SUPPORTING STATEMENT
U.S. Department of Commerce
National Technical Information Service
Limited Access Death Master File Accredited Conformity Assessment Body Systems Safeguards Attestation Form
and
Limited Access Death Master File
State or Local Auditor General or Inspector General Systems Safeguards Attestation Form
OMB Control No. 0692-0016
A. JUSTIFICATION
This is a renewal of a currently approved information collection associated with a final rulemaking (Certification Program for Access to the Death Master File/RIN 0692-AA21).
1. Explain the circumstances that make the collection of information necessary.
The National Technical Information Service (NTIS) Limited Access Death Master File Accredited Conformity Assessment Body Systems Safeguards Attestation Form (ACAB Systems Safeguards Attestation Form) and the Limited Access Death Master File State or Local Auditor General or Inspector General Systems Safeguards Attestation Form (AG or IG Systems Safeguards Attestation Form) are used to collect information related to the implementation of Section 203 of the Bipartisan Budget Act of 2013 (Pub. L. 113-67) (Act). Section 203 of the Act prohibits disclosure of Limited Access Death Master File (Limited Access DMF) information during the three-calendar-year period following death unless the person requesting the information has been certified under a program established by the Secretary of Commerce. The Act directs the Secretary of Commerce to establish a certification program for such access to the Limited Access DMF. The Secretary of Commerce has delegated the authority to carry out the DMF certification program to the Director, NTIS.
Initially, on March 26, 2014, NTIS promulgated an interim final rule, establishing a temporary certification program (79 FR 16668) for persons who seek access to the Limited Access DMF. Subsequently, on December 30, 2014, NTIS issued a notice of proposed rulemaking (79 FR 78314). NTIS adjudicated the comments received, and, on June 1, 2016, published a final rule (81 FR 34882). The final rule requires that, in order to become certified, a Person or Certified Person must submit a written attestation from an “Accredited Conformity Assessment Body” (ACAB), as defined in the final rule, concluding that such Person or Certified Person has information security systems, facilities and procedures in place to protect the security of the Limited Access DMF, as required under Section 1110.102(a)(2) of the final rule. In addition, a Certified Person must provide an ACAB’s written attestation for renewal of its certification at least once every three years as specified in the final rule. In general, the ACAB must be independent of the Person or Certified Person, unless it is a third party conformity assessment body which qualifies for “firewalled status” pursuant to Section 1110.502 of the final rule.
The final rule, however, also recognizes a circumstance where a state or local government department or agency seeking certification or renewal may rely on the attestation of a state or local government Auditor General (AG) or Inspector General (IG) in lieu of the attestation of an independent ACAB. Specifically, Section 1110.501(a)(2) provides that a state or local government office of AG or IG and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under Section 1110.501(a)(1)(ii) for the purpose of determining independence.
An ACAB providing a written attestation for a Person or Certified Person must use the ACAB Systems Safeguards Attestation Form. A state or local government AG or IG providing a written attestation for a Person or Certified Person must use the AG or IG Systems Safeguards Attestation Form.
The ACAB Systems Safeguards Attestation Form collects the following information:
i) Name of Applicant Organization: Collection of the name of the Applicant Organization (i.e., the Person or Certified Person for which the ACAB is submitting the ACAB Systems Safeguards Attestation Form) is necessary for NTIS to identify for which applicant the ACAB is submitting an attestation.
ii) NTIS Invoice/Order Confirmation Number for Processing Fee: Collection of the invoice/order confirmation number for the processing fee for the application of the Person or Certified Person for which the ACAB is submitting the ACAB Systems Safeguards Attestation Form provides a unique identifier which will allow NTIS to link the ACAB Systems Safeguards Attestation Form to the Limited Access Death Master File Subscriber Certification Form (Certification Form) and other information about the Person or Certified Person who is an existing customer.
iii) Name of the Assessor: Collection of the name of the assessor for the ACAB will provide NTIS with the identity of a knowledgeable person to contact with questions or for additional information concerning the ACAB’s written attestation.
