81 FR 34882 - Certification Program for Access to the Death Master File

DEPARTMENT OF COMMERCE
National Technical Information Service

Federal Register Volume 81, Issue 105 (June 1, 2016)

Page Range: 34882-34895
FR Document: 2016-12479

[Federal Register Volume 81, Number 105 (Wednesday, June 1, 2016)]
[Rules and Regulations]
[Pages 34882-34895]
From the Federal Register Online  [www.thefederalregister.org]
[FR Doc No: 2016-12479]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

National Technical Information Service

15 CFR Part 1110

[Docket Number: 160511004-4999-04]
RIN 0692-AA21


Certification Program for Access to the Death Master File

AGENCY: National Technical Information Service, U.S. Department of 
Commerce.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The National Technical Information Service (NTIS) issues this 
final rule establishing a program through which persons may become 
eligible to obtain access to Death Master File (DMF) information about 
an individual within three years of that individual's death. This final 
rule supersedes and replaces the interim final rule that NTIS 
promulgated following passage of Section 203 of the Bipartisan Budget 
Act of 2013 to provide immediate and ongoing access to persons who 
qualified for temporary certification. The program established under 
this final rule contains some changes from the proposed rule published 
by NTIS.

DATES: This final rule is effective November 28, 2016.

FOR FURTHER INFORMATION CONTACT: Brian Lieberman, Senior Counsel for 
NTIS, at [email protected], or by telephone at 703-605-6404. 
Information about the DMF made available to the public by NTIS may be 
found at https://dmf.ntis.gov.

SUPPLEMENTARY INFORMATION: 

Background

    This final rule is promulgated under Section 203 of the Bipartisan 
Budget Act of 2013, Public Law 113-67 (Act), passed into law on 
December 26, 2013. The Act prohibits the Secretary of Commerce 
(Secretary) from disclosing DMF information during the three-calendar-
year period following an individual's death (referred to as the 
``Limited Access DMF,'' or ``LADMF''), unless the person requesting the 
information has been certified to access that information pursuant to 
certain criteria in a program that the Secretary establishes. The Act 
further requires the Secretary to establish a fee-based program to 
certify Persons for access to LADMF. In addition, it provides for 
penalties for Persons who receive or distribute LADMF without being 
certified or otherwise satisfying the requirements of the Act. The 
Secretary has delegated the authority to carry out Section 203 to the 
Director of NTIS.
    The Act mandated that no person could receive LADMF without 
certification after March 26, 2014 (i.e., 90 days from enactment of the 
Act). NTIS acted promptly to ensure that a suitable certification 
program was in place by that date, and to avoid interruption of access 
by legitimate users of the data. On March 3, 2014, NTIS published a 
Request for Information (RFI) and Advance Notice of Public Meeting on 
the Certification Program for Access to the Death Master File (79 FR 
11735). NTIS held the public meeting, with webcast, on March 4, 2014. 
Written comments received in response to the RFI, and a transcription 
of oral comments submitted at the public meeting, may be viewed at 
https://dmf.nist.gov.
    On March 26, 2014, NTIS published an interim final rule, 
``Temporary Certification Program for Access to the Death Master File'' 
(interim final rule) (79 FR 16668). That rule codified an interim 
approach to implementing the Act's provisions pertaining to the 
certification program and the penalties for violating the Act, and set 
out an interim fee schedule for the program. NTIS published the interim 
final rule in order to provide a mechanism for Persons to access LADMF 
immediately on the effective date prescribed in the Act. Written 
comments received in response to the Interim Final Rule may be viewed 
at http://www.regulations.gov.
    The preambles for both the RFI and the interim final rule set out 
the specific provisions of the Act, and also noted that several Members 
of Congress described their understanding of the purpose and meaning of 
Section 203 during Congressional debate on the Joint Resolution which 
became the Act. Citations to those Member statements were provided in 
the RFI, which also provided background on the component of the DMF, 
which originates from the Social Security Administration, covered by 
Section 203. The interim final rule was established to provide 
immediate access to the LADMF to those users who demonstrated a 
legitimate fraud prevention interest, or a legitimate business purpose 
for the information, and to otherwise delay the release of the LADMF to 
all other users, thereby reducing opportunities for identity theft and 
restricting information sources used to file fraudulent tax returns.
    In addition, in December 2014, NTIS issued an initial public draft 
of ``Limited Access Death Master File (Limited Access DMF) 
Certification Program Publication 100,'' (Publication 100), available 
at https://dmf.ntis.gov. Publication 100 is the NTIS security guideline 
document for persons certified under this final rule. Publication 100 
sets forth suggested security controls, standards and protocols for the 
protection of LADMF in the possession of Certified Persons.
    On December 30, 2014, NTIS published the proposed rule (79 FR 
78314). The proposed rule introduced changes, clarifications and 
additions to the interim final rule, based in part upon comments 
received. For example, the proposed rule introduced a ``safe harbor'' 
provision, Sec.  1110.103, which would exempt a Certified Person from 
penalty for disclosure of LADMF to another Certified Person. The 
proposed rule set forth a provision for review, assessment, audit and 
attestation of a Person's information and information security controls 
by independent, third party conformity assessment bodies. Section 
1110.201 of the proposed rule would permit Certified Persons to provide 
the attestation of an ``Accredited Certification Body'' (as defined in 
Sec.  1110.2) concerning the
adequacy of the Certified Person's ``systems, facilities and procedures 
in place to safeguard DMF information.''
    NTIS requested that all written comments on the proposed rule be 
submitted to Regulations.gov by January 31, 2015. The agency, however, 
received requests to extend the public comment period. In response, on 
January 28, 2015, NTIS published a notice extending the comment period 
until March 30, 2015 (80 FR 4519). Written comments received in 
response to the proposed rule may be viewed at http://www.regulations.gov.

Comments in Response to the Proposed Rule

    In response to the proposed rule, NTIS received 62 written 
comments. The commenters included one foreign government, twenty 
industry and trade associations, five service providers, three 
financial services companies, two insurance companies, four health care 
and medical research organizations and five service providers. The 
remainder of the commenters were primarily individuals, including a 
number identifying themselves as genealogists.
    In preparing this final rule, NTIS has carefully considered all 
comments received in response to the proposed rule. Many commenters 
requested that NTIS provide unrestricted access to LADMF. However, NTIS 
cannot revise the rule to accommodate such comments, since access to 
and use of LADMF is governed by the statutory provisions set forth in 
Section 203 of the Act. A number of commenters requested changes to the 
composition of the DMF itself; however, the composition of the DMF is 
explicitly defined in Section 203(d) of the Act as consisting of ``the 
name, social security account number, date of birth and date of death 
of deceased individuals maintained by the Commissioner of Social 
Security.'' NTIS, therefore, has no discretion to alter the composition 
of the DMF. Some commenters suggested that NTIS should enhance search 
capabilities available to DMF subscribers. NTIS has no present plans to 
alter database search capabilities, but may consider doing so in the 
future. However, NTIS's database search capabilities are not an element 
of this final rule. NTIS also received multiple comments to the effect 
that the proposed subscription cost of the LADMF should be reduced; 
however, Section 203(b)(3) mandates the charge of fees sufficient to 
cover costs associated with the certification program. The 
certification fee that NTIS charges covers the costs of receiving and 
processing applications, including authenticating the statements made 
in the application, and ensuring access to the Limited Access DMF.
    A number of comments were received asserting that some Certified 
Persons need to provide LADMF date of death information in the ordinary 
course of their business, for example, to retirement plans and others 
who have a legal obligation to provide death benefits payments to 
beneficiaries or for other legitimate purposes, and some suggested that 
the rule should specifically provide for the disclosure of date of 
death information alone as an exception to requirement for 
certification. However, as noted above, ``date of death'' is one of the 
four elements (the others being name, social security number, and date 
of birth) expressly set forth in the statutory definition of the term 
``Death Master File'' under the Act, and NTIS is without discretion to 
categorically exclude it through rulemaking. NTIS notes that it 
received no comments suggesting that retirement plans and others having 
a legal obligation to provide death benefits would be unable to 
demonstrate one or more of a legitimate fraud prevention interest, 
business purpose, or fiduciary duty, to qualify for certification or, 
if not certified, that they would be unable to demonstrate, first, that 
they meet the requirements for LADMF access (i.e., the legitimate fraud 
prevention or business purpose and security requirements of Sec.  
1110.102(a)(1), (2), and (3)), and, second, that they would not misuse 
or further disclose LADMF to a person who would either wrongfully use 
LADMF or could not comply with the security requirements set forth in 
Sec.  1110.200(a)(1)(ii) or (iii) respectively. NTIS points out that 
``fact of death,'' i.e., the fact that a person is no longer living, 
confirmation of which was identified by some commenters as important 
for legitimate business purposes, is not an element of the statutory 
definition of the term ``Death Master File,'' and will not be 
considered by NTIS to be equivalent to ``date of death'' under the 
final rule.
    NTIS also notes that the proposed rule would revise the definition 
of ``Limited Access DMF'' to provide that an individual element of 
information (name, social security number, date of birth, or date of 
death) in the possession of a Person, whether or not certified, but 
obtained by such Person through a source independent of the Limited 
Access DMF, would not be considered ``DMF information.'' That revision 
is retained in the final rule, and has been further clarified in 
response to comments. Specifically, NTIS has replaced the term 
``Certified Person'' in the last sentence of the LADMF definition with 
``Person'' to make clear that any Person, whether or not certified, who 
obtains an individual element of information independently is not 
considered to possess ``Limited Access DMF.''
    Comments were received suggesting that, for clarity and simplicity, 
the final rule should refer to the defined term ``Limited Access DMF'' 
to the extent possible. NTIS has incorporated these comments into the 
final rule, including Sec. Sec.  1110.102(a)(4) and 1110.200(a)(1).
    NTIS received comments supporting the provision of the proposed 
rule that would amend Sec.  1110.102(a)(2) and (3) to clarify that, to 
be certified to obtain access to the Limited Access DMF, a Person must 
certify both that the Person has systems, facilities, and procedures in 
place to safeguard the accessed information, and experience in 
maintaining the confidentiality, security, and appropriate use of 
accessed information, pursuant to requirements similar to the 
requirements of section 6103(p)(4) of the Internal Revenue Code of 
1986, and that the Person ``agrees to satisfy such similar 
requirements.''
    This standard differs from the requirement of Section 203 of the 
Act, because that Section contains contradictory statements about the 
types of systems to safeguard information that a Certified Person must 
have in place. In Section 203(b)(2)(B), the Act states that in order to 
receive Limited Access DMF, a Person must agree to comply with 
requirements ``similar to'' Section 6103(p)(4) of the Internal Revenue 
Code (IRC). Section 6103(p)(4) of the IRC is directed to Federal 
government agencies, and as such the ``similar to'' statement makes 
sense for non-government actors which are the subject of the Act. 
However, Section 203(b)(2)(C) requires a Certified Person to also 
``satisfy the requirements of such section 6103(p)(4) as if such 
section applied to such person.'' It is unclear how or why a Certified 
Person could or should satisfy safeguarding requirements ``similar to'' 
section 6103(p)(4) of the IRC, while also satisfying section 6103(p)(4) 
of the IRC. In addition, commenters pointed out that some of the 
provisions of section 6103(p)(4) could not reasonably be imposed on 
non-government actors, because, for example, in contrast to Federal Tax 
Information, Limited Access DMF under Section 203 is not subject to 
restriction when beyond the three-calendar-year period following the 
date of death.
    To resolve this ambiguity and address these comments, NTIS 
interprets
Section 203(b) of the Act as requiring Persons to certify that they 
have systems, facilities, and procedures in place that are ``reasonably 
similar to'' those required by section 6103(p)(4) of the IRC in order 
to become Certified Persons. This interpretation allows NTIS to meet 
the interest of protecting personal data generally and deterring fraud, 
while also allowing NTIS to set the data integrity standards 
appropriate to safeguard Limited Access DMF specifically. The final 
rule amends Sec.  1110.102(a)(2) and (3) accordingly.
    A number of commenters suggested that the final rule should 
expressly classify certain categories of activities or enterprises, 
such as health care research and insurance investigation, as ``a 
legitimate fraud prevention interest'' or ``a legitimate business 
purpose.'' Other commenters suggested that the final rule should 
specifically provide that when an applicant or Certified Person is 
subject to other laws governing the use of personal information, the 
applicant or Certified Person should for that reason be deemed to have 
a ``legitimate fraud prevention interest'' or ``legitimate business 
purpose.'' It was urged that codification of such categories would 
further the purpose of the Act and benefit businesses and other 
entities reliant upon the LADMF by eliminating the threat of 
interrupted access. NTIS has carefully considered these suggestions, 
and observes that each Person applying for certification must certify 
to NTIS that such Person satisfies each of three requirements specified 
under Section 203(b)(2) of the Act, and that NTIS will evaluate each 
application individually to ensure that an individual applicant is 
properly certified. NTIS does acknowledge that it received numerous 
comments to the effect that awardees of federal research grants and 
others conducting extramural and intramural research under federal 
programs should be eligible for certification, provided that they 
otherwise satisfy the requirements of the final rule. NTIS notes that, 
while it appreciates the commenters' position, such Persons must, like 
any applicants, demonstrate that they satisfy the requirements for 
LADMF access.
    A commenter observed that use of the term ``Accredited 
Certification Body'' in the proposed rule could create confusion, 
particularly since the concept of ``certification'' appears and is used 
separately in the rule. Accordingly, the final rule uses the term 
``Accredited Conformity Assessment Body'' rather than ``Accredited 
Certification Body,'' and NTIS uses the former term in the preamble as 
well.
    A number of commenters urged that particular activities and 
enterprises, such as direct marketing and life insurance companies, 
should not be subject to DMF-related audits or required to obtain a 
written third party attestation, where such activities and enterprises 
are independently subject to regulatory scrutiny and must comply with 
the privacy security requirements of other laws, such as the Gramm-
Leach-Bliley Act (GLBA), the Fair Credit Reporting Act (FCRA), and the 
Health Insurance Portability and Accountability Act of 1996 (HIPAA). 
While NTIS will decline to exclude Persons from the requirement for 
attestation as part of the certification process under the final rule, 
and will decline to exclude Certified Persons from being subject to 
audit, NTIS emphasizes that it is NTIS's intent under this final rule 
that applicants and Certified Persons should not incur the burden or 
expense of a DMF-specific audit when they have already had, or will 
have, an appropriate independent assessment or audit performed for 
other purposes, including but not limited to those noted above. To this 
end, Sec.  1110.503(c) of the final rule explicitly contemplates 
reliance upon a review or assessment or audit by an Accredited 
Conformity Assessment Body that was not conducted specifically or 
solely for the purpose of submission to NTIS. NTIS intends that when a 
review, assessment or audit has been or can be performed in the course 
of satisfying other Federal, state, tribal, or local government laws or 
regulations, such as those mentioned by commenters, or other regulatory 
or fiduciary requirements flowing from such laws or regulations, a 
Person or Certified Person will be able to rely upon that review, 
assessment or audit, to the extent that the requirements of the final 
rule are satisfied. In these circumstances, NTIS intends that it will 
accept an Accredited Conformity Assessment Body's attestation regarding 
a non-DMF audit, which attestation includes an explanation of the 
nature of that non-DMF audit and represents that, based on its review, 
the Accredited Conformity Assessment Body is satisfied that the LADMF 
security and safeguard requirements are met.
    NTIS will not at this time accept the suggestion of some commenters 
to permit ``self-assessments'' or ``a self-certified written 
attestation'' in lieu of a written attestation from an independent 
Accredited Conformity Assessment Body. With respect to state and local 
government departments and agencies, which are included within the 
definition of Persons in the final rule, NTIS notes some commenters' 
concerns that the proposed rule could burden such departments and 
agencies given state-established information security and safeguarding 
procedures, and agrees with the recommendation of a commenter that it 
should accept written attestation from an independent state or local 
government Inspector General or Auditor General office.
    Accordingly, provided that a state or local government Inspector 
General or Auditor General satisfies the requirements of the final rule 
for Accredited Conformity Assessment Bodies, new Sec.  1110.501(a)(2) 
of the final rule provides that a state or local government office of 
Inspector General or Auditor General and a Person or Certified Person 
that is a department or agency of the same state or local government, 
respectively, are not considered to be owned by a common ``parent'' 
entity under Sec.  1110.501(a)(1)(ii) for the purpose of determining 
independence, and attestation by the Inspector General or Auditor 
General will be possible.
    With respect to comments urging that provision should be made for 
self-assessments and attestations by organizations having the capacity 
to perform assessments and audits, NTIS recognizes that some 
organizations have such capacity, and are able in exercising it to 
address safeguarding and security requirements under other laws and 
regulations. Accordingly, new Sec.  1110.502 of the final rule provides 
that, in addition to ``independent'' Accredited Conformity Assessment 
Bodies, a Person or Certified Person may engage a ``firewalled'' 
Accredited Conformity Assessment Body, as defined in the final rule and 
with the approval of NTIS, under conditions, as defined in the rule, 
which ensure that concerns about independence and actual or apparent 
conflicts of interest or undue influence are satisfactorily addressed.
    Under new Sec.  1110.502(a), a third party conformity assessment 
body must apply to NTIS for firewalled status if it is owned, managed, 
or controlled by a Person or Certified Person that is the subject of 
attestation or audit by the Accredited Conformity Assessment Body, 
applying the characteristics set forth under Sec.  1110.501(a)(1) for 
independence. Under new Sec.  1110.502(b), NTIS will accept an 
application for firewalled status when it finds that: (1) Acceptance of 
the third party conformity assessment body for firewalled status would 
provide equal or greater assurance that the Person or Certified Person 
has information
security systems, facilities, and procedures in place to protect the 
security of the Limited Access DMF than would the Person's or Certified 
Person's use of an independent third party conformity assessment body; 
and (2) the third party conformity assessment body has established 
procedures to ensure that: (i) its attestations and audits are protected 
from undue influence by the Person or Certified Person that is the 
subject of attestation or audit by the Accredited Conformity Assessment 
Body, or by any other interested party; (ii) NTIS is notified promptly 
of any attempt by the Person or Certified Person that is the subject of 
attestation or audit by the third party conformity assessment body, or 
by any other interested party, to hide or exert undue influence over an 
attestation, assessment or audit; and (iii) allegations of undue 
influence may be reported confidentially to NTIS. To the extent 
permitted by Federal law, NTIS will undertake to 
protect the confidentiality of witnesses reporting allegations of undue 
influence. Under new Sec.  1110.502(c), NTIS will review each 
application and may contact the third party conformity assessment body 
with questions or to request submission of missing information, and 
will communicate its decision on each application in writing to the 
applicant.
    Some commenters expressed concern that in attesting to its 
credentials under Sec.  1110.503(a), an Accredited Conformity 
Assessment Body must indicate that it is accredited to a nationally or 
internationally recognized standard such as the ISO/IEC Standard 27006-
2011 or any other similar recognized standard for bodies providing 
audit and certification for information security management systems, 
pointing to other potentially applicable standards, such as the 
American Institute of Public Accountants (AICPA) Service Organization 
Control Report (SOC) Type 2 Audit Report. NTIS wishes to emphasize that 
it is not NTIS's intent, in reciting ISO/IEC 27006-2011, to exclude 
from consideration AICPA SOC2 or other appropriate accreditation 
standards. The regulation identifies the ISO/IEC standard as one 
example of an acceptable national or international accreditation 
standard. NTIS selected the ISO/IEC standard, as noted in the original 
discussion of the proposed rule, to serve ``as a baseline for 
accreditation,'' because it was prepared by the International 
Organization for Standardization (ISO) Committee on conformity 
assessment (79 FR at 78316). Moreover, NTIS emphasized that it ``is 
aware that standards other than ISO/IEC 27006-2001 exist that may be 
equally appropriate for the purposes of accreditation under the Act, 
and that additional standards may be developed in the future . . . an 
[Accredited Conformity Assessment Body] may attest, subject to the 
conditions of verification in [final rule] Section 1110.503, that it is 
accredited to a nationally or internationally recognized standard for 
management systems other than ISO/IEC Standard 27006-2011.'' NTIS 
further observes that the burden rests with the Person or Certified 
Person to identify and submit an attestation by an Accredited 
Conformity Assessment Body certified or credentialed by an appropriate 
accrediting body. Accordingly, NTIS concludes that Sec.  1110.503(a) 
provides appropriate guidance as to the accreditation standard for 
Accredited Conformity Assessment Bodies.
    A few commenters suggested that NTIS should directly accredit 
Accredited Conformity Assessment Bodies to conduct assessments and 
audits or provide a list of acceptable accreditations for Accredited 
Conformity Assessment Bodies. NTIS does not intend to do so. Recognized 
professional accreditation organizations with well-established, 
rigorous accreditation processes already exist in the private sector. 
Such organizations have either adopted or established nationally and 
internationally accepted standards for entities which may serve as 
Accredited Conformity Assessment Bodies under the final rule. In 
considering how to establish a permanent certification program as 
required under Section 203, NTIS carefully considered developing, 
within the agency, the capacity to evaluate the information systems, 
facilities and procedures of Persons to safeguard Limited Access DMF, 
as well as to conduct audits of Certified Persons and to itself 
accredit conformity assessment bodies. NTIS has consulted with the 
National Institute of Standards and Technology (NIST), which has 
expertise in testing, standard setting, certification and conformity 
assessment. Based on NIST recommendations, NTIS believes it appropriate 
for private sector, third party, Accredited Conformity Assessment 
Bodies to attest to a Person's information security safeguards under 
Sec.  1110.102(a)(2) of the rule, for NTIS to rely upon such 
attestation in certifying a Person under the final rule, and for NTIS 
to rely as well upon third party, private sector accreditation of 
Accredited Conformity Assessment Bodies, while reserving to itself the 
ability to perform assessments and audits itself, in its discretion.
    A number of commenters expressed concerns regarding the 
identification, in Sec.  1110.502(b) of the proposed rule, of the 
``Limited Access Death Master File Publication 100'' (Publication 100) 
as a source of guidance to which an Accredited Conformity Assessment 
Body could refer in its attestation as to the adequacy of an 
applicant's or Certified Person's safeguards for Limited Access DMF. 
These commenters stated that, even though Publication 100 is intended 
to set forth recommended guidelines, procedures and best practices, 
reference to that publication in the proposed rule implied a limitation 
to those safeguarding approaches set forth in Publication 100. These 
commenters offered other sources of security requirements for personal 
information they thought were pertinent and should be expressly 
included in the rule, such as the security standards for the GLBA.
    NTIS notes, however, that the language of the rule makes clear that 
Publication 100 merely offers an example of security controls and 
protocols that an applicant or Certified Person may use, and is not 
intended to be prescriptive (79 FR at 78316). Moreover, NTIS recognizes 
that ``a number of different approaches exist to safeguarding 
information.'' Id. In the December 2014 Draft Version of Publication 
100, NTIS stated:

    ``These information security guidelines are derived from NIST 
SP800-53 Revision 4, Security and Privacy Controls for Federal 
Information Systems and Organizations. Only NIST SP 800-53 controls 
believed to be essential to the protection of Limited Access DMF 
information are included in this publication as a baseline. 
Applicability was determined by selecting controls relevant to 
protecting the confidentiality of Limited Access DMF information. 
The NIST controls [discussed here] are intended by NTIS to be 
illustrative, not exclusive. Other controls that can be assessed and 
used as guidelines include the NIST Framework for Improving Critical 
Infrastructure Cybersecurity v1.0. The Framework Core provides a 
common set of activities for managing risks, and associated 
controls. The references provided in the Framework Core represent a 
diverse set of information security guidelines including: 
International Organization for Standardization ISO 27001; 
International Society for Automation ISA/IEC 62443; Control 
Objectives for Information and Related Technology COBIT; Council on 
Cybersecurity Critical Security Controls CCS CSC2; and NIST 800-53 
rev. 4. Again, these references are illustrative.''

    Nevertheless, in response to commenters' concerns, NTIS has removed 
reference to Publication 100 from Sec.  1110.503(b) of the final rule.
Given the continuously evolving nature of information technology 
security and safeguard guidelines, procedures and best practices, NTIS 
intends that Publication 100 will be a living document. NTIS has 
invited comments on Publication 100 from the public on an ongoing 
basis, and contemplates interactive public dialog regarding its 
contents.
    The proposed rule introduced a ``safe harbor'' provision in Sec.  
1110.200(c) that would exempt from penalty a first Certified Person who 
discloses LADMF to a second Certified Person, where the first Certified 
Person's liability rests solely on the fact that the second Certified 
Person has been determined to be subject to penalty. The provision was 
specifically drafted to apply to each disclosure and to limit the 
presumption of compliance to the first Certified Person, while the 
second Certified Person (i.e., the recipient of the LADMF) remained 
subject to penalty for violations of the Act (79 FR at 78317). NTIS 
invited comments as to whether the ``safe harbor'' provision should be 
extended to circumstances where the recipient is believed to be 
certified but, in fact, is not. NTIS did not receive comment on this 
point. A Certified Person desiring to rely upon the ``safe harbor'' 
provision as set forth in this final rule will bear responsibility for 
ensuring that a recipient of LADMF is, in fact, a Certified Person at 
the time of disclosure. NTIS notes that it maintains and publishes a 
list of Certified Persons, available at https://dmf.ntis.gov.
    NTIS received many comments suggesting that it should promulgate a 
broader ``safe harbor'' for a Certified Person who discloses LADMF to 
Persons whom the Certified Person knows are not certified 
(``uncertified Persons''). Many commenters urged that, unless the final 
rule made further allowance for Certified Persons to share LADMF with 
uncertified Persons, the commenters' businesses would suffer and their 
clients or other users would be deprived of data they need for critical 
purposes including fraud prevention, record-keeping and meeting legal 
and regulatory obligations. Many of these commenters also urged the 
extension of the ``safe harbor'' to Certified and uncertified Persons 
under certain circumstances, such as where an uncertified Person 
attests in writing that it meets the requirements for certification and 
to disclose the LADMF only to other uncertified Persons who could also 
meet the requirements, or where private contractual obligations were 
incurred. Some commenters contended that it would be unreasonable and 
unrealistic for NTIS to require their clients or other users to become 
certified and thus be subject to the rule's security and auditing 
requirements.
    NTIS will not extend the ``safe harbor'' provision of Sec.  
1110.102(c) in this manner. However, NTIS emphasizes that a recipient's 
Certified Person status has not been and is not required in order for a 
Certified Person to disclose LADMF to that recipient. A Certified Person may, 
without penalty under Sec.  1110.200 (but without ``safe harbor'' 
protection), disclose LADMF to another Person who, although not 
certified, meets the requirements of Sec.  1110.102(a)(1) through (3), 
and who does not misuse or further disclose the LADMF in violation of 
Sec.  1110.200(a)(1)(ii) or (iii). Indeed, many of the comments 
described above reflect the types of procedures that Certified Persons 
have successfully adopted under the Temporary Certification Program, 
and might be expected to adopt successfully in disclosing LADMF to 
uncertified Persons under the final rule. However, under such 
circumstances not involving a certified recipient, NTIS will not apply 
a ``safe harbor'' such as is applied under the final rule to a 
Certified Person who discloses Limited Access DMF to another who is 
also a Certified Person.
    A few commenters were critical of the appeals process set forth in 
Sec.  1110.300. One commenter opined that entities facing potential 
liability through ``unscheduled audits'' and ``substantial financial 
penalties'' needed ``well-developed procedural rights'' such as the 
right of appeal to an administrative law judge and federal court. NTIS 
has carefully considered these comments, but concludes that the process 
and procedures set forth in Sec.  1110.300 are legally sufficient. NTIS 
has provided an appropriate administrative and appeal process in Sec.  
1110.300. Pursuant to the Administrative Procedure Act (Pub. L. 79-404, 
60 Stat. 237), any Person or Certified Person can seek review of any 
adverse action or decision by the Director of NTIS in federal district 
court.
    A comment was received suggesting that the exclusion of Executive 
departments or agencies of the United States Government from the 
definition of ``Persons,'' noted initially under the interim final rule 
and continued in the proposed rule, should be extended as well to the 
governments of foreign countries. NTIS has carefully considered this 
comment, but will not adopt such a categorical exclusion. NTIS will 
continue to consider applications by foreign governments on a case-by-
case basis, in accordance with general principles of comity and 
consistent with the purposes of Section 203 and the requirements of the 
final rule.

The Final Rule

    This final rule amends subparts A, B, C, D, and adds a new subpart 
E to the DMF Certification Program in part 1110 of title 15 of the Code 
of Federal Regulations. The following describes specific provisions 
being amended.
    Under Sec.  1110.2, ``Definitions,'' NTIS is revising the 
definition of ``Person'' to recite ``state and local government 
departments and agencies,'' so that ``Person'' will be defined as 
including corporations, companies, associations, firms, partnerships, 
societies, joint stock companies, and other private organizations, and 
state and local government departments and agencies, as well as 
individuals. However, Executive departments or agencies of the United 
States Government will not be considered ``Persons'' for the purposes 
of this rule. Accordingly, Executive departments or agencies will not 
have to complete the Certification Form as set forth in the rule, and 
will be able to access Limited Access DMF under a subscription or 
license agreement with NTIS, describing the purpose(s) for which 
Limited Access DMF is collected, used, maintained and shared. Those 
working on behalf of and authorized by Executive departments or 
agencies may access the Limited Access DMF from their sponsoring 
Executive department or agency, which will be responsible for ensuring 
that such access is solely for the authorized purposes described by the 
agency. Unauthorized secondary use of Limited Access DMF by Executive 
departments or agencies or those working for them or on their behalf is 
prohibited. If an Executive department or agency wishes those working 
on its behalf to access the Limited Access DMF directly from NTIS, then 
those working on behalf of that Executive department or agency will be 
required to complete and submit the Certification Form as set forth in 
the rule and enter into a subscription agreement with NTIS in order to 
directly access the Limited Access DMF. Under this final rule, a 
Certified Person will be eligible to access the Limited Access DMF made 
available by NTIS through subscription or license.
    The final rule adds a requirement that, in order to become 
certified, a Person must submit a written attestation from an 
Accredited Conformity Assessment Body, as defined in the final rule, 
that such Person has information security systems, facilities, and 
procedures in place to protect the

[[Page 34887]]

security of the Limited Access DMF, as required under Sec.  
1110.102(a)(2) of the rule. NTIS has consulted with NIST, which has 
expertise in testing, standard-setting, and certification of various 
systems. Based on NIST recommendations, the final rule provides for 
private sector, third party, Accredited Conformity Assessment Bodies to 
attest to a Person's information security safeguards under Sec.  
1110.102(a)(2) of the rule, and NTIS will rely upon such attestation in 
certifying a Person under the final rule. The final rule also provides 
for Accredited Conformity Assessment Bodies to conduct periodic 
scheduled and unscheduled audits of Certified Persons on behalf of 
NTIS.
    Under the final rule, an ``Accredited Conformity Assessment Body'' 
is defined as an independent third party conformity assessment body 
that is not owned, managed, or controlled by a Person or Certified 
Person which is the subject of attestation or audit, and that is 
accredited by an accreditation body under nationally or internationally 
recognized criteria such as, but not limited to, ISO and the 
International Electrotechnical Commission (IEC) publication ISO/IEC 
27006-2011, ``Information technology--Security techniques--Requirements 
for bodies providing audit and certification of information security 
management systems,'' to attest that a Person or Certified Person has 
information technology systems, facilities and procedures in place to 
safeguard Limited Access DMF. Based on NIST recommendations, NTIS 
believes it is appropriate to reference ISO/IEC 27006-2011 as an 
exemplary baseline for accreditation under the final certification 
program. The ISO Committee on conformity assessment (CASCO) prepared 
ISO/IEC 27006-2011, and reference to the ISO/IEC standard will help 
ensure that attestations and audits under the final certification 
program operate in a manner consistent with national and international 
practices. Accreditation is a third-party attestation that a conformity 
assessment body operates in accordance with national and international 
standards. Accreditation is used nationally and internationally in many 
sectors where there is a need, through certification, for safety, 
health or security requirements to be met by products or services. 
Accreditation ensures that a conformity assessment body is technically 
competent in the subject matter (in this case, the information 
safeguarding and security requirements as set forth in the rule) and 
has a management system in place to ensure competency and acceptable 
certification program operations on a continuing basis. Accreditation 
requires that Accredited Conformity Assessment Bodies be re-accredited 
on a periodic basis.
    However, NTIS also acknowledges that standards other than ISO/IEC 
27006-2011 exist that are equally appropriate for the purposes of 
accreditation under the Act, and that additional appropriate standards 
may be developed in the future. The final rule provides that an 
Accredited Conformity Assessment Body may attest, subject to the 
conditions of verification in Sec.  1110.503 of the final rule, that it 
is accredited to a nationally or internationally recognized standard 
for bodies providing audit and certification of information security 
management systems other than ISO/IEC Standard 27006-2011. In addition, 
the rule provides that an Accredited Conformity Assessment Body must 
also attest that the scope of its accreditation encompasses the 
information safeguarding and security requirements as set forth in the 
rule.
    NTIS is aware that security and safeguarding of information and 
information systems is of great concern in many fields of endeavor 
other than with respect to Limited Access DMF. NTIS has consulted with 
subject matter experts from NIST, which in 2014 published the 
``Framework for Improving Critical Infrastructure Cybersecurity'' \1\ 
(Framework), in response to President Obama's Executive Order 13636, 
``Improving Critical Infrastructure Cybersecurity,'' which established 
that ``[i]t is the Policy of the United States to enhance the security 
and resilience of the Nation's critical infrastructure and to maintain 
a cyber environment that encourages efficiency, innovation, and 
economic prosperity while promoting safety, security, business 
confidentiality, privacy, and civil liberties.'' In articulating this 
policy, the Executive Order calls for the development of a voluntary 
risk-based Cybersecurity Framework--a set of industry standards and 
best practices to help organizations manage cybersecurity risks. The 
resulting Framework, created by NIST through collaboration between 
government and the private sector, uses a common language to address 
and manage cybersecurity risks in a cost-effective way based on 
business needs without placing additional regulatory requirements on 
businesses. The Framework enables organizations--regardless of size, 
degree of cybersecurity risk, or cybersecurity sophistication--to apply 
the principles and best practices of risk management to improving the 
security and resilience of critical infrastructure. The Framework 
provides organization and structure to today's multiple approaches to 
cybersecurity by assembling standards, guidelines, and practices that 
are working effectively in industry today. Accordingly, in addressing 
the requirements of Section 203 for ``systems, facilities, and 
procedures'' to safeguard Limited Access DMF, NTIS contemplates that 
Persons, as well as Accredited Conformity Assessment Bodies, may look 
to the Framework and to the Framework's Informative References. The 
Framework is referenced by NTIS in Publication 100. As set forth in 
Publication 100, as well as in the Framework's Informative References, 
a number of different approaches exist to safeguarding information. 
These include ISO/IEC, Control Objectives for Information and Related 
Technology (COBIT), International Society of Automation (ISA), and 
NIST's 800 series publications. Others include the Service Organization 
Controls (SOC) of the American Institute of CPAs (AICPA).
---------------------------------------------------------------------------

    \1\ This document can be found at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.
---------------------------------------------------------------------------

    NTIS is aware that security and safeguarding assessments such as 
those contemplated under this final rule are routinely carried out in 
the private sector, including by entities which may satisfy the 
requirements for Accredited Conformity Assessment Bodies under the 
rule. Provided that such a routine assessment or audit of a Person 
would permit an Accredited Conformity Assessment Body to attest that 
such Person has systems, facilities, and procedures in place to 
safeguard Limited Access DMF as required under Sec.  1110.102(a)(2) of 
the final rule, albeit carried out for a purpose other than 
certification under the rule, NTIS will accept an attestation in 
support of a Person's certification with respect to the requirements 
under Sec.  1110.102(a)(2) of the rule, as well as in support of the 
renewal of a Certified Person's certification. The final rule provides 
that any attestation, whether for a Person seeking certification or for 
a Certified Person seeking renewal, must be based on the Accredited 
Conformity Assessment Body's review or assessment conducted no more 
than three years prior to the date of submission of the Person's 
completed certification statement or of the Certified Person's 
completed renewal certification statement. As noted, an

[[Page 34888]]

