1 / 20

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies. Eve Powell-Griner National Center for Health Statistics. Background. November 2010 – Interagency Council on Statistical Policy (ICSP) suggested a unified federal statistical agency response to EO 13556

varuna
Download Presentation

CUI Statistical: Collaborative Efforts of Federal Statistical Agencies

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. CUI Statistical:Collaborative Efforts of Federal Statistical Agencies Eve Powell-Griner National Center for Health Statistics

  2. Background • November 2010 – Interagency Council on Statistical Policy (ICSP) suggested a unified federal statistical agency response to EO 13556 • Chief Statistician of OMB established a CUI Taskforce under ICSP auspices

  3. Taskforce Membership • Bureau of Economic Analysis • Bureau of Justice Statistics • Bureau of Labor Statistics • Bureau of Transportation Statistics • Census Bureau • Economic Research Service • Energy Information Administration • Office of Environmental Information, EPA • Federal Reserve Board • National Agricultural Statistics Service • National Center for Education Statistics • National Center for Health Statistics • NCSES, National Science Foundation • Office of Management and Budget • Office of Research, Evaluation, and Statistics, SSA • Statistics of Income Division, IRS • Center for Behavioral Health Statistics and Quality, SAMHSA

  4. Taskforce Process • Collaborative effort focusing on common objective rather than individual agencies • Regular consultation with Executive Agent, NARA for guidance and concurrence • Provided draft materials to ICSP • Briefed statistical agency heads

  5. Taskforce Products • CUI Statistical Matrix • CUI Statistical Best Practices

  6. CUI Statistical Matrix • Contents • Definition and description of category • Proposed marking • Authority– statutes citations • Federal Regulation (CFR) • Government-wide policy • Required safeguarding controls • Required dissemination controls

  7. Definition of CUI Statistical • Information collected by a Federal statistical agency, unit, or program • for statistical purposes or used for statistical activities • under law, regulation, or Government-wide policy such 'Statistical' CUI requires • (1) protection from unauthorized disclosure • (2) special handling safeguards; and/or • (3) prescribed limits on access or dissemination

  8. Authorities • (1) Pub. L. 107-347, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002 • (2) 5 USC 552a, Privacy Act of 1974 • (3) 5 USC. 552, exemptions 3, 4, and 6, Freedom of Information Act • (4) 18 USC 1905, Trade Secrets Act • other agency specific items as identified in attachments

  9. Government-Wide Policy • OMB Directives, Circulars and Guidance • Release and Dissemination of Statistical Products Produced by Federal Statistical Agencies • Safeguarding Personally Identifiable Information • Implementing the Privacy Provisions of the E-Government Act of 2002 • Reporting Incidents Involving Personally Identifiable Information • Sharing Data While Protecting Privacy • NIST Guidance • SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)

  10. Safeguarding and Dissemination Controls • (1) Federal Register Vol 72 No 115, 06/15/2007 Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002 • (2) OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information • (3) NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations • (4) 44 USC 3541,Federal Information Security Management Act of 2002 (FISMA) • Plus other agency specific items as identified in attachments

  11. CUI Statistical Best Practices • Memorandum from ICSP to the Executive Agent • Best practices offered as reference to each Executive Agency with a statistical agency/unit • Contents of Document • Purpose • Governance • Policy • Within the agency • With external entities • Training • Technology • Self-Inspection

  12. Governance • Designate a person to oversee all procedures for handling CUI statistical • the statistical agency’s point of contact for CUI statistical, • coordinates CUI statistical policies with the Departmental Senior Agency Official for CUI, • responsible for the implementation of the statistical agency’s policies, procedures, training, and compliance with CUI statistical regulations.

  13. Policy • Comply with general and agency-specific laws and regulations for CUI statistical, including maintaining confidentiality in a manner consistent with those laws and regulations • Inform those accessing CUI statistical that violations of laws and regulations protecting CUI statistical may subject persons to penalties • Develop CUI statistical access policies, guidelines, and practices addressing internal and external uses of CUI statistical

  14. Policy Within the Agency • Secure storage • Safeguarding or dissemination controls • Labeling or markings • Statements describing appropriate safeguards; • Practices and procedures for transmitting & receiving CUI statistical; • Telework policies; • Records management of CUI statistical; and • Procedures for reporting loss or violation of conditions of use of CUI statistical.

  15. Policy With External Entities • For permitted external access, require written agreements that include a clear and detailed description of: • the relevant laws and regulations protecting CUI statistical; • the purpose of the information sharing; • how the information will be used; • the timeline for which it will be available; • the process for returning and/or destroying the information at expiration of the agreement; and • the data protection plan, including CUI information transfer and storage processes. • Procedures for inspection of non-governmental external sites granted access to CUI statistical. • Procedures for security certification of governmental external sites granted access to CUI statistical.

  16. Agency Personnel Training • CUI statistical training for agency personnel should cover • Labeling of CUI statistical information • Data management procedures • Access agreements with external entities including Interagency Agreements, Licenses, or Designated Agent Agreements. Track completion of training • Track completion of training

  17. Training for Data Sharing Partners • CUI statistical training for data sharing partners should cover • Labeling and records management of CUI statistical information • Data management procedures • Description of processes to be followed when CUI statistical information is received from government agencies • Description of processes to be followed when CUI statistical information is destroyed and/or returned to government agencies

  18. Technology • Develop and maintain information systems security where CUI statistical is accessed and stored at both the sending agency and receiving partner/agency • Establish appropriate administrative and technical safeguards consistent with FISMA and other controls to ensure the electronic and/or physical security of CUI statistical • Establish process for security breach monitoring and notification

  19. Self-inspection • Provide self-inspection guidelines (modify existing guidelines or develop new guidelines) • Frequency • Ensuring purpose and time period for sharing is stated • Ensure general and agency-specific laws are being upheld

  20. Challenges • Language in communicating with potential respondents • Effect on data sharing activity among federal agencies • Marking policies • Decontrol • Integrating Statistical CUI with other Agency categories

More Related