Certification Program for Access to the Death Master File

Federal Register, Volume 79 Issue 249 (Tuesday, December 30, 2014)

Proposed Rules

Pages 78314-78324

From the Federal Register Online via the Government Printing Office www.gpo.gov

FR Doc No: 2014-30199

Page 78314

DEPARTMENT OF COMMERCE

National Technical Information Service

15 CFR Part 1110

Docket Number: 141219001-4999-02

RIN 0692-AA21

Certification Program for Access to the Death Master File

AGENCY: National Technical Information Service, U.S. Department of Commerce.

ACTION: Notice of proposed rulemaking; request for comments.

-----------------------------------------------------------------------

SUMMARY: The National Technical Information Service (NTIS) issues a proposed rule that would, if implemented, establish a program pursuant to Section 203 of the Bipartisan Budget Act of 2013 (Act) through which persons may become ``certified'' and thereby be eligible to obtain access to Death Master File (DMF) information about an individual within three years of that individual's death (``Limited Access DMF,'' as defined in the proposed rule). The rule is established to provide immediate access to the DMF to those users who demonstrate a legitimate fraud prevention interest or a legitimate business purpose for the information, and to otherwise delay the release of the DMF to all other users, thereby reducing opportunities for identity theft and restricting information sources used to file fraudulent tax returns. This rule sets forth requirements to become a certified person, establishes a process for third party attestation and auditing of the information safeguarding requirement for certification, provides that certified persons will be subject to periodic scheduled and unscheduled audits, and sets out penalties for persons who disclose or use DMF information in a manner not in accordance with the Act. This rule would also establish the process for appealing denials or revocations of certification and the imposition of penalties, and a fee program.

DATES: Comments are due on this proposed rule on January 29, 2015.

ADDRESSES: Written comments on this proposed rule must be submitted via http://www.regulations.gov. Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. All comments received are a part of the public record and will generally be posted for public viewing on www.regulations.gov without change. However, comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted. All personal identifying information (e.g., name, address) submitted voluntarily by the sender will be publicly accessible. Do not submit confidential business information, or otherwise sensitive or protected information. Attachments to electronic comments will be accepted in Microsoft Word or Excel, WordPerfect, or Adobe PDF formats only.

FOR FURTHER INFORMATION CONTACT: Henry Wixon, Chief Counsel for NIST, at henry.wixon@nist.gov, or by telephone at 301-975-2803. Information about the DMF made available to the public by NTIS may be found at https://dmf.ntis.gov.

SUPPLEMENTARY INFORMATION:

Background

On December 26, 2013, the Bipartisan Budget Act of 2013, Pub. L. 113-67, (the Act) became law. Section 203 of the Act prohibits the Secretary of Commerce (Secretary) from disclosing DMF information during the three-calendar-year period following an individual's death (the ``Limited Access DMF''), unless the person requesting the information has been certified to receive that information under a program established by the Secretary. The Act further requires the Secretary to establish a fee-based certification program that will certify these persons. It also provides for penalties for those who receive or distribute DMF information without being certified. Finally, the Act sets March 26, 2014, as the date after which any party seeking access to the Limited Access DMF must be certified in order to access Limited Access DMF. The Secretary has delegated the authority to carry out Section 203 to the Director of NTIS.

On March 3, 2014, NTIS published a Request for Information (RFI) and Advance Notice of Public Meeting on the Certification Program for Access to the Death Master File (RFI) at 79 FR 11735, available at http://www.gpo.gov/fdsys/pkg/FR-2014-03-03/pdf/2014-04584.pdf. The public meeting was held March 4, 2014, from 9:00 a.m. to 12:00 p.m. Eastern time at the United States Patent and Trademark Office, Madison Building West, 600 Dulany Street, Alexandria, VA 22314. The public meeting was also webcast. Written comments received in response to the RFI, and a transcription of oral comments made and comments submitted via webcast at the public meeting, may be viewed at https://dmf.ntis.gov.

On March 26, 2014, NTIS published an interim final rule, ``Temporary Certification Program for Access to the Death Master File,'' at 79 FR 16668, available at http://www.gpo.gov/fdsys/pkg/FR-2014-03-26/pdf/2014-06701.pdf (the Interim Final Rule). That rule codified an interim approach to implementing the Act's provisions pertaining to the certification program and the penalties for violating the Act, and set out an interim fee schedule for the program. NTIS published the Interim Final Rule in order to provide a mechanism for persons to access the DMF immediately on the effective date prescribed in Section 203 of the Act. Written comments received in response to the Interim Final Rule may be viewed at http://www.regulations.gov.

The preambles for both the RFI and the Interim Final Rule set out the specific provisions of the Act, and also noted that several Members of Congress described their understanding of the purpose and meaning of Section 203 during Congressional debate on the Joint Resolution which became the Act. Citations to those Member statements were provided in the RFI, which also provided background on the component of the DMF covered by Section 203, which originates from the Social Security Administration. The Interim Final Rule was established to provide immediate access to the DMF to those users who demonstrate a legitimate fraud prevention interest or a legitimate business purpose for the information, and to otherwise delay the release of the DMF to all other users, thereby reducing opportunities for identity theft and restricting information sources used to file fraudulent tax returns.

This rule, if adopted, would replace the regulatory structure put into place by the Interim Final Rule. It describes who may become a ``Certified Person'' under the Act, creates a process by which NTIS can certify such persons, establishes a process for third party attestation and auditing of the information safeguarding requirement for certification, establishes a fee program, establishes penalties for disseminating or receiving DMF information in violation of the Act, and creates a process to appeal some penalties. However, until this rule becomes final and effective, the Temporary Certification Program established under the Interim Final Rule shall remain in force and effect.

The Proposed Rule

This proposed rule would amend subparts and add a new subpart E to the DMF Certification Program in part 1110 of title 15 of the Code of Federal Regulations. The following describes specific provisions being amended.

Under Section 1110.2, ``Definitions,'' NTIS proposes to revise the definition of ``Person'' to recite ``state and local government departments and agencies,'' so that ``Person'' will be defined as including ``corporations, companies, associations, firms, partnerships, societies, joint stock companies, and other private organizations, and state and local government departments and agencies, as well as individuals.'' However, Executive departments or agencies of the United States Government would not be considered ``Persons'' for the purposes of this rule. Accordingly, Executive departments or agencies will not have to complete the Certification Form as set forth in the rule, and will be able to access Limited Access DMF under a subscription or license agreement with NTIS, describing the purpose(s) for which Limited Access DMF is collected, used, maintained and shared. Those working on behalf of and authorized by Executive departments or agencies may access the Limited Access DMF from their sponsoring Executive department or agency, which will be responsible for ensuring that such access is solely for the authorized purposes described by the agency. Unauthorized secondary use of Limited Access DMF by Executive departments or agencies or those working for them or on their behalf is prohibited. If an Executive department or agency wishes those working on its behalf to access the Limited Access DMF directly from NTIS, then those working on behalf of that Executive department or agency will be required to complete and submit the Certification Form as set forth in the rule and enter into a subscription agreement with NTIS in order to access the Limited Access DMF. Under this proposed rule, a Certified Person will be eligible to access the Limited Access DMF made available by NTIS through subscription or license.