Accredited Conformity Assessment Body's review or assessment need not 
have been conducted specifically or solely for the purpose of 
submission of an attestation under the final rule. From NTIS's 
consultations with NIST subject matter experts, NTIS believes that the 
limitation of three years is appropriate as to frequency for 
assessments for the security and safeguarding of information and 
information systems, and that permitting Persons and Certified Persons 
to rely on attestations based on such assessments conducted for 
purposes other than solely for the rule is reasonable and cost-
effective.
    Persons previously certified under the interim final rule will need 
to become certified in accordance with the requirements of this final 
rule, when it becomes effective. Certification under this final rule 
will include an updated certification form (NTIS FM161), discussed 
under the heading, ``Paperwork Reduction Act,'' collecting additional 
information that will improve NTIS's ability to determine whether a 
Person meets, to the satisfaction of NTIS, the requirements of Section 
203 of the Act.
    Under Sec.  1110.103 of the final rule, a Certified Person may 
disclose Limited Access DMF to another Certified Person, and will be 
deemed to satisfy the disclosing Certified Person's obligation to 
ensure compliance with final Sec.  1110.102(a)(4)(i)-(iii) for the 
purposes of certification. Similarly, under Sec.  1110.200(c), NTIS 
will not impose a penalty, under Sec.  1110.200(a)(1)(i)-(iii) of the 
final rule, on a first Certified Person who discloses Limited Access 
DMF to a second Certified Person, where the first Certified Person's 
liability rests solely on the fact that the second Certified Person has 
been determined to be subject to penalty. While the final rule does not 
restrict disclosure of Limited Access DMF to Certified Persons, these 
provisions create an appropriately limited ``safe harbor'' for 
Certified Persons to disclose Limited Access DMF to other Certified 
Persons. However, note that any Person, including any Certified Person, 
who receives Limited Access DMF from a Certified Person, is still 
subject to penalty under Sec.  1110.200(a)(2), for violations of the 
Act. The safe harbor provision applies to each disclosure individually, 
and only the Certified Person disclosing the information, not the 
Certified Person recipient, receives the benefit of the presumed 
compliance with Sec.  1110.102(a)(4)(i)-(iii).
    Under Sec.  1110.201 of the final rule, NTIS may conduct, or may 
request that an Accredited Conformity Assessment Body conduct, at the 
Certified Person's expense, periodic scheduled and unscheduled audits 
of the systems, facilities, and procedures of any Certified Person 
relating to such Certified Person's access to, and use and distribution 
of, the Limited Access DMF. NTIS contemplates that many, if not most, 
audits of Certified Persons will be scheduled, but NTIS may also 
conduct, or request an Accredited Conformity Assessment Body conduct, 
unscheduled audits--for example, where a prior scheduled audit may have 
identified the need for adjustment to a Certified Person's systems, 
facilities, or procedures. Audits conducted by NTIS or by an Accredited 
Conformity Assessment Body may take place at a Certified Person's place 
of business (i.e., field audits), or may be conducted remotely (i.e., 
desk audits). The final rule provides that all Certified Persons be 
audited with respect to the requirements of Sec.  1110.102(a)(2) no 
less frequently than every three years under the program, and this 
requirement may be satisfied by a Certified Person based on an audit or 
assessment conducted for a purpose other than solely for the purpose of 
this program. The final rule does not require that Certified Persons 
undergo routine scheduled audits on the attestation regarding Sec.  
1110.102(a)(1), but does provide that unscheduled audits of this and 
other aspects of the requirements for certification may be conducted at 
NTIS's discretion. Under the final rule, NTIS' costs for conducting 
audits will be recoverable from the audited Person. Failure to submit 
to an audit, to cooperate fully with NTIS in its conduct of an audit or 
an Accredited Conformity Assessment Body conducting an audit on NTIS's 
request, or to pay an audit fee owed to NTIS, are grounds for 
revocation of certification under the final rule. NTIS intends that a 
Person or Certified Person will be directly responsible to an 
Accredited Conformity Assessment Body for any charges by that 
Accredited Conformity Assessment Body related to requirements under 
this final rule, as it would be responsible for NTIS' auditing costs 
under the Act.
    Section 1110.200(a)(2) and (b) of the final rule set out the 
penalties for unauthorized disclosures or uses of the Limited Access 
DMF. Each individual unauthorized disclosure is punishable by a fine of 
$1,000, payable to the United States Treasury. However, the total 
amount of the penalty imposed under this part on any Person for any 
calendar year shall not exceed $250,000, unless such Person's 
disclosure or use is determined to be willful or intentional. A 
disclosure or use is considered willful when it is a ``voluntary, 
intentional violation of a known legal duty.'' See U.S. v. Pomponio, 
429 U.S. 10 (1976) (holding that for purposes of interpreting the 
criminal tax provisions of the Internal Revenue Code, the term 
``willful'' means a voluntary, intentional violation of a known legal 
duty).
    The final rule's Sec.  1110.300 establishes the procedures to 
appeal a denial or revocation of certification, or the imposition of 
penalties for violating the Act. An administrative appeal must be 
filed, in writing, within 30 days (or such longer period as the 
Director of NTIS may, for good cause shown in writing, establish in any 
case) after receiving a notice of denial, revocation or imposition of 
penalties. Appeals are to be directed to the Director of NTIS. Any such 
appeal must set forth the following: The name, street address, email 
address and telephone number of the Person seeking review; a copy of 
the notice of denial or revocation of certification, or the imposition 
of penalty, from which appeal is taken; a statement of arguments, 
together with any supporting facts or information, concerning the basis 
upon which the denial or revocation of certification, or the imposition 
of penalty, should be reversed; and a request for hearing of oral 
argument before a representative of the Director, if desired.
    Section 1110.300(a)-(d) sets forth the procedures for an 
administrative appeal. Under Sec.  1110.300(c), a Person may, but need 
not, retain an attorney to represent such Person in an appeal. A Person 
must designate an attorney by submitting to the Director of NTIS a 
written power of attorney. If a hearing is requested, the Person (or 
the Person's designated attorney) and a representative of NTIS familiar 
with the notice from which appeal has been taken will present oral 
arguments which, unless otherwise ordered before the hearing begins, 
will be limited to thirty minutes for each side. A Person need not 
retain an attorney or request an oral hearing to secure full 
consideration of the facts and the Person's arguments. Where no hearing 
is requested, the Director shall review the case and issue a decision, 
as set out below.
    Under Sec.  1110.300(e), the Director of NTIS shall issue a 
decision on the matter within 120 days after a hearing, or, if no 
hearing was requested, within 90 days of receiving the letter of 
appeal. In making decisions on appeal, the Director shall consider the 
arguments and statements of fact and information in the Person's 
appeal, and made at the oral argument hearing, if such was requested, 
but the Director at his or her discretion and with due respect for the

[[Page 34889]]

rights and convenience of the Person and the agency, may call for 
further statements on specific questions of fact, or may request 
additional evidence in the form of affidavits on specific facts in 
dispute. An appellant may seek reconsideration of the decision, but 
must do so in writing, and the request for reconsideration must be 
received within 30 days of the Director's decision or within such an 
extension of time thereof as may be set by the Director of NTIS before 
the original period expires. A decision shall become final either after 
the 30-day period for requesting reconsideration expires and no request 
has been submitted, or on the date of final disposition of a decision 
on a petition for reconsideration.
    Under Sec.  1110.500 of the final rule, an Accredited Conformity 
Assessment Body must be independent of the Person or Certified Person 
seeking certification, unless it is a third party conformity assessment 
body which a Certified Person has qualified for ``firewalled'' status 
pursuant to Sec.  1110.502, and must itself be accredited by a 
recognized accreditation body. The requirement for independence from 
the Person seeking certification, or from the Certified Person seeking 
renewal or subject to audit, is important to ensure integrity of any 
assessment and attestation or audit. The final rule provides that an 
Accredited Conformity Assessment Body must be an independent third 
party conformity assessment body that is not owned, managed, or 
controlled by a Person or Certified Person that is the subject of 
attestation or audit by the Accredited Conformity Assessment Body, 
except where the third party conformity assessment body qualifies for 
``firewalled'' status under Sec.  1110.502.
    Accordingly, under the final rule, a Person or Certified Person is 
considered to own, manage, or control a third party conformity 
assessment body if the Person or Certified Person holds a 10 percent or 
greater ownership interest, whether direct or indirect, in the third 
party conformity assessment body; if the third party conformity 
assessment body and the Person or Certified Person are owned by a 
common ``parent'' entity; if the Person or Certified Person has the 
ability to appoint a majority of the third party conformity assessment 
body's senior internal governing body, the ability to appoint the 
presiding official of the third party conformity assessment body's 
senior internal governing body, and/or the ability to hire, dismiss, or 
set the compensation level for third party conformity assessment body 
personnel; or if the third party conformity assessment body is under a 
contract to the Person or Certified Person that explicitly limits the 
services the third party conformity assessment body may perform for 
other customers and/or explicitly limits which or how many other 
entities may also be customers of the third party conformity assessment 
body.
    In order for NTIS to accept an attestation as to, or audit of, a 
Person or Certified Person submitted to NTIS under the final rule, the 
Accredited Conformity Assessment Body must attest that it is 
independent of that Person or Certified Person. The Accredited 
Conformity Assessment Body also must attest that it has read, 
understood, and agrees to the regulations as set forth in the final 
rule. The Accredited Conformity Assessment Body must also attest that 
it is accredited to ISO/IEC Standard 27006-2011 ``Information 
technology--Security techniques--Requirements for bodies providing 
audit and certification of information security management systems,'' 
or to another nationally or internationally recognized standard for 
bodies providing audit and certification of information security 
management systems. The Accredited Conformity Assessment Body must also 
attest that the scope of its accreditation encompasses the safeguarding 
and security requirements as set forth in the final rule.
    Where review or assessment or audit by an Accredited Conformity 
Assessment Body was not conducted specifically or solely for the 
purpose of submission under this part, the final rule requires that the 
written attestation or assessment report (if an audit) describe the 
nature of that review or assessment or audit, and that the Accredited 
Conformity Assessment Body attest that on the basis of such review or 
assessment or audit, the Person or Certified Person has systems, 
facilities, and procedures in place to safeguard Limited Access DMF as 
required under Sec.  1110.102(a)(2).
    While NTIS will normally accept written attestations and assessment 
reports from an Accredited Conformity Assessment Body that attests, to 
the satisfaction of NTIS, as provided in Sec.  1110.503 of the final 
rule, the final rule also provides that NTIS may decline to accept 
written attestations or assessment reports from an Accredited 
Conformity Assessment Body, whether or not it has attested as provided 
in Sec.  1110.503, for any of the following reasons: when NTIS 
determines that doing so is in the public interest under Section 203 of 
the Bipartisan Budget Act of 2013, and notwithstanding any other 
provision of these regulations; submission of false or misleading 
information concerning a material fact(s) in an Accredited Conformity 
Assessment Body's attestation under Sec.  1110.503; knowing submission 
of false or misleading information concerning a material fact(s) in an 
attestation or assessment report by an Accredited Conformity Assessment 
Body of a Person or Certified Person; failure of an Accredited 
Conformity Assessment Body to cooperate (as defined in this section) in 
response to a request from NTIS to verify the accuracy, veracity, and/
or completeness of information received in connection with an 
attestation under Sec.  1110.503 or an attestation or assessment report 
by that Body of a Person or Certified Person; or where NTIS is unable 
for any reason to verify the accuracy of the Accredited Conformity 
Assessment Body's attestation.
    In addition, with respect to audits under the final rule, NTIS may 
in its discretion decline to accept an attestation or assessment report 
conducted for other purposes, and may conduct or require that an 
Accredited Conformity Assessment Body conduct a review solely for the 
purpose of the final rule.

Executive Order 12866

    This final rule has been determined to be significant as that term 
is defined in Executive Order 12866.

Executive Order 13132

    A rule has implications for federalism under Executive Order 13132, 
Federalism, if it has a substantial direct effect on State or local 
governments and would either preempt State law or impose a substantial 
direct cost of compliance on States or localities. NTIS has analyzed 
this rule under that Order and has determined that it does not have 
implications for federalism.

Final Regulatory Flexibility Analysis

    The Regulatory Flexibility Act of 1980, as amended, (RFA), requires 
agencies to analyze impacts of regulatory actions on small entities 
(businesses, non-profit organizations, and governments), and to 
consider alternatives that minimize such impacts while achieving 
regulatory objectives. Agencies must first conduct a threshold analysis 
to determine whether regulatory actions are expected to have 
significant economic impact on a substantial number of small entities. 
If the threshold analysis indicates a significant economic impact on a 
substantial number of small entities, an initial regulatory flexibility 
analysis must be produced and made available

[[Page 34890]]

for public review and comment along with the proposed regulatory 
action. A final regulatory flexibility analysis that considers public 
comments must then be produced and made publicly available with the 
final regulatory action.
    An Initial Regulatory Flexibility Act Analysis (``IRFA'') was 
incorporated into the NTIS proposed rule. NTIS sought written public 
comment on the proposed rule, including comment on the IRFA. This Final 
Regulatory Flexibility Act Analysis (``FRFA'') conforms to the RFA, and 
incorporates the IRFA pursuant to Section 603 and comments received, to 
analyze the impact that this final rule will have on small entities.

Description of the Reasons Why Action Is Being Considered

    The policy reasons for issuing this rule are discussed in the 
preamble of this document, and not repeated here.

Statement of the Objectives of, and Legal Basis for, the Rule; 
Identification of All Relevant Federal Rules Which May Duplicate, 
Overlap, or Conflict With the Rule

    The legal basis for this rule is Section 203 of the Bipartisan 
Budget Act of 2013, Pub. L. 113-67, codified at 42 U.S.C. 1306c (the 
Act). The rule, which replaces NTIS' interim final rule, implements the 
Act, which requires the Secretary of Commerce to create a program to 
certify that persons given access to the Limited Access DMF satisfy the 
statutory requirements for accessing that information. Accordingly, 
this rule creates a permanent program for certifying persons eligible 
to access Limited Access DMF. It requires that Certified Persons 
annually re-certify as eligible to access the Limited Access DMF, and 
that they agree to be subject to scheduled and unscheduled audits. The 
rule also sets out the penalties for violating the Act's disclosure 
provisions, establishes a process to appeal penalties or revocations of 
certification, and adopts a fee program for the certification program, 
audits, and appeals.
    When this final rule becomes effective, it will replace the interim 
final rule promulgated by NTIS to establish a Temporary Certification 
Program, in order to avoid the complete loss of access to the Limited 
Access DMF when the Act became effective. No other rules duplicate, 
overlap, or conflict with this rule.

Number and Description of Small Entities Regulated by the Action

    The final rule applies to all persons seeking to become certified 
to obtain the Limited Access DMF from NTIS. The entities affected by 
this rule could include banks and other financial institutions, pension 
plans, health research institutes or companies, state and local 
governments, information companies, and similar research services, and 
others not identified. Many of the impacted entities likely are 
considered ``large'' entities under the applicable United States Small 
Business Administration (SBA) size standards. The SBA defines a ``small 
business'' (or ``small entity'') as one with annual revenue that meets 
or is below an established size standard. The SBA ``small business'' 
size standard is $550 million in annual revenue for Commercial Banking, 
Savings Institutions, Credit Unions, and Credit Card Issuing (North 
American Industry Code (NAICS) 522110, 522120, 522130, and 522210). The 
size standard is $38.5 million for Consumer Lending and Trust, 
Fiduciary and Custody Activities, and Direct Health and Medical 
Insurance Carriers (NAICS 52291, 523991, and 524114), $7.5 million for 
Mortgage and Nonmortgage Loan Brokers, and Insurance Agencies and 
Brokerages (NAICS 522310, and 524210), and $32.5 million for Third 
Party Administration of Insurance and Pension Funds (NAICS 524292). 
NTIS anticipates that this rule will have an impact on various small 
entities.

Projected Reporting, Recordkeeping and Other Compliance Requirements of 
the Rule

    Under this final rule, a ``Limited Access Death Master File (LADMF) 
Systems Safeguards Attestation Form'' would require Accredited 
Conformity Assessment Bodies to attest that a Person seeking to be 
certified to access Limited Access DMF has systems, facilities, and 
procedures in place as required under Sec.  1110.102(a)(2) of the 
rule. NTIS estimates that the type of professional skills necessary for 
the preparation of an attestation will be those of a senior auditor at 
an Accredited Conformity Assessment Body, to conduct an assessment 
under the rule.

Steps NTIS Has Taken To Minimize the Significant Economic Impact on 
Small Entities

    NTIS carefully considered a number of alternatives to ensure 
compliance with the safeguarding requirements of Section 203 of the 
Act. These alternatives included requiring all Persons desiring to 
become certified to comply with the same requirements as those set 
forth in Section 6103(p)(4) of the Internal Revenue Code; Section 
203(b)(2)(C) of the Act recites that a Certified Person ``satisfy the 
requirements of such section 6103(p)(4) as if such section applied to 
such person.'' Such a requirement would have had a very significant 
impact on small entities. As pointed out in some comments on the 
proposed rule, some of the provisions of section 6103(p)(4) would have 
been extremely burdensome, because, for example, in contrast to Federal 
Tax Information, Limited Access DMF under Section 203 is not subject to 
restriction when beyond the three-calendar-year period following the 
date of death.
    Accordingly, NTIS rejected this burdensome alternative, and the 
final rule instead requires Persons to certify that they have systems, 
facilities, and procedures in place that are ``reasonably similar to'' 
those required by section 6103(p)(4) of the IRC in order to become 
Certified Persons. This interpretation allows NTIS to meet the interest 
of protecting personal data generally and deterring fraud, while also 
allowing NTIS to set the data integrity standards appropriate to 
safeguard Limited Access DMF specifically, and lessens the burden on 
small entities which, as noted by a number of commenters, tend not to 
have in place some more advanced information system controls.
    NTIS carefully considered, but rejected, the alternative of 
requiring Certified Persons to undergo audits annually for the purpose 
of re-certification. This alternative would have necessitated that a 
Certified Person bear the expense of assessment for the purpose of 
attestation by a third party Accredited Conformity Assessment Body each 
year as part of the annual re-certification process under the rule. 
Based on consultations with NIST subject matter experts, NTIS concluded 
instead that a limitation of three years is appropriate as to frequency 
for assessments for the security and safeguarding of information and 
information systems, thus lessening the economic impact on small 
entities under the rule.
    NTIS carefully considered, but rejected, the suggestion by a 
commenter that NTIS itself should accredit third party Accredited 
Conformity Assessment Bodies. This would have required that NTIS 
independently develop government-specific accreditation expertise and 
capacity. Because the Act requires NTIS to obtain full cost recovery, 
the cost of such an

[[Page 34891]]

effort would have to be borne by Certified Persons, including small 
entities. This would have been inefficient as well as burdensome. 
Instead, the final rule provides that an Accredited Conformity 
Assessment Body attest that it is accredited to a nationally or 
internationally recognized standard for bodies providing audit and 
certification of information security management systems, and that the 
scope of its accreditation encompasses the information safeguarding and 
security requirements as set forth in the rule.
    NTIS carefully considered, and rejected, a proposed requirement 
that Persons desiring to become certified under the rule be limited to 
program-specific assessments and audits carried out by third party 
Accredited Conformity Assessment Bodies. This requirement would have 
necessitated that any Person, including a Person otherwise subject to 
periodic audit and assessment in the normal course of such Person's 
business, bear the burden of an additional program-specific audit or 
assessment for the purposes of the rule. NTIS, however, in consultation 
with NIST subject matter experts, considered and adopted a less 
burdensome approach: Provided that a routine assessment or audit of a 
Person would permit an Accredited Conformity Assessment Body to attest 
that such Person has systems, facilities, and procedures in place to 
safeguard Limited Access DMF as required under Sec.  1110.102(a)(2) of 
the final rule, albeit carried out for a purpose other than 
certification under the rule, NTIS will accept an attestation in 
support of a Person's certification with respect to the requirements 
under Sec.  1110.102(a)(2) of the rule, as well as in support of the 
renewal of a Certified Person's certification. Thus, under the final 
rule, an Accredited Conformity Assessment Body's review or assessment 
need not have been conducted specifically or solely for the purpose of 
submission of an attestation under the rule, reducing the economic 
impact that the rejected alternative would have imposed on small 
entities.
    NTIS carefully considered, but rejected, the alternative of 
requiring that a first Certified Person who discloses Limited Access 
DMF to a second Certified Person be subject to penalty under the rule 
where, through no fault of the first Certified Person, the second 
Certified Person is determined to be subject to penalty under the rule. 
This alternative would have exposed to penalty under the rule a first 
Certified Person, who disclosed Limited Access DMF to another Person 
certified by NTIS, even absent any violation by the first Certified 
Person. Instead, the Final Rule provides for a ``safe harbor'' that 
exempts from penalty a first Certified Person who discloses LADMF to a 
second Certified Person, where the first Certified Person's liability 
rests solely on the fact that the second Certified Person has been 
determined to be subject to penalty. The less burdensome approach 
chosen by NTIS will reduce the potential economic impact on Certified 
Persons, including those that are small entities, under such 
circumstances.
    Based on its analysis, NTIS estimates that the rule reflects 
alternatives placing the least economic impact on small entities, and 
that the rule will not disproportionately impact small entities as 
opposed to large ones.

