Certification Program for Access to the Death Master File
Federal Register, Volume 81 Issue 105 (Wednesday, June 1, 2016)
Federal Register Volume 81, Number 105 (Wednesday, June 1, 2016)
Rules and Regulations
Pages 34882-34895
From the Federal Register Online via the Government Publishing Office www.gpo.gov
FR Doc No: 2016-12479
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
National Technical Information Service
15 CFR Part 1110
Docket Number: 160511004-4999-04
RIN 0692-AA21
Certification Program for Access to the Death Master File
AGENCY: National Technical Information Service, U.S. Department of Commerce.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The National Technical Information Service (NTIS) issues this final rule establishing a program through which persons may become eligible to obtain access to Death Master File (DMF) information about an individual within three years of that individual's death. This final rule supersedes and replaces the interim final rule that NTIS promulgated following passage of Section 203 of the Bipartisan Budget Act of 2013 to provide immediate and ongoing access to persons who qualified for temporary certification. The program established under this final rule contains some changes from the proposed rule published by NTIS.
DATES: This final rule is effective November 28, 2016.
FOR FURTHER INFORMATION CONTACT: Brian Lieberman, Senior Counsel for NTIS, at blieberman@ntis.gov, or by telephone at 703-605-6404. Information about the DMF made available to the public by NTIS may be found at https://dmf.ntis.gov.
SUPPLEMENTARY INFORMATION:
Background
This final rule is promulgated under Section 203 of the Bipartisan Budget Act of 2013, Public Law 113-67 (Act), passed into law on December 26, 2013. The Act prohibits the Secretary of Commerce (Secretary) from disclosing DMF information during the three-calendar-
year period following an individual's death (referred to as the ``Limited Access DMF,'' or ``LADMF''), unless the person requesting the information has been certified to access that information pursuant to certain criteria in a program that the Secretary establishes. The Act further requires the Secretary to establish a fee-based program to certify Persons for access to LADMF. In addition, it provides for penalties for Persons who receive or distribute LADMF without being certified or otherwise satisfying the requirements of the Act. The Secretary has delegated the authority to carry out Section 203 to the Director of NTIS.
The Act mandated that no person could receive LADMF without certification after March 26, 2014 (i.e., 90 days from enactment of the Act). NTIS acted promptly to ensure that a suitable certification program was in place by that date, and to avoid interruption of access by legitimate users of the data. On March 3, 2014, NTIS published a Request for Information (RFI) and Advance Notice of Public Meeting on the Certification Program for Access to the Death Master File (79 FR 11735). NTIS held the public meeting, with webcast, on March 4, 2014. Written comments received in response to the RFI, and a transcription of oral comments submitted at the public meeting, may be viewed at https://dmf.nist.gov.
On March 26, 2014, NTIS published an interim final rule, ``Temporary Certification Program for Access to the Death Master File'' (interim final rule) (79 FR 16668). That rule codified an interim approach to implementing the Act's provisions pertaining to the certification program and the penalties for violating the Act, and set out an interim fee schedule for the program. NTIS published the interim final rule in order to provide a mechanism for Persons to access LADMF immediately on the effective date prescribed in the Act. Written comments received in response to the Interim Final Rule may be viewed at http://www.regulations.gov.
The preambles for both the RFI and the interim final rule set out the specific provisions of the Act, and also noted that several Members of Congress described their understanding of the purpose and meaning of Section 203 during Congressional debate on the Joint Resolution which became the Act. Citations to those Member statements were provided in the RFI, which also provided background on the component of the DMF, which originates from the Social Security Administration, covered by Section 203. The interim final rule was established to provide immediate access to the LADMF to those users who demonstrated a legitimate fraud prevention interest, or a legitimate business purpose for the information, and to otherwise delay the release of the LADMF to all other users, thereby reducing opportunities for identity theft and restricting information sources used to file fraudulent tax returns.
In addition, in December, 2014, NTIS issued an initial public draft of ``Limited Access Death Master File (Limited Access DMF) Certification Program Publication 100,'' (Publication 100), available at https://dmf.ntis.gov. Publication 100 is the NTIS security guideline document for persons certified under this final rule. Publication 100 sets forth suggested security controls, standards and protocols for the protection of LADMF in the possession of Certified Persons.
On December 30, 2014, NTIS published the proposed rule (79 FR 78314). The proposed rule introduced changes, clarifications and additions to the interim final rule, based in part upon comments received. For example, the proposed rule introduced a ``safe harbor'' provision, Sec. 1110.103, which would exempt a Certified Person from penalty for disclosure of LADMF to another Certified Person. The proposed rule set forth a provision for review, assessment, audit and attestation of a Person's information and information security controls by independent, third party conformity assessment bodies. Section 1110.201 of the proposed rule would permit Certified Persons to provide the attestation of an ``Accredited Certification Body'' (as defined in Sec. 1110.2) concerning the
Page 34883
adequacy of the Certified Person's ``systems, facilities and procedures in place to safeguard DMF information.''
NTIS requested that all written comments on the proposed rule be submitted to Regulations.gov by January 31, 2015. The agency, however, received requests to extend the public comment period. In response, on January 28, 2015, NTIS published a notice extending the comment period until March 30, 2015 (80 FR 4519). Written comments received in response to the proposed rule may be viewed at http://www.regulations.gov.
Comments in Response to the Proposed Rule
In response to the proposed rule, NTIS received 62 written comments. The commenters included one foreign government, twenty industry and trade associations, five service providers, three financial services companies, two insurance companies, four health care and medical research organizations and five service providers. The remainder of the commenters were primarily individuals, including a number identifying themselves as genealogists.
In preparing this final rule, NTIS has carefully considered all comments received in response to the proposed rule. Many commenters requested that NTIS provide unrestricted access to LADMF. However, NTIS cannot revise the rule to accommodate such comments, since access to and use of LADMF is governed by the statutory provisions set forth in Section 203 of the Act. A number of commenters requested changes to the composition of the DMF itself; however, the composition of the DMF is explicitly defined in Section 203(d) of the Act as consisting of ``the name, social security account number, date of birth and date of death of deceased individuals maintained by the Commissioner of Social Security.'' NTIS, therefore, has no discretion to alter the composition of the DMF. Some commenters suggested that NTIS should enhance search capabilities available to DMF subscribers. NTIS has no present plans to alter database search capabilities, but may consider doing so in the future. However, NTIS's database search capabilities are not an element of this final rule. NTIS also received multiple comments to the effect that the proposed subscription cost of the LADMF should be reduced; however, Section 203(b)(3) mandates the charge of fees sufficient to cover costs associated with the certification program. The certification fee that NTIS charges covers the costs of receiving and processing applications, including authenticating the statements made in the application, and ensuring access to the Limited Access DMF.
A number of comments were received asserting that some Certified Persons need to provide LADMF date of death information in the ordinary course of their business, for example, to retirement plans and others who have a legal obligation to provide death benefits payments to beneficiaries or for other legitimate purposes, and some suggested that the rule should specifically provide for the disclosure of date of death information alone as an exception to requirement for certification. However, as noted above, ``date of death'' is one of the four elements (the others being name, social security number, and date of birth) expressly set forth in the statutory definition of the term ``Death Master File'' under the Act, and NTIS is without discretion to categorically exclude it through rulemaking. NTIS notes that it received no comments suggesting that retirement plans and others having a legal obligation to provide death benefits would be unable to demonstrate one or more of a legitimate fraud prevention interest, business purpose, or fiduciary duty, to qualify for certification or, if not certified, that they would be unable to demonstrate, first, that they meet the requirements for LADMF access (i.e., the legitimate fraud prevention or business purpose and security requirements of Sec. 1110.102(a)(1), (2), and (3)), and, second, that they would not misuse or further disclose LADMF to a person who would either wrongfully use LADMF or could not comply with the security requirements set forth in Sec. 1110.200(a)(1)(ii) or (iii) respectively. NTIS points out that ``fact of death,'' i.e., the fact that a person is no longer living, confirmation of which was identified by some commenters as important for legitimate business purposes, is not an element of the statutory definition of the term ``Death Master File,'' and will not be considered by NTIS to be equivalent to ``date of death'' under the final rule.
NTIS also notes that the proposed rule would revise the definition of ``Limited Access DMF'' to provide that an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF, would not be considered ``DMF information.'' That revision is retained in the final rule, and has been further clarified in response to comments. Specifically, NTIS has replaced the term ``Certified Person'' in the last sentence of the LADMF definition with ``Person'' to make clear that any Person, whether or not certified, who obtains an individual element of information independently is not considered to possess ``Limited Access DMF.''
Comments were received suggesting that, for clarity and simplicity, the final rule should refer to the defined term ``Limited Access DMF'' to the extent possible. NTIS has incorporated these comments into the final rule, including Sec. Sec. 1110.102(a)(4) and 1110.200(a)(1).
