[Federal Register Volume 82, Number 125 (Friday, June 30, 2017)]
[Notices]
[Pages 29843-29844]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-13778]



[[Page 29843]]

-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE


Submission for OMB Review; Comment Request

    Under 44 U.S.C. 3506(e) and 13 U.S.C. Section 9, the U.S. Census 
Bureau is seeking comments on revisions to the confidentiality pledge 
it provides to its respondents under Title 13, United States Code, 
Section 9. These revisions are required by the passage and 
implementation of provisions of the Federal Cybersecurity Enhancement 
Act of 2015 (6 U.S.C. 1501 note), which require the Secretary of 
Homeland Security to provide Federal civilian agencies' information 
technology systems with cybersecurity protection for their Internet 
traffic. More details on this announcement are presented in the 
SUPPLEMENTARY INFORMATION section below. The previous notice for public 
comment, titled ``Agency Information Collection Activities; Request for 
Comments; Revision of the Confidentiality Pledge under Title 13 United 
States Code, Section 9'' was published in the Federal Register on 
December 23, 2016 (Vol. 81, No. 247, pp. 94321-94324), allowing for a 
60 day comment period. The Census Bureau received two comments, which 
are addressed within this notice.

SUPPLEMENTARY INFORMATION: 

I. Background

    On December 18, 2015, Congress passed the Federal Cybersecurity 
Enhancement Act of 2015 (the Act) (6 U.S.C. 1501 note). The Act 
requires the Department of Homeland Security to deploy for use by other 
agencies a program with the ``capability to detect cybersecurity risks 
in network traffic transiting or traveling to or from an agency 
information system.'' \1\ The Act requires each agency to ``apply and 
continue to utilize the capabilities to all information traveling 
between an agency information system and any information system other 
than an agency information system.'' \2\ The DHS program is known as 
EINSTEIN, and DHS currently operates version 3A (E3A). Importantly, the 
Act provides that DHS may use the information collected through 
EINSTEIN ``only to protect information and information systems from 
cybersecurity risks.'' \3\ The Act does not authorize DHS to use 
information collected through EINSTEIN for any other purposes, 
including law enforcement purposes.
---------------------------------------------------------------------------

    \1\ Sec. 230(b)(1)(A) of the Homeland Security Act of 2002 (6 
U.S.C. 151(b)(1)(A)), as added by section 223((a)(6) of the Federal 
Cybersecurity Enhancement Act of 2015.
    \2\ Section 223 (b)(1)(A) (6 U.S.C. 151 note) of the Federal 
Cybersecurity Enhancement Act of 2015.
    \3\ Section 230(c)(3) of the Homeland Security Act of 2002 (6 
U.S.C. 151(c)(3)), as added by section 223(a)(6) of the Federal 
Cybersecurity Enhancement Act of 2015.
---------------------------------------------------------------------------

    In response to the passage of the Act, the Census Bureau considered 
whether it should revise its confidentially pledge. The Census Bureau's 
Center for Survey Measurement (CSM) joined the interagency Statistical 
Community of Practice and Engagement (SCOPE) Confidentiality Pledge 
Revision Subcommittee, which developed and evaluated the revision to 
the confidentiality pledge language. SCOPE and CSM conducted remote and 
in-person cognitive testing of the potential revised confidentiality 
pledge. The Census Bureau based its revised confidentiality pledge on 
the results of these tests. The revised confidentiality pledge utilizes 
the language the Census Bureau determined would best communicate the 
essential information to respondents while not negatively affecting 
response rates. The following is the revised statistical 
confidentiality pledge for the Census Bureau's data collections:
    The U.S. Census Bureau is required by law to protect your 
information. The Census Bureau is not permitted to publicly release 
your responses in a way that could identify you. Per the Federal 
Cybersecurity Enhancement Act of 2015, your data are protected from 
cybersecurity risks through screening of the systems that transmit your 
data.
    On December 23, 2016, the Census Bureau requested comments on the 
revised confidentiality pledge. During the public comment period, the 
Census Bureau received two comments from the Asian Americans Advancing 
Justice (AAJC) and American-Arab Anti-Discrimination Committee (ADC).

