Certification Program for Access to the Death Master File, 78314-78324 [2014-30199]
Federal Register / Vol. 79, No. 249 / Tuesday, December 30, 2014 / Proposed Rules (page 78314)
This section of the FEDERAL REGISTER contains notices to the public of the proposed issuance of rules and regulations. The purpose of these notices is to give interested persons an opportunity to participate in the rule making prior to the adoption of the final rules.
DEPARTMENT OF COMMERCE
National Technical Information Service
15 CFR Part 1110
[Docket Number: 141219001–4999–02]
RIN 0692–AA21
Certification Program for Access to the Death Master File

AGENCY: National Technical Information Service, U.S. Department of Commerce.

ACTION: Notice of proposed rulemaking; request for comments.
SUMMARY: The National Technical Information Service (NTIS) issues a proposed rule that would, if implemented, establish a program pursuant to Section 203 of the Bipartisan Budget Act of 2013 (Act) through which persons may become “certified” and thereby be eligible to obtain access to Death Master File (DMF) information about an individual within three years of that individual’s death (“Limited Access DMF,” as defined in the proposed rule). The rule is established to provide immediate access to the DMF to those users who demonstrate a legitimate fraud prevention interest or a legitimate business purpose for the information, and to otherwise delay the release of the DMF to all other users, thereby reducing opportunities for identity theft and restricting information sources used to file fraudulent tax returns. This rule sets forth requirements to become a certified person, establishes a process for third party attestation and auditing of the information safeguarding requirement for certification, provides that certified persons will be subject to periodic scheduled and unscheduled audits, and sets out penalties for persons who disclose or use DMF information in a manner not in accordance with the Act. This rule would also establish the process for appealing denials or revocations of certification, the imposition of penalties, and a fee program.
DATES: Comments are due on this proposed rule on January 29, 2015.

ADDRESSES: Written comments on this proposed rule must be submitted via https://www.regulations.gov. Comments sent by any other method, to any other address or individual, or received after the end of the comment period, may not be considered. All comments received are a part of the public record and will generally be posted for public viewing on www.regulations.gov without change. However, comments that contain profanity, vulgarity, threats, or other inappropriate language will not be posted. All personal identifying information (e.g., name, address) submitted voluntarily by the sender will be publicly accessible. Do not submit confidential business information, or otherwise sensitive or protected information. Attachments to electronic comments will be accepted in Microsoft Word or Excel, WordPerfect, or Adobe PDF formats only.

FOR FURTHER INFORMATION CONTACT: Henry Wixon, Chief Counsel for NIST, at henry.wixon@nist.gov, or by telephone at 301–975–2803. Information about the DMF made available to the public by NTIS may be found at https://dmf.ntis.gov.

SUPPLEMENTARY INFORMATION:
Background
On December 26, 2013, the Bipartisan Budget Act of 2013, Pub. L. 113–67, (the Act) became law. Section 203 of the Act prohibits the Secretary of Commerce (Secretary) from disclosing DMF information during the three-calendar-year period following an individual’s death (the “Limited Access DMF”), unless the person requesting the information has been certified to receive that information under a program established by the Secretary. The Act further requires the Secretary to establish a fee-based certification program that will certify these persons. It also provides for penalties for those who receive or distribute DMF information without being certified. Finally, the Act sets March 26, 2014, as the date after which any party seeking access to the Limited Access DMF must be certified in order to access Limited Access DMF. The Secretary has delegated the authority to carry out Section 203 to the Director of NTIS.
On March 3, 2014, NTIS published a Request for Information (RFI) and Advance Notice of Public Meeting on the Certification Program for Access to the Death Master File (RFI) at 79 FR 11735, available at https://www.gpo.gov/fdsys/pkg/FR-2014-03-03/pdf/2014-04584.pdf. The public meeting was held March 4, 2014, from 9:00 a.m. to 12:00 p.m. Eastern time at the United States Patent and Trademark Office, Madison Building West, 600 Dulany Street, Alexandria, VA 22314. The public meeting was also webcast. Written comments received in response to the RFI, and a transcription of oral comments made and comments submitted via webcast at the public meeting, may be viewed at https://dmf.ntis.gov.
On March 26, 2014, NTIS published an interim final rule, “Temporary Certification Program for Access to the Death Master File,” at 79 FR 16668, available at https://www.gpo.gov/fdsys/pkg/FR-2014-03-26/pdf/2014-06701.pdf (the Interim Final Rule). That rule codified an interim approach to implementing the Act’s provisions pertaining to the certification program and the penalties for violating the Act, and set out an interim fee schedule for the program. NTIS published the Interim Final Rule in order to provide a mechanism for persons to access the DMF immediately on the effective date prescribed in Section 203 of the Act. Written comments received in response to the Interim Final Rule may be viewed at https://www.regulations.gov.
The preambles for both the RFI and the Interim Final Rule set out the specific provisions of the Act, and also noted that several Members of Congress described their understanding of the purpose and meaning of Section 203 during Congressional debate on the Joint Resolution which became the Act. Citations to those Member statements were provided in the RFI, which also provided background on the component of the DMF covered by Section 203, which originates from the Social Security Administration. The Interim Rule was established to provide immediate access to the DMF to those users who demonstrate a legitimate fraud prevention interest or a legitimate business purpose for the information, and to otherwise delay the release of the DMF to all other users, thereby reducing opportunities for identity theft and restricting information sources used to file fraudulent tax returns.
This rule, if adopted, would replace the regulatory structure put into place by the Interim Final Rule. It describes who may become a “Certified Person” under the Act, creates a process by which NTIS can certify such persons, establishes a process for third party attestation and auditing of the information safeguarding requirement for certification, establishes a fee program, establishes penalties for disseminating or receiving DMF information in violation of the Act, and creates a process to appeal some penalties. However, until this rule becomes final and effective, the Temporary Certification Program established under the Interim Final Rule shall remain in force and effect.
The Proposed Rule
This proposed rule would amend subparts and add a new subpart E to the DMF Certification Program in part 1110 of title 15 of the Code of Federal Regulations. The following describes specific provisions being amended.
Under Section 1110.2, “Definitions,” NTIS proposes to revise the definition of “Person” to recite “state and local government departments and agencies,” so that “Person” will be defined as including “corporations, companies, associations, firms, partnerships, societies, joint stock companies, and other private organizations, and state and local government departments and agencies, as well as individuals.” However, Executive departments or agencies of the United States Government would not be considered “Persons” for the purposes of this rule. Accordingly, Executive departments or agencies will not have to complete the Certification Form as set forth in the rule, and will be able to access Limited Access DMF under a subscription or license agreement with NTIS, describing the purpose(s) for which Limited Access DMF is collected, used, maintained and shared. Those working on behalf of and authorized by Executive departments or agencies may access the Limited Access DMF from their sponsoring Executive department or agency, which will be responsible for ensuring that such access is solely for the authorized purposes described by the agency. Unauthorized secondary use of Limited Access DMF by Executive departments or agencies or those working for them or on their behalf is prohibited. If an Executive department or agency wishes those working on its behalf to access the Limited Access DMF directly from NTIS, then those working on behalf of that Executive department or agency will be required to complete and submit the Certification Form as set forth in the rule and enter into a subscription agreement with NTIS in order to access the Limited Access DMF. Under this proposed rule, a Certified Person will be eligible to access the Limited Access DMF made available by NTIS through subscription or license.
NTIS proposes to revise the definition of “Limited Access DMF” by adding a sentence that clarifies that an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF, will not be considered “DMF information” for the purposes of the rule, and requests comment on the proposed definition. The additional sentence is as follows:

As used in this part, Limited Access DMF does not include an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF. If a Certified Person obtains, or a third party subsequently provides to a Certified Person, death information (i.e., the name, social security account number, date of birth, or date of death) independently, the information is not considered part of the Limited Access DMF if the NTIS source information is replaced with the newly provided information.

NTIS believes this revision of the definition of Death Master File adds clarity to what is and is not Limited Access DMF, and requests comment on the proposed definition.
Under Section 1110.102(a)(1) of the interim final rule, to become certified, a Person must certify that the Person has a “legitimate fraud prevention interest,” or has a “legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty,” and must specify the basis for so certifying. NTIS is not proposing to change this requirement here. However, the Temporary Certification Program established under the Interim Final Rule did not provide for review, assessment or audit of the systems, facilities, and procedures of a Person with attestation by an independent, third party conformity assessment body, as NTIS is now proposing in this rule, and as discussed at length below. Given this proposed rule’s emphasis on security and safeguarding of Limited Access DMF, the proposed rule’s provision for procedures and processes addressing the proper safeguarding of Limited Access DMF, and the proposed rule’s provision for review, assessment, audit and attestation of a Person’s information and information security controls by independent, third party conformity assessment bodies, NTIS requests comments on the level of specificity a Person should be required to provide as the basis for certifying its fraud prevention interest or business purpose under the proposed rule.
NTIS acknowledges that some entities may seek to provide NTIS with supplemental or supporting information over and above what may be required along with the attestation, to augment or support their request for certification for access to Limited Access DMF. If submitted, NTIS will evaluate such materials and may accept or reject that information when determining whether to certify a person. To assist NTIS in determining how to evaluate such materials, NTIS also requests comments on what types of materials NTIS should accept in support of a certification that a party has a legitimate business purpose or legitimate fraud prevention interest.
This rule would add a requirement that, in order to become certified, a Person must submit a written attestation from an Accredited Certification Body (as defined below) that such Person has information security systems, facilities, and procedures in place to protect the security of the DMF information, as required under Section 1110.102(a)(2) of the rule. Such a requirement was not made under the Interim Final Rule. In considering how to establish a permanent certification program as required under Section 203, NTIS carefully considered developing, within the agency, the capacity to evaluate the information systems, facilities and procedures of Persons to safeguard DMF information, as well as to conduct audits of Certified Persons. NTIS has consulted with the National Institute of Standards and Technology (NIST), which has expertise in testing, standard setting, and certification of various systems. Based on NIST recommendations, NTIS believes it appropriate for private sector, third party, Accredited Certification Bodies to attest to a Person’s information security safeguards under Section 1110.102(a)(2) of the rule, and for NTIS to rely upon such attestation in certifying a Person under the proposed rule. NTIS also believes it appropriate for Accredited Certification Bodies to conduct periodic scheduled and unscheduled audits of Certified Persons on behalf of NTIS. NTIS requests comments on the proposal to accept attestations by private sector, third party, Accredited Certification Bodies under the rule.
Under this rule, an “Accredited Certification Body” is an independent third party conformity assessment body that is not owned, managed, or controlled by a Person or Certified Person which is the subject of attestation or audit, and that is accredited, by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) publication ISO/IEC 27006–2011, “Information technology—Security techniques—Requirements for bodies providing audit and certification of information security management systems,” to attest that a Person or Certified Person has information technology systems, facilities and procedures in place to safeguard DMF information. Based on NIST recommendations, NTIS believes it is appropriate to use the ISO/IEC 27006–2001 as a baseline for accreditation under the proposed certification program. The ISO Committee on conformity assessment (CASCO) prepared ISO/IEC 27006–2001, and NTIS believes the use of the ISO/IEC standard will help ensure that attestations and audits under the proposed certification program operate in a manner consistent with national and international practices.
Accreditation is a third-party attestation that a conformity assessment body operates in accordance with national and international standards. Accreditation is used nationally and internationally in many sectors where there is a need, through certification, that safety, health or security requirements are met by products or services. Accreditation ensures that a conformity assessment body is technically competent in the subject matter (in this case, the information safeguarding and security requirements as set forth in the rule) and has a management system in place to ensure competency and acceptable certification program operations on a continuing basis. Accreditation requires that Accredited Certification Bodies be re-accredited on a periodic basis.
However, NTIS is also aware that standards other than ISO/IEC 27006–2001 exist that may be equally appropriate for the purposes of accreditation under the Act, and that additional standards may be developed in the future. At this time, NTIS proposes that an Accredited Certification Body may attest, subject to the conditions of verification in proposed section 1110.503 of this rule, that it is accredited to a nationally or internationally recognized standard for bodies providing audit and certification of information security management systems other than ISO/IEC Standard 27006–2011. In addition, NTIS proposes that an Accredited Certification Body must also attest that the scope of its accreditation encompasses the information safeguarding and security requirements as set forth in the rule. NTIS requests comments on these proposals.
NTIS is aware that security and safeguarding of information and information systems is of great concern in many fields of endeavor other than with respect to DMF information. NTIS has consulted with subject matter experts from NIST, which in 2014 published the “Framework for Improving Critical Infrastructure Cybersecurity” (Framework), in response to President Obama’s Executive Order 13636, “Improving Critical Infrastructure Cybersecurity,” which established that “[i]t is the Policy of the United States to enhance the security and resilience of the Nation’s critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties.” In articulating this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework—a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created by NIST through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risks in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The Framework enables organizations—regardless of size, degree of cybersecurity risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today’s multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Accordingly, in addressing the requirements of Section 203 for “systems, facilities, and procedures” to safeguard DMF information, NTIS contemplates that Persons, as well as Accredited Certification Bodies, may look to the Framework and to the Framework’s Informative References.
The Framework is referenced by NTIS in its security guideline document, “Limited Access Death Master File (LADMF) Certification Program Publication 100,” which is similar to the Internal Revenue Service (IRS) Publication 1075, “Tax Information Security Guidelines for Federal, State and Local Agencies,” available at https://www.irs.gov/pub/irs-pdf/p1075.pdf, and IRS Publication 4812, “Contractor Security Controls,” available at https://www.irs.gov/pub/irs-procure/Publication-4812-Contractor-Security-Controls.pdf. As set forth in the security guideline document as well as in the Framework’s Informative References, a number of different approaches exist to safeguarding information. These include ISO/IEC, Control Objectives for Information and Related Technology (COBIT), International Society of Automation (ISA), and NIST’s 800 series publications. Others include the Service Organization Controls (SOC) of the American Institute of CPAs (AICPA). NTIS intends that by following its security guideline document, Persons and Certified Persons will satisfy the requirements of the rule. NTIS requests comments on other relevant approaches that may exist and be suitable for the purposes of the rule.
NTIS is aware that security and safeguarding assessments such as those contemplated under this proposed rule are routinely carried out in the private sector, including by entities which may satisfy the requirements for Accredited Certification Bodies under the rule. Provided that such a routine assessment or audit of a Person would permit an Accredited Certification Body to attest that such Person has systems, facilities, and procedures in place to safeguard DMF information as required under Section 1110.102(a)(2) of the rule, albeit carried out for a purpose other than certification under the rule, NTIS proposes to accept an attestation in support of a Person’s certification with respect to the requirements under Section 1110.102(a)(ii) of the rule, as well as in support of the renewal of a Certified Person’s certification. NTIS proposes that any attestation, whether for a Person seeking certification or for a Certified Person seeking renewal, must be based on the Accredited Certification Body’s review or assessment conducted no more than three years prior to the date of submission of the Person’s completed certification statement or of the Certified Person’s completed renewal certification statement. As noted, an Accredited Certification Body’s review or assessment need not have been conducted specifically or solely for the purpose of submission of an attestation under the proposed rule, provided the review or assessment addresses the controls set forth in the “Limited Access Death Master File (LADMF) Certification Program Publication 100.” From NTIS’s consultations with NIST subject matter experts, NTIS believes that the limitation of three years is appropriate as to frequency for assessments for the security and safeguarding of information and information systems, and that permitting Persons and Certified Persons to rely on attestations based on such assessments conducted for purposes other than solely for the rule is reasonable and cost-effective. NTIS requests comment on this aspect of the proposed rule.