NTIS received comments supporting the provision of the proposed rule that would amend Sec. 1110.102(a)(2) and (3) to clarify that, to be certified to obtain access to the Limited Access DMF, a Person must certify both that the Person has systems, facilities, and procedures in place to safeguard the accessed information, and experience in maintaining the confidentiality, security, and appropriate use of accessed information, pursuant to requirements similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986, and that the Person ``agrees to satisfy such similar requirements.''
This standard differs from the requirement of Section 203 of the Act, because that Section contains contradictory statements about the types of systems to safeguard information that a Certified Person must have in place. In Section 203(b)(2)(B), the Act states that in order to receive Limited Access DMF, a Person must agree to comply with requirements ``similar to'' Section 6103(p)(4) of the Internal Revenue Code (IRC). Section 6103(p)(4) of the IRC is directed to Federal government agencies, and as such the ``similar to'' statement makes sense for non-government actors which are the subject of the Act. However, Section 203(b)(2)(C) requires a Certified Person to also ``satisfy the requirements of such section 6103(p)(4) as if such section applied to such person.'' It is unclear how or why a Certified Person could or should satisfy safeguarding requirements ``similar to'' section 6103(p)(4) of the IRC, while also satisfying section 6103(p)(4) of the IRC. In addition, commenters pointed out that some of the provisions of section 6103(p)(4) could not reasonably be imposed on non-government actors, because, for example, in contrast to Federal Tax Information, Limited Access DMF under Section 203 is not subject to restriction when beyond the three-calendar-year period following the date of death.
To resolve this ambiguity and address these comments, NTIS interprets
Page 34884
Section 203(b) of the Act as requiring Persons to certify that they have systems, facilities, and procedures in place that are ``reasonably similar to'' those required by section 6103(p)(4) of the IRC in order to become Certified Persons. This interpretation allows NTIS to meet the interest of protecting personal data generally and deterring fraud, while also allowing NTIS to set the data integrity standards appropriate to safeguard Limited Access DMF specifically. The final rule amends Sec. 1110.102(a)(2) and (3) accordingly.
A number of commenters suggested that the final rule should expressly classify certain categories of activities or enterprises, such as health care research and insurance investigation, as ``a legitimate fraud prevention interest'' or ``a legitimate business purpose.'' Other commenters suggested that the final rule should specifically provide that when an applicant or Certified Person is subject to other laws governing the use of personal information, the applicant or Certified Person should for that reason be deemed to have a ``legitimate fraud prevention interest'' or ``legitimate business purpose.'' It was urged that codification of such categories would further the purpose of the Act and benefit businesses and other entities reliant upon the LADMF by eliminating the threat of interrupted access. NTIS has carefully considered these suggestions, and observes that each Person applying for certification must certify to NTIS that such Person satisfies each of three requirements specified under Section 203(b)(2) of the Act, and that NTIS will evaluate each application individually to ensure that an individual applicant is properly certified. NTIS does acknowledge that it received numerous comments to the effect that awardees of federal research grants and others conducting extramural and intramural research under federal programs should be eligible for certification, provided that they otherwise satisfy the requirements of the final rule. NTIS notes that, while it appreciates the commenters' position, such Persons must, like any applicants, demonstrate that they satisfy the requirements for LADMF access.
A commenter observed that use of the term ``Accredited Certification Body'' in the proposed rule could create confusion, particularly since the concept of ``certification'' appears and is used separately in the rule. Accordingly, the final rule uses the term ``Accredited Conformity Assessment Body'' rather than ``Accredited Certification Body,'' and NTIS uses the former term in the preamble as well.
A number of commenters urged that particular activities and enterprises, such as direct marketing and life insurance companies, should not be subject to DMF-related audits or required to obtain a written third party attestation, where such activities and enterprises are independently subject to regulatory scrutiny and must comply with the privacy security requirements of other laws, such as the Gramm-
Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). While NTIS will decline to exclude Persons from the requirement for attestation as part of the certification process under the final rule, and will decline to exclude Certified Persons from being subject to audit, NTIS emphasizes that it is NTIS's intent under this final rule that applicants and Certified Persons should not incur the burden or expense of a DMF-specific audit when they have already had, or will have, an appropriate independent assessment or audit performed for other purposes, including but not limited to those noted above. To this end, Sec. 1110.503(c) of the final rule explicitly contemplates reliance upon a review or assessment or audit by an Accredited Conformity Assessment Body that was not conducted specifically or solely for the purpose of submission to NTIS. NTIS intends that when a review, assessment or audit has been or can be performed in the course of satisfying other Federal, state, tribal, or local government laws or regulations, such as those mentioned by commenters, or other regulatory or fiduciary requirements flowing from such laws or regulations, a Person or Certified Person will be able to rely upon that review, assessment or audit, to the extent that the requirements of the final rule are satisfied. In these circumstances, NTIS intends that it will accept an Accredited Conformity Assessment Body's attestation regarding a non-DMF audit, which attestation includes an explanation of the nature of that non-DMF audit and represents that, based on its review, the Accredited Conformity Assessment Body is satisfied that the LADMF security and safeguard requirements are met.
NTIS will not at this time accept the suggestion of some commenters to permit ``self-assessments'' or ``a self-certified written attestation'' in lieu of a written attestation from an independent Accredited Conformity Assessment Body. With respect to state and local government departments and agencies, which are included within the definition of Persons in the final rule, NTIS notes some commenters' concerns that the proposed rule could burden such departments and agencies given state-established information security and safeguarding procedures, and agrees with the recommendation of a commenter that it should accept written attestation from an independent state or local government Inspector General or Auditor General office.
Accordingly, provided that a state or local government Inspector General or Auditor General satisfies the requirements of the final rule for Accredited Conformity Assessment Bodies, new Sec. 1110.501(a)(2) of the final rule provides that a state or local government office of Inspector General or Auditor General and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common ``parent'' entity under Sec. 1110.501(a)(1)(ii) for the purpose of determining independence, and attestation by the Inspector General or Auditor General will be possible.
With respect to comments urging that provision should be made for self-assessments and attestations by organizations having the capacity to perform assessments and audits, NTIS recognizes that some organizations have such capacity, and are able in exercising it to address safeguarding and security requirements under other laws and regulations. Accordingly, new Sec. 1110.502 of the final rule provides that, in addition to ``independent'' Accredited Conformity Assessment Bodies, a Person or Certified Person may engage a ``firewalled'' Accredited Conformity Assessment Body, as defined in the final rule and with the approval of NTIS, under conditions, as defined in the rule, which ensure that concerns about independence and actual or apparent conflicts of interest or undue influence are satisfactorily addressed.
Under new Sec. 1110.502(a), a third party conformity assessment body must apply to NTIS for firewalled status if it is owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, applying the characteristics set forth under Sec. 1110.501(a)(1) for independence. Under new Sec. 1110.502(b), NTIS will accept an application for firewalled status when it finds that: (1) Acceptance of the third party conformity assessment body for firewalled status would provide equal or greater assurance that the Person or Certified Person has information
Page 34885
security systems, facilities, and procedures in place to protect the security of the Limited Access DMF than would the Person's or Certified Person's use of an independent third party third party conformity assessment body; and (2) the third party conformity assessment body has established procedures to ensure that: (1) Its attestations and audits are protected from undue influence by the Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, or by any other interested party; (2) NTIS is notified promptly of any attempt by the Person or Certified Person that is the subject of attestation or audit by the third party conformity assessment body, or by any other interested party, to hide or exert undue influence over an attestation, assessment or audit; and (3) allegations of undue influence may be reported confidentially to NTIS. To the extent permitted by Federal law, NTIS will undertake to protect the confidentiality of witnesses reporting allegations of undue influence. Under new Sec. 1110.502(c), NTIS will review each application and may contact the third party conformity assessment body with questions or to request submission of missing information, and will communicate its decision on each application in writing to the applicant.
Some commenters expressed concern that in attesting to its credentials under Sec. 1110.503(a), an Accredited Conformity Assessment Body must indicate that it is accredited to a nationally or internationally recognized standard such as the ISO/IEC Standard 27006-
2011 or any other similar recognized standard for bodies providing audit and certification for information security management systems, pointing to other potentially applicable standards, such as the American Institute of Public Accountants (AICPA) Service Organization Control Report (SOC) Type 2 Audit Report. NTIS wishes to emphasize that it is not NTIS's intent, in reciting ISO/IEC 27006-2011, to exclude from consideration AICPA SOC2 or other appropriate accreditation standards. The regulation identifies the ISO/IEC standard as one example of an acceptable national or international accreditation standard. NTIS selected the ISO/IEC standard, as noted in the original discussion of the proposed rule, to serve ``as a baseline for accreditation,'' because it was prepared by the International Organization for Standardization (ISO) Committee on conformity assessment (79 FR at 78316). Moreover, NTIS emphasized that it is ``is aware that standards other than ISO/IEC 27006-2001 exist that may be equally appropriate for the purposes of accreditation under the Act, and that additional standards may be developed in the future . . . an Accredited Conformity Assessment Body may attest, subject to the conditions of verification in final rule Section 1110.503, that it is accredited to a nationally or internationally recognized standard for management systems other than ISO/IEC Standard 27006-2011.'' NTIS further observes that the burden rests with the Person or Certified Person to identify and submit an attestation by an Accredited Conformity Assessment Body certified or credentialed by an appropriate accrediting body. Accordingly, NTIS concludes that Sec. 1110.503(a) provides appropriate guidance as to the accreditation standard for Accredited Conformity Assessment Bodies.