NTIS proposes to revise the definition of ``Limited Access DMF'' by adding a sentence that clarifies that an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF, will not be considered ``DMF information'' for the purposes of the rule, and requests comment on the proposed definition. The additional sentence is as follows:

As used in this part, Limited Access DMF does not include an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF. If a Certified Person obtains, or a third party subsequently provides to a Certified Person, death information (i.e., the name, social security account number, date of birth, or date of death) independently, the information is not considered part of the Limited Access DMF if the NTIS source information is replaced with the newly provided information.

NTIS believes this revision of the definition of ``Limited Access DMF'' adds clarity to what is and is not Limited Access DMF, and requests comment on the proposed definition.

Under Section 1110.102(a)(1) of the interim final rule, to become certified, a Person must certify that the Person has a ``legitimate fraud prevention interest,'' or has a ``legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty,'' and must specify the basis for so certifying. NTIS is not proposing to change this requirement here. However, the Temporary Certification Program established under the Interim Final Rule did not provide for review, assessment or audit of the systems, facilities, and procedures of a Person with attestation by an independent, third party conformity assessment body, as NTIS is now proposing in this rule, and as discussed at length below. Given this proposed rule's emphasis on security and safeguarding of Limited Access DMF, the proposed rule's provision for procedures and processes addressing the proper safeguarding of Limited Access DMF, and the proposed rule's provision for review, assessment, audit and attestation of a Person's information and information security controls by independent, third party conformity assessment bodies, NTIS requests comments on the degree of specificity a Person should be required to provide as the basis for certifying its fraud prevention interest or business purpose under the proposed rule.

NTIS acknowledges that some entities may seek to provide NTIS with supplemental or supporting information over and above what may be required along with the attestation, to augment or support their request for certification for access to Limited Access DMF. If submitted, NTIS will evaluate such materials and may accept or reject that information when determining whether to certify a person. To assist NTIS in determining how to evaluate such materials, NTIS also requests comments on what types of materials NTIS should accept in support of a certification that a party has a legitimate business purpose or legitimate fraud prevention interest.

This rule would add a requirement that, in order to become certified, a Person must submit a written attestation from an Accredited Certification Body (as defined below) that such Person has information security systems, facilities, and procedures in place to protect the security of the DMF information, as required under Section 1110.102(a)(2) of the rule. Such a requirement was not made under the Interim Final Rule. In considering how to establish a permanent certification program as required under Section 203, NTIS carefully considered developing, within the agency, the capacity to evaluate the information systems, facilities and procedures of Persons to safeguard DMF information, as well as to conduct audits of Certified Persons. NTIS has consulted with the National Institute of Standards and Technology (NIST), which has expertise in testing, standard setting, and certification of various systems. Based on NIST recommendations, NTIS believes it appropriate for private sector, third party, Accredited Certification Bodies to attest to a Person's information security safeguards under Section 1110.102(a)(2) of the rule, and for NTIS to rely upon such attestation in certifying a Person under the proposed rule. NTIS also believes it appropriate for Accredited Certification Bodies to conduct periodic scheduled and unscheduled audits of Certified Persons on behalf of NTIS. NTIS requests comments on the proposal to accept attestations by private sector, third party, Accredited Certification Bodies under the rule.

Under this rule, an ``Accredited Certification Body'' is an independent third party conformity assessment body that is not owned, managed, or controlled by a Person or Certified Person which is the subject of attestation or audit, and that is accredited, by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publication ISO/IEC 27006-2011, ``Information technology--Security techniques--Requirements for bodies providing audit and certification of information security management systems,'' to attest that a Person or Certified Person has information technology systems, facilities and procedures in place to safeguard DMF information. Based on NIST recommendations, NTIS believes it is appropriate to use ISO/IEC 27006-2011 as a baseline for accreditation under the proposed certification program. The ISO Committee on conformity assessment (CASCO) prepared ISO/IEC 27006-2011, and NTIS believes the use of the ISO/IEC standard will help ensure that attestations and audits under the proposed certification program operate in a manner consistent with national and international practices. Accreditation is a third-party attestation that a conformity assessment body operates in accordance with national and international standards. Accreditation is used nationally and internationally in many sectors where there is a need, through certification, to show that safety, health or security requirements are met by products or services. Accreditation ensures that a conformity assessment body is technically competent in the subject matter (in this case, the information safeguarding and security requirements as set forth in the rule) and has a management system in place to ensure competency and acceptable certification program operations on a continuing basis. Accreditation requires that Accredited Certification Bodies be re-accredited on a periodic basis.

However, NTIS is also aware that standards other than ISO/IEC 27006-2011 exist that may be equally appropriate for the purposes of accreditation under the Act, and that additional standards may be developed in the future. At this time, NTIS proposes that an Accredited Certification Body may attest, subject to the conditions of verification in proposed section 1110.503 of this rule, that it is accredited to a nationally or internationally recognized standard for bodies providing audit and certification of information security management systems other than ISO/IEC Standard 27006-2011. In addition, NTIS proposes that an Accredited Certification Body must also attest that the scope of its accreditation encompasses the information safeguarding and security requirements as set forth in the rule. NTIS requests comments on these proposals.

NTIS is aware that security and safeguarding of information and information systems is of great concern in many fields of endeavor other than with respect to DMF information. NTIS has consulted with subject matter experts from NIST, which in 2014 published the ``Framework for Improving Critical Infrastructure Cybersecurity'' (Framework), in response to President Obama's Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' which established that ``it is the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.'' In articulating this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework--a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created by NIST through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risks in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The Framework enables organizations--regardless of size, degree of cybersecurity risk, or cybersecurity sophistication--to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today's multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. 
Accordingly, in addressing the requirements of Section 203 for ``systems, facilities, and procedures'' to safeguard DMF information, NTIS contemplates that Persons, as well as Accredited Certification Bodies, may look to the Framework and to the Framework's Informative References. The Framework is referenced by NTIS in its security guideline document, ``Limited Access Death Master File (LADMF) Certification Program Publication 100,'' which is similar to the Internal Revenue Service (IRS) Publication 1075, ``Tax Information Security Guidelines for Federal, State and Local Agencies,'' available at http://www.irs.gov/pub/irs-pdf/p1075.pdf, and IRS Publication 4812, ``Contractor Security Controls,'' available at http://www.irs.gov/pub/irs-procure/Publication-4812_Contractor_Security-Controls.pdf. As set forth in the security guideline document as well as in the Framework's Informative References, a number of different approaches exist to safeguarding information. These include ISO/IEC, Control Objectives for Information and Related Technology (COBIT), International Society of Automation (ISA), and NIST's 800 series publications. Others include the Service Organization Controls (SOC) of the American Institute of CPAs (AICPA). NTIS intends that by following its security guideline document, Persons and Certified Persons will satisfy the requirements of the rule. NTIS requests comments on other relevant approaches that may exist and be suitable for the purposes of the rule.

