The Nation’s Need for a Great Vital Statistics System

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies
Eve Powell-Griner
National Center for Health Statistics
Background
• November 2010 – Interagency Council on Statistical Policy (ICSP) suggested a unified federal statistical agency response to EO 13556
• Chief Statistician of OMB established a CUI Taskforce under ICSP auspices
Taskforce Membership
• Bureau of Economic Analysis
• National Agricultural Statistics Service
• Bureau of Transportation Statistics
• National Center for Education Statistics
• Census Bureau
• National Center for Health Statistics
• NCSES, National Science Foundation
• Energy Information Administration
• Office of Management and Budget
• Office of Environmental Information, EPA
• Office of Research, Evaluation, and Statistics, SSA
• Federal Reserve Board
• Statistics of Income Division, IRS
• Bureau of Justice Statistics
• Bureau of Labor Statistics
• Economic Research Service
• Center for Behavioral Health Statistics and Quality, SAMHSA
Taskforce Process
• Collaborative effort focusing on common objective rather than individual agencies
• Regular consultation with Executive Agent, NARA for guidance and concurrence
• Provided draft materials to ICSP
• Briefed statistical agency heads
Taskforce Products
• CUI Statistical Matrix
• CUI Statistical Best Practices
CUI Statistical Matrix
• Contents
  • Definition and description of category
  • Proposed marking
  • Authority – statutes citations
  • Federal Regulation (CFR)
  • Government-wide policy
  • Required safeguarding controls
  • Required dissemination controls
Definition of CUI Statistical
• Information collected by a Federal statistical agency, unit, or program
  • for statistical purposes or used for statistical activities
  • under law, regulation, or Government-wide policy such 'Statistical' CUI requires
  • (1) protection from unauthorized disclosure
  • (2) special handling safeguards; and/or
  • (3) prescribed limits on access or dissemination
Authorities
• (1) Pub. L. 107-347, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002
• (2) 5 USC 552a, Privacy Act of 1974
• (3) 5 USC 552, exemptions 3, 4, and 6, Freedom of Information Act
• (4) 18 USC 1905, Trade Secrets Act
• other agency specific items as identified in attachments
Government-Wide Policy
• OMB Directives, Circulars and Guidance
  • Release and Dissemination of Statistical Products Produced by Federal Statistical Agencies
  • Safeguarding Personally Identifiable Information
  • Implementing the Privacy Provisions of the E-Government Act of 2002
  • Reporting Incidents Involving Personally Identifiable Information
  • Sharing Data While Protecting Privacy
• NIST Guidance
  • SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Safeguarding and Dissemination Controls
• (1) Federal Register Vol 72 No 115, 06/15/2007 Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002
• (2) OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
• (3) NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations
• (4) 44 USC 3541, Federal Information Security Management Act of 2002 (FISMA)
• Plus other agency specific items as identified in attachments
CUI Statistical Best Practices
• Memorandum from ICSP to the Executive Agent
• Best practices offered as reference to each Executive Agency with a statistical agency/unit
• Contents of Document
  • Purpose
  • Governance
  • Policy
    • Within the agency
    • With external entities
  • Training
  • Technology
  • Self-Inspection
Governance
• Designate a person to oversee all procedures for handling CUI statistical
  • the statistical agency’s point of contact for CUI statistical,
  • coordinates CUI statistical policies with the Departmental Senior Agency Official for CUI,
  • responsible for the implementation of the statistical agency’s policies, procedures, training, and compliance with CUI statistical regulations.
Policy
• Comply with general and agency-specific laws and regulations for CUI statistical, including maintaining confidentiality in a manner consistent with those laws and regulations
• Inform those accessing CUI statistical that violations of laws and regulations protecting CUI statistical may subject persons to penalties
• Develop CUI statistical access policies, guidelines, and practices addressing internal and external uses of CUI statistical
Policy Within the Agency
• Secure storage;
• Labeling or markings;
• Safeguarding or dissemination controls;
• Practices and procedures for transmitting & receiving CUI statistical;
• Statements describing appropriate safeguards;
• Telework policies;
• Records management of CUI statistical; and
• Procedures for reporting loss or violation of conditions of use of CUI statistical.
Policy With External Entities
• For permitted external access, require written agreements that include a clear and detailed description of:
  • the relevant laws and regulations protecting CUI statistical;
  • the purpose of the information sharing;
  • how the information will be used;
  • the timeline for which it will be available;
  • the process for returning and/or destroying the information at expiration of the agreement; and
  • the data protection plan, including CUI information transfer and storage processes.
• Procedures for inspection of non-governmental external sites granted access to CUI statistical.
• Procedures for security certification of governmental external sites granted access to CUI statistical.
Agency Personnel Training
• CUI statistical training for agency personnel should cover
  • Labeling of CUI statistical information
  • Data management procedures
  • Access agreements with external entities including Interagency Agreements, Licenses, or Designated Agent Agreements
• Track completion of training
Training for Data Sharing Partners
• CUI statistical training for data sharing partners should cover
  • Labeling and records management of CUI statistical information
  • Data management procedures
  • Description of processes to be followed when CUI statistical information is received from government agencies
  • Description of processes to be followed when CUI statistical information is destroyed and/or returned to government agencies
Technology
• Develop and maintain information systems security where CUI statistical is accessed and stored at both the sending agency and receiving partner/agency
• Establish appropriate administrative and technical safeguards consistent with FISMA and other controls to ensure the electronic and/or physical security of CUI statistical
• Establish process for security breach monitoring and notification
Self-inspection
• Provide self-inspection guidelines (modify existing guidelines or develop new guidelines)
  • Frequency
  • Ensuring purpose and time period for sharing is stated
  • Ensure general and agency-specific laws are being upheld
Challenges
• Language in communicating with potential respondents
• Effect on data sharing activity among federal agencies
• Marking policies
• Decontrol
• Integrating Statistical CUI with other Agency categories