NTIS proposes to amend Section 1110.102(a)(2) and (3) to clarify that to be certified to obtain access to the Limited Access DMF, a Person must certify both that the Person “has systems, facilities, and procedures in place to safeguard the accessed information, and experience in maintaining the confidentiality, security, and appropriate use of accessed information, pursuant to requirements similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986,” and that the Person “agrees to satisfy such similar requirements.” This standard differs somewhat from the requirement of Section 203 of the Act, because that Section contains contradictory statements about the types of systems to safeguard information that a Certified Person must have in place. In Section 203(b)(2)(B), the Act states that in order to receive Limited Access DMF, a Person must agree to comply with requirements “similar to” section 6103(p)(4) of the Internal Revenue Code (IRC). Section 6103(p)(4) of the IRC is directed to Federal government agencies, and as such the “similar to” statement makes sense for non-government actors which are the subject of the Act. However, Section 203(b)(2)(C) also requires a Certified Person to “satisfy the requirements of such section 6103(p)(4) as if such section applied to such person” (emphasis added). It is unclear how or why a Certified Person could or should satisfy an information integrity requirement “similar to” section 6103(p)(4) of the IRC while also satisfying section 6103(p)(4) of the IRC. To resolve this ambiguity, NTIS interprets Section 203(b) of the Act as requiring Persons to certify that they have systems, facilities, and procedures in place that are “similar to” those required by section 6103(p)(4) of the IRC in order to become Certified Persons. NTIS requests comments on this interpretation, which NTIS believes will allow NTIS to meet the interest of protecting personal data generally and deterring fraud, while also allowing NTIS to set the data integrity standards appropriate to safeguard DMF information specifically. NTIS has developed a security guideline document, “Limited Access Death Master File (LADMF) Certification Program Publication 100,” similar to the Internal Revenue Service (IRS) Publication 1075, “Tax Information Security Guidelines for Federal, State and Local Agencies,” available at https://www.irs.gov/pub/irs-pdf/p1075.pdf, as well as IRS Publication 4812, “Contractor Security Controls,” available at https://www.irs.gov/pub/irs-procure/Publication-4812-Contractor-Security-Controls.pdf, and drawing on the National Institute of Standards and Technology “Framework for Improving Critical Infrastructure Cybersecurity,” and informative references cited therein, available at https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf, that sets out safeguard approaches adapted to the provisions of Section 203 of the Act. NTIS will invite the public to comment on and to contribute to this guidance document on a continuing basis. NTIS contemplates that conforming to the proposed NTIS security guideline document will permit Persons and Certified Persons to satisfy the Act. A draft of the proposed NTIS security guideline document is available for review at https://dmf.ntis.gov.
NTIS believes that adherence to the information security controls and practices described in the LADMF Certification Program Publication 100 will help protect LADMF information that resides on Certified Persons’ information technology systems. Combined with the strict liability for misusing the LADMF information set out in section (c) of the Act, and in section 1110.102 of this proposed rule, LADMF Certification Program Publication 100 describes safeguards for minimizing occurrences of improper access to, and misuse of, LADMF data. Specifically, LADMF Certification Program Publication 100 establishes the guidelines and practices that Certified Persons are to apply to their information security programs to protect LADMF information in their possession. Failure to adhere to these guidelines and practices increases the likelihood of unauthorized access to, and misuse of, LADMF data, including fraudulent misuse. Accordingly, the information security measures required by this rule and adherence to the guidelines and practices described in LADMF Certification Program Publication 100 require Certified Persons to maintain adequate security controls for LADMF information.
Persons previously certified under the Interim Final Rule will need to become certified in accordance with the requirements of the proposed rule, when it becomes final and effective. Certification under this rule will include an updated certification form, discussed below under the heading, “Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Proposed Rule,” collecting additional information that will improve NTIS’s ability to determine whether a Person meets, to the satisfaction of NTIS, the requirements of Section 203 of the Act.
Under Section 1110.103 of the proposed rule, a Certified Person may disclose Limited Access DMF to another Certified Person, and will be deemed to satisfy the disclosing Certified Person’s obligation to ensure compliance with proposed Section 1110.102(a)(4)(i)–(iii) for the purposes of certification. Similarly, under Section 1110.200(c), NTIS will not impose a penalty, under Section 1110.200(a)(1)(i)–(iii) of the proposed rule, on a first Certified Person who discloses Limited Access DMF to a second Certified Person, where the first Certified Person’s liability rests solely on the fact that the second Certified Person has been determined to be subject to penalty. While the proposed rule does not restrict disclosure of Limited Access DMF to Certified Persons, NTIS believes that these provisions create an appropriately limited “safe harbor” for Certified Persons to disclose Limited Access DMF to other Certified Persons. However, note that any Person that receives Limited Access DMF from a Certified Person is still subject to penalty under Section 1110.200(a)(1)–(4), for violations of the Act. The safe harbor provision applies to each disclosure individually, and only the Certified Person disclosing the information, not the recipient, receives the benefit of the presumed compliance with Section 1110.102(a)(4)(i)–(iii). NTIS requests comment on this provision of the proposed rule, including on whether or not the “safe harbor” should also apply when a first Certified Person discloses Limited Access DMF to a second Person, believed to be a Certified Person, but who is not, in fact, certified under the proposed rule.
Under Section 1110.201 of the proposed rule, NTIS may conduct, or may request an Accredited Certification Body conduct, at the Certified Person’s expense, periodic scheduled and unscheduled audits of the systems, facilities, and procedures of any Certified Person relating to such Certified Person’s access to, and use and distribution of, the Limited Access DMF. NTIS contemplates that many, if not most, audits of Certified Persons will be scheduled, but NTIS may also conduct, or request an Accredited Certification Body conduct, unscheduled audits—for example, where a prior scheduled audit may have identified the need for adjustment to a Certified Person’s systems, facilities, or procedures. Audits conducted by NTIS or by an Accredited Certification Body may take place at a Certified Person’s place of business (i.e., field audits), or may be conducted remotely (i.e., desk audits). As discussed above, NTIS is proposing that all Certified Persons be audited with respect to the requirements of Section 1110.102(a)(2) no less frequently than every three years under the program, and that this requirement may be satisfied by a Certified Person based on an audit or assessment conducted for a purpose other than solely for the rule. NTIS is not proposing routine scheduled audits on the attestation regarding Section 1110.102(a)(1), though unscheduled audits of this and other aspects of the requirements for certification may be conducted in NTIS’s discretion. NTIS requests comment on these aspects of the proposed rule. NTIS’ costs for conducting audits will be recoverable from the audited Person. Failure to submit to audit, to cooperate fully with NTIS in its conduct of an audit, or to pay an audit fee owed to NTIS, will be grounds for revocation of certification. NTIS intends that a Person or Certified Person will be directly responsible to an Accredited Certification Body for any charges by that Accredited Certification Body related to requirements under this proposed rule, as it would be responsible for NTIS’ auditing costs under the Act, and requests comments.
Section 1110.200(c) of the proposed
rule sets out the penalties for
unauthorized disclosures or uses of the
Limited Access DMF. Each individual
unauthorized disclosure is punishable
by a fine of $1,000, payable to the
United States Treasury. However, the
total amount of the penalty imposed
under this part on any Person for any
calendar year shall not exceed $250,000,
unless such Person’s disclosure or use is
determined to be willful or intentional.
A disclosure or use is considered willful
when it is a ‘‘voluntary, intentional
violation of a known legal duty.’’ See,
U.S. v. Pomponio, 429 US 10 (1976)
(holding that for purposes of
interpreting the criminal tax provisions
of the Internal Revenue Code, the term
‘‘willful’’ means a voluntary, intentional
violation of a known legal duty).
The proposed rule’s Section 1110.300
establishes the procedures to appeal a
denial or revocation of certification, or
of penalties for violating the Act. An
administrative appeal must be filed, in
writing, within 30 days (or such longer
period as the Director of NTIS may, for
good cause shown in writing, establish
in any case) after receiving a notice of
denial, revocation or imposition of
penalties. Appeals should be directed to
the Director of NTIS. Any such appeal
must set forth the following: The name,
street address, email address and
telephone number of the Person seeking
review; a copy of the notice of denial or
revocation of certification, or the
imposition of penalty, from which
appeal is taken; a statement of
arguments, together with any supporting
facts or information, concerning the
basis upon which the denial or
revocation of certification, or the
imposition of penalty, should be
reversed; and a request for hearing of
oral argument before a representative of
the Director, if desired.
Section 1110.300(a)–(d) proposes the
procedures for an administrative appeal.
Under section 1110.300(c), a Person
may, but need not, retain an attorney to
represent such Person in an appeal.
Those with attorneys shall designate
such attorney by submitting to the
Director of NTIS a written power of
attorney. If a hearing is requested, the
Person (or the Person’s designated
attorney) and a representative of NTIS
familiar with the notice from which
appeal has been taken will present oral
arguments which, unless otherwise
ordered before the hearing begins, will
be limited to thirty minutes for each
side. A Person need not retain an
attorney or request an oral hearing to
secure full consideration of the facts and
the Person’s arguments. Where no
hearing is requested, the Director shall
review the case and issue a decision as
set out below.
Under Section 1110.300(e), the
Director of NTIS shall issue a decision
on the matter within 120 days after a
hearing, or, if no hearing was requested,
within 90 days of receiving the letter of
appeal. In making decisions on appeal,
the Director shall consider the
arguments and statements of fact and
information in the Person’s appeal, and
made at the oral argument hearing, if
such was requested, but the Director at
his or her discretion and with due
respect for the rights and convenience of
the Person and the agency, may call for
further statements on specific questions
of fact or may request additional
evidence in the form of affidavits on
specific facts in dispute. An appellant
may seek reconsideration of the
decision, but must do so in writing, and
the request for reconsideration must be
received within 30 days of the Director’s
decision or within such an extension of
time thereof as may be set by the
Director of NTIS before the original
period expires. A decision shall become
final either after the 30-day period for
requesting reconsideration expires and
no request has been submitted, or on the
date of final disposition of a decision on
a petition for reconsideration.
As discussed above, for certification
of a Person under the rule, as well as
renewal of a Certified Person’s
certification, NTIS proposes requiring
submission of a third party attestation as
to the information safeguarding
requirement. Third party attestation is
accordingly a key element of the
certification program under the rule. In
view of this, the rule provides that an
Accredited Certification Body must be
independent of the Person or Certified
Person, and must itself be accredited by
a recognized accreditation body. The
requirement for independence from the
Person seeking certification, or from the
Certified Person seeking renewal or
subject to audit, is important to ensure
integrity of any assessment and
attestation. NTIS requests comment on
this requirement.
NTIS proposes that an Accredited
Certification Body must be an
independent third party certification
body that is not owned, managed, or
controlled by a Person or Certified
Person that is the subject of attestation
or audit by the Accredited Certification
Body. Under the rule, a Person or
Certified Person is considered to own,
manage, or control a third party
certification body if any one of the
following characteristics applies:
(1) The Person or Certified Person
holds a 10 percent or greater ownership
interest, whether direct or indirect, in
the third party certification body.
Indirect ownership interest is calculated
by successive multiplication of the
ownership percentages for each link in
the ownership chain;
(2) The third party certification body
and the Person or Certified Person are
owned by a common ‘‘parent’’ entity;
(3) The Person or Certified Person has
the ability to appoint a majority of the
third party certification body’s senior
internal governing body (such as, but
not limited to, a board of directors), the
ability to appoint the presiding official
(such as, but not limited to, the chair or
president) of the third party certification
body’s senior internal governing body,
and/or the ability to hire, dismiss, or set
the compensation level for third party
certification body personnel; or
(4) The third party certification body
is under a contract to the Person or
Certified Person that explicitly limits
the services the third party certification
body may perform for other customers
and/or explicitly limits which or how
many other entities may also be
customers of the third party certification
body.
In order for NTIS to accept an
attestation as to, or audit of, a Person or
Certified Person submitted to NTIS
under the rule, the Accredited
Certification Body must attest that it is
independent of that Person or Certified
Person. The Accredited Certification
Body also must attest that it has read,
understood, and agrees to the
regulations as set forth in the rule. The
Accredited Certification Body must also
attest that it is accredited to ISO/IEC
Standard 27006–2011 ‘‘Information
technology—Security techniques—
Requirements for bodies providing audit
and certification of information security
management systems,’’ or to another
nationally or internationally recognized
standard for bodies providing audit and
certification of information security
management systems. The Accredited
Certification Body must also attest that
the scope of its accreditation
encompasses the safeguarding and
security requirements as set forth in the
rule. NTIS requests comments on these
aspects of the proposed rule.
Where review or assessment or audit
by an Accredited Certification Body was
not conducted specifically or solely for
the purpose of submission under this
part, the rule requires that the written
attestation or assessment report (if an
audit) describe the nature of that review
or assessment or audit, and that the
Accredited Certification Body attest that
on the basis of such review or
assessment or audit, the Person or
Certified Person has systems, facilities,
and procedures in place to safeguard
DMF information as required under
Section 1110.102(a)(2) of this part. The
rule provides that in so attesting, an
Accredited Certification Body may
reference ‘‘Limited Access Death Master
File (LADMF) Certification Program
Publication 100,’’ guidelines published
by NTIS and available at https://dmf.ntis.gov.
While NTIS will normally accept
written attestations and assessment
reports from an Accredited Certification
Body that attests, to the satisfaction of
NTIS, as provided in Section 1110.502
of the rule, the rule also provides that
NTIS may decline to accept written
attestations or assessment reports from
an Accredited Certification Body,
whether or not it has attested as
provided in Section 1110.502, for any of
the following reasons:
(1) When it is in the public interest
under Section 203 of the Bipartisan
Budget Act of 2013, and
notwithstanding any other provision of
this part;
(2) Submission of false or misleading
information concerning a material
fact(s) in an Accredited Certification
Body’s attestation under Section
1110.502;
(3) Knowing submission of false or
misleading information concerning a
material fact(s) in an attestation or
assessment report by an Accredited
Certification Body of a Person or
Certified Person;
(4) Failure of an Accredited
Certification Body to cooperate in
response to a request from NTIS to verify
the accuracy, veracity, and/or
completeness of information received in
connection with an attestation under
Section 1110.502 or an attestation or
assessment report by that Body of a
Person or Certified Person. An
Accredited Certification Body ‘‘fails to
cooperate’’ when it does not respond to
NTIS inquiries or requests, or it
responds in a manner that is
unresponsive, evasive, deceptive, or
substantially incomplete; or
(5) Where NTIS is unable for any
reason to verify the accuracy of the
Accredited Certification Body’s
attestation.