iv) Email and Phone Number of Assessor: Collection of the email and phone number of the assessor will provide NTIS with contact information for a knowledgeable person to contact with questions or for additional information concerning the ACAB’s written attestation.
v) Name of the Assessor Company (ACAB): Collecting the name of the ACAB is necessary for NTIS to identify the ACAB.
vi) Applicable standard(s): The final rule requires that the ACAB conduct its assessment of the Person or Certified Person’s systems, facilities and procedures in place to protect Limited Access DMF using a nationally or internationally recognized auditing standard for information security systems, such as, but not limited to, ISO/IEC 27006-2011, “Information technology – Security techniques – Requirements for providing audit and certification of information security management systems.” Collection of the standard(s) used is necessary to establish that the Person or Certified Person meets the requirements of Section 1110.102(a)(2).
vii) Date of the Assessment: Collecting the date on which the ACAB performed the assessment of the Person’s or Certified Person’s systems, facilities and procedures in place to protect Limited Access DMF is necessary to establish that the assessment was conducted no more than three years prior to the date of the submission of the Person’s or Certified Person’s Certification Form, as required by Section 1101.101(b) of the final rule.
viii) Description of Assessment Not Conducted Specifically or Solely for Submission of Attestation: Under Section 1101.101(b) of the final rule, an ACAB’s written attestation that a Person or Certified Person has systems, facilities and procedures in place to protect Limited Access DMF need not be based on an assessment conducted specifically or solely for the purpose of the Person’s or Certified Person’s certification for access to Limited Access DMF. If the ACAB conducted the assessment for purposes other than submission of the applicant’s Limited Access DMF certification, NTIS must collect this information to determine whether the ACAB’s written attestation establishes that the Person or Certified Person meets the requirements of Section 1110.102(a)(2).
ix) Independent or “Firewalled” ACAB: The final rule requires that the written attestation be provided by an ACAB independent of the Person or Certified Person, unless it is a third party conformity assessment body which qualifies for “firewalled” status pursuant to Section 1110.502. An ACAB that is not independent of the Person or Certified Person must have its application for “firewalled” status accepted by NTIS before it can provide a written attestation. NTIS will use this information to determine whether an ACAB indicating that it has “firewalled status” has in fact already had its “firewalled” status accepted by NTIS, and therefore, qualifies to submit a written attestation.
x) Nationally or Internationally Recognized Standard(s) to Which the ACAB is Accredited: Section 1110.2 of the final rule sets forth the requisite credentials for an ACAB submitting a written attestation. Specifically, the ACAB must be accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, ISO/IEC 27006-2011, “Information technology – Security techniques – Requirements for providing audit and certification of information security management systems.” Section 1110.503(a) requires that the ACAB identify its accreditation in the written attestation. Collection of the standard used is necessary to establish that the ACAB is attesting that it is an ACAB as defined in the final rule.
The AG or IG Systems Safeguards Attestation Form collects the following information:
i) Name of Applicant State or Local Government Department or Agency: Collection of this information is necessary for NTIS to be able to identify the state or local government department or agency on whose behalf the state or local government AG or IG is submitting the attestation.
ii) NTIS Invoice/Order Confirmation Number for Processing Fee: Collection of the invoice/order confirmation number for the processing fee for the application of the state or local government department or agency (Person or Certified Person) for which the AG or IG is submitting the AG or IG Systems Safeguards Attestation Form provides a unique identifier which will allow NTIS to link the AG or IG Systems Safeguards Attestation Form to the Certification Form and other information about the state or local government Person or Certified Person who is an existing customer.
iii) Name of the Assessor: Collection of the name of the assessor for the AG or IG will provide NTIS with the identity of a knowledgeable person to initiate contact with questions or for additional information concerning the AG or IG’s attestation.
iv) Email and Phone Number of Assessor: Collection of the email and phone number of the assessor for the AG or IG will provide NTIS with contact information for a knowledgeable person to contact with questions or for additional information concerning the AG or IG’s attestation.
