Certification Program for Access to the Death Master File, 34882-34895 [2016-12479]

Agencies

• DEPARTMENT OF COMMERCE
• National Technical Information Service

[Federal Register Volume 81, Number 105 (Wednesday, June 1, 2016)]
[Rules and Regulations]
[Pages 34882-34895]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-12479]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Technical Information Service

15 CFR Part 1110

[Docket Number: 160511004-4999-04]
RIN 0692-AA21


Certification Program for Access to the Death Master File

AGENCY: National Technical Information Service, U.S. Department of 
Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The National Technical Information Service (NTIS) issues this 
final rule establishing a program through which persons may become 
eligible to obtain access to Death Master File (DMF) information about 
an individual within three years of that individual's death. This final 
rule supersedes and replaces the interim final rule that NTIS 
promulgated following passage of Section 203 of the Bipartisan Budget 
Act of 2013 to provide immediate and ongoing access to persons who 
qualified for temporary certification. The program established under 
this final rule contains some changes from the proposed rule published 
by NTIS.

DATES: This final rule is effective November 28, 2016.

FOR FURTHER INFORMATION CONTACT: Brian Lieberman, Senior Counsel for 
NTIS, at blieberman@ntis.gov, or by telephone at 703-605-6404. 
Information about the DMF made available to the public by NTIS may be 
found at https://dmf.ntis.gov.

SUPPLEMENTARY INFORMATION: 

Background

    This final rule is promulgated under Section 203 of the Bipartisan 
Budget Act of 2013, Public Law 113-67 (Act), passed into law on 
December 26, 2013. The Act prohibits the Secretary of Commerce 
(Secretary) from disclosing DMF information during the three-calendar-
year period following an individual's death (referred to as the 
``Limited Access DMF,'' or ``LADMF''), unless the person requesting the 
information has been certified to access that information pursuant to 
certain criteria in a program that the Secretary establishes. The Act 
further requires the Secretary to establish a fee-based program to 
certify Persons for access to LADMF. In addition, it provides for 
penalties for Persons who receive or distribute LADMF without being 
certified or otherwise satisfying the requirements of the Act. The 
Secretary has delegated the authority to carry out Section 203 to the 
Director of NTIS.
    The Act mandated that no person could receive LADMF without 
certification after March 26, 2014 (i.e., 90 days from enactment of the 
Act). NTIS acted promptly to ensure that a suitable certification 
program was in place by that date, and to avoid interruption of access 
by legitimate users of the data. On March 3, 2014, NTIS published a 
Request for Information (RFI) and Advance Notice of Public Meeting on 
the Certification Program for Access to the Death Master File (79 FR 
11735). NTIS held the public meeting, with webcast, on March 4, 2014. 
Written comments received in response to the RFI, and a transcription 
of oral comments submitted at the public meeting, may be viewed at 
https://dmf.nist.gov.
    On March 26, 2014, NTIS published an interim final rule, 
``Temporary Certification Program for Access to the Death Master File'' 
(interim final rule) (79 FR 16668). That rule codified an interim 
approach to implementing the Act's provisions pertaining to the 
certification program and the penalties for violating the Act, and set 
out an interim fee schedule for the program. NTIS published the interim 
final rule in order to provide a mechanism for Persons to access LADMF 
immediately on the effective date prescribed in the Act. Written 
comments received in response to the Interim Final Rule may be viewed 
at https://www.regulations.gov.
    The preambles for both the RFI and the interim final rule set out 
the specific provisions of the Act, and also noted that several Members 
of Congress described their understanding of the purpose and meaning of 
Section 203 during Congressional debate on the Joint Resolution which 
became the Act. Citations to those Member statements were provided in 
the RFI, which also provided background on the component of the DMF, 
which originates from the Social Security Administration, covered by 
Section 203. The interim final rule was established to provide 
immediate access to the LADMF to those users who demonstrated a 
legitimate fraud prevention interest, or a legitimate business purpose 
for the information, and to otherwise delay the release of the LADMF to 
all other users, thereby reducing opportunities for identity theft and 
restricting information sources used to file fraudulent tax returns.
    In addition, in December, 2014, NTIS issued an initial public draft 
of ``Limited Access Death Master File (Limited Access DMF) 
Certification Program Publication 100,'' (Publication 100), available 
at https://dmf.ntis.gov. Publication 100 is the NTIS security guideline 
document for persons certified under this final rule. Publication 100 
sets forth suggested security controls, standards and protocols for the 
protection of LADMF in the possession of Certified Persons.
    On December 30, 2014, NTIS published the proposed rule (79 FR 
78314). The proposed rule introduced changes, clarifications and 
additions to the interim final rule, based in part upon comments 
received. For example, the proposed rule introduced a ``safe harbor'' 
provision, Sec.  1110.103, which would exempt a Certified Person from 
penalty for disclosure of LADMF to another Certified Person. The 
proposed rule set forth a provision for review, assessment, audit and 
attestation of a Person's information and information security controls 
by independent, third party conformity assessment bodies. Section 
1110.201 of the proposed rule would permit Certified Persons to provide 
the attestation of an ``Accredited Certification Body'' (as defined in 
Sec.  1110.2) concerning the

[[Page 34883]]

adequacy of the Certified Person's ``systems, facilities and procedures 
in place to safeguard DMF information.''
    NTIS requested that all written comments on the proposed rule be 
submitted to Regulations.gov by January 31, 2015. The agency, however, 
received requests to extend the public comment period. In response, on 
January 28, 2015, NTIS published a notice extending the comment period 
until March 30, 2015 (80 FR 4519). Written comments received in 
response to the proposed rule may be viewed at https://www.regulations.gov.

Comments in Response to the Proposed Rule

    In response to the proposed rule, NTIS received 62 written 
comments. The commenters included one foreign government, twenty 
industry and trade associations, five service providers, three 
financial services companies, two insurance companies, four health care 
and medical research organizations and five service providers. The 
remainder of the commenters were primarily individuals, including a 
number identifying themselves as genealogists.
    In preparing this final rule, NTIS has carefully considered all 
comments received in response to the proposed rule. Many commenters 
requested that NTIS provide unrestricted access to LADMF. However, NTIS 
cannot revise the rule to accommodate such comments, since access to 
and use of LADMF is governed by the statutory provisions set forth in 
Section 203 of the Act. A number of commenters requested changes to the 
composition of the DMF itself; however, the composition of the DMF is 
explicitly defined in Section 203(d) of the Act as consisting of ``the 
name, social security account number, date of birth and date of death 
of deceased individuals maintained by the Commissioner of Social 
Security.'' NTIS, therefore, has no discretion to alter the composition 
of the DMF. Some commenters suggested that NTIS should enhance search 
capabilities available to DMF subscribers. NTIS has no present plans to 
alter database search capabilities, but may consider doing so in the 
future. However, NTIS's database search capabilities are not an element 
of this final rule. NTIS also received multiple comments to the effect 
that the proposed subscription cost of the LADMF should be reduced; 
however, Section 203(b)(3) mandates the charge of fees sufficient to 
cover costs associated with the certification program. The 
certification fee that NTIS charges covers the costs of receiving and 
processing applications, including authenticating the statements made 
in the application, and ensuring access to the Limited Access DMF.
    A number of comments were received asserting that some Certified 
Persons need to provide LADMF date of death information in the ordinary 
course of their business, for example, to retirement plans and others 
who have a legal obligation to provide death benefits payments to 
beneficiaries or for other legitimate purposes, and some suggested that 
the rule should specifically provide for the disclosure of date of 
death information alone as an exception to requirement for 
certification. However, as noted above, ``date of death'' is one of the 
four elements (the others being name, social security number, and date 
of birth) expressly set forth in the statutory definition of the term 
``Death Master File'' under the Act, and NTIS is without discretion to 
categorically exclude it through rulemaking. NTIS notes that it 
received no comments suggesting that retirement plans and others having 
a legal obligation to provide death benefits would be unable to 
demonstrate one or more of a legitimate fraud prevention interest, 
business purpose, or fiduciary duty, to qualify for certification or, 
if not certified, that they would be unable to demonstrate, first, that 
they meet the requirements for LADMF access (i.e., the legitimate fraud 
prevention or business purpose and security requirements of Sec.  
1110.102(a)(1), (2), and (3)), and, second, that they would not misuse 
or further disclose LADMF to a person who would either wrongfully use 
LADMF or could not comply with the security requirements set forth in 
Sec.  1110.200(a)(1)(ii) or (iii) respectively. NTIS points out that 
``fact of death,'' i.e., the fact that a person is no longer living, 
confirmation of which was identified by some commenters as important 
for legitimate business purposes, is not an element of the statutory 
definition of the term ``Death Master File,'' and will not be 
considered by NTIS to be equivalent to ``date of death'' under the 
final rule.
    NTIS also notes that the proposed rule would revise the definition 
of ``Limited Access DMF'' to provide that an individual element of 
information (name, social security number, date of birth, or date of 
death) in the possession of a Person, whether or not certified, but 
obtained by such Person through a source independent of the Limited 
Access DMF, would not be considered ``DMF information.'' That revision 
is retained in the final rule, and has been further clarified in 
response to comments. Specifically, NTIS has replaced the term 
``Certified Person'' in the last sentence of the LADMF definition with 
``Person'' to make clear that any Person, whether or not certified, who 
obtains an individual element of information independently is not 
considered to possess ``Limited Access DMF.''
    Comments were received suggesting that, for clarity and simplicity, 
the final rule should refer to the defined term ``Limited Access DMF'' 
to the extent possible. NTIS has incorporated these comments into the 
final rule, including Sec. Sec.  1110.102(a)(4) and 1110.200(a)(1).
    NTIS received comments supporting the provision of the proposed 
rule that would amend Sec.  1110.102(a)(2) and (3) to clarify that, to 
be certified to obtain access to the Limited Access DMF, a Person must 
certify both that the Person has systems, facilities, and procedures in 
place to safeguard the accessed information, and experience in 
maintaining the confidentiality, security, and appropriate use of 
accessed information, pursuant to requirements similar to the 
requirements of section 6103(p)(4) of the Internal Revenue Code of 
1986, and that the Person ``agrees to satisfy such similar 
requirements.''
    This standard differs from the requirement of Section 203 of the 
Act, because that Section contains contradictory statements about the 
types of systems to safeguard information that a Certified Person must 
have in place. In Section 203(b)(2)(B), the Act states that in order to 
receive Limited Access DMF, a Person must agree to comply with 
requirements ``similar to'' Section 6103(p)(4) of the Internal Revenue 
Code (IRC). Section 6103(p)(4) of the IRC is directed to Federal 
government agencies, and as such the ``similar to'' statement makes 
sense for non-government actors which are the subject of the Act. 
However, Section 203(b)(2)(C) requires a Certified Person to also 
``satisfy the requirements of such section 6103(p)(4) as if such 
section applied to such person.'' It is unclear how or why a Certified 
Person could or should satisfy safeguarding requirements ``similar to'' 
section 6103(p)(4) of the IRC, while also satisfying section 6103(p)(4) 
of the IRC. In addition, commenters pointed out that some of the 
provisions of section 6103(p)(4) could not reasonably be imposed on 
non-government actors, because, for example, in contrast to Federal Tax 
Information, Limited Access DMF under Section 203 is not subject to 
restriction when beyond the three-calendar-year period following the 
date of death.
    To resolve this ambiguity and address these comments, NTIS 
interprets

