[Federal Register Volume 79, Number 249 (Tuesday, December 30, 2014)]
[Proposed Rules]
[Pages 78314-78324]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-30199]



[[Page 78314]]



DEPARTMENT OF COMMERCE

National Technical Information Service

15 CFR Part 1110

[Docket Number: 141219001-4999-02]
RIN 0692-AA21


Certification Program for Access to the Death Master File

AGENCY: National Technical Information Service, U.S. Department of 
Commerce.

ACTION: Notice of proposed rulemaking; request for comments.

-----------------------------------------------------------------------

SUMMARY: The National Technical Information Service (NTIS) issues a 
proposed rule that would, if implemented, establish a program pursuant 
to Section 203 of the Bipartisan Budget Act of 2013 (Act) through which 
persons may become ``certified'' and thereby be eligible to obtain 
access to Death Master File (DMF) information about an individual 
within three years of that individual's death (``Limited Access DMF,'' 
as defined in the proposed rule). The rule is established to provide 
immediate access to the DMF to those users who demonstrate a legitimate 
fraud prevention interest or a legitimate business purpose for the 
information, and to otherwise delay the release of the DMF to all other 
users, thereby reducing opportunities for identity theft and 
restricting information sources used to file fraudulent tax returns. 
This rule sets forth requirements to become a certified person, 
establishes a process for third party attestation and auditing of the 
information safeguarding requirement for certification, provides that 
certified persons will be subject to periodic scheduled and unscheduled 
audits, and sets out penalties for persons who disclose or use DMF 
information in a manner not in accordance with the Act. This rule would 
also establish the process for appealing denials or revocations of 
certification and the imposition of penalties, and a fee program.

DATES: Comments are due on this proposed rule on January 29, 2015.

ADDRESSES: Written comments on this proposed rule must be submitted via 
http://www.regulations.gov. Comments sent by any other method, to any 
other address or individual, or received after the end of the comment 
period, may not be considered. All comments received are a part of the 
public record and will generally be posted for public viewing on 
www.regulations.gov without change. However, comments that contain 
profanity, vulgarity, threats, or other inappropriate language will not 
be posted. All personal identifying information (e.g., name, address) 
submitted voluntarily by the sender will be publicly accessible. Do not 
submit confidential business information, or otherwise sensitive or 
protected information. Attachments to electronic comments will be 
accepted in Microsoft Word or Excel, WordPerfect, or Adobe PDF formats 
only.

FOR FURTHER INFORMATION CONTACT: Henry Wixon, Chief Counsel for NIST, 
at [email protected], or by telephone at 301-975-2803. Information 
about the DMF made available to the public by NTIS may be found at 
https://dmf.ntis.gov.

SUPPLEMENTARY INFORMATION: 

Background

    On December 26, 2013, the Bipartisan Budget Act of 2013, Pub. L. 
113-67, (the Act) became law. Section 203 of the Act prohibits the 
Secretary of Commerce (Secretary) from disclosing DMF information 
during the three-calendar-year period following an individual's death 
(the ``Limited Access DMF''), unless the person requesting the 
information has been certified to receive that information under a 
program established by the Secretary. The Act further requires the 
Secretary to establish a fee-based certification program that will 
certify these persons. It also provides for penalties for those who 
receive or distribute DMF information without being certified. Finally, 
the Act sets March 26, 2014, as the date after which any party seeking 
access to the Limited Access DMF must be certified in order to access 
Limited Access DMF. The Secretary has delegated the authority to carry 
out Section 203 to the Director of NTIS.
    On March 3, 2014, NTIS published a Request for Information (RFI) 
and Advance Notice of Public Meeting on the Certification Program for 
Access to the Death Master File (RFI) at 79 FR 11735, available at 
http://www.gpo.gov/fdsys/pkg/FR-2014-03-03/pdf/2014-04584.pdf. The 
public meeting was held March 4, 2014, from 9:00 a.m. to 12:00 p.m. 
Eastern time at the United States Patent and Trademark Office, Madison 
Building West, 600 Dulany Street, Alexandria, VA 22314. The public 
meeting was also webcast. Written comments received in response to the 
RFI, and a transcription of oral comments made and comments submitted 
via webcast at the public meeting, may be viewed at https://dmf.ntis.gov.
    On March 26, 2014, NTIS published an interim final rule, 
``Temporary Certification Program for Access to the Death Master 
File,'' at 79 FR 16668, available at 
http://www.gpo.gov/fdsys/pkg/FR-2014-03-26/pdf/2014-06701.pdf (the 
Interim Final Rule). That rule 
codified an interim approach to implementing the Act's provisions 
pertaining to the certification program and the penalties for violating 
the Act, and set out an interim fee schedule for the program. NTIS 
published the Interim Final Rule in order to provide a mechanism for 
persons to access the DMF immediately on the effective date prescribed 
in Section 203 of the Act. Written comments received in response to the 
Interim Final Rule may be viewed at http://www.regulations.gov.
    The preambles for both the RFI and the Interim Final Rule set out 
the specific provisions of the Act, and also noted that several Members 
of Congress described their understanding of the purpose and meaning of 
Section 203 during Congressional debate on the Joint Resolution which 
became the Act. Citations to those Member statements were provided in 
the RFI, which also provided background on the component of the DMF 
covered by Section 203, which originates from the Social Security 
Administration. The Interim Rule was established to provide immediate 
access to the DMF to those users who demonstrate a legitimate fraud 
prevention interest or a legitimate business purpose for the 
information, and to otherwise delay the release of the DMF to all other 
users, thereby reducing opportunities for identity theft and 
restricting information sources used to file fraudulent tax returns.

[[Page 78315]]

    This rule, if adopted, would replace the regulatory structure put 
into place by the Interim Final Rule. It describes who may become a 
``Certified Person'' under the Act, creates a process by which NTIS can 
certify such persons, establishes a process for third party attestation 
and auditing of the information safeguarding requirement for 
certification, establishes a fee program, establishes penalties for 
disseminating or receiving DMF information in violation of the Act, and 
creates a process to appeal some penalties. However, until this rule 
becomes final and effective, the Temporary Certification Program 
established under the Interim Final Rule shall remain in force and 
effect.

The Proposed Rule

    This proposed rule would amend subparts and add a new subpart E to 
the DMF Certification Program in part 1110 of title 15 of the Code of 
Federal Regulations. The following describes specific provisions being 
amended.
    Under Section 1110.2, ``Definitions,'' NTIS proposes to revise the 
definition of ``Person'' to recite ``state and local government 
departments and agencies,'' so that ``Person'' will be defined as 
including ``corporations, companies, associations, firms, partnerships, 
societies, joint stock companies, and other private organizations, and 
state and local government departments and agencies, as well as 
individuals.'' However, Executive departments or agencies of the United 
States Government would not be considered ``Persons'' for the purposes 
of this rule. Accordingly, Executive departments or agencies will not 
have to complete the Certification Form as set forth in the rule, and 
will be able to access Limited Access DMF under a subscription or 
license agreement with NTIS, describing the purpose(s) for which 
Limited Access DMF is collected, used, maintained and shared. Those 
working on behalf of and authorized by Executive departments or 
agencies may access the Limited Access DMF from their sponsoring 
Executive department or agency, which will be responsible for ensuring 
that such access is solely for the authorized purposes described by the 
agency. Unauthorized secondary use of Limited Access DMF by Executive 
departments or agencies or those working for them or on their behalf is 
prohibited. If an Executive department or agency wishes those working 
on its behalf to access the Limited Access DMF directly from NTIS, then 
those working on behalf of that Executive department or agency will be 
required to complete and submit the Certification Form as set forth in 
the rule and enter into a subscription agreement with NTIS in order to 
access the Limited Access DMF. Under this proposed rule, a Certified 
Person will be eligible to access the Limited Access DMF made available 
by NTIS through subscription or license.
    NTIS proposes to revise the definition of ``Limited Access DMF'' by 
adding a sentence that clarifies that an individual element of 
information (name, social security number, date of birth, or date of 
death) in the possession of a Person, whether or not certified, but 
obtained by such Person through a source independent of the Limited 
Access DMF, will not be considered ``DMF information'' for the purposes 
of the rule, and requests comment on the proposed definition. The 
additional sentence is as follows:

    As used in this part, Limited Access DMF does not include an 
individual element of information (name, social security number, 
date of birth, or date of death) in the possession of a Person, 
whether or not certified, but obtained by such Person through a 
source independent of the Limited Access DMF. If a Certified Person 
obtains, or a third party subsequently provides to a Certified 
Person, death information (i.e., the name, social security account 
number, date of birth, or date of death) independently, the 
information is not considered part of the Limited Access DMF if the 
NTIS source information is replaced with the newly provided 
information.

