[Federal Register Volume 82, Number 125 (Friday, June 30, 2017)]
[Notices]
[Pages 29843-29844]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-13778]
[[Page 29843]]
-----------------------------------------------------------------------
DEPARTMENT OF COMMERCE
Submission for OMB Review; Comment Request
Under 44 U.S.C. 3506(e) and 13 U.S.C. Section 9, the U.S. Census
Bureau is seeking comments on revisions to the confidentiality pledge
it provides to its respondents under Title 13, United States Code,
Section 9. These revisions are required by the passage and
implementation of provisions of the Federal Cybersecurity Enhancement
Act of 2015 (6 U.S.C. 1501 note), which require the Secretary of
Homeland Security to provide Federal civilian agencies' information
technology systems with cybersecurity protection for their Internet
traffic. More details on this announcement are presented in the
SUPPLEMENTARY INFORMATION section below. The previous notice for public
comment, titled ``Agency Information Collection Activities; Request for
Comments; Revision of the Confidentiality Pledge under Title 13 United
States Code, Section 9'' was published in the Federal Register on
December 23, 2016 (Vol. 81, No. 247, pp. 94321-94324), allowing for a
60-day comment period. The Census Bureau received two comments, which
are addressed within this notice.
SUPPLEMENTARY INFORMATION:
I. Background
On December 18, 2015, Congress passed the Federal Cybersecurity
Enhancement Act of 2015 (the Act) (6 U.S.C. 1501 note). The Act
requires the Department of Homeland Security to deploy for use by other
agencies a program with the ``capability to detect cybersecurity risks
in network traffic transiting or traveling to or from an agency
information system.'' \1\ The Act requires each agency to ``apply and
continue to utilize the capabilities to all information traveling
between an agency information system and any information system other
than an agency information system.'' \2\ The DHS program is known as
EINSTEIN, and DHS currently operates version 3A (E3A). Importantly, the
Act provides that DHS may use the information collected through
EINSTEIN ``only to protect information and information systems from
cybersecurity risks.'' \3\ The Act does not authorize DHS to use
information collected through EINSTEIN for any other purposes,
including law enforcement purposes.
---------------------------------------------------------------------------
\1\ Sec. 230(b)(1)(A) of the Homeland Security Act of 2002 (6
U.S.C. 151(b)(1)(A)), as added by section 223(a)(6) of the Federal
Cybersecurity Enhancement Act of 2015.
\2\ Section 223 (b)(1)(A) (6 U.S.C. 151 note) of the Federal
Cybersecurity Enhancement Act of 2015.
\3\ Section 230(c)(3) of the Homeland Security Act of 2002 (6
U.S.C. 151(c)(3)), as added by section 223(a)(6) of the Federal
Cybersecurity Enhancement Act of 2015.
---------------------------------------------------------------------------
In response to the passage of the Act, the Census Bureau considered
whether it should revise its confidentiality pledge. The Census Bureau's
Center for Survey Measurement (CSM) joined the interagency Statistical
Community of Practice and Engagement (SCOPE) Confidentiality Pledge
Revision Subcommittee, which developed and evaluated the revision to
the confidentiality pledge language. SCOPE and CSM conducted remote and
in-person cognitive testing of the potential revised confidentiality
pledge. The Census Bureau based its revised confidentiality pledge on
the results of these tests. The revised confidentiality pledge utilizes
the language the Census Bureau determined would best communicate the
essential information to respondents while not negatively affecting
response rates. The following is the revised statistical
confidentiality pledge for the Census Bureau's data collections:
The U.S. Census Bureau is required by law to protect your
information. The Census Bureau is not permitted to publicly release
your responses in a way that could identify you. Per the Federal
Cybersecurity Enhancement Act of 2015, your data are protected from
cybersecurity risks through screening of the systems that transmit your
data.
On December 23, 2016, the Census Bureau requested comments on the
revised confidentiality pledge. During the public comment period, the
Census Bureau received two comments from the Asian Americans Advancing
Justice (AAJC) and American-Arab Anti-Discrimination Committee (ADC).
II. Comments and Responses
In response to the Census Bureau's revised confidentiality pledge,
AAJC and the ADC provided comments and suggestions to the Census
Bureau. These comments and suggestions, along with the Census Bureau's
responses, are below.
1. The AAJC and the ADC both expressed concerns about the effect of
the revised confidentiality pledge on the accuracy of the results of
the Census Bureau's survey.
Response: The Census Bureau is committed to collecting the most
complete and accurate data. The Census Bureau takes the collection and
protection of respondent information very seriously and has since the
first Decennial Census in 1790. As a statistical agency committed to
ensuring the collection and publication of accurate data, the Census
Bureau continually conducts extensive research and testing to inform
census and survey design. This research and testing confirms key
technologies, outreach and promotional strategies, data collection
methods, and management and response processes to allow the Census
Bureau to maximize response rates and ensure the accuracy of the data
collected. We also uphold a strong data stewardship culture to ensure
that any decisions we make will fulfill our legal and ethical
obligations to respect your privacy and protect the confidentiality of
your information. The revised confidentiality pledge utilizes language
that the Census Bureau determined, after cognitive testing, would not
negatively affect response rates, and hence the accuracy of the survey
results.