A few commenters suggested that NTIS should directly accredit Accredited Conformity Assessment Bodies to conduct assessments and audits or provide a list of acceptable accreditations for Accredited Conformity Assessment Bodies. NTIS does not intend to do so. Recognized professional accreditation organizations with well-established, rigorous accreditation processes already exist in the private sector. Such organizations have either adopted or established nationally and internationally accepted standards for entities which may serve as Accredited Conformity Assessment Bodies under the final rule. In considering how to establish a permanent certification program as required under Section 203, NTIS carefully considered developing, within the agency, the capacity to evaluate the information systems, facilities and procedures of Persons to safeguard Limited Access DMF, as well as to conduct audits of Certified Persons and to itself accredit conformity assessment bodies. NTIS has consulted with the National Institute of Standards and Technology (NIST), which has expertise in testing, standard setting, certification and conformity assessment. Based on NIST recommendations, NTIS believes it appropriate for private sector, third party, Accredited Conformity Assessment Bodies to attest to a Person's information security safeguards under Sec. 1110.102(a)(2) of the rule, for NTIS to rely upon such attestation in certifying a Person under the final rule, and for NTIS to rely as well upon third party, private sector accreditation of Accredited Conformity Assessment Bodies, while reserving to itself the ability to perform assessments and audits itself, in its discretion.
A number of commenters expressed concerns regarding the identification, in Sec. 1110.502(b) of the proposed rule, of the ``Limited Access Death Master File Publication 100'' (Publication 100) as a source of guidance to which an Accredited Conformity Assessment Body could refer in its attestation as to the adequacy of an applicant's or Certified Person's safeguards for Limited Access DMF. These commenters stated that, even though Publication 100 is intended to set forth recommended guidelines, procedures and best practices, reference to that publication in the proposed rule implied a limitation to those safeguarding approaches set forth in Publication 100. These commenters offered other sources of security requirements for personal information they thought were pertinent and should be expressly included in the rule, such as the security standards for the GLBA.
NTIS notes, however, that the language of the rule makes clear that Publication 100 merely offers an example of security controls and protocols that an applicant or Certified Person may use, and is not intended to be prescriptive (79 FR at 78316). Moreover, NTIS recognizes that ``a number of different approaches exist to safeguarding information.'' Id. In the December 2014 Draft Version of Publication 100, NTIS stated:
``These information security guidelines are derived from NIST SP800-53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Only NIST SP 800-53 controls believed to be essential to the protection of Limited Access DMF information are included in this publication as a baseline. Applicability was determined by selecting controls relevant to protecting the confidentiality of Limited Access DMF information. The NIST controls discussed here are intended by NTIS to be illustrative, not exclusive. Other controls that can be assessed and used as guidelines include the NIST Framework for Improving Critical Infrastructure Cybersecurity v1.0. The Framework Core provides a common set of activities for managing risks, and associated controls. The references provided in the Framework Core represent a diverse set of information security guidelines including: International Organization for Standardization ISO 27001; International Society for Automation ISA/IEC 62443; Control Objectives for Information and Related Technology COBIT; Council on Cybersecurity Critical Security Controls CCS CSC2; and NIST 800-53 rev. 4. Again, these references are illustrative.''
Nevertheless, in response to commenters' concerns, NTIS has removed reference to Publication 100 from Sec. 1110.503(b) of the final rule.
Page 34886
Given the continuously evolving nature of information technology security and safeguard guidelines, procedures and best practices, NTIS intends that Publication 100 will be a living document. NTIS has invited comments on Publication 100 from the public on an ongoing basis, and contemplates interactive public dialog regarding its contents.
The proposed rule introduced a ``safe harbor'' provision in Sec. 1110.200(c) that would exempt from penalty a first Certified Person who discloses LADMF to a second Certified Person, where the first Certified Person's liability rests solely on the fact that the second Certified Person has been determined to be subject to penalty. The provision was specifically drafted to apply to each disclosure and to limit the presumption of compliance to the first Certified Person, while the second Certified Person (i.e., the recipient of the LADMF) remained subject to penalty for violations of the Act (79 FR at 78317.) NTIS invited comments as to whether the ``safe harbor'' provision should be extended to circumstances where the recipient is believed to be certified but, in fact, is not. NTIS did not receive comment on this point. A Certified Person desiring to rely upon the ``safe harbor'' provision as set forth in this final rule will bear responsibility for ensuring that a recipient of LADMF is, in fact, a Certified Person at the time of disclosure. NTIS notes that it maintains and publishes a list of Certified Persons, available at https://dmf.ntis.gov.
NTIS received many comments suggesting that it should promulgate a broader ``safe harbor'' for a Certified Person who discloses LADMF to Persons whom the Certified Person knows are not certified (``uncertified Persons''). Many commenters urged that, unless the final rule made further allowance for Certified Persons to share LADMF with uncertified Persons, the commenters' businesses would suffer and their clients or other users would be deprived of data they need for critical purposes including fraud prevention, record-keeping and meeting legal and regulatory obligations. Many of these commenters also urged the extension of the ``safe harbor'' to Certified and uncertified Persons under certain circumstances, such as where an uncertified Person attests in writing that it meets the requirements for certification and to disclose the LADMF only to other uncertified Persons who could also meet the requirements, or where private contractual obligations were incurred. Some commenters contended that it would be unreasonable and unrealistic for NTIS to require their clients or other users to become certified and thus be subject to the rule's security and auditing requirements.
NTIS will not extend the ``safe harbor'' provision of Sec. 1110.102(c) in this manner. However, NTIS emphasizes that Certified Person status has not been and is not required in order for a Certified Person to disclose LADMF to another Person. A Certified Person may, without penalty under Sec. 1110.200 (but without ``safe harbor'' protection), disclose LADMF to another Person who, although not certified, meets the requirements of Sec. 1110.102(a)(1) through (3), and who does not misuse or further disclose the LADMF in violation of Sec. 1110.200(a)(1)(ii) or (iii). Indeed, many of the comments described above reflect the types of procedures that Certified Persons have successfully adopted under the Temporary Certification Program, and might be expected to adopt successfully in disclosing LADMF to uncertified Persons under the final rule. However, under such circumstances not involving a certified recipient, NTIS will not apply a ``safe harbor'' such as is applied under the final rule to a Certified Person who discloses Limited Access DMF to another who is also a Certified Person.
A few commenters were critical of the appeals process set forth in Sec. 1110.300. One commenter opined that entities facing potential liability through ``unscheduled audits'' and ``substantial financial penalties'' needed ``well-developed procedural rights'' such as the right of appeal to an administrative law judge and federal court. NTIS has carefully considered these comments, but concludes that the process and procedures set forth in Sec. 1110.300 are legally sufficient. NTIS has provided an appropriate administrative and appeal process in Sec. 1110.300. Pursuant to the Administrative Procedure Act (Pub. L. 79-404, 60 Stat. 237), any Person or Certified Person can seek review of any adverse action or decision by the Director of NTIS in federal district court.
A comment was received suggesting that the exclusion of Executive departments or agencies of the United States Government from the definition of ``Persons,'' noted initially under the interim final rule and continued in the proposed rule, should be extended as well to the governments of foreign countries. NTIS has carefully considered this comment, but will not adopt such a categorical exclusion. NTIS will continue to consider applications by foreign governments on a case-by-
case basis, in accordance with general principles of comity and consistent with the purposes of Section 203 and the requirements of the final rule.
The Final Rule
This final rule amends subparts A, B, C, D, and adds a new subpart E to the DMF Certification Program in part 1110 of title 15 of the Code of Federal Regulations. The following describes specific provisions being amended.
Under Sec. 1110.2, ``Definitions,'' NTIS is revising the definition of ``Person'' to recite ``state and local government departments and agencies,'' so that ``Person'' will be defined as including corporations, companies, associations, firms, partnerships, societies, joint stock companies, and other private organizations, and state and local government departments and agencies, as well as individuals. However, Executive departments or agencies of the United States Government will not be considered ``Persons'' for the purposes of this rule. Accordingly, Executive departments or agencies will not have to complete the Certification Form as set forth in the rule, and will be able to access Limited Access DMF under a subscription or license agreement with NTIS, describing the purpose(s) for which Limited Access DMF is collected, used, maintained and shared. Those working on behalf of and authorized by Executive departments or agencies may access the Limited Access DMF from their sponsoring Executive department or agency, which will be responsible for ensuring that such access is solely for the authorized purposes described by the agency. Unauthorized secondary use of Limited Access DMF by Executive departments or agencies or those working for them or on their behalf is prohibited. If an Executive department or agency wishes those working on its behalf to access the Limited Access DMF directly from NTIS, then those working on behalf of that Executive department or agency will be required to complete and submit the Certification Form as set forth in the rule and enter into a subscription agreement with NTIS in order to directly access the Limited Access DMF. Under this final rule, a Certified Person will be eligible to access the Limited Access DMF made available by NTIS through subscription or license.