    NTIS believes this revision of the definition of Death Master File 
adds clarity to what is and is not Limited Access DMF, and requests 
comment on the proposed definition.
    Under Section 1110.102(a)(1) of the interim final rule, to become 
certified, a Person must certify that the Person has a ``legitimate 
fraud prevention interest,'' or has a ``legitimate business purpose 
pursuant to a law, governmental rule, regulation, or fiduciary duty,'' 
and must specify the basis for so certifying. NTIS is not proposing to 
change this requirement here. However, the Temporary Certification 
Program established under the Interim Final Rule did not provide for 
review, assessment or audit of the systems, facilities, and procedures 
of a Person with attestation by an independent, third party conformity 
assessment body, as NTIS is now proposing in this rule, and as 
discussed at length below. Given this proposed rule's emphasis on 
security and safeguarding of Limited Access DMF, the proposed rule's 
provision for procedures and processes addressing the proper 
safeguarding of Limited Access DMF, and the proposed rule's provision 
for review, assessment, audit and attestation of a Person's information 
and information security controls by independent, third party 
conformity assessment bodies, NTIS requests comments on the level of 
specificity a Person should be required to provide as the basis for 
certifying its fraud prevention interest or business purpose under the 
proposed rule.
    NTIS acknowledges that some entities may seek to provide NTIS with 
supplemental or supporting information over and above what may be 
required along with the attestation, to augment or support their 
request for certification for access to Limited Access DMF. If 
submitted, NTIS will evaluate such materials and may accept or reject 
that information when determining whether to certify a person. To 
assist NTIS in determining how to evaluate such materials, NTIS also 
requests comments on what types of materials NTIS should accept in 
support of a certification that a party has a legitimate business 
purpose or legitimate fraud prevention interest.
    This rule would add a requirement that, in order to become 
certified, a Person must submit a written attestation from an 
Accredited Certification Body (as defined below) that such Person has 
information security systems, facilities, and procedures in place to 
protect the security of the DMF information, as required under Section 
1110.102(a)(2) of the rule. Such a requirement was not made under the 
Interim Final Rule. In considering how to establish a permanent 
certification program as required under Section 203, NTIS carefully 
considered developing, within the agency, the capacity to evaluate the 
information systems, facilities and procedures of Persons to safeguard 
DMF information, as well as to conduct audits of Certified Persons. 
NTIS has consulted with the National Institute of Standards and 
Technology (NIST), which has expertise in testing, standard setting, 
and certification of various systems. Based on NIST recommendations, 
NTIS believes it appropriate for private sector, third party, 
Accredited Certification Bodies to attest to a Person's information 
security safeguards under Section 1110.102(a)(2) of the rule, and for 
NTIS to rely upon such attestation in certifying a Person under the 
proposed rule. NTIS also believes it appropriate for Accredited 
Certification Bodies to conduct periodic scheduled and unscheduled 
audits of Certified Persons on behalf of NTIS. NTIS requests comments 
on the proposal to accept attestations by private sector, third party, 
Accredited Certification Bodies under the rule.
    Under this rule, an ``Accredited Certification Body'' is an 
independent

[[Page 78316]]

third party conformity assessment body that is not owned, managed, or 
controlled by a Person or Certified Person which is the subject of 
attestation or audit, and that is accredited, by an accreditation body 
under nationally or internationally recognized criteria such as, but 
not limited to, the International Organization for Standardization 
(ISO) and the International Electrotechnical Commission (IEC) 
publication ISO/IEC 27006-2011, ``Information technology--Security 
techniques--Requirements for bodies providing audit and certification 
of information security management systems,'' to attest that a Person 
or Certified Person has information technology systems, facilities and 
procedures in place to safeguard DMF information. Based on NIST 
recommendations, NTIS believes it is appropriate to use the ISO/IEC 
27006-2011 as a baseline for accreditation under the proposed 
certification program. The ISO Committee on conformity assessment 
(CASCO) prepared ISO/IEC 27006-2011, and NTIS believes the use of the 
ISO/IEC standard will help ensure that attestations and audits under 
the proposed certification program operate in a manner consistent with 
national and international practices. Accreditation is a third-party 
attestation that a conformity assessment body operates in accordance 
with national and international standards. Accreditation is used 
nationally and internationally in many sectors where there is a need, 
through certification, that safety, health or security requirements are 
met by products or services. Accreditation ensures that a conformity 
assessment body is technically competent in the subject matter (in this 
case, the information safeguarding and security requirements as set 
forth in the rule) and has a management system in place to ensure 
competency and acceptable certification program operations on a 
continuing basis. Accreditation requires that Accredited Certification 
Bodies be re-accredited on a periodic basis.
    However, NTIS is also aware that standards other than ISO/IEC 
27006-2011 exist that may be equally appropriate for the purposes of 
accreditation under the Act, and that additional standards may be 
developed in the future. At this time, NTIS proposes that an Accredited 
Certification Body may attest, subject to the conditions of 
verification in proposed section 1110.503 of this rule, that it is 
accredited to a nationally or internationally recognized standard for 
bodies providing audit and certification of information security 
management systems other than ISO/IEC Standard 27006-2011. In addition, 
NTIS proposes that an Accredited Certification Body must also attest 
that the scope of its accreditation encompasses the information 
safeguarding and security requirements as set forth in the rule. NTIS 
requests comments on these proposals.
    NTIS is aware that security and safeguarding of information and 
information systems is of great concern in many fields of endeavor 
other than with respect to DMF information. NTIS has consulted with 
subject matter experts from NIST, which in 2014 published the 
``Framework for Improving Critical Infrastructure Cybersecurity'' 
(Framework), in response to President Obama's Executive Order 13636, 
``Improving Critical Infrastructure Cybersecurity,'' which established 
that ``[i]t is the Policy of the United States to enhance the security 
and resilience of the Nation's critical infrastructure and to maintain 
a cyber environment that encourages efficiency, innovation, and 
economic prosperity while promoting safety, security, business 
confidentiality, privacy, and civil liberties.'' In articulating this 
policy, the Executive Order calls for the development of a voluntary 
risk-based Cybersecurity Framework--a set of industry standards and 
best practices to help organizations manage cybersecurity risks. The 
resulting Framework, created by NIST through collaboration between 
government and the private sector, uses a common language to address 
and manage cybersecurity risks in a cost-effective way based on 
business needs without placing additional regulatory requirements on 
businesses. The Framework enables organizations--regardless of size, 
degree of cybersecurity risk, or cybersecurity sophistication--to apply 
the principles and best practices of risk management to improving the 
security and resilience of critical infrastructure. The Framework 
provides organization and structure to today's multiple approaches to 
cybersecurity by assembling standards, guidelines, and practices that 
are working effectively in industry today. Accordingly, in addressing 
the requirements of Section 203 for ``systems, facilities, and 
procedures'' to safeguard DMF information, NTIS contemplates that 
Persons, as well as Accredited Certification Bodies, may look to the 
Framework and to the Framework's Informative References. The Framework 
is referenced by NTIS in its security guideline document, ``Limited 
Access Death Master File (LADMF) Certification Program Publication 
100,'' which is similar to the Internal Revenue Service (IRS) 
Publication 1075, ``Tax Information Security Guidelines for Federal, 
State and Local Agencies,'' available at 
http://www.irs.gov/pub/irs-pdf/p1075.pdf, and IRS Publication 4812, 
``Contractor Security Controls,'' available at 
http://www.irs.gov/pub/irs-procure/Publication-4812_Contractor_Security-Controls.pdf. 
As set forth in 
the security guideline document as well as in the Framework's 
Informative References, a number of different approaches exist to 
safeguarding information. These include ISO/IEC, Control Objectives for 
Information and Related Technology (COBIT), International Society of 
Automation (ISA), and NIST's 800 series publications. Others include 
the Service Organization Controls (SOC) of the American Institute of 
CPAs (AICPA). NTIS intends that by following its security guideline 
document, Persons and Certified Persons will satisfy the requirements 
of the rule. NTIS requests comments on other relevant approaches that 
may exist and be suitable for the purposes of the rule.
    NTIS is aware that security and safeguarding assessments such as 
those contemplated under this proposed rule are routinely carried out 
in the private sector, including by entities which may satisfy the 
requirements for Accredited Certification Bodies under the rule. 
Provided that such a routine assessment or audit of a Person would 
permit an Accredited Certification Body to attest that such Person has 
systems, facilities, and procedures in place to safeguard DMF 
information as required under Section 1110.102(a)(2) of the rule, 
albeit carried out for a purpose other than certification under the 
rule, NTIS proposes to accept an attestation in support of a Person's 
certification with respect to the requirements under Section 
1110.102(a)(ii) of the rule, as well as in support of the renewal of a 
Certified Person's certification. NTIS proposes that any attestation, 
whether for a Person seeking certification or for a Certified Person 
seeking renewal, must be based on the Accredited Certification Body's 
review or assessment conducted no more than three years prior to the 
date of submission of the Person's completed certification statement or 
of the Certified Person's completed renewal certification statement. As 
noted, an Accredited Certification Body's review or assessment need not 
have been conducted specifically or

