SUPPORTING STATEMENT
U.S. Department of Commerce
National Technical Information Service
Limited Access Death Master File Accredited Conformity Assessment Body Systems Safeguards Attestation Form
and
Limited Access Death Master File
State or Local Auditor General or Inspector General Systems Safeguards Attestation Form
OMB Control No. 0692-0016
A. ABSTRACT
This is an extension of a currently approved information collection. This information collection will be used in connection with the “Certification Program for Access to the Death Master File” (15 CFR part 1110), which prohibits the disclosure of Limited Access Death Master File (Limited Access DMF) during the three-calendar-year period following death unless the person requesting information has been certified as required by 15 CFR part 1110. This instrument collects information for the written attestation, as required by the rule, that each person seeking certification or renewal of certification has information security systems, facilities, and procedures in place to protect the security of the Limited Access DMF.
B. JUSTIFICATION
1. Explain the circumstances that make the collection of information necessary. Identify any legal or administrative requirements that necessitate the collection. Attach a copy of the appropriate section of each statute and regulation mandating or authorizing the collection of information.
The National Technical Information Service (NTIS) Limited Access Death Master File Accredited Conformity Assessment Body Systems Safeguards Attestation Form (ACAB Systems Safeguards Attestation Form) and the Limited Access Death Master File State or Local Auditor General or Inspector General Systems Safeguard Attestation Form (AG or IG Systems Safeguards Attestation Form) are used to collect information related to the implementation of Section 203 of the Bipartisan Budget Act of 2013 (Pub. L. 113-67) (Act). Section 203 of the Act prohibits disclosure of Limited Access Death Master File (Limited Access DMF) information during the three-calendar-year period following death unless the person requesting the information has been certified under a program established by the Secretary of Commerce. The Act directs the Secretary of Commerce to establish a certification program for such access to the Limited Access DMF. The Secretary of Commerce has delegated the authority to carry out the DMF certification program to the Director, NTIS.
On June 1, 2016, NTIS published the final rule (81 FR 34882, 15 CFR Part 1110). The final rule requires that, in order to become certified, a Person or Certified Person must submit a written attestation from an “Accredited Conformity Assessment Body” (ACAB), as defined in the final rule, concluding that such Person or Certified Person has information security systems, facilities and procedures in place to protect the security of the Limited Access DMF, as required under Section 1110.102(a)(2) of the final rule. In addition, a Certified Person must provide an ACAB’s written attestation for renewal of its certification at least once every three years as specified in the final rule. In general, the ACAB must be independent of the Person or Certified Person, unless it is a third-party conformity assessment body which qualifies for “firewalled status” pursuant to Section 1110.502 of the final rule.
The final rule, however, also recognizes a circumstance where a state or local government department or agency seeking certification or renewal may rely on the attestation of a state or local government Auditor General (AG) or Inspector General (IG) in lieu of the attestation of an independent ACAB. Specifically, Section 1110.501(a)(2) provides that a state or local government office of AG or IG and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under Section 1110.501(a)(1)(ii) for the purpose of determining independence.
An ACAB providing a written attestation for a Person or Certified Person must use the ACAB Systems Safeguards Attestation Form. A state or local government AG or IG providing a written attestation for a Person or Certified Person must use the AG or IG Systems Safeguards Attestation Form.
2. Indicate how, by whom, and for what purpose the information is to be used. Except for a new collection, indicate the actual use the agency has made of the information received from the current collection.
Item # |
Requirement |
Statute |
Regulation |
Form # |
Needs and Uses |
1 |
Limited Access Death Master File Attestation Form |
Section 203 of the Bipartisan Budget Act of 2013 |
15 CFR Part 1110 |
FM100A and B |
To ensure conformity with requirements of an established program through which persons may become eligible to obtain access to Death Master File (DMF) |
The information collected was and will be used by NTIS to evaluate whether a particular Person or Certified Person has the requisite systems, facilities and procedures in place to protect the security of the Limited Access DMF as required under the final rule. The ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form collect information to establish that the Person’s or Certified Person’s systems, facilities and procedures are sufficient to safeguard the Limited Access DMF as required by the final rule. The information collected will not be disseminated to the public.
3. Describe whether, and to what extent, the collection of information involves the use of automated, electronic, mechanical, or other technological techniques or other forms of information technology, e.g. permitting electronic submission of responses, and the basis for the decision for adopting this means of collection. Also, describe any consideration of using information technology to reduce burden.
NTIS has fillable versions of the ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form, as currently approved, available on its website. NTIS encourages Persons and Certified Persons to make use of the fillable online forms, but will continue to accept forms submitted through other means, including fax, mail or as email attachments.
4. Describe efforts to identify duplication. Show specifically why any similar information already available cannot be used or modified for use for the purposes described in Question 2.
The attestations and supporting information collected via the ACAB Systems Safeguards Attestation Form and AG or IG Systems Safeguards Attestation Form are unique to this program, as the attestations are related to requirements set forth in the legislation and regulations specific to this program.
5. If the collection of information involves small businesses or other small entities, describe the methods used to minimize burden.