In addition, with respect to audits
under the proposed rule, NTIS may in
its discretion decline to accept an
attestation or assessment report
conducted for other purposes, and may
conduct or require that an Accredited
Certification Body conduct a review
solely for the purpose of the rule, and
requests comments on this proposal.
Classification
Executive Order 12630
This rule does not effect a taking of
private property or otherwise have
taking implications under Executive
Order 12630, Governmental Actions and
Interference with Constitutionally
Protected Property Rights.
Executive Order 12866
This proposed rule has been
determined to be significant under
Executive Order 12866.
Executive Order 12898
NTIS evaluated the environmental
effects of this proposed rule in
accordance with Executive Order 12898
and determined that there are no
environmental justice issues associated
with its provisions and no collective
environmental impact resulting from its
promulgation.
Executive Order 13132
A rule has implications for federalism
under Executive Order 13132,
Federalism, if it has a substantial direct
effect on State or local governments and
would either preempt State law or
impose a substantial direct cost of
compliance on States or localities. NTIS
has analyzed this proposed rule under
that Order and has determined that it
does not have implications for
federalism.
Initial Regulatory Flexibility Analysis (IRFA)
Pursuant to Section 603 of the
Regulatory Flexibility Act, NTIS has
prepared the following IRFA to analyze
the potential impact that this proposed
rule, if adopted, would have on small
entities.
Description of the Reasons Why Action Is Being Considered
The policy reasons for issuing this
proposed rule are discussed in the
preamble of this document, and not
repeated here.
Statement of the Objectives of, and Legal Basis for, the Proposed Rule; Identification of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Proposed Rule
The legal basis for this rule is Section
203 of the Bipartisan Budget Act of
2013, Pub. L. 113–67, codified at 42
USCA § 1306c (the Act). The proposed
rule is intended to implement the Act,
which requires the Secretary of
Commerce to create a program to certify
that persons given access to information
contained on the DMF with respect to
any deceased individual at any time
during the 3-calendar-year period
following that individual’s death satisfy
the statutory requirements for accessing
the Limited Access DMF. Accordingly,
this rule creates a program for certifying
persons eligible to access the Limited
Access DMF. It requires that Certified
Persons annually re-certify as eligible to
access the Limited Access DMF, and
that they agree to be subject to
scheduled and unscheduled audits. The
rule also sets out the penalties for
violating the Act’s disclosure
provisions, establishes a process to
appeal penalties or revocations of
certification, and adopts a fee program
for the certification program, audits, and
appeals.
When the proposed rule becomes
final, it will replace the Interim Final
Rule NTIS put in place to establish a
Temporary Certification Program, in
order to avoid the complete loss of
access to the Limited Access DMF when
the Act became effective. No other rules
duplicate, overlap, or conflict with this
proposed rule.
Number and Description of Small Entities Regulated by the Proposed Action
The proposed rule will apply to all
persons seeking to become certified to
obtain the Limited Access DMF from
NTIS. The entities affected by this rule
could include banks and other financial
institutions, pension plans, health
research institutes or companies, state
and local governments, information
companies, and similar research
services, and others not identified. NTIS
therefore requests comments on the
nature and types of affected entities.
Many of the impacted entities likely
are considered ‘‘large’’ entities under
the applicable Small Business
Administration (SBA) size standards.
While NTIS anticipates that this rule
will have an impact on various small
entities, NTIS is unable at this time to
estimate the number of impacted
entities that may be considered small
entities. Because NTIS cannot estimate
the type, number, or other details about
the small entities potentially impacted
by this rule, it cannot make an estimate
about the level of impact this rule will
have on those entities. Nor can it
estimate whether the rule’s impacts will
disproportionately impact small entities
as opposed to large ones.
Because NTIS lacks information about
the types and sizes of entities impacted
by this rule, it cannot determine the
impacts. Accordingly, NTIS requests
that the public provide it with
information about the types of entities
impacted by this rule, whether those are
small or large entities under SBA’s size
standards, and the level of or a
description of the type of impacts that
this rule will have on those entities.
Description of the Projected Reporting, Recordkeeping, and Other Compliance Requirements of the Proposed Rule
This proposed rule will require
Persons seeking certification to access
the Limited Access DMF to provide
NTIS with information about the basis
upon which they are seeking
certification (i.e., legitimate fraud
prevention or business purpose), using
an updated version of the Limited
Access Death Master File Subscriber
Certification Form, Form NTIS FM161
(Certification Form), approved by the
Office of Management and Budget
(OMB) under Control Number 0692–
0013. Specifically, the Certification
Form will be updated to include
collection of additional information that
will improve NTIS’s ability to determine
whether a Person meets, to the
satisfaction of NTIS, the requirements of
Section 203 of the Act. This additional
information will also facilitate NTIS’s
ability to carry out audits, and Certified
Persons agree to be subject to periodic
scheduled and unscheduled audits of
their systems and operations to ensure
compliance with the Act’s data integrity
standards. Therefore, the proposed rule
requires Certified Persons to maintain
their records for these audits.
Additionally, to maintain their status as
Certified Persons, applicants must recertify with NTIS on an annual basis.
Description of Any Significant Alternatives to the Proposed Rule That Accomplish the Stated Objectives of Applicable Statutes and That Minimize Any Significant Economic Impact of the Proposed Rule on Small Entities
As required by 5 U.S.C. 603(c), NTIS
considered significant alternatives to the
proposed rule to minimize the impacts
of the proposed rule on small entities.
NTIS considered a (1) no-action
alternative; (2) setting different auditing
requirements for small entities; (3)
relaxing the systems requirements for
small entities; and (4) the preferred
alternative of setting a fee schedule to
enable NTIS to achieve full cost
recovery, and requiring Certified
Persons to maintain data in a manner
similar to the requirements of section
6103(p)(4) of the IRC.
NTIS rejected the no-action
alternative because the Act requires that
any person seeking Limited Access DMF
become certified to access such
information according to a program
established by the Secretary. The no-action alternative would establish no
new program, and therefore is contrary
to the Act.
Similarly, NTIS did not further
consider alternatives 2 and 3, which
would have created exceptions to the
auditing requirements of the proposed
rule and the systems requirements for
becoming certified. Exempting small
entities from the auditing or systems
requirements would potentially risk
allowing the Limited Access DMF to be
released to non-certified persons or the
public at large, and thus would counter
the benefits to security and anti-fraud
efforts the rule will create.
The fourth alternative complies with
the Act, creates a program to certify
persons eligible to access the Limited
Access DMF, and safeguards that
information from unauthorized
disclosures. The audits required by the
rule further strengthen the oversight
NTIS has over the redistribution and use
of the Limited Access DMF, and thereby
help ensure the data’s security. Because
alternative 4 accomplishes the statutory
goals set out in the Act, and would not
create the potential for security or data
integrity breaches, NTIS prefers it and
has proposed a rule based on this
alternative.
Paperwork Reduction Act
With this proposed rule, NTIS is
requesting approval of a new
information collection that will contain
two forms. One form, the ‘‘Limited
Access Death Master File (LADMF)
Systems Safeguards Attestation Form,’’
is new. The new information collection
will also revise the ‘‘Limited Access
Death Master File Subscriber
Certification Form’’ (Certification Form),
which is currently approved under
OMB Control No. 0692–0013. In the
Certification Form NTIS has added a
description of the type of information
required for each fill-in box to ensure
that the respondents’ answers show that
they meet the requirements of Section
203 of the Act. The revised Certification
Form also collects the following
information in addition to the
information collected in the existing
Certification Form:
• URL (if applicable)—Collection of
each respondent’s URL is necessary for
NTIS to perform due diligence. NTIS
will use the information to ascertain
that the organization seeking
certification is a legitimate business
performing the functions it claims to be
performing.
• NTIS Customer Number—
Collection of each respondent’s NTIS
Customer Number will allow NTIS to
readily identify existing customers,
streamlining the certification process.
• Dun and Bradstreet Number (if
applicable)—Collection of each
respondent’s Dun and Bradstreet
Number is necessary for NTIS to
perform due diligence. NTIS will use
the information to ascertain that the
organization seeking certification is a
legitimate business performing the
functions it claims to be performing.
• Authorized Contact Person—
Collection of each respondent’s
authorized contact person will expedite
the certification process by permitting
NTIS to contact the identified contact
person without first having to spend
time identifying the correct person
during the certification process.
• Authorized Contact Person’s Phone
Number and Email Address (if different
than that collected for the
organization)—Collection of this
information is necessary to allow NTIS
to contact the person if questions arise
during review of the Certification Form.
With these changes to the collection,
and based also on its experience in
administering the temporary
certification program under the Interim
Final Rule, NTIS expects the burden
hours per respondent to increase from
two hours to two and one-half hours,
and will increase the cost per
respondent in the form of a certification
fee from $200 to $400. NTIS expects to
receive approximately 550 Certification
Forms, for a total burden of 2,200 hours
and a total cost to the public of
$220,000.
The ‘‘Limited Access Death Master
File (LADMF) Systems Safeguards
Attestation Form’’ would require
accredited certification bodies to attest
that a party seeking to be certified to
access Limited Access DMF has
systems, facilities, and procedures in
place as required under § 1110.102(a)(ii)
of this part. NTIS expects the additional
burden hours for filling out this form to
range from 2 hours to 200 hours, at a
cost ranging from $270–$27,000. NTIS
bases this estimated range on an average
senior auditor rate of $135/hour, and
assumes that the time required to fill out
the form may or may not also include
time required for an Accredited
Certification Body to conduct a
complete assessment under the
proposed rule. Where a prior assessment
has been conducted, for example, where
a broader assessment has been
conducted for other purposes, NTIS has
assumed that the cost of the DMF-specific aspects may be small or even
negligible. Conversely, where no prior
assessment has been conducted within
a three year period preceding a Person’s
application for certification under the
proposed rule, NTIS has assumed that
the cost of a complete assessment will
be greater, and will depend as well on
the nature of an applicant’s systems and
its use of Limited Access DMF. NTIS
has submitted this form to OMB for
review and addition to the collection
approved at control number 0692–0013.
Comments are invited on: (a) Whether
the proposed collection of information
is necessary for the proper performance
of the functions of NTIS/Commerce,
including whether the information will
have practical utility; (b) the accuracy of
the estimate of the burden of the
proposed information collection; (c)
ways to enhance the quality, utility, and
clarity of the information to be
collected; and (d) ways to minimize the
burden of the information collection on
respondents, including the use of
automated collection techniques or
other forms of information technology.
Comments regarding the collection of
information associated with this rule,
including suggestions for reducing the
burden, should be sent to OMB Desk
Officer, New Executive Office Building,
Washington, DC 20503, Attention:
Jasmeet Seehra, or by email to Jasmeet_K._Seehra@omb.eop.gov, or by fax to
(202) 395–7285, and to NTIS as set forth
under ADDRESSES, above.
Notwithstanding any other provision
of law, no person is required to comply
with, and neither shall any person be
subject to penalty for failure to comply
with, a collection of information subject
to the requirements of the Paperwork
Reduction Act, unless that collection of
information displays a currently valid
OMB Control Number.
List of Subjects in 15 CFR Part 1110
Certification program; Administrative
appeal; Imposition of penalty; Fees.
Dated: December 19, 2014.
Bruce Borzino,
Director.
For reasons set forth in the preamble,
the National Technical Information
Service proposes to amend 15 CFR part
1110 as follows:
PART 1110—CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER FILE
■ 1. The authority for this part continues to read as follows:
Authority: Pub. L. 113–67, Sec. 203.
■ 2. Amend § 1110.2 by
■ a. Adding, in alphabetical order, the definition, ‘‘Accredited Certification Body,’’ and
■ b. Revising the definitions of ‘‘Limited Access DMF’’ and ‘‘Person’’ to read as follows:
§ 1110.2 Definitions used in this part.
* * * * *
Accredited Certification Body. An
independent third party conformity
assessment body that is not owned,
managed, or controlled by a Person or
Certified Person which is the subject of
attestation or audit, and that is
accredited, by an accreditation body
under nationally or internationally
recognized criteria such as ISO/IEC
27006–2011, ‘‘Information technology—
Security techniques—Requirements for
bodies providing audit and certification
of information security management
systems,’’ to attest that a Person or
Certified Person has systems, facilities
and procedures in place to safeguard
DMF information.
* * * * *
Limited Access DMF. The DMF
product made available by NTIS which
includes DMF with respect to any
deceased individual at any time during
the three-calendar-year period
beginning on the date of the individual’s
death. As used in this part, Limited
Access DMF does not include an
individual element of information
(name, social security number, date of
birth, or date of death) in the possession
of a Person, whether or not certified, but
obtained by such Person through a
source independent of the Limited
Access DMF. If a Certified Person
obtains, or a third party subsequently
provides to a Certified Person, death
information (i.e., the name, social
security account number, date of birth,
or date of death) independently, the
information is not considered part of the
Limited Access DMF if the NTIS source
information is replaced with the newly
provided information.
* * * * *
Person. Includes corporations,
companies, associations, firms,
partnerships, societies, joint stock
companies, and other private
organizations, and state and local
government departments and agencies,
as well as individuals.
■ 3. Revise the section heading of
§ 1110.100 to read as follows:
§ 1110.100 Scope; term.
* * * * *
■ 4. Revise § 1110.101 to read as
follows:
§ 1110.101 Submission of certification; attestation.
(a) In order to become certified under
the certification program established
under this part, a Person must submit a
completed certification statement and
any required documentation, using the
form NTIS FM161 with OMB Control
Number 0692–0013, and its
accompanying instructions at https://
dmf.ntis.gov, together with the required
fee.
(b) In addition to the requirements
under paragraph (a) of this section, in
order to become certified, a Person must
submit a written attestation from an
Accredited Certification Body that such
Person has systems, facilities, and
procedures in place as required under
§ 1110.102(a)(2) of this part. Such
attestation must be based on the
Accredited Certification Body’s review
or assessment conducted no more than
three years prior to the date of
submission of the Person’s completed
certification statement, but such review
or assessment need not have been
conducted specifically or solely for the
purpose of submission under this part.
■ 5. Amend § 1110.102 by revising
paragraphs (a)(3) and (a)(4)(iv) to read as
follows:
§ 1110.102 Certification.
(a) * * *
(3) Such Person agrees to satisfy such
similar requirements; and
(4) * * *
(iv) Use any such deceased
individual’s DMF for any purpose other
than a legitimate fraud prevention
interest or a legitimate business purpose
pursuant to a law, governmental rule,
regulation, or fiduciary duty.