The final rule adds a requirement that, in order to become certified, a Person must submit a written attestation from an Accredited Conformity Assessment Body, as defined in the final rule, that such Person has information security systems, facilities, and procedures in place to protect the
Page 34887
security of the Limited Access DMF, as required under Sec. 1110.102(a)(2) of the rule. NTIS has consulted with NIST, which has expertise in testing, standard-setting, and certification of various systems. Based on NIST recommendations, the final rule provides for private sector, third party, Accredited Conformity Assessment Bodies to attest to a Person's information security safeguards under Sec. 1110.102(a)(2) of the rule, and NTIS will rely upon such attestation in certifying a Person under the final rule. The final rule also provides for Accredited Conformity Assessment Bodies to conduct periodic scheduled and unscheduled audits of Certified Persons on behalf of NTIS.
Under the final rule, an ``Accredited Conformity Assessment Body'' is defined as an independent third party conformity assessment body that is not owned, managed, or controlled by a Person or Certified Person which is the subject of attestation or audit, and that is accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, ISO and the International Electrotechnical Commission (IEC) publication ISO/IEC 27006-2011, ``Information technology--Security techniques--Requirements for bodies providing audit and certification of information security management systems,'' to attest that a Person or Certified Person has information technology systems, facilities and procedures in place to safeguard Limited Access DMF. Based on NIST recommendations, NTIS believes it is appropriate to reference the ISO/IEC 27006-2001 as an exemplary baseline for accreditation under the final certification program. The ISO Committee on conformity assessment (CASCO) prepared ISO/IEC 27006-2001, and reference to the ISO/IEC standard will help ensure that attestations and audits under the final certification program operate in a manner consistent with national and international practices. Accreditation is a third-party attestation that a conformity assessment body operates in accordance with national and international standards. Accreditation is used nationally and internationally in many sectors where there is a need, through certification, for safety, health or security requirements to be met by products or services. Accreditation ensures that a conformity assessment body is technically competent in the subject matter (in this case, the information safeguarding and security requirements as set forth in the rule) and has a management system in place to ensure competency and acceptable certification program operations on a continuing basis. Accreditation requires that Accredited Conformity Assessment Bodies be re-accredited on a periodic basis.
However, NTIS also acknowledges that standards other than ISO/IEC 27006-2001 exist that are equally appropriate for the purposes of accreditation under the Act, and that additional appropriate standards may be developed in the future. The final rule provides that an Accredited Conformity Assessment Body may attest, subject to the conditions of verification in Sec. 1110.503 of the final rule, that it is accredited to a nationally or internationally recognized standard for bodies providing audit and certification of information security management systems other than ISO/IEC Standard 27006-2011. In addition, the rule provides that an Accredited Conformity Assessment Body must also attest that the scope of its accreditation encompasses the information safeguarding and security requirements as set forth in the rule.
NTIS is aware that security and safeguarding of information and information systems is of great concern in many fields of endeavor other than with respect to Limited Access DMF. NTIS has consulted with subject matter experts from NIST, which in 2014 published the ``Framework for Improving Critical Infrastructure Cybersecurity'' \1\ (Framework), in response to President Obama's Executive Order 13636, ``Improving Critical Infrastructure Cybersecurity,'' which established that ``it is the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.'' In articulating this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework--a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created by NIST through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risks in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The Framework enables organizations--regardless of size, degree of cybersecurity risk, or cybersecurity sophistication--to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today's multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Accordingly, in addressing the requirements of Section 203 for ``systems, facilities, and procedures'' to safeguard Limited Access DMF, NTIS contemplates that Persons, as well as Accredited Conformity Assessment Bodies, may look to the Framework and to the Framework's Informative References. The Framework is referenced by NTIS in Publication 100. As set forth in Publication 100, as well as in the Framework's Informative References, a number of different approaches exist to safeguarding information. These include ISO/IEC, Control Objectives for Information and Related Technology (COBIT), International Society of Automation (ISA), and NIST's 800 series publications. Others include the Service Organization Controls (SOC) of the American Institute of CPAs (AICPA).
---------------------------------------------------------------------------
\1\ This document can be found at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
---------------------------------------------------------------------------
NTIS is aware that security and safeguarding assessments such as those contemplated under this final rule are routinely carried out in the private sector, including by entities which may satisfy the requirements for Accredited Conformity Assessment Bodies under the rule. Provided that such a routine assessment or audit of a Person would permit an Accredited Conformity Assessment Body to attest that such Person has systems, facilities, and procedures in place to safeguard Limited Access DMF as required under Sec. 1110.102(a)(2) of the final rule, albeit carried out for a purpose other than certification under the rule, NTIS will accept an attestation in support of a Person's certification with respect to the requirements under Sec. 1110.102(a)(2) of the rule, as well as in support of the renewal of a Certified Person's certification. The final rule provides that any attestation, whether for a Person seeking certification or for a Certified Person seeking renewal, must be based on the Accredited Conformity Assessment Body's review or assessment conducted no more than three years prior to the date of submission of the Person's completed certification statement or of the Certified Person's completed renewal certification statement. As noted, an
Page 34888
Accredited Conformity Assessment Body's review or assessment need not have been conducted specifically or solely for the purpose of submission of an attestation under the final rule. From NTIS's consultations with NIST subject matter experts, NTIS believes that the limitation of three years is appropriate as to frequency for assessments for the security and safeguarding of information and information systems, and that permitting Persons and Certified Persons to rely on attestations based on such assessments conducted for purposes other than solely for the rule is reasonable and cost-
effective.
Persons previously certified under the interim final rule will need to become certified in accordance with the requirements of this final rule, when it becomes effective. Certification under this final rule will include an updated certification form (NTIS FM161), discussed under the heading, ``Paperwork Reduction Act,'' collecting additional information that will improve NTIS's ability to determine whether a Person meets, to the satisfaction of NTIS, the requirements of Section 203 of the Act.
Under Sec. 1110.103 of the final rule, a Certified Person may disclose Limited Access DMF to another Certified Person, and will be deemed to satisfy the disclosing Certified Person's obligation to ensure compliance with final Sec. 1110.102(a)(4)(i)-(iii) for the purposes of certification. Similarly, under Sec. 1110.200(c), NTIS will not impose a penalty, under Sec. 1110.200(a)(1)(i)-(iii) of the final rule, on a first Certified Person who discloses Limited Access DMF to a second Certified Person, where the first Certified Person's liability rests solely on the fact that the second Certified Person has been determined to be subject to penalty. While the final rule does not restrict disclosure of Limited Access DMF to Certified Persons, these provisions create an appropriately limited ``safe harbor'' for Certified Persons to disclose Limited Access DMF to other Certified Persons. However, note that any Person, including any Certified Person, who receives Limited Access DMF from a Certified Person, is still subject to penalty under Sec. 1110.200(a)(2), for violations of the Act. The safe harbor provision applies to each disclosure individually, and only the Certified Person disclosing the information, not the Certified Person recipient, receives the benefit of the presumed compliance with Sec. 1110.102(a)(4)(i)-(iii).
Under Sec. 1110.201 of the final rule, NTIS may conduct, or may request that an Accredited Conformity Assessment Body conduct, at the Certified Person's expense, periodic scheduled and unscheduled audits of the systems, facilities, and procedures of any Certified Person relating to such Certified Person's access to, and use and distribution of, the Limited Access DMF. NTIS contemplates that many, if not most, audits of Certified Persons will be scheduled, but NTIS may also conduct, or request an Accredited Conformity Assessment Body conduct, unscheduled audits--for example, where a prior scheduled audit may have identified the need for adjustment to a Certified Person's systems, facilities, or procedures. Audits conducted by NTIS or by an Accredited Conformity Assessment Body may take place at a Certified Person's place of business (i.e., field audits), or may be conducted remotely (i.e., desk audits). The final rule provides that all Certified Persons be audited with respect to the requirements of Sec. 1110.102(a)(2) no less frequently than every three years under the program, and this requirement may be satisfied by a Certified Person based on an audit or assessment conducted for a purpose other than solely for the purpose of this program. The final rule does not require that Certified Persons undergo routine scheduled audits on the attestation regarding Sec. 1110.102(a)(1), but does provide that unscheduled audits of this and other aspects of the requirements for certification may be conducted at NTIS's discretion. Under the final rule, NTIS' costs for conducting audits will be recoverable from the audited Person. Failure to submit to an audit, to cooperate fully with NTIS in its conduct of an audit or an Accredited Conformity Assessment Body conducting an audit on NTIS's request, or to pay an audit fee owed to NTIS, are grounds for revocation of certification under the final rule. NTIS intends that a Person or Certified Person will be directly responsible to an Accredited Conformity Assessment Body for any charges by that Accredited Conformity Assessment Body related to requirements under this final rule, as it would be responsible for NTIS' auditing costs under the Act.