Small businesses or other small entities may submit ACAB Systems Safeguards Attestation Forms and AG or IG Systems Safeguards Attestation Forms, but NTIS lacks information about the types and sizes of entities impacted by the rule. NTIS included in its notice of proposed rulemaking a request for information from the public about the types of entities impacted by this rule, whether those are small or large entities under SBA’s size standards, and the level of or a description of the type of impacts that the rule will have on those entities. NTIS received a few comments addressing these issues. These comments were taken into consideration in drafting the ACAB Systems Safeguards Attestation Form and AG or IG Systems Safeguards Attestation Form.
The ACAB Systems Safeguards Attestation Form and the AG or IG Systems Safeguards Attestation Form collect only information necessary for NTIS to conduct the program.
6. Describe the consequences to the Federal program or policy activities if the collection is not conducted or is conducted less frequently, as well as any technical or legal obstacles to reducing burden.
Pursuant to Section 203 of the Act, NTIS must audit, inspect and monitor persons certified under the program. This includes determining whether a Person or Certified Person has information security systems, facilities and procedures in place to protect the Limited Access DMF. The provision of a written attestation from an ACAB applying a nationally or internationally recognized auditing standard is a critical device for ensuring that the Person or Certified Person is in compliance with the Limited Access DMF safeguarding requirement. Section 1110.501(a)(2) provides that a state or local government office of AG or IG and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under Section 1110.501(a)(1)(ii) for the purpose of determining independence, and attestation by the AG or IG is possible. In that event, the attestation of that state or local AG or IG office may similarly serve as a means of ensuring the Person or Certified Person is in compliance with the Limited Access DMF safeguarding requirement. NTIS cannot determine whether a Person or Certified Person satisfies the safeguarding requirement without collecting this information. Under Section 1110.105(b) of the final rule, all Certified Persons seeking renewal of certification must establish their continued compliance with the safeguarding requirement of Section 203 of the Act once every three years either by the submission of the written attestation of an ACAB or completion of a satisfactory unscheduled or scheduled audit under Section 1110.201. Therefore, unless a Certified Person has completed a satisfactory audit under Section 1110.201 in the three-year interim the Certified Person must have an ACAB or AG or IG submit a new attestation form within three years of the previously submitted attestation.
If NTIS did not collect this information or collected it less frequently, it would not be able to ensure compliance with Section 203 of the Act or the implementing regulations.
7. Explain any special circumstances that require the collection to be conducted in a manner inconsistent with OMB guidelines.
Not Applicable.
8. If applicable, provide a copy and identify the date and page number of publications in the Federal Register of the agency’s notice, required by 5 CFR 1320.8 (d), soliciting comments on the information collection prior to submission to OMB. Summarize public comments received in response to that notice and describe actions taken by the agency in response to these comments. Specifically address comments received on cost and hour burden.
A 60 Day Federal Register Notice (FRN) soliciting public comments was published on June 29, 2020 (85 FR 38868). No comments were received. A copy of the FRN is included as a supplementary document.
9. Explain any decisions to provide payments or gifts to respondents, other than remuneration of contractors or grantees.
None.
10. Describe any assurance of confidentiality provided to respondents and the basis for assurance in statute, regulation, or agency policy. If the collection requires a systems of records notice (SORN) or privacy impact assessment (PIA), those should be cited and described here.
Not applicable.
11. Provide additional justification for any questions of a sensitive nature, such as sexual behavior and attitudes, religious beliefs, and other matters that are commonly considered private. This justification should include the reasons why the agency considers the questions necessary, the specific uses to be made of the information, the explanation to be given to persons from whom the information is requested, and any steps to be taken to obtain their consent.
Not Applicable.
12. Provide an estimate in hours of the burden of the collection of information.
13. Provide an estimate of the total annual cost burden to the respondents or record-keepers resulting from the collection (excluding the value of the burden hours in
Question 12 above).
14. Provide estimates of annualized cost to the Federal government. Also, provide a description of the method used to estimate cost, which should include quantification of hours, operational expenses (such as equipment, overhead, printing, and support staff), and any other expense that would not have been incurred without this collection of information.
Agencies may also aggregate cost estimates from Questions 12, 13, and 14 in a single table.
15. Explain the reasons for any program changes or adjustments reported in ROCIS.
Based on an assessment of the actual use during the prior approval period, NTIS anticipates a decrease in respondents and burden hours. The instrument also includes changes to the Project Manager and contact information.
16. For collections whose results will be published, outline the plans for tabulation and publication. Address any complex analytical techniques that will be used. Provide the time schedule for the entire project, including beginning and ending dates of the collection of information, completion of report, publication dates, and other actions.
Not Applicable.
17. If seeking approval to not display the expiration date for OMB approval of the information collection, explain the reasons why display would be inappropriate.
Not Applicable.
18. Explain each exception to the certification statement.
There are no exceptions requested to the certification statement.
B. COLLECTIONS OF INFORMATION EMPLOYING STATISTICAL METHODS
Not Applicable.
File Type | application/vnd.openxmlformats-officedocument.wordprocessingml.document |
File Modified | 0000-00-00 |
File Created | 2021-01-13 |