Paperwork Reduction Act

    Notwithstanding any other provision of law, no person is required 
to comply with, and neither shall any person be subject to penalty for 
failure to comply with, a collection of information subject to the 
requirements of the Paperwork Reduction Act, unless that collection of 
information displays a currently valid OMB Control Number.
    This final rule contains collection of information requirements 
subject to review and approval by OMB under the Paperwork Reduction Act 
(PRA). Approval from OMB will be obtained prior to the final rule 
becoming effective and prior to the collection of such information, 
except that NTIS will continue to collect information already approved 
by OMB under OMB Control No. 0692-0013.

List of Subjects in 15 CFR Part 1110

    Administrative appeal, Certification program, Fees, Imposition of 
penalty.

    Dated: May 23, 2016.
Bruce Borzino,
 Director.

    For reasons set forth in the preamble, the National Technical 
Information Service amends 15 CFR part 1110 as follows:

PART 1110--CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER 
FILE

■ 1. The authority for part 1110 continues to read as follows:

    Authority: Pub. L. 113-67, Sec. 203.


■ 2. Amend Sec.  1110.2 by:
■ a. Adding, in alphabetical order, the definition, ``Accredited 
Conformity Assessment Body;'' and
■ b. Revising the definitions of ``Limited Access DMF'' and ``Person''.
    The addition and revision read as follows:


Sec.  1110.2  Definitions used in this part.

* * * * *
    Accredited Conformity Assessment Body. A third party conformity 
assessment body that is accredited by an accreditation body under 
nationally or internationally recognized criteria such as, but not 
limited to, International Organization for Standardization (ISO)/
International Electrotechnical Commission (IEC) 27006-2011, 
``Information technology--Security techniques--Requirements for bodies 
providing audit and certification of information security management 
systems,'' to attest that a Person or Certified Person has systems, 
facilities and procedures in place to safeguard Limited Access DMF.
* * * * *
    Limited Access DMF. The DMF product made available by NTIS which 
includes DMF with respect to any deceased individual at any time during 
the three-calendar-year period beginning on the date of the 
individual's death. As used in this part, Limited Access DMF does not 
include an individual element of information (name, social security 
number, date of birth, or date of death) in the possession of a Person, 
whether or not certified, but obtained by such Person through a source 
independent of the Limited Access DMF. If a Person obtains, or a third 
party subsequently provides to such Person, death information (i.e., 
the name, social security account number, date of birth, or date of 
death) independently, such information in the possession of such Person 
is not part of the Limited Access DMF or subject to this part.
* * * * *
    Person. Includes corporations, companies, associations, firms, 
partnerships, societies, joint stock companies, and other private 
organizations, and state and local government departments and agencies, 
as well as individuals.

■ 3. Revise the section heading of Sec.  1110.100 to read as follows:


Sec.  1110.100  Scope; term.

* * * * *

■ 4. Revise Sec.  1110.101 to read as follows:


Sec.  1110.101  Submission of certification; attestation.

    (a) In order to become certified under the certification program 
established under this part, a Person must submit a completed 
certification statement and any required documentation, using the

[[Page 34892]]

most current version of the Limited Access Death Master File Subscriber 
Certification Form, and its accompanying instructions at https://dmf.ntis.gov, together with the required fee.
    (b) In addition to the requirements under paragraph (a) of this 
section, in order to become certified, a Person must submit a written 
attestation from an Accredited Conformity Assessment Body that such 
Person has systems, facilities, and procedures in place as required 
under Sec.  1110.102(a)(2). Such attestation must be based on the 
Accredited Conformity Assessment Body's review or assessment conducted 
no more than three years prior to the date of submission of the 
Person's completed certification statement, but such review or 
assessment need not have been conducted specifically or solely for the 
purpose of submission under this part.

■ 5. Amend Sec.  1110.102 by revising paragraphs (a)(2), (3), and (4) to 
read as follows:


Sec.  1110.102  Certification.

* * * * *
    (a) * * *
    (2) Such Person has systems, facilities, and procedures in place to 
safeguard the accessed information, and experience in maintaining the 
confidentiality, security, and appropriate use of accessed information, 
pursuant to requirements reasonably similar to the requirements of 
section 6103(p)(4) of the Internal Revenue Code of 1986;
    (3) Such Person agrees to satisfy such similar requirements; and
    (4) Such Person shall not, with respect to Limited Access DMF of 
any deceased individual:
    (i) Disclose such deceased individual's Limited Access DMF to any 
person other than a person who meets the requirements of paragraphs 
(a)(1) through (3) of this section;
    (ii) Disclose such deceased individual's Limited Access DMF to any 
person who uses the information for any purpose other than a legitimate 
fraud prevention interest or a legitimate business purpose pursuant to 
a law, governmental rule, regulation, or fiduciary duty;
    (iii) Disclose such deceased individual's Limited Access DMF to any 
person who further discloses the information to any person other than a 
person who meets the requirements of paragraphs (a)(1) through (3) of 
this section; or
    (iv) Use any such deceased individual's Limited Access DMF for any 
purpose other than a legitimate fraud prevention interest or a 
legitimate business purpose pursuant to a law, governmental rule, 
regulation, or fiduciary duty.
* * * * *

■ 6. In subpart B of part 1110, add Sec. Sec.  1110.103, 1110.104, and 
1110.105 to read as follows:


Sec.  1110.103  Disclosure to a certified person.

    Disclosure by a Person certified under this part of Limited Access 
DMF to another Person certified under this part shall be deemed to 
satisfy the disclosing Person's obligation to ensure compliance with 
Sec.  1110.102(a)(4)(i) through (iii).


Sec.  1110.104  Revocation of certification.

    False certification as to any element of Sec.  1110.102(a)(1) 
through (4) shall be grounds for revocation of certification, in 
addition to any other penalties at law. A Person properly certified who 
thereafter becomes aware that the Person no longer satisfies one or 
more elements of Sec.  1110.102(a) shall promptly inform NTIS thereof 
in writing.


Sec.  1110.105  Renewal of certification.

    (a) A Certified Person may renew its certification status by 
submitting, on or before the date of expiration of the term of its 
certification, a completed certification statement in accordance with 
Sec.  1110.101, together with the required fee, indicating on the form 
NTIS FM161 that it is a renewal, and also indicating whether or not 
there has been any change in any basis previously relied upon for 
certification.
    (b) Except as may otherwise be required by NTIS, where a Certified 
Person seeking certification status renewal has, within a three-year 
period preceding submission under paragraph (a) of this section, 
previously submitted a written attestation under Sec.  1110.101(b), or 
has within such period been subject to a satisfactory audit under Sec.  
1110.201, such Certified Person shall so indicate on the form NTIS 
FM161, and shall not be required to submit a written attestation under 
Sec.  1110.101(b).
    (c) A Certified Person who submits a certification statement, 
attestation (if required) and fee pursuant to paragraph (a) of this 
section shall continue in Certified Person status pending notification 
of renewal or non-renewal from NTIS.
    (d) A Person who is a Certified Person before November 28, 2016 
shall be considered a Certified Person under this part, and shall 
continue in Certified Person status until the date which is one year 
from the date of acceptance of such Person's certification by NTIS 
under the Temporary Certification Program, provided that if such 
expiration date falls on a weekend or a federal holiday, the term of 
certification shall be considered to extend to the next business day.

■ 7. Revise Sec.  1110.200 to read as follows:


Sec.  1110.200  Imposition of penalty.

    (a) General. (1) Any Person certified under this part who receives 
Limited Access DMF, and who:
    (i) Discloses Limited Access DMF to any person other than a person 
who meets the requirements of Sec.  1110.102(a)(1) through (3);
    (ii) Discloses Limited Access DMF to any person who uses the 
Limited Access DMF for any purpose other than a legitimate fraud 
prevention interest or a legitimate business purpose pursuant to a law, 
governmental rule, regulation, or fiduciary duty;
    (iii) Discloses Limited Access DMF to any person who further 
discloses the Limited Access DMF to any person other than a person who 
meets the requirements of Sec.  1110.102(a)(1) through (3); or
    (iv) Uses any such Limited Access DMF for any purpose other than a 
legitimate fraud prevention interest or a legitimate business purpose 
pursuant to a law, governmental rule, regulation, or fiduciary duty; 
and
    (2) Any Person to whom such Limited Access DMF is disclosed, 
whether or not such Person is certified under this part, who further 
discloses or uses such Limited Access DMF as described in paragraphs 
(a)(1)(i) through (iv) of this section, shall pay to the General Fund 
of the United States Department of the Treasury a penalty of $1,000 for 
each such disclosure or use, and, if such Person is certified, shall be 
subject to having such Person's certification revoked.
    (b) Limitation on penalty. The total amount of the penalty imposed 
under this part on any Person for any calendar year shall not exceed 
$250,000, unless such Person's disclosure or use is determined to be 
willful or intentional. For the purposes of this part, a disclosure or 
use is willful when it is a ``voluntary, intentional violation of a 
known legal duty.''
    (c) Disclosure to a Certified Person. No penalty shall be imposed 
under paragraphs (a)(1)(i) through (iii) of this section on a first 
Certified Person who discloses, to a second Certified Person, Limited 
Access DMF, where the sole basis for imposition of penalty on such 
first Certified Person is that such second

[[Page 34893]]

Certified Person has been determined to be subject to penalty under 
this part.

■ 8. Revise Sec.  1110.201 to read as follows:


Sec.  1110.201  Audits.

    Any Person certified under this part shall, as a condition of 
certification, agree to be subject to audit by NTIS, or, at the request 
of NTIS, by an Accredited Conformity Assessment Body, to determine the 
compliance by such Person with the requirements of this part. NTIS may 
conduct, or request that an Accredited Conformity Assessment Body 
conduct, periodic scheduled and unscheduled audits of the systems, 
facilities, and procedures of any Certified Person relating to such 
Certified Person's access to, and use and distribution of, the Limited 
Access DMF. NTIS may conduct, or request that an Accredited Conformity 
Assessment Body conduct, field audits (during regular business hours) 
or desk audits of a Certified Person. Failure of a Certified Person to 
submit to or cooperate fully with NTIS, or with an Accredited 
Conformity Assessment Body acting pursuant to this section, in its 
conduct of an audit, or to pay an audit fee to NTIS, will be grounds 
for revocation of certification.

Subpart D--[Redesignated as Subpart E]

■ 9. Redesignate subpart D as subpart E.
■ 10. Add new subpart D to read as follows:
Subpart D--Administrative Appeal
Sec.
1110.300 Appeal.

Subpart D--Administrative Appeal


Sec.  1110.300  Appeal.

    (a) General. Any Person adversely affected or aggrieved by reason 
of NTIS denying or revoking such Person's certification under this 
part, or imposing upon such Person under this part a penalty, may 
obtain review by filing, within 30 days (or such longer period as the 
Director of NTIS may, for good cause shown in writing, fix in any case) 
after receiving notice of such denial, revocation or imposition, an 
administrative appeal to the Director of NTIS.
    (b) Form of appeal. An appeal shall be submitted in writing to 
Director, National Technical Information Service, at NTIS's current 
mailing address as found on its Web site: www.ntis.gov, ATTENTION DMF 
APPEAL, and shall include the following:
    (1) The name, street address, email address and telephone number of 
the Person seeking review;
    (2) A copy of the notice of denial or revocation of certification, 
or the imposition of penalty, from which appeal is taken;
    (3) A statement of arguments, together with any supporting facts or 
information, concerning the basis upon which the denial or revocation 
of certification, or the imposition of penalty, should be reversed;
    (4) A request for hearing of oral argument before the Director, if 
desired.
    (c) Power of attorney. A Person may, but need not, retain an 
attorney to represent such Person in an appeal. A Person shall 
designate any such attorney by submitting to the Director of NTIS a 
written power of attorney.
    (d) Hearing. If requested in the appeal, a date will be set for 
hearing of oral argument before a representative of the Director of 
NTIS, by the Person or the Person's designated attorney, and a 
representative of NTIS familiar with the notice from which appeal has 
been taken. Unless it shall be otherwise ordered before the hearing 
begins, oral argument will be limited to thirty minutes for each side. 
A Person need not retain an attorney or request an oral hearing to 
secure full consideration of the facts and the Person's arguments.
    (e) Decision. After a hearing on the appeal, if a hearing was 
requested, the Director of NTIS shall issue a decision on the matter 
within 120 days, or, if no hearing was requested, within 90 days of 
receiving the appeal. The decision of the Director of NTIS shall be 
made after consideration of the arguments and statements of fact and 
information in the Person's appeal, and the hearing of oral argument if 
a hearing was requested, but the Director of NTIS at his or her 
discretion and with due respect for the rights and convenience of the 
Person and the agency, may call for further statements on specific 
questions of fact or may request additional evidence in the form of 
affidavits on specific facts in dispute. After the original decision is 
issued, an appellant shall have 30 days (or a date as may be set by the 
Director of NTIS before the original period expires) from the date of 
the decision to request a reconsideration of the matter. The Director's 
decision becomes final 30 days after being issued, if no request for 
reconsideration is filed, or on the date of final disposition of a 
decision on a petition for reconsideration.

■ 11. Revise newly redesignated subpart E to read as follows:
Subpart E--Fees
Sec.
1110.400 Fees.

Subpart E--Fees


Sec.  1110.400  Fees.

    Fees sufficient to cover (but not to exceed) all costs to NTIS 
associated with evaluating Certification Forms and auditing, 
inspecting, and monitoring certified persons under the certification 
program established under this part, as well as appeals, will be 
published (as periodically reevaluated and updated by NTIS) and 
available at https://dmf.ntis.gov. NTIS will not set fees for 
attestations or audits by an Accredited Conformity Assessment Body.

■ 12. Add subpart F to read as follows:
Subpart F--Accredited Conformity Assessment Bodies
Sec.
1110.500 Accredited conformity assessment bodies.
1110.501 Independent.
1110.502 Firewalled.
1110.503 Attestation by accredited conformity assessment body.
1110.504 Acceptance of accredited conformity assessment bodies.

Subpart F--Accredited Conformity Assessment Bodies


Sec.  1110.500  Accredited conformity assessment bodies.

    This subpart describes Accredited Conformity Assessment Bodies and 
their accreditation for third party attestation and auditing of the 
information safeguarding requirement for certification of Persons under 
this part. NTIS will accept an attestation or audit of a Person or 
Certified Person from an Accredited Conformity Assessment Body that is:
    (a) Independent of that Person or Certified Person; or
    (b) Firewalled from that Person or Certified Person, and that in 
either instance is itself accredited by a nationally or internationally 
recognized accreditation body.


Sec.  1110.501  Independent.

    (a) An Accredited Conformity Assessment Body that is an independent 
third party conformity assessment body is one that is not owned, 
managed, or controlled by a Person or Certified Person that is the 
subject of attestation or audit by the Accredited Conformity Assessment 
Body.
    (1) A Person or Certified Person is considered to own, manage, or 
control a third party conformity assessment body if any one of the 
following characteristics applies:
    (i) The Person or Certified Person holds a 10 percent or greater 
ownership interest, whether direct or indirect, in

[[Page 34894]]

the third party conformity assessment body. Indirect ownership interest 
is calculated by successive multiplication of the ownership percentages 
for each link in the ownership chain;
    (ii) The third party conformity assessment body and the Person or 
Certified Person are owned by a common ``parent'' entity;
    (iii) The Person or Certified Person has the ability to appoint a 
majority of the third party conformity assessment body's senior 
internal governing body (such as, but not limited to, a board of 
directors), the ability to appoint the presiding official (such as, but 
not limited to, the chair or president) of the third party conformity 
assessment body's senior internal governing body, and/or the ability to 
hire, dismiss, or set the compensation level for third party conformity 
assessment body personnel; or
    (iv) The third party conformity assessment body is under a contract 
to the Person or Certified Person that explicitly limits the services 
the third party conformity assessment body may perform for other 
customers and/or explicitly limits which or how many other entities may 
also be customers of the third party conformity assessment body.
    (2) A state or local government office of Inspector General or 
Auditor General and a Person or Certified Person that is a department 
or agency of the same state or local government, respectively, are not 
considered to be owned by a common ``parent'' entity under paragraph 
(a)(1)(ii) of this section.
    (b) [Reserved]


Sec.  1110.502  Firewalled.

    (a) A third party conformity assessment body must apply to NTIS for 
firewalled status if it is owned, managed, or controlled by a Person or 
Certified Person that is the subject of attestation or audit by the 
Accredited Conformity Assessment Body, applying the characteristics set 
forth under Sec.  1110.501(a)(1).
    (b) The application for firewalled status of a third party 
conformity assessment body under paragraph (a) of this section will be 
accepted by NTIS where NTIS finds that:
    (1) Acceptance of the third party conformity assessment body for 
firewalled status would provide equal or greater assurance that the 
Person or Certified Person has information security systems, 
facilities, and procedures in place to protect the security of the 
Limited Access DMF than would the Person's or Certified Person's use of 
an independent third party conformity assessment body; and
    (2) The third party conformity assessment body has established 
procedures to ensure that:
    (i) Its attestations and audits are protected from undue influence 
by the Person or Certified Person that is the subject of attestation or 
audit by the Accredited Conformity Assessment Body, or by any other 
interested party;
    (ii) NTIS is notified promptly of any attempt by the Person or 
Certified Person that is the subject of attestation or audit by the 
third party conformity assessment body, or by any other interested 
party, to hide or exert undue influence over an attestation, assessment 
or audit; and
    (iii) Allegations of undue influence may be reported confidentially 
to NTIS. To the extent permitted by Federal law, NTIS will undertake to 
protect the confidentiality of witnesses reporting allegations of undue 
influence.
    (c) NTIS will review each application and may contact the third 
party conformity assessment body with questions or to request 
submission of missing information, and will communicate its decision on 
each application in writing to the applicant, which may be by 
electronic mail.


Sec.  1110.503  Attestation by accredited conformity assessment body.

    (a) In any attestation or audit of a Person or Certified Person 
that will be submitted to NTIS under this part, an Accredited 
Conformity Assessment Body must attest that it is independent of that 
Person or Certified Person. The Accredited Conformity Assessment Body 
also must attest that it has read, understood, and agrees to the 
regulations in this part. The Accredited Conformity Assessment Body 
must also attest that it is accredited to a nationally or 
internationally recognized standard such as the ISO/IEC Standard 27006-
2011 ``Information technology--Security techniques--Requirements for 
bodies providing audit and certification of information security 
management systems,'' or any other similar nationally or 
internationally recognized standard for bodies providing audit and 
certification of information security management systems. The 
Accredited Conformity Assessment Body must also attest that the scope 
of its accreditation encompasses the safeguarding and security 
requirements as set forth in this part.
    (b) Where a Person seeks certification, or where a Certified Person 
seeks renewal of certification or is audited under this part, an 
Accredited Conformity Assessment Body may provide written attestation 
that such Person or Certified Person has systems, facilities, and 
procedures in place as required under Sec.  1110.102(a)(2). Such 
attestation must be based on the Accredited Conformity Assessment 
Body's review or assessment conducted no more than three years prior to 
the date of submission of the Person's or Certified Person's completed 
certification statement, and, if an audit of a Certified Person by an 
Accredited Conformity Assessment Body is required by NTIS, no more than 
three years prior to the date upon which NTIS notifies the Certified 
Person of NTIS's requirement for audit, but such review or assessment 
or audit need not have been conducted specifically or solely for the 
purpose of submission under this part.
    (c) Where review or assessment or audit by an Accredited Conformity 
Assessment Body was not conducted specifically or solely for the 
purpose of submission under this part, the written attestation or 
assessment report (if an audit) shall describe the nature of that 
review or assessment or audit, and the Accredited Conformity Assessment 
Body shall attest that on the basis of such review or assessment or 
audit, the Person or Certified Person has systems, facilities, and 
procedures in place as required under Sec.  1110.102(a)(2).
    (d) Notwithstanding paragraphs (a) through (c) of this section, 
NTIS may, in its sole discretion, require that review or assessment or 
audit by an Accredited Conformity Assessment Body be conducted 
specifically or solely for the purpose of submission under this part.