* * * * *
■ 6. In subpart B of Part 1110, add
§§ 1110.103, 1110.104, and 1110.105 to
read as follows:
§ 1110.103 Disclosure to a certified person.
Disclosure by a Person certified under
this part of Limited Access DMF to
another Person certified under this part
shall be deemed to satisfy the disclosing
Person’s obligation to ensure
compliance with § 1110.102(a)(4)(i)–
(iii).
§ 1110.104 Revocation of certification.
False certification as to any element of
§ 1110.102(a) shall be grounds for
revocation of certification, in addition to
any other penalties at law. A Person
properly certified who thereafter
becomes aware that the Person no
longer satisfies one or more elements of
§ 1110.102(a) of this part shall
immediately inform NTIS thereof in
writing.
§ 1110.105 Renewal of Certification.
(a) A Certified Person may renew its
certification status by submitting, on or
before the date of expiration of the term
of its certification, a completed
certification statement in accordance
with § 1110.101, together with the
required fee, indicating on the form
NTIS FM161 that it is a renewal, and
also indicating whether or not there has
been any change in any basis previously
relied upon for certification.
(b) Except as may otherwise be
required by NTIS, where a Certified
Person seeking certification status
renewal has, within a three-year period
preceding submission under paragraph
(a) of this section, previously submitted
a written attestation under
§ 1110.101(b), or has within such period
been subject to a satisfactory audit
under § 1110.201, such Certified Person
shall so indicate on the form NTIS
FM161, and shall not be required to
submit a written attestation under
§ 1110.101(b).
(c) A Certified Person who submits a
certification statement, attestation (if
required) and fee pursuant to
§ 1110.105(a) shall continue in Certified
Person status pending notification of
renewal or non-renewal from NTIS.
(d) A Person who is a Certified Person
before [EFFECTIVE DATE OF THIS
RULE] shall be considered a Certified
Person under this part, and shall
continue in Certified Person status until
the date which is one year from the date
of acceptance of such Person’s
certification by NTIS under the
Temporary Certification Program,
provided that if such expiration date
falls on a weekend or a federal holiday,
the term of certification shall be
considered to extend to the next
business day.
■ 7. Revise § 1110.200 to read as
follows:
§ 1110.200 Imposition of penalty.
(a) General. (1) Any Person certified
under this part who receives DMF
information, including information
about any deceased individual at any
time during the three-calendar-year
period beginning on the date of the
individual’s death, and who during
such three-calendar-year period:
(i) Discloses such deceased
individual’s DMF information to any
person other than a person who meets
the requirements of § 1110.102(a)(1)
through (3);
(ii) Discloses such deceased
individual’s DMF information to any
person who uses the information for any
purpose other than a legitimate fraud
prevention interest or a legitimate
business purpose pursuant to a law,
governmental rule, regulation, or
fiduciary duty;
(iii) Discloses such deceased
individual’s DMF information to any
person who further discloses the
information to any person other than a
person who meets the requirements of
§ 1110.102(a)(1) through (3); or
(iv) Uses any such deceased
individual’s DMF information for any
purpose other than a legitimate fraud
prevention interest or a legitimate
business purpose pursuant to a law,
governmental rule, regulation, or
fiduciary duty; and
(2) Any Person to whom such
information is disclosed, whether or not
such Person is certified under this part,
who further discloses or uses such
information as described in paragraphs
(a)(1)(i) through (iv) of this section, shall
pay to the General Fund of the United
States Department of the Treasury a
penalty of $1,000 for each such
disclosure or use, and, if such Person is
certified, shall be subject to having such
Person’s certification revoked.
(b) Limitation on penalty. The total
amount of the penalty imposed under
this part on any Person for any calendar
year shall not exceed $250,000, unless
such Person’s disclosure or use is
determined to be willful or intentional.
For the purposes of this part, a
disclosure or use is willful when it is a
‘‘voluntary, intentional violation of a
known legal duty.’’
(c) Disclosure to a Certified Person.
No penalty shall be imposed under
paragraphs (a)(1)(i) through (iii) of this
section on a first Certified Person who
discloses, to a second Certified Person,
DMF information of any deceased
individual at any time during the three-calendar-year period beginning on the
date of the individual’s death, where the
sole basis for imposition of penalty on
such first Certified Person is that such
second Certified Person has been
determined to be subject to penalty
under this part.
■ 8. Revise § 1110.201 to read as
follows:
§ 1110.201 Audits.
Any Person certified under this part
shall, as a condition of certification,
agree to be subject to audit by NTIS, or,
at the request of NTIS, by an Accredited
Certification Body, to determine the
compliance by such Person with the
requirements of this part. NTIS may
conduct, or request that an Accredited
Certification Body conduct, periodic
scheduled and unscheduled audits of
the systems, facilities, and procedures of
any Certified Person relating to such
Certified Person’s access to, and use and
distribution of, the Limited Access
DMF. NTIS may conduct, or request that
an Accredited Certification Body
conduct, field audits (during regular
business hours) or desk audits of a
Certified Person. Failure of a Certified
Person to submit to or cooperate fully
with NTIS, or with an Accredited
Certification Body acting pursuant to
this section, in its conduct of an audit,
or to pay an audit fee to NTIS, will be
grounds for revocation of certification.
■ 9. Redesignate subpart D to part 1110
as subpart E, add a new subpart D, and
revise the newly redesignated subpart E
to read as follows:
Subpart D—Administrative Appeal
§ 1110.300 Appeal.
(a) General. Any Person adversely
affected or aggrieved by reason of NTIS
denying or revoking such Person’s
certification under this part, or
imposing upon such Person under this
part a penalty, may obtain review by
filing, within 30 days (or such longer
period as the Director of NTIS may, for
good cause shown in writing, fix in any
case) after receiving notice of such
denial, revocation or imposition, an
administrative appeal to the Director of
NTIS.
(b) Form of Appeal. An appeal shall
be submitted in writing to Director,
National Technical Information Service,
5301 Shawnee Road, Alexandria, VA
22312, ATTENTION DMF APPEAL, and
shall include the following:
(1) The name, street address, email
address and telephone number of the
Person seeking review;
(2) A copy of the notice of denial or
revocation of certification, or the
imposition of penalty, from which
appeal is taken;
(3) A statement of arguments, together
with any supporting facts or
information, concerning the basis upon
which the denial or revocation of
certification, or the imposition of
penalty, should be reversed;
(4) A request for hearing of oral
argument before the Director, if desired.
(c) Power of Attorney. A Person may,
but need not, retain an attorney to
represent such Person in an appeal. A
Person shall designate any such attorney
by submitting to the Director of NTIS a
written power of attorney.
(d) Hearing. If requested in the appeal,
a date will be set for hearing of oral
argument before a representative of the
Director of NTIS, by the Person or the
Person’s designated attorney, and a
representative of NTIS familiar with the
notice from which appeal has been
taken. Unless it shall be otherwise
ordered before the hearing begins, oral
argument will be limited to thirty
minutes for each side. A Person need
not retain an attorney or request an oral
hearing to secure full consideration of
the facts and the Person’s arguments.
(e) Decision. After a hearing on the
appeal, if a hearing was requested, the
Director of NTIS shall issue a decision
on the matter within 120 days, or, if no
hearing was requested, within 90 days
of receiving the appeal. The decision of
the Director of NTIS shall be made after
consideration of the arguments and
statements of fact and information in the
Person’s appeal, and the hearing of oral
argument if a hearing was requested, but
the Director of NTIS at his or her
discretion and with due respect for the
rights and convenience of the Person
and the agency, may call for further
statements on specific questions of fact
or may request additional evidence in
the form of affidavits on specific facts in
dispute. After the original decision is
issued, an appellant shall have 30 days
(or a date as may be set by the Director
of NTIS before the original period
expires) from the date of the decision to
request a reconsideration of the matter.
The Director’s decision becomes final 30
days after being issued, if no request for
reconsideration is filed, or on the date
of final disposition of a decision on a
petition for reconsideration.
Subpart E—Fees
§ 1110.400 Fees.
Fees sufficient to cover (but not to
exceed) all costs to NTIS associated
with evaluating Certification Forms and
auditing, inspecting, and monitoring
certified persons under the certification
program established under this part, as
well as appeals, will be published (as
periodically reevaluated and updated by
NTIS) and available at https://
dmf.ntis.gov. NTIS will not set fees for
attestations or audits by an Accredited
Certification Body.
■ 10. Add subpart F to read as follows:
Subpart F—Accredited Certification Bodies
Sec.
1110.500 Accredited certification bodies.
1110.501 Requirement for independence.
1110.502 Attestation by accredited certification body.
1110.503 Acceptance of accredited certification bodies.
§ 1110.500 Accredited certification bodies.
This subpart describes Accredited
Certification Bodies and their
accreditation for third party attestation
and auditing of the information
safeguarding requirement for
certification of Persons under this part.
NTIS will accept an attestation or audit
of a Person or Certified Person from an
Accredited Certification Body that is
independent of that Person or Certified
Person and that is itself accredited by a
recognized accreditation body.
§ 1110.501 Requirement for independence.
(a) An Accredited Certification Body
must be an independent third party
certification body that is not owned,
managed, or controlled by a Person or
Certified Person that is the subject of
attestation or audit by the Accredited
Certification Body.
(1) A Person or Certified Person is
considered to own, manage, or control
a third party certification body if any
one of the following characteristics
applies:
(i) The Person or Certified Person
holds a 10 percent or greater ownership
interest, whether direct or indirect, in
the third party certification body.
Indirect ownership interest is calculated
by successive multiplication of the
ownership percentages for each link in
the ownership chain;
(ii) The third party certification body
and the Person or Certified Person are
owned by a common ‘‘parent’’ entity;
(iii) The Person or Certified Person
has the ability to appoint a majority of
the third party certification body’s
senior internal governing body (such as,
but not limited to, a board of directors),
the ability to appoint the presiding
official (such as, but not limited to, the
chair or president) of the third party
certification body’s senior internal
governing body, and/or the ability to
hire, dismiss, or set the compensation
level for third party certification body
personnel; or
(iv) The third party certification body
is under a contract to the Person or
Certified Person that explicitly limits
the services the third party certification
body may perform for other customers
and/or explicitly limits which or how
many other entities may also be
customers of the third party certification
body.
§ 1110.502 Attestation by accredited certification body.
(a) In any attestation or audit of a
Person or Certified Person that will be
submitted to NTIS under this part, an
Accredited Certification Body must
attest that it is independent of that
Person or Certified Person. The
Accredited Certification Body also must
attest that it has read, understood, and
agrees to the regulations in this part.
The Accredited Certification Body must
also attest that it is accredited to a
nationally or internationally recognized
standard such as ISO/IEC 27006:2011 ‘‘Information technology—
Security techniques—Requirements for
bodies providing audit and certification
of information security management
systems,’’ or any other similar
recognized standard for bodies
providing audit and certification of
information security management
systems. The Accredited Certification
Body must also attest that the scope of
its accreditation encompasses the
safeguarding and security requirements
as set forth in this part.
(b) Where a Person seeks certification,
or where a Certified Person seeks
renewal of certification or is audited
under this part, an Accredited
Certification Body may provide written
attestation that such Person or Certified
Person has systems, facilities, and
procedures in place as required under
§ 1110.102(a)(2). In so attesting, an
Accredited Certification Body may
reference ‘‘Limited Access Death Master
File (LADMF) Certification Program
Publication 100,’’ guidelines published
by NTIS and available at https://
dmf.ntis.gov. Such attestation must be
based on the Accredited Certification
Body’s review or assessment conducted
no more than three years prior to the
date of submission of the Person’s or
Certified Person’s completed
certification statement, and, if an audit
of a Certified Person by an Accredited
Certification Body is required by NTIS,
no more than three years prior to the
date upon which NTIS notifies the
Certified Person of NTIS’s requirement
for audit, but such review or assessment
or audit need not have been conducted
specifically or solely for the purpose of
submission under this part.
(c) Where review or assessment or
audit by an Accredited Certification
Body was not conducted specifically or
solely for the purpose of submission
under this part, the written attestation
or assessment report (if an audit) shall
describe the nature of that review or
assessment or audit, and the Accredited
Certification Body shall attest that on
the basis of such review or assessment
or audit, the Person or Certified Person
has systems, facilities, and procedures
in place as required under
§ 1110.102(a)(2). In so attesting, an
Accredited Certification Body may
reference ‘‘Limited Access Death Master
File (LADMF) Certification Program
Publication 100,’’ guidelines published
by NTIS and available at https://
dmf.ntis.gov.
(d) Notwithstanding paragraphs (a)
through (c) of this section, NTIS may, in
its sole discretion, require that review or
assessment or audit by an Accredited
Certification Body be conducted
specifically or solely for the purpose of
submission under this part.
§ 1110.503 Acceptance of accredited certification bodies.
(a) NTIS will accept written
attestations and assessment reports from
an Accredited Certification Body that
attests, to the satisfaction of NTIS, as
provided in § 1110.502.
(b) NTIS may decline to accept
written attestations or assessment
reports from an Accredited Certification
Body, whether or not it has attested as
provided in § 1110.502, for any of the
following reasons:
(1) When it is in the public interest
under Section 203 of the Bipartisan
Budget Act of 2013, and
notwithstanding any other provision of
this part;
(2) Submission of false or misleading
information concerning a material
fact(s) in an Accredited Certification
Body’s attestation under § 1110.502;
(3) Knowing submission of false or
misleading information concerning a
material fact(s) in an attestation or
assessment report by an Accredited
Certification Body of a Person or
Certified Person;
(4) Failure of an Accredited
Certification Body to cooperate in
response to a request from NTIS to verify
the accuracy, veracity, and/or
completeness of information received in
connection with an attestation under
§ 1110.502 or an attestation or
assessment report by that Body of a
Person or Certified Person. An
Accredited Certification Body ‘‘fails to
cooperate’’ when it does not respond to
NTIS inquiries or requests, or it
responds in a manner that is
unresponsive, evasive, deceptive, or
substantially incomplete; or
(5) Where NTIS is unable for any
reason to verify the accuracy of the
Accredited Certification Body’s
attestation.
[FR Doc. 2014–30199 Filed 12–29–14; 8:45 am]
BILLING CODE 3510–04–P
Agencies
[Federal Register Volume 79, Number 249 (Tuesday, December 30, 2014)]
[Proposed Rules]
[Pages 78314-78324]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: 2014-30199]
========================================================================
Proposed Rules
Federal Register
________________________________________________________________________
This section of the FEDERAL REGISTER contains notices to the public of
the proposed issuance of rules and regulations. The purpose of these
notices is to give interested persons an opportunity to participate in
the rule making prior to the adoption of the final rules.
========================================================================
Federal Register / Vol. 79, No. 249 / Tuesday, December 30, 2014 /
Proposed Rules
[[Page 78314]]
DEPARTMENT OF COMMERCE
National Technical Information Service
15 CFR Part 1110
[Docket Number: 141219001-4999-02]
RIN 0692-AA21
Certification Program for Access to the Death Master File
AGENCY: National Technical Information Service, U.S. Department of
Commerce.