NTIS is aware that security and safeguarding assessments such as those contemplated under this proposed rule are routinely carried out in the private sector, including by entities which may satisfy the requirements for Accredited Certification Bodies under the rule. Provided that such a routine assessment or audit of a Person would permit an Accredited Certification Body to attest that such Person has systems, facilities, and procedures in place to safeguard DMF information as required under Section 1110.102(a)(2) of the rule, albeit carried out for a purpose other than certification under the rule, NTIS proposes to accept an attestation in support of a Person's certification with respect to the requirements under Section 1110.102(a)(2) of the rule, as well as in support of the renewal of a Certified Person's certification. NTIS proposes that any attestation, whether for a Person seeking certification or for a Certified Person seeking renewal, must be based on the Accredited Certification Body's review or assessment conducted no more than three years prior to the date of submission of the Person's completed certification statement or of the Certified Person's completed renewal certification statement. As noted, an Accredited Certification Body's review or assessment need not have been conducted specifically or solely for the purpose of submission of an attestation under the proposed rule, provided the review or assessment addresses the controls set forth in the ``Limited Access Death Master File (LADMF) Certification Program Publication 100.'' From NTIS's consultations with NIST subject matter experts, NTIS believes that the limitation of three years is appropriate as to frequency for assessments for the security and safeguarding of information and information systems, and that permitting Persons and Certified Persons to rely on attestations based on such assessments conducted for purposes other than solely for the rule is reasonable and cost-effective. NTIS requests comment on this aspect of the proposed rule.

NTIS proposes to amend Section 1110.102(a)(2) and (3) to clarify that to be certified to obtain access to the Limited Access DMF, a Person must certify both that the Person ``has systems, facilities, and procedures in place to safeguard the accessed information, and experience in maintaining the confidentiality, security, and appropriate use of accessed information, pursuant to requirements similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986,'' and that the Person ``agrees to satisfy such similar requirements.'' This standard differs somewhat from the requirement of Section 203 of the Act, because that Section contains contradictory statements about the types of systems to safeguard information that a Certified Person must have in place. In Section 203(b)(2)(B), the Act states that in order to receive Limited Access DMF, a Person must agree to comply with requirements ``similar to'' section 6103(p)(4) of the Internal Revenue Code (IRC). Section 6103(p)(4) of the IRC is directed to Federal government agencies, and as such the ``similar to'' statement makes sense for non-government actors which are the subject of the Act. However, Section 203(b)(2)(C) also requires a Certified Person to ``satisfy the requirements of such section 6103(p)(4) as if such section applied to such person'' (emphasis added). It is unclear how or why a Certified Person could or should satisfy an information integrity requirement ``similar to'' section 6103(p)(4) of the IRC while also satisfying section 6103(p)(4) of the IRC. To resolve this ambiguity, NTIS interprets Section 203(b) of the Act as requiring Persons to certify that they have systems, facilities, and procedures in place that are ``similar to'' those required by section 6103(p)(4) of the IRC in order to become Certified Persons. 
NTIS requests comments on this interpretation, which NTIS believes will allow NTIS to meet the interest of protecting personal data generally and deterring fraud, while also allowing NTIS to set the data integrity standards appropriate to safeguard DMF information specifically. NTIS has developed a security guideline document, ``Limited Access Death Master File (LADMF) Certification Program Publication 100,'' similar to the Internal Revenue Service (IRS) Publication 1075, ``Tax Information Security Guidelines for Federal, State and Local Agencies,'' available at http://www.irs.gov/pub/irs-pdf/p1075.pdf, as well as IRS Publication 4812, ``Contractor Security Controls,'' available at http://www.irs.gov/pub/irs-procure/Publication-4812_Contractor_Security-Controls.pdf, and drawing on the National Institute of Standards and Technology ``Framework for Improving Critical Infrastructure Cybersecurity,'' and informative references cited therein, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf, that sets out safeguard approaches adapted to the provisions of Section 203 of the Act. NTIS will invite the public to comment on and to contribute to this guidance document on a continuing basis. NTIS contemplates that conforming to the proposed NTIS security guideline document will permit Persons and Certified Persons to satisfy the Act. A draft of the proposed NTIS security guideline document is available for review at https://dmf.ntis.gov.

NTIS believes that adherence to the information security controls and practices described in the LADMF Certification Program Publication 100 will help protect LADMF information that resides on Certified Persons' information technology systems. Combined with the strict liability for misusing the LADMF information set out in Section 203(c) of the Act, and in section 1110.102 of this proposed rule, LADMF Certification Program Publication 100 describes safeguards for minimizing occurrences of improper access to, and misuse of, LADMF data. Specifically, LADMF Certification Program Publication 100 establishes the guidelines and practices that Certified Persons are to apply to their information security programs to protect LADMF information in their possession. Failure to adhere to these guidelines and practices increases the likelihood of unauthorized access to, and misuse of, LADMF data, including fraudulent misuse. Accordingly, the information security measures required by this rule and adherence to the guidelines and practices described in LADMF Certification Program Publication 100 require Certified Persons to maintain adequate security controls for LADMF information.

Persons previously certified under the Interim Final Rule will need to become certified in accordance with the requirements of the proposed rule, when it becomes final and effective. Certification under this rule will include an updated certification form, discussed below under the heading, ``Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Proposed Rule,'' collecting additional information that will improve NTIS's ability to determine whether a Person meets, to the satisfaction of NTIS, the requirements of Section 203 of the Act.

Under Section 1110.103 of the proposed rule, a Certified Person may disclose Limited Access DMF to another Certified Person, and will be deemed to satisfy the disclosing Certified Person's obligation to ensure compliance with proposed Section 1110.102(a)(4)(i)-(iii) for the purposes of certification. Similarly, under Section 1110.200(c), NTIS will not impose a penalty, under Section 1110.200(a)(1)(i)-(iii) of the proposed rule, on a first Certified Person who discloses Limited Access DMF to a second Certified Person, where the first Certified Person's liability rests solely on the fact that the second Certified Person has been determined to be subject to penalty. While the proposed rule does not restrict disclosure of Limited Access DMF to Certified Persons, NTIS believes that these provisions create an appropriately limited ``safe harbor'' for Certified Persons to disclose Limited Access DMF to other Certified Persons. However, note that any Person that receives Limited Access DMF from a Certified Person is still subject to penalty under Section 1110.200(a)(1)-(4), for violations of the Act. The safe harbor provision applies to each disclosure individually, and only the Certified Person disclosing the information, not the recipient, receives the benefit of the presumed compliance with Section 1110.102(a)(4)(i)-(iii). NTIS requests comment on this provision of the proposed rule, including on whether or not the ``safe harbor'' should also apply when a first Certified Person discloses Limited Access DMF to a second Person, believed to be a Certified Person, but who is not, in fact, certified under the proposed rule.