Section 1110.200(a)(2) and (b) of the final rule set out the penalties for unauthorized disclosures or uses of the Limited Access DMF. Each individual unauthorized disclosure is punishable by a fine of $1,000, payable to the United States Treasury. However, the total amount of the penalty imposed under this part on any Person for any calendar year shall not exceed $250,000, unless such Person's disclosure or use is determined to be willful or intentional. A disclosure or use is considered willful when it is a ``voluntary, intentional violation of a known legal duty.'' See U.S. v. Pomponio, 429 US 10 (1976) (holding that for purposes of interpreting the criminal tax provisions of the Internal Revenue Code, the term ``willful'' means a voluntary, intentional violation of a known legal duty).
The final rule's Sec. 1110.300 establishes the procedures to appeal a denial or revocation of certification, or the imposition of penalties for violating the Act. An administrative appeal must be filed, in writing, within 30 days (or such longer period as the Director of NTIS may, for good cause shown in writing, establish in any case) after receiving a notice of denial, revocation or imposition of penalties. Appeals are to be directed to the Director of NTIS. Any such appeal must set forth the following: The name, street address, email address and telephone number of the Person seeking review; a copy of the notice of denial or revocation of certification, or the imposition of penalty, from which appeal is taken; a statement of arguments, together with any supporting facts or information, concerning the basis upon which the denial or revocation of certification, or the imposition of penalty, should be reversed; and a request for hearing of oral argument before a representative of the Director, if desired.
Section 1110.300(a)-(d) sets forth the procedures for an administrative appeal. Under Sec. 1110.300(c), a Person may, but need not, retain an attorney to represent such Person in an appeal. A Person must designate an attorney by submitting to the Director of NTIS a written power of attorney. If a hearing is requested, the Person (or the Person's designated attorney) and a representative of NTIS familiar with the notice from which appeal has been taken will present oral arguments which, unless otherwise ordered before the hearing begins, will be limited to thirty minutes for each side. A Person need not retain an attorney or request an oral hearing to secure full consideration of the facts and the Person's arguments. Where no hearing is requested, the Director shall review the case and issue a decision, as set out below.
Under Sec. 1110.300(e), the Director of NTIS shall issue a decision on the matter within 120 days after a hearing, or, if no hearing was requested, within 90 days of receiving the letter of appeal. In making decisions on appeal, the Director shall consider the arguments and statements of fact and information in the Person's appeal, and made at the oral argument hearing, if such was requested, but the Director at his or her discretion and with due respect for the
Page 34889
rights and convenience of the Person and the agency, may call for further statements on specific questions of fact, or may request additional evidence in the form of affidavits on specific facts in dispute. An appellant may seek reconsideration of the decision, but must do so in writing, and the request for reconsideration must be received within 30 days of the Director's decision or within such an extension of time thereof as may be set by the Director of NTIS before the original period expires. A decision shall become final either after the 30-day period for requesting reconsideration expires and no request has been submitted, or on the date of final disposition of a decision on a petition for reconsideration.
Under Sec. 1110.500 of the final rule, an Accredited Conformity Assessment Body must be independent of the Person or Certified Person seeking certification, unless it is a third party conformity assessment body which a Certified Person has qualified for ``firewalled'' status pursuant to Sec. 1110.502, and must itself be accredited by a recognized accreditation body. The requirement for independence from the Person seeking certification, or from the Certified Person seeking renewal or subject to audit, is important to ensure integrity of any assessment and attestation or audit. The final rule provides that an Accredited Conformity Assessment Body must be an independent third party conformity assessment body that is not owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, except where the third party conformity assessment body qualifies for ``firewalled'' status under Sec. 1110.502.
Accordingly, under the final rule, a Person or Certified Person is considered to own, manage, or control a third party conformity assessment body if the Person or Certified Person holds a 10 percent or greater ownership interest, whether direct or indirect, in the third party conformity assessment body; if the third party conformity assessment body and the Person or Certified Person are owned by a common ``parent'' entity; if the Person or Certified Person has the ability to appoint a majority of the third party conformity assessment body's senior internal governing body, the ability to appoint the presiding official of the third party conformity assessment body's senior internal governing body, and/or the ability to hire, dismiss, or set the compensation level for third party conformity assessment body personnel; or if the third party conformity assessment body is under a contract to the Person or Certified Person that explicitly limits the services the third party conformity assessment body may perform for other customers and/or explicitly limits which or how many other entities may also be customers of the third party conformity assessment body.
In order for NTIS to accept an attestation as to, or audit of, a Person or Certified Person submitted to NTIS under the final rule, the Accredited Conformity Assessment Body must attest that it is independent of that Person or Certified Person. The Accredited Conformity Assessment Body also must attest that it has read, understood, and agrees to the regulations as set forth in the final rule. The Accredited Conformity Assessment Body must also attest that it is accredited to ISO/IEC Standard 27006-2011 ``Information technology--Security techniques--Requirements for bodies providing audit and certification of information security management systems,'' or to another nationally or internationally recognized standard for bodies providing audit and certification of information security management systems. The Accredited Conformity Assessment Body must also attest that the scope of its accreditation encompasses the safeguarding and security requirements as set forth in the final rule.
Where review or assessment or audit by an Accredited Conformity Assessment Body was not conducted specifically or solely for the purpose of submission under this part, the final rule requires that the written attestation or assessment report (if an audit) describe the nature of that review or assessment or audit, and that the Accredited Conformity Assessment Body attest that on the basis of such review or assessment or audit, the Person or Certified Person has systems, facilities, and procedures in place to safeguard Limited Access DMF as required under Sec. 1110.102(a)(2).
While NTIS will normally accept written attestations and assessment reports from an Accredited Conformity Assessment Body that attests, to the satisfaction of NTIS, as provided in Sec. 1110.503 of the final rule, the final rule also provides that NTIS may decline to accept written attestations or assessment reports from an Accredited Conformity Assessment Body, whether or not it has attested as provided in Sec. 1110.503, for any of the following reasons: when NTIS determines that doing so is in the public interest under Section 203 of the Bipartisan Budget Act of 2013, and notwithstanding any other provision of these regulations; submission of false or misleading information concerning a material fact(s) in an Accredited Conformity Assessment Body's attestation under Sec. 1110.503; knowing submission of false or misleading information concerning a material fact(s) in an attestation or assessment report by an Accredited Conformity Assessment Body of a Person or Certified Person; failure of an Accredited Conformity Assessment Body to cooperate (as defined in this section) in response to a request from NTIS to verify the accuracy, veracity, and/
or completeness of information received in connection with an attestation under Sec. 1110.503 or an attestation or assessment report by that Body of a Person or Certified Person; or where NTIS is unable for any reason to verify the accuracy of the Accredited Conformity Assessment Body's attestation.
In addition, with respect to audits under the final rule, NTIS may in its discretion decline to accept an attestation or assessment report conducted for other purposes, and may conduct or require that an Accredited Conformity Assessment Body conduct a review solely for the purpose of the final rule.
Executive Order 12866
This final rule has been determined to be significant as that term is defined in Executive Order 12866.
Executive Order 13132
A rule has implications for federalism under Executive Order 13132, Federalism, if it has a substantial direct effect on State or local governments and would either preempt State law or impose a substantial direct cost of compliance on States or localities. NTIS has analyzed this rule under that Order and has determined that it does not have implications for federalism.
Final Regulatory Flexibility Analysis
The Regulatory Flexibility Act of 1980, as amended, (RFA), requires agencies to analyze impacts of regulatory actions on small entities (businesses, non-profit organizations, and governments), and to consider alternatives that minimize such impacts while achieving regulatory objectives. Agencies must first conduct a threshold analysis to determine whether regulatory actions are expected to have significant economic impact on a substantial number of small entities. If the threshold analysis indicates a significant economic impact on a substantial number of small entities, an initial regulatory flexibility analysis must be produced and made available
Page 34890
for public review and comment along with the proposed regulatory action. A final regulatory flexibility analysis that considers public comments must then be produced and made publicly available with the final regulatory action.
An Initial Regulatory Flexibility Act Analysis (``IRFA'') was incorporated into the NTIS proposed rule. NTIS sought written public comment on the proposed rule, including comment on the IRFA. This Final Regulatory Flexibility Act Analysis (``FRFA'') conforms to the RFA, and incorporates the IRFA pursuant to Section 603 and comments received, to analyze the impact that this final rule will have on small entities.