[[Page 34884]]

Section 203(b) of the Act as requiring Persons to certify that they 
have systems, facilities, and procedures in place that are ``reasonably 
similar to'' those required by section 6103(p)(4) of the IRC in order 
to become Certified Persons. This interpretation allows NTIS to meet 
the interest of protecting personal data generally and deterring fraud, 
while also allowing NTIS to set the data integrity standards 
appropriate to safeguard Limited Access DMF specifically. The final 
rule amends Sec.  1110.102(a)(2) and (3) accordingly.
    A number of commenters suggested that the final rule should 
expressly classify certain categories of activities or enterprises, 
such as health care research and insurance investigation, as ``a 
legitimate fraud prevention interest'' or ``a legitimate business 
purpose.'' Other commenters suggested that the final rule should 
specifically provide that when an applicant or Certified Person is 
subject to other laws governing the use of personal information, the 
applicant or Certified Person should for that reason be deemed to have 
a ``legitimate fraud prevention interest'' or ``legitimate business 
purpose.'' It was urged that codification of such categories would 
further the purpose of the Act and benefit businesses and other 
entities reliant upon the LADMF by eliminating the threat of 
interrupted access. NTIS has carefully considered these suggestions, 
and observes that each Person applying for certification must certify 
to NTIS that such Person satisfies each of three requirements specified 
under Section 203(b)(2) of the Act, and that NTIS will evaluate each 
application individually to ensure that an individual applicant is 
properly certified. NTIS does acknowledge that it received numerous 
comments to the effect that awardees of federal research grants and 
others conducting extramural and intramural research under federal 
programs should be eligible for certification, provided that they 
otherwise satisfy the requirements of the final rule. NTIS notes that, 
while it appreciates the commenters' position, such Persons must, like 
any applicants, demonstrate that they satisfy the requirements for 
LADMF access.
    A commenter observed that use of the term ``Accredited 
Certification Body'' in the proposed rule could create confusion, 
particularly since the concept of ``certification'' appears and is used 
separately in the rule. Accordingly, the final rule uses the term 
``Accredited Conformity Assessment Body'' rather than ``Accredited 
Certification Body,'' and NTIS uses the former term in the preamble as 
well.
    A number of commenters urged that particular activities and 
enterprises, such as direct marketing and life insurance companies, 
should not be subject to DMF-related audits or required to obtain a 
written third party attestation, where such activities and enterprises 
are independently subject to regulatory scrutiny and must comply with 
the privacy security requirements of other laws, such as the Gramm-
Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA). 
While NTIS will decline to exclude Persons from the requirement for 
attestation as part of the certification process under the final rule, 
and will decline to exclude Certified Persons from being subject to 
audit, NTIS emphasizes that it is NTIS's intent under this final rule 
that applicants and Certified Persons should not incur the burden or 
expense of a DMF-specific audit when they have already had, or will 
have, an appropriate independent assessment or audit performed for 
other purposes, including but not limited to those noted above. To this 
end, Sec.  1110.503(c) of the final rule explicitly contemplates 
reliance upon a review or assessment or audit by an Accredited 
Conformity Assessment Body that was not conducted specifically or 
solely for the purpose of submission to NTIS. NTIS intends that when a 
review, assessment or audit has been or can be performed in the course 
of satisfying other Federal, state, tribal, or local government laws or 
regulations, such as those mentioned by commenters, or other regulatory 
or fiduciary requirements flowing from such laws or regulations, a 
Person or Certified Person will be able to rely upon that review, 
assessment or audit, to the extent that the requirements of the final 
rule are satisfied. In these circumstances, NTIS intends that it will 
accept an Accredited Conformity Assessment Body's attestation regarding 
a non-DMF audit, which attestation includes an explanation of the 
nature of that non-DMF audit and represents that, based on its review, 
the Accredited Conformity Assessment Body is satisfied that the LADMF 
security and safeguard requirements are met.
    NTIS will not at this time accept the suggestion of some commenters 
to permit ``self-assessments'' or ``a self-certified written 
attestation'' in lieu of a written attestation from an independent 
Accredited Conformity Assessment Body. With respect to state and local 
government departments and agencies, which are included within the 
definition of Persons in the final rule, NTIS notes some commenters' 
concerns that the proposed rule could burden such departments and 
agencies given state-established information security and safeguarding 
procedures, and agrees with the recommendation of a commenter that it 
should accept written attestation from an independent state or local 
government Inspector General or Auditor General office.
    Accordingly, provided that a state or local government Inspector 
General or Auditor General satisfies the requirements of the final rule 
for Accredited Conformity Assessment Bodies, new Sec.  1110.501(a)(2) 
of the final rule provides that a state or local government office of 
Inspector General or Auditor General and a Person or Certified Person 
that is a department or agency of the same state or local government, 
respectively, are not considered to be owned by a common ``parent'' 
entity under Sec.  1110.501(a)(1)(ii) for the purpose of determining 
independence, and attestation by the Inspector General or Auditor 
General will be possible.
    With respect to comments urging that provision should be made for 
self-assessments and attestations by organizations having the capacity 
to perform assessments and audits, NTIS recognizes that some 
organizations have such capacity, and are able in exercising it to 
address safeguarding and security requirements under other laws and 
regulations. Accordingly, new Sec.  1110.502 of the final rule provides 
that, in addition to ``independent'' Accredited Conformity Assessment 
Bodies, a Person or Certified Person may engage a ``firewalled'' 
Accredited Conformity Assessment Body, as defined in the final rule and 
with the approval of NTIS, under conditions, as defined in the rule, 
which ensure that concerns about independence and actual or apparent 
conflicts of interest or undue influence are satisfactorily addressed.
    Under new Sec.  1110.502(a), a third party conformity assessment 
body must apply to NTIS for firewalled status if it is owned, managed, 
or controlled by a Person or Certified Person that is the subject of 
attestation or audit by the Accredited Conformity Assessment Body, 
applying the characteristics set forth under Sec.  1110.501(a)(1) for 
independence. Under new Sec.  1110.502(b), NTIS will accept an 
application for firewalled status when it finds that: (1) Acceptance of 
the third party conformity assessment body for firewalled status would 
provide equal or greater assurance that the Person or Certified Person 
has information

[[Page 34885]]