Under Section 1110.201 of the proposed rule, NTIS may conduct, or may request an Accredited Certification Body conduct, at the Certified Person's expense, periodic scheduled and unscheduled audits of the systems, facilities, and procedures of any Certified Person relating to such Certified Person's access to, and use and distribution of, the Limited Access DMF. NTIS contemplates that many, if not most, audits of Certified Persons will be scheduled, but NTIS may also conduct, or request an Accredited Certification Body conduct, unscheduled audits--for example, where a prior scheduled audit may have identified the need for adjustment to a Certified Person's systems, facilities, or procedures. Audits conducted by NTIS or by an Accredited Certification Body may take place at a Certified Person's place of business (i.e., field audits), or may be conducted remotely (i.e., desk audits). As discussed above, NTIS is proposing that all Certified Persons be audited with respect to the requirements of Section 1110.102(a)(2) no less frequently than every three years under the program, and that this requirement may be satisfied by a Certified Person based on an audit or assessment conducted for a purpose other than solely for the rule. NTIS is not proposing routine scheduled audits on the attestation regarding Section 1110.102(a)(1), though unscheduled audits of this and other aspects of the requirements for certification may be conducted in NTIS's discretion. NTIS requests comment on these aspects of the proposed rule. NTIS's costs for conducting audits will be recoverable from the audited Person. Failure to submit to audit, to cooperate fully with NTIS in its conduct of an audit, or to pay an audit fee owed to NTIS, will be grounds for revocation of certification. NTIS intends that a Person or Certified Person will be directly responsible to an Accredited Certification Body for any charges by that Accredited Certification Body related to requirements under this proposed rule, as it would be responsible for NTIS's auditing costs under the Act, and requests comments.

Section 1110.200(c) of the proposed rule sets out the penalties for unauthorized disclosures or uses of the Limited Access DMF. Each individual unauthorized disclosure is punishable by a fine of $1,000, payable to the United States Treasury. However, the total amount of the penalty imposed under this part on any Person for any calendar year shall not exceed $250,000, unless such Person's disclosure or use is determined to be willful or intentional. A disclosure or use is considered willful when it is a ``voluntary, intentional violation of a known legal duty.'' See United States v. Pomponio, 429 U.S. 10 (1976) (holding that for purposes of interpreting the criminal tax provisions of the Internal Revenue Code, the term ``willful'' means a voluntary, intentional violation of a known legal duty).

The proposed rule's Section 1110.300 establishes the procedures to appeal a denial or revocation of certification, or the imposition of penalties for violating the Act. An administrative appeal must be filed, in writing, within 30 days (or such longer period as the Director of NTIS may, for good cause shown in writing, establish in any case) after receiving a notice of denial, revocation or imposition of penalties. Appeals should be directed to the Director of NTIS. Any such appeal must set forth the following: The name, street address, email address and telephone number of the Person seeking review; a copy of the notice of denial or revocation of certification, or the imposition of penalty, from which appeal is taken; a statement of arguments, together with any supporting facts or information, concerning the basis upon which the denial or revocation of certification, or the imposition of penalty, should be reversed; and a request for hearing of oral argument before a representative of the Director, if desired.

Section 1110.300(a)-(d) proposes the procedures for an administrative appeal. Under section 1110.300(c), a Person may, but need not, retain an attorney to represent such Person in an appeal. Those with attorneys shall designate such attorney by submitting to the Director of NTIS a written power of attorney. If a hearing is requested, the Person (or the Person's designated attorney) and a representative of NTIS familiar with the notice from which appeal has been taken will present oral arguments which, unless otherwise ordered before the hearing begins, will be limited to thirty minutes for each side. A Person need not retain an attorney or request an oral hearing to secure full consideration of the facts and the Person's arguments. Where no hearing is requested, the Director shall review the case and issue a decision as set out below.

Under Section 1110.300(e), the Director of NTIS shall issue a decision on the matter within 120 days after a hearing, or, if no hearing was requested, within 90 days of receiving the letter of appeal. In making decisions on appeal, the Director shall consider the arguments and statements of fact and information in the Person's appeal, and made at the oral argument hearing, if such was requested, but the Director at his or her discretion and with due respect for the rights and convenience of the Person and the agency, may call for further statements on specific questions of fact or may request additional evidence in the form of affidavits on specific facts in dispute. An appellant may seek reconsideration of the decision, but must do so in writing, and the request for reconsideration must be received within 30 days of the Director's decision or within such an extension of time thereof as may be set by the Director of NTIS before the original period expires. A decision shall become final either after the 30-day period for requesting reconsideration expires and no request has been submitted, or on the date of final disposition of a decision on a petition for reconsideration.

As discussed above, for certification of a Person under the rule, as well as renewal of a Certified Person's certification, NTIS proposes requiring submission of a third party attestation as to the information safeguarding requirement. Third party attestation is accordingly a key element of the certification program under the rule. In view of this, the rule provides that an Accredited Certification Body must be independent of the Person or Certified Person, and must itself be accredited by a recognized accreditation body. The requirement for independence from the Person seeking certification, or from the Certified Person seeking renewal or subject to audit, is important to ensure integrity of any assessment and attestation. NTIS requests comment on this requirement.

NTIS proposes that an Accredited Certification Body must be an independent third party certification body that is not owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Certification Body. Under the rule, a Person or Certified Person is considered to own, manage, or control a third party certification body if any one of the following characteristics applies:

(1) The Person or Certified Person holds a 10 percent or greater ownership interest, whether direct or indirect, in the third party certification body. Indirect ownership interest is calculated by successive multiplication of the ownership percentages for each link in the ownership chain;

(2) The third party certification body and the Person or Certified Person are owned by a common ``parent'' entity;

(3) The Person or Certified Person has the ability to appoint a majority of the third party certification body's senior internal governing body (such as, but not limited to, a board of directors), the ability to appoint the presiding official (such as, but not limited to, the chair or president) of the third party certification body's senior internal governing body, and/or the ability to hire, dismiss, or set the compensation level for third party certification body personnel; or

(4) The third party certification body is under a contract to the Person or Certified Person that explicitly limits the services the third party certification body may perform for other customers and/or explicitly limits which or how many other entities may also be customers of the third party certification body.

In order for NTIS to accept an attestation as to, or audit of, a Person or Certified Person submitted to NTIS under the rule, the Accredited Certification Body must attest that it is independent of that Person or Certified Person. The Accredited Certification Body also must attest that it has read, understood, and agrees to the regulations as set forth in the rule. The Accredited Certification Body must also attest that it is accredited to ISO/IEC Standard 27006-2011 ``Information technology--Security techniques--Requirements for bodies providing audit and certification of information security management systems,'' or to another nationally or internationally recognized standard for bodies providing audit and certification of information security management systems. The Accredited Certification Body must also attest that the scope of its accreditation encompasses the safeguarding and security requirements as set forth in the rule. NTIS requests comments on these aspects of the proposed rule.

Where review or assessment or audit by an Accredited Certification Body was not conducted specifically or solely for the purpose of submission under this part, the rule requires that the written attestation or assessment report (if an audit) describe the nature of that review or assessment or audit, and that the Accredited Certification Body attest that on the basis of such review or assessment or audit, the Person or Certified Person has systems, facilities, and procedures in place to safeguard DMF information as required under Section 1110.102(a)(2) of this part. The rule provides that in so attesting, an Accredited Certification Body may reference ``Limited Access Death Master File (LADMF) Certification Program Publication 100,'' guidelines published by NTIS and available at https://dmf.ntis.gov.