Sec.  1110.504  Acceptance of accredited conformity assessment bodies.

    (a) NTIS will accept written attestations and assessment reports 
from an Accredited Conformity Assessment Body that attests, to the 
satisfaction of NTIS, as provided in Sec.  1110.503.
    (b) NTIS may decline to accept written attestations or assessment 
reports from an Accredited Conformity Assessment Body, whether or not 
it has attested as provided in Sec.  1110.503, for any of the following 
reasons:
    (1) When it is in the public interest under Section 203 of the 
Bipartisan Budget Act of 2013, and notwithstanding any other provision 
of this part;
    (2) Submission of false or misleading information concerning a 
material fact(s) in an Accredited Conformity Assessment Body's 
attestation under Sec.  1110.503;
    (3) Knowing submission of false or misleading information 
concerning a material fact(s) in an attestation or

[[Page 34895]]

assessment report by an Accredited Conformity Assessment Body of a 
Person or Certified Person;
    (4) Failure of an Accredited Conformity Assessment Body to 
cooperate in response to a request from NTIS to verify the accuracy, 
veracity, and/or completeness of information received in connection 
with an attestation under Sec.  1110.503 or an attestation or 
assessment report by that Body of a Person or Certified Person. An 
Accredited Conformity Assessment Body ``fails to cooperate'' when it 
does not respond to NTIS inquiries or requests, or it responds in a 
manner that is unresponsive, evasive, deceptive, or substantially 
incomplete; or
    (5) Where NTIS is unable for any reason to verify the accuracy of 
the Accredited Conformity Assessment Body's attestation.

[FR Doc. 2016-12479 Filed 5-31-16; 8:45 am]
 BILLING CODE P



                                              enterprises, such as health care research               attestation as part of the certification              rule provides that a state or local
                                              and insurance investigation, as ‘‘a                     process under the final rule, and will                government office of Inspector General
                                              legitimate fraud prevention interest’’ or               decline to exclude Certified Persons                  or Auditor General and a Person or
                                              ‘‘a legitimate business purpose.’’ Other                from being subject to audit, NTIS                     Certified Person that is a department or
                                              commenters suggested that the final rule                emphasizes that it is NTIS’s intent                   agency of the same state or local
                                              should specifically provide that when                   under this final rule that applicants and             government, respectively, are not
                                              an applicant or Certified Person is                     Certified Persons should not incur the                considered to be owned by a common
                                              subject to other laws governing the use                 burden or expense of a DMF-specific                   ‘‘parent’’ entity under
                                              of personal information, the applicant or               audit when they have already had, or                  § 1110.501(a)(1)(ii) for the purpose of
                                              Certified Person should for that reason                 will have, an appropriate independent                 determining independence, and
                                                                                                      assessment or audit performed for other               attestation by the Inspector General or
                                              be deemed to have a ‘‘legitimate fraud
                                                                                                      purposes, including but not limited to                Auditor General will be possible.
                                              prevention interest’’ or ‘‘legitimate
                                                                                                      those noted above. To this end,                          With respect to comments urging that
                                              business purpose.’’ It was urged that                                                                         provision should be made for self-
                                              codification of such categories would                   § 1110.503(c) of the final rule explicitly
                                                                                                                                                            assessments and attestations by
                                              further the purpose of the Act and                      contemplates reliance upon a review or
                                                                                                                                                            organizations having the capacity to
                                              benefit businesses and other entities                   assessment or audit by an Accredited
                                                                                                                                                            perform assessments and audits, NTIS
                                              reliant upon the LADMF by eliminating                   Conformity Assessment Body that was
                                                                                                                                                            recognizes that some organizations have
                                              the threat of interrupted access. NTIS                  not conducted specifically or solely for
                                                                                                                                                            such capacity, and are able in exercising
                                              has carefully considered these                          the purpose of submission to NTIS.
                                                                                                                                                            it to address safeguarding and security
                                              suggestions, and observes that each                     NTIS intends that when a review,
                                                                                                                                                            requirements under other laws and
                                              Person applying for certification must                  assessment or audit has been or can be
                                                                                                                                                            regulations. Accordingly, new
                                              certify to NTIS that such Person satisfies              performed in the course of satisfying
                                                                                                                                                            § 1110.502 of the final rule provides
                                              each of three requirements specified                    other Federal, state, tribal, or local
                                                                                                                                                            that, in addition to ‘‘independent’’
                                              under Section 203(b)(2) of the Act, and                 government laws or regulations, such as               Accredited Conformity Assessment
                                              that NTIS will evaluate each application                those mentioned by commenters, or                     Bodies, a Person or Certified Person may
                                              individually to ensure that an                          other regulatory or fiduciary                         engage a ‘‘firewalled’’ Accredited
                                              individual applicant is properly                        requirements flowing from such laws or                Conformity Assessment Body, as
                                              certified. NTIS does acknowledge that it                regulations, a Person or Certified Person             defined in the final rule and with the
                                              received numerous comments to the                       will be able to rely upon that review,                approval of NTIS, under conditions, as
                                              effect that awardees of federal research                assessment or audit, to the extent that               defined in the rule, which ensure that
                                              grants and others conducting extramural                 the requirements of the final rule are                concerns about independence and
                                              and intramural research under federal                   satisfied. In these circumstances, NTIS               actual or apparent conflicts of interest or
                                              programs should be eligible for                         intends that it will accept an Accredited             undue influence are satisfactorily
                                              certification, provided that they                       Conformity Assessment Body’s                          addressed.
                                              otherwise satisfy the requirements of the               attestation regarding a non-DMF audit,                   Under new § 1110.502(a), a third
                                              final rule. NTIS notes that, while it                   which attestation includes an                         party conformity assessment body must
                                              appreciates the commenters’ position,                   explanation of the nature of that non-                apply to NTIS for firewalled status if it
                                              such Persons must, like any applicants,                 DMF audit and represents that, based on               is owned, managed, or controlled by a
                                              demonstrate that they satisfy the                       its review, the Accredited Conformity                 Person or Certified Person that is the
                                              requirements for LADMF access.                          Assessment Body is satisfied that the                 subject of attestation or audit by the
                                                 A commenter observed that use of the                 LADMF security and safeguard                          Accredited Conformity Assessment
                                              term ‘‘Accredited Certification Body’’ in               requirements are met.                                 Body, applying the characteristics set
                                              the proposed rule could create                             NTIS will not at this time accept the              forth under § 1110.501(a)(1) for
                                              confusion, particularly since the                       suggestion of some commenters to                      independence. Under new
sradovich on DSK3TPTVN1PROD with RULES




                                              concept of ‘‘certification’’ appears and is             permit ‘‘self-assessments’’ or ‘‘a self-              § 1110.502(b), NTIS will accept an
                                              used separately in the rule. Accordingly,               certified written attestation’’ in lieu of a          application for firewalled status when it
                                              the final rule uses the term ‘‘Accredited               written attestation from an independent               finds that: (1) Acceptance of the third
                                              Conformity Assessment Body’’ rather                     Accredited Conformity Assessment                      party conformity assessment body for
                                              than ‘‘Accredited Certification Body,’’                 Body. With respect to state and local                 firewalled status would provide equal or
                                              and NTIS uses the former term in the                    government departments and agencies,                  greater assurance that the Person or
                                              preamble as well.                                       which are included within the                         Certified Person has information


security systems, facilities, and procedures in place to protect the security of the Limited Access DMF than would the Person’s or Certified Person’s use of an independent third party conformity assessment body; and (2) the third party conformity assessment body has established procedures to ensure that: (1) Its attestations and audits are protected from undue influence by the Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, or by any other interested party; (2) NTIS is notified promptly of any attempt by the Person or Certified Person that is the subject of attestation or audit by the third party conformity assessment body, or by any other interested party, to hide or exert undue influence over an attestation, assessment or audit; and (3) allegations of undue influence may be reported confidentially to NTIS. To the extent permitted by Federal law, NTIS will undertake to protect the confidentiality of witnesses reporting allegations of undue influence. Under new § 1110.502(c), NTIS will review each application and may contact the third party conformity assessment body with questions or to request submission of missing information, and will communicate its decision on each application in writing to the applicant.

Some commenters expressed concern that in attesting to its credentials under § 1110.503(a), an Accredited Conformity Assessment Body must indicate that it is accredited to a nationally or internationally recognized standard such as the ISO/IEC Standard 27006–2011 or any other similar recognized standard for bodies providing audit and certification for information security management systems, pointing to other potentially applicable standards, such as the American Institute of Public Accountants (AICPA) Service Organization Control Report (SOC) Type 2 Audit Report. NTIS wishes to emphasize that it is not NTIS’s intent, in reciting ISO/IEC 27006–2011, to exclude from consideration AICPA SOC2 or other appropriate accreditation standards. The regulation identifies the ISO/IEC standard as one example of an acceptable national or international accreditation standard. NTIS selected the ISO/IEC standard, as noted in the original discussion of the proposed rule, to serve “as a baseline for accreditation,” because it was prepared by the International Organization for Standardization (ISO) Committee on conformity assessment (79 FR at 78316). Moreover, NTIS emphasized that it “is aware that standards other than ISO/IEC 27006–2001 exist that may be equally appropriate for the purposes of accreditation under the Act, and that additional standards may be developed in the future . . . an [Accredited Conformity Assessment Body] may attest, subject to the conditions of verification in [final rule] Section 1110.503, that it is accredited to a nationally or internationally recognized standard for management systems other than ISO/IEC Standard 27006–2011.” NTIS further observes that the burden rests with the Person or Certified Person to identify and submit an attestation by an Accredited Conformity Assessment Body certified or credentialed by an appropriate accrediting body. Accordingly, NTIS concludes that § 1110.503(a) provides appropriate guidance as to the accreditation standard for Accredited Conformity Assessment Bodies.

A few commenters suggested that NTIS should directly accredit Accredited Conformity Assessment Bodies to conduct assessments and audits or provide a list of acceptable accreditations for Accredited Conformity Assessment Bodies. NTIS does not intend to do so. Recognized professional accreditation organizations with well-established, rigorous accreditation processes already exist in the private sector. Such organizations have either adopted or established nationally and internationally accepted standards for entities which may serve as Accredited Conformity Assessment Bodies under the final rule. In considering how to establish a permanent certification program as required under Section 203, NTIS carefully considered developing, within the agency, the capacity to evaluate the information systems, facilities and procedures of Persons to safeguard Limited Access DMF, as well as to conduct audits of Certified Persons and to itself accredit conformity assessment bodies. NTIS has consulted with the National Institute of Standards and Technology (NIST), which has expertise in testing, standard setting, certification and conformity assessment. Based on NIST recommendations, NTIS believes it appropriate for private sector, third party, Accredited Conformity Assessment Bodies to attest to a Person’s information security safeguards under § 1110.102(a)(2) of the rule, for NTIS to rely upon such attestation in certifying a Person under the final rule, and for NTIS to rely as well upon third party, private sector accreditation of Accredited Conformity Assessment Bodies, while reserving to itself the ability to perform assessments and audits itself, in its discretion.

A number of commenters expressed concerns regarding the identification, in § 1110.502(b) of the proposed rule, of the “Limited Access Death Master File Publication 100” (Publication 100) as a source of guidance to which an Accredited Conformity Assessment Body could refer in its attestation as to the adequacy of an applicant’s or Certified Person’s safeguards for Limited Access DMF. These commenters stated that, even though Publication 100 is intended to set forth recommended guidelines, procedures and best practices, reference to that publication in the proposed rule implied a limitation to those safeguarding approaches set forth in Publication 100. These commenters offered other sources of security requirements for personal information they thought were pertinent and should be expressly included in the rule, such as the security standards for the GLBA.

NTIS notes, however, that the language of the rule makes clear that Publication 100 merely offers an example of security controls and protocols that an applicant or Certified Person may use, and is not intended to be prescriptive (79 FR at 78316). Moreover, NTIS recognizes that “a number of different approaches exist to safeguarding information.” Id. In the December 2014 Draft Version of Publication 100, NTIS stated:

“These information security guidelines are derived from NIST SP800–53 Revision 4, Security and Privacy Controls for Federal Information Systems and Organizations. Only NIST SP 800–53 controls believed to be essential to the protection of Limited Access DMF information are included in this publication as a baseline. Applicability was determined by selecting controls relevant to protecting the confidentiality of Limited Access DMF information. The NIST controls [discussed here] are intended by NTIS to be illustrative, not exclusive. Other controls that can be assessed and used as guidelines include the NIST Framework for Improving Critical Infrastructure Cybersecurity v1.0. The Framework Core provides a common set of activities for managing risks, and associated controls. The references provided in the Framework Core represent a diverse set of information security guidelines including: International Organization for Standardization ISO 27001; International Society for Automation ISA/IEC 62443; Control Objectives for Information and Related Technology COBIT; Council on Cybersecurity Critical Security Controls CCS CSC2; and NIST 800–53 rev. 4. Again, these references are illustrative.”

Nevertheless, in response to commenters’ concerns, NTIS has removed reference to Publication 100 from § 1110.503(b) of the final rule.

Given the continuously evolving nature of information technology security and safeguard guidelines, procedures and best practices, NTIS intends that Publication 100 will be a living document. NTIS has invited comments on Publication 100 from the public on an ongoing basis, and contemplates interactive public dialog regarding its contents.

The proposed rule introduced a “safe harbor” provision in § 1110.200(c) that would exempt from penalty a first Certified Person who discloses LADMF to a second Certified Person, where the first Certified Person’s liability rests solely on the fact that the second Certified Person has been determined to be subject to penalty. The provision was specifically drafted to apply to each disclosure and to limit the presumption of compliance to the first Certified Person, while the second Certified Person (i.e., the recipient of the LADMF) remained subject to penalty for

require their clients or other users to become certified and thus be subject to the rule’s security and auditing requirements.

NTIS will not extend the “safe harbor” provision of § 1110.102(c) in this manner. However, NTIS emphasizes that Certified Person status has not been and is not required in order for a Certified Person to disclose LADMF to another Person. A Certified Person may, without penalty under § 1110.200 (but without “safe harbor” protection), disclose LADMF to another Person who, although not certified, meets the requirements of § 1110.102(a)(1) through (3), and who does not misuse or further disclose the LADMF in violation of § 1110.200(a)(1)(ii) or (iii). Indeed, many of the comments described above reflect the types of procedures that Certified Persons have successfully adopted under the Temporary Certification Program, and might be expected to

general principles of comity and consistent with the purposes of Section 203 and the requirements of the final rule.

The Final Rule

This final rule amends subparts A, B, C, D, and adds a new subpart E to the DMF Certification Program in part 1110 of title 15 of the Code of Federal Regulations. The following describes specific provisions being amended.

Under § 1110.2, “Definitions,” NTIS is revising the definition of “Person” to recite “state and local government departments and agencies,” so that “Person” will be defined as including corporations, companies, associations, firms, partnerships, societies, joint stock companies, and other private organizations, and state and local government departments and agencies, as well as individuals. However, Executive departments or agencies of the United States Government will not
                                              violations of the Act (79 FR at 78317.)                 adopt successfully in disclosing LADMF                be considered ‘‘Persons’’ for the
                                              NTIS invited comments as to whether                     to uncertified Persons under the final                purposes of this rule. Accordingly,
                                              the ‘‘safe harbor’’ provision should be                 rule. However, under such                             Executive departments or agencies will
                                              extended to circumstances where the                     circumstances not involving a certified               not have to complete the Certification
                                              recipient is believed to be certified but,              recipient, NTIS will not apply a ‘‘safe               Form as set forth in the rule, and will
                                              in fact, is not. NTIS did not receive                   harbor’’ such as is applied under the                 be able to access Limited Access DMF
                                              comment on this point. A Certified                      final rule to a Certified Person who                  under a subscription or license
                                              Person desiring to rely upon the ‘‘safe                 discloses Limited Access DMF to                       agreement with NTIS, describing the
                                              harbor’’ provision as set forth in this                 another who is also a Certified Person.               purpose(s) for which Limited Access
                                              final rule will bear responsibility for                    A few commenters were critical of the              DMF is collected, used, maintained and
                                              ensuring that a recipient of LADMF is,                  appeals process set forth in § 1110.300.              shared. Those working on behalf of and
                                              in fact, a Certified Person at the time of              One commenter opined that entities                    authorized by Executive departments or
                                              disclosure. NTIS notes that it maintains                facing potential liability through                    agencies may access the Limited Access
                                              and publishes a list of Certified Persons,              ‘‘unscheduled audits’’ and ‘‘substantial              DMF from their sponsoring Executive
                                              available at https://dmf.ntis.gov.                      financial penalties’’ needed ‘‘well-                  department or agency, which will be
                                                 NTIS received many comments                          developed procedural rights’’ such as                 responsible for ensuring that such
                                              suggesting that it should promulgate a                  the right of appeal to an administrative              access is solely for the authorized
                                              broader ‘‘safe harbor’’ for a Certified                 law judge and federal court. NTIS has                 purposes described by the agency.
                                              Person who discloses LADMF to                           carefully considered these comments,                  Unauthorized secondary use of Limited
                                              Persons whom the Certified Person                       but concludes that the process and                    Access DMF by Executive departments
                                              knows are not certified (‘‘uncertified                  procedures set forth in § 1110.300 are                or agencies or those working for them or
                                              Persons’’). Many commenters urged                       legally sufficient. NTIS has provided an              on their behalf is prohibited. If an
                                              that, unless the final rule made further                appropriate administrative and appeal                 Executive department or agency wishes
                                              allowance for Certified Persons to share                process in § 1110.300. Pursuant to the                those working on its behalf to access the
                                              LADMF with uncertified Persons, the                     Administrative Procedure Act (Pub. L.                 Limited Access DMF directly from
                                              commenters’ businesses would suffer                     79–404, 60 Stat. 237), any Person or                  NTIS, then those working on behalf of
                                              and their clients or other users would be               Certified Person can seek review of any               that Executive department or agency
                                              deprived of data they need for critical                 adverse action or decision by the                     will be required to complete and submit
                                              purposes including fraud prevention,                    Director of NTIS in federal district                  the Certification Form as set forth in the
                                              record-keeping and meeting legal and                    court.                                                rule and enter into a subscription
                                              regulatory obligations. Many of these                      A comment was received suggesting                  agreement with NTIS in order to
                                              commenters also urged the extension of                  that the exclusion of Executive                       directly access the Limited Access DMF.
                                              the ‘‘safe harbor’’ to Certified and                    departments or agencies of the United                 Under this final rule, a Certified Person
                                              uncertified Persons under certain                       States Government from the definition                 will be eligible to access the Limited
                                              circumstances, such as where an                         of ‘‘Persons,’’ noted initially under the             Access DMF made available by NTIS
                                              uncertified Person attests in writing that              interim final rule and continued in the               through subscription or license.
                                              it meets the requirements for                           proposed rule, should be extended as                     The final rule adds a requirement
sradovich on DSK3TPTVN1PROD with RULES




                                              certification and to disclose the LADMF                 well to the governments of foreign                    that, in order to become certified, a
                                              only to other uncertified Persons who                   countries. NTIS has carefully                         Person must submit a written attestation
                                              could also meet the requirements, or                    considered this comment, but will not                 from an Accredited Conformity
                                              where private contractual obligations                   adopt such a categorical exclusion.                   Assessment Body, as defined in the final
                                              were incurred. Some commenters                          NTIS will continue to consider                        rule, that such Person has information
                                              contended that it would be                              applications by foreign governments on                security systems, facilities, and
                                              unreasonable and unrealistic for NTIS to                a case-by-case basis, in accordance with              procedures in place to protect the
security of the Limited Access DMF, as required under § 1110.102(a)(2) of the rule. NTIS has consulted with NIST, which has expertise in testing, standard-setting, and certification of various systems. Based on NIST recommendations, the final rule provides for private sector, third party, Accredited Conformity Assessment Bodies to attest to a Person's information security safeguards under § 1110.102(a)(2) of the rule, and NTIS will rely upon such attestation in certifying a Person under the final rule. The final rule also provides for Accredited Conformity Assessment Bodies to conduct periodic scheduled and unscheduled audits of Certified Persons on behalf of NTIS.