[[Page 78317]]

solely for the purpose of submission of an attestation under the 
proposed rule, provided the review or assessment addresses the controls 
set forth in the ``Limited Access Death Master File (LADMF) 
Certification Program Publication 100.'' From NTIS's consultations with 
NIST subject matter experts, NTIS believes that the limitation of three 
years is appropriate as to frequency for assessments for the security 
and safeguarding of information and information systems, and that 
permitting Persons and Certified Persons to rely on attestations based 
on such assessments conducted for purposes other than solely for the 
rule is reasonable and cost-effective. NTIS requests comment on this 
aspect of the proposed rule.
    NTIS proposes to amend Section 1110.102(a)(2) and (3) to clarify 
that to be certified to obtain access to the Limited Access DMF, a 
Person must certify both that the Person ``has systems, facilities, and 
procedures in place to safeguard the accessed information, and 
experience in maintaining the confidentiality, security, and 
appropriate use of accessed information, pursuant to requirements 
similar to the requirements of section 6103(p)(4) of the Internal 
Revenue Code of 1986,'' and that the Person ``agrees to satisfy such 
similar requirements.'' This standard differs somewhat from the 
requirement of Section 203 of the Act, because that Section contains 
contradictory statements about the types of systems to safeguard 
information that a Certified Person must have in place. In Section 
203(b)(2)(B), the Act states that in order to receive Limited Access 
DMF, a Person must agree to comply with requirements ``similar to'' 
section 6103(p)(4) of the Internal Revenue Code (IRC). Section 
6103(p)(4) of the IRC is directed to Federal government agencies, and 
as such the ``similar to'' statement makes sense for non-government 
actors which are the subject of the Act. However, Section 203(b)(2)(C) 
also requires a Certified Person to ``satisfy the requirements of such 
section 6103(p)(4) as if such section applied to such person'' 
(emphasis added). It is unclear how or why a Certified Person could or 
should satisfy an information integrity requirement ``similar to'' 
section 6103(p)(4) of the IRC while also satisfying section 6103(p)(4) 
of the IRC. To resolve this ambiguity, NTIS interprets Section 203(b) 
of the Act as requiring Persons to certify that they have systems, 
facilities, and procedures in place that are ``similar to'' those 
required by section 6103(p)(4) of the IRC in order to become Certified 
Persons. NTIS requests comments on this interpretation, which NTIS 
believes will allow NTIS to meet the interest of protecting personal 
data generally and deterring fraud, while also allowing NTIS to set the 
data integrity standards appropriate to safeguard DMF information 
specifically. NTIS has developed a security guideline document, 
``Limited Access Death Master File (LADMF) Certification Program 
Publication 100,'' similar to the Internal Revenue Service (IRS) 
Publication 1075, ``Tax Information Security Guidelines for Federal, 
State and Local Agencies,'' available at 
http://www.irs.gov/pub/irs-pdf/p1075.pdf, as well as IRS Publication 
4812, ``Contractor Security Controls,'' available at 
http://www.irs.gov/pub/irs-procure/Publication-4812_Contractor_Security-Controls.pdf, 
and drawing on the National Institute of Standards and Technology 
``Framework for Improving Critical Infrastructure Cybersecurity,'' and 
informative references cited therein, available at 
http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf, 
that sets out safeguard approaches adapted to the provisions of 
Section 203 of the 
Act. NTIS will invite the public to comment on and to contribute to 
this guidance document on a continuing basis. NTIS contemplates that 
conforming to the proposed NTIS security guideline document will permit 
Persons and Certified Persons to satisfy the Act. A draft of the 
proposed NTIS security guideline document is available for review at 
https://dmf.ntis.gov.
    NTIS believes that adherence to the information security controls 
and practices described in the LADMF Certification Program Publication 
100 will help protect LADMF information that resides on Certified 
Persons' information technology systems. Combined with the strict 
liability for misusing the LADMF information set out in section (c) of 
the Act, and in section 1110.102 of this proposed rule, LADMF 
Certification Program Publication 100 describes safeguards for 
minimizing occurrences of improper access to, and misuse of, LADMF 
data. Specifically, LADMF Certification Program Publication 100 
establishes the guidelines and practices that Certified Persons are to 
apply to their information security programs to protect LADMF 
information in their possession. Failure to adhere to these guidelines 
and practices increases the likelihood of unauthorized access to, and 
misuse of, LADMF data, including fraudulent misuse. Accordingly, the 
information security measures required by this rule and adherence to 
the guidelines and practices described in LADMF Certification Program 
Publication 100 require Certified Persons to maintain adequate security 
controls for LADMF information.
    Persons previously certified under the Interim Final Rule will need 
to become certified in accordance with the requirements of the proposed 
rule, when it becomes final and effective. Certification under this 
rule will include an updated certification form, discussed below under 
the heading, ``Description of the Projected Reporting, Recordkeeping, 
and Other Compliance Requirements of the Proposed Rule,'' collecting 
additional information that will improve NTIS's ability to determine 
whether a Person meets, to the satisfaction of NTIS, the requirements 
of Section 203 of the Act.
    Under Section 1110.103 of the proposed rule, a Certified Person may 
disclose Limited Access DMF to another Certified Person, and will be 
deemed to satisfy the disclosing Certified Person's obligation to 
ensure compliance with proposed Section 1110.102(a)(4)(i)-(iii) for the 
purposes of certification. Similarly, under Section 1110.200(c), NTIS 
will not impose a penalty, under Section 1110.200(a)(1)(i)-(iii) of the 
proposed rule, on a first Certified Person who discloses Limited Access 
DMF to a second Certified Person, where the first Certified Person's 
liability rests solely on the fact that the second Certified Person has 
been determined to be subject to penalty. While the proposed rule does 
not restrict disclosure of Limited Access DMF to Certified Persons, 
NTIS believes that these provisions create an appropriately limited 
``safe harbor'' for Certified Persons to disclose Limited Access DMF to 
other Certified Persons. However, note that any Person that receives 
Limited Access DMF from a Certified Person is still subject to penalty 
under Section 1110.200(a)(1)-(4), for violations of the Act. The safe 
harbor provision applies to each disclosure individually, and only the 
Certified Person disclosing the information, not the recipient, 
receives the benefit of the presumed compliance with Section 
1110.102(a)(4)(i)-(iii). NTIS requests comment on this provision of the 
proposed rule, including on whether or not the ``safe harbor'' should 
also apply when a first Certified Person discloses Limited Access DMF 
to a second Person, believed to be a Certified Person, but who is not, 
in fact, certified under the proposed rule.