While NTIS will normally accept written attestations and assessment reports from an Accredited Certification Body that attests, to the satisfaction of NTIS, as provided in Section 1110.502 of the rule, the rule also provides that NTIS may decline to accept written attestations or assessment reports from an Accredited Certification Body, whether or not it has attested as provided in Section 1110.502, for any of the following reasons:

(1) When it is in the public interest under Section 203 of the Bipartisan Budget Act of 2013, and notwithstanding any other provision of this part;

(2) Submission of false or misleading information concerning a material fact(s) in an Accredited Certification Body's attestation under Section 1110.502;

(3) Knowing submission of false or misleading information concerning a material fact(s) in an attestation or assessment report by an Accredited Certification Body of a Person or Certified Person;

(4) Failure of an Accredited Certification Body to cooperate in response to a request from NTIS to verify the accuracy, veracity, and/or completeness of information received in connection with an attestation under Section 1110.502 or an attestation or assessment report by that Body of a Person or Certified Person. An Accredited Certification Body ``fails to cooperate'' when it does not respond to NTIS inquiries or requests, or it responds in a manner that is unresponsive, evasive, deceptive, or substantially incomplete.

(5) Where NTIS is unable for any reason to verify the accuracy of the Accredited Certification Body's attestation.

In addition, with respect to audits under the proposed rule, NTIS may in its discretion decline to accept an attestation or assessment report conducted for other purposes, and may conduct or require that an Accredited Certification Body conduct a review solely for the purpose of the rule, and requests comments on this proposal.

Classification

Executive Order 12630

This rule does not effect a taking of private property or otherwise have taking implications under Executive Order 12630, Governmental Actions and Interference with Constitutionally Protected Property Rights.

Executive Order 12866

This proposed rule has been determined to be significant under Executive Order 12866.

Executive Order 12898

NTIS evaluated the environmental effects of this proposed rule in accordance with Executive Order 12898 and determined that there are no environmental justice issues associated with its provisions and no collective environmental impact resulting from its promulgation.

Executive Order 13132

A rule has implications for federalism under Executive Order 13132, Federalism, if it has a substantial direct effect on State or local governments and would either preempt State law or impose a substantial direct cost of compliance on States or localities. NTIS has analyzed this proposed rule under that Order and has determined that it does not have implications for federalism.

Initial Regulatory Flexibility Analysis (IRFA)

Pursuant to Section 603 of the Regulatory Flexibility Act, NTIS has prepared the following IRFA to analyze the potential impact that this proposed rule, if adopted, would have on small entities.

Description of the Reasons Why Action Is Being Considered

The policy reasons for issuing this proposed rule are discussed in the preamble of this document, and not repeated here.

Statement of the Objectives of, and Legal Basis for, the Proposed Rule; Identification of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule

The legal basis for this rule is Section 203 of the Bipartisan Budget Act of 2013, Pub. L. 113-67, codified at 42 USCA Sec. 1306c (the Act). The proposed rule is intended to implement the Act, which requires the Secretary of Commerce to create a program to certify that persons given access to information contained on the DMF with respect to any deceased individual at any time during the 3-calendar-year period following that individual's death satisfy the statutory requirements for accessing the Limited Access DMF. Accordingly, this rule creates a program for certifying persons eligible to access the Limited Access DMF. It requires that Certified Persons annually re-certify as eligible to access the Limited Access DMF, and that they agree to be subject to scheduled and unscheduled audits. The rule also sets out the penalties for violating the Act's disclosure provisions, establishes a process to appeal penalties or revocations of certification, and adopts a fee program for the certification program, audits, and appeals.

When the proposed rule becomes final, it will replace the Interim Final Rule NTIS put in place to establish a Temporary Certification Program, in order to avoid the complete loss of access to the Limited Access DMF when the Act became effective. No other rules duplicate, overlap, or conflict with this proposed rule.

Number and Description of Small Entities Regulated by the Proposed Action

The proposed rule will apply to all persons seeking to become certified to obtain the Limited Access DMF from NTIS. The entities affected by this rule could include banks and other financial institutions, pension plans, health research institutes or companies, state and local governments, information companies, and similar research services, and others not identified. NTIS therefore requests comments on the nature and types of affected entities.

Many of the impacted entities likely are considered ``large'' entities under the applicable Small Business Administration (SBA) size standards. While NTIS anticipates that this rule will have an impact on various small entities, NTIS is unable at this time to estimate the number of impacted entities that may be considered small entities. Because NTIS cannot estimate the type, number, or other details about the small entities potentially impacted by this rule, it cannot make an estimate about the level of impact this rule will have on those entities. Nor can it estimate whether the rule's impacts will disproportionately impact small entities as opposed to large ones.

Because NTIS lacks information about the types and sizes of entities impacted by this rule, it cannot determine the impacts. Accordingly, NTIS requests that the public provide it with information about the types of entities impacted by this rule, whether those are small or large entities under SBA's size standards, and the level of or a description of the type of impacts that this rule will have on those entities.

Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Proposed Rule

This proposed rule will require Persons seeking certification to access the Limited Access DMF to provide NTIS with information about the basis upon which they are seeking certification (i.e., legitimate fraud prevention or business purpose), using an updated version of the Limited Access Death Master File Subscriber Certification Form, Form NTIS FM161 (Certification Form), approved by the Office of Management and Budget (OMB) under Control Number 0692-0013. Specifically, the Certification Form will be updated to include collection of additional information that will improve NTIS's ability to determine whether a Person meets, to the satisfaction of NTIS, the requirements of Section 203 of the Act. This additional information will also facilitate NTIS's ability to carry out audits, and Certified Persons agree to be subject to periodic scheduled and unscheduled audits of their systems and operations to ensure compliance with the Act's data integrity standards. Therefore, the proposed rule requires Certified Persons to maintain their records for these audits. Additionally, to maintain their status as Certified Persons, applicants must re-certify with NTIS on an annual basis.

Description of Any Significant Alternatives to the Proposed Rule That Accomplish the Stated Objectives of Applicable Statutes and That Minimize Any Significant Economic Impact of the Proposed Rule on Small Entities

As required by 5 U.S.C. 603(c), NTIS considered significant alternatives to the proposed rule to minimize the impacts of the proposed rule on small entities. NTIS considered (1) a no-action alternative; (2) setting different auditing requirements for small entities; (3) relaxing the systems requirements for small entities; and (4) the preferred alternative of setting a fee schedule to enable NTIS to achieve full cost recovery, and requiring Certified Persons to maintain data in a manner similar to the requirements of section 6103(p)(4) of the IRC.

NTIS rejected the no-action alternative because the Act requires that any person seeking Limited Access DMF become certified to access such information according to a program established by the Secretary. The no-action alternative would establish no new program, and therefore is contrary to the Act.

