CUI Statistical: Collaborative Efforts of Federal Statistical Agencies

Learn more at: http://www.copafs.org

1
CUI Statistical: Collaborative Efforts of Federal Statistical Agencies
Eve Powell-Griner, National Center for Health Statistics
2
Background
  • November 2010 Interagency Council on
    Statistical Policy (ICSP) suggested a unified
    federal statistical agency response to EO 13556
  • Chief Statistician of OMB established a CUI
    Taskforce under ICSP auspices

3
Taskforce Membership
  • Bureau of Economic Analysis
  • Bureau of Justice Statistics
  • Bureau of Labor Statistics
  • Bureau of Transportation Statistics
  • Census Bureau
  • Economic Research Service
  • Energy Information Administration
  • Office of Environmental Information, EPA
  • Federal Reserve Board
  • National Agricultural Statistics Service
  • National Center for Education Statistics
  • National Center for Health Statistics
  • NCSES, National Science Foundation
  • Office of Management and Budget
  • Office of Research, Evaluation, and Statistics,
    SSA
  • Statistics of Income Division, IRS
  • Center for Behavioral Health Statistics and
    Quality, SAMHSA

4
Taskforce Process
  • Collaborative effort focusing on common objective
    rather than individual agencies
  • Regular consultation with Executive Agent, NARA
    for guidance and concurrence
  • Provided draft materials to ICSP
  • Briefed statistical agency heads

5
Taskforce Products
  • CUI Statistical Matrix
  • CUI Statistical Best Practices

6
CUI Statistical Matrix
  • Contents
    • Definition and description of category
    • Proposed marking
    • Authority statutes citations
    • Federal Regulation (CFR)
    • Government-wide policy
    • Required safeguarding controls
    • Required dissemination controls

7
Definition of CUI Statistical
  • Information collected by a Federal statistical
    agency, unit, or program
  • for statistical purposes or used for statistical
    activities
  • under law, regulation, or Government-wide policy
    such 'Statistical' CUI requires
  • (1) protection from unauthorized disclosure
  • (2) special handling safeguards and/or
  • (3) prescribed limits on access or dissemination

8
Authorities
  • (1) Pub. L. 107-347, Confidential Information
    Protection and Statistical Efficiency Act of 2002
    (CIPSEA), Title V of the E-Government Act of 2002
  • (2) 5 USC 552a, Privacy Act of 1974
  • (3) 5 USC 552, exemptions 3, 4, and 6, Freedom
    of Information Act
  • (4) 18 USC 1905, Trade Secrets Act
  • other agency specific items as identified in
    attachments

9
Government-Wide Policy
  • OMB Directives, Circulars and Guidance
    • Release and Dissemination of Statistical Products
      Produced by Federal Statistical Agencies
    • Safeguarding Personally Identifiable Information
    • Implementing the Privacy Provisions of the
      E-Government Act of 2002
    • Reporting Incidents Involving Personally
      Identifiable Information
    • Sharing Data While Protecting Privacy
  • NIST Guidance
    • SP 800-122, Guide to Protecting the
      Confidentiality of Personally Identifiable
      Information (PII)

10
Safeguarding and Dissemination Controls
  • (1) Federal Register Vol 72 No 115, 06/15/2007
    Implementation Guidance for Title V of the
    E-Government Act, Confidential Information
    Protection and Statistical Efficiency Act of 2002
  • (2) OMB Memorandum M-07-16, Safeguarding Against
    and Responding to the Breach of Personally
    Identifiable Information
  • (3) NIST SP 800-53, Recommended Security Controls
    for Federal Information Systems and Organizations
  • (4) 44 USC 3541, Federal Information Security
    Management Act of 2002 (FISMA)
  • Plus other agency specific items as identified in
    attachments

11
CUI Statistical Best Practices
  • Memorandum from ICSP to the Executive Agent
  • Best practices offered as reference to each
    Executive Agency with a statistical agency/unit
  • Contents of Document
    • Purpose
    • Governance
    • Policy
      • Within the agency
      • With external entities
    • Training
    • Technology
    • Self-Inspection

12
Governance
  • Designate a person to oversee all procedures for
    handling CUI statistical
    • the statistical agency's point of contact for CUI
      statistical,
    • coordinates CUI statistical policies with the
      Departmental Senior Agency Official for CUI,
    • responsible for the implementation of the
      statistical agency's policies, procedures,
      training, and compliance with CUI statistical
      regulations.

13
Policy
  • Comply with general and agency-specific laws and
    regulations for CUI statistical, including
    maintaining confidentiality in a manner
    consistent with those laws and regulations
  • Inform those accessing CUI statistical that
    violations of laws and regulations protecting CUI
    statistical may subject persons to penalties
  • Develop CUI statistical access policies,
    guidelines, and practices addressing internal and
    external uses of CUI statistical

14
Policy Within the Agency
  • Secure storage
  • Safeguarding or dissemination controls
  • Labeling or markings
  • Statements describing appropriate safeguards
  • Practices and procedures for transmitting and
    receiving CUI statistical
  • Telework policies
  • Records management of CUI statistical and
  • Procedures for reporting loss or violation of
    conditions of use of CUI statistical.

15
Policy With External Entities
  • For permitted external access, require written
    agreements that include a clear and detailed
    description of
    • the relevant laws and regulations protecting CUI
      statistical
    • the purpose of the information sharing
    • how the information will be used
    • the timeline for which it will be available
    • the process for returning and/or destroying the
      information at expiration of the agreement and
    • the data protection plan, including CUI
      information transfer and storage processes.
  • Procedures for inspection of non-governmental
    external sites granted access to CUI statistical.
  • Procedures for security certification of
    governmental external sites granted access to CUI
    statistical.

16
Agency Personnel Training
  • CUI statistical training for agency personnel
    should cover
    • Labeling of CUI statistical information
    • Data management procedures
    • Access agreements with external entities
      including Interagency Agreements, Licenses, or
      Designated Agent Agreements.
  • Track completion of training

17
Training for Data Sharing Partners
  • CUI statistical training for data sharing
    partners should cover
    • Labeling and records management of CUI
      statistical information
    • Data management procedures
    • Description of processes to be followed when CUI
      statistical information is received from
      government agencies
    • Description of processes to be followed when CUI
      statistical information is destroyed and/or
      returned to government agencies

18
Technology
  • Develop and maintain information systems security
    where CUI statistical is accessed and stored at
    both the sending agency and receiving
    partner/agency
  • Establish appropriate administrative and
    technical safeguards consistent with FISMA and
    other controls to ensure the electronic and/or
    physical security of CUI statistical
  • Establish process for security breach monitoring
    and notification

19
Self-inspection
  • Provide self-inspection guidelines (modify
    existing guidelines or develop new guidelines)
  • Frequency
  • Ensuring purpose and time period for sharing is
    stated
  • Ensure general and agency-specific laws are being
    upheld

20
Challenges
  • Language in communicating with potential
    respondents
  • Effect on data sharing activity among federal
    agencies
  • Marking policies
  • Decontrol
  • Integrating Statistical CUI with other Agency
    categories