Under the final rule, an "Accredited Conformity Assessment Body" is defined as an independent third party conformity assessment body that is not owned, managed, or controlled by a Person or Certified Person which is the subject of attestation or audit, and that is accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, ISO and the International Electrotechnical Commission (IEC) publication ISO/IEC 27006–2011, "Information technology—Security techniques—Requirements for bodies providing audit and certification of information security management systems," to attest that a Person or Certified Person has information technology systems, facilities and procedures in place to safeguard Limited Access DMF. Based on NIST recommendations, NTIS believes it is appropriate to reference the ISO/IEC 27006–2001 as an exemplary baseline for accreditation under the final certification program. The ISO Committee on conformity assessment (CASCO) prepared ISO/IEC 27006–2001, and reference to the ISO/IEC standard will help ensure that attestations and audits under the final certification program operate in a manner consistent with national and international practices. Accreditation is a third-party attestation that a conformity assessment body operates in accordance with national and international standards. Accreditation is used nationally and internationally in many sectors where there is a need, through certification, for safety, health or security requirements to be met by products or services. Accreditation ensures that a conformity assessment body is technically competent in the subject matter (in this case, the information safeguarding and security requirements as set forth in the rule) and has a management system in place to ensure competency and acceptable certification program operations on a continuing basis. Accreditation requires that Accredited Conformity Assessment Bodies be re-accredited on a periodic basis.

However, NTIS also acknowledges that standards other than ISO/IEC 27006–2001 exist that are equally appropriate for the purposes of accreditation under the Act, and that additional appropriate standards may be developed in the future. The final rule provides that an Accredited Conformity Assessment Body may attest, subject to the conditions of verification in § 1110.503 of the final rule, that it is accredited to a nationally or internationally recognized standard for bodies providing audit and certification of information security management systems other than ISO/IEC Standard 27006–2011. In addition, the rule provides that an Accredited Conformity Assessment Body must also attest that the scope of its accreditation encompasses the information safeguarding and security requirements as set forth in the rule.

NTIS is aware that security and safeguarding of information and information systems is of great concern in many fields of endeavor other than with respect to Limited Access DMF. NTIS has consulted with subject matter experts from NIST, which in 2014 published the "Framework for Improving Critical Infrastructure Cybersecurity" 1 (Framework), in response to President Obama's Executive Order 13636, "Improving Critical Infrastructure Cybersecurity," which established that "[i]t is the Policy of the United States to enhance the security and resilience of the Nation's critical infrastructure and to maintain a cyber environment that encourages efficiency, innovation, and economic prosperity while promoting safety, security, business confidentiality, privacy, and civil liberties." In articulating this policy, the Executive Order calls for the development of a voluntary risk-based Cybersecurity Framework—a set of industry standards and best practices to help organizations manage cybersecurity risks. The resulting Framework, created by NIST through collaboration between government and the private sector, uses a common language to address and manage cybersecurity risks in a cost-effective way based on business needs without placing additional regulatory requirements on businesses. The Framework enables organizations—regardless of size, degree of cybersecurity risk, or cybersecurity sophistication—to apply the principles and best practices of risk management to improving the security and resilience of critical infrastructure. The Framework provides organization and structure to today's multiple approaches to cybersecurity by assembling standards, guidelines, and practices that are working effectively in industry today. Accordingly, in addressing the requirements of Section 203 for "systems, facilities, and procedures" to safeguard Limited Access DMF, NTIS contemplates that Persons, as well as Accredited Conformity Assessment Bodies, may look to the Framework and to the Framework's Informative References. The Framework is referenced by NTIS in Publication 100. As set forth in Publication 100, as well as in the Framework's Informative References, a number of different approaches exist to safeguarding information. These include ISO/IEC, Control Objectives for Information and Related Technology (COBIT), International Society of Automation (ISA), and NIST's 800 series publications. Others include the Service Organization Controls (SOC) of the American Institute of CPAs (AICPA).

1 This document can be found at: http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

NTIS is aware that security and safeguarding assessments such as those contemplated under this final rule are routinely carried out in the private sector, including by entities which may satisfy the requirements for Accredited Conformity Assessment Bodies under the rule. Provided that such a routine assessment or audit of a Person would permit an Accredited Conformity Assessment Body to attest that such Person has systems, facilities, and procedures in place to safeguard Limited Access DMF as required under § 1110.102(a)(2) of the final rule, albeit carried out for a purpose other than certification under the rule, NTIS will accept an attestation in support of a Person's certification with respect to the requirements under § 1110.102(a)(2) of the rule, as well as in support of the renewal of a Certified Person's certification. The final rule provides that any attestation, whether for a Person seeking certification or for a Certified Person seeking renewal, must be based on the Accredited Conformity Assessment Body's review or assessment conducted no more than three years prior to the date of submission of the Person's completed certification statement or of the Certified Person's completed renewal certification statement. As noted, an
Accredited Conformity Assessment Body's review or assessment need not have been conducted specifically or solely for the purpose of submission of an attestation under the final rule. From NTIS's consultations with NIST subject matter experts, NTIS believes that the limitation of three years is appropriate as to frequency for assessments for the security and safeguarding of information and information systems, and that permitting Persons and Certified Persons to rely on attestations based on such assessments conducted for purposes other than solely for the rule is reasonable and cost-effective.

Persons previously certified under the interim final rule will need to become certified in accordance with the requirements of this final rule, when it becomes effective. Certification under this final rule will include an updated certification form (NTIS FM161), discussed under the heading, "Paperwork Reduction Act," collecting

expense, periodic scheduled and unscheduled audits of the systems, facilities, and procedures of any Certified Person relating to such Certified Person's access to, and use and distribution of, the Limited Access DMF. NTIS contemplates that many, if not most, audits of Certified Persons will be scheduled, but NTIS may also conduct, or request an Accredited Conformity Assessment Body conduct, unscheduled audits—for example, where a prior scheduled audit may have identified the need for adjustment to a Certified Person's systems, facilities, or procedures. Audits conducted by NTIS or by an Accredited Conformity Assessment Body may take place at a Certified Person's place of business (i.e., field audits), or may be conducted remotely (i.e., desk audits). The final rule provides that all Certified Persons be audited with respect to the requirements of § 1110.102(a)(2) no less frequently than every three years under

when it is a "voluntary, intentional violation of a known legal duty." See U.S. v. Pomponio, 429 US 10 (1976) (holding that for purposes of interpreting the criminal tax provisions of the Internal Revenue Code, the term "willful" means a voluntary, intentional violation of a known legal duty).

The final rule's § 1110.300 establishes the procedures to appeal a denial or revocation of certification, or the imposition of penalties for violating the Act. An administrative appeal must be filed, in writing, within 30 days (or such longer period as the Director of NTIS may, for good cause shown in writing, establish in any case) after receiving a notice of denial, revocation or imposition of penalties. Appeals are to be directed to the Director of NTIS. Any such appeal must set forth the following: The name, street address, email address and telephone number of the Person seeking review; a copy of the notice of denial or revocation of
                                              additional information that will                        the program, and this requirement may                 certification, or the imposition of
                                              improve NTIS’s ability to determine                     be satisfied by a Certified Person based              penalty, from which appeal is taken; a
                                              whether a Person meets, to the                          on an audit or assessment conducted for               statement of arguments, together with
                                              satisfaction of NTIS, the requirements of               a purpose other than solely for the                   any supporting facts or information,
                                              Section 203 of the Act.                                 purpose of this program. The final rule               concerning the basis upon which the
                                                 Under § 1110.103 of the final rule, a                does not require that Certified Persons               denial or revocation of certification, or
                                              Certified Person may disclose Limited                   undergo routine scheduled audits on the               the imposition of penalty, should be
                                              Access DMF to another Certified Person,                                                                       reversed; and a request for hearing of
                                                                                                      attestation regarding § 1110.102(a)(1),
                                              and will be deemed to satisfy the                                                                             oral argument before a representative of
                                                                                                      but does provide that unscheduled
                                              disclosing Certified Person’s obligation                                                                      the Director, if desired.
                                                                                                      audits of this and other aspects of the
                                              to ensure compliance with final                                                                                  Section 1110.300(a)–(d) sets forth the
                                                                                                      requirements for certification may be
                                              § 1110.102(a)(4)(i)–(iii) for the purposes                                                                    procedures for an administrative appeal.
                                                                                                      conducted at NTIS’s discretion. Under
                                              of certification. Similarly, under                                                                            Under § 1110.300(c), a Person may, but
                                                                                                      the final rule, NTIS’ costs for
                                              § 1110.200(c), NTIS will not impose a                                                                         need not, retain an attorney to represent
                                                                                                      conducting audits will be recoverable
                                              penalty, under § 1110.200(a)(1)(i)–(iii) of                                                                   such Person in an appeal. A Person
                                                                                                      from the audited Person. Failure to
                                              the final rule, on a first Certified Person                                                                   must designate an attorney by
                                                                                                      submit to an audit, to cooperate fully                submitting to the Director of NTIS a
                                              who discloses Limited Access DMF to a
                                              second Certified Person, where the first                with NTIS in its conduct of an audit or               written power of attorney. If a hearing
                                              Certified Person’s liability rests solely               an Accredited Conformity Assessment                   is requested, the Person (or the Person’s
                                              on the fact that the second Certified                   Body conducting an audit on NTIS’s                    designated attorney) and a
                                              Person has been determined to be                        request, or to pay an audit fee owed to               representative of NTIS familiar with the
                                              subject to penalty. While the final rule                NTIS, are grounds for revocation of                   notice from which appeal has been
                                              does not restrict disclosure of Limited                 certification under the final rule. NTIS              taken will present oral arguments
                                              Access DMF to Certified Persons, these                  intends that a Person or Certified Person             which, unless otherwise ordered before
                                              provisions create an appropriately                      will be directly responsible to an                    the hearing begins, will be limited to
                                              limited ‘‘safe harbor’’ for Certified                   Accredited Conformity Assessment                      thirty minutes for each side. A Person
                                              Persons to disclose Limited Access DMF                  Body for any charges by that Accredited               need not retain an attorney or request an
                                              to other Certified Persons. However,                    Conformity Assessment Body related to                 oral hearing to secure full consideration
                                              note that any Person, including any                     requirements under this final rule, as it             of the facts and the Person’s arguments.
                                              Certified Person, who receives Limited                  would be responsible for NTIS’ auditing               Where no hearing is requested, the
                                              Access DMF from a Certified Person, is                  costs under the Act.                                  Director shall review the case and issue
                                              still subject to penalty under                             Section 1110.200(a)(2) and (b) of the              a decision, as set out below.
                                              § 1110.200(a)(2), for violations of the                 final rule set out the penalties for                     Under § 1110.300(e), the Director of
                                              Act. The safe harbor provision applies                  unauthorized disclosures or uses of the               NTIS shall issue a decision on the
                                              to each disclosure individually, and                    Limited Access DMF. Each individual                   matter within 120 days after a hearing,
                                              only the Certified Person disclosing the                unauthorized disclosure is punishable                 or, if no hearing was requested, within
                                              information, not the Certified Person                   by a fine of $1,000, payable to the                   90 days of receiving the letter of appeal.
sradovich on DSK3TPTVN1PROD with RULES




                                              recipient, receives the benefit of the                  United States Treasury. However, the                  In making decisions on appeal, the
                                              presumed compliance with                                total amount of the penalty imposed                   Director shall consider the arguments
                                              § 1110.102(a)(4)(i)–(iii).                              under this part on any Person for any                 and statements of fact and information
                                                 Under § 1110.201 of the final rule,                  calendar year shall not exceed $250,000,              in the Person’s appeal, and made at the
                                              NTIS may conduct, or may request that                   unless such Person’s disclosure or use is             oral argument hearing, if such was
                                              an Accredited Conformity Assessment                     determined to be willful or intentional.              requested, but the Director at his or her
                                              Body conduct, at the Certified Person’s                 A disclosure or use is considered willful             discretion and with due respect for the


                                         VerDate Sep<11>2014   16:11 May 31, 2016   Jkt 238001   PO 00000   Frm 00028   Fmt 4700   Sfmt 4700   E:\FR\FM\01JNR1.SGM   01JNR1


                                                                Federal Register / Vol. 81, No. 105 / Wednesday, June 1, 2016 / Rules and Regulations                                         34889

                                              rights and convenience of the Person                    the Person or Certified Person that                   submission of false or misleading
                                              and the agency, may call for further                    explicitly limits the services the third              information concerning a material
                                              statements on specific questions of fact,               party conformity assessment body may                  fact(s) in an Accredited Conformity
                                              or may request additional evidence in                   perform for other customers and/or                    Assessment Body’s attestation under
                                              the form of affidavits on specific facts in             explicitly limits which or how many                   § 1110.503; knowing submission of false
                                              dispute. An appellant may seek                          other entities may also be customers of               or misleading information concerning a
                                              reconsideration of the decision, but                    the third party conformity assessment                 material fact(s) in an attestation or
                                              must do so in writing, and the request                  body.                                                 assessment report by an Accredited
                                              for reconsideration must be received                       In order for NTIS to accept an                     Conformity Assessment Body of a
                                              within 30 days of the Director’s decision               attestation as to, or audit of, a Person or           Person or Certified Person; failure of an
                                              or within such an extension of time                     Certified Person submitted to NTIS                    Accredited Conformity Assessment
                                              thereof as may be set by the Director of                under the final rule, the Accredited                  Body to cooperate (as defined in this
                                              NTIS before the original period expires.                Conformity Assessment Body must                       section) in response to a request from
                                              A decision shall become final either                    attest that it is independent of that                 NTIS to verify the accuracy, veracity,
                                              after the 30-day period for requesting                  Person or Certified Person. The                       and/or completeness of information
                                              reconsideration expires and no request                  Accredited Conformity Assessment                      received in connection with an
                                              has been submitted, or on the date of                   Body also must attest that it has read,               attestation under § 1110.503 or an
                                              final disposition of a decision on a                    understood, and agrees to the                         attestation or assessment report by that
                                              petition for reconsideration.                           regulations as set forth in the final rule.           Body of a Person or Certified Person; or
                                                 Under § 1110.500 of the final rule, an               The Accredited Conformity Assessment                  where NTIS is unable for any reason to
                                              Accredited Conformity Assessment                        Body must also attest that it is                      verify the accuracy of the Accredited
                                              Body must be independent of the Person                  accredited to ISO/IEC Standard 27006–                 Conformity Assessment Body’s
                                              or Certified Person seeking certification,              2011 ‘‘Information technology—Security                attestation.
                                              unless it is a third party conformity                   techniques—Requirements for bodies                       In addition, with respect to audits
                                              assessment body which a Certified                       providing audit and certification of                  under the final rule, NTIS may in its
                                              Person has qualified for ‘‘firewalled’’                 information security management                       discretion decline to accept an
                                              status pursuant to § 1110.502, and must                 systems,’’ or to another nationally or                attestation or assessment report
                                              itself be accredited by a recognized                    internationally recognized standard for               conducted for other purposes, and may
                                              accreditation body. The requirement for                 bodies providing audit and certification              conduct or require that an Accredited
                                              independence from the Person seeking                    of information security management                    Conformity Assessment Body conduct a
                                              certification, or from the Certified                    systems. The Accredited Conformity                    review solely for the purpose of the final
                                              Person seeking renewal or subject to                    Assessment Body must also attest that                 rule.
                                              audit, is important to ensure integrity of              the scope of its accreditation
                                              any assessment and attestation or audit.                encompasses the safeguarding and                      Executive Order 12866
                                              The final rule provides that an                         security requirements as set forth in the               This final rule has been determined to
                                              Accredited Conformity Assessment                        final rule.                                           be significant as that term is defined in
                                              Body must be an independent third                          Where review or assessment or audit                Executive Order 12866.
                                              party conformity assessment body that                   by an Accredited Conformity
                                                                                                      Assessment Body was not conducted                     Executive Order 13132
                                              is not owned, managed, or controlled by
                                              a Person or Certified Person that is the                specifically or solely for the purpose of                A rule has implications for federalism
                                              subject of attestation or audit by the                  submission under this part, the final                 under Executive Order 13132,
                                              Accredited Conformity Assessment                        rule requires that the written attestation            Federalism, if it has a substantial direct
                                              Body, except where the third party                      or assessment report (if an audit)                    effect on State or local governments and
                                              conformity assessment body qualifies                    describe the nature of that review or                 would either preempt State law or
                                              for ‘‘firewalled’’ status under                         assessment or audit, and that the                     impose a substantial direct cost of
                                              § 1110.502.                                             Accredited Conformity Assessment                      compliance on States or localities. NTIS
                                                 Accordingly, under the final rule, a                 Body attest that on the basis of such                 has analyzed this rule under that Order
                                              Person or Certified Person is considered                review or assessment or audit, the                    and has determined that it does not
                                              to own, manage, or control a third party                Person or Certified Person has systems,               have implications for federalism.
                                              conformity assessment body if the                       facilities, and procedures in place to
                                                                                                                                                            Final Regulatory Flexibility Analysis
                                              Person or Certified Person holds a 10                   safeguard Limited Access DMF as
                                              percent or greater ownership interest,                  required under § 1110.102(a)(2).                         The Regulatory Flexibility Act of
                                              whether direct or indirect, in the third                   While NTIS will normally accept                    1980, as amended, (RFA), requires
                                              party conformity assessment body; if the                written attestations and assessment                   agencies to analyze impacts of
                                              third party conformity assessment body                  reports from an Accredited Conformity                 regulatory actions on small entities
                                              and the Person or Certified Person are                  Assessment Body that attests, to the                  (businesses, non-profit organizations,
                                              owned by a common ‘‘parent’’ entity; if                 satisfaction of NTIS, as provided in                  and governments), and to consider
                                              the Person or Certified Person has the                  § 1110.503 of the final rule, the final               alternatives that minimize such impacts
                                              ability to appoint a majority of the third              rule also provides that NTIS may                      while achieving regulatory objectives.
                                              party conformity assessment body’s                      decline to accept written attestations or             Agencies must first conduct a threshold
                                              senior internal governing body, the                     assessment reports from an Accredited                 analysis to determine whether
                                              ability to appoint the presiding official               Conformity Assessment Body, whether                   regulatory actions are expected to have
sradovich on DSK3TPTVN1PROD with RULES