Similarly, NTIS did not further consider alternatives 2 and 3, which would have created exceptions to the auditing requirements of the proposed rule and the systems requirements for becoming certified. Exempting small entities from the auditing or systems requirements would potentially risk allowing the Limited Access DMF to be released to non-certified persons or the public at large, and thus would counter the benefits to security and anti-fraud efforts the rule will create.

The fourth alternative complies with the Act, creates a program to certify persons eligible to access the Limited Access DMF, and safeguards that information from unauthorized disclosures. The audits required by the rule further strengthen the oversight NTIS has over the redistribution and use of the Limited Access DMF, and thereby help ensure the data's security. Because alternative 4 accomplishes the statutory goals set out in the Act, and would not create the potential for security or data integrity breaches, NTIS prefers it and has proposed a rule based on this alternative.

Paperwork Reduction Act

With this proposed rule, NTIS is requesting approval of a new information collection that will contain two forms. One form, the ``Limited Access Death Master File (LADMF) Systems Safeguards Attestation Form,'' is new. The new information collection will also revise the ``Limited Access Death Master File Subscriber Certification Form'' (Certification Form), which is currently approved under OMB Control No. 0692-0013. In the Certification Form NTIS has added a description of the type of information required for each fill-in box to ensure that the respondents' answers show that they meet the requirements of Section 203 of the Act. The revised Certification Form also collects the following information in addition to the information collected in the existing Certification Form:

URL (if applicable)--Collection of each respondent's URL is necessary for NTIS to perform due diligence. NTIS will use the information to ascertain that the organization seeking certification is a legitimate business performing the functions it claims to be performing.

NTIS Customer Number--Collection of each respondent's NTIS Customer Number will allow NTIS to readily identify existing customers, streamlining the certification process.

Dun and Bradstreet Number (if applicable)--Collection of each respondent's Dun and Bradstreet Number is necessary for NTIS to perform due diligence. NTIS will use the information to ascertain that the organization seeking certification is a legitimate business performing the functions it claims to be performing.

Authorized Contact Person--Collection of each respondent's authorized contact person will expedite the certification process by permitting NTIS to contact the identified contact person without first having to spend time identifying the correct person during the certification process.

Authorized Contact Person's Phone Number and Email Address (if different than that collected for the organization)--Collection of this information is necessary to allow NTIS to contact the person if questions arise during review of the Certification Form.

With these changes to the collection, and based also on its experience in administering the temporary certification program under the Interim Final Rule, NTIS expects the burden hours per respondent to increase from two hours to two and one-half hours, and will increase the cost per respondent in the form of a certification fee from $200 to $400. NTIS expects to receive approximately 550 Certification Forms, for a total burden of 2,200 hours and a total cost to the public of $220,000.

The ``Limited Access Death Master File (LADMF) Systems Safeguards Attestation Form'' would require accredited certification bodies to attest that a party seeking to be certified to access Limited Access DMF has systems, facilities, and procedures in place as required under Sec. 1110.102(a)(ii) of this part. NTIS expects the additional burden hours for filling out this form to range from 2 hours to 200 hours, at a cost ranging from $270-$27,000. NTIS bases this estimated range on an average senior auditor rate of $135/hour, and assumes that the time required to fill out the form may or may not also include time required for an Accredited Certification Body to conduct a complete assessment under the proposed rule. Where a prior assessment has been conducted, for example, where a broader assessment has been conducted for other purposes, NTIS has assumed that the cost of the DMF-specific aspects may be small or even negligible. Conversely, where no prior assessment has been conducted within a three-year period preceding a Person's application for certification under the proposed rule, NTIS has assumed that the cost of a complete assessment will be greater, and will depend as well on the nature of an applicant's systems and its use of Limited Access DMF. NTIS has submitted this form to OMB for review and addition to the collection approved at control number 0692-0013.

Comments are invited on: (a) Whether the proposed collection of information is necessary for the proper performance of the functions of NTIS/Commerce, including whether the information will have practical utility; (b) the accuracy of the estimate of the burden of the proposed information collection; (c) ways to enhance the quality, utility, and clarity of the information to be collected; and (d) ways to minimize the burden of the information collection on respondents, including the use of automated collection techniques or other forms of information technology. Comments regarding the collection of information associated with this rule, including suggestions for reducing the burden, should be sent to OMB Desk Officer, New Executive Office Building, Washington, DC 20503, Attention: Jasmeet Seehra, or by email to Jasmeet_K._Seehra@omb.eop.gov, or by fax to (202) 395-7285, and to NTIS as set forth under ADDRESSES, above.

Notwithstanding any other provision of law, no person is required to comply with, and neither shall any person be subject to penalty for failure to comply with, a collection of information subject to the requirements of the Paperwork Reduction Act, unless that collection of information displays a currently valid OMB Control Number.

List of Subjects in 15 CFR Part 1110

Certification program; Administrative appeal; Imposition of penalty; Fees.

Dated: December 19, 2014.

Bruce Borzino,

Director.

For reasons set forth in the preamble, the National Technical Information Service proposes to amend 15 CFR part 1110 as follows:

PART 1110--CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER FILE

  1. The authority for this part continues to read as follows:

    Authority: Pub. L. 113-67, Sec. 203.

  2. Amend Sec. 1110.2 by

    1. Adding, in alphabetical order, the definition, ``Accredited Certification Body,'' and

    2. Revising the definitions of ``Limited Access DMF'' and ``Person'' to read as follows:

      Sec. 1110.2 Definitions used in this part.

      * * * * *

      Accredited Certification Body. An independent third party conformity assessment body that is not owned, managed, or controlled by a Person or Certified Person which is the subject of attestation or audit, and that is accredited, by an accreditation body under nationally or internationally recognized criteria such as ISO/IEC 27006-2011, ``Information technology--Security techniques--Requirements for bodies providing audit and certification of information security management systems,'' to attest that a Person or Certified Person has systems, facilities and procedures in place to safeguard DMF information.

      * * * * *

      Limited Access DMF. The DMF product made available by NTIS which includes DMF with respect to any deceased individual at any time during the three-calendar-year period beginning on the date of the individual's death. As used in this part, Limited Access DMF does not include an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF. If a Certified Person obtains, or a third party subsequently provides to a Certified Person, death information (i.e., the name, social security account number, date of birth, or date of death) independently, the information is not considered part of the Limited Access DMF if the NTIS source information is replaced with the newly provided information.

      * * * * *

      Person. Includes corporations, companies, associations, firms, partnerships, societies, joint stock companies, and other private organizations, and state and local government departments and agencies, as well as individuals.

  3. Revise the section heading of Sec. 1110.100 to read as follows:

    Sec. 1110.100 Scope; term.

    * * * * *

  4. Revise Sec. 1110.101 to read as follows:

    Sec. 1110.101 Submission of certification; attestation.

    (a) In order to become certified under the certification program established under this part, a Person must submit a completed certification statement and any required documentation, using the form NTIS FM161 with OMB Control Number 0692-0013, and its accompanying instructions at https://dmf.ntis.gov, together with the required fee.

