Document

Supporting Statement A

ICR 202606-3145-001 · OMB 3145-0278 · Object 169655400.

Document Viewer [docx]

Status: The document is viewable through fallback artifacts while conversion repair continues in the background.

Queue: Repair is queued and waiting for the next worker pass. (priority 70 · attempts 51 · next 2026-06-17 00:41:17)

Missing: pdf

Download: Source copy (docx) | html

Primary: docxSource: application/vnd.openxmlformats-officedocument.wordprocessingml.document
Loading document viewer…
Document Metadata
File Typeapplication/vnd.openxmlformats-officedocument.wordprocessingml.document
File TitleSupporting Statement A
Authorholly002
Last Modified ByPlimpton, Suzanne H.
File Modified2026-06-09
File Created2026-06-04
Conversion Statefailed_conversion
Extracted Text
SUPPORTING STATEMENT PART A
OMB Control No. 3145-0278


A. Justification

The Foundations for Evidence-Based Policymaking Act of 2018 (44 U.S.C. 3583) mandates that the Director of the Office of Management and Budget (OMB) establish a Standard Application Process (SAP) for requesting access to certain confidential data assets. OMB published the SAP policy M-23-04 on December 8, 2022. The SAP Portal is the software implementation of the SAP and includes a web-based application designed to collect information from individuals requesting access to confidential data assets from federal statistical agencies and units. The application collects information on the individual requesting access to data, the data requested, the proposed uses of the data, and products to be released to the public. In late 2025, NCSES published a 60-day Federal Register Notice (90 FR 25380) announcing plans to renew information collection through what is referred to by the Office of Management and Budget as a Common Form. OMB approved the Common Form for the agencies that applied in December of 2022 (OMB Control Number 3145-0271). 

Once an agency approves an application to use confidential data, applicants must demonstrate how they meet agency-specific security requirements to access restricted-use microdata. Each agency is submitting its own ICR to OMB to collect information from individuals to fulfill agency-specific data security requirements for the purpose of evidence building. 

The National Center for Science and Engineering Statistics (NCSES) is seeking renewal of a previously approved information collection request to determine if applicants meet NCSES’ security requirements. NCSES’s data security agreements and other paperwork, along with the corresponding security protocols, allow NCSES to maintain careful controls on the confidentiality and privacy of our data, as required by law. This information collection will occur outside of the SAP Portal. In February of 2026, NCSES published a 60-day Federal Register Notice (91 FR 5515) announcing plans for this collection. 

    1. Necessity of the Information Collection

NCSES makes confidential survey data available to approved SAP applicants through its restricted data licensing program. This program provides secure data access to approved applicants for statistical uses. Statistical uses are approved through the SAP application process. NCSES confidential survey data is collected under the Confidential Information Protection and Statistical Efficiency Act (Pub. L. 115-435, 132 Stat. 5529), the NSF Act of 1950 as amended, 42 U.S.C. 1873(i), and the Privacy Act of 1974 as amended, 5 U.S.C. 552a. These statutes provide for the confidentiality of respondents and the protection of the data they provide. To ensure that NCSES meets its statutory obligations, individuals who request to gain or maintain access to confidential data must become CIPSEA agents, which requires a license agreement, a security plan, and an affidavit of nondisclosure. Annually, all individuals with data access must take CIPSEA training as well as sign an individual data usage agreement and a rules of behavior form that outlines the etiquette for accessing NCSES’s virtual secure data access facility. In addition, access and use of the data must occur in NCSES’ virtual data enclave and all output resulting from data use must be cleared through a disclosure review process prior to public release.  

To maintain data access, individuals must have an active data licensing agreement and complete the following annual requirements: CIPSEA training, individual data usage agreement, and a rules of behavior form.

    2. Needs and Uses

Data collected, accessed, or acquired by statistical agencies and units is vital for developing evidence on conditions, characteristics, and behaviors of the public and on the operations and outcomes of public programs and policies. Access to confidential data on businesses, households, and individuals from federal statistical agencies and units enables agencies, the Congressional Budget Office, State, local, and Tribal governments, researchers, and other individuals to contribute evidence-based information to research and policy questions on economic, social, and environmental issues of national, regional, and local importance. This evidence can benefit the stakeholders in the programs, the broader public, as well as policymakers and program managers at the local, State, Tribal, and National levels.
 
In addition, data users may provide insights on how statistical agencies and units may improve the quality of the data collected or acquired; identify shortcomings of current data collection programs and data processing methods; document new data needs; and develop methods to address survey nonresponse or improve statistical weights.