security systems, facilities, and procedures in place to protect the 
security of the Limited Access DMF than would the Person's or Certified 
Person's use of an independent third party third party conformity 
assessment body; and (2) the third party conformity assessment body has 
established procedures to ensure that: (1) Its attestations and audits 
are protected from undue influence by the Person or Certified Person 
that is the subject of attestation or audit by the Accredited 
Conformity Assessment Body, or by any other interested party; (2) NTIS 
is notified promptly of any attempt by the Person or Certified Person 
that is the subject of attestation or audit by the third party 
conformity assessment body, or by any other interested party, to hide 
or exert undue influence over an attestation, assessment or audit; and 
(3) allegations of undue influence may be reported confidentially to 
NTIS. To the extent permitted by Federal law, NTIS will undertake to 
protect the confidentiality of witnesses reporting allegations of undue 
influence. Under new Sec.  1110.502(c), NTIS will review each 
application and may contact the third party conformity assessment body 
with questions or to request submission of missing information, and 
will communicate its decision on each application in writing to the 
applicant.
    Some commenters expressed concern that in attesting to its 
credentials under Sec.  1110.503(a), an Accredited Conformity 
Assessment Body must indicate that it is accredited to a nationally or 
internationally recognized standard such as the ISO/IEC Standard 27006-
2011 or any other similar recognized standard for bodies providing 
audit and certification for information security management systems, 
pointing to other potentially applicable standards, such as the 
American Institute of Public Accountants (AICPA) Service Organization 
Control Report (SOC) Type 2 Audit Report. NTIS wishes to emphasize that 
it is not NTIS's intent, in reciting ISO/IEC 27006-2011, to exclude 
from consideration AICPA SOC2 or other appropriate accreditation 
standards. The regulation identifies the ISO/IEC standard as one 
example of an acceptable national or international accreditation 
standard. NTIS selected the ISO/IEC standard, as noted in the original 
discussion of the proposed rule, to serve ``as a baseline for 
accreditation,'' because it was prepared by the International 
Organization for Standardization (ISO) Committee on conformity 
assessment (79 FR at 78316). Moreover, NTIS emphasized that it is ``is 
aware that standards other than ISO/IEC 27006-2001 exist that may be 
equally appropriate for the purposes of accreditation under the Act, 
and that additional standards may be developed in the future . . . an 
[Accredited Conformity Assessment Body] may attest, subject to the 
conditions of verification in [final rule] Section 1110.503, that it is 
accredited to a nationally or internationally recognized standard for 
management systems other than ISO/IEC Standard 27006-2011.'' NTIS 
further observes that the burden rests with the Person or Certified 
Person to identify and submit an attestation by an Accredited 
Conformity Assessment Body certified or credentialed by an appropriate 
accrediting body. Accordingly, NTIS concludes that Sec.  1110.503(a) 
provides appropriate guidance as to the accreditation standard for 
Accredited Conformity Assessment Bodies.
    A few commenters suggested that NTIS should directly accredit 
Accredited Conformity Assessment Bodies to conduct assessments and 
audits or provide a list of acceptable accreditations for Accredited 
Conformity Assessment Bodies. NTIS does not intend to do so. Recognized 
professional accreditation organizations with well-established, 
rigorous accreditation processes already exist in the private sector. 
Such organizations have either adopted or established nationally and 
internationally accepted standards for entities which may serve as 
Accredited Conformity Assessment Bodies under the final rule. In 
considering how to establish a permanent certification program as 
required under Section 203, NTIS carefully considered developing, 
within the agency, the capacity to evaluate the information systems, 
facilities and procedures of Persons to safeguard Limited Access DMF, 
as well as to conduct audits of Certified Persons and to itself 
accredit conformity assessment bodies. NTIS has consulted with the 
National Institute of Standards and Technology (NIST), which has 
expertise in testing, standard setting, certification and conformity 
assessment. Based on NIST recommendations, NTIS believes it appropriate 
for private sector, third party, Accredited Conformity Assessment 
Bodies to attest to a Person's information security safeguards under 
Sec.  1110.102(a)(2) of the rule, for NTIS to rely upon such 
attestation in certifying a Person under the final rule, and for NTIS 
to rely as well upon third party, private sector accreditation of 
Accredited Conformity Assessment Bodies, while reserving to itself the 
ability to perform assessments and audits itself, in its discretion.
    A number of commenters expressed concerns regarding the 
identification, in Sec.  1110.502(b) of the proposed rule, of the 
``Limited Access Death Master File Publication 100'' (Publication 100) 
as a source of guidance to which an Accredited Conformity Assessment 
Body could refer in its attestation as to the adequacy of an 
applicant's or Certified Person's safeguards for Limited Access DMF. 
These commenters stated that, even though Publication 100 is intended 
to set forth recommended guidelines, procedures and best practices, 
reference to that publication in the proposed rule implied a limitation 
to those safeguarding approaches set forth in Publication 100. These 
commenters offered other sources of security requirements for personal 
information they thought were pertinent and should be expressly 
included in the rule, such as the security standards for the GLBA.
    NTIS notes, however, that the language of the rule makes clear that 
Publication 100 merely offers an example of security controls and 
protocols that an applicant or Certified Person may use, and is not 
intended to be prescriptive (79 FR at 78316). Moreover, NTIS recognizes 
that ``a number of different approaches exist to safeguarding 
information.'' Id. In the December 2014 Draft Version of Publication 
100, NTIS stated:

    ``These information security guidelines are derived from NIST 
SP800-53 Revision 4, Security and Privacy Controls for Federal 
Information Systems and Organizations. Only NIST SP 800-53 controls 
believed to be essential to the protection of Limited Access DMF 
information are included in this publication as a baseline. 
Applicability was determined by selecting controls relevant to 
protecting the confidentiality of Limited Access DMF information. 
The NIST controls [discussed here] are intended by NTIS to be 
illustrative, not exclusive. Other controls that can be assessed and 
used as guidelines include the NIST Framework for Improving Critical 
Infrastructure Cybersecurity v1.0. The Framework Core provides a 
common set of activities for managing risks, and associated 
controls. The references provided in the Framework Core represent a 
diverse set of information security guidelines including: 
International Organization for Standardization ISO 27001; 
International Society for Automation ISA/IEC 62443; Control 
Objectives for Information and Related Technology COBIT; Council on 
Cybersecurity Critical Security Controls CCS CSC2; and NIST 800-53 
rev. 4. Again, these references are illustrative.''

    Nevertheless, in response to commenters' concerns, NTIS has removed 
reference to Publication 100 from Sec.  1110.503(b) of the final rule.

[[Page 34886]]

Given the continuously evolving nature of information technology 
security and safeguard guidelines, procedures and best practices, NTIS 
intends that Publication 100 will be a living document. NTIS has 
invited comments on Publication 100 from the public on an ongoing 
basis, and contemplates interactive public dialog regarding its 
contents.
    The proposed rule introduced a ``safe harbor'' provision in Sec.  
1110.200(c) that would exempt from penalty a first Certified Person who 
discloses LADMF to a second Certified Person, where the first Certified 
Person's liability rests solely on the fact that the second Certified 
Person has been determined to be subject to penalty. The provision was 
specifically drafted to apply to each disclosure and to limit the 
presumption of compliance to the first Certified Person, while the 
second Certified Person (i.e., the recipient of the LADMF) remained 
subject to penalty for violations of the Act (79 FR at 78317.) NTIS 
invited comments as to whether the ``safe harbor'' provision should be 
extended to circumstances where the recipient is believed to be 
certified but, in fact, is not. NTIS did not receive comment on this 
point. A Certified Person desiring to rely upon the ``safe harbor'' 
provision as set forth in this final rule will bear responsibility for 
ensuring that a recipient of LADMF is, in fact, a Certified Person at 
the time of disclosure. NTIS notes that it maintains and publishes a 
list of Certified Persons, available at https://dmf.ntis.gov.
    NTIS received many comments suggesting that it should promulgate a 
broader ``safe harbor'' for a Certified Person who discloses LADMF to 
Persons whom the Certified Person knows are not certified 
(``uncertified Persons''). Many commenters urged that, unless the final 
rule made further allowance for Certified Persons to share LADMF with 
uncertified Persons, the commenters' businesses would suffer and their 
clients or other users would be deprived of data they need for critical 
purposes including fraud prevention, record-keeping and meeting legal 
and regulatory obligations. Many of these commenters also urged the 
extension of the ``safe harbor'' to Certified and uncertified Persons 
under certain circumstances, such as where an uncertified Person 
attests in writing that it meets the requirements for certification and 
to disclose the LADMF only to other uncertified Persons who could also 
meet the requirements, or where private contractual obligations were 
incurred. Some commenters contended that it would be unreasonable and 
unrealistic for NTIS to require their clients or other users to become 
certified and thus be subject to the rule's security and auditing 
requirements.
    NTIS will not extend the ``safe harbor'' provision of Sec.  
1110.102(c) in this manner. However, NTIS emphasizes that Certified 
Person status has not been and is not required in order for a Certified 
Person to disclose LADMF to another Person. A Certified Person may, 
without penalty under Sec.  1110.200 (but without ``safe harbor'' 
protection), disclose LADMF to another Person who, although not 
certified, meets the requirements of Sec.  1110.102(a)(1) through (3), 
and who does not misuse or further disclose the LADMF in violation of 
Sec.  1110.200(a)(1)(ii) or (iii). Indeed, many of the comments 
described above reflect the types of procedures that Certified Persons 
have successfully adopted under the Temporary Certification Program, 
and might be expected to adopt successfully in disclosing LADMF to 
uncertified Persons under the final rule. However, under such 
circumstances not involving a certified recipient, NTIS will not apply 
a ``safe harbor'' such as is applied under the final rule to a 
Certified Person who discloses Limited Access DMF to another who is 
also a Certified Person.
    A few commenters were critical of the appeals process set forth in 
Sec.  1110.300. One commenter opined that entities facing potential 
liability through ``unscheduled audits'' and ``substantial financial 
penalties'' needed ``well-developed procedural rights'' such as the 
right of appeal to an administrative law judge and federal court. NTIS 
has carefully considered these comments, but concludes that the process 
and procedures set forth in Sec.  1110.300 are legally sufficient. NTIS 
has provided an appropriate administrative and appeal process in Sec.  
1110.300. Pursuant to the Administrative Procedure Act (Pub. L. 79-404, 
60 Stat. 237), any Person or Certified Person can seek review of any 
adverse action or decision by the Director of NTIS in federal district 
court.
    A comment was received suggesting that the exclusion of Executive 
departments or agencies of the United States Government from the 
definition of ``Persons,'' noted initially under the interim final rule 
and continued in the proposed rule, should be extended as well to the 
governments of foreign countries. NTIS has carefully considered this 
comment, but will not adopt such a categorical exclusion. NTIS will 
continue to consider applications by foreign governments on a case-by-
case basis, in accordance with general principles of comity and 
consistent with the purposes of Section 203 and the requirements of the 
final rule.