II. Comments and Responses

    In response to the Census Bureau's revised confidentiality pledge, 
AAJC and the ADC provided comments and suggestions to the Census 
Bureau. These comments and suggestions, along with the Census Bureau's 
responses are below.
    1. The AAJC and the ADC both expressed concerns about the effect of 
the revised confidentiality pledge on the accuracy of the results of 
the Census Bureau's survey.
    Response: The Census Bureau is committed to collecting the most 
complete and accurate data. The Census Bureau takes the collection and 
protection of respondent information very seriously and has since the 
first Decennial Census in 1790. As a statistical agency committed to 
ensuring the collection and publication of accurate data, the Census 
Bureau continually conducts extensive research and testing to inform 
census and survey design. This research and testing confirms key 
technologies, outreach and promotional strategies, data collection 
methods, and management and response processes to allow the Census 
Bureau to maximize response rates and ensure the accuracy of the data 
collected. We also uphold a strong data stewardship culture to ensure 
that any decisions we make will fulfill our legal and ethical 
obligations to respect your privacy and protect the confidentiality of 
your information. The revised confidentiality pledge utilizes language 
that the Census Bureau determined, after cognitive testing, would not 
negatively affect response rates, and hence the accuracy of the survey 
results.
    2. The ``ADC has serious concerns on the ability of [DHS] to . . . 
access . . . people's personal information on the server.''
    Response: E3A does not provide DHS with access to a respondent's 
personal information. E3A does not currently decrypt respondent 
information or scan data at rest on Census Bureau information systems. 
Moreover, the Act limits the use of any information collected, stating 
that the DHS may use information obtained through activities authorized 
under this section ``only to protect information and information 
systems from cybersecurity risks.'' (6 U.S.C. 151(c)(3)).
    EINSTEIN also provides greater protection for the Census Bureau's 
information and information systems than would otherwise exist. 
EINSTEIN enables DHS to detect cyber threat indicators traveling or 
transiting to or from one agency's information system, and to share 
those indicators with other agencies, thereby making all agencies' 
information systems more secure. The necessity of providing DHS limited 
access to such information--information which DHS can only use for 
cybersecurity purposes--is not only required by the Federal 
Cybersecurity Enhancement Act, but has a net positive impact of the 
security of information respondents provide to the Census Bureau.
    3. The ADC is concerned that ``there is a lack of safeguards in 
place on who has access to information through EINSTEIN.''
    Response: In addition to the safeguards contained in the Act, the 
Census Bureau works with DHS to protect information DHS may access 
through EINSTEIN. These additional safeguards cover the collection, 
retention, use, and disclosure of information. The safeguards also

[[Page 29844]]

include notification and reporting requirements in the unlikely event 
that any unauthorized access, use, or dissemination of any Census 
Bureau information would occur.
    To reiterate, the information at issue is not a respondent's 
personal information, rather, it is cyber threat information. E3A does 
not provide DHS with access to a respondent's personal information. E3A 
does not currently decrypt respondent information or scan data at rest 
on Census Bureau information systems.
    4. The ADC is concerned that the revised confidentiality pledge 
``raises flags on improper use of such information.''
    Response: The Act limits DHS's use of information collected 
pursuant to the Act to the protection of ``information and information 
systems from cybersecurity risks.'' To be clear, DHS's use of the 
information for any other purpose would be unlawful.
    5. The AAJC suggests that the protections contained in Title 13 and 
the Confidential Information Protection and Statistical Efficiency Act 
(CIPSEA), both of which limit the use and disclosure of information 
collected, should control the information at issue.
    Response: Pursuant to the Act, each agency must ``apply and 
continue to utilize the capabilities to all information traveling 
between an agency information system and any information system other 
than an agency information system.'' Congress authorized that, 
notwithstanding the protections previously afforded to information by 
other laws, such as Title 13, for the purpose of protecting agency 
information systems from cyber attacks, DHS may access information 
transiting and traveling to or from an agency information system. 
Census Bureau employees remain subject to the penalties contained in 
Title 13, including a federal prison sentence of up to five years and a 
fine of up to $250,000, or both.
    6. The AAJC suggests that either the Census Bureau employees 
``perform Einstein 3A functions for Census Bureau internet traffic'' or 
that ``DHS employees monitoring Census Bureau internet traffic under 
Einstein 3A take the current Title 13 confidentiality pledge.''
    Response: The Act provides DHS access to network traffic transiting 
or traveling to or from the Census Bureau's information systems, 
notwithstanding the protections previously afforded to information by 
other laws, such as Title 13. The Act also requires each agency to 
``apply and continue to utilize the capabilities to all information 
traveling between an agency information system and any information 
system other than an agency information system.''
    In addition to the safeguards contained in the Act, the Census 
Bureau works with DHS to safeguard respondent information. These 
additional safeguards cover the collection, retention, use, and 
disclosure of information. The safeguards also include notification and 
reporting requirements that would apply in the unlikely event that any 
unauthorized access, use, or dissemination of any Census Bureau 
information would occur.

III. Data

    Agency: U.S. Census Bureau, Department of Commerce.
    Title: Revision of the Confidentiality Pledge under Title 13 United 
States Code, Section 9.
    OMB Control Number: 0607-0993.
    Form Number(s): None.
    Affected Public: All survey respondents to Census Bureau data 
collections.
    Legal Authority: 44 U.S.C. 3506(e) and 13 U.S.C. Section 9.
    This information collection request may be viewed at 
www.reginfo.gov. Follow the instructions to view Department of Commerce 
collections currently under review by OMB.

IV. Request for Comments

    Comments are invited on the necessity and efficacy of the Census 
Bureau's revised confidentiality pledge above. Comments submitted in 
response to this notice will become a matter of public record. Comments 
should be sent within 30 days of publication of this notice to 
[email protected] or fax to (202)395-5806.

    Dated: June 27, 2017.
Sarah Brabson,
NOAA PRA Clearance Officer on behalf of the Department of Commerce.
[FR Doc. 2017-13778 Filed 6-29-17; 8:45 am]
 BILLING CODE 3510-07-P