[[Page 78318]]

    Under Section 1110.201 of the proposed rule, NTIS may conduct, or 
may request an Accredited Certification Body conduct, at the Certified 
Person's expense, periodic scheduled and unscheduled audits of the 
systems, facilities, and procedures of any Certified Person relating to 
such Certified Person's access to, and use and distribution of, the 
Limited Access DMF. NTIS contemplates that many, if not most, audits of 
Certified Persons will be scheduled, but NTIS may also conduct, or 
request an Accredited Certification Body conduct, unscheduled audits--
for example, where a prior scheduled audit may have identified the need 
for adjustment to a Certified Person's systems, facilities, or 
procedures. Audits conducted by NTIS or by an Accredited Certification 
Body may take place at a Certified Person's place of business (i.e., 
field audits), or may be conducted remotely (i.e., desk audits). As 
discussed above, NTIS is proposing that all Certified Persons be 
audited with respect to the requirements of Section 1110.102(a)(2) no 
less frequently than every three years under the program, and that this 
requirement may be satisfied by a Certified Person based on an audit or 
assessment conducted for a purpose other than solely for the rule. NTIS 
is not proposing routine scheduled audits on the attestation regarding 
Section 1110.102(a)(1), though unscheduled audits of this and other 
aspects of the requirements for certification may be conducted in 
NTIS's discretion. NTIS requests comment on these aspects of the 
proposed rule. NTIS' costs for conducting audits will be recoverable 
from the audited Person. Failure to submit to audit, to cooperate fully 
with NTIS in its conduct of an audit, or to pay an audit fee owed to 
NTIS, will be grounds for revocation of certification. NTIS intends 
that a Person or Certified Person will be directly responsible to an 
Accredited Certification Body for any charges by that Accredited 
Certification Body related to requirements under this proposed rule, as 
it would be responsible for NTIS' auditing costs under the Act, and 
requests comments.
    Section 1110.200(c) of the proposed rule sets out the penalties for 
unauthorized disclosures or uses of the Limited Access DMF. Each 
individual unauthorized disclosure is punishable by a fine of $1,000, 
payable to the United States Treasury. However, the total amount of the 
penalty imposed under this part on any Person for any calendar year 
shall not exceed $250,000, unless such Person's disclosure or use is 
determined to be willful or intentional. A disclosure or use is 
considered willful when it is a ``voluntary, intentional violation of a 
known legal duty.'' See, U.S. v. Pomponio, 429 US 10 (1976) (holding 
that for purposes of interpreting the criminal tax provisions of the 
Internal Revenue Code, the term ``willful'' means a voluntary, 
intentional violation of a known legal duty).
    The proposed rule's Section 1110.300 establishes the procedures to 
appeal a denial or revocation of certification, or of penalties for 
violating the Act. An administrative appeal must be filed, in writing, 
within 30 days (or such longer period as the Director of NTIS may, for 
good cause shown in writing, establish in any case) after receiving a 
notice of denial, revocation or imposition of penalties. Appeals should 
be directed to the Director of NTIS. Any such appeal must set forth the 
following: The name, street address, email address and telephone number 
of the Person seeking review; a copy of the notice of denial or 
revocation of certification, or the imposition of penalty, from which 
appeal is taken; a statement of arguments, together with any supporting 
facts or information, concerning the basis upon which the denial or 
revocation of certification, or the imposition of penalty, should be 
reversed; and a request for hearing of oral argument before a 
representative of the Director, if desired.
    Section 1110.300(a)-(d) proposes the procedures for an 
administrative appeal. Under section 1110.300(c), a Person may, but 
need not, retain an attorney to represent such Person in an appeal. 
Those with attorneys shall designate such attorney by submitting to the 
Director of NTIS a written power of attorney. If a hearing is 
requested, the Person (or the Person's designated attorney) and a 
representative of NTIS familiar with the notice from which appeal has 
been taken will present oral arguments which, unless otherwise ordered 
before the hearing begins, will be limited to thirty minutes for each 
side. A Person need not retain an attorney or request an oral hearing 
to secure full consideration of the facts and the Person's arguments. 
Where no hearing is requested, the Director shall review the case and 
issue a decision as set out below.
    Under Section 1110.300(e), the Director of NTIS shall issue a 
decision on the matter within 120 days after a hearing, or, if no 
hearing was requested, within 90 days of receiving the letter of 
appeal. In making decisions on appeal, the Director shall consider the 
arguments and statements of fact and information in the Person's 
appeal, and made at the oral argument hearing, if such was requested, 
but the Director at his or her discretion and with due respect for the 
rights and convenience of the Person and the agency, may call for 
further statements on specific questions of fact or may request 
additional evidence in the form of affidavits on specific facts in 
dispute. An appellant may seek reconsideration of the decision, but 
must do so in writing, and the request for reconsideration must be 
received within 30 days of the Director's decision or within such an 
extension of time thereof as may be set by the Director of NTIS before 
the original period expires. A decision shall become final either after 
the 30-day period for requesting reconsideration expires and no request 
has been submitted, or on the date of final disposition of a decision 
on a petition for reconsideration.
    As discussed above, for certification of a Person under the rule, 
as well as renewal of a Certified Person's certification, NTIS proposes 
requiring submission of a third party attestation as to the information 
safeguarding requirement. Third party attestation is accordingly a key 
element of the certification program under the rule. In view of this, 
the rule provides that an Accredited Certification Body must be 
independent of the Person or Certified Person, and must itself be 
accredited by a recognized accreditation body. The requirement for 
independence from the Person seeking certification, or from the 
Certified Person seeking renewal or subject to audit, is important to 
ensure integrity of any assessment and attestation. NTIS requests 
comment on this requirement.
    NTIS proposes that an Accredited Certification Body must be an 
independent third party certification body that is not owned, managed, 
or controlled by a Person or Certified Person that is the subject of 
attestation or audit by the Accredited Certification Body. Under the 
rule, a Person or Certified Person is considered to own, manage, or 
control a third party certification body if any one of the following 
characteristics applies:
    (1) The Person or Certified Person holds a 10 percent or greater 
ownership interest, whether direct or indirect, in the third party 
certification body. Indirect ownership interest is calculated by 
successive multiplication of the ownership percentages for each link in 
the ownership chain;
    (2) The third party certification body and the Person or Certified 
Person are owned by a common ``parent'' entity;
    (3) The Person or Certified Person has the ability to appoint a 
majority of the third party certification body's senior internal 
governing body (such as, but