The Final Rule

    This final rule amends subparts A, B, C, D, and adds a new subpart 
E to the DMF Certification Program in part 1110 of title 15 of the Code 
of Federal Regulations. The following describes specific provisions 
being amended.
    Under Sec.  1110.2, ``Definitions,'' NTIS is revising the 
definition of ``Person'' to recite ``state and local government 
departments and agencies,'' so that ``Person'' will be defined as 
including corporations, companies, associations, firms, partnerships, 
societies, joint stock companies, and other private organizations, and 
state and local government departments and agencies, as well as 
individuals. However, Executive departments or agencies of the United 
States Government will not be considered ``Persons'' for the purposes 
of this rule. Accordingly, Executive departments or agencies will not 
have to complete the Certification Form as set forth in the rule, and 
will be able to access Limited Access DMF under a subscription or 
license agreement with NTIS, describing the purpose(s) for which 
Limited Access DMF is collected, used, maintained and shared. Those 
working on behalf of and authorized by Executive departments or 
agencies may access the Limited Access DMF from their sponsoring 
Executive department or agency, which will be responsible for ensuring 
that such access is solely for the authorized purposes described by the 
agency. Unauthorized secondary use of Limited Access DMF by Executive 
departments or agencies or those working for them or on their behalf is 
prohibited. If an Executive department or agency wishes those working 
on its behalf to access the Limited Access DMF directly from NTIS, then 
those working on behalf of that Executive department or agency will be 
required to complete and submit the Certification Form as set forth in 
the rule and enter into a subscription agreement with NTIS in order to 
directly access the Limited Access DMF. Under this final rule, a 
Certified Person will be eligible to access the Limited Access DMF made 
available by NTIS through subscription or license.
    The final rule adds a requirement that, in order to become 
certified, a Person must submit a written attestation from an 
Accredited Conformity Assessment Body, as defined in the final rule, 
that such Person has information security systems, facilities, and 
procedures in place to protect the

[[Page 34887]]

security of the Limited Access DMF, as required under Sec.  
1110.102(a)(2) of the rule. NTIS has consulted with NIST, which has 
expertise in testing, standard-setting, and certification of various 
systems. Based on NIST recommendations, the final rule provides for 
private sector, third party, Accredited Conformity Assessment Bodies to 
attest to a Person's information security safeguards under Sec.  
1110.102(a)(2) of the rule, and NTIS will rely upon such attestation in 
certifying a Person under the final rule. The final rule also provides 
for Accredited Conformity Assessment Bodies to conduct periodic 
scheduled and unscheduled audits of Certified Persons on behalf of 
NTIS.
    Under the final rule, an ``Accredited Conformity Assessment Body'' 
is defined as an independent third party conformity assessment body 
that is not owned, managed, or controlled by a Person or Certified 
Person which is the subject of attestation or audit, and that is 
accredited by an accreditation body under nationally or internationally 
recognized criteria such as, but not limited to, ISO and the 
International Electrotechnical Commission (IEC) publication ISO/IEC 
27006-2011, ``Information technology--Security techniques--Requirements 
for bodies providing audit and certification of information security 
management systems,'' to attest that a Person or Certified Person has 
information technology systems, facilities and procedures in place to 
safeguard Limited Access DMF. Based on NIST recommendations, NTIS 
believes it is appropriate to reference the ISO/IEC 27006-2001 as an 
exemplary baseline for accreditation under the final certification 
program. The ISO Committee on conformity assessment (CASCO) prepared 
ISO/IEC 27006-2001, and reference to the ISO/IEC standard will help 
ensure that attestations and audits under the final certification 
program operate in a manner consistent with national and international 
practices. Accreditation is a third-party attestation that a conformity 
assessment body operates in accordance with national and international 
standards. Accreditation is used nationally and internationally in many 
sectors where there is a need, through certification, for safety, 
health or security requirements to be met by products or services. 
Accreditation ensures that a conformity assessment body is technically 
competent in the subject matter (in this case, the information 
safeguarding and security requirements as set forth in the rule) and 
has a management system in place to ensure competency and acceptable 
certification program operations on a continuing basis. Accreditation 
requires that Accredited Conformity Assessment Bodies be re-accredited 
on a periodic basis.
    However, NTIS also acknowledges that standards other than ISO/IEC 
27006-2001 exist that are equally appropriate for the purposes of 
accreditation under the Act, and that additional appropriate standards 
may be developed in the future. The final rule provides that an 
Accredited Conformity Assessment Body may attest, subject to the 
conditions of verification in Sec.  1110.503 of the final rule, that it 
is accredited to a nationally or internationally recognized standard 
for bodies providing audit and certification of information security 
management systems other than ISO/IEC Standard 27006-2011. In addition, 
the rule provides that an Accredited Conformity Assessment Body must 
also attest that the scope of its accreditation encompasses the 
information safeguarding and security requirements as set forth in the 
rule.
    NTIS is aware that security and safeguarding of information and 
information systems is of great concern in many fields of endeavor 
other than with respect to Limited Access DMF. NTIS has consulted with 
subject matter experts from NIST, which in 2014 published the 
``Framework for Improving Critical Infrastructure Cybersecurity'' \1\ 
(Framework), in response to President Obama's Executive Order 13636, 
``Improving Critical Infrastructure Cybersecurity,'' which established 
that ``[i]t is the Policy of the United States to enhance the security 
and resilience of the Nation's critical infrastructure and to maintain 
a cyber environment that encourages efficiency, innovation, and 
economic prosperity while promoting safety, security, business 
confidentiality, privacy, and civil liberties.'' In articulating this 
policy, the Executive Order calls for the development of a voluntary 
risk-based Cybersecurity Framework--a set of industry standards and 
best practices to help organizations manage cybersecurity risks. The 
resulting Framework, created by NIST through collaboration between 
government and the private sector, uses a common language to address 
and manage cybersecurity risks in a cost-effective way based on 
business needs without placing additional regulatory requirements on 
businesses. The Framework enables organizations--regardless of size, 
degree of cybersecurity risk, or cybersecurity sophistication--to apply 
the principles and best practices of risk management to improving the 
security and resilience of critical infrastructure. The Framework 
provides organization and structure to today's multiple approaches to 
cybersecurity by assembling standards, guidelines, and practices that 
are working effectively in industry today. Accordingly, in addressing 
the requirements of Section 203 for ``systems, facilities, and 
procedures'' to safeguard Limited Access DMF, NTIS contemplates that 
Persons, as well as Accredited Conformity Assessment Bodies, may look 
to the Framework and to the Framework's Informative References. The 
Framework is referenced by NTIS in Publication 100. As set forth in 
Publication 100, as well as in the Framework's Informative References, 
a number of different approaches exist to safeguarding information. 
These include ISO/IEC, Control Objectives for Information and Related 
Technology (COBIT), International Society of Automation (ISA), and 
NIST's 800 series publications. Others include the Service Organization 
Controls (SOC) of the American Institute of CPAs (AICPA).
---------------------------------------------------------------------------

    \1\ This document can be found at: https://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
---------------------------------------------------------------------------

    NTIS is aware that security and safeguarding assessments such as 
those contemplated under this final rule are routinely carried out in 
the private sector, including by entities which may satisfy the 
requirements for Accredited Conformity Assessment Bodies under the 
rule. Provided that such a routine assessment or audit of a Person 
would permit an Accredited Conformity Assessment Body to attest that 
such Person has systems, facilities, and procedures in place to 
safeguard Limited Access DMF as required under Sec.  1110.102(a)(2) of 
the final rule, albeit carried out for a purpose other than 
certification under the rule, NTIS will accept an attestation in 
support of a Person's certification with respect to the requirements 
under Sec.  1110.102(a)(2) of the rule, as well as in support of the 
renewal of a Certified Person's certification. The final rule provides 
that any attestation, whether for a Person seeking certification or for 
a Certified Person seeking renewal, must be based on the Accredited 
Conformity Assessment Body's review or assessment conducted no more 
than three years prior to the date of submission of the Person's 
completed certification statement or of the Certified Person's 
completed renewal certification statement. As noted, an

[[Page 34888]]

Accredited Conformity Assessment Body's review or assessment need not 
have been conducted specifically or solely for the purpose of 
submission of an attestation under the final rule. From NTIS's 
consultations with NIST subject matter experts, NTIS believes that the 
limitation of three years is appropriate as to frequency for 
assessments for the security and safeguarding of information and 
information systems, and that permitting Persons and Certified Persons 
to rely on attestations based on such assessments conducted for 
purposes other than solely for the rule is reasonable and cost-
effective.
    Persons previously certified under the interim final rule will need 
to become certified in accordance with the requirements of this final 
rule, when it becomes effective. Certification under this final rule 
will include an updated certification form (NTIS FM161), discussed 
under the heading, ``Paperwork Reduction Act,'' collecting additional 
information that will improve NTIS's ability to determine whether a 
Person meets, to the satisfaction of NTIS, the requirements of Section 
203 of the Act.
    Under Sec.  1110.103 of the final rule, a Certified Person may 
disclose Limited Access DMF to another Certified Person, and will be 
deemed to satisfy the disclosing Certified Person's obligation to 
ensure compliance with final Sec.  1110.102(a)(4)(i)-(iii) for the 
purposes of certification. Similarly, under Sec.  1110.200(c), NTIS 
will not impose a penalty, under Sec.  1110.200(a)(1)(i)-(iii) of the 
final rule, on a first Certified Person who discloses Limited Access 
DMF to a second Certified Person, where the first Certified Person's 
liability rests solely on the fact that the second Certified Person has 
been determined to be subject to penalty. While the final rule does not 
restrict disclosure of Limited Access DMF to Certified Persons, these 
provisions create an appropriately limited ``safe harbor'' for 
Certified Persons to disclose Limited Access DMF to other Certified 
Persons. However, note that any Person, including any Certified Person, 
who receives Limited Access DMF from a Certified Person, is still 
subject to penalty under Sec.  1110.200(a)(2), for violations of the 
Act. The safe harbor provision applies to each disclosure individually, 
and only the Certified Person disclosing the information, not the 
Certified Person recipient, receives the benefit of the presumed 
compliance with Sec.  1110.102(a)(4)(i)-(iii).
    Under Sec.  1110.201 of the final rule, NTIS may conduct, or may 
request that an Accredited Conformity Assessment Body conduct, at the 
Certified Person's expense, periodic scheduled and unscheduled audits 
of the systems, facilities, and procedures of any Certified Person 
relating to such Certified Person's access to, and use and distribution 
of, the Limited Access DMF. NTIS contemplates that many, if not most, 
audits of Certified Persons will be scheduled, but NTIS may also 
conduct, or request an Accredited Conformity Assessment Body conduct, 
unscheduled audits--for example, where a prior scheduled audit may have 
identified the need for adjustment to a Certified Person's systems, 
facilities, or procedures. Audits conducted by NTIS or by an Accredited 
Conformity Assessment Body may take place at a Certified Person's place 
of business (i.e., field audits), or may be conducted remotely (i.e., 
desk audits). The final rule provides that all Certified Persons be 
audited with respect to the requirements of Sec.  1110.102(a)(2) no 
less frequently than every three years under the program, and this 
requirement may be satisfied by a Certified Person based on an audit or 
assessment conducted for a purpose other than solely for the purpose of 
this program. The final rule does not require that Certified Persons 
undergo routine scheduled audits on the attestation regarding Sec.  
1110.102(a)(1), but does provide that unscheduled audits of this and 
other aspects of the requirements for certification may be conducted at 
NTIS's discretion. Under the final rule, NTIS' costs for conducting 
audits will be recoverable from the audited Person. Failure to submit 
to an audit, to cooperate fully with NTIS in its conduct of an audit or 
an Accredited Conformity Assessment Body conducting an audit on NTIS's 
request, or to pay an audit fee owed to NTIS, are grounds for 
revocation of certification under the final rule. NTIS intends that a 
Person or Certified Person will be directly responsible to an 
Accredited Conformity Assessment Body for any charges by that 
Accredited Conformity Assessment Body related to requirements under 
this final rule, as it would be responsible for NTIS' auditing costs 
under the Act.
    Section 1110.200(a)(2) and (b) of the final rule set out the 
penalties for unauthorized disclosures or uses of the Limited Access 
DMF. Each individual unauthorized disclosure is punishable by a fine of 
$1,000, payable to the United States Treasury. However, the total 
amount of the penalty imposed under this part on any Person for any 
calendar year shall not exceed $250,000, unless such Person's 
disclosure or use is determined to be willful or intentional. A 
disclosure or use is considered willful when it is a ``voluntary, 
intentional violation of a known legal duty.'' See U.S. v. Pomponio, 
429 US 10 (1976) (holding that for purposes of interpreting the 
criminal tax provisions of the Internal Revenue Code, the term 
``willful'' means a voluntary, intentional violation of a known legal 
duty).
    The final rule's Sec.  1110.300 establishes the procedures to 
appeal a denial or revocation of certification, or the imposition of 
penalties for violating the Act. An administrative appeal must be 
filed, in writing, within 30 days (or such longer period as the 
Director of NTIS may, for good cause shown in writing, establish in any 
case) after receiving a notice of denial, revocation or imposition of 
penalties. Appeals are to be directed to the Director of NTIS. Any such 
appeal must set forth the following: The name, street address, email 
address and telephone number of the Person seeking review; a copy of 
the notice of denial or revocation of certification, or the imposition 
of penalty, from which appeal is taken; a statement of arguments, 
together with any supporting facts or information, concerning the basis 
upon which the denial or revocation of certification, or the imposition 
of penalty, should be reversed; and a request for hearing of oral 
argument before a representative of the Director, if desired.
    Section 1110.300(a)-(d) sets forth the procedures for an 
administrative appeal. Under Sec.  1110.300(c), a Person may, but need 
not, retain an attorney to represent such Person in an appeal. A Person 
must designate an attorney by submitting to the Director of NTIS a 
written power of attorney. If a hearing is requested, the Person (or 
the Person's designated attorney) and a representative of NTIS familiar 
with the notice from which appeal has been taken will present oral 
arguments which, unless otherwise ordered before the hearing begins, 
will be limited to thirty minutes for each side. A Person need not 
retain an attorney or request an oral hearing to secure full 
consideration of the facts and the Person's arguments. Where no hearing 
is requested, the Director shall review the case and issue a decision, 
as set out below.
    Under Sec.  1110.300(e), the Director of NTIS shall issue a 
decision on the matter within 120 days after a hearing, or, if no 
hearing was requested, within 90 days of receiving the letter of 
appeal. In making decisions on appeal, the Director shall consider the 
arguments and statements of fact and information in the Person's 
appeal, and made at the oral argument hearing, if such was requested, 
but the Director at his or her discretion and with due respect for the