ACTION: Notice of proposed rulemaking; request for comments.
-----------------------------------------------------------------------
SUMMARY: The National Technical Information Service (NTIS) issues a
proposed rule that would, if implemented, establish a program pursuant
to Section 203 of the Bipartisan Budget Act of 2013 (Act) through which
persons may become ``certified'' and thereby be eligible to obtain
access to Death Master File (DMF) information about an individual
within three years of that individual's death (``Limited Access DMF,''
as defined in the proposed rule). The rule is established to provide
immediate access to the DMF to those users who demonstrate a legitimate
fraud prevention interest or a legitimate business purpose for the
information, and to otherwise delay the release of the DMF to all other
users, thereby reducing opportunities for identity theft and
restricting information sources used to file fraudulent tax returns.
This rule sets forth requirements to become a certified person,
establishes a process for third party attestation and auditing of the
information safeguarding requirement for certification, provides that
certified persons will be subject to periodic scheduled and unscheduled
audits, and sets out penalties for persons who disclose or use DMF
information in a manner not in accordance with the Act. This rule would
also establish the process for appealing denials or revocations of
certification, the imposition penalties, and a fee program.
DATES: Comments are due on this proposed rule on January 29, 2015.
ADDRESSES: Written comments on this proposed rule must be submitted via
https://www.regulations.gov. Comments sent by any other method, to any
other address or individual, or received after the end of the comment
period, may not be considered. All comments received are a part of the
public record and will generally be posted for public viewing on
www.regulations.gov without change. However, comments that contain
profanity, vulgarity, threats, or other inappropriate language will not
be posted. All personal identifying information (e.g., name, address)
submitted voluntarily by the sender will be publicly accessible. Do not
submit confidential business information, or otherwise sensitive or
protected information. Attachments to electronic comments will be
accepted in Microsoft Word or Excel, WordPerfect, or Adobe PDF formats
only.
FOR FURTHER INFORMATION CONTACT: Henry Wixon, Chief Counsel for NIST,
at henry.wixon@nist.gov, or by telephone at 301-975-2803. Information
about the DMF made available to the public by NTIS may be found at
https://dmf.ntis.gov.
SUPPLEMENTARY INFORMATION:
Background
On December 26, 2013, the Bipartisan Budget Act of 2013, Pub. L.
113-67, (the Act) became law. Section 203 of the Act prohibits the
Secretary of Commerce (Secretary) from disclosing DMF information
during the three-calendar-year period following an individual's death
(the ``Limited Access DMF''), unless the person requesting the
information has been certified to receive that information under a
program established by the Secretary. The Act further requires the
Secretary to establish a fee-based certification program that will
certify these persons. It also provides for penalties for those who
receive or distribute DMF information without being certified. Finally,
the Act sets March 26, 2014, as the date after which any party seeking
access to the Limited Access DMF must be certified in order to access
Limited Access DMF. The Secretary has delegated the authority to carry
out Section 203 to the Director of NTIS.
On March 3, 2014, NTIS published a Request for Information (RFI)
and Advance Notice of Public Meeting on the Certification Program for
Access to the Death Master File (RFI) at 79 FR 11735, available at
https://www.gpo.gov/fdsys/pkg/FR-2014-03-03/pdf/2014-04584.pdf. The
public meeting was held March 4, 2014, from 9:00 a.m. to 12:00 p.m.
Eastern time at the United States Patent and Trademark Office, Madison
Building West, 600 Dulany Street, Alexandria, VA 22314. The public
meeting was also webcast. Written comments received in response to the
RFI, and a transcription of oral comments made and comments submitted
via webcast at the public meeting, may be viewed at https://dmf.ntis.gov.
On March 26, 2014, NTIS published an interim final rule,
``Temporary Certification Program for Access to the Death Master
File,'' at 79 FR 16668, available at https://www.gpo.gov/fdsys/pkg/FR-2014-03-26/pdf/2014-06701.pdf (the Interim Final Rule). That rule
codified an interim approach to implementing the Act's provisions
pertaining to the certification program and the penalties for violating
the Act, and set out an interim fee schedule for the program. NTIS
published the Interim Final Rule in order to provide a mechanism for
persons to access the DMF immediately on the effective date prescribed
in Section 203 of the Act. Written comments received in response to the
Interim Final Rule may be viewed at https://www.regulations.gov.
The preambles for both the RFI and the Interim Final Rule set out
the specific provisions of the Act, and also noted that several Members
of Congress described their understanding of the purpose and meaning of
Section 203 during Congressional debate on the Joint Resolution which
became the Act. Citations to those Member statements were provided in
the RFI, which also provided background on the component of the DMF
covered by Section 203, which originates from the Social Security
Administration. The Interim Rule was established to provide immediate
access to the DMF to those users who demonstrate a legitimate fraud
prevention interest or a legitimate business purpose for the
information, and to otherwise delay the release of the DMF to all other
users, thereby reducing opportunities for identity theft and
restricting information sources used to file fraudulent tax returns.
[[Page 78315]]
This rule, if adopted, would replace the regulatory structure put
into place by the Interim Final Rule. It describes who may become a
``Certified Person'' under the Act, creates a process by which NTIS can
certify such persons, establishes a process for third party attestation
and auditing of the information safeguarding requirement for
certification, establishes a fee program, establishes penalties for
disseminating or receiving DMF information in violation of the Act, and
creates a process to appeal some penalties. However, until this rule
becomes final and effective, the Temporary Certification Program
established under the Interim Final Rule shall remain in force and
effect.
The Proposed Rule
This proposed rule would amend subparts and add a new subpart E to
the DMF Certification Program in part 1110 of title 15 of the Code of
Federal Regulations. The following describes specific provisions being
amended.
Under Section 1110.2, ``Definitions,'' NTIS proposes to revise the
definition of ``Person'' to recite ``state and local government
departments and agencies,'' so that ``Person'' will be defined as
including ``corporations, companies, associations, firms, partnerships,
societies, joint stock companies, and other private organizations, and
state and local government departments and agencies, as well as
individuals.'' However, Executive departments or agencies of the United
States Government would not be considered ``Persons'' for the purposes
of this rule. Accordingly, Executive departments or agencies will not
have to complete the Certification Form as set forth in the rule, and
will be able to access Limited Access DMF under a subscription or
license agreement with NTIS, describing the purpose(s) for which
Limited Access DMF is collected, used, maintained and shared. Those
working on behalf of and authorized by Executive departments or
agencies may access the Limited Access DMF from their sponsoring
Executive department or agency, which will be responsible for ensuring
that such access is solely for the authorized purposes described by the
agency. Unauthorized secondary use of Limited Access DMF by Executive
departments or agencies or those working for them or on their behalf is
prohibited. If an Executive department or agency wishes those working
on its behalf to access the Limited Access DMF directly from NTIS, then
those working on behalf of that Executive department or agency will be
required to complete and submit the Certification Form as set forth in
the rule and enter into a subscription agreement with NTIS in order to
access the Limited Access DMF. Under this proposed rule, a Certified
Person will be eligible to access the Limited Access DMF made available
by NTIS through subscription or license.
NTIS proposes to revise the definition of ``Limited Access DMF'' by
adding a sentence that clarifies that an individual element of
information (name, social security number, date of birth, or date of
death) in the possession of a Person, whether or not certified, but
obtained by such Person through a source independent of the Limited
Access DMF, will not be considered ``DMF information'' for the purposes
of the rule, and requests comment on the proposed definition. The
additional sentence is as follows:
As used in this part, Limited Access DMF does not include an
individual element of information (name, social security number,
date of birth, or date of death) in the possession of a Person,
whether or not certified, but obtained by such Person through a
source independent of the Limited Access DMF. If a Certified Person
obtains, or a third party subsequently provides to a Certified
Person, death information (i.e., the name, social security account
number, date of birth, or date of death) independently, the
information is not considered part of the Limited Access DMF if the
NTIS source information is replaced with the newly provided
information.
NTIS believes this revision of the definition of Death Master File
adds clarity to what is and is not Limited Access DMF, and requests
comment on the proposed definition.
Under Section 1110.102(a)(1) of the interim final rule, to become
certified, a Person must certify that the Person has a ``legitimate
fraud prevention interest,'' or has a ``legitimate business purpose
pursuant to a law, governmental rule, regulation, or fiduciary duty,''
and must specify the basis for so certifying. NTIS is not proposing to
change this requirement here. However, the Temporary Certification
Program established under the Interim Final Rule did not provide for
review, assessment or audit of the systems, facilities, and procedures
of a Person with attestation by an independent, third party conformity
assessment body, as NTIS is now proposing in this rule, and as
discussed at length below. Given this proposed rule's emphasis on
security and safeguarding of Limited Access DMF, the proposed rule's
provision for procedures and processes addressing the proper
safeguarding of Limited Access DMF, and the proposed rule's provision
for review, assessment, audit and attestation of a Person's information
and information security controls by independent, third party
conformity assessment bodies, NTIS requests comments on the specificity
with which a Person should be required to provide as the basis for
certifying its fraud prevention interest or business purpose under the
proposed rule.
NTIS acknowledges that some entities may seek to provide NTIS with
supplemental or supporting information over and above what may be
required along with the attestation, to augment or support their
request for certification for access to Limited Access DMF. If
submitted, NTIS will evaluate such materials and may accept or reject
that information when determining whether to certify a person. To
assist NTIS in determining how to evaluate such materials, NTIS also
requests comments on what types of materials NTIS should accept in
support of a certification that a party has a legitimate business
purpose or legitimate fraud prevention interest.
This rule would add a requirement that, in order to become
certified, a Person must submit a written attestation from an
Accredited Certification Body (as defined below) that such Person has
information security systems, facilities, and procedures in place to
protect the security of the DMF information, as required under Section
1110.102(a)(2) of the rule. Such a requirement was not made under the
Interim Final Rule. In considering how to establish a permanent
certification program as required under Section 203, NTIS carefully
considered developing, within the agency, the capacity to evaluate the
information systems, facilities and procedures of Persons to safeguard
DMF information, as well as to conduct audits of Certified Persons.
NTIS has consulted with the National Institute of Standards and
Technology (NIST), which has expertise in testing, standard setting,
and certification of various systems. Based on NIST recommendations,
NTIS believes it appropriate for private sector, third party,
Accredited Certification Bodies to attest to a Person's information
security safeguards under Section 1110.102(a)(2) of the rule, and for
NTIS to rely upon such attestation in certifying a Person under the
proposed rule. NTIS also believes it appropriate for Accredited
Certification Bodies to conduct periodic scheduled and unscheduled
audits of Certified Persons on behalf of NTIS. NTIS requests comments
on the proposal to accept attestations by private sector, third party,
Accredited Certification Bodies under the rule.
Under this rule, an ``Accredited Certification Body'' is an
independent
[[Page 78316]]
third party conformity assessment body that is not owned, managed, or
controlled by a Person or Certified Person which is the subject of
attestation or audit, and that is accredited, by an accreditation body
under nationally or internationally recognized criteria such as, but
not limited to, the International Organization for Standardization
(ISO) and the International Electrotechnical Commission (IEC)
publication ISO/IEC 27006-2011, ``Information technology--Security
techniques--Requirements for bodies providing audit and certification
of information security management systems,'' to attest that a Person
or Certified Person has information technology systems, facilities and
procedures in place to safeguard DMF information. Based on NIST
recommendations, NTIS believes it is appropriate to use ISO/IEC
27006-2011 as a baseline for accreditation under the proposed
certification program. The ISO Committee on conformity assessment
(CASCO) prepared ISO/IEC 27006-2011, and NTIS believes the use of the
ISO/IEC standard will help ensure that attestations and audits under
the proposed certification program operate in a manner consistent with
national and international practices. Accreditation is a third-party
attestation that a conformity assessment body operates in accordance
with national and international standards. Accreditation is used
nationally and internationally in many sectors where there is a need,
through certification, that safety, health or security requirements are
met by products or services. Accreditation ensures that a conformity
assessment body is technically competent in the subject matter (in this
case, the information safeguarding and security requirements as set
forth in the rule) and has a management system in place to ensure
competency and acceptable certification program operations on a
continuing basis. Accreditation requires that Accredited Certification
Bodies be re-accredited on a periodic basis.
However, NTIS is also aware that standards other than ISO/IEC
27006-2011 exist that may be equally appropriate for the purposes of
accreditation under the Act, and that additional standards may be
developed in the future. At this time, NTIS proposes that an Accredited
Certification Body may attest, subject to the conditions of
verification in proposed section 1110.503 of this rule, that it is
accredited to a nationally or internationally recognized standard for
bodies providing audit and certification of information security
management systems other than ISO/IEC Standard 27006-2011. In addition,
NTIS proposes that an Accredited Certification Body must also attest
that the scope of its accreditation encompasses the information
safeguarding and security requirements as set forth in the rule. NTIS
requests comments on these proposals.
NTIS is aware that security and safeguarding of information and
information systems is of great concern in many fields of endeavor
other than with respect to DMF information. NTIS has consulted with
subject matter experts from NIST, which in 2014 published the
``Framework for Improving Critical Infrastructure Cybersecurity''
(Framework), in response to President Obama's Executive Order 13636,
``Improving Critical Infrastructure Cybersecurity,'' which established
that ``[i]t is the Policy of the United States to enhance the security
and resilience of the Nation's critical infrastructure and to maintain
a cyber environment that encourages efficiency, innovation, and
economic prosperity while promoting safety, security, business
confidentiality, privacy, and civil liberties.'' In articulating this
policy, the Executive Order calls for the development of a voluntary
risk-based Cybersecurity Framework--a set of industry standards and
best practices to help organizations manage cybersecurity risks. The
resulting Framework, created by NIST through collaboration between
government and the private sector, uses a common language to address
and manage cybersecurity risks in a cost-effective way based on
business needs without placing additional regulatory requirements on
businesses. The Framework enables organizations--regardless of size,
degree of cybersecurity risk, or cybersecurity sophistication--to apply
the principles and best practices of risk management to improving the
security and resilience of critical infrastructure. The Framework
provides organization and structure to today's multiple approaches to
cybersecurity by assembling standards, guidelines, and practices that
are working effectively in industry today. Accordingly, in addressing
the requirements of Section 203 for ``systems, facilities, and
procedures'' to safeguard DMF information, NTIS contemplates that
Persons, as well as Accredited Certification Bodies, may look to the
Framework and to the Framework's Informative References. The Framework
is referenced by NTIS in its security guideline document, ``Limited
Access Death Master File (LADMF) Certification Program Publication
100,'' which is similar to the Internal Revenue Service (IRS)
Publication 1075, ``Tax Information Security Guidelines for Federal,
State and Local Agencies,'' available at https://www.irs.gov/pub/irs-pdf/p1075.pdf, and IRS Publication 4812, ``Contractor Security
Controls,'' available at https://www.irs.gov/pub/irs-procure/Publication-4812_Contractor_Security-Controls.pdf. As set forth in
the security guideline document as well as in the Framework's
Informative References, a number of different approaches exist to
safeguarding information. These include ISO/IEC, Control Objectives for
Information and Related Technology (COBIT), International Society of
Automation (ISA), and NIST's 800 series publications. Others include
the Service Organization Controls (SOC) of the American Institute of
CPAs (AICPA). NTIS intends that by following its security guideline
document, Persons and Certified Persons will satisfy the requirements
of the rule. NTIS requests comments on other relevant approaches that
may exist and be suitable for the purposes of the rule.