Description of the Reasons Why Action Is Being Considered
The policy reasons for issuing this rule are discussed in the preamble of this document, and not repeated here.
Statement of the Objectives of, and Legal Basis for, the Rule; Identification of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Rule
The legal basis for this rule is Section 203 of the Bipartisan Budget Act of 2013, Pub. L. 113-67, codified at 42 U.S.C. 1306c (the Act). The rule, which replaces NTIS' interim final rule, implements the Act, which requires the Secretary of Commerce to create a program to certify that persons given access to the Limited Access DMF satisfy the statutory requirements for accessing that information. Accordingly, this rule creates a permanent program for certifying persons eligible to access Limited Access DMF. It requires that Certified Persons annually re-certify as eligible to access the Limited Access DMF, and that they agree to be subject to scheduled and unscheduled audits. The rule also sets out the penalties for violating the Act's disclosure provisions, establishes a process to appeal penalties or revocations of certification, and adopts a fee program for the certification program, audits, and appeals.
When this final rule becomes effective, it will replace the interim final rule promulgated by NTIS to establish a Temporary Certification Program, in order to avoid the complete loss of access to the Limited Access DMF when the Act became effective. No other rules duplicate, overlap, or conflict with this rule.
Number and Description of Small Entities Regulated by the Action
The final rule applies to all persons seeking to become certified to obtain the Limited Access DMF from NTIS. The entities affected by this rule could include banks and other financial institutions, pension plans, health research institutes or companies, state and local governments, information companies, and similar research services, and others not identified. Many of the impacted entities likely are considered ``large'' entities under the applicable United States Small Business Administration (SBA) size standards. The SBA defines a ``small business'' (or ``small entity'') as one with annual revenue that meets or is below an established size standard. The SBA ``small business'' size standard is $550 million in annual revenue for Commercial Banking, Savings Institutions, Credit Unions, and Credit Card Issuing (North American Industry Code (NAICS) 522110, 522120, 522130, and 522210). The size standard is $38.5 million for Consumer Lending and Trust, Fiduciary and Custody Activities, and Direct Health and Medical Insurance Carriers (NAICS 52291, 523991, and 524114), $7.5 million for Mortgage and Nonmortgage Loan Brokers, and Insurance Agencies and Brokerages (NAICS 522310, and 524210), and $32.5 million for Third Party Administration of Insurance and Pension Funds (NAICS 524292). NTIS anticipates that this rule will have an impact on various small entities.
Projected Reporting, Recordkeeping and Other Compliance Requirements of the Rule
Under this final rule, a ``Limited Access Death Master File (LADMF) Systems Safeguards Attestation Form'' would require Accredited Conformity Assessment Bodies to attest that a Person seeking to be certified to access Limited Access DMF has systems, facilities, and procedures in place as required under Sec. 1110.102(a)(ii) of the rule. NTIS estimates that the type of professional skills necessary for the preparation of an attestation will be those of a senior auditor at an Accredited Conformity Assessment Body, to conduct an assessment under the rule.
Steps NTIS Has Taken To Minimize the Significant Economic Impact on Small Entities
NTIS carefully considered a number of alternatives to ensure compliance with the safeguarding requirements of Section 203 of the Act. These alternatives included requiring all Persons desiring to become certified to comply with the same requirements as those set forth in Section 6103(p)(4) of the Internal Revenue Code; Section 203(b)(2)(C) of the Act recites that a Certified Person ``satisfy the requirements of such section 6103(p)(4) as if such section applied to such person.'' Such a requirement would have had a very significant impact on small entities. As pointed out in some comments on the proposed rule, some of the provisions of section 6103(p)(4) would have been extremely burdensome, because, for example, in contrast to Federal Tax Information, Limited Access DMF under Section 203 is not subject to restriction when beyond the three-calendar-year period following the date of death.
Accordingly, NTIS rejected this burdensome alternative, and the final rule instead requires Persons to certify that they have systems, facilities, and procedures in place that are ``reasonably similar to'' those required by section 6103(p)(4) of the IRC in order to become Certified Persons. This interpretation allows NTIS to meet the interest of protecting personal data generally and deterring fraud, while also allowing NTIS to set the data integrity standards appropriate to safeguard Limited Access DMF specifically, and lessens the burden on small entities which, as noted by a number of commenters, tend not to have in place some more advanced information system controls.
NTIS carefully considered, but rejected, the alternative of requiring Certified Persons to undergo audits annually for the purpose of re-certification. This alternative would have necessitated that a Certified Person bear the expense of assessment for the purpose of attestation by a third party Accredited Conformity Assessment Body each year as part of the annual re-certification process under the rule. Based on consultations with NIST subject matter experts, NTIS concluded instead that a limitation of three years is appropriate as to frequency for assessments for the security and safeguarding of information and information systems, thus lessening the economic impact on small entities under the rule.
NTIS carefully considered, but rejected, the suggestion by a commenter that NTIS itself should accredit third party Accredited Conformity Assessment Bodies. This would have required that NTIS independently develop government-specific accreditation expertise and capacity. Because the Act requires NTIS to obtain full cost recovery, the cost of such an
Page 34891
effort would have to be borne by Certified Persons, including small entities. This would have been inefficient as well as burdensome. Instead, the final rule provides that an Accredited Conformity Assessment Body attest that it is accredited to a nationally or internationally recognized standard for bodies providing audit and certification of information security management systems, and that the scope of its accreditation encompasses the information safeguarding and security requirements as set forth in the rule.
NTIS carefully considered, and rejected, a proposed requirement that Persons desiring to become certified under the rule be limited to program-specific assessments and audits carried out by third party Accredited Conformity Assessment Bodies. This requirement would have necessitated that any Person, including a Person otherwise subject to periodic audit and assessment in the normal course of such Person's business, bear the burden of an additional program-specific audit or assessment for the purposes of the rule. NTIS, however, in consultation with NIST subject matter experts, considered and adopted a less burdensome approach: Provided that a routine assessment or audit of a Person would permit an Accredited Conformity Assessment Body to attest that such Person has systems, facilities, and procedures in place to safeguard Limited Access DMF as required under Sec. 1110.102(a)(2) of the final rule, albeit carried out for a purpose other than certification under the rule, NTIS will accept an attestation in support of a Person's certification with respect to the requirements under Sec. 1110.102(a)(ii) of the rule, as well as in support of the renewal of a Certified Person's certification. Thus, under the final rule, an Accredited Conformity Assessment Body's review or assessment need not have been conducted specifically or solely for the purpose of submission of an attestation under the rule, reducing the economic impact that the rejected alternative would have been imposed on small entities.
NTIS carefully considered, but rejected, the alternative of requiring that a first Certified Person who discloses Limited Access DMF to a second Certified Person be subject to penalty under the rule where, through no fault of the first Certified Person, the second Certified Person is determined to be subject to penalty under the rule. This alternative would have exposed to penalty under the rule a first Certified Person, who disclosed Limited Access DMF to another Person certified by NTIS, even absent any violation by the first Certified Person. Instead, the Final Rule provides for a ``safe harbor'' that exempts from penalty a first Certified Person who discloses LADMF to a second Certified Person, where the first Certified Person's liability rests solely on the fact that the second Certified Person has been determined to be subject to penalty. The less burdensome approach chosen by NTIS will reduce the potential economic impact on Certified Persons, including those that are small entities, under such circumstances.
Based on its analysis, NTIS estimates that the rule reflects alternatives placing the least economic impact on small entities, and that the rule will not disproportionately impact small entities as opposed to large ones.
Paperwork Reduction Act
Notwithstanding any other provision of law, no person is required to comply with, and neither shall any person be subject to penalty for failure to comply with, a collection of information subject to the requirements of the Paperwork Reduction Act, unless that collection of information displays a currently valid OMB Control Number.
This final rule contains collection of information requirements subject to review and approval by OMB under the Paperwork Reduction Act (PRA). Approval from OMB will be obtained prior to the final rule becoming effective and prior to the collection of such information, except that NTIS will continue to collect information already approved by OMB under OMB Control No. 0692-0013.
List of Subjects in 15 CFR Part 1110
Administrative appeal, Certification program, Fees, Imposition of penalty.
Dated: May 23, 2016.
Bruce Borzino,
Director.
For reasons set forth in the preamble, the National Technical Information Service amends 15 CFR part 1110 as follows:
PART 1110--CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER FILE
0
-
The authority for part 1110 continues to read as follows:
Authority: Pub. L. 113-67, Sec. 203.
0
-
Amend Sec. 1110.2 by:
0
-
Adding, in alphabetical order, the definition, ``Accredited Conformity Assessment Body;'' and
0
-
Revising the definitions of ``Limited Access DMF'' and ``Person''.
The addition and revision read as follows:
Sec. 1110.2 Definitions used in this part.