    (b) In addition to the requirements under paragraph (a) of this section, in order to become certified, a Person must submit a written attestation from an Accredited Certification Body that such Person has systems, facilities, and procedures in place as required under Sec. 1110.102(a)(2) of this part. Such attestation must be based on the Accredited Certification Body's review or assessment conducted no more than three years prior to the date of submission of the Person's completed certification statement, but such review or assessment need not have been conducted specifically or solely for the purpose of submission under this part.

  5. Amend Sec. 1110.102 by revising paragraphs (a)(3) and (a)(4)(iv) to read as follows:

    Sec. 1110.102 Certification.

    (a) * * *

    (3) Such Person agrees to satisfy such similar requirements; and

    (4) * * *

    (iv) Use any such deceased individual's DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty.

    * * * * *

  6. In subpart B of Part 1110, add Sec. Sec. 1110.103, 1110.104, and 1110.105 to read as follows:

    Sec. 1110.103 Disclosure to a certified person.

    Disclosure by a Person certified under this part of Limited Access DMF to another Person certified under this part shall be deemed to satisfy the disclosing Person's obligation to ensure compliance with Sec. 1110.102(a)(4)(i)-(iii).

    Sec. 1110.104 Revocation of certification.

    False certification as to any element of Sec. 1110.102(a) shall be grounds for revocation of certification, in addition to any other penalties at law. A Person properly certified who thereafter becomes aware that the Person no longer satisfies one or more elements of Sec. 1110.102(a) of this part shall immediately inform NTIS thereof in writing.

    Sec. 1110.105 Renewal of Certification.

    (a) A Certified Person may renew its certification status by submitting, on or before the date of expiration of the term of its certification, a completed certification statement in accordance with Sec. 1110.101, together with the required fee, indicating on the form NTIS FM161 that it is a renewal, and also indicating whether or not there has been any change in any basis previously relied upon for certification.

    (b) Except as may otherwise be required by NTIS, where a Certified Person seeking certification status renewal has, within a three-year period preceding submission under paragraph (a) of this section, previously submitted a written attestation under Sec. 1110.101(b), or has within such period been subject to a satisfactory audit under Sec. 1110.201, such Certified Person shall so indicate on the form NTIS FM161, and shall not be required to submit a written attestation under Sec. 1110.101(b).

    (c) A Certified Person who submits a certification statement, attestation (if required) and fee pursuant to Sec. 1110.105(a) shall continue in Certified Person status pending notification of renewal or non-renewal from NTIS.

    (d) A Person who is a Certified Person before EFFECTIVE DATE OF THIS RULE shall be considered a Certified Person under this part, and shall continue in Certified Person status until the date which is one year from the date of acceptance of such Person's certification by NTIS under the Temporary Certification Program, provided that if such expiration date falls on a weekend or a federal holiday, the term of certification shall be considered to extend to the next business day.

  7. Revise Sec. 1110.200 to read as follows:

    Sec. 1110.200 Imposition of penalty.

    (a) General. (1) Any Person certified under this part who receives DMF information, including information about any deceased individual at any time during the three-calendar-year period beginning on the date of the individual's death, and who during such three-calendar-year period:

    (i) Discloses such deceased individual's DMF information to any person other than a person who meets the requirements of Sec. 1110.102(a)(1) through (3);

    (ii) Discloses such deceased individual's DMF information to any person who uses the information for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty;

    (iii) Discloses such deceased individual's DMF information to any person who further discloses the information to any person other than a person who meets the requirements of Sec. 1110.102(a)(1) through (3); or

    (iv) Uses any such deceased individual's DMF information for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty; and

    (2) Any Person to whom such information is disclosed, whether or not such Person is certified under this part, who further discloses or uses such information as described in paragraphs (a)(1)(i) through (iv) of this section, shall pay to the General Fund of the United States Department of the Treasury a penalty of $1,000 for each such disclosure or use, and, if such Person is certified, shall be subject to having such Person's certification revoked.

    (b) Limitation on penalty. The total amount of the penalty imposed under this part on any Person for any calendar year shall not exceed $250,000, unless such Person's disclosure or use is determined to be willful or intentional. For the purposes of this part, a disclosure or use is willful when it is a ``voluntary, intentional violation of a known legal duty.''

    (c) Disclosure to a Certified Person. No penalty shall be imposed under paragraphs (a)(i) through (iii) of this section on a first Certified Person who discloses, to a second Certified Person, DMF information of any deceased individual at any time during the three-calendar-year period beginning on the date of the individual's death, where the sole basis for imposition of penalty on such first Certified Person is that such second Certified Person has been determined to be subject to penalty under this part.

  8. Revise Sec. 1110.201 to read as follows:

    Sec. 1110.201 Audits.

    Any Person certified under this part shall, as a condition of certification, agree to be subject to audit by NTIS, or, at the request of NTIS, by an Accredited Certification Body, to determine the compliance by such Person with the requirements of this part. NTIS may conduct, or request that an Accredited Certification Body conduct, periodic scheduled and unscheduled audits of the systems, facilities, and procedures of any Certified Person relating to such Certified Person's access to, and use and distribution of, the Limited Access DMF. NTIS may conduct, or request that an Accredited Certification Body conduct, field audits (during regular business hours) or desk audits of a Certified Person. Failure of a Certified Person to submit to or cooperate fully with NTIS, or with an Accredited Certification Body acting pursuant to this section, in its conduct of an audit, or to pay an audit fee to NTIS, will be grounds for revocation of certification.

  9. Redesignate subpart D to part 1110 as subpart E, add a new subpart D, and revise the newly redesignated subpart E to read as follows:

    Subpart D--Administrative Appeal

    Sec. 1110.300 Appeal.

    (a) General. Any Person adversely affected or aggrieved by reason of NTIS denying or revoking such Person's certification under this part, or imposing upon such Person under this part a penalty, may obtain review by filing, within 30 days (or such longer period as the Director of NTIS may, for good cause shown in writing, fix in any case) after receiving notice of such denial, revocation or imposition, an administrative appeal to the Director of NTIS.

    (b) Form of Appeal. An appeal shall be submitted in writing to Director, National Technical Information Service, 5301 Shawnee Road, Alexandria, VA 22312, ATTENTION DMF APPEAL, and shall include the following:

    (1) The name, street address, email address and telephone number of the Person seeking review;

    (2) A copy of the notice of denial or revocation of certification, or the imposition of penalty, from which appeal is taken;

    (3) A statement of arguments, together with any supporting facts or information, concerning the basis upon which the denial or revocation of certification, or the imposition of penalty, should be reversed;

    (4) A request for hearing of oral argument before the Director, if desired.

    (c) Power of Attorney. A Person may, but need not, retain an attorney to represent such Person in an appeal. A Person shall designate any such attorney by submitting to the Director of NTIS a written power of attorney.

