Published by Cordelia Bond. Modified over 9 years ago.
1
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies
Eve Powell-Griner
National Center for Health Statistics
2
Background
- November 2010 – Interagency Council on Statistical Policy (ICSP) suggested a unified federal statistical agency response to EO 13556
- Chief Statistician of OMB established a CUI Taskforce under ICSP auspices
3
Taskforce Membership
- Bureau of Economic Analysis
- Bureau of Justice Statistics
- Bureau of Labor Statistics
- Bureau of Transportation Statistics
- Census Bureau
- Economic Research Service
- Energy Information Administration
- Office of Environmental Information, EPA
- Federal Reserve Board
- National Agricultural Statistics Service
- National Center for Education Statistics
- National Center for Health Statistics
- NCSES, National Science Foundation
- Office of Management and Budget
- Office of Research, Evaluation, and Statistics, SSA
- Statistics of Income Division, IRS
- Center for Behavioral Health Statistics and Quality, SAMHSA
4
Taskforce Process
- Collaborative effort focusing on common objective rather than individual agencies
- Regular consultation with Executive Agent, NARA for guidance and concurrence
- Provided draft materials to ICSP
- Briefed statistical agency heads
5
Taskforce Products
- CUI Statistical Matrix
- CUI Statistical Best Practices
6
CUI Statistical Matrix Contents
- Definition and description of category
- Proposed marking
- Authority – statutes citations
- Federal Regulation (CFR)
- Government-wide policy
- Required safeguarding controls
- Required dissemination controls
7
Definition of CUI Statistical
Information collected by a Federal statistical agency, unit, or program for statistical purposes or used for statistical activities under law, regulation, or Government-wide policy such 'Statistical' CUI requires
(1) protection from unauthorized disclosure;
(2) special handling safeguards; and/or
(3) prescribed limits on access or dissemination
8
Authorities
(1) Pub. L. 107-347, Confidential Information Protection and Statistical Efficiency Act of 2002 (CIPSEA), Title V of the E-Government Act of 2002
(2) 5 USC 552a, Privacy Act of 1974
(3) 5 USC 552, exemptions 3, 4, and 6, Freedom of Information Act
(4) 18 USC 1905, Trade Secrets Act
Other agency specific items as identified in attachments
9
Government-Wide Policy
- OMB Directives, Circulars and Guidance
  - Release and Dissemination of Statistical Products Produced by Federal Statistical Agencies
  - Safeguarding Personally Identifiable Information
  - Implementing the Privacy Provisions of the E-Government Act of 2002
  - Reporting Incidents Involving Personally Identifiable Information
  - Sharing Data While Protecting Privacy
- NIST Guidance
  - SP 800-122, Guide to Protecting the Confidentiality of Personally Identifiable Information (PII)
10
Safeguarding and Dissemination Controls
(1) Federal Register Vol 72 No 115, 06/15/2007, Implementation Guidance for Title V of the E-Government Act, Confidential Information Protection and Statistical Efficiency Act of 2002
(2) OMB Memorandum M-07-16, Safeguarding Against and Responding to the Breach of Personally Identifiable Information
(3) NIST SP 800-53, Recommended Security Controls for Federal Information Systems and Organizations
(4) 44 USC 3541, Federal Information Security Management Act of 2002 (FISMA)
Plus other agency specific items as identified in attachments
11
CUI Statistical Best Practices
- Memorandum from ICSP to the Executive Agent
- Best practices offered as reference to each Executive Agency with a statistical agency/unit
- Contents of Document
  - Purpose
  - Governance
  - Policy
    - Within the agency
    - With external entities
  - Training
  - Technology
  - Self-Inspection
12
Governance
- Designate a person to oversee all procedures for handling CUI statistical
  - the statistical agency’s point of contact for CUI statistical,
  - coordinates CUI statistical policies with the Departmental Senior Agency Official for CUI,
  - responsible for the implementation of the statistical agency’s policies, procedures, training, and compliance with CUI statistical regulations.
13
Policy
- Comply with general and agency-specific laws and regulations for CUI statistical, including maintaining confidentiality in a manner consistent with those laws and regulations
- Inform those accessing CUI statistical that violations of laws and regulations protecting CUI statistical may subject persons to penalties
- Develop CUI statistical access policies, guidelines, and practices addressing internal and external uses of CUI statistical
14
Policy Within the Agency
- Secure storage
- Safeguarding or dissemination controls
- Labeling or markings
- Statements describing appropriate safeguards;
- Practices and procedures for transmitting & receiving CUI statistical;
- Telework policies;
- Records management of CUI statistical; and
- Procedures for reporting loss or violation of conditions of use of CUI statistical.
15
Policy With External Entities
- For permitted external access, require written agreements that include a clear and detailed description of:
  - the relevant laws and regulations protecting CUI statistical;
  - the purpose of the information sharing;
  - how the information will be used;
  - the timeline for which it will be available;
  - the process for returning and/or destroying the information at expiration of the agreement; and
  - the data protection plan, including CUI information transfer and storage processes.
- Procedures for inspection of non-governmental external sites granted access to CUI statistical.
- Procedures for security certification of governmental external sites granted access to CUI statistical.
16
Agency Personnel Training
- CUI statistical training for agency personnel should cover
  - Labeling of CUI statistical information
  - Data management procedures
  - Access agreements with external entities including Interagency Agreements, Licenses, or Designated Agent Agreements.
- Track completion of training
17
Training for Data Sharing Partners
- CUI statistical training for data sharing partners should cover
  - Labeling and records management of CUI statistical information
  - Data management procedures
  - Description of processes to be followed when CUI statistical information is received from government agencies
  - Description of processes to be followed when CUI statistical information is destroyed and/or returned to government agencies
18
Technology
- Develop and maintain information systems security where CUI statistical is accessed and stored at both the sending agency and receiving partner/agency
- Establish appropriate administrative and technical safeguards consistent with FISMA and other controls to ensure the electronic and/or physical security of CUI statistical
- Establish process for security breach monitoring and notification
19
Self-inspection
- Provide self-inspection guidelines (modify existing guidelines or develop new guidelines)
- Frequency
- Ensuring purpose and time period for sharing is stated
- Ensure general and agency-specific laws are being upheld
20
Challenges
- Language in communicating with potential respondents
- Effect on data sharing activity among federal agencies
- Marking policies
- Decontrol
- Integrating Statistical CUI with other Agency categories