* * * * *
Accredited Conformity Assessment Body. A third party conformity assessment body that is accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, International Organization for Standardization (ISO)/
International Electrotechnical Commission (IEC) 27006-2011, ``Information technology--Security techniques--Requirements for bodies providing audit and certification of information security management systems,'' to attest that a Person or Certified Person has systems, facilities and procedures in place to safeguard Limited Access DMF.
* * * * *
Limited Access DMF. The DMF product made available by NTIS which includes DMF with respect to any deceased individual at any time during the three-calendar-year period beginning on the date of the individual's death. As used in this part, Limited Access DMF does not include an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF. If a Person obtains, or a third party subsequently provides to such Person, death information (i.e., the name, social security account number, date of birth, or date of death) independently, such information in the possession of such Person is not part of the Limited Access DMF or subject to this part.
* * * * *
Person. Includes corporations, companies, associations, firms, partnerships, societies, joint stock companies, and other private organizations, and state and local government departments and agencies, as well as individuals.
0
-
-
Revise the section heading of Sec. 1110.100 to read as follows:
Sec. 1110.100 Scope; term.
* * * * *
0
-
Revise Sec. 1110.101 to read as follows:
Sec. 1110.101 Submission of certification; attestation.
(a) In order to become certified under the certification program established under this part, a Person must submit a completed certification statement and any required documentation, using the
Page 34892
most current version of the Limited Access Death Master File Subscriber Certification Form, and its accompanying instructions at https://dmf.ntis.gov, together with the required fee.
(b) In addition to the requirements under paragraph (a) of this section, in order to become certified, a Person must submit a written attestation from an Accredited Conformity Assessment Body that such Person has systems, facilities, and procedures in place as required under Sec. 1110.102(a)(2). Such attestation must be based on the Accredited Conformity Assessment Body's review or assessment conducted no more than three years prior to the date of submission of the Person's completed certification statement, but such review or assessment need not have been conducted specifically or solely for the purpose of submission under this part.
0
-
Amend Sec. 1110.102 by revising paragraphs (a)(2), (3), and (4) to read as follows:
Sec. 1110.102 Certification.
* * * * *
(a) * * *
(2) Such Person has systems, facilities, and procedures in place to safeguard the accessed information, and experience in maintaining the confidentiality, security, and appropriate use of accessed information, pursuant to requirements reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986;
(3) Such Person agrees to satisfy such similar requirements; and
(4) Such Person shall not, with respect to Limited Access DMF of any deceased individual:
(i) Disclose such deceased individual's Limited Access DMF to any person other than a person who meets the requirements of paragraphs (a)(1) through (3) of this section;
(ii) Disclose such deceased individual's Limited Access DMF to any person who uses the information for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty;
(iii) Disclose such deceased individual's Limited Access DMF to any person who further discloses the information to any person other than a person who meets the requirements of paragraphs (a)(1) through (3) of this section; or
(iv) Use any such deceased individual's Limited Access DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty.
* * * * *
0
-
In subpart B of part 1110, add Sec. Sec. 1110.103, 1110.104, and 1110.105 to read as follows:
Sec. 1110.103 Disclosure to a certified person.
Disclosure by a Person certified under this part of Limited Access DMF to another Person certified under this part shall be deemed to satisfy the disclosing Person's obligation to ensure compliance with Sec. 1110.102(a)(4)(i) through (iii).
Sec. 1110.104 Revocation of certification.
False certification as to any element of Sec. 1110.102(a)(1) through (4) shall be grounds for revocation of certification, in addition to any other penalties at law. A Person properly certified who thereafter becomes aware that the Person no longer satisfies one or more elements of Sec. 1110.102(a) shall promptly inform NTIS thereof in writing.
Sec. 1110.105 Renewal of certification.
(a) A Certified Person may renew its certification status by submitting, on or before the date of expiration of the term of its certification, a completed certification statement in accordance with Sec. 1110.101, together with the required fee, indicating on the form NTIS FM161 that it is a renewal, and also indicating whether or not there has been any change in any basis previously relied upon for certification.
(b) Except as may otherwise be required by NTIS, where a Certified Person seeking certification status renewal has, within a three-year period preceding submission under paragraph (a) of this section, previously submitted a written attestation under Sec. 1110.101(b), or has within such period been subject to a satisfactory audit under Sec. 1110.201, such Certified Person shall so indicate on the form NTIS FM161, and shall not be required to submit a written attestation under Sec. 1110.101(b).
(c) A Certified Person who submits a certification statement, attestation (if required) and fee pursuant to paragraph (a) of this section shall continue in Certified Person status pending notification of renewal or non-renewal from NTIS.
(d) A Person who is a Certified Person before November 28, 2016 shall be considered a Certified Person under this part, and shall continue in Certified Person status until the date which is one year from the date of acceptance of such Person's certification by NTIS under the Temporary Certification Program, provided that if such expiration date falls on a weekend or a federal holiday, the term of certification shall be considered to extend to the next business day.
0
-
Revise Sec. 1110.200 to read as follows:
Sec. 1110.200 Imposition of penalty.
(a) General. (1) Any Person certified under this part who receives Limited Access DMF, and who:
(i) Discloses Limited Access DMF to any person other than a person who meets the requirements of Sec. 1110.102(a)(1) through (3);
(ii) Discloses Limited Access DMF to any person who uses the Limited Access DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty;
(iii) Discloses Limited Access DMF to any person who further discloses the Limited Access DMF to any person other than a person who meets the requirements of Sec. 1110.102(a)(1) through (3); or
(iv) Uses any such Limited Access DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty; and
(2) Any Person to whom such Limited Access DMF is disclosed, whether or not such Person is certified under this part, who further discloses or uses such Limited Access DMF as described in paragraphs (a)(1)(i) through (iv) of this section, shall pay to the General Fund of the United States Department of the Treasury a penalty of $1,000 for each such disclosure or use, and, if such Person is certified, shall be subject to having such Person's certification revoked.
(b) Limitation on penalty. The total amount of the penalty imposed under this part on any Person for any calendar year shall not exceed $250,000, unless such Person's disclosure or use is determined to be willful or intentional. For the purposes of this part, a disclosure or use is willful when it is a ``voluntary, intentional violation of a known legal duty.''
(c) Disclosure to a Certified Person. No penalty shall be imposed under paragraphs (a)(1)(i) through (iii) of this section on a first Certified Person who discloses, to a second Certified Person, Limited Access DMF, where the sole basis for imposition of penalty on such first Certified Person is that such second
Page 34893
Certified Person has been determined to be subject to penalty under this part.
0
-
Revise Sec. 1110.201 to read as follows:
Sec. 1110.201 Audits.
Any Person certified under this part shall, as a condition of certification, agree to be subject to audit by NTIS, or, at the request of NTIS, by an Accredited Conformity Assessment Body, to determine the compliance by such Person with the requirements of this part. NTIS may conduct, or request that an Accredited Conformity Assessment Body conduct, periodic scheduled and unscheduled audits of the systems, facilities, and procedures of any Certified Person relating to such Certified Person's access to, and use and distribution of, the Limited Access DMF. NTIS may conduct, or request that an Accredited Conformity Assessment Body conduct, field audits (during regular business hours) or desk audits of a Certified Person. Failure of a Certified Person to submit to or cooperate fully with NTIS, or with an Accredited Conformity Assessment Body acting pursuant to this section, in its conduct of an audit, or to pay an audit fee to NTIS, will be grounds for revocation of certification.
Subpart E--Redesignated as Subpart E
0
-
Redesignate subpart D as subpart E.
0
-
Add new subpart D to read as follows:
Subpart D--Administrative Appeal
Sec.
1110.3000 Appeal.
Subpart D--Administrative Appeal
Sec. 1110.300 Appeal.
(a) General. Any Person adversely affected or aggrieved by reason of NTIS denying or revoking such Person's certification under this part, or imposing upon such Person under this part a penalty, may obtain review by filing, within 30 days (or such longer period as the Director of NTIS may, for good cause shown in writing, fix in any case) after receiving notice of such denial, revocation or imposition, an administrative appeal to the Director of NTIS.
(b) Form of appeal. An appeal shall be submitted in writing to Director, National Technical Information Service, at NTIS's current mailing address as found on its Web site: www.ntis.gov., ATTENTION DMF APPEAL, and shall include the following:
(1) The name, street address, email address and telephone number of the Person seeking review;
(2) A copy of the notice of denial or revocation of certification, or the imposition of penalty, from which appeal is taken;
(3) A statement of arguments, together with any supporting facts or information, concerning the basis upon which the denial or revocation of certification, or the imposition of penalty, should be reversed;
(4) A request for hearing of oral argument before the Director, if desired.
(c) Power of attorney. A Person may, but need not, retain an attorney to represent such Person in an appeal. A Person shall designate any such attorney by submitting to the Director of NTIS a written power of attorney.