    (d) Hearing. If requested in the appeal, a date will be set for hearing of oral argument before a representative of the Director of NTIS, by the Person or the Person's designated attorney, and a representative of NTIS familiar with the notice from which appeal has been taken. Unless it shall be otherwise ordered before the hearing begins, oral argument will be limited to thirty minutes for each side. A Person need not retain an attorney or request an oral hearing to secure full consideration of the facts and the Person's arguments.

    (e) Decision. After a hearing on the appeal, if a hearing was requested, the Director of NTIS shall issue a decision on the matter within 120 days, or, if no hearing was requested, within 90 days of receiving the appeal. The decision of the Director of NTIS shall be made after consideration of the arguments and statements of fact and information in the Person's appeal, and the hearing of oral argument if a hearing was requested, but the Director of NTIS at his or her discretion and with due respect for the rights and convenience of the Person and the agency, may call for further statements on specific questions of fact or may request additional evidence in the form of affidavits on specific facts in dispute. After the original decision is issued, an appellant shall have 30 days (or a date as may be set by the Director of NTIS before the original period expires) from the date of the decision to request a reconsideration of the matter. The Director's decision becomes final 30 days after being issued, if no request for reconsideration is filed, or on the date of final disposition of a decision on a petition for reconsideration.

    Subpart E--Fees

    Sec. 1110.400 Fees.

    Fees sufficient to cover (but not to exceed) all costs to NTIS associated with evaluating Certification Forms and auditing, inspecting, and monitoring certified persons under the certification program established under this part, as well as appeals, will be published (as periodically reevaluated and updated by NTIS) and available at https://dmf.ntis.gov. NTIS will not set fees for attestations or audits by an Accredited Certification Body.


  10. Add subpart F to read as follows:

    Subpart F--Accredited Certification Bodies

    Sec.

    1110.500 Accredited certification bodies.

    1110.501 Requirement for independence.

    1110.502 Attestation by accredited certification body.

    1110.503 Acceptance of accredited certification bodies.

    Sec. 1110.500 Accredited certification bodies.

    This subpart describes Accredited Certification Bodies and their accreditation for third party attestation and auditing of the information safeguarding requirement for certification of Persons under this part. NTIS will accept an attestation or audit of a Person or Certified Person from an Accredited Certification Body that is independent of that Person or Certified Person and that is itself accredited by a recognized accreditation body.

    Sec. 1110.501 Requirement for independence.

    (a) An Accredited Certification Body must be an independent third party certification body that is not owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Certification Body.

    (1) A Person or Certified Person is considered to own, manage, or control a third party certification body if any one of the following characteristics applies:

    (i) The Person or Certified Person holds a 10 percent or greater ownership interest, whether direct or indirect, in the third party certification body. Indirect ownership interest is calculated by successive multiplication of the ownership percentages for each link in the ownership chain;

    (ii) The third party certification body and the Person or Certified Person are owned by a common ``parent'' entity;

    (iii) The Person or Certified Person has the ability to appoint a majority of the third party certification body's senior internal governing body (such as, but not limited to, a board of directors), the ability to appoint the presiding official (such as, but not limited to, the chair or president) of the third party certification body's senior internal governing body, and/or the ability to hire, dismiss, or set the compensation level for third party certification body personnel; or

    (iv) The third party certification body is under a contract to the Person or Certified Person that explicitly limits the services the third party certification body may perform for other customers and/or explicitly limits which or how many other entities may also be customers of the third party certification body.

    Sec. 1110.502 Attestation by accredited certification body.

    (a) In any attestation or audit of a Person or Certified Person that will be submitted to NTIS under this part, an Accredited Certification Body must attest that it is independent of that Person or Certified Person. The Accredited Certification Body also must attest that it has read, understood, and agrees to the regulations in this part. The Accredited Certification Body must also attest that it is accredited to a nationally or internationally recognized standard such as the ISO/IEC Standard 27006-2011 ``Information technology--Security techniques--Requirements for bodies providing audit and certification of information security management systems,'' or any other similar recognized standard for bodies providing audit and certification of information security management systems. The Accredited Certification Body must also attest that the scope of its accreditation encompasses the safeguarding and security requirements as set forth in this part.

    (b) Where a Person seeks certification, or where a Certified Person seeks renewal of certification or is audited under this part, an Accredited Certification Body may provide written attestation that such Person or Certified Person has systems, facilities, and procedures in place as required under Sec. 1110.102(a)(2). In so attesting, an Accredited Certification Body may reference ``Limited Access Death Master File (LADMF) Certification Program Publication 100,'' guidelines published by NTIS and available at https://dmf.ntis.gov. Such attestation must be based on the Accredited Certification Body's review or assessment conducted no more than three years prior to the date of submission of the Person's or Certified Person's completed certification statement, and, if an audit of a Certified Person by an Accredited Certification Body is required by NTIS, no more than three years prior to the date upon which NTIS notifies the Certified Person of NTIS's requirement for audit, but such review or assessment or audit need not have been conducted specifically or solely for the purpose of submission under this part.

    (c) Where review or assessment or audit by an Accredited Certification Body was not conducted specifically or solely for the purpose of submission under this part, the written attestation or assessment report (if an audit) shall describe the nature of that review or assessment or audit, and the Accredited Certification Body shall attest that on the basis of such review or assessment or audit, the Person or Certified Person has systems, facilities, and procedures in place as required under Sec. 1110.102(a)(2). In so attesting, an Accredited Certification Body may reference ``Limited Access Death Master File (LADMF) Certification Program Publication 100,'' guidelines published by NTIS and available at https://dmf.ntis.gov.

    (d) Notwithstanding paragraphs (a) through (c) of this section, NTIS may, in its sole discretion, require that review or assessment or audit by an Accredited Certification Body be conducted specifically or solely for the purpose of submission under this part.

    Sec. 1110.503 Acceptance of accredited certification bodies.

    (a) NTIS will accept written attestations and assessment reports from an Accredited Certification Body that attests, to the satisfaction of NTIS, as provided in Sec. 1110.502.

    (b) NTIS may decline to accept written attestations or assessment reports from an Accredited Certification Body, whether or not it has attested as provided in Sec. 1110.502, for any of the following reasons:

    (1) When it is in the public interest under Section 203 of the Bipartisan Budget Act of 2013, and notwithstanding any other provision of this part;

    (2) Submission of false or misleading information concerning a material fact(s) in an Accredited Certification Body's attestation under Sec. 1110.502;

    (3) Knowing submission of false or misleading information concerning a material fact(s) in an attestation or assessment report by an Accredited Certification Body of a Person or Certified Person;

    (4) Failure of an Accredited Certification Body to cooperate in response to a request from NTIS to verify the accuracy, veracity, and/or completeness of information received in connection with an attestation under Sec. 1110.502 or an attestation or assessment report by that Body of a Person or Certified Person. An Accredited Certification Body ``fails to cooperate'' when it does not respond to NTIS inquiries or requests, or it responds in a manner that is unresponsive, evasive, deceptive, or substantially incomplete; or

    (5) Where NTIS is unable for any reason to verify the accuracy of the Accredited Certification Body's attestation.

    FR Doc. 2014-30199 Filed 12-29-14; 8:45 am

    BILLING CODE 3510-04-P