NTIS is aware that security and safeguarding assessments such as
those contemplated under this proposed rule are routinely carried out
in the private sector, including by entities which may satisfy the
requirements for Accredited Certification Bodies under the rule.
Provided that such a routine assessment or audit of a Person would
permit an Accredited Certification Body to attest that such Person has
systems, facilities, and procedures in place to safeguard DMF
information as required under Section 1110.102(a)(2) of the rule,
albeit carried out for a purpose other than certification under the
rule, NTIS proposes to accept an attestation in support of a Person's
certification with respect to the requirements under Section
1110.102(a)(2) of the rule, as well as in support of the renewal of a
Certified Person's certification. NTIS proposes that any attestation,
whether for a Person seeking certification or for a Certified Person
seeking renewal, must be based on the Accredited Certification Body's
review or assessment conducted no more than three years prior to the
date of submission of the Person's completed certification statement or
of the Certified Person's completed renewal certification statement. As
noted, an Accredited Certification Body's review or assessment need not
have been conducted specifically or
solely for the purpose of submission of an attestation under the
proposed rule, provided the review or assessment addresses the controls
set forth in the ``Limited Access Death Master File (LADMF)
Certification Program Publication 100.'' From NTIS's consultations with
NIST subject matter experts, NTIS believes that the limitation of three
years is appropriate as to frequency for assessments for the security
and safeguarding of information and information systems, and that
permitting Persons and Certified Persons to rely on attestations based
on such assessments conducted for purposes other than solely for the
rule is reasonable and cost-effective. NTIS requests comment on this
aspect of the proposed rule.
NTIS proposes to amend Section 1110.102(a)(2) and (3) to clarify
that to be certified to obtain access to the Limited Access DMF, a
Person must certify both that the Person ``has systems, facilities, and
procedures in place to safeguard the accessed information, and
experience in maintaining the confidentiality, security, and
appropriate use of accessed information, pursuant to requirements
similar to the requirements of section 6103(p)(4) of the Internal
Revenue Code of 1986,'' and that the Person ``agrees to satisfy such
similar requirements.'' This standard differs somewhat from the
requirement of Section 203 of the Act, because that Section contains
contradictory statements about the types of systems to safeguard
information that a Certified Person must have in place. In Section
203(b)(2)(B), the Act states that in order to receive Limited Access
DMF, a Person must agree to comply with requirements ``similar to''
section 6103(p)(4) of the Internal Revenue Code (IRC). Section
6103(p)(4) of the IRC is directed to Federal government agencies, and
as such the ``similar to'' statement makes sense for non-government
actors which are the subject of the Act. However, Section 203(b)(2)(C)
also requires a Certified Person to ``satisfy the requirements of such
section 6103(p)(4) as if such section applied to such person''
(emphasis added). It is unclear how or why a Certified Person could or
should satisfy an information integrity requirement ``similar to''
section 6103(p)(4) of the IRC while also satisfying section 6103(p)(4)
of the IRC. To resolve this ambiguity, NTIS interprets Section 203(b)
of the Act as requiring Persons to certify that they have systems,
facilities, and procedures in place that are ``similar to'' those
required by section 6103(p)(4) of the IRC in order to become Certified
Persons. NTIS requests comments on this interpretation, which NTIS
believes will allow NTIS to meet the interest of protecting personal
data generally and deterring fraud, while also allowing NTIS to set the
data integrity standards appropriate to safeguard DMF information
specifically. NTIS has developed a security guideline document,
``Limited Access Death Master File (LADMF) Certification Program
Publication 100,'' similar to the Internal Revenue Service (IRS)
Publication 1075, ``Tax Information Security Guidelines for Federal,
State and Local Agencies,'' available at https://www.irs.gov/pub/irs-pdf/p1075.pdf, as well as IRS Publication 4812, ``Contractor Security
Controls,'' available at https://www.irs.gov/pub/irs-procure/Publication-4812_Contractor_Security-Controls.pdf, and drawing on the
National Institute of Standards and Technology ``Framework for
Improving Critical Infrastructure Cybersecurity,'' and informative
references cited therein, available at https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf, that sets out
safeguard approaches adapted to the provisions of Section 203 of the
Act. NTIS will invite the public to comment on and to contribute to
this guidance document on a continuing basis. NTIS contemplates that
conforming to the proposed NTIS security guideline document will permit
Persons and Certified Persons to satisfy the Act. A draft of the
proposed NTIS security guideline document is available for review at
https://dmf.ntis.gov.
NTIS believes that adherence to the information security controls
and practices described in the LADMF Certification Program Publication
100 will help protect LADMF information that resides on Certified
Persons' information technology systems. Combined with the strict
liability for misusing the LADMF information set out in Section 203(c) of
the Act, and in section 1110.102 of this proposed rule, LADMF
Certification Program Publication 100 describes safeguards for
minimizing occurrences of improper access to, and misuse of, LADMF
data. Specifically, LADMF Certification Program Publication 100
establishes the guidelines and practices that Certified Persons are to
apply to their information security programs to protect LADMF
information in their possession. Failure to adhere to these guidelines
and practices increases the likelihood of unauthorized access to, and
misuse of, LADMF data, including fraudulent misuse. Accordingly, the
information security measures required by this rule and adherence to
the guidelines and practices described in LADMF Certification Program
Publication 100 require Certified Persons to maintain adequate security
controls for LADMF information.
Persons previously certified under the Interim Final Rule will need
to become certified in accordance with the requirements of the proposed
rule, when it becomes final and effective. Certification under this
rule will include an updated certification form, discussed below under
the heading, ``Description of the Projected Reporting, Recordkeeping,
and Other Compliance Requirements of the Proposed Rule,'' collecting
additional information that will improve NTIS's ability to determine
whether a Person meets, to the satisfaction of NTIS, the requirements
of Section 203 of the Act.
Under Section 1110.103 of the proposed rule, a Certified Person may
disclose Limited Access DMF to another Certified Person, and will be
deemed to satisfy the disclosing Certified Person's obligation to
ensure compliance with proposed Section 1110.102(a)(4)(i)-(iii) for the
purposes of certification. Similarly, under Section 1110.200(c), NTIS
will not impose a penalty, under Section 1110.200(a)(1)(i)-(iii) of the
proposed rule, on a first Certified Person who discloses Limited Access
DMF to a second Certified Person, where the first Certified Person's
liability rests solely on the fact that the second Certified Person has
been determined to be subject to penalty. While the proposed rule does
not restrict disclosure of Limited Access DMF to Certified Persons,
NTIS believes that these provisions create an appropriately limited
``safe harbor'' for Certified Persons to disclose Limited Access DMF to
other Certified Persons. However, note that any Person that receives
Limited Access DMF from a Certified Person is still subject to penalty
under Section 1110.200(a)(1)-(4), for violations of the Act. The safe
harbor provision applies to each disclosure individually, and only the
Certified Person disclosing the information, not the recipient,
receives the benefit of the presumed compliance with Section
1110.102(a)(4)(i)-(iii). NTIS requests comment on this provision of the
proposed rule, including on whether or not the ``safe harbor'' should
also apply when a first Certified Person discloses Limited Access DMF
to a second Person, believed to be a Certified Person, but who is not,
in fact, certified under the proposed rule.
Under Section 1110.201 of the proposed rule, NTIS may conduct, or
may request an Accredited Certification Body conduct, at the Certified
Person's expense, periodic scheduled and unscheduled audits of the
systems, facilities, and procedures of any Certified Person relating to
such Certified Person's access to, and use and distribution of, the
Limited Access DMF. NTIS contemplates that many, if not most, audits of
Certified Persons will be scheduled, but NTIS may also conduct, or
request an Accredited Certification Body conduct, unscheduled audits--
for example, where a prior scheduled audit may have identified the need
for adjustment to a Certified Person's systems, facilities, or
procedures. Audits conducted by NTIS or by an Accredited Certification
Body may take place at a Certified Person's place of business (i.e.,
field audits), or may be conducted remotely (i.e., desk audits). As
discussed above, NTIS is proposing that all Certified Persons be
audited with respect to the requirements of Section 1110.102(a)(2) no
less frequently than every three years under the program, and that this
requirement may be satisfied by a Certified Person based on an audit or
assessment conducted for a purpose other than solely for the rule. NTIS
is not proposing routine scheduled audits on the attestation regarding
Section 1110.102(a)(1), though unscheduled audits of this and other
aspects of the requirements for certification may be conducted in
NTIS's discretion. NTIS requests comment on these aspects of the
proposed rule. NTIS' costs for conducting audits will be recoverable
from the audited Person. Failure to submit to audit, to cooperate fully
with NTIS in its conduct of an audit, or to pay an audit fee owed to
NTIS, will be grounds for revocation of certification. NTIS intends
that a Person or Certified Person will be directly responsible to an
Accredited Certification Body for any charges by that Accredited
Certification Body related to requirements under this proposed rule, as
it would be responsible for NTIS' auditing costs under the Act, and
requests comments.
Section 1110.200 of the proposed rule sets out the penalties for
unauthorized disclosures or uses of the Limited Access DMF. Each
individual unauthorized disclosure is punishable by a fine of $1,000,
payable to the United States Treasury. However, the total amount of the
penalty imposed under this part on any Person for any calendar year
shall not exceed $250,000, unless such Person's disclosure or use is
determined to be willful or intentional. A disclosure or use is
considered willful when it is a ``voluntary, intentional violation of a
known legal duty.'' See, U.S. v. Pomponio, 429 US 10 (1976) (holding
that for purposes of interpreting the criminal tax provisions of the
Internal Revenue Code, the term ``willful'' means a voluntary,
intentional violation of a known legal duty).
The proposed rule's Section 1110.300 establishes the procedures to
appeal a denial or revocation of certification, or of penalties for
violating the Act. An administrative appeal must be filed, in writing,
within 30 days (or such longer period as the Director of NTIS may, for
good cause shown in writing, establish in any case) after receiving a
notice of denial, revocation or imposition of penalties. Appeals should
be directed to the Director of NTIS. Any such appeal must set forth the
following: The name, street address, email address and telephone number
of the Person seeking review; a copy of the notice of denial or
revocation of certification, or the imposition of penalty, from which
appeal is taken; a statement of arguments, together with any supporting
facts or information, concerning the basis upon which the denial or
revocation of certification, or the imposition of penalty, should be
reversed; and a request for hearing of oral argument before a
representative of the Director, if desired.
Section 1110.300(a)-(d) proposes the procedures for an
administrative appeal. Under section 1110.300(c), a Person may, but
need not, retain an attorney to represent such Person in an appeal.
Those with attorneys shall designate such attorney by submitting to the
Director of NTIS a written power of attorney. If a hearing is
requested, the Person (or the Person's designated attorney) and a
representative of NTIS familiar with the notice from which appeal has
been taken will present oral arguments which, unless otherwise ordered
before the hearing begins, will be limited to thirty minutes for each
side. A Person need not retain an attorney or request an oral hearing
to secure full consideration of the facts and the Person's arguments.
Where no hearing is requested, the Director shall review the case and
issue a decision as set out below.
Under Section 1110.300(e), the Director of NTIS shall issue a
decision on the matter within 120 days after a hearing, or, if no
hearing was requested, within 90 days of receiving the letter of
appeal. In making decisions on appeal, the Director shall consider the
arguments and statements of fact and information in the Person's
appeal, and made at the oral argument hearing, if such was requested,
but the Director at his or her discretion and with due respect for the
rights and convenience of the Person and the agency, may call for
further statements on specific questions of fact or may request
additional evidence in the form of affidavits on specific facts in
dispute. An appellant may seek reconsideration of the decision, but
must do so in writing, and the request for reconsideration must be
received within 30 days of the Director's decision or within such an
extension of time thereof as may be set by the Director of NTIS before
the original period expires. A decision shall become final either after
the 30-day period for requesting reconsideration expires and no request
has been submitted, or on the date of final disposition of a decision
on a petition for reconsideration.
As discussed above, for certification of a Person under the rule,
as well as renewal of a Certified Person's certification, NTIS proposes
requiring submission of a third party attestation as to the information
safeguarding requirement. Third party attestation is accordingly a key
element of the certification program under the rule. In view of this,
the rule provides that an Accredited Certification Body must be
independent of the Person or Certified Person, and must itself be
accredited by a recognized accreditation body. The requirement for
independence from the Person seeking certification, or from the
Certified Person seeking renewal or subject to audit, is important to
ensure integrity of any assessment and attestation. NTIS requests
comment on this requirement.
NTIS proposes that an Accredited Certification Body must be an
independent third party certification body that is not owned, managed,
or controlled by a Person or Certified Person that is the subject of
attestation or audit by the Accredited Certification Body. Under the
rule, a Person or Certified Person is considered to own, manage, or
control a third party certification body if any one of the following
characteristics applies:
(1) The Person or Certified Person holds a 10 percent or greater
ownership interest, whether direct or indirect, in the third party
certification body. Indirect ownership interest is calculated by
successive multiplication of the ownership percentages for each link in
the ownership chain;
(2) The third party certification body and the Person or Certified
Person are owned by a common ``parent'' entity;
(3) The Person or Certified Person has the ability to appoint a
majority of the third party certification body's senior internal
governing body (such as, but
not limited to, a board of directors), the ability to appoint the
presiding official (such as, but not limited to, the chair or
president) of the third party certification body's senior internal
governing body, and/or the ability to hire, dismiss, or set the
compensation level for third party certification body personnel; or
(4) The third party certification body is under a contract to the
Person or Certified Person that explicitly limits the services the
third party certification body may perform for other customers and/or
explicitly limits which or how many other entities may also be
customers of the third party certification body.
In order for NTIS to accept an attestation as to, or audit of, a
Person or Certified Person submitted to NTIS under the rule, the
Accredited Certification Body must attest that it is independent of
that Person or Certified Person. The Accredited Certification Body also
must attest that it has read, understood, and agrees to the regulations
as set forth in the rule. The Accredited Certification Body must also
attest that it is accredited to ISO/IEC Standard 27006-2011
``Information technology--Security techniques--Requirements for bodies
providing audit and certification of information security management
systems,'' or to another nationally or internationally recognized
standard for bodies providing audit and certification of information
security management systems. The Accredited Certification Body must
also attest that the scope of its accreditation encompasses the
safeguarding and security requirements as set forth in the rule. NTIS
requests comments on these aspects of the proposed rule.