[[Page 78319]]

not limited to, a board of directors), the ability to appoint the 
presiding official (such as, but not limited to, the chair or 
president) of the third party certification body's senior internal 
governing body, and/or the ability to hire, dismiss, or set the 
compensation level for third party certification body personnel; or
    (4) The third party certification body is under a contract to the 
Person or Certified Person that explicitly limits the services the 
third party certification body may perform for other customers and/or 
explicitly limits which or how many other entities may also be 
customers of the third party certification body.
    In order for NTIS to accept an attestation as to, or audit of, a 
Person or Certified Person submitted to NTIS under the rule, the 
Accredited Certification Body must attest that it is independent of 
that Person or Certified Person. The Accredited Certification Body also 
must attest that it has read, understood, and agrees to the regulations 
as set forth in the rule. The Accredited Certification Body must also 
attest that it is accredited to ISO/IEC Standard 27006-2011 
``Information technology--Security techniques--Requirements for bodies 
providing audit and certification of information security management 
systems,'' or to another nationally or internationally recognized 
standard for bodies providing audit and certification of information 
security management systems. The Accredited Certification Body must 
also attest that the scope of its accreditation encompasses the 
safeguarding and security requirements as set forth in the rule. NTIS 
requests comments on these aspects of the proposed rule.
    Where review or assessment or audit by an Accredited Certification 
Body was not conducted specifically or solely for the purpose of 
submission under this part, the rule requires that the written 
attestation or assessment report (if an audit) describe the nature of 
that review or assessment or audit, and that the Accredited 
Certification Body attest that on the basis of such review or 
assessment or audit, the Person or Certified Person has systems, 
facilities, and procedures in place to safeguard DMF information as 
required under Section 1110.102(a)(2) of this part. The rule provides 
that in so attesting, an Accredited Certification Body may reference 
``Limited Access Death Master File (LADMF) Certification Program 
Publication 100,'' guidelines published by NTIS and available at 
https://dmf.ntis.gov.
    While NTIS will normally accept written attestations and assessment 
reports from an Accredited Certification Body that attests, to the 
satisfaction of NTIS, as provided in Section 1110.502 of the rule, the 
rule also provides that NTIS may decline to accept written attestations 
or assessment reports from an Accredited Certification Body, whether or 
not it has attested as provided in Section 1110.502, for any of the 
following reasons:
    (1) When it is in the public interest under Section 203 of the 
Bipartisan Budget Act of 2013, and notwithstanding any other provision 
of this part;
    (2) Submission of false or misleading information concerning a 
material fact(s) in an Accredited Certification Body's attestation 
under Section 1110.502;
    (3) Knowing submission of false or misleading information 
concerning a material fact(s) in an attestation or assessment report by 
an Accredited Certification Body of a Person or Certified Person;
    (4) Failure of an Accredited Certification Body to cooperate in 
response to a request from NTIS to verify the accuracy, veracity, and/or 
completeness of information received in connection with an attestation 
under Section 1110.502 or an attestation or assessment report by that 
Body of a Person or Certified Person. An Accredited Certification Body 
``fails to cooperate'' when it does not respond to NTIS inquiries or 
requests, or it responds in a manner that is unresponsive, evasive, 
deceptive, or substantially incomplete.
    (5) Where NTIS is unable for any reason to verify the accuracy of 
the Accredited Certification Body's attestation.
    In addition, with respect to audits under the proposed rule, NTIS 
may in its discretion decline to accept an attestation or assessment 
report conducted for other purposes, and may conduct or require that an 
Accredited Certification Body conduct a review solely for the purpose 
of the rule, and requests comments on this proposal.

Classification

Executive Order 12630

    This rule does not effect a taking of private property or otherwise 
have taking implications under Executive Order 12630, Governmental 
Actions and Interference with Constitutionally Protected Property 
Rights.

Executive Order 12866

    This proposed rule has been determined to be significant under 
Executive Order 12866.

Executive Order 12898

    NTIS evaluated the environmental effects of this proposed rule in 
accordance with Executive Order 12898 and determined that there are no 
environmental justice issues associated with its provisions and no 
collective environmental impact resulting from its promulgation.

Executive Order 13132

    A rule has implications for federalism under Executive Order 13132, 
Federalism, if it has a substantial direct effect on State or local 
governments and would either preempt State law or impose a substantial 
direct cost of compliance on States or localities. NTIS has analyzed 
this proposed rule under that Order and has determined that it does not 
have implications for federalism.

Initial Regulatory Flexibility Analysis (IRFA)

    Pursuant to Section 603 of the Regulatory Flexibility Act, NTIS has 
prepared the following IRFA to analyze the potential impact that this 
proposed rule, if adopted, would have on small entities.

Description of the Reasons Why Action Is Being Considered

    The policy reasons for issuing this proposed rule are discussed in 
the preamble of this document, and not repeated here.

Statement of the Objectives of, and Legal Basis for, the Proposed Rule; 
Identification of All Relevant Federal Rules Which May Duplicate, 
Overlap, or Conflict With the Proposed Rule

    The legal basis for this rule is Section 203 of the Bipartisan 
Budget Act of 2013, Pub. L. 113-67, codified at 42 USCA Sec.  1306c 
(the Act). The proposed rule is intended to implement the Act, which 
requires the Secretary of Commerce to create a program to certify that 
persons given access to information contained on the DMF with respect 
to any deceased individual at any time during the 3-calendar-year 
period following that individual's death satisfy the statutory 
requirements for accessing the Limited Access DMF. Accordingly, this 
rule creates a program for certifying persons eligible to access the 
Limited Access DMF. It requires that Certified Persons annually re-
certify as eligible to access the Limited Access DMF, and that they 
agree to be subject to scheduled and unscheduled audits. The rule also 
sets out the penalties for violating the Act's disclosure provisions, 
establishes a process to appeal penalties or revocations of

[[Page 78320]]

certification, and adopts a fee program for the certification program, 
audits, and appeals.
    When the proposed rule becomes final, it will replace the Interim 
Final Rule NTIS put in place to establish a Temporary Certification 
Program, in order to avoid the complete loss of access to the Limited 
Access DMF when the Act became effective. No other rules duplicate, 
overlap, or conflict with this proposed rule.

Number and Description of Small Entities Regulated by the Proposed 
Action

    The proposed rule will apply to all persons seeking to become 
certified to obtain the Limited Access DMF from NTIS. The entities 
affected by this rule could include banks and other financial 
institutions, pension plans, health research institutes or companies, 
state and local governments, information companies, and similar 
research services, and others not identified. NTIS therefore requests 
comments on the nature and types of affected entities.
    Many of the impacted entities likely are considered ``large'' 
entities under the applicable Small Business Administration (SBA) size 
standards. While NTIS anticipates that this rule will have an impact on 
various small entities, NTIS is unable at this time to estimate the 
number of impacted entities that may be considered small entities. 
Because NTIS cannot estimate the type, number, or other details about 
the small entities potentially impacted by this rule, it cannot make an 
estimate about the level of impact this rule will have on those 
entities. Nor can it estimate whether the rule's impacts will 
disproportionately impact small entities as opposed to large ones.
    Because NTIS lacks information about the types and sizes of 
entities impacted by this rule, it cannot determine the impacts. 
Accordingly, NTIS requests that the public provide it with information 
about the types of entities impacted by this rule, whether those are 
small or large entities under SBA's size standards, and the level of or 
a description of the type of impacts that this rule will have on those 
entities.

Description of the Projected Reporting, Recordkeeping, and Other 
Compliance Requirements of the Proposed Rule

    This proposed rule will require Persons seeking certification to 
access the Limited Access DMF to provide NTIS with information about 
the basis upon which they are seeking certification (i.e., legitimate 
fraud prevention or business purpose), using an updated version of the 
Limited Access Death Master File Subscriber Certification Form, Form 
NTIS FM161 (Certification Form), approved by the Office of Management 
and Budget (OMB) under Control Number 0692-0013. Specifically, the 
Certification Form will be updated to include collection of additional 
information that will improve NTIS's ability to determine whether a 
Person meets, to the satisfaction of NTIS, the requirements of Section 
203 of the Act. This additional information will also facilitate NTIS's 
ability to carry out audits, and Certified Persons agree to be subject 
to periodic scheduled and unscheduled audits of their systems and 
operations to ensure compliance with the Act's data integrity 
standards. Therefore, the proposed rule requires Certified Persons to 
maintain their records for these audits. Additionally, to maintain 
their status as Certified Persons, applicants must re-certify with NTIS 
on an annual basis.