(d) Hearing. If requested in the appeal, a date will be set for hearing of oral argument before a representative of the Director of NTIS, by the Person or the Person's designated attorney, and a representative of NTIS familiar with the notice from which appeal has been taken. Unless it shall be otherwise ordered before the hearing begins, oral argument will be limited to thirty minutes for each side. A Person need not retain an attorney or request an oral hearing to secure full consideration of the facts and the Person's arguments.
(e) Decision. After a hearing on the appeal, if a hearing was requested, the Director of NTIS shall issue a decision on the matter within 120 days, or, if no hearing was requested, within 90 days of receiving the appeal. The decision of the Director of NTIS shall be made after consideration of the arguments and statements of fact and information in the Person's appeal, and the hearing of oral argument if a hearing was requested, but the Director of NTIS at his or her discretion and with due respect for the rights and convenience of the Person and the agency, may call for further statements on specific questions of fact or may request additional evidence in the form of affidavits on specific facts in dispute. After the original decision is issued, an appellant shall have 30 days (or a date as may be set by the Director of NTIS before the original period expires) from the date of the decision to request a reconsideration of the matter. The Director's decision becomes final 30 days after being issued, if no request for reconsideration is filed, or on the date of final disposition of a decision on a petition for reconsideration.
0
-
Revise newly redesignated subpart E to read as follows:
Subpart E--Fees
Sec.
1110.400 Fees.
Subpart E--Fees
Sec. 1110.400 Fees.
Fees sufficient to cover (but not to exceed) all costs to NTIS associated with evaluating Certification Forms and auditing, inspecting, and monitoring certified persons under the certification program established under this part, as well as appeals, will be published (as periodically reevaluated and updated by NTIS) and available at https://dmf.ntis.gov. NTIS will not set fees for attestations or audits by an Accredited Conformity Assessment Body.
0
-
Add subpart F to read as follows:
Subpart F--Accredited Conformity Assessment Bodies
Sec.
1110.500 Accredited conformity assessment bodies.
1110.501 Independent.
1110.502 Firewalled.
1110.503 Attestation by accredited conformity assessment body.
1110.504 Acceptance of accredited conformity assessment bodies.
Subpart F--Accredited Conformity Assessment Bodies
Sec. 1110.500 Accredited conformity assessment bodies.
This subpart describes Accredited Conformity Assessment Bodies and their accreditation for third party attestation and auditing of the information safeguarding requirement for certification of Persons under this part. NTIS will accept an attestation or audit of a Person or Certified Person from an Accredited Conformity Assessment Body that is:
(a) Independent of that Person or Certified Person; or
(b) Is firewalled from that Person or Certified Person, and that in either instance is itself accredited by a nationally or internationally recognized accreditation body.
Sec. 1110.501 Independent.
(a) An Accredited Conformity Assessment Body that is an independent third party conformity assessment body is one that is not owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body.
(1) A Person or Certified Person is considered to own, manage, or control a third party conformity assessment body if any one of the following characteristics applies:
(i) The Person or Certified Person holds a 10 percent or greater ownership interest, whether direct or indirect, in
Page 34894
the third party conformity assessment body. Indirect ownership interest is calculated by successive multiplication of the ownership percentages for each link in the ownership chain;
(ii) The third party conformity assessment body and the Person or Certified Person are owned by a common ``parent'' entity;
(iii) The Person or Certified Person has the ability to appoint a majority of the third party conformity assessment body's senior internal governing body (such as, but not limited to, a board of directors), the ability to appoint the presiding official (such as, but not limited to, the chair or president) of the third party conformity assessment body's senior internal governing body, and/or the ability to hire, dismiss, or set the compensation level for third party conformity assessment body personnel; or
(iv) The third party conformity assessment body is under a contract to the Person or Certified Person that explicitly limits the services the third party conformity assessment body may perform for other customers and/or explicitly limits which or how many other entities may also be customers of the third party conformity assessment body.
(2) A state or local government office of Inspector General or Auditor General and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common ``parent'' entity under paragraph (a)(1)(ii) of this section.
(b) Reserved
Sec. 1110.502 Firewalled.
(a) A third party conformity assessment body must apply to NTIS for firewalled status if it is owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, applying the characteristics set forth under Sec. 1110.501(a)(1).
(b) The application for firewalled status of a third party conformity assessment body under paragraph (a) of this section will be accepted by NTIS where NTIS finds that:
(1) Acceptance of the third party conformity assessment body for firewalled status would provide equal or greater assurance that the Person or Certified Person has information security systems, facilities, and procedures in place to protect the security of the Limited Access DMF than would the Person's or Certified Person's use of an independent third party third party conformity assessment body; and
(2) The third party conformity assessment body has established procedures to ensure that:
(i) Its attestations and audits are protected from undue influence by the Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, or by any other interested party;
(ii) NTIS is notified promptly of any attempt by the Person or Certified Person that is the subject of attestation or audit by the third party conformity assessment body, or by any other interested party, to hide or exert undue influence over an attestation, assessment or audit; and
(iii) Allegations of undue influence may be reported confidentially to NTIS. To the extent permitted by Federal law, NTIS will undertake to protect the confidentiality of witnesses reporting allegations of undue influence.
(c) NTIS will review each application and may contact the third party conformity assessment body with questions or to request submission of missing information, and will communicate its decision on each application in writing to the applicant, which may be by electronic mail.
Sec. 1110.503 Attestation by accredited conformity assessment body.
(a) In any attestation or audit of a Person or Certified Person that will be submitted to NTIS under this part, an Accredited Conformity Assessment Body must attest that it is independent of that Person or Certified Person. The Accredited Conformity Assessment Body also must attest that it has read, understood, and agrees to the regulations in this part. The Accredited Conformity Assessment Body must also attest that it is accredited to a nationally or internationally recognized standard such as the ISO/IEC Standard 27006-
2011 ``Information technology--Security techniques--Requirements for bodies providing audit and certification of information security management systems,'' or any other similar nationally or internationally recognized standard for bodies providing audit and certification of information security management systems. The Accredited Conformity Assessment Body must also attest that the scope of its accreditation encompasses the safeguarding and security requirements as set forth in this part.
(b) Where a Person seeks certification, or where a Certified Person seeks renewal of certification or is audited under this part, an Accredited Conformity Assessment Body may provide written attestation that such Person or Certified Person has systems, facilities, and procedures in place as required under Sec. 1110.102(a)(2). Such attestation must be based on the Accredited Conformity Assessment Body's review or assessment conducted no more than three years prior to the date of submission of the Person's or Certified Person's completed certification statement, and, if an audit of a Certified Person by an Accredited Conformity Assessment Body is required by NTIS, no more than three years prior to the date upon which NTIS notifies the Certified Person of NTIS's requirement for audit, but such review or assessment or audit need not have been conducted specifically or solely for the purpose of submission under this part.
(c) Where review or assessment or audit by an Accredited Conformity Assessment Body was not conducted specifically or solely for the purpose of submission under this part, the written attestation or assessment report (if an audit) shall describe the nature of that review or assessment or audit, and the Accredited Conformity Assessment Body shall attest that on the basis of such review or assessment or audit, the Person or Certified Person has systems, facilities, and procedures in place as required under Sec. 1110.102(a)(2).
(d) Notwithstanding paragraphs (a) through (c) of this section, NTIS may, in its sole discretion, require that review or assessment or audit by an Accredited Conformity Assessment Body be conducted specifically or solely for the purpose of submission under this part.
Sec. 1110.504 Acceptance of accredited conformity assessment bodies.
(a) NTIS will accept written attestations and assessment reports from an Accredited Conformity Assessment Body that attests, to the satisfaction of NTIS, as provided in Sec. 1110.503.
(b) NTIS may decline to accept written attestations or assessment reports from an Accredited Conformity Assessment Body, whether or not it has attested as provided in Sec. 1110.503, for any of the following reasons:
(1) When it is in the public interest under Section 203 of the Bipartisan Budget Act of 2013, and notwithstanding any other provision of this part;
(2) Submission of false or misleading information concerning a material fact(s) in an Accredited Conformity Assessment Body's attestation under Sec. 1110.503;
(3) Knowing submission of false or misleading information concerning a material fact(s) in an attestation or
Page 34895
assessment report by an Accredited Conformity Assessment Body of a Person or Certified Person;
(4) Failure of an Accredited Conformity Assessment Body to cooperate in response to a request from NTIS to verify the accuracy, veracity, and/or completeness of information received in connection with an attestation under Sec. 1110.503 or an attestation or assessment report by that Body of a Person or Certified Person. An Accredited Conformity Assessment Body ``fails to cooperate'' when it does not respond to NTIS inquiries or requests, or it responds in a manner that is unresponsive, evasive, deceptive, or substantially incomplete; or
(5) Where NTIS is unable for any reason to verify the accuracy of the Accredited Conformity Assessment Body's attestation.
FR Doc. 2016-12479 Filed 5-31-16; 8:45 am
BILLING CODE P