Collection of Information for NCSES Data Security Requirements
When NCSES makes a positive determination for an application requesting access to an NCSES-owned confidential data asset, NCSES will contact the applicant(s) to initiate the process of collecting information to fulfill its data security requirements. This process allows NCSES to place the applicant(s) in a trusted access category and includes the collection of the following information from applicant(s):

    • Restricted-use licensing agreement (attached as appendix A) – This document is an agreement between NCSES and the applicant’s organization provisioning NCSES’s confidential data assets exclusively for statistical purposes in accordance with the terms and conditions stated in the agreement and all prevailing laws and regulations. The agreement requires signatures from the applicant(s) and a senior official at the applicant’s organization who has the authority to enter the organization into a legal agreement with NCSES.

    • Security plan form (attached as appendix B) – This document requests information from the applicant(s) to ensure the confidential data assets are protected from unauthorized access, disclosure, or modification. The information collected in the security plan form includes the following:
        ◦ planned work location address(es),
        ◦ workstation specifications (make, model, serial number, type, and operating system),
        ◦ workstation authorized users,
        ◦ workstation monitor position (to prevent unauthorized viewing), and
        ◦ workstation antivirus brand and version.

Finally, the form requires signatures from the applicant(s), a senior official at the applicant’s organization, and an Information System Security Officer (ISSO) at the applicant’s organization. The ISSO, in signing the Security plan form, assures the inspection and integrity of the applicant’s security plan.

    • Affidavit of nondisclosure form (attached as appendix C) – This document describes the confidentiality protections the applicant(s) must uphold and the penalties for unauthorized access or disclosure. The form requires signatures from the applicant(s) and the principal researcher for the project as well as the imprint of a notary public.

    • Rules of behavior (attached as appendix D) – The intent of this document is for each licensed individuals to expressly acknowledge receipt and understanding of physical security requirements and user responsibilities for devices used to access NCSES’s virtual secure data access facility on an annual basis. This serves as an annual reminder and administrative safeguard in deterring improper disclosure and use of NCSES’s restricted-use data.

    • Individual data use agreement (attached as appendix E) – The intent of this document is for each licensed individuals to expressly acknowledge receipt and understanding that NCSES restricted-use data may only be used for the following purposes under CIPSEA: data processing, statistical analysis, and statistical reporting on an annual basis. This serves as an annual reminder and administrative safeguard in deterring improper disclosure and use of NCSES’s restricted-use data.

In addition to completing the forms listed above, all applicants who will access data are required to complete CIPSEA training annually for the duration of their data access. 

Authorization
Foundations for Evidence-Based Policymaking Act of 2018 (44 U.S.C. 3583); Confidential Information Protection and Statistical Efficiency Act (Pub. L. 115-435, 132 Stat. 5529), the NSF Act of 1950 as amended, 42 U.S.C. 1873(i), and the Privacy Act of 1974 as amended, 5 U.S.C. 552a.
    3. Use of Information Technology

NCSES will contact individuals whose approved applications requesting access to NCSES’s confidential data via email. Applicants complete NCSES’s required forms, provide them to NCSES by email, or upload them directly into an onboarding system maintained by an NCSES contractor.

    4. Efforts to Identify Duplication

NCSES has reviewed its security requirements to eliminate duplication. NCSES is required by law to maintain careful controls on confidentiality and limit disclosure risk. Its restricted use licensing agreement, security plan form, affidavit of nondisclosure form, individual data user agreement, and rules of behavior are required for each approved research project to ensure minimal disclosure risk of NCSES’s confidential data. NCSES security paperwork must be completed for each individual project.

Each statistical agency’s requirements are unique, based on their statutory requirements. The SAP Governance Board reviews these requirements for potential duplication in security across agencies with the goal to streamline processes as part of a wider effort within the federal statistical system. 

    5. Impact on Small Entities 

Small businesses or their representatives may choose to participate in this voluntary collection of information. The burden of this collection does not represent a significant barrier to participation from small businesses and is not large enough to pose significant costs to respondents, including small businesses. 

    6. Consequences of Less Frequent Collection

NCSES requires and collects information for its security forms for all individuals on each application approved through the SAP Portal who will be accessing data. Less frequent collection would compromise NCSES’s ability to secure its confidential data. 

    7. Special Circumstances

There are no special circumstances for this information collection.