2. The ``ADC has serious concerns on the ability of [DHS] to . . .
access . . . people's personal information on the server.''
Response: E3A does not provide DHS with access to a respondent's
personal information. E3A does not currently decrypt respondent
information or scan data at rest on Census Bureau information systems.
Moreover, the Act limits the use of any information collected, stating
that the DHS may use information obtained through activities authorized
under this section ``only to protect information and information
systems from cybersecurity risks.'' (6 U.S.C. 151(c)(3)).
EINSTEIN also provides greater protection for the Census Bureau's
information and information systems than would otherwise exist.
EINSTEIN enables DHS to detect cyber threat indicators traveling or
transiting to or from one agency's information system, and to share
those indicators with other agencies, thereby making all agencies'
information systems more secure. The necessity of providing DHS limited
access to such information--information which DHS can only use for
cybersecurity purposes--is not only required by the Federal
Cybersecurity Enhancement Act, but has a net positive impact on the
security of information respondents provide to the Census Bureau.
3. The ADC is concerned that ``there is a lack of safeguards in
place on who has access to information through EINSTEIN.''
Response: In addition to the safeguards contained in the Act, the
Census Bureau works with DHS to protect information DHS may access
through EINSTEIN. These additional safeguards cover the collection,
retention, use, and disclosure of information. The safeguards also
include notification and reporting requirements in the unlikely event
that any unauthorized access, use, or dissemination of any Census
Bureau information would occur.
To reiterate, the information at issue is not a respondent's
personal information; rather, it is cyber threat information. E3A does
not provide DHS with access to a respondent's personal information. E3A
does not currently decrypt respondent information or scan data at rest
on Census Bureau information systems.
4. The ADC is concerned that the revised confidentiality pledge
``raises flags on improper use of such information.''
Response: The Act limits DHS's use of information collected
pursuant to the Act to the protection of ``information and information
systems from cybersecurity risks.'' To be clear, DHS's use of the
information for any other purpose would be unlawful.
5. The AAJC suggests that the protections contained in Title 13 and
the Confidential Information Protection and Statistical Efficiency Act
(CIPSEA), both of which limit the use and disclosure of information
collected, should control the information at issue.
Response: Pursuant to the Act, each agency must ``apply and
continue to utilize the capabilities to all information traveling
between an agency information system and any information system other
than an agency information system.'' Congress authorized that,
notwithstanding the protections previously afforded to information by
other laws, such as Title 13, for the purpose of protecting agency
information systems from cyber attacks, DHS may access information
transiting and traveling to or from an agency information system.
Census Bureau employees remain subject to the penalties contained in
Title 13, including a federal prison sentence of up to five years and a
fine of up to $250,000, or both.
6. The AAJC suggests that either the Census Bureau employees
``perform Einstein 3A functions for Census Bureau internet traffic'' or
that ``DHS employees monitoring Census Bureau internet traffic under
Einstein 3A take the current Title 13 confidentiality pledge.''
Response: The Act provides DHS access to network traffic transiting
or traveling to or from the Census Bureau's information systems,
notwithstanding the protections previously afforded to information by
other laws, such as Title 13. The Act also requires each agency to
``apply and continue to utilize the capabilities to all information
traveling between an agency information system and any information
system other than an agency information system.''
In addition to the safeguards contained in the Act, the Census
Bureau works with DHS to safeguard respondent information. These
additional safeguards cover the collection, retention, use, and
disclosure of information. The safeguards also include notification and
reporting requirements that would apply in the unlikely event that any
unauthorized access, use, or dissemination of any Census Bureau
information would occur.
III. Data
Agency: U.S. Census Bureau, Department of Commerce.
Title: Revision of the Confidentiality Pledge under Title 13 United
States Code, Section 9.
OMB Control Number: 0607-0993.
Form Number(s): None.
Affected Public: All survey respondents to Census Bureau data
collections.
Legal Authority: 44 U.S.C. 3506(e) and 13 U.S.C. Section 9.
This information collection request may be viewed at
www.reginfo.gov. Follow the instructions to view Department of Commerce
collections currently under review by OMB.
IV. Request for Comments
Comments are invited on the necessity and efficacy of the Census
Bureau's revised confidentiality pledge above. Comments submitted in
response to this notice will become a matter of public record. Comments
should be sent within 30 days of publication of this notice to
[email protected] or fax to (202)395-5806.
Dated: June 27, 2017.
Sarah Brabson,
NOAA PRA Clearance Officer on behalf of the Department of Commerce.
[FR Doc. 2017-13778 Filed 6-29-17; 8:45 am]
BILLING CODE 3510-07-P