the Act or the implementing regulations.



7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with OMB guidelines.


Not Applicable.


8. Provide information of the PRA Federal Register Notice that solicited public comments on the information collection prior to this submission. Summarize the public comments received in response to that notice and describe the actions taken by the agency in response to those comments. Describe the efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.


A notice soliciting public comments was published in the Federal Register on December 1, 2016 (Vol. 81, Number 231, pages 86703-86704).


NTIS is requesting comments on the ACAB Systems Safeguards Attestation Form and AG or IG Systems Safeguards Attestation Form in this public notice.


NTIS has been working closely with OMB and other relevant Federal agencies on requirements of the certification program.


9. Explain any decisions to provide payments or gifts to respondents, other than remuneration of contractors or grantees.


None.


10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy.


This information collection is covered by a Privacy Impact Assessment (PIA) and System of Records Notice (SORN). For details concerning the controls implemented to protect the confidentiality of the information collected from respondents, see draft Privacy Impact Assessment for the Death Master File (DMF) Cert (Attachment A) and draft Systems Record of Notice (Attachment B). The draft Privacy Impact Assessment and draft Systems Record of Notice have been submitted to the Department of Commerce for approval.


11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.


Not Applicable.



12. Provide an estimate in hours of the burden of the collection of information.


NTIS estimates completion of the ACAB Systems Safeguards Attestation Form to take approximately 3 hours per form and expects to receive approximately 500 ACAB Systems Safeguards Attestation Forms annually, for a total of 1500 burden hours. NTIS estimates completion of the AG or IG Systems Safeguards Attestation Form to take approximately 3 hours per form, and expects to receive approximately 60 AG or IG Systems Safeguards Attestation Forms annually, for a total of 180 burden hours. The estimated annual burden hours for completion of the ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form total 1,680.


13. Provide an estimate of the total annual cost burden to the respondents or record-keepers resulting from the collection (excluding the value of the burden hours in Question 12 above).


ACAB Systems Safeguards Attestation Forms: NTIS expects to receive approximately 500 ACAB Systems Safeguards Attestation Forms annually at a fee of $525 per form, for a total estimated cost to the public of $262,500. This estimated total annual cost reflects the cost to the Federal Government for the ACAB Systems Safeguards Attestation Forms, which consists of the expenses associated with NTIS personnel reviewing and processing the forms.


AG or IG Systems Safeguards Attestation Forms: NTIS expects to receive approximately 60 AG or IG Systems Safeguards Attestation Forms annually at a fee of $525 per form, for a total estimated cost to the public of $31,500. This estimated total annual cost reflects the cost to the Federal Government for the AG or IG Systems Safeguards Attestation Forms, which consists of the expenses associated with NTIS personnel reviewing and processing the forms.


14. Provide estimates of annualized cost to the Federal government.


ACAB Systems Safeguards Attestation Forms: The cost to the Federal Government consists of the expenses associated with NTIS personnel reviewing and processing the ACAB Systems Safeguards Attestation Forms. NTIS estimates that NTIS personnel will require 5680 hours to review and process the approximately 500 forms, at an average hourly rate of $46.20, for an estimated total cost of $262,500.


AG or IG Systems Safeguards Attestation Forms: The cost to the Federal Government consists of the expenses associated with NTIS personnel reviewing and processing the AG or IG Systems Safeguards Attestation Forms. NTIS estimates that NTIS personnel will require 680 hours to review and process the approximately 60 forms, at an average hourly rate of $46.20, for an estimated total cost of $31,500.


15. Explain the reasons for any program changes or adjustments.


This is a new information collection associated with the publication of the final rule “Certification Program for Access to the Death Master File” (RIN 0692-AA21). The final rule requires that Persons and Certified Persons provide written attestations from ACABs to ensure compliance with the requirements for safeguarding Limited Access DMF information. The ACAB Systems Safeguards Attestation Form collects information to establish that the applicant has the systems, facilities and procedures in place to meet the safeguarding requirement. The final rule also provides that a state or local government office of AG or IG and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under Section 1110.501(a)(1)(ii) for the purpose of determining independence, and attestation by the AG or IG is possible. In that event, the state or local AG or IG may attest as to the Person or Certified Person’s compliance with the requirements for safeguarding Limited Access DMF information. The AG or IG Systems Safeguards Attestation Form collects information to establish that the applicant has the systems, facilities and procedures in place to meet the safeguarding requirement.


16. For collections whose results will be published, outline the plans for tabulation and publication.


Not Applicable.


17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons why display would be inappropriate.


Not Applicable.


18. Explain each exception to the certification statement.


Not Applicable.


B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS


Not Applicable.


File Created: 2021-01-23