v) State or Local Government Auditor General or Inspector General Office: Collecting the name of the state or local government office of the AG or IG is necessary for NTIS to identify the state or local AG or IG and to be able to contact that office with any questions or for additional information concerning its written attestation.
vi) Date of the Assessment: Collecting the date on which the AG or IG performed the assessment of the Person’s or Certified Person’s systems, facilities and procedures in place to protect Limited Access DMF is necessary to establish that the assessment was conducted no more than three years prior to the date of the submission of the Person’s or Certified Person’s Certification Form, as required by Section 1101.101(b) of the final rule.
vii) Description of Assessment Not Conducted Specifically or Solely for Submission of Attestation: Under Section 1101.101(b) of the final rule, an ACAB’s written attestation that a Person or Certified Person has systems, facilities and procedures in place to protect Limited Access DMF need not be based on an assessment conducted specifically or solely for the purpose of the Person’s or Certified Person’s certification for access to Limited Access DMF. If the AG or IG conducted the assessment for purposes other than submission of the applicant’s Limited Access DMF certification, NTIS must collect this information to evaluate whether the ACAB’s written attestation establishes that the Person or Certified Person meets the requirements of Section 1110.102(a)(2).
2. Explain how, by whom, how frequently, and for what purpose the information will be used. If the information collected will be disseminated to the public or used to support information that will be disseminated to the public, then explain how the collection complies with all applicable Information Quality Guidelines.
All ACABs attesting that a Person or Certified Person has information security systems, facilities and procedures in place to protect the security of the Limited Access DMF as required under Section 1110.102(a)(2) of the final rule must submit the ACAB Systems Safeguards Attestation Form. All state or local government Auditors General or Inspectors General attesting that a Person or Certified Person has information security systems, facilities and procedures in place to protect the security of the Limited Access DMF as required under Section 1110.102(a)(2) of the final rule must submit the AG or IG Systems Safeguards Attestation Form. Under the final rule, all Certified Persons must be audited at least once every three years concerning their compliance with Section 1110.102(a). Section 1110.105(b) specifies that this requirement may be satisfied by either the submission of the written attestation of an ACAB or completion of a satisfactory unscheduled or scheduled audit under Section 1110.201. Therefore, unless a Certified Person has completed a satisfactory audit under Section 1110.201 in the interim, the Certified Person must have an ACAB or AG or IG submit a new attestation form no later than three years following the submission of the initial form. NTIS will use the information collected to evaluate whether a particular Person or Certified Person has the requisite systems, facilities and procedures in place. The ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form collect information to establish that the Person’s or Certified Person’s systems, facilities and procedures are sufficient to safeguard the Limited Access DMF as required by the final rule. The information collected will not be disseminated to the public.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological techniques or other forms of information technology.
NTIS has fillable versions of the ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form, as currently approved, available on its website. NTIS encourages Persons and Certified Persons to make use of the fillable online forms, but will continue to accept forms submitted through other means, including fax, mail or as email attachments.
4. Describe efforts to identify duplication.
The attestations and supporting information collected via the ACAB Systems Safeguards Attestation Form and AG or IG Systems Safeguards Attestation Form are unique to this program, as the attestations are related to requirements set forth in the legislation and regulations specific to this program.
5. If the collection of information involves small businesses or other small entities, describe the methods used to minimize burden.
Small businesses or other small entities may submit ACAB Systems Safeguards Attestation Forms and AG or IG Systems Safeguards Attestation Forms, but NTIS lacks information about the types and sizes of entities impacted by the rule. NTIS included in its notice of proposed rulemaking a request for information from the public about the types of entities impacted by this rule, whether those are small or large entities under SBA’s size standards, and the level of or a description of the type of impacts that the rule will have on those entities. NTIS received a few comments addressing these issues. These comments were taken into consideration in drafting the ACAB Systems Safeguards Attestation Form and AG or IG Systems Safeguards Attestation Form.
The ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form collect only information necessary for NTIS to conduct the program.
6. Describe the consequences to the Federal program or policy activities if the collection is not conducted or is conducted less frequently.