                                              of the third party conformity assessment                or not it has attested as provided in                 significant economic impact on a
                                              body’s senior internal governing body,                  § 1110.503, for any of the following                  substantial number of small entities. If
                                              and/or the ability to hire, dismiss, or set             reasons: when NTIS determines that                    the threshold analysis indicates a
                                              the compensation level for third party                  doing so is in the public interest under              significant economic impact on a
                                              conformity assessment body personnel;                   Section 203 of the Bipartisan Budget Act              substantial number of small entities, an
                                              or if the third party conformity                        of 2013, and notwithstanding any other                initial regulatory flexibility analysis
                                              assessment body is under a contract to                  provision of these regulations;                       must be produced and made available


                                         VerDate Sep<11>2014   16:11 May 31, 2016   Jkt 238001   PO 00000   Frm 00029   Fmt 4700   Sfmt 4700   E:\FR\FM\01JNR1.SGM   01JNR1


                                              34890             Federal Register / Vol. 81, No. 105 / Wednesday, June 1, 2016 / Rules and Regulations

                                              for public review and comment along                     Number and Description of Small                       alternatives included requiring all
                                              with the proposed regulatory action. A                  Entities Regulated by the Action                      Persons desiring to become certified to
                                              final regulatory flexibility analysis that                 The final rule applies to all persons              comply with the same requirements as
                                              considers public comments must then                     seeking to become certified to obtain the             those set forth in Section 6103(p)(4) of
                                              be produced and made publicly                           Limited Access DMF from NTIS. The                     the Internal Revenue Code; Section
                                              available with the final regulatory                                                                           203(b)(2)(C) of the Act recites that a
                                                                                                      entities affected by this rule could
                                              action.                                                                                                       Certified Person ‘‘satisfy the
                                                                                                      include banks and other financial
                                                                                                                                                            requirements of such section 6103(p)(4)
                                                 An Initial Regulatory Flexibility Act                institutions, pension plans, health
                                                                                                                                                            as if such section applied to such
                                              Analysis (‘‘IRFA’’) was incorporated                    research institutes or companies, state
                                                                                                                                                            person.’’ Such a requirement would
                                              into the NTIS proposed rule. NTIS                       and local governments, information
                                                                                                                                                            have had a very significant impact on
                                              sought written public comment on the                    companies, and similar research
                                                                                                                                                            small entities. As pointed out in some
                                              proposed rule, including comment on                     services, and others not identified.
                                                                                                                                                            comments on the proposed rule, some of
                                              the IRFA. This Final Regulatory                         Many of the impacted entities likely are
                                                                                                                                                            the provisions of section 6103(p)(4)
                                              Flexibility Act Analysis (‘‘FRFA’’)                     considered ‘‘large’’ entities under the
                                                                                                                                                            would have been extremely
conforms to the RFA, and incorporates the IRFA pursuant to Section 603 and comments received, to analyze the impact that this final rule will have on small entities.

Description of the Reasons Why Action Is Being Considered

The policy reasons for issuing this rule are discussed in the preamble of this document, and not repeated here.

Statement of the Objectives of, and Legal Basis for, the Rule; Identification of All Relevant Federal Rules Which May Duplicate, Overlap, or Conflict With the Rule

The legal basis for this rule is Section 203 of the Bipartisan Budget Act of 2013, Pub. L. 113–67, codified at 42 U.S.C. 1306c (the Act). The rule, which replaces NTIS' interim final rule, implements the Act, which requires the Secretary of Commerce to create a program to certify that persons given access to the Limited Access DMF satisfy the statutory requirements for accessing that information. Accordingly, this rule creates a permanent program for certifying persons eligible to access Limited Access DMF. It requires that Certified Persons annually re-certify as eligible to access the Limited Access DMF, and that they agree to be subject to scheduled and unscheduled audits. The rule also sets out the penalties for violating the Act's disclosure provisions, establishes a process to appeal penalties or revocations of certification, and adopts a fee program for the certification program, audits, and appeals.

When this final rule becomes effective, it will replace the interim final rule promulgated by NTIS to establish a Temporary Certification Program, in order to avoid the complete loss of access to the Limited Access DMF when the Act became effective. No other rules duplicate, overlap, or conflict with this rule.

applicable United States Small Business Administration (SBA) size standards. The SBA defines a "small business" (or "small entity") as one with annual revenue that meets or is below an established size standard. The SBA "small business" size standard is $550 million in annual revenue for Commercial Banking, Savings Institutions, Credit Unions, and Credit Card Issuing (North American Industry Classification System (NAICS) 522110, 522120, 522130, and 522210). The size standard is $38.5 million for Consumer Lending and Trust, Fiduciary and Custody Activities, and Direct Health and Medical Insurance Carriers (NAICS 522291, 523991, and 524114), $7.5 million for Mortgage and Nonmortgage Loan Brokers, and Insurance Agencies and Brokerages (NAICS 522310, and 524210), and $32.5 million for Third Party Administration of Insurance and Pension Funds (NAICS 524292). NTIS anticipates that this rule will have an impact on various small entities.

Projected Reporting, Recordkeeping and Other Compliance Requirements of the Rule

Under this final rule, a "Limited Access Death Master File (LADMF) Systems Safeguards Attestation Form" would require Accredited Conformity Assessment Bodies to attest that a Person seeking to be certified to access Limited Access DMF has systems, facilities, and procedures in place as required under § 1110.102(a)(ii) of the rule. NTIS estimates that the type of professional skills necessary for the preparation of an attestation will be those of a senior auditor at an Accredited Conformity Assessment Body, to conduct an assessment under the rule.

Steps NTIS Has Taken To Minimize the Significant Economic Impact on Small Entities

NTIS carefully considered a number of alternatives to ensure compliance with the safeguarding requirements of Section 203 of the Act. These

burdensome, because, for example, in contrast to Federal Tax Information, Limited Access DMF under Section 203 is not subject to restriction when beyond the three-calendar-year period following the date of death. Accordingly, NTIS rejected this burdensome alternative, and the final rule instead requires Persons to certify that they have systems, facilities, and procedures in place that are "reasonably similar to" those required by section 6103(p)(4) of the IRC in order to become Certified Persons. This interpretation allows NTIS to meet the interest of protecting personal data generally and deterring fraud, while also allowing NTIS to set the data integrity standards appropriate to safeguard Limited Access DMF specifically, and lessens the burden on small entities which, as noted by a number of commenters, tend not to have in place some more advanced information system controls.

NTIS carefully considered, but rejected, the alternative of requiring Certified Persons to undergo audits annually for the purpose of re-certification. This alternative would have necessitated that a Certified Person bear the expense of assessment for the purpose of attestation by a third party Accredited Conformity Assessment Body each year as part of the annual re-certification process under the rule. Based on consultations with NIST subject matter experts, NTIS concluded instead that a limitation of three years is appropriate as to frequency for assessments for the security and safeguarding of information and information systems, thus lessening the economic impact on small entities under the rule.

NTIS carefully considered, but rejected, the suggestion by a commenter that NTIS itself should accredit third party Accredited Conformity Assessment Bodies. This would have required that NTIS independently develop government-specific accreditation expertise and capacity. Because the Act requires NTIS to obtain full cost recovery, the cost of such an
Federal Register / Vol. 81, No. 105 / Wednesday, June 1, 2016 / Rules and Regulations 34891

effort would have to be borne by Certified Persons, including small entities. This would have been inefficient as well as burdensome. Instead, the final rule provides that an Accredited Conformity Assessment Body attest that it is accredited to a nationally or internationally recognized standard for bodies providing audit and certification of information security management systems, and that the scope of its accreditation encompasses the information safeguarding and security requirements as set forth in the rule.

NTIS carefully considered, and rejected, a proposed requirement that Persons desiring to become certified under the rule be limited to program-specific assessments and audits carried out by third party Accredited Conformity Assessment Bodies. This requirement would have necessitated that any Person, including a Person otherwise subject to periodic audit and assessment in the normal course of such Person's business, bear the burden of an additional program-specific audit or assessment for the purposes of the rule. NTIS, however, in consultation with NIST subject matter experts, considered and adopted a less burdensome approach: Provided that a routine assessment or audit of a Person would permit an Accredited Conformity Assessment Body to attest that such Person has systems, facilities, and procedures in place to safeguard Limited Access DMF as required under § 1110.102(a)(2) of the final rule, albeit carried out for a purpose other than certification under the rule, NTIS will accept an attestation in support of a Person's certification with respect to the requirements under § 1110.102(a)(ii) of the rule, as well as in support of the renewal of a Certified Person's certification. Thus, under the final rule, an Accredited Conformity Assessment Body's review or assessment need not have been conducted specifically or solely for the purpose of submission of an attestation under the rule, reducing the economic impact that the rejected alternative would have imposed on small entities.

NTIS carefully considered, but rejected, the alternative of requiring that a first Certified Person who discloses Limited Access DMF to a second Certified Person be subject to penalty under the rule where, through no fault of the first Certified Person, the second Certified Person is determined to be subject to penalty under the rule. This alternative would have exposed to penalty under the rule a first Certified Person, who disclosed Limited Access DMF to another Person certified by NTIS, even absent any violation by the first Certified Person. Instead, the Final Rule provides for a "safe harbor" that exempts from penalty a first Certified Person who discloses LADMF to a second Certified Person, where the first Certified Person's liability rests solely on the fact that the second Certified Person has been determined to be subject to penalty. The less burdensome approach chosen by NTIS will reduce the potential economic impact on Certified Persons, including those that are small entities, under such circumstances.

Based on its analysis, NTIS estimates that the rule reflects alternatives placing the least economic impact on small entities, and that the rule will not disproportionately impact small entities as opposed to large ones.

Paperwork Reduction Act

Notwithstanding any other provision of law, no person is required to comply with, and neither shall any person be subject to penalty for failure to comply with, a collection of information subject to the requirements of the Paperwork Reduction Act, unless that collection of information displays a currently valid OMB Control Number.

This final rule contains collection of information requirements subject to review and approval by OMB under the Paperwork Reduction Act (PRA). Approval from OMB will be obtained prior to the final rule becoming effective and prior to the collection of such information, except that NTIS will continue to collect information already approved by OMB under OMB Control No. 0692–0013.

List of Subjects in 15 CFR Part 1110

Administrative appeal, Certification program, Fees, Imposition of penalty.

Dated: May 23, 2016.
Bruce Borzino,
Director.

For reasons set forth in the preamble, the National Technical Information Service amends 15 CFR part 1110 as follows:

PART 1110—CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER FILE

■ 1. The authority for part 1110 continues to read as follows:

Authority: Pub. L. 113–67, Sec. 203.

■ 2. Amend § 1110.2 by:
■ a. Adding, in alphabetical order, the definition, "Accredited Conformity Assessment Body;" and
■ b. Revising the definitions of "Limited Access DMF" and "Person".

The addition and revision read as follows:

§ 1110.2 Definitions used in this part.

* * * * *

Accredited Conformity Assessment Body. A third party conformity assessment body that is accredited by an accreditation body under nationally or internationally recognized criteria such as, but not limited to, International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) 27006–2011, "Information technology—Security techniques—Requirements for bodies providing audit and certification of information security management systems," to attest that a Person or Certified Person has systems, facilities and procedures in place to safeguard Limited Access DMF.

* * * * *

Limited Access DMF. The DMF product made available by NTIS which includes DMF with respect to any deceased individual at any time during the three-calendar-year period beginning on the date of the individual's death. As used in this part, Limited Access DMF does not include an individual element of information (name, social security number, date of birth, or date of death) in the possession of a Person, whether or not certified, but obtained by such Person through a source independent of the Limited Access DMF. If a Person obtains, or a third party subsequently provides to such Person, death information (i.e., the name, social security account number, date of birth, or date of death) independently, such information in the possession of such Person is not part of the Limited Access DMF or subject to this part.

* * * * *

Person. Includes corporations, companies, associations, firms, partnerships, societies, joint stock companies, and other private organizations, and state and local government departments and agencies, as well as individuals.

■ 3. Revise the section heading of § 1110.100 to read as follows:

§ 1110.100 Scope; term.

* * * * *

■ 4. Revise § 1110.101 to read as follows:

§ 1110.101 Submission of certification; attestation.

(a) In order to become certified under the certification program established under this part, a Person must submit a completed certification statement and any required documentation, using the
Federal Register / Vol. 81, No. 105 / Wednesday, June 1, 2016 / Rules and Regulations 34892

most current version of the Limited Access Death Master File Subscriber Certification Form, and its accompanying instructions at https://dmf.ntis.gov, together with the required fee.

(b) In addition to the requirements under paragraph (a) of this section, in order to become certified, a Person must submit a written attestation from an Accredited Conformity Assessment Body that such Person has systems, facilities, and procedures in place as required under § 1110.102(a)(2). Such attestation must be based on the Accredited Conformity Assessment Body's review or assessment conducted no more than three years prior to the date of submission of the Person's completed certification statement, but such review or assessment need not have been conducted specifically or solely for the purpose of submission under this part.

■ 5. Amend § 1110.102 by revising paragraphs (a)(2), (3), and (4) to read as follows:

§ 1110.102 Certification.

* * * * *

(a) * * *

(2) Such Person has systems, facilities, and procedures in place to safeguard the accessed information, and experience in maintaining the confidentiality, security, and appropriate use of accessed information, pursuant to requirements reasonably similar to the requirements of section 6103(p)(4) of the Internal Revenue Code of 1986;

(3) Such Person agrees to satisfy such similar requirements; and

(4) Such Person shall not, with respect to Limited Access DMF of any deceased individual:

(i) Disclose such deceased individual's Limited Access DMF to any person other than a person who meets

fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty.

* * * * *

■ 6. In subpart B of part 1110, add §§ 1110.103, 1110.104, and 1110.105 to read as follows:

§ 1110.103 Disclosure to a certified person.

Disclosure by a Person certified under this part of Limited Access DMF to another Person certified under this part shall be deemed to satisfy the disclosing Person's obligation to ensure compliance with § 1110.102(a)(4)(i) through (iii).

§ 1110.104 Revocation of certification.

False certification as to any element of § 1110.102(a)(1) through (4) shall be grounds for revocation of certification, in addition to any other penalties at law. A Person properly certified who thereafter becomes aware that the Person no longer satisfies one or more elements of § 1110.102(a) shall promptly inform NTIS thereof in writing.

§ 1110.105 Renewal of certification.

(a) A Certified Person may renew its certification status by submitting, on or before the date of expiration of the term of its certification, a completed certification statement in accordance with § 1110.101, together with the required fee, indicating on the form NTIS FM161 that it is a renewal, and also indicating whether or not there has been any change in any basis previously relied upon for certification.

(b) Except as may otherwise be required by NTIS, where a Certified Person seeking certification status renewal has, within a three-year period preceding submission under paragraph (a) of this section, previously submitted a written attestation under

Person's certification by NTIS under the Temporary Certification Program, provided that if such expiration date falls on a weekend or a federal holiday, the term of certification shall be considered to extend to the next business day.

■ 7. Revise § 1110.200 to read as follows:

§ 1110.200 Imposition of penalty.

(a) General. (1) Any Person certified under this part who receives Limited Access DMF, and who:

(i) Discloses Limited Access DMF to any person other than a person who meets the requirements of § 1110.102(a)(1) through (3);

(ii) Discloses Limited Access DMF to any person who uses the Limited Access DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty;

(iii) Discloses Limited Access DMF to any person who further discloses the Limited Access DMF to any person other than a person who meets the requirements of § 1110.102(a)(1) through (3); or

(iv) Uses any such Limited Access DMF for any purpose other than a legitimate fraud prevention interest or a legitimate business purpose pursuant to a law, governmental rule, regulation, or fiduciary duty; and

(2) Any Person to whom such Limited Access DMF is disclosed, whether or not such Person is certified under this part, who further discloses or uses such Limited Access DMF as described in paragraphs (a)(1)(i) through (iv) of this section, shall pay to the General Fund of the United States Department of the Treasury a penalty of $1,000 for each such disclosure or use, and, if such Person is certified, shall be subject to
                                              the requirements of paragraphs (a)(1)                     § 1110.101(b), or has within such period              having such Person’s certification
                                              through (3) of this section;                              been subject to a satisfactory audit                  revoked.
                                                 (ii) Disclose such deceased                            under § 1110.201, such Certified Person                  (b) Limitation on penalty. The total
                                              individual’s Limited Access DMF to any                    shall so indicate on the form NTIS                    amount of the penalty imposed under
                                              person who uses the information for any                   FM161, and shall not be required to                   this part on any Person for any calendar
                                              purpose other than a legitimate fraud                     submit a written attestation under                    year shall not exceed $250,000, unless
                                              prevention interest or a legitimate                       § 1110.101(b).                                        such Person’s disclosure or use is
                                              business purpose pursuant to a law,                          (c) A Certified Person who submits a               determined to be willful or intentional.
                                              governmental rule, regulation, or                         certification statement, attestation (if              For the purposes of this part, a
                                              fiduciary duty;                                           required) and fee pursuant to paragraph               disclosure or use is willful when it is a
                                                 (iii) Disclose such deceased                           (a) of this section shall continue in                 ‘‘voluntary, intentional violation of a
                                              individual’s Limited Access DMF to any                    Certified Person status pending                       known legal duty.’’
                                              person who further discloses the                          notification of renewal or non-renewal                   (c) Disclosure to a Certified Person.
sradovich on DSK3TPTVN1PROD with RULES




                                              information to any person other than a                    from NTIS.                                            No penalty shall be imposed under
                                              person who meets the requirements of                         (d) A Person who is a Certified Person             paragraphs (a)(1)(i) through (iii) of this
                                              paragraphs (a)(1) through (3) of this                     before November 28, 2016 shall be                     section on a first Certified Person who
                                              section; or                                               considered a Certified Person under this              discloses, to a second Certified Person,
                                                 (iv) Use any such deceased                             part, and shall continue in Certified                 Limited Access DMF, where the sole
                                              individual’s Limited Access DMF for                       Person status until the date which is one             basis for imposition of penalty on such
                                              any purpose other than a legitimate                       year from the date of acceptance of such              first Certified Person is that such second


                                         VerDate Sep<11>2014     16:11 May 31, 2016   Jkt 238001   PO 00000   Frm 00032   Fmt 4700   Sfmt 4700   E:\FR\FM\01JNR1.SGM   01JNR1


                                                                  Federal Register / Vol. 81, No. 105 / Wednesday, June 1, 2016 / Rules and Regulations                                          34893

Certified Person has been determined to be subject to penalty under this part.

■ 8. Revise § 1110.201 to read as follows:

§ 1110.201 Audits.