Where review or assessment or audit by an Accredited Certification
Body was not conducted specifically or solely for the purpose of
submission under this part, the rule requires that the written
attestation or assessment report (if an audit) describe the nature of
that review or assessment or audit, and that the Accredited
Certification Body attest that on the basis of such review or
assessment or audit, the Person or Certified Person has systems,
facilities, and procedures in place to safeguard DMF information as
required under Section 1110.102(a)(2) of this part. The rule provides
that in so attesting, an Accredited Certification Body may reference
``Limited Access Death Master File (LADMF) Certification Program
Publication 100,'' guidelines published by NTIS and available at
https://dmf.ntis.gov.
While NTIS will normally accept written attestations and assessment
reports from an Accredited Certification Body that attests, to the
satisfaction of NTIS, as provided in Section 1110.502 of the rule, the
rule also provides that NTIS may decline to accept written attestations
or assessment reports from an Accredited Certification Body, whether or
not it has attested as provided in Section 1110.502, for any of the
following reasons:
(1) When it is in the public interest under Section 203 of the
Bipartisan Budget Act of 2013, and notwithstanding any other provision
of this part;
(2) Submission of false or misleading information concerning a
material fact(s) in an Accredited Certification Body's attestation
under Section 1110.502;
(3) Knowing submission of false or misleading information
concerning a material fact(s) in an attestation or assessment report by
an Accredited Certification Body of a Person or Certified Person;
(4) Failure of an Accredited Certification Body to cooperate in
response to a request from NTIS to verify the accuracy, veracity, and/or
completeness of information received in connection with an attestation
under Section 1110.502 or an attestation or assessment report by that
Body of a Person or Certified Person. An Accredited Certification Body
``fails to cooperate'' when it does not respond to NTIS inquiries or
requests, or it responds in a manner that is unresponsive, evasive,
deceptive, or substantially incomplete; or
(5) Where NTIS is unable for any reason to verify the accuracy of
the Accredited Certification Body's attestation.
In addition, with respect to audits under the proposed rule, NTIS
may in its discretion decline to accept an attestation or assessment
report conducted for other purposes, and may conduct or require that an
Accredited Certification Body conduct a review solely for the purpose
of the rule, and requests comments on this proposal.
Classification
Executive Order 12630
This rule does not effect a taking of private property or otherwise
have taking implications under Executive Order 12630, Governmental
Actions and Interference with Constitutionally Protected Property
Rights.
Executive Order 12866
This proposed rule has been determined to be significant under
Executive Order 12866.
Executive Order 12898
NTIS evaluated the environmental effects of this proposed rule in
accordance with Executive Order 12898 and determined that there are no
environmental justice issues associated with its provisions and no
collective environmental impact resulting from its promulgation.
Executive Order 13132
A rule has implications for federalism under Executive Order 13132,
Federalism, if it has a substantial direct effect on State or local
governments and would either preempt State law or impose a substantial
direct cost of compliance on States or localities. NTIS has analyzed
this proposed rule under that Order and has determined that it does not
have implications for federalism.
Initial Regulatory Flexibility Analysis (IRFA)
Pursuant to Section 603 of the Regulatory Flexibility Act, NTIS has
prepared the following IRFA to analyze the potential impact that this
proposed rule, if adopted, would have on small entities.
Description of the Reasons Why Action Is Being Considered
The policy reasons for issuing this proposed rule are discussed in
the preamble of this document, and not repeated here.
Statement of the Objectives of, and Legal Basis for, the Proposed Rule;
Identification of All Relevant Federal Rules Which May Duplicate,
Overlap, or Conflict With the Proposed Rule
The legal basis for this rule is Section 203 of the Bipartisan
Budget Act of 2013, Pub. L. 113-67, codified at 42 USCA Sec. 1306c
(the Act). The proposed rule is intended to implement the Act, which
requires the Secretary of Commerce to create a program to certify that
persons given access to information contained on the DMF with respect
to any deceased individual at any time during the 3-calendar-year
period following that individual's death satisfy the statutory
requirements for accessing the Limited Access DMF. Accordingly, this
rule creates a program for certifying persons eligible to access the
Limited Access DMF. It requires that Certified Persons annually re-
certify as eligible to access the Limited Access DMF, and that they
agree to be subject to scheduled and unscheduled audits. The rule also
sets out the penalties for violating the Act's disclosure provisions,
establishes a process to appeal penalties or revocations of
certification, and adopts a fee program for the certification program,
audits, and appeals.
When the proposed rule becomes final, it will replace the Interim
Final Rule NTIS put in place to establish a Temporary Certification
Program, in order to avoid the complete loss of access to the Limited
Access DMF when the Act became effective. No other rules duplicate,
overlap, or conflict with this proposed rule.
Number and Description of Small Entities Regulated by the Proposed
Action
The proposed rule will apply to all persons seeking to become
certified to obtain the Limited Access DMF from NTIS. The entities
affected by this rule could include banks and other financial
institutions, pension plans, health research institutes or companies,
state and local governments, information companies, and similar
research services, and others not identified. NTIS therefore requests
comments on the nature and types of affected entities.
Many of the impacted entities likely are considered ``large''
entities under the applicable Small Business Administration (SBA) size
standards. While NTIS anticipates that this rule will have an impact on
various small entities, NTIS is unable at this time to estimate the
number of impacted entities that may be considered small entities.
Because NTIS cannot estimate the type, number, or other details about
the small entities potentially impacted by this rule, it cannot make an
estimate about the level of impact this rule will have on those
entities. Nor can it estimate whether the rule's impacts will
disproportionately impact small entities as opposed to large ones.
Because NTIS lacks information about the types and sizes of
entities impacted by this rule, it cannot determine the impacts.
Accordingly, NTIS requests that the public provide it with information
about the types of entities impacted by this rule, whether those are
small or large entities under SBA's size standards, and the level of or
a description of the type of impacts that this rule will have on those
entities.
Description of the Projected Reporting, Recordkeeping, and Other
Compliance Requirements of the Proposed Rule
This proposed rule will require Persons seeking certification to
access the Limited Access DMF to provide NTIS with information about
the basis upon which they are seeking certification (i.e., legitimate
fraud prevention or business purpose), using an updated version of the
Limited Access Death Master File Subscriber Certification Form, Form
NTIS FM161 (Certification Form), approved by the Office of Management
and Budget (OMB) under Control Number 0692-0013. Specifically, the
Certification Form will be updated to include collection of additional
information that will improve NTIS's ability to determine whether a
Person meets, to the satisfaction of NTIS, the requirements of Section
203 of the Act. This additional information will also facilitate NTIS's
ability to carry out audits, and Certified Persons agree to be subject
to periodic scheduled and unscheduled audits of their systems and
operations to ensure compliance with the Act's data integrity
standards. Therefore, the proposed rule requires Certified Persons to
maintain their records for these audits. Additionally, to maintain
their status as Certified Persons, applicants must re-certify with NTIS
on an annual basis.
Description of Any Significant Alternatives to the Proposed Rule That
Accomplish the Stated Objectives of Applicable Statutes and That
Minimize Any Significant Economic Impact of the Proposed Rule on Small
Entities
As required by 5 U.S.C. 603(c), NTIS considered significant
alternatives to the proposed rule to minimize the impacts of the
proposed rule on small entities. NTIS considered a (1) no-action
alternative; (2) setting different auditing requirements for small
entities; (3) relaxing the systems requirements for small entities; and
(4) the preferred alternative of setting a fee schedule to enable NTIS
to achieve full cost recovery, and requiring Certified Persons to
maintain data in a manner similar to the requirements of section
6103(p)(4) of the IRC.
NTIS rejected the no-action alternative because the Act requires
that any person seeking Limited Access DMF become certified to access
such information according to a program established by the Secretary.
The no-action alternative would establish no new program, and therefore
is contrary to the Act.
Similarly, NTIS did not further consider alternatives 2 and 3,
which would have created exceptions to the auditing requirements of the
proposed rule and the systems requirements for becoming certified.
Exempting small entities from the auditing or systems requirements
would potentially risk allowing the Limited Access DMF to be released
to non-certified persons or the public at large, and thus would counter
the benefits to security and anti-fraud efforts the rule will create.
The fourth alternative complies with the Act, creates a program to
certify persons eligible to access the Limited Access DMF, and
safeguards that information from unauthorized disclosures. The audits
required by the rule further strengthen the oversight NTIS has over the
redistribution and use of the Limited Access DMF, and thereby help
ensure the data's security. Because alternative 4 accomplishes the
statutory goals set out in the Act, and would not create the potential
for security or data integrity breaches, NTIS prefers it and has
proposed a rule based on this alternative.
Paperwork Reduction Act
With this proposed rule, NTIS is requesting approval of a new
information collection that will contain two forms. One form, the
``Limited Access Death Master File (LADMF) Systems Safeguards
Attestation Form,'' is new. The new information collection will also
revise the ``Limited Access Death Master File Subscriber Certification
Form'' (Certification Form), which is currently approved under OMB
Control No. 0692-0013. In the Certification Form NTIS has added a
description of the type of information required for each fill-in box to
ensure that the respondents' answers show that they meet the
requirements of Section 203 of the Act. The revised Certification Form
also collects the following information in addition to the information
collected in the existing Certification Form:
URL (if applicable)--Collection of each respondent's URL
is necessary for NTIS to perform due diligence. NTIS will use the
information to ascertain that the organization seeking certification is
a legitimate business performing the functions it claims to be
performing.
NTIS Customer Number--Collection of each respondent's NTIS
Customer Number will allow NTIS to readily identify existing customers,
streamlining the certification process.
Dun and Bradstreet Number (if applicable)--Collection of
each respondent's Dun and Bradstreet Number is necessary for NTIS to
perform due diligence. NTIS will use the information to ascertain that
the organization seeking certification is a legitimate business
performing the functions it claims to be performing.
Authorized Contact Person--Collection of each respondent's
authorized contact person will expedite the certification process by
permitting NTIS to contact the identified contact person without first
having to spend time identifying the correct person during the certification process.
Authorized Contact Person's Phone Number and Email Address
(if different than that collected for the organization)--Collection of
this information is necessary to allow NTIS to contact the person if
questions arise during review of the Certification Form.
With these changes to the collection, and based also on its
experience in administering the temporary certification program under
the Interim Final Rule, NTIS expects the burden hours per respondent to
increase from two hours to two and one-half hours, and will increase
the cost per respondent in the form of a certification fee from $200 to
$400. NTIS expects to receive approximately 550 Certification Forms,
for a total burden of 2,200 hours and a total cost to the public of
$220,000.
The ``Limited Access Death Master File (LADMF) Systems Safeguards
Attestation Form'' would require accredited certification bodies to
attest that a party seeking to be certified to access Limited Access
DMF has systems, facilities, and procedures in place as required under
Sec. 1110.102(a)(ii) of this part. NTIS expects the additional burden
hours for filling out this form to range from 2 hours to 200 hours, at
a cost ranging from $270-$27,000. NTIS bases this estimated range on an
average senior auditor rate of $135/hour, and assumes that the time
required to fill out the form may or may not also include time required
for an Accredited Certification Body to conduct a complete assessment
under the proposed rule. Where a prior assessment has been conducted,
for example, where a broader assessment has been conducted for other
purposes, NTIS has assumed that the cost of the DMF-specific aspects
may be small or even negligible. Conversely, where no prior assessment
has been conducted within a three year period preceding a Person's
application for certification under the proposed rule, NTIS has assumed
that the cost of a complete assessment will be greater, and will depend
as well on the nature of an applicant's systems and its use of Limited
Access DMF. NTIS has submitted this form to OMB for review and addition
to the collection approved at control number 0692-0013.
Comments are invited on: (a) Whether the proposed collection of
information is necessary for the proper performance of the functions of
NTIS/Commerce, including whether the information will have practical
utility; (b) the accuracy of the estimate of the burden of the proposed
information collection; (c) ways to enhance the quality, utility, and
clarity of the information to be collected; and (d) ways to minimize
the burden of the information collection on respondents, including the
use of automated collection techniques or other forms of information
technology. Comments regarding the collection of information associated
with this rule, including suggestions for reducing the burden, should
be sent to OMB Desk Officer, New Executive Office Building, Washington,
DC 20503, Attention: Jasmeet Seehra, or by email to
Jasmeet_K._Seehra@omb.eop.gov, or by fax to (202) 395-7285, and to NTIS
as set forth under ADDRESSES, above.
Notwithstanding any other provision of law, no person is required
to comply with, and neither shall any person be subject to penalty for
failure to comply with, a collection of information subject to the
requirements of the Paperwork Reduction Act, unless that collection of
information displays a currently valid OMB Control Number.
List of Subjects in 15 CFR Part 1110
Certification program; Administrative appeal; Imposition of
penalty; Fees.
Dated: December 19, 2014.
Bruce Borzino,
Director.
For reasons set forth in the preamble, the National Technical
Information Service proposes to amend 15 CFR part 1110 as follows:
PART 1110--CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER FILE
1. The authority for this part continues to read as follows:
Authority: Pub. L. 113-67, Sec. 203.
2. Amend Sec. 1110.2 by
a. Adding, in alphabetical order, the definition, ``Accredited
Certification Body,'' and
b. Revising the definitions of ``Limited Access DMF'' and ``Person'' to
read as follows:
Sec. 1110.2 Definitions used in this part.
* * * * *
Accredited Certification Body. An independent third party
conformity assessment body that is not owned, managed, or controlled by
a Person or Certified Person which is the subject of attestation or
audit, and that is accredited, by an accreditation body under
nationally or internationally recognized criteria such as ISO/IEC
27006-2011, ``Information technology--Security techniques--Requirements
for bodies providing audit and certification of information security
management systems,'' to attest that a Person or Certified Person has
systems, facilities and procedures in place to safeguard DMF
information.
* * * * *
Limited Access DMF. The DMF product made available by NTIS which
includes DMF with respect to any deceased individual at any time during
the three-calendar-year period beginning on the date of the
individual's death. As used in this part, Limited Access DMF does not
include an individual element of information (name, social security
number, date of birth, or date of death) in the possession of a Person,
whether or not certified, but obtained by such Person through a source
independent of the Limited Access DMF. If a Certified Person obtains,
or a third party subsequently provides to a Certified Person, death
information (i.e., the name, social security account number, date of
birth, or date of death) independently, the information is not
considered part of the Limited Access DMF if the NTIS source
information is replaced with the newly provided information.
* * * * *
Person. Includes corporations, companies, associations, firms,
partnerships, societies, joint stock companies, and other private
organizations, and state and local government departments and agencies,
as well as individuals.
3. Revise the section heading of Sec. 1110.100 to read as follows:
Sec. 1110.100 Scope; term.
* * * * *
4. Revise Sec. 1110.101 to read as follows:
Sec. 1110.101 Submission of certification; attestation.