[[Page 34889]]

rights and convenience of the Person and the agency, may call for 
further statements on specific questions of fact, or may request 
additional evidence in the form of affidavits on specific facts in 
dispute. An appellant may seek reconsideration of the decision, but 
must do so in writing, and the request for reconsideration must be 
received within 30 days of the Director's decision or within such an 
extension of time thereof as may be set by the Director of NTIS before 
the original period expires. A decision shall become final either after 
the 30-day period for requesting reconsideration expires and no request 
has been submitted, or on the date of final disposition of a decision 
on a petition for reconsideration.
    Under Sec.  1110.500 of the final rule, an Accredited Conformity 
Assessment Body must be independent of the Person or Certified Person 
seeking certification, unless it is a third party conformity assessment 
body which a Certified Person has qualified for ``firewalled'' status 
pursuant to Sec.  1110.502, and must itself be accredited by a 
recognized accreditation body. The requirement for independence from 
the Person seeking certification, or from the Certified Person seeking 
renewal or subject to audit, is important to ensure integrity of any 
assessment and attestation or audit. The final rule provides that an 
Accredited Conformity Assessment Body must be an independent third 
party conformity assessment body that is not owned, managed, or 
controlled by a Person or Certified Person that is the subject of 
attestation or audit by the Accredited Conformity Assessment Body, 
except where the third party conformity assessment body qualifies for 
``firewalled'' status under Sec.  1110.502.
    Accordingly, under the final rule, a Person or Certified Person is 
considered to own, manage, or control a third party conformity 
assessment body if the Person or Certified Person holds a 10 percent or 
greater ownership interest, whether direct or indirect, in the third 
party conformity assessment body; if the third party conformity 
assessment body and the Person or Certified Person are owned by a 
common ``parent'' entity; if the Person or Certified Person has the 
ability to appoint a majority of the third party conformity assessment 
body's senior internal governing body, the ability to appoint the 
presiding official of the third party conformity assessment body's 
senior internal governing body, and/or the ability to hire, dismiss, or 
set the compensation level for third party conformity assessment body 
personnel; or if the third party conformity assessment body is under a 
contract to the Person or Certified Person that explicitly limits the 
services the third party conformity assessment body may perform for 
other customers and/or explicitly limits which or how many other 
entities may also be customers of the third party conformity assessment 
body.
    In order for NTIS to accept an attestation as to, or audit of, a 
Person or Certified Person submitted to NTIS under the final rule, the 
Accredited Conformity Assessment Body must attest that it is 
independent of that Person or Certified Person. The Accredited 
Conformity Assessment Body also must attest that it has read, 
understood, and agrees to the regulations as set forth in the final 
rule. The Accredited Conformity Assessment Body must also attest that 
it is accredited to ISO/IEC Standard 27006-2011 ``Information 
technology--Security techniques--Requirements for bodies providing 
audit and certification of information security management systems,'' 
or to another nationally or internationally recognized standard for 
bodies providing audit and certification of information security 
management systems. The Accredited Conformity Assessment Body must also 
attest that the scope of its accreditation encompasses the safeguarding 
and security requirements as set forth in the final rule.
    Where review or assessment or audit by an Accredited Conformity 
Assessment Body was not conducted specifically or solely for the 
purpose of submission under this part, the final rule requires that the 
written attestation or assessment report (if an audit) describe the 
nature of that review or assessment or audit, and that the Accredited 
Conformity Assessment Body attest that on the basis of such review or 
assessment or audit, the Person or Certified Person has systems, 
facilities, and procedures in place to safeguard Limited Access DMF as 
required under Sec.  1110.102(a)(2).
    While NTIS will normally accept written attestations and assessment 
reports from an Accredited Conformity Assessment Body that attests, to 
the satisfaction of NTIS, as provided in Sec.  1110.503 of the final 
rule, the final rule also provides that NTIS may decline to accept 
written attestations or assessment reports from an Accredited 
Conformity Assessment Body, whether or not it has attested as provided 
in Sec.  1110.503, for any of the following reasons: when NTIS 
determines that doing so is in the public interest under Section 203 of 
the Bipartisan Budget Act of 2013, and notwithstanding any other 
provision of these regulations; submission of false or misleading 
information concerning a material fact(s) in an Accredited Conformity 
Assessment Body's attestation under Sec.  1110.503; knowing submission 
of false or misleading information concerning a material fact(s) in an 
attestation or assessment report by an Accredited Conformity Assessment 
Body of a Person or Certified Person; failure of an Accredited 
Conformity Assessment Body to cooperate (as defined in this section) in 
response to a request from NTIS to verify the accuracy, veracity, and/
or completeness of information received in connection with an 
attestation under Sec.  1110.503 or an attestation or assessment report 
by that Body of a Person or Certified Person; or where NTIS is unable 
for any reason to verify the accuracy of the Accredited Conformity 
Assessment Body's attestation.
    In addition, with respect to audits under the final rule, NTIS may 
in its discretion decline to accept an attestation or assessment report 
conducted for other purposes, and may conduct or require that an 
Accredited Conformity Assessment Body conduct a review solely for the 
purpose of the final rule.

Executive Order 12866

    This final rule has been determined to be significant as that term 
is defined in Executive Order 12866.

Executive Order 13132

    A rule has implications for federalism under Executive Order 13132, 
Federalism, if it has a substantial direct effect on State or local 
governments and would either preempt State law or impose a substantial 
direct cost of compliance on States or localities. NTIS has analyzed 
this rule under that Order and has determined that it does not have 
implications for federalism.

Final Regulatory Flexibility Analysis

    The Regulatory Flexibility Act of 1980, as amended, (RFA), requires 
agencies to analyze impacts of regulatory actions on small entities 
(businesses, non-profit organizations, and governments), and to 
consider alternatives that minimize such impacts while achieving 
regulatory objectives. Agencies must first conduct a threshold analysis 
to determine whether regulatory actions are expected to have 
significant economic impact on a substantial number of small entities. 
If the threshold analysis indicates a significant economic impact on a 
substantial number of small entities, an initial regulatory flexibility 
analysis must be produced and made available

[[Page 34890]]

for public review and comment along with the proposed regulatory 
action. A final regulatory flexibility analysis that considers public 
comments must then be produced and made publicly available with the 
final regulatory action.
    An Initial Regulatory Flexibility Act Analysis (``IRFA'') was 
incorporated into the NTIS proposed rule. NTIS sought written public 
comment on the proposed rule, including comment on the IRFA. This Final 
Regulatory Flexibility Act Analysis (``FRFA'') conforms to the RFA, and 
incorporates the IRFA pursuant to Section 603 and comments received, to 
analyze the impact that this final rule will have on small entities.

Description of the Reasons Why Action Is Being Considered

    The policy reasons for issuing this rule are discussed in the 
preamble of this document, and not repeated here.

