CUI Statistical: Collaborative Efforts of Federal Statistical Agencies • Eve Powell-Griner, National Center for Health Statistics
Background • November 2010 – Interagency Council on Statistical Policy (ICSP) suggested a unified federal statistical agency response to EO 13556 • Chief Statistician of OMB established a CUI Taskforce under ICSP auspices
Taskforce Membership • Bureau of Economic Analysis • Bureau of Justice Statistics • Bureau of Labor Statistics • Bureau of Transportation Statistics • Census Bureau • Economic Research Service • Energy Information Administration • Office of Environmental Information, EPA • Federal Reserve Board • National Agricultural Statistics Service • National Center for Education Statistics • National Center for Health Statistics • NCSES, National Science Foundation • Office of Management and Budget • Office of Research, Evaluation, and Statistics, SSA • Statistics of Income Division, IRS • Center for Behavioral Health Statistics and Quality, SAMHSA
Taskforce Process • Collaborative effort focusing on common objective rather than individual agencies • Regular consultation with Executive Agent, NARA for guidance and concurrence • Provided draft materials to ICSP • Briefed statistical agency heads
Taskforce Products • CUI Statistical Matrix • CUI Statistical Best Practices
CUI Statistical Matrix • Contents • Definition and description of category • Proposed marking • Authority – statute citations • Federal Regulation (CFR) • Government-wide policy • Required safeguarding controls • Required dissemination controls
Definition of CUI Statistical • Information collected by a Federal statistical agency, unit, or program • for statistical purposes or used for statistical activities • Under law, regulation, or Government-wide policy, such 'Statistical' CUI requires • (1) protection from unauthorized disclosure • (2) special handling safeguards; and/or • (3) prescribed limits on access or dissemination
Authorities • (1) Pub. L. 107-347, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002 • (2) 5 USC 552a, Privacy Act of 1974 • (3) 5 USC 552, exemptions 3, 4, and 6, Freedom of Information Act • (4) 18 USC 1905, Trade Secrets Act • Other agency-specific items as identified in attachments
Government-Wide Policy • OMB Directives, Circulars and Guidance • Release and Dissemination of Statistical Products Produced by Federal Statistical Agencies • Safeguarding Personally Identifiable Information • Implementing the Privacy Provisions of the E-Government Act of 2002 • Reporting Incidents Involving Personally Identifiable Information • Sharing Data While Protecting Privacy • NIST Guidance • SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
Safeguarding and Dissemination Controls • (1) Federal Register Vol 72 No 115, 06/15/2007, Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 • (2) OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information • (3) NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations • (4) 44 USC 3541, Federal Information Security Management Act of 2002 (FISMA) • Plus other agency-specific items as identified in attachments
CUI Statistical Best Practices • Memorandum from ICSP to the Executive Agent • Best practices offered as reference to each Executive Agency with a statistical agency/unit • Contents of Document • Purpose • Governance • Policy • Within the agency • With external entities • Training • Technology • Self-Inspection
Governance • Designate a person to oversee all procedures for handling CUI statistical • the statistical agency’s point of contact for CUI statistical, • coordinates CUI statistical policies with the Departmental Senior Agency Official for CUI, • responsible for the implementation of the statistical agency’s policies, procedures, training, and compliance with CUI statistical regulations.
Policy • Comply with general and agency-specific laws and regulations for CUI statistical, including maintaining confidentiality in a manner consistent with those laws and regulations • Inform those accessing CUI statistical that violations of laws and regulations protecting CUI statistical may subject persons to penalties • Develop CUI statistical access policies, guidelines, and practices addressing internal and external uses of CUI statistical
Policy Within the Agency • Secure storage • Safeguarding or dissemination controls • Labeling or markings • Statements describing appropriate safeguards; • Practices and procedures for transmitting & receiving CUI statistical; • Telework policies; • Records management of CUI statistical; and • Procedures for reporting loss or violation of conditions of use of CUI statistical.
Policy With External Entities • For permitted external access, require written agreements that include a clear and detailed description of: • the relevant laws and regulations protecting CUI statistical; • the purpose of the information sharing; • how the information will be used; • the timeline for which it will be available; • the process for returning and/or destroying the information at expiration of the agreement; and • the data protection plan, including CUI information transfer and storage processes. • Procedures for inspection of non-governmental external sites granted access to CUI statistical. • Procedures for security certification of governmental external sites granted access to CUI statistical.
Agency Personnel Training • CUI statistical training for agency personnel should cover • Labeling of CUI statistical information • Data management procedures • Access agreements with external entities including Interagency Agreements, Licenses, or Designated Agent Agreements • Track completion of training
Training for Data Sharing Partners • CUI statistical training for data sharing partners should cover • Labeling and records management of CUI statistical information • Data management procedures • Description of processes to be followed when CUI statistical information is received from government agencies • Description of processes to be followed when CUI statistical information is destroyed and/or returned to government agencies
Technology • Develop and maintain information systems security where CUI statistical is accessed and stored at both the sending agency and receiving partner/agency • Establish appropriate administrative and technical safeguards consistent with FISMA and other controls to ensure the electronic and/or physical security of CUI statistical • Establish process for security breach monitoring and notification
Self-inspection • Provide self-inspection guidelines (modify existing guidelines or develop new guidelines) • Frequency • Ensuring purpose and time period for sharing is stated • Ensure general and agency-specific laws are being upheld
Challenges • Language in communicating with potential respondents • Effect on data sharing activity among federal agencies • Marking policies • Decontrol • Integrating Statistical CUI with other Agency categories