(a) In order to become certified under the certification program
established under this part, a Person must submit a completed
certification statement and any required documentation, using the form
NTIS FM161 with OMB Control Number 0692-0013, and its accompanying
instructions at https://dmf.ntis.gov, together with the required fee.
(b) In addition to the requirements under paragraph (a) of this
section, in order to become certified, a Person must submit a written
attestation from an Accredited Certification Body that such Person has
systems, facilities, and procedures in place as required under Sec.
1110.102(a)(2) of this part. Such attestation must be based on the
Accredited Certification Body's review or assessment conducted no more
than three years prior to the date of submission of the Person's
completed certification statement, but such review or assessment need not have
been conducted specifically or solely for the purpose of submission
under this part.
5. Amend Sec. 1110.102 by revising paragraphs (a)(3) and (a)(4)(iv) to
read as follows:
Sec. 1110.102 Certification.
(a) * * *
(3) Such Person agrees to satisfy such similar requirements; and
(4) * * *
(iv) Use any such deceased individual's DMF for any purpose other
than a legitimate fraud prevention interest or a legitimate business
purpose pursuant to a law, governmental rule, regulation, or fiduciary
duty.
* * * * *
6. In subpart B of Part 1110, add Sec. Sec. 1110.103, 1110.104, and
1110.105 to read as follows:
Sec. 1110.103 Disclosure to a certified person.
Disclosure by a Person certified under this part of Limited Access
DMF to another Person certified under this part shall be deemed to
satisfy the disclosing Person's obligation to ensure compliance with
Sec. 1110.102(a)(4)(i)-(iii).
Sec. 1110.104 Revocation of certification.
False certification as to any element of Sec. 1110.102(a) shall be
grounds for revocation of certification, in addition to any other
penalties at law. A Person properly certified who thereafter becomes
aware that the Person no longer satisfies one or more elements of Sec.
1110.102(a) of this part shall immediately inform NTIS thereof in
writing.
Sec. 1110.105 Renewal of Certification.
(a) A Certified Person may renew its certification status by
submitting, on or before the date of expiration of the term of its
certification, a completed certification statement in accordance with
Sec. 1110.101, together with the required fee, indicating on the form
NTIS FM161 that it is a renewal, and also indicating whether or not
there has been any change in any basis previously relied upon for
certification.
(b) Except as may otherwise be required by NTIS, where a Certified
Person seeking certification status renewal has, within a three-year
period preceding submission under paragraph (a) of this section,
previously submitted a written attestation under Sec. 1110.101(b), or
has within such period been subject to a satisfactory audit under Sec.
1110.201, such Certified Person shall so indicate on the form NTIS
FM161, and shall not be required to submit a written attestation under
Sec. 1110.101(b).
(c) A Certified Person who submits a certification statement,
attestation (if required) and fee pursuant to Sec. 1110.105(a) shall
continue in Certified Person status pending notification of renewal or
non-renewal from NTIS.
(d) A Person who is a Certified Person before [EFFECTIVE DATE OF
THIS RULE] shall be considered a Certified Person under this part, and
shall continue in Certified Person status until the date which is one
year from the date of acceptance of such Person's certification by NTIS
under the Temporary Certification Program, provided that if such
expiration date falls on a weekend or a federal holiday, the term of
certification shall be considered to extend to the next business day.
7. Revise Sec. 1110.200 to read as follows:
Sec. 1110.200 Imposition of penalty.
(a) General. (1) Any Person certified under this part who receives
DMF information, including information about any deceased individual at
any time during the three-calendar-year period beginning on the date of
the individual's death, and who during such three-calendar-year period:
(i) Discloses such deceased individual's DMF information to any
person other than a person who meets the requirements of Sec.
1110.102(a)(1) through (3);
(ii) Discloses such deceased individual's DMF information to any
person who uses the information for any purpose other than a legitimate
fraud prevention interest or a legitimate business purpose pursuant to
a law, governmental rule, regulation, or fiduciary duty;
(iii) Discloses such deceased individual's DMF information to any
person who further discloses the information to any person other than a
person who meets the requirements of Sec. 1110.102(a)(1) through (3);
or
(iv) Uses any such deceased individual's DMF information for any
purpose other than a legitimate fraud prevention interest or a
legitimate business purpose pursuant to a law, governmental rule,
regulation, or fiduciary duty; and
(2) Any Person to whom such information is disclosed, whether or
not such Person is certified under this part, who further discloses or
uses such information as described in paragraphs (a)(1)(i) through (iv)
of this section, shall pay to the General Fund of the United States
Department of the Treasury a penalty of $1,000 for each such disclosure
or use, and, if such Person is certified, shall be subject to having
such Person's certification revoked.
(b) Limitation on penalty. The total amount of the penalty imposed
under this part on any Person for any calendar year shall not exceed
$250,000, unless such Person's disclosure or use is determined to be
willful or intentional. For the purposes of this part, a disclosure or
use is willful when it is a ``voluntary, intentional violation of a
known legal duty.''
(c) Disclosure to a Certified Person. No penalty shall be imposed
under paragraphs (a)(i) through (iii) of this section on a first
Certified Person who discloses, to a second Certified Person, DMF
information of any deceased individual at any time during the three-
calendar-year period beginning on the date of the individual's death,
where the sole basis for imposition of penalty on such first Certified
Person is that such second Certified Person has been determined to be
subject to penalty under this part.
8. Revise Sec. 1110.201 to read as follows:
Sec. 1110.201 Audits.
Any Person certified under this part shall, as a condition of
certification, agree to be subject to audit by NTIS, or, at the request
of NTIS, by an Accredited Certification Body, to determine the
compliance by such Person with the requirements of this part. NTIS may
conduct, or request that an Accredited Certification Body conduct,
periodic scheduled and unscheduled audits of the systems, facilities,
and procedures of any Certified Person relating to such Certified
Person's access to, and use and distribution of, the Limited Access
DMF. NTIS may conduct, or request that an Accredited Certification Body
conduct, field audits (during regular business hours) or desk audits of
a Certified Person. Failure of a Certified Person to submit to or
cooperate fully with NTIS, or with an Accredited Certification Body
acting pursuant to this section, in its conduct of an audit, or to pay
an audit fee to NTIS, will be grounds for revocation of certification.
9. Redesignate subpart D to part 1110 as subpart E, add a new subpart
D, and revise the newly redesignated subpart E to read as follows:
Subpart D--Administrative Appeal
Sec. 1110.300 Appeal.
(a) General. Any Person adversely affected or aggrieved by reason
of NTIS denying or revoking such Person's certification under this
part, or imposing upon such Person under this part a penalty, may obtain review
by filing, within 30 days (or such longer period as the Director of
NTIS may, for good cause shown in writing, fix in any case) after
receiving notice of such denial, revocation or imposition, an
administrative appeal to the Director of NTIS.
(b) Form of Appeal. An appeal shall be submitted in writing to
Director, National Technical Information Service, 5301 Shawnee Road,
Alexandria, VA 22312, ATTENTION DMF APPEAL, and shall include the
following:
(1) The name, street address, email address and telephone number of
the Person seeking review;
(2) A copy of the notice of denial or revocation of certification,
or the imposition of penalty, from which appeal is taken;
(3) A statement of arguments, together with any supporting facts or
information, concerning the basis upon which the denial or revocation
of certification, or the imposition of penalty, should be reversed;
(4) A request for hearing of oral argument before the Director, if
desired.
(c) Power of Attorney. A Person may, but need not, retain an
attorney to represent such Person in an appeal. A Person shall
designate any such attorney by submitting to the Director of NTIS a
written power of attorney.
(d) Hearing. If requested in the appeal, a date will be set for
hearing of oral argument before a representative of the Director of
NTIS, by the Person or the Person's designated attorney, and a
representative of NTIS familiar with the notice from which appeal has
been taken. Unless it shall be otherwise ordered before the hearing
begins, oral argument will be limited to thirty minutes for each side.
A Person need not retain an attorney or request an oral hearing to
secure full consideration of the facts and the Person's arguments.
(e) Decision. After a hearing on the appeal, if a hearing was
requested, the Director of NTIS shall issue a decision on the matter
within 120 days, or, if no hearing was requested, within 90 days of
receiving the appeal. The decision of the Director of NTIS shall be
made after consideration of the arguments and statements of fact and
information in the Person's appeal, and the hearing of oral argument if
a hearing was requested, but the Director of NTIS at his or her
discretion and with due respect for the rights and convenience of the
Person and the agency, may call for further statements on specific
questions of fact or may request additional evidence in the form of
affidavits on specific facts in dispute. After the original decision is
issued, an appellant shall have 30 days (or a date as may be set by the
Director of NTIS before the original period expires) from the date of
the decision to request a reconsideration of the matter. The Director's
decision becomes final 30 days after being issued, if no request for
reconsideration is filed, or on the date of final disposition of a
decision on a petition for reconsideration.
Subpart E--Fees
Sec. 1110.400 Fees.
Fees sufficient to cover (but not to exceed) all costs to NTIS
associated with evaluating Certification Forms and auditing,
inspecting, and monitoring certified persons under the certification
program established under this part, as well as appeals, will be
published (as periodically reevaluated and updated by NTIS) and
available at https://dmf.ntis.gov. NTIS will not set fees for
attestations or audits by an Accredited Certification Body.
10. Add subpart F to read as follows:
Subpart F--Accredited Certification Bodies
Sec.
1110.500 Accredited certification bodies.
1110.501 Requirement for independence.
1110.502 Attestation by accredited certification body.
1110.503 Acceptance of accredited certification bodies.
Sec. 1110.500 Accredited certification bodies.
This subpart describes Accredited Certification Bodies and their
accreditation for third party attestation and auditing of the
information safeguarding requirement for certification of Persons under
this part. NTIS will accept an attestation or audit of a Person or
Certified Person from an Accredited Certification Body that is
independent of that Person or Certified Person and that is itself
accredited by a recognized accreditation body.
Sec. 1110.501 Requirement for independence.
(a) An Accredited Certification Body must be an independent third
party certification body that is not owned, managed, or controlled by a
Person or Certified Person that is the subject of attestation or audit
by the Accredited Certification Body.
(1) A Person or Certified Person is considered to own, manage, or
control a third party certification body if any one of the following
characteristics applies:
(i) The Person or Certified Person holds a 10 percent or greater
ownership interest, whether direct or indirect, in the third party
certification body. Indirect ownership interest is calculated by
successive multiplication of the ownership percentages for each link in
the ownership chain;
(ii) The third party certification body and the Person or Certified
Person are owned by a common ``parent'' entity;
(iii) The Person or Certified Person has the ability to appoint a
majority of the third party certification body's senior internal
governing body (such as, but not limited to, a board of directors), the
ability to appoint the presiding official (such as, but not limited to,
the chair or president) of the third party certification body's senior
internal governing body, and/or the ability to hire, dismiss, or set
the compensation level for third party certification body personnel; or
(iv) The third party certification body is under a contract to the
Person or Certified Person that explicitly limits the services the
third party certification body may perform for other customers and/or
explicitly limits which or how many other entities may also be
customers of the third party certification body.
Sec. 1110.502 Attestation by accredited certification body.
(a) In any attestation or audit of a Person or Certified Person
that will be submitted to NTIS under this part, an Accredited
Certification Body must attest that it is independent of that Person or
Certified Person. The Accredited Certification Body also must attest
that it has read, understood, and agrees to the regulations in this
part. The Accredited Certification Body must also attest that it is
accredited to a nationally or internationally recognized standard such
as the ISO/IEC Standard 27006-2011 ``Information technology--Security
techniques--Requirements for bodies providing audit and certification
of information security management systems,'' or any other similar
recognized standard for bodies providing audit and certification of
information security management systems. The Accredited Certification
Body must also attest that the scope of its accreditation encompasses
the safeguarding and security requirements as set forth in this part.
(b) Where a Person seeks certification, or where a Certified Person
seeks renewal of certification or is audited under this part, an
Accredited Certification Body may provide written attestation that such
Person or Certified Person has systems, facilities, and procedures in
place as required under Sec. 1110.102(a)(2). In so attesting, an
Accredited Certification Body may reference ``Limited Access Death
Master File (LADMF) Certification Program Publication 100,'' guidelines published by NTIS and available at
https://dmf.ntis.gov. Such attestation must be based on the Accredited
Certification Body's review or assessment conducted no more than three
years prior to the date of submission of the Person's or Certified
Person's completed certification statement, and, if an audit of a
Certified Person by an Accredited Certification Body is required by
NTIS, no more than three years prior to the date upon which NTIS
notifies the Certified Person of NTIS's requirement for audit, but such
review or assessment or audit need not have been conducted specifically
or solely for the purpose of submission under this part.
(c) Where review or assessment or audit by an Accredited
Certification Body was not conducted specifically or solely for the
purpose of submission under this part, the written attestation or
assessment report (if an audit) shall describe the nature of that
review or assessment or audit, and the Accredited Certification Body
shall attest that on the basis of such review or assessment or audit,
the Person or Certified Person has systems, facilities, and procedures
in place as required under Sec. 1110.102(a)(2). In so attesting, an
Accredited Certification Body may reference ``Limited Access Death
Master File (LADMF) Certification Program Publication 100,'' guidelines
published by NTIS and available at https://dmf.ntis.gov.
(d) Notwithstanding paragraphs (a) through (c) of this section,
NTIS may, in its sole discretion, require that review or assessment or
audit by an Accredited Certification Body be conducted specifically or
solely for the purpose of submission under this part.
Sec. 1110.503 Acceptance of accredited certification bodies.
(a) NTIS will accept written attestations and assessment reports
from an Accredited Certification Body that attests, to the satisfaction
of NTIS, as provided in Sec. 1110.502.
(b) NTIS may decline to accept written attestations or assessment
reports from an Accredited Certification Body, whether or not it has
attested as provided in Sec. 1110.502, for any of the following
reasons:
(1) When it is in the public interest under Section 203 of the
Bipartisan Budget Act of 2013, and notwithstanding any other provision
of this part;
(2) Submission of false or misleading information concerning a
material fact(s) in an Accredited Certification Body's attestation
under Sec. 1110.502;
(3) Knowing submission of false or misleading information
concerning a material fact(s) in an attestation or assessment report by
an Accredited Certification Body of a Person or Certified Person;
(4) Failure of an Accredited Certification Body to cooperate in
response to a request from NTIS to verify the accuracy, veracity, and/or
completeness of information received in connection with an attestation
under Sec. 1110.502 or an attestation or assessment report by that
Body of a Person or Certified Person. An Accredited Certification Body
``fails to cooperate'' when it does not respond to NTIS inquiries or
requests, or it responds in a manner that is unresponsive, evasive,
deceptive, or substantially incomplete; or
(5) Where NTIS is unable for any reason to verify the accuracy of
the Accredited Certification Body's attestation.
[FR Doc. 2014-30199 Filed 12-29-14; 8:45 am]
BILLING CODE 3510-04-P