    8. Consultations Outside the Agency

On February 6, 2026, the National Center for Science and Engineering Statistics (NCSES) within the U.S. National Science Foundation published a notice in the Federal Register (91 FR 5515) inviting the public and other federal agencies to comment on plans to submit this request. NCSES received no public comments. 
 
    9. Paying Respondents

No payments or gifts will be given to holders of user accounts in the system.

    10. Assurance of Confidentiality

All personal identifiers will be protected under the Privacy Act of 1974 and NCSES’ confidentiality privacy and practices.

    11. Justification for Sensitive Questions

No sensitive questions will be asked in this information collection. 

    12. Estimate of Hour Burden

Many applicants will be academic research faculty or students at U.S. universities or other types of research institutions. Other applicants are likely to include analysts at nonprofit organizations and research groups in U.S. Government organizations (Federal, State, local, and Tribal). Scientific research typically results in papers presented at scientific conferences and published in peer-reviewed academic journals, working paper series, monographs, and technical reports. The scientific community at large benefits from the additions to knowledge resulting from research with statistical agencies and units’ data. Results inform both scientific theory and public policy and can assist agencies in carrying out their missions.

The amount of time to complete the agreements and other paperwork that comprise NCSES's security requirements will vary based on the confidential data assets requested. To obtain access to NCSES confidential data assets, it is estimated that the average time to complete and submit NCSES's data security agreements, other paperwork, and take required CIPSEA training is 60 minutes. This estimate does not include the time needed to complete and submit an application within the SAP Portal. All efforts related to SAP Portal applications occur prior to and separate from NCSES's effort to collect information related to data security requirements.

The expected number of applications in the SAP Portal that receive a positive determination from NCSES in a given year may vary. 

Overall, per year, NCSES estimates it will collect data security information for 20 application submissions that received a positive determination within the SAP Portal. NCSES estimates that the total burden for the collection of information for data security requirements over the course of the three-year OMB clearance will be about 60 hours and, as a result, an average annual burden of 20 hours.

In addition, continuing users must complete annual requirements such as taking the CIPSEA training and signing the individual data use agreement form and rules of behavior form. An average of 90 continuing users per year, taking an average of 35 minutes for the CIPSEA training and completing the individual data use agreement and rules of behavior for a total annual burden of approximately 53 hours for continuing users.

The total annual burden, for new applicants and continuing users, is therefore 73 hours.

Annual Burden for New Applicants
Activity
Number of Applicants
Average Time (minutes)
Total Burden (hours)
Completion of Security Paperwork
20
30
10
CIPSEA Training
20 (Same Applicants as Above)
30
10
Total
20
60
20

Annual Burden for Continuing Users
Activity
Number of Continuing Users
Average Time (minutes)
Total Burden (hours)
Completion of individual data use agreement and rules of behavior
90
5
8
CIPSEA Training
90 (Same Applicants as Above)
30
45
Total
90
35
53


The total cost to applications requesting and maintaining access to NCSES data for the 73 total burden hours is estimated to be $3,560 annually over each year of the three-year OMB clearance period. 

This estimate is based on an estimated median annual salary of $120,224 per applicant.1 Assuming a 40-hour workweek and a 52-week salary, this annual salary translates to an hourly salary of $57.80.  

    13. Estimate of Cost Burden

NCSES does not impose any fees, charges, or costs to individuals submitting NCSES security forms. Users must have the initial licensing agreement notarized which may require a fee depending on the state regulations in which the applicant resides.

    14. Cost to Federal Government

We estimate the average annual cost to the Federal Government for the collection and review of NCSES security documents to be approximately $669,568 per year for Fiscal Years 2026, 2027, and 2028.  These figures are based on required contractual and staff resources necessary to collect and review documents given the expected annual number of submitted applications. 

    15. Reason for Change in Burden

The 60-day FRN did not capture the burden estimate for continuing users. This estimate has been updated to reflect the reduction in estimated number of new applicants from 40 to 20 and includes the addition of burden for continuing users.

    16. Project Schedule

The information provided by applicants to NCSES is received on an ongoing basis and is not subject to any schedule. Users provide information voluntarily and at their discretion.

    17. Request to Not Display Expiration Date

The expiration date of OMB approval will be displayed on NCSES’s security forms. 

    18. Exceptions to the Certification 

There are no exceptions.

B. Collections of Information Employing Statistical Methods

Because applications requesting access to NCSES data are voluntary, this information collection will not employ statistical methods.