Description of Any Significant Alternatives to the Proposed Rule That 
Accomplish the Stated Objectives of Applicable Statutes and That 
Minimize Any Significant Economic Impact of the Proposed Rule on Small 
Entities

    As required by 5 U.S.C. 603(c), NTIS considered significant 
alternatives to the proposed rule to minimize the impacts of the 
proposed rule on small entities. NTIS considered (1) a no-action 
alternative; (2) setting different auditing requirements for small 
entities; (3) relaxing the systems requirements for small entities; and 
(4) the preferred alternative of setting a fee schedule to enable NTIS 
to achieve full cost recovery, and requiring Certified Persons to 
maintain data in a manner similar to the requirements of section 
6103(p)(4) of the IRC.
    NTIS rejected the no-action alternative because the Act requires 
that any person seeking Limited Access DMF become certified to access 
such information according to a program established by the Secretary. 
The no-action alternative would establish no new program, and therefore 
is contrary to the Act.
    Similarly, NTIS did not further consider alternatives 2 and 3, 
which would have created exceptions to the auditing requirements of the 
proposed rule and the systems requirements for becoming certified. 
Exempting small entities from the auditing or systems requirements 
would potentially risk allowing the Limited Access DMF to be released 
to non-certified persons or the public at large, and thus would counter 
the benefits to security and anti-fraud efforts the rule will create.
    The fourth alternative complies with the Act, creates a program to 
certify persons eligible to access the Limited Access DMF, and 
safeguards that information from unauthorized disclosures. The audits 
required by the rule further strengthen the oversight NTIS has over the 
redistribution and use of the Limited Access DMF, and thereby help 
ensure the data's security. Because alternative 4 accomplishes the 
statutory goals set out in the Act, and would not create the potential 
for security or data integrity breaches, NTIS prefers it and has 
proposed a rule based on this alternative.

Paperwork Reduction Act

    With this proposed rule, NTIS is requesting approval of a new 
information collection that will contain two forms. One form, the 
``Limited Access Death Master File (LADMF) Systems Safeguards 
Attestation Form,'' is new. The new information collection will also 
revise the ``Limited Access Death Master File Subscriber Certification 
Form'' (Certification Form), which is currently approved under OMB 
Control No. 0692-0013. In the Certification Form NTIS has added a 
description of the type of information required for each fill-in box to 
ensure that the respondents' answers show that they meet the 
requirements of Section 203 of the Act. The revised Certification Form 
also collects the following information in addition to the information 
collected in the existing Certification Form:
    • URL (if applicable)--Collection of each respondent's URL 
is necessary for NTIS to perform due diligence. NTIS will use the 
information to ascertain that the organization seeking certification is 
a legitimate business performing the functions it claims to be 
performing.
    • NTIS Customer Number--Collection of each respondent's NTIS 
Customer Number will allow NTIS to readily identify existing customers, 
streamlining the certification process.
    • Dun and Bradstreet Number (if applicable)--Collection of 
each respondent's Dun and Bradstreet Number is necessary for NTIS to 
perform due diligence. NTIS will use the information to ascertain that 
the organization seeking certification is a legitimate business 
performing the functions it claims to be performing.
    • Authorized Contact Person--Collection of each respondent's 
authorized contact person will expedite the certification process by 
permitting NTIS to contact the identified contact person without first 
having to spend

[[Page 78321]]

time identifying the correct person during the certification process.
    • Authorized Contact Person's Phone Number and Email Address 
(if different than that collected for the organization)--Collection of 
this information is necessary to allow NTIS to contact the person if 
questions arise during review of the Certification Form.
    With these changes to the collection, and based also on its 
experience in administering the temporary certification program under 
the Interim Final Rule, NTIS expects the burden hours per respondent to 
increase from two hours to two and one-half hours, and the cost per 
respondent, in the form of a certification fee, to increase from $200 to 
$400. NTIS expects to receive approximately 550 Certification Forms, 
for a total burden of 2,200 hours and a total cost to the public of 
$220,000.
    The ``Limited Access Death Master File (LADMF) Systems Safeguards 
Attestation Form'' would require accredited certification bodies to 
attest that a party seeking to be certified to access Limited Access 
DMF has systems, facilities, and procedures in place as required under 
Sec.  1110.102(a)(ii) of this part. NTIS expects the additional burden 
hours for filling out this form to range from 2 hours to 200 hours, at 
a cost ranging from $270-$27,000. NTIS bases this estimated range on an 
average senior auditor rate of $135/hour, and assumes that the time 
required to fill out the form may or may not also include time required 
for an Accredited Certification Body to conduct a complete assessment 
under the proposed rule. Where a prior assessment has been conducted, 
for example, where a broader assessment has been conducted for other 
purposes, NTIS has assumed that the cost of the DMF-specific aspects 
may be small or even negligible. Conversely, where no prior assessment 
has been conducted within a three-year period preceding a Person's 
application for certification under the proposed rule, NTIS has assumed 
that the cost of a complete assessment will be greater, and will depend 
as well on the nature of an applicant's systems and its use of Limited 
Access DMF. NTIS has submitted this form to OMB for review and addition 
to the collection approved at control number 0692-0013.
    Comments are invited on: (a) Whether the proposed collection of 
information is necessary for the proper performance of the functions of 
NTIS/Commerce, including whether the information will have practical 
utility; (b) the accuracy of the estimate of the burden of the proposed 
information collection; (c) ways to enhance the quality, utility, and 
clarity of the information to be collected; and (d) ways to minimize 
the burden of the information collection on respondents, including the 
use of automated collection techniques or other forms of information 
technology. Comments regarding the collection of information associated 
with this rule, including suggestions for reducing the burden, should 
be sent to OMB Desk Officer, New Executive Office Building, Washington, 
DC 20503, Attention: Jasmeet Seehra, or by email to 
[email protected], or by fax to (202) 395-7285, and to NTIS 
as set forth under ADDRESSES, above.
    Notwithstanding any other provision of law, no person is required 
to comply with, and neither shall any person be subject to penalty for 
failure to comply with, a collection of information subject to the 
requirements of the Paperwork Reduction Act, unless that collection of 
information displays a currently valid OMB Control Number.

List of Subjects in 15 CFR Part 1110

    Certification program; Administrative appeal; Imposition of 
penalty; Fees.

    Dated: December 19, 2014.
Bruce Borzino,
Director.

    For reasons set forth in the preamble, the National Technical 
Information Service proposes to amend 15 CFR part 1110 as follows:

PART 1110--CERTIFICATION PROGRAM FOR ACCESS TO THE DEATH MASTER 
FILE

■
1. The authority for this part continues to read as follows:

    Authority:  Pub. L. 113-67, Sec. 203.

■
2. Amend Sec.  1110.2 by
■
a. Adding, in alphabetical order, the definition, ``Accredited 
Certification Body,'' and
■
b. Revising the definitions of ``Limited Access DMF'' and ``Person'' to 
read as follows:


Sec.  1110.2  Definitions used in this part.

* * * * *
    Accredited Certification Body. An independent third party 
conformity assessment body that is not owned, managed, or controlled by 
a Person or Certified Person which is the subject of attestation or 
audit, and that is accredited, by an accreditation body under 
nationally or internationally recognized criteria such as ISO/IEC 
27006-2011, ``Information technology--Security techniques--Requirements 
for bodies providing audit and certification of information security 
management systems,'' to attest that a Person or Certified Person has 
systems, facilities and procedures in place to safeguard DMF 
information.
* * * * *
    Limited Access DMF. The DMF product made available by NTIS which 
includes DMF with respect to any deceased individual at any time during 
the three-calendar-year period beginning on the date of the 
individual's death. As used in this part, Limited Access DMF does not 
include an individual element of information (name, social security 
number, date of birth, or date of death) in the possession of a Person, 
whether or not certified, but obtained by such Person through a source 
independent of the Limited Access DMF. If a Certified Person obtains, 
or a third party subsequently provides to a Certified Person, death 
information (i.e., the name, social security account number, date of 
birth, or date of death) independently, the information is not 
considered part of the Limited Access DMF if the NTIS source 
information is replaced with the newly provided information.
* * * * *
    Person. Includes corporations, companies, associations, firms, 
partnerships, societies, joint stock companies, and other private 
organizations, and state and local government departments and agencies, 
as well as individuals.
■
3. Revise the section heading of Sec.  1110.100 to read as follows:


Sec.  1110.100  Scope; term.