Pursuant to Section 203 of the Act, NTIS must audit, inspect and monitor persons certified under the program. This includes determining whether a Person or Certified Person has information security systems, facilities and procedures in place to protect the Limited Access DMF. The provision of a written attestation from an ACAB applying a nationally or internationally recognized auditing standard is a critical device for ensuring that the Person or Certified Person is in compliance with the Limited Access DMF safeguarding requirement. Section 1110.501(a)(2) provides that a state or local government office of AG or IG and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under Section 1110.501(a)(1)(ii) for the purpose of determining independence, and attestation by the AG or IG is possible. In that event, the attestation of that state or local AG or IG office may similarly serve as a means of ensuring the Person or Certified Person is in compliance with the Limited Access DMF safeguarding requirement. NTIS cannot determine whether a Person or Certified Person satisfies the safeguarding requirement without collecting this information. Under Section 1110.105(b) of the final rule, all Certified Persons seeking renewal of certification must establish their continued compliance with the safeguarding requirement of Section 203 of the Act once every three years either by the submission of the written attestation of an ACAB or completion of a satisfactory unscheduled or scheduled audit under Section 1110.201. Therefore, unless a Certified Person has completed a satisfactory audit under Section 1110.201 in the three-year interim, the Certified Person must have an ACAB or AG or IG submit a new attestation form within three years of the previously submitted attestation.
If NTIS did not collect this information or collected it less frequently, it would not be able to ensure compliance with Section 203 of the Act or the implementing regulations.
7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with OMB guidelines.
Not Applicable.
8. Provide information of the PRA Federal Register Notice that solicited public comments on the information collection prior to this submission. Summarize the public comments received in response to that notice and describe the actions taken by the agency in response to those comments. Describe the efforts to consult with persons outside the agency to obtain their views on the availability of data, frequency of collection, the clarity of instructions and recordkeeping, disclosure, or reporting format (if any), and on the data elements to be recorded, disclosed, or reported.
A 60 Day Federal Register Notice (FRN) soliciting public comments was published on February 9, 2017 (Vol. 82, Number 26, pages 9991-9993). No comments were received.
A 30 Day Federal Register Notice (FRN) soliciting public comments was published on April 20, 2017 (Vol. 82, Number 75, pages 18609-18610). NTIS received one comment in response to this notice. The comment, however, addresses a standard license that Certified Persons must sign to receive DMF information from NTIS and has nothing to do with this information collection for which NTIS is seeking approval. Under the final rule, Persons provide written attestations from ACABs to ensure compliance with the requirements for safeguarding Limited Access DMF information. An ACAB uses the ACAB Systems Safeguards Attestation Form (or, in the case of a state or local AG or IG, the AG or IG Systems Safeguards Attestation Form) to attest for the Person or Certified Person. NTIS is seeking PRA clearance for collecting the information required by the forms.
In addition to completing all forms and becoming certified, to obtain a subscription to receive Limited Access DMF information Certified Persons must enter into a standard license agreement with NTIS. The standard license sets forth the terms and conditions governing the Certified Person’s use of the Limited Access DMF information. One commenter requests that NTIS cease requiring use of the license agreement, or revise or remove a number of terms and conditions in the standard license. The commenter contends that Section 203 of the Act and the final rule govern use and disclosure of Limited Access DMF, so the license agreement is not necessary. The commenter also asserts that the license agreement contains terms that conflict with or exceed the requirements of Section 203 of the Act and the final rule.
The license agreement is not subject to Paperwork Reduction Act (PRA) clearance or the rulemaking process. NTIS utilizes the license agreement to grant Certified Persons permission to use Limited Access DMF for particular purposes consistent with the requirements of Section 203 of the Act and the final rule, including the limitations on disclosure. Accordingly, NTIS disagrees with the commenter’s position that the license agreement is not necessary or that it imposes conflicting or excessive requirements. NTIS, however, appreciates one of the commenter’s suggestions for revision of the license agreement. As the commenter notes, when a Certified Person discloses Limited Access DMF to an uncertified Person in accordance with Section 203 of the Act, the uncertified Person is not subject to all terms of the licensing agreement; for example, the uncertified Person does not need to become certified to receive Limited Access DMF. Rather, uncertified Persons receiving Limited Access DMF must, among other things, meet the requirements for certification as set forth in the final rule and must not misuse or further disclose LADMF in violation of the final rule. NTIS will revise the license agreement to clarify this. NTIS does not see a basis for adopting the commenter’s other suggested changes to the license agreement. NTIS will contact the commenter directly to discuss this matter.