Statement of the Objectives of, and Legal Basis for, the Rule; 
Identification of All Relevant Federal Rules Which May Duplicate, 
Overlap, or Conflict With the Rule

    The legal basis for this rule is Section 203 of the Bipartisan 
Budget Act of 2013, Pub. L. 113-67, codified at 42 U.S.C. 1306c (the 
Act). The rule, which replaces NTIS' interim final rule, implements the 
Act, which requires the Secretary of Commerce to create a program to 
certify that persons given access to the Limited Access DMF satisfy the 
statutory requirements for accessing that information. Accordingly, 
this rule creates a permanent program for certifying persons eligible 
to access Limited Access DMF. It requires that Certified Persons 
annually re-certify as eligible to access the Limited Access DMF, and 
that they agree to be subject to scheduled and unscheduled audits. The 
rule also sets out the penalties for violating the Act's disclosure 
provisions, establishes a process to appeal penalties or revocations of 
certification, and adopts a fee program for the certification program, 
audits, and appeals.
    When this final rule becomes effective, it will replace the interim 
final rule promulgated by NTIS to establish a Temporary Certification 
Program, in order to avoid the complete loss of access to the Limited 
Access DMF when the Act became effective. No other rules duplicate, 
overlap, or conflict with this rule.

Number and Description of Small Entities Regulated by the Action

    The final rule applies to all persons seeking to become certified 
to obtain the Limited Access DMF from NTIS. The entities affected by 
this rule could include banks and other financial institutions, pension 
plans, health research institutes or companies, state and local 
governments, information companies, and similar research services, and 
others not identified. Many of the impacted entities likely are 
considered ``large'' entities under the applicable United States Small 
Business Administration (SBA) size standards. The SBA defines a ``small 
business'' (or ``small entity'') as one with annual revenue that meets 
or is below an established size standard. The SBA ``small business'' 
size standard is $550 million in annual revenue for Commercial Banking, 
Savings Institutions, Credit Unions, and Credit Card Issuing (North 
American Industry Code (NAICS) 522110, 522120, 522130, and 522210). The 
size standard is $38.5 million for Consumer Lending and Trust, 
Fiduciary and Custody Activities, and Direct Health and Medical 
Insurance Carriers (NAICS 52291, 523991, and 524114), $7.5 million for 
Mortgage and Nonmortgage Loan Brokers, and Insurance Agencies and 
Brokerages (NAICS 522310, and 524210), and $32.5 million for Third 
Party Administration of Insurance and Pension Funds (NAICS 524292). 
NTIS anticipates that this rule will have an impact on various small 
entities.

Projected Reporting, Recordkeeping and Other Compliance Requirements of 
the Rule

    Under this final rule, a ``Limited Access Death Master File (LADMF) 
Systems Safeguards Attestation Form'' would require Accredited 
Conformity Assessment Bodies to attest that a Person seeking to be 
certified to access Limited Access DMF has systems, facilities, and 
procedures in place as required under Sec.  1110.102(a)(ii) of the 
rule. NTIS estimates that the type of professional skills necessary for 
the preparation of an attestation will be those of a senior auditor at 
an Accredited Conformity Assessment Body, to conduct an assessment 
under the rule.

Steps NTIS Has Taken To Minimize the Significant Economic Impact on 
Small Entities

    NTIS carefully considered a number of alternatives to ensure 
compliance with the safeguarding requirements of Section 203 of the 
Act. These alternatives included requiring all Persons desiring to 
become certified to comply with the same requirements as those set 
forth in Section 6103(p)(4) of the Internal Revenue Code; Section 
203(b)(2)(C) of the Act recites that a Certified Person ``satisfy the 
requirements of such section 6103(p)(4) as if such section applied to 
such person.'' Such a requirement would have had a very significant 
impact on small entities. As pointed out in some comments on the 
proposed rule, some of the provisions of section 6103(p)(4) would have 
been extremely burdensome, because, for example, in contrast to Federal 
Tax Information, Limited Access DMF under Section 203 is not subject to 
restriction when beyond the three-calendar-year period following the 
date of death.
    Accordingly, NTIS rejected this burdensome alternative, and the 
final rule instead requires Persons to certify that they have systems, 
facilities, and procedures in place that are ``reasonably similar to'' 
those required by section 6103(p)(4) of the IRC in order to become 
Certified Persons. This interpretation allows NTIS to meet the interest 
of protecting personal data generally and deterring fraud, while also 
allowing NTIS to set the data integrity standards appropriate to 
safeguard Limited Access DMF specifically, and lessens the burden on 
small entities which, as noted by a number of commenters, tend not to 
have in place some more advanced information system controls.
    NTIS carefully considered, but rejected, the alternative of 
requiring Certified Persons to undergo audits annually for the purpose 
of re-certification. This alternative would have necessitated that a 
Certified Person bear the expense of assessment for the purpose of 
attestation by a third party Accredited Conformity Assessment Body each 
year as part of the annual re-certification process under the rule. 
Based on consultations with NIST subject matter experts, NTIS concluded 
instead that a limitation of three years is appropriate as to frequency 
for assessments for the security and safeguarding of information and 
information systems, thus lessening the economic impact on small 
entities under the rule.
    NTIS carefully considered, but rejected, the suggestion by a 
commenter that NTIS itself should accredit third party Accredited 
Conformity Assessment Bodies. This would have required that NTIS 
independently develop government-specific accreditation expertise and 
capacity. Because the Act requires NTIS to obtain full cost recovery, 
the cost of such an

[[Page 34891]]

effort would have to be borne by Certified Persons, including small 
entities. This would have been inefficient as well as burdensome. 
Instead, the final rule provides that an Accredited Conformity 
Assessment Body attest that it is accredited to a nationally or 
internationally recognized standard for bodies providing audit and 
certification of information security management systems, and that the 
scope of its accreditation encompasses the information safeguarding and 
security requirements as set forth in the rule.
    NTIS carefully considered, and rejected, a proposed requirement 
that Persons desiring to become certified under the rule be limited to 
program-specific assessments and audits carried out by third party 
Accredited Conformity Assessment Bodies. This requirement would have 
necessitated that any Person, including a Person otherwise subject to 
periodic audit and assessment in the normal course of such Person's 
business, bear the burden of an additional program-specific audit or 
assessment for the purposes of the rule. NTIS, however, in consultation 
with NIST subject matter experts, considered and adopted a less 
burdensome approach: Provided that a routine assessment or audit of a 
Person would permit an Accredited Conformity Assessment Body to attest 
that such Person has systems, facilities, and procedures in place to 
safeguard Limited Access DMF as required under Sec.  1110.102(a)(2) of 
the final rule, albeit carried out for a purpose other than 
certification under the rule, NTIS will accept an attestation in 
support of a Person's certification with respect to the requirements 
under Sec.  1110.102(a)(ii) of the rule, as well as in support of the 
renewal of a Certified Person's certification. Thus, under the final 
rule, an Accredited Conformity Assessment Body's review or assessment 
need not have been conducted specifically or solely for the purpose of 
submission of an attestation under the rule, reducing the economic 
impact that the rejected alternative would have been imposed on small 
entities.
    NTIS carefully considered, but rejected, the alternative of 
requiring that a first Certified Person who discloses Limited Access 
DMF to a second Certified Person be subject to penalty under the rule 
where, through no fault of the first Certified Person, the second 
Certified Person is determined to be subject to penalty under the rule. 
This alternative would have exposed to penalty under the rule a first 
Certified Person, who disclosed Limited Access DMF to another Person 
certified by NTIS, even absent any violation by the first Certified 
Person. Instead, the Final Rule provides for a ``safe harbor'' that 
exempts from penalty a first Certified Person who discloses LADMF to a 
second Certified Person, where the first Certified Person's liability 
rests solely on the fact that the second Certified Person has been 
determined to be subject to penalty. The less burdensome approach 
chosen by NTIS will reduce the potential economic impact on Certified 
Persons, including those that are small entities, under such 
circumstances.
    Based on its analysis, NTIS estimates that the rule reflects 
alternatives placing the least economic impact on small entities, and 
that the rule will not disproportionately impact small entities as 
opposed to large ones.

Paperwork Reduction Act

    Notwithstanding any other provision of law, no person is required 
to comply with, and neither shall any person be subject to penalty for 
failure to comply with, a collection of information subject to the 
requirements of the Paperwork Reduction Act, unless that collection of 
information displays a currently valid OMB Control Number.
    This final rule contains collection of information requirements 
subject to review and approval by OMB under the Paperwork Reduction Act 
(PRA). Approval from OMB will be obtained prior to the final rule 
becoming effective and prior to the collection of such information, 
except that NTIS will continue to collect information already approved 
by OMB under OMB Control No. 0692-0013.

List of Subjects in 15 CFR Part 1110

    Administrative appeal, Certification program, Fees, Imposition of 
penalty.

    Dated: May 23, 2016.
Bruce Borzino,
 Director.

    For reasons set forth in the preamble, the National Technical 
Information Service amends 15 CFR part 1110 as follows:

PART 1110--CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER 
FILE

0
1. The authority for part 1110 continues to read as follows:

    Authority: Pub. L. 113-67, Sec. 203.


0
2. Amend Sec.  1110.2 by:
0
a. Adding, in alphabetical order, the definition, ``Accredited 
Conformity Assessment Body;'' and
0
b. Revising the definitions of ``Limited Access DMF'' and ``Person''.
    The addition and revision read as follows:


Sec.  1110.2  Definitions used in this part.