* * * * *
■
4. Revise Sec.  1110.101 to read as follows:


Sec.  1110.101  Submission of certification; attestation.

    (a) In order to become certified under the certification program 
established under this part, a Person must submit a completed 
certification statement and any required documentation, using the form 
NTIS FM161 with OMB Control Number 0692-0013, and its accompanying 
instructions at https://dmf.ntis.gov, together with the required fee.
    (b) In addition to the requirements under paragraph (a) of this 
section, in order to become certified, a Person must submit a written 
attestation from an Accredited Certification Body that such Person has 
systems, facilities, and procedures in place as required under Sec.  
1110.102(a)(2) of this part. Such attestation must be based on the 
Accredited Certification Body's review or assessment conducted no more 
than three years prior to the date of submission of the Person's 
completed

[[Page 78322]]

certification statement, but such review or assessment need not have 
been conducted specifically or solely for the purpose of submission 
under this part.
■
5. Amend Sec.  1110.102 by revising paragraphs (a)(3) and (a)(4)(iv) to 
read as follows:


Sec.  1110.102  Certification.

    (a) * * *
    (3) Such Person agrees to satisfy such similar requirements; and
    (4) * * *
    (iv) Use any such deceased individual's DMF for any purpose other 
than a legitimate fraud prevention interest or a legitimate business 
purpose pursuant to a law, governmental rule, regulation, or fiduciary 
duty.
* * * * *
■
6. In subpart B of Part 1110, add Sec. Sec.  1110.103, 1110.104, and 
1110.105 to read as follows:


Sec.  1110.103  Disclosure to a certified person.

    Disclosure by a Person certified under this part of Limited Access 
DMF to another Person certified under this part shall be deemed to 
satisfy the disclosing Person's obligation to ensure compliance with 
Sec.  1110.102(a)(4)(i)-(iii).


Sec.  1110.104  Revocation of certification.

    False certification as to any element of Sec.  1110.102(a) shall be 
grounds for revocation of certification, in addition to any other 
penalties at law. A Person properly certified who thereafter becomes 
aware that the Person no longer satisfies one or more elements of Sec.  
1110.102(a) of this part shall immediately inform NTIS thereof in 
writing.


Sec.  1110.105  Renewal of Certification.

    (a) A Certified Person may renew its certification status by 
submitting, on or before the date of expiration of the term of its 
certification, a completed certification statement in accordance with 
Sec.  1110.101, together with the required fee, indicating on the form 
NTIS FM161 that it is a renewal, and also indicating whether or not 
there has been any change in any basis previously relied upon for 
certification.
    (b) Except as may otherwise be required by NTIS, where a Certified 
Person seeking certification status renewal has, within a three-year 
period preceding submission under paragraph (a) of this section, 
previously submitted a written attestation under Sec.  1110.101(b), or 
has within such period been subject to a satisfactory audit under Sec.  
1110.201, such Certified Person shall so indicate on the form NTIS 
FM161, and shall not be required to submit a written attestation under 
Sec.  1110.101(b).
    (c) A Certified Person who submits a certification statement, 
attestation (if required) and fee pursuant to Sec.  1110.105(a) shall 
continue in Certified Person status pending notification of renewal or 
non-renewal from NTIS.
    (d) A Person who is a Certified Person before [EFFECTIVE DATE OF 
THIS RULE] shall be considered a Certified Person under this part, and 
shall continue in Certified Person status until the date which is one 
year from the date of acceptance of such Person's certification by NTIS 
under the Temporary Certification Program, provided that if such 
expiration date falls on a weekend or a federal holiday, the term of 
certification shall be considered to extend to the next business day.
■
7. Revise Sec.  1110.200 to read as follows:


Sec.  1110.200  Imposition of penalty.

    (a) General. (1) Any Person certified under this part who receives 
DMF information, including information about any deceased individual at 
any time during the three-calendar-year period beginning on the date of 
the individual's death, and who during such three-calendar-year period:
    (i) Discloses such deceased individual's DMF information to any 
person other than a person who meets the requirements of Sec.  
1110.102(a)(1) through (3);
    (ii) Discloses such deceased individual's DMF information to any 
person who uses the information for any purpose other than a legitimate 
fraud prevention interest or a legitimate business purpose pursuant to 
a law, governmental rule, regulation, or fiduciary duty;
    (iii) Discloses such deceased individual's DMF information to any 
person who further discloses the information to any person other than a 
person who meets the requirements of Sec.  1110.102(a)(1) through (3); 
or
    (iv) Uses any such deceased individual's DMF information for any 
purpose other than a legitimate fraud prevention interest or a 
legitimate business purpose pursuant to a law, governmental rule, 
regulation, or fiduciary duty; and
    (2) Any Person to whom such information is disclosed, whether or 
not such Person is certified under this part, who further discloses or 
uses such information as described in paragraphs (a)(1)(i) through (iv) 
of this section, shall pay to the General Fund of the United States 
Department of the Treasury a penalty of $1,000 for each such disclosure 
or use, and, if such Person is certified, shall be subject to having 
such Person's certification revoked.
    (b) Limitation on penalty. The total amount of the penalty imposed 
under this part on any Person for any calendar year shall not exceed 
$250,000, unless such Person's disclosure or use is determined to be 
willful or intentional. For the purposes of this part, a disclosure or 
use is willful when it is a ``voluntary, intentional violation of a 
known legal duty.''
    (c) Disclosure to a Certified Person. No penalty shall be imposed 
under paragraphs (a)(i) through (iii) of this section on a first 
Certified Person who discloses, to a second Certified Person, DMF 
information of any deceased individual at any time during the three-
calendar-year period beginning on the date of the individual's death, 
where the sole basis for imposition of penalty on such first Certified 
Person is that such second Certified Person has been determined to be 
subject to penalty under this part.
8. Revise Sec.  1110.201 to read as follows:


Sec.  1110.201  Audits.

    Any Person certified under this part shall, as a condition of 
certification, agree to be subject to audit by NTIS, or, at the request 
of NTIS, by an Accredited Certification Body, to determine the 
compliance by such Person with the requirements of this part. NTIS may 
conduct, or request that an Accredited Certification Body conduct, 
periodic scheduled and unscheduled audits of the systems, facilities, 
and procedures of any Certified Person relating to such Certified 
Person's access to, and use and distribution of, the Limited Access 
DMF. NTIS may conduct, or request that an Accredited Certification Body 
conduct, field audits (during regular business hours) or desk audits of 
a Certified Person. Failure of a Certified Person to submit to or 
cooperate fully with NTIS, or with an Accredited Certification Body 
acting pursuant to this section, in its conduct of an audit, or to pay 
an audit fee to NTIS, will be grounds for revocation of certification.
9. Redesignate subpart D to part 1110 as subpart E, add a new subpart 
D, and revise the newly redesignated subpart E to read as follows:

Subpart D--Administrative Appeal


Sec.  1110.300  Appeal.