9. Explain any decisions to provide payments or gifts to respondents, other than remuneration of contractors or grantees.
None.
10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy.
None.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private.
Not Applicable.
12. Provide an estimate in hours of the burden of the collection of information.
NTIS estimates completion of the ACAB Systems Safeguards Attestation Form to take approximately 3 hours per form and expects to receive approximately 500 ACAB Systems Safeguards Attestation Forms annually, for a total of 1500 burden hours. NTIS estimates completion of the AG or IG Systems Safeguards Attestation Form to take approximately 3 hours per form, and expects to receive approximately 60 AG or IG Systems Safeguards Attestation Forms annually, for a total of 180 burden hours. The estimated annual burden hours for completion of the ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form total 1,680.
13. Provide an estimate of the total annual cost burden to the respondents or record-keepers resulting from the collection (excluding the value of the burden hours in Question 12 above).
ACAB Systems Safeguards Attestation Forms: NTIS expects to receive approximately 500 ACAB Systems Safeguards Attestation Forms annually at a fee of $525 per form, for a total estimated cost to the public of $262,500. This estimated total annual cost reflects the cost to the Federal Government for the ACAB Systems Safeguards Attestation Forms, which consists of the expenses associated with NTIS personnel reviewing and processing the forms.
AG or IG Systems Safeguards Attestation Forms: NTIS expects to receive approximately 60 AG or IG Systems Safeguards Attestation Forms annually at a fee of $525 per form, for a total estimated cost to the public of $31,500. This estimated total annual cost reflects the cost to the Federal Government for the AG or IG Systems Safeguards Attestation Forms, which consists of the expenses associated with NTIS personnel reviewing and processing the forms.
14. Provide estimates of annualized cost to the Federal government.
ACAB Systems Safeguards Attestation Forms: The cost to the Federal Government consists of the expenses associated with NTIS personnel reviewing and processing the ACAB Systems Safeguards Attestation Forms. NTIS estimates that NTIS personnel will require 5680 hours to review and process the approximately 500 forms, at an average hourly rate of $46.20, for an estimated total cost of $262,500.
AG or IG Systems Safeguards Attestation Forms: The cost to the Federal Government consists of the expenses associated with NTIS personnel reviewing and processing the AG or IG Systems Safeguards Attestation Forms. NTIS estimates that NTIS personnel will require 680 hours to review and process the approximately 60 forms, at an average hourly rate of $46.20, for an estimated total cost of $31,500.
15. Explain the reasons for any program changes or adjustments.
This is a renewal of a currently approved information collection associated with the publication of the final rule “Certification Program for Access to the Death Master File” (RIN 0692-AA21). The final rule requires that Persons and Certified Persons provide written attestations from ACABs to ensure compliance with the requirements for safeguarding Limited Access DMF information. The ACAB Systems Safeguards Attestation Form collects information to establish that the applicant has the systems, facilities and procedures in place to meet the safeguarding requirement. The final rule also provides that a state or local government office of AG or IG and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under Section 1110.501(a)(1)(ii) for the purpose of determining independence, and attestation by the AG or IG is possible. In that event, the state or local AG or IG may attest as to the Person or Certified Person’s compliance with the requirements for safeguarding Limited Access DMF information. The AG or IG Systems Safeguards Attestation Form collects information to establish that the applicant has the systems, facilities and procedures in place to meet the safeguarding requirement.
16. For collections whose results will be published, outline the plans for tabulation and publication.
Not Applicable.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons why display would be inappropriate.
Not Applicable.
18. Explain each exception to the certification statement.
Not Applicable.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Not Applicable.