Any Person certified under this part shall, as a condition of certification, agree to be subject to audit by NTIS, or, at the request of NTIS, by an Accredited Conformity Assessment Body, to determine the compliance by such Person with the requirements of this part. NTIS may conduct, or request that an Accredited Conformity Assessment Body conduct, periodic scheduled and unscheduled audits of the systems, facilities, and procedures of any Certified Person relating to such Certified Person’s access to, and use and distribution of, the Limited Access DMF. NTIS may conduct, or request that an Accredited Conformity Assessment Body conduct, field audits (during regular business hours) or desk audits of a Certified Person. Failure of a Certified Person to submit to or cooperate fully with NTIS, or with an Accredited Conformity Assessment Body acting pursuant to this section, in its conduct of an audit, or to pay an audit fee to NTIS, will be grounds for revocation of certification.

Subpart E—[Redesignated as Subpart E]

■ 9. Redesignate subpart D as subpart E.

■ 10. Add new subpart D to read as follows:

Subpart D—Administrative Appeal

Sec.
1110.300 Appeal.

Subpart D—Administrative Appeal

§ 1110.300 Appeal.

(a) General. Any Person adversely affected or aggrieved by reason of NTIS denying or revoking such Person’s certification under this part, or imposing upon such Person under this part a penalty, may obtain review by filing, within 30 days (or such longer period as the Director of NTIS may, for good cause shown in writing, fix in any case) after receiving notice of such denial, revocation or imposition, an administrative appeal to the Director of NTIS.

(b) Form of appeal. An appeal shall be submitted in writing to Director, National Technical Information Service, at NTIS’s current mailing address as found on its Web site: www.ntis.gov., ATTENTION DMF APPEAL, and shall include the following:

(1) The name, street address, email address and telephone number of the Person seeking review;

(2) A copy of the notice of denial or revocation of certification, or the imposition of penalty, from which appeal is taken;

(3) A statement of arguments, together with any supporting facts or information, concerning the basis upon which the denial or revocation of certification, or the imposition of penalty, should be reversed;

(4) A request for hearing of oral argument before the Director, if desired.

(c) Power of attorney. A Person may, but need not, retain an attorney to represent such Person in an appeal. A Person shall designate any such attorney by submitting to the Director of NTIS a written power of attorney.

(d) Hearing. If requested in the appeal, a date will be set for hearing of oral argument before a representative of the Director of NTIS, by the Person or the Person’s designated attorney, and a representative of NTIS familiar with the notice from which appeal has been taken. Unless it shall be otherwise ordered before the hearing begins, oral argument will be limited to thirty minutes for each side. A Person need not retain an attorney or request an oral hearing to secure full consideration of the facts and the Person’s arguments.

(e) Decision. After a hearing on the appeal, if a hearing was requested, the Director of NTIS shall issue a decision on the matter within 120 days, or, if no hearing was requested, within 90 days of receiving the appeal. The decision of the Director of NTIS shall be made after consideration of the arguments and statements of fact and information in the Person’s appeal, and the hearing of oral argument if a hearing was requested, but the Director of NTIS at his or her discretion and with due respect for the rights and convenience of the Person and the agency, may call for further statements on specific questions of fact or may request additional evidence in the form of affidavits on specific facts in dispute. After the original decision is issued, an appellant shall have 30 days (or a date as may be set by the Director of NTIS before the original period expires) from the date of the decision to request a reconsideration of the matter. The Director’s decision becomes final 30 days after being issued, if no request for reconsideration is filed, or on the date of final disposition of a decision on a petition for reconsideration.

■ 11. Revise newly redesignated subpart E to read as follows:

Subpart E—Fees

Sec.
1110.400 Fees.

Subpart E—Fees

§ 1110.400 Fees.

Fees sufficient to cover (but not to exceed) all costs to NTIS associated with evaluating Certification Forms and auditing, inspecting, and monitoring certified persons under the certification program established under this part, as well as appeals, will be published (as periodically reevaluated and updated by NTIS) and available at https://dmf.ntis.gov. NTIS will not set fees for attestations or audits by an Accredited Conformity Assessment Body.

■ 12. Add subpart F to read as follows:

Subpart F—Accredited Conformity Assessment Bodies

Sec.
1110.500 Accredited conformity assessment bodies.
1110.501 Independent.
1110.502 Firewalled.
1110.503 Attestation by accredited conformity assessment body.
1110.504 Acceptance of accredited conformity assessment bodies.

Subpart F—Accredited Conformity Assessment Bodies

§ 1110.500 Accredited conformity assessment bodies.

This subpart describes Accredited Conformity Assessment Bodies and their accreditation for third party attestation and auditing of the information safeguarding requirement for certification of Persons under this part. NTIS will accept an attestation or audit of a Person or Certified Person from an Accredited Conformity Assessment Body that is:

(a) Independent of that Person or Certified Person; or

(b) Is firewalled from that Person or Certified Person, and that in either instance is itself accredited by a nationally or internationally recognized accreditation body.

§ 1110.501 Independent.

(a) An Accredited Conformity Assessment Body that is an independent third party conformity assessment body is one that is not owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body.

(1) A Person or Certified Person is considered to own, manage, or control a third party conformity assessment body if any one of the following characteristics applies:

(i) The Person or Certified Person holds a 10 percent or greater ownership interest, whether direct or indirect, in

Federal Register / Vol. 81, No. 105 / Wednesday, June 1, 2016 / Rules and Regulations  34894
the third party conformity assessment body. Indirect ownership interest is calculated by successive multiplication of the ownership percentages for each link in the ownership chain;

(ii) The third party conformity assessment body and the Person or Certified Person are owned by a common ‘‘parent’’ entity;

(iii) The Person or Certified Person has the ability to appoint a majority of the third party conformity assessment body’s senior internal governing body (such as, but not limited to, a board of directors), the ability to appoint the presiding official (such as, but not limited to, the chair or president) of the third party conformity assessment body’s senior internal governing body, and/or the ability to hire, dismiss, or set the compensation level for third party conformity assessment body personnel; or

(iv) The third party conformity assessment body is under a contract to the Person or Certified Person that explicitly limits the services the third party conformity assessment body may perform for other customers and/or explicitly limits which or how many other entities may also be customers of the third party conformity assessment body.

(2) A state or local government office of Inspector General or Auditor General and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common ‘‘parent’’ entity under paragraph (a)(1)(ii) of this section.

(b) [Reserved]

§ 1110.502 Firewalled.

(a) A third party conformity assessment body must apply to NTIS for firewalled status if it is owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, applying the characteristics set forth under § 1110.501(a)(1).

(b) The application for firewalled status of a third party conformity assessment body under paragraph (a) of this section will be accepted by NTIS where NTIS finds that:

(1) Acceptance of the third party conformity assessment body for firewalled status would provide equal or

party third party conformity assessment body; and

(2) The third party conformity assessment body has established procedures to ensure that:

(i) Its attestations and audits are protected from undue influence by the Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, or by any other interested party;

(ii) NTIS is notified promptly of any attempt by the Person or Certified Person that is the subject of attestation or audit by the third party conformity assessment body, or by any other interested party, to hide or exert undue influence over an attestation, assessment or audit; and

(iii) Allegations of undue influence may be reported confidentially to NTIS. To the extent permitted by Federal law, NTIS will undertake to protect the confidentiality of witnesses reporting allegations of undue influence.

(c) NTIS will review each application and may contact the third party conformity assessment body with questions or to request submission of missing information, and will communicate its decision on each application in writing to the applicant, which may be by electronic mail.

§ 1110.503 Attestation by accredited conformity assessment body.

(a) In any attestation or audit of a Person or Certified Person that will be submitted to NTIS under this part, an Accredited Conformity Assessment Body must attest that it is independent of that Person or Certified Person. The Accredited Conformity Assessment Body also must attest that it has read, understood, and agrees to the regulations in this part. The Accredited Conformity Assessment Body must also attest that it is accredited to a nationally or internationally recognized standard such as the ISO/IEC Standard 27006–2011 ‘‘Information technology—Security techniques—Requirements for bodies providing audit and certification of information security management systems,’’ or any other similar nationally or internationally recognized standard for bodies providing audit and certification of information security management systems. The Accredited Conformity Assessment Body must also attest that the scope of its accreditation encompasses the safeguarding and

provide written attestation that such Person or Certified Person has systems, facilities, and procedures in place as required under § 1110.102(a)(2). Such attestation must be based on the Accredited Conformity Assessment Body’s review or assessment conducted no more than three years prior to the date of submission of the Person’s or Certified Person’s completed certification statement, and, if an audit of a Certified Person by an Accredited Conformity Assessment Body is required by NTIS, no more than three years prior to the date upon which NTIS notifies the Certified Person of NTIS’s requirement for audit, but such review or assessment or audit need not have been conducted specifically or solely for the purpose of submission under this part.

(c) Where review or assessment or audit by an Accredited Conformity Assessment Body was not conducted specifically or solely for the purpose of submission under this part, the written attestation or assessment report (if an audit) shall describe the nature of that review or assessment or audit, and the Accredited Conformity Assessment Body shall attest that on the basis of such review or assessment or audit, the Person or Certified Person has systems, facilities, and procedures in place as required under § 1110.102(a)(2).

(d) Notwithstanding paragraphs (a) through (c) of this section, NTIS may, in its sole discretion, require that review or assessment or audit by an Accredited Conformity Assessment Body be conducted specifically or solely for the purpose of submission under this part.

§ 1110.504 Acceptance of accredited conformity assessment bodies.

(a) NTIS will accept written attestations and assessment reports from an Accredited Conformity Assessment Body that attests, to the satisfaction of NTIS, as provided in § 1110.503.

(b) NTIS may decline to accept written attestations or assessment reports from an Accredited Conformity Assessment Body, whether or not it has attested as provided in § 1110.503, for any of the following reasons:

(1) When it is in the public interest under Section 203 of the Bipartisan Budget Act of 2013, and notwithstanding any other provision of this part;

(2) Submission of false or misleading
sradovich on DSK3TPTVN1PROD with RULES




                                              greater assurance that the Person or                      security requirements as set forth in this            information concerning a material
                                              Certified Person has information                          part.                                                 fact(s) in an Accredited Conformity
                                              security systems, facilities, and                            (b) Where a Person seeks certification,            Assessment Body’s attestation under
                                              procedures in place to protect the                        or where a Certified Person seeks                     § 1110.503;
                                              security of the Limited Access DMF                        renewal of certification or is audited                   (3) Knowing submission of false or
                                              than would the Person’s or Certified                      under this part, an Accredited                        misleading information concerning a
                                              Person’s use of an independent third                      Conformity Assessment Body may                        material fact(s) in an attestation or


                                         VerDate Sep<11>2014     16:11 May 31, 2016   Jkt 238001   PO 00000   Frm 00034   Fmt 4700   Sfmt 4700   E:\FR\FM\01JNR1.SGM   01JNR1


                                                                Federal Register / Vol. 81, No. 105 / Wednesday, June 1, 2016 / Rules and Regulations                                        34895

                                              assessment report by an Accredited                      June 11, 2016, for Item 9 in Table 1 of               SUMMARY:    The Coast Guard has issued a
                                              Conformity Assessment Body of a                         § 100.1102.                                           temporary deviation from the operating
                                              Person or Certified Person;                             FOR FURTHER INFORMATION CONTACT: If                   schedule that governs the Marine
                                                 (4) Failure of an Accredited                         you have questions on this publication,               Parkway Bridge across the Rockaway
                                              Conformity Assessment Body to                           call or email Petty Officer Randolph                  Inlet, mile 3.0, at Queens, New York.
                                              cooperate in response to a request from                 Pahilanga, Waterways Management,                      This deviation is necessary to allow the
                                              NTIS to verify the accuracy, veracity,                  U.S. Coast Guard Sector San Diego, CA;                bridge owner to facilitate asbestos
                                              and/or completeness of information                      telephone 619–278–7656, D11-PF-                       abatement in the machinery room at the
                                              received in connection with an                          MarineEventsSanDiego@uscg.mil.                        bridge.
                                              attestation under § 1110.503 or an                      SUPPLEMENTARY INFORMATION: The Coast                  DATES: This deviation is effective from
                                              attestation or assessment report by that                Guard will enforce the regulations in 33              7 a.m. on June 6, 2016 to 5 p.m. on June
                                              Body of a Person or Certified Person. An                CFR 100.1102 for a special local                      17, 2016.
                                              Accredited Conformity Assessment                        regulation for the annual Great Western               ADDRESSES: The docket for this
                                              Body ‘‘fails to cooperate’’ when it does                Tube Float in 33 CFR 100.1102, Table 1,               deviation, [USCG–2016–0421] is
                                              not respond to NTIS inquiries or                        Item 9 from 7 a.m. to 4 p.m. on June 11,              available at http://www.regulations.gov.
                                              requests, or it responds in a manner that               2016.                                                 Type the docket number in the
                                              is unresponsive, evasive, deceptive, or                    Under the provisions of 33 CFR                     ‘‘SEARCH’’ box and click ‘‘SEARCH’’.
                                              substantially incomplete; or                            100.1102, persons and vessels are                     Click on Open Docket Folder on the line
                                                 (5) Where NTIS is unable for any
                                                                                                      prohibited from entering into, transiting             associated with this deviation.
                                              reason to verify the accuracy of the
                                                                                                      through, or anchoring within this                     FOR FURTHER INFORMATION CONTACT: If
                                              Accredited Conformity Assessment
                                                                                                      regulated area of the Colorado River                  you have questions on this temporary
                                              Body’s attestation.
                                                                                                      unless authorized by the Captain of the               deviation, call or email Judy Leung-Yee,
                                              [FR Doc. 2016–12479 Filed 5–31–16; 8:45 am]             Port, or his designated representative.               Project Officer, First Coast Guard
                                              BILLING CODE P                                          The Coast Guard may be assisted by                    District, telephone (212) 514–4330,
                                                                                                      other Federal, State, or local law                    email judy.k.leung-yee@uscg.mil.
                                                                                                      enforcement agencies in enforcing this
                                              DEPARTMENT OF HOMELAND                                                                                        SUPPLEMENTARY INFORMATION: The
                                                                                                      regulation.
                                              SECURITY                                                   This document is issued under                      Marine Parkway Bridge, mile 3.0, across
                                                                                                      authority of 33 CFR 100.1102 and 5                    the Rockaway Inlet, has a vertical
                                              Coast Guard                                             U.S.C. 552 (a). In addition to this                   clearance in the closed position of 55
                                                                                                      document in the Federal Register, the                 feet at mean high water and 59 feet at
                                              33 CFR Part 100                                         Coast Guard will provide the maritime                 mean low water. The existing bridge
                                                                                                      community with extensive advance                      operating regulations are found at 33
                                              [Docket No. USCG–2016–0359]                                                                                   CFR 117.795(a).
                                                                                                      notification of this enforcement period
                                              Special Local Regulation; Annual                        via the Local Notice to Mariners and                     The waterway is transited by
                                              Marine Events on the Colorado River,                    local advertising by the event sponsor.               commercial oil barge traffic of various
                                              Between Davis Dam (Bullhead City,                          If the Captain of the Port Sector San              sizes.
                                              Arizona) and Headgate Dam (Parker,                      Diego or his designated representative                   The bridge owner, MTA Bridges and
                                              Arizona) Within the San Diego Captain                   determines that the regulated area need               Tunnels, requested a temporary
                                              of the Port Zone                                        not be enforced for the full duration                 deviation from the normal operating
                                                                                                      stated on this document, he or she may                schedule to facilitate asbestos abatement
                                              AGENCY:  Coast Guard, DHS.                                                                                    in the machinery room at the bridge.
                                                                                                      use a Broadcast Notice to Mariners or
                                              ACTION: Notice of enforcement of                        other communications coordinated with                    Under this temporary deviation, the
                                              regulation.                                             the event sponsor to grant general                    Marine Parkway Bridge shall remain in
                                                                                                      permission to enter the regulated area.               the closed position from 7 a.m. on June
                                              SUMMARY:   The Coast Guard will enforce                                                                       6, 2016 to 5 p.m. June 17, 2016.
                                              the Great Western Tube Float marine                       Dated: May 13, 2016.
                                                                                                                                                               Vessels able to pass under the bridge
                                              event and associated waterway special                   E.M. Cooper,                                          in the closed position may do so at
                                              local regulations from 7 a.m. through 4                 Commander, U.S. Coast Guard, Acting                   anytime. The bridge will not be able to
                                              p.m. on June 11, 2016. This annual                      Captain of the Port San Diego.                        open for emergencies and there is no
                                              marine event occurs in the navigable                    [FR Doc. 2016–12936 Filed 5–31–16; 8:45 am]           immediate alternate route for vessels to
                                              waters of the Colorado River in Parker,                 BILLING CODE 9110–04–P                                pass.
                                              Arizona, covering eight miles of the                                                                             The Coast Guard will inform the users
                                              waterway from the La Paz County Park                                                                          of the waterways through our Local
                                              to the Headgate Dam. This action is                     DEPARTMENT OF HOMELAND                                Notice and Broadcast to Mariners of the
                                              necessary to provide for the safety of the              SECURITY                                              change in operating schedule for the
                                              participants, crew, spectators, safety                                                                        bridge so that vessel operations can
                                              vessels, and general users of the                       Coast Guard
                                                                                                                                                            arrange their transits to minimize any
                                              waterway. During the enforcement                                                                              impact caused by the temporary
                                              period, persons and vessels are                         33 CFR Part 117
                                                                                                                                                            deviation. The Coast Guard notified
                                              prohibited from entering into, transiting               [Docket No. USCG–2016–0421]                           various companies of the commercial oil
                                              through, or anchoring within this
sradovich on DSK3TPTVN1PROD with RULES




                                                                                                                                                            and barge vessels and they have no
                                              regulated area unless authorized by the                 Drawbridge Operation Regulation;                      objections to the temporary deviation.
                                              Captain of the Port, or his designated                  Rockaway Inlet, Queens, NY                               In accordance with 33 CFR 117.35(e),
                                              representative.                                                                                               the drawbridge must return to its regular
                                                                                                      AGENCY: Coast Guard, DHS.
                                              DATES: The regulations in 33 CFR                                                                              operating schedule immediately at the
                                                                                                      ACTION:Notice of deviation from
                                              100.1102, Table 1, Item 9 will be                                                                             end of the effective period of this
                                                                                                      drawbridge regulation.
                                              enforced from 7 a.m. through 4 p.m. on                                                                        temporary deviation. This deviation


                                         VerDate Sep<11>2014   16:11 May 31, 2016   Jkt 238001   PO 00000   Frm 00035   Fmt 4700   Sfmt 4700   E:\FR\FM\01JNR1.SGM   01JNR1



Document Created: 2018-02-08 07:27:04
Document Modified: 2018-02-08 07:27:04
Category: Regulatory Information
Collection: Federal Register
SuDoc Class: AE 2.7:; GS 4.107:; AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Rules and Regulations
Action: Final rule.
Dates: This final rule is effective November 28, 2016.
Contact: Brian Lieberman, Senior Counsel for NTIS, at [email protected], or by telephone at 703-605-6404. Information about the DMF made available to the public by NTIS may be found at https://dmf.ntis.gov.
FR Citation: 81 FR 34882
RIN Number: 0692-AA21
CFR Associated: Administrative Appeal; Certification Program; Fees and Imposition of Penalty