    (a) General. Any Person adversely affected or aggrieved by reason 
of NTIS denying or revoking such Person's certification under this 
part, or imposing upon such Person under this part a penalty, may 
obtain review by filing, within 30 days (or such longer period as the 
Director of NTIS may, for good cause shown in writing, fix in any 
case) after receiving notice of such denial, revocation or imposition, 
an administrative appeal to the Director of NTIS.
    (b) Form of Appeal. An appeal shall be submitted in writing to 
Director, National Technical Information Service, 5301 Shawnee Road, 
Alexandria, VA 22312, ATTENTION DMF APPEAL, and shall include the 
following:
    (1) The name, street address, email address and telephone number of 
the Person seeking review;
    (2) A copy of the notice of denial or revocation of certification, 
or the imposition of penalty, from which appeal is taken;
    (3) A statement of arguments, together with any supporting facts or 
information, concerning the basis upon which the denial or revocation 
of certification, or the imposition of penalty, should be reversed;
    (4) A request for hearing of oral argument before the Director, if 
desired.
    (c) Power of Attorney. A Person may, but need not, retain an 
attorney to represent such Person in an appeal. A Person shall 
designate any such attorney by submitting to the Director of NTIS a 
written power of attorney.
    (d) Hearing. If requested in the appeal, a date will be set for 
hearing of oral argument before a representative of the Director of 
NTIS, by the Person or the Person's designated attorney, and a 
representative of NTIS familiar with the notice from which appeal has 
been taken. Unless it shall be otherwise ordered before the hearing 
begins, oral argument will be limited to thirty minutes for each side. 
A Person need not retain an attorney or request an oral hearing to 
secure full consideration of the facts and the Person's arguments.
    (e) Decision. After a hearing on the appeal, if a hearing was 
requested, the Director of NTIS shall issue a decision on the matter 
within 120 days, or, if no hearing was requested, within 90 days of 
receiving the appeal. The decision of the Director of NTIS shall be 
made after consideration of the arguments and statements of fact and 
information in the Person's appeal, and the hearing of oral argument if 
a hearing was requested, but the Director of NTIS at his or her 
discretion and with due respect for the rights and convenience of the 
Person and the agency, may call for further statements on specific 
questions of fact or may request additional evidence in the form of 
affidavits on specific facts in dispute. After the original decision is 
issued, an appellant shall have 30 days (or a date as may be set by the 
Director of NTIS before the original period expires) from the date of 
the decision to request a reconsideration of the matter. The Director's 
decision becomes final 30 days after being issued, if no request for 
reconsideration is filed, or on the date of final disposition of a 
decision on a petition for reconsideration.

Subpart E--Fees


Sec.  1110.400  Fees.

    Fees sufficient to cover (but not to exceed) all costs to NTIS 
associated with evaluating Certification Forms and auditing, 
inspecting, and monitoring certified persons under the certification 
program established under this part, as well as appeals, will be 
published (as periodically reevaluated and updated by NTIS) and 
available at https://dmf.ntis.gov. NTIS will not set fees for 
attestations or audits by an Accredited Certification Body.
10. Add subpart F to read as follows:

Subpart F--Accredited Certification Bodies

Sec.
1110.500 Accredited certification bodies.
1110.501 Requirement for independence.
1110.502 Attestation by accredited certification body.
1110.503 Acceptance of accredited certification bodies.


Sec.  1110.500  Accredited certification bodies.

    This subpart describes Accredited Certification Bodies and their 
accreditation for third party attestation and auditing of the 
information safeguarding requirement for certification of Persons under 
this part. NTIS will accept an attestation or audit of a Person or 
Certified Person from an Accredited Certification Body that is 
independent of that Person or Certified Person and that is itself 
accredited by a recognized accreditation body.


Sec.  1110.501  Requirement for independence.

    (a) An Accredited Certification Body must be an independent third 
party certification body that is not owned, managed, or controlled by a 
Person or Certified Person that is the subject of attestation or audit 
by the Accredited Certification Body.
    (1) A Person or Certified Person is considered to own, manage, or 
control a third party certification body if any one of the following 
characteristics applies:
    (i) The Person or Certified Person holds a 10 percent or greater 
ownership interest, whether direct or indirect, in the third party 
certification body. Indirect ownership interest is calculated by 
successive multiplication of the ownership percentages for each link in 
the ownership chain;
    (ii) The third party certification body and the Person or Certified 
Person are owned by a common ``parent'' entity;
    (iii) The Person or Certified Person has the ability to appoint a 
majority of the third party certification body's senior internal 
governing body (such as, but not limited to, a board of directors), the 
ability to appoint the presiding official (such as, but not limited to, 
the chair or president) of the third party certification body's senior 
internal governing body, and/or the ability to hire, dismiss, or set 
the compensation level for third party certification body personnel; or
    (iv) The third party certification body is under a contract to the 
Person or Certified Person that explicitly limits the services the 
third party certification body may perform for other customers and/or 
explicitly limits which or how many other entities may also be 
customers of the third party certification body.


Sec.  1110.502  Attestation by accredited certification body.

    (a) In any attestation or audit of a Person or Certified Person 
that will be submitted to NTIS under this part, an Accredited 
Certification Body must attest that it is independent of that Person or 
Certified Person. The Accredited Certification Body also must attest 
that it has read, understood, and agrees to the regulations in this 
part. The Accredited Certification Body must also attest that it is 
accredited to a nationally or internationally recognized standard such 
as the ISO/IEC Standard 27006-2011 ``Information technology--Security 
techniques--Requirements for bodies providing audit and certification 
of information security management systems,'' or any other similar 
recognized standard for bodies providing audit and certification of 
information security management systems. The Accredited Certification 
Body must also attest that the scope of its accreditation encompasses 
the safeguarding and security requirements as set forth in this part.
    (b) Where a Person seeks certification, or where a Certified Person 
seeks renewal of certification or is audited under this part, an 
Accredited Certification Body may provide written attestation that such 
Person or Certified Person has systems, facilities, and procedures in 
place as required under Sec.  1110.102(a)(2). In so attesting, an 
Accredited Certification Body may reference ``Limited Access Death 
Master File (LADMF) Certification Program Publication 100,'' guidelines 
published by NTIS and available at https://dmf.ntis.gov. Such 
attestation must be based on the Accredited 
Certification Body's review or assessment conducted no more than three 
years prior to the date of submission of the Person's or Certified 
Person's completed certification statement, and, if an audit of a 
Certified Person by an Accredited Certification Body is required by 
NTIS, no more than three years prior to the date upon which NTIS 
notifies the Certified Person of NTIS's requirement for audit, but such 
review or assessment or audit need not have been conducted specifically 
or solely for the purpose of submission under this part.
    (c) Where review or assessment or audit by an Accredited 
Certification Body was not conducted specifically or solely for the 
purpose of submission under this part, the written attestation or 
assessment report (if an audit) shall describe the nature of that 
review or assessment or audit, and the Accredited Certification Body 
shall attest that on the basis of such review or assessment or audit, 
the Person or Certified Person has systems, facilities, and procedures 
in place as required under Sec.  1110.102(a)(2). In so attesting, an 
Accredited Certification Body may reference ``Limited Access Death 
Master File (LADMF) Certification Program Publication 100,'' guidelines 
published by NTIS and available at https://dmf.ntis.gov.
    (d) Notwithstanding paragraphs (a) through (c) of this section, 
NTIS may, in its sole discretion, require that review or assessment or 
audit by an Accredited Certification Body be conducted specifically or 
solely for the purpose of submission under this part.


Sec.  1110.503  Acceptance of accredited certification bodies.

    (a) NTIS will accept written attestations and assessment reports 
from an Accredited Certification Body that attests, to the satisfaction 
of NTIS, as provided in Sec.  1110.502.
    (b) NTIS may decline to accept written attestations or assessment 
reports from an Accredited Certification Body, whether or not it has 
attested as provided in Sec.  1110.502, for any of the following 
reasons:
    (1) When it is in the public interest under Section 203 of the 
Bipartisan Budget Act of 2013, and notwithstanding any other provision 
of this part;
    (2) Submission of false or misleading information concerning a 
material fact(s) in an Accredited Certification Body's attestation 
under Sec.  1110.502;
    (3) Knowing submission of false or misleading information 
concerning a material fact(s) in an attestation or assessment report by 
an Accredited Certification Body of a Person or Certified Person;
    (4) Failure of an Accredited Certification Body to cooperate in 
response to a request from NTIS to verify the accuracy, veracity, and/or 
completeness of information received in connection with an attestation 
under Sec.  1110.502 or an attestation or assessment report by that 
Body of a Person or Certified Person. An Accredited Certification Body 
``fails to cooperate'' when it does not respond to NTIS inquiries or 
requests, or it responds in a manner that is unresponsive, evasive, 
deceptive, or substantially incomplete; or
    (5) Where NTIS is unable for any reason to verify the accuracy of 
the Accredited Certification Body's attestation.

[FR Doc. 2014-30199 Filed 12-29-14; 8:45 am]
BILLING CODE 3510-04-P