* * * * *
    Accredited Conformity Assessment Body. A third party conformity 
assessment body that is accredited by an accreditation body under 
nationally or internationally recognized criteria such as, but not 
limited to, International Organization for Standardization (ISO)/
International Electrotechnical Commission (IEC) 27006-2011, 
``Information technology--Security techniques--Requirements for bodies 
providing audit and certification of information security management 
systems,'' to attest that a Person or Certified Person has systems, 
facilities and procedures in place to safeguard Limited Access DMF.
* * * * *
    Limited Access DMF. The DMF product made available by NTIS which 
includes DMF with respect to any deceased individual at any time during 
the three-calendar-year period beginning on the date of the 
individual's death. As used in this part, Limited Access DMF does not 
include an individual element of information (name, social security 
number, date of birth, or date of death) in the possession of a Person, 
whether or not certified, but obtained by such Person through a source 
independent of the Limited Access DMF. If a Person obtains, or a third 
party subsequently provides to such Person, death information (i.e., 
the name, social security account number, date of birth, or date of 
death) independently, such information in the possession of such Person 
is not part of the Limited Access DMF or subject to this part.
* * * * *
    Person. Includes corporations, companies, associations, firms, 
partnerships, societies, joint stock companies, and other private 
organizations, and state and local government departments and agencies, 
as well as individuals.

0
3. Revise the section heading of Sec.  1110.100 to read as follows:


Sec.  1110.100  Scope; term.

* * * * *

0
4. Revise Sec.  1110.101 to read as follows:


Sec.  1110.101  Submission of certification; attestation.

    (a) In order to become certified under the certification program 
established under this part, a Person must submit a completed 
certification statement and any required documentation, using the

[[Page 34892]]

most current version of the Limited Access Death Master File Subscriber 
Certification Form, and its accompanying instructions at https://dmf.ntis.gov, together with the required fee.
    (b) In addition to the requirements under paragraph (a) of this 
section, in order to become certified, a Person must submit a written 
attestation from an Accredited Conformity Assessment Body that such 
Person has systems, facilities, and procedures in place as required 
under Sec.  1110.102(a)(2). Such attestation must be based on the 
Accredited Conformity Assessment Body's review or assessment conducted 
no more than three years prior to the date of submission of the 
Person's completed certification statement, but such review or 
assessment need not have been conducted specifically or solely for the 
purpose of submission under this part.

0
5. Amend Sec.  1110.102 by revising paragraphs (a)(2), (3), and (4) to 
read as follows:


Sec.  1110.102  Certification.

* * * * *
    (a) * * *
    (2) Such Person has systems, facilities, and procedures in place to 
safeguard the accessed information, and experience in maintaining the 
confidentiality, security, and appropriate use of accessed information, 
pursuant to requirements reasonably similar to the requirements of 
section 6103(p)(4) of the Internal Revenue Code of 1986;
    (3) Such Person agrees to satisfy such similar requirements; and
    (4) Such Person shall not, with respect to Limited Access DMF of 
any deceased individual:
    (i) Disclose such deceased individual's Limited Access DMF to any 
person other than a person who meets the requirements of paragraphs 
(a)(1) through (3) of this section;
    (ii) Disclose such deceased individual's Limited Access DMF to any 
person who uses the information for any purpose other than a legitimate 
fraud prevention interest or a legitimate business purpose pursuant to 
a law, governmental rule, regulation, or fiduciary duty;
    (iii) Disclose such deceased individual's Limited Access DMF to any 
person who further discloses the information to any person other than a 
person who meets the requirements of paragraphs (a)(1) through (3) of 
this section; or
    (iv) Use any such deceased individual's Limited Access DMF for any 
purpose other than a legitimate fraud prevention interest or a 
legitimate business purpose pursuant to a law, governmental rule, 
regulation, or fiduciary duty.
* * * * *

0
6. In subpart B of part 1110, add Sec. Sec.  1110.103, 1110.104, and 
1110.105 to read as follows:


Sec.  1110.103  Disclosure to a certified person.

    Disclosure by a Person certified under this part of Limited Access 
DMF to another Person certified under this part shall be deemed to 
satisfy the disclosing Person's obligation to ensure compliance with 
Sec.  1110.102(a)(4)(i) through (iii).


Sec.  1110.104  Revocation of certification.

    False certification as to any element of Sec.  1110.102(a)(1) 
through (4) shall be grounds for revocation of certification, in 
addition to any other penalties at law. A Person properly certified who 
thereafter becomes aware that the Person no longer satisfies one or 
more elements of Sec.  1110.102(a) shall promptly inform NTIS thereof 
in writing.


Sec.  1110.105  Renewal of certification.

    (a) A Certified Person may renew its certification status by 
submitting, on or before the date of expiration of the term of its 
certification, a completed certification statement in accordance with 
Sec.  1110.101, together with the required fee, indicating on the form 
NTIS FM161 that it is a renewal, and also indicating whether or not 
there has been any change in any basis previously relied upon for 
certification.
    (b) Except as may otherwise be required by NTIS, where a Certified 
Person seeking certification status renewal has, within a three-year 
period preceding submission under paragraph (a) of this section, 
previously submitted a written attestation under Sec.  1110.101(b), or 
has within such period been subject to a satisfactory audit under Sec.  
1110.201, such Certified Person shall so indicate on the form NTIS 
FM161, and shall not be required to submit a written attestation under 
Sec.  1110.101(b).
    (c) A Certified Person who submits a certification statement, 
attestation (if required) and fee pursuant to paragraph (a) of this 
section shall continue in Certified Person status pending notification 
of renewal or non-renewal from NTIS.
    (d) A Person who is a Certified Person before November 28, 2016 
shall be considered a Certified Person under this part, and shall 
continue in Certified Person status until the date which is one year 
from the date of acceptance of such Person's certification by NTIS 
under the Temporary Certification Program, provided that if such 
expiration date falls on a weekend or a federal holiday, the term of 
certification shall be considered to extend to the next business day.

0
7. Revise Sec.  1110.200 to read as follows:


Sec.  1110.200  Imposition of penalty.

    (a) General. (1) Any Person certified under this part who receives 
Limited Access DMF, and who:
    (i) Discloses Limited Access DMF to any person other than a person 
who meets the requirements of Sec.  1110.102(a)(1) through (3);
    (ii) Discloses Limited Access DMF to any person who uses the 
Limited Access DMF for any purpose other than a legitimate fraud 
prevention interest or a legitimate business purpose pursuant to a law, 
governmental rule, regulation, or fiduciary duty;
    (iii) Discloses Limited Access DMF to any person who further 
discloses the Limited Access DMF to any person other than a person who 
meets the requirements of Sec.  1110.102(a)(1) through (3); or
    (iv) Uses any such Limited Access DMF for any purpose other than a 
legitimate fraud prevention interest or a legitimate business purpose 
pursuant to a law, governmental rule, regulation, or fiduciary duty; 
and
    (2) Any Person to whom such Limited Access DMF is disclosed, 
whether or not such Person is certified under this part, who further 
discloses or uses such Limited Access DMF as described in paragraphs 
(a)(1)(i) through (iv) of this section, shall pay to the General Fund 
of the United States Department of the Treasury a penalty of $1,000 for 
each such disclosure or use, and, if such Person is certified, shall be 
subject to having such Person's certification revoked.
    (b) Limitation on penalty. The total amount of the penalty imposed 
under this part on any Person for any calendar year shall not exceed 
$250,000, unless such Person's disclosure or use is determined to be 
willful or intentional. For the purposes of this part, a disclosure or 
use is willful when it is a ``voluntary, intentional violation of a 
known legal duty.''
    (c) Disclosure to a Certified Person. No penalty shall be imposed 
under paragraphs (a)(1)(i) through (iii) of this section on a first 
Certified Person who discloses, to a second Certified Person, Limited 
Access DMF, where the sole basis for imposition of penalty on such 
first Certified Person is that such second

[[Page 34893]]

Certified Person has been determined to be subject to penalty under 
this part.

0
8. Revise Sec.  1110.201 to read as follows:


Sec.  1110.201  Audits.

    Any Person certified under this part shall, as a condition of 
certification, agree to be subject to audit by NTIS, or, at the request 
of NTIS, by an Accredited Conformity Assessment Body, to determine the 
compliance by such Person with the requirements of this part. NTIS may 
conduct, or request that an Accredited Conformity Assessment Body 
conduct, periodic scheduled and unscheduled audits of the systems, 
facilities, and procedures of any Certified Person relating to such 
Certified Person's access to, and use and distribution of, the Limited 
Access DMF. NTIS may conduct, or request that an Accredited Conformity 
Assessment Body conduct, field audits (during regular business hours) 
or desk audits of a Certified Person. Failure of a Certified Person to 
submit to or cooperate fully with NTIS, or with an Accredited 
Conformity Assessment Body acting pursuant to this section, in its 
conduct of an audit, or to pay an audit fee to NTIS, will be grounds 
for revocation of certification.

Subpart E--[Redesignated as Subpart E]

0
9. Redesignate subpart D as subpart E.
0
10. Add new subpart D to read as follows:
Subpart D--Administrative Appeal
Sec.
1110.3000 Appeal.

Subpart D--Administrative Appeal


Sec.  1110.300  Appeal.

    (a) General. Any Person adversely affected or aggrieved by reason 
of NTIS denying or revoking such Person's certification under this 
part, or imposing upon such Person under this part a penalty, may 
obtain review by filing, within 30 days (or such longer period as the 
Director of NTIS may, for good cause shown in writing, fix in any case) 
after receiving notice of such denial, revocation or imposition, an 
administrative appeal to the Director of NTIS.
    (b) Form of appeal. An appeal shall be submitted in writing to 
Director, National Technical Information Service, at NTIS's current 
mailing address as found on its Web site: www.ntis.gov., ATTENTION DMF 
APPEAL, and shall include the following:
    (1) The name, street address, email address and telephone number of 
the Person seeking review;
    (2) A copy of the notice of denial or revocation of certification, 
or the imposition of penalty, from which appeal is taken;
    (3) A statement of arguments, together with any supporting facts or 
information, concerning the basis upon which the denial or revocation 
of certification, or the imposition of penalty, should be reversed;
    (4) A request for hearing of oral argument before the Director, if 
desired.
    (c) Power of attorney. A Person may, but need not, retain an 
attorney to represent such Person in an appeal. A Person shall 
designate any such attorney by submitting to the Director of NTIS a 
written power of attorney.
    (d) Hearing. If requested in the appeal, a date will be set for 
hearing of oral argument before a representative of the Director of 
NTIS, by the Person or the Person's designated attorney, and a 
representative of NTIS familiar with the notice from which appeal has 
been taken. Unless it shall be otherwise ordered before the hearing 
begins, oral argument will be limited to thirty minutes for each side. 
A Person need not retain an attorney or request an oral hearing to 
secure full consideration of the facts and the Person's arguments.
    (e) Decision. After a hearing on the appeal, if a hearing was 
requested, the Director of NTIS shall issue a decision on the matter 
within 120 days, or, if no hearing was requested, within 90 days of 
receiving the appeal. The decision of the Director of NTIS shall be 
made after consideration of the arguments and statements of fact and 
information in the Person's appeal, and the hearing of oral argument if 
a hearing was requested, but the Director of NTIS at his or her 
discretion and with due respect for the rights and convenience of the 
Person and the agency, may call for further statements on specific 
questions of fact or may request additional evidence in the form of 
affidavits on specific facts in dispute. After the original decision is 
issued, an appellant shall have 30 days (or a date as may be set by the 
Director of NTIS before the original period expires) from the date of 
the decision to request a reconsideration of the matter. The Director's 
decision becomes final 30 days after being issued, if no request for 
reconsideration is filed, or on the date of final disposition of a 
decision on a petition for reconsideration.

0
11. Revise newly redesignated subpart E to read as follows:
Subpart E--Fees
Sec.
1110.400 Fees.

Subpart E--Fees


Sec.  1110.400  Fees.

    Fees sufficient to cover (but not to exceed) all costs to NTIS 
associated with evaluating Certification Forms and auditing, 
inspecting, and monitoring certified persons under the certification 
program established under this part, as well as appeals, will be 
published (as periodically reevaluated and updated by NTIS) and 
available at https://dmf.ntis.gov. NTIS will not set fees for 
attestations or audits by an Accredited Conformity Assessment Body.

0
12. Add subpart F to read as follows:
Subpart F--Accredited Conformity Assessment Bodies
Sec.
1110.500 Accredited conformity assessment bodies.
1110.501 Independent.
1110.502 Firewalled.
1110.503 Attestation by accredited conformity assessment body.
1110.504 Acceptance of accredited conformity assessment bodies.

Subpart F--Accredited Conformity Assessment Bodies


Sec.  1110.500  Accredited conformity assessment bodies.

    This subpart describes Accredited Conformity Assessment Bodies and 
their accreditation for third party attestation and auditing of the 
information safeguarding requirement for certification of Persons under 
this part. NTIS will accept an attestation or audit of a Person or 
Certified Person from an Accredited Conformity Assessment Body that is:
    (a) Independent of that Person or Certified Person; or
    (b) Is firewalled from that Person or Certified Person, and that in 
either instance is itself accredited by a nationally or internationally 
recognized accreditation body.


Sec.  1110.501  Independent.

    (a) An Accredited Conformity Assessment Body that is an independent 
third party conformity assessment body is one that is not owned, 
managed, or controlled by a Person or Certified Person that is the 
subject of attestation or audit by the Accredited Conformity Assessment 
Body.
    (1) A Person or Certified Person is considered to own, manage, or 
control a third party conformity assessment body if any one of the 
following characteristics applies:
    (i) The Person or Certified Person holds a 10 percent or greater 
ownership interest, whether direct or indirect, in

[[Page 34894]]

the third party conformity assessment body. Indirect ownership interest 
is calculated by successive multiplication of the ownership percentages 
for each link in the ownership chain;
    (ii) The third party conformity assessment body and the Person or 
Certified Person are owned by a common ``parent'' entity;
    (iii) The Person or Certified Person has the ability to appoint a 
majority of the third party conformity assessment body's senior 
internal governing body (such as, but not limited to, a board of 
directors), the ability to appoint the presiding official (such as, but 
not limited to, the chair or president) of the third party conformity 
assessment body's senior internal governing body, and/or the ability to 
hire, dismiss, or set the compensation level for third party conformity 
assessment body personnel; or
    (iv) The third party conformity assessment body is under a contract 
to the Person or Certified Person that explicitly limits the services 
the third party conformity assessment body may perform for other 
customers and/or explicitly limits which or how many other entities may 
also be customers of the third party conformity assessment body.
    (2) A state or local government office of Inspector General or 
Auditor General and a Person or Certified Person that is a department 
or agency of the same state or local government, respectively, are not 
considered to be owned by a common ``parent'' entity under paragraph 
(a)(1)(ii) of this section.
    (b) [Reserved]


Sec.  1110.502  Firewalled.

    (a) A third party conformity assessment body must apply to NTIS for 
firewalled status if it is owned, managed, or controlled by a Person or 
Certified Person that is the subject of attestation or audit by the 
Accredited Conformity Assessment Body, applying the characteristics set 
forth under Sec.  1110.501(a)(1).
    (b) The application for firewalled status of a third party 
conformity assessment body under paragraph (a) of this section will be 
accepted by NTIS where NTIS finds that:
    (1) Acceptance of the third party conformity assessment body for 
firewalled status would provide equal or greater assurance that the 
Person or Certified Person has information security systems, 
facilities, and procedures in place to protect the security of the 
Limited Access DMF than would the Person's or Certified Person's use of 
an independent third party third party conformity assessment body; and
    (2) The third party conformity assessment body has established 
procedures to ensure that:
    (i) Its attestations and audits are protected from undue influence 
by the Person or Certified Person that is the subject of attestation or 
audit by the Accredited Conformity Assessment Body, or by any other 
interested party;
    (ii) NTIS is notified promptly of any attempt by the Person or 
Certified Person that is the subject of attestation or audit by the 
third party conformity assessment body, or by any other interested 
party, to hide or exert undue influence over an attestation, assessment 
or audit; and
    (iii) Allegations of undue influence may be reported confidentially 
to NTIS. To the extent permitted by Federal law, NTIS will undertake to 
protect the confidentiality of witnesses reporting allegations of undue 
influence.
    (c) NTIS will review each application and may contact the third 
party conformity assessment body with questions or to request 
submission of missing information, and will communicate its decision on 
each application in writing to the applicant, which may be by 
electronic mail.


Sec.  1110.503  Attestation by accredited conformity assessment body.

    (a) In any attestation or audit of a Person or Certified Person 
that will be submitted to NTIS under this part, an Accredited 
Conformity Assessment Body must attest that it is independent of that 
Person or Certified Person. The Accredited Conformity Assessment Body 
also must attest that it has read, understood, and agrees to the 
regulations in this part. The Accredited Conformity Assessment Body 
must also attest that it is accredited to a nationally or 
internationally recognized standard such as the ISO/IEC Standard 27006-
2011 ``Information technology--Security techniques--Requirements for 
bodies providing audit and certification of information security 
management systems,'' or any other similar nationally or 
internationally recognized standard for bodies providing audit and 
certification of information security management systems. The 
Accredited Conformity Assessment Body must also attest that the scope 
of its accreditation encompasses the safeguarding and security 
requirements as set forth in this part.
    (b) Where a Person seeks certification, or where a Certified Person 
seeks renewal of certification or is audited under this part, an 
Accredited Conformity Assessment Body may provide written attestation 
that such Person or Certified Person has systems, facilities, and 
procedures in place as required under Sec.  1110.102(a)(2). Such 
attestation must be based on the Accredited Conformity Assessment 
Body's review or assessment conducted no more than three years prior to 
the date of submission of the Person's or Certified Person's completed 
certification statement, and, if an audit of a Certified Person by an 
Accredited Conformity Assessment Body is required by NTIS, no more than 
three years prior to the date upon which NTIS notifies the Certified 
Person of NTIS's requirement for audit, but such review or assessment 
or audit need not have been conducted specifically or solely for the 
purpose of submission under this part.
    (c) Where review or assessment or audit by an Accredited Conformity 
Assessment Body was not conducted specifically or solely for the 
purpose of submission under this part, the written attestation or 
assessment report (if an audit) shall describe the nature of that 
review or assessment or audit, and the Accredited Conformity Assessment 
Body shall attest that on the basis of such review or assessment or 
audit, the Person or Certified Person has systems, facilities, and 
procedures in place as required under Sec.  1110.102(a)(2).
    (d) Notwithstanding paragraphs (a) through (c) of this section, 
NTIS may, in its sole discretion, require that review or assessment or 
audit by an Accredited Conformity Assessment Body be conducted 
specifically or solely for the purpose of submission under this part.


Sec.  1110.504  Acceptance of accredited conformity assessment bodies.

    (a) NTIS will accept written attestations and assessment reports 
from an Accredited Conformity Assessment Body that attests, to the 
satisfaction of NTIS, as provided in Sec.  1110.503.
    (b) NTIS may decline to accept written attestations or assessment 
reports from an Accredited Conformity Assessment Body, whether or not 
it has attested as provided in Sec.  1110.503, for any of the following 
reasons:
    (1) When it is in the public interest under Section 203 of the 
Bipartisan Budget Act of 2013, and notwithstanding any other provision 
of this part;
    (2) Submission of false or misleading information concerning a 
material fact(s) in an Accredited Conformity Assessment Body's 
attestation under Sec.  1110.503;
    (3) Knowing submission of false or misleading information 
concerning a material fact(s) in an attestation or

[[Page 34895]]

assessment report by an Accredited Conformity Assessment Body of a 
Person or Certified Person;
    (4) Failure of an Accredited Conformity Assessment Body to 
cooperate in response to a request from NTIS to verify the accuracy, 
veracity, and/or completeness of information received in connection 
with an attestation under Sec.  1110.503 or an attestation or 
assessment report by that Body of a Person or Certified Person. An 
Accredited Conformity Assessment Body ``fails to cooperate'' when it 
does not respond to NTIS inquiries or requests, or it responds in a 
manner that is unresponsive, evasive, deceptive, or substantially 
incomplete; or
    (5) Where NTIS is unable for any reason to verify the accuracy of 
the Accredited Conformity Assessment Body's attestation.

[FR Doc. 2016-12479 Filed 5-31-16; 8:45 am]
 BILLING CODE P