Under 44 U.S.C. 3506(e) and 13 U.S.C. Section 9, the U.S. Census Bureau is seeking comments on revisions to the confidentiality pledge it provides to its respondents under Title 13, United States Code, Section 9. These revisions are required by the passage and implementation of provisions of the Federal Cybersecurity Enhancement Act of 2015 (6 U.S.C. 1501 note), which require the Secretary of Homeland Security to provide Federal civilian agencies' information technology systems with cybersecurity protection for their Internet traffic. More details on this announcement are presented in the SUPPLEMENTARY INFORMATION section below. The previous notice for public comment, titled “Agency Information Collection Activities; Request for Comments; Revision of the Confidentiality Pledge under Title 13 United States Code, Section 9” was published in the Federal Register on December 23, 2016 (Vol. 81, No. 247, pp. 94321-94324), allowing for a 60 day comment period. The Census Bureau received two comments, which are addressed within this notice.

SUPPLEMENTARY INFORMATION:

I. Background

On December 18, 2015, Congress passed the Federal Cybersecurity Enhancement Act of 2015 (the Act) (6 U.S.C. 1501 note). The Act requires the Department of Homeland Security to deploy for use by other agencies a program with the “capability to detect cybersecurity risks in network traffic transiting or traveling to or from an agency information system.” ^[1] The Act requires each agency to “apply and continue to utilize the capabilities to all information traveling between an agency information system and any information system other than an agency information system.” ^[2] The DHS program is known as EINSTEIN, and DHS currently operates version 3A (E3A). Importantly, the Act provides that DHS may use the information collected through EINSTEIN “only to protect information and information systems from cybersecurity risks.” ^[3] The Act does not authorize DHS to use information collected through EINSTEIN for any other purposes, including law enforcement purposes.

In response to the passage of the Act, the Census Bureau considered whether it should revise its confidentially pledge. The Census Bureau's Center for Survey Measurement (CSM) joined the interagency Statistical Community of Practice and Engagement (SCOPE) Confidentiality Pledge Revision Subcommittee, which developed and evaluated the revision to the confidentiality pledge language. SCOPE and CSM conducted remote and in-person cognitive testing of the potential revised confidentiality pledge. The Census Bureau based its revised confidentiality pledge on the results of these tests. The revised confidentiality pledge utilizes the language the Census Bureau determined would best communicate the essential information to respondents while not negatively affecting response rates. The following is the revised statistical confidentiality pledge for the Census Bureau's data collections:

The U.S. Census Bureau is required by law to protect your information. The Census Bureau is not permitted to publicly release your responses in a way that could identify you. Per the Federal Cybersecurity Enhancement Act of 2015, your data are protected from cybersecurity risks through screening of the systems that transmit your data.

On December 23, 2016, the Census Bureau requested comments on the revised confidentiality pledge. During the public comment period, the Census Bureau received two comments from the Asian Americans Advancing Justice (AAJC) and American-Arab Anti-Discrimination Committee (ADC).

II. Comments and Responses

In response to the Census Bureau's revised confidentiality pledge, AAJC and the ADC provided comments and suggestions to the Census Bureau. These comments and suggestions, along with the Census Bureau's responses are below.

1. The AAJC and the ADC both expressed concerns about the effect of the revised confidentiality pledge on the accuracy of the results of the Census Bureau's survey.

Response: The Census Bureau is committed to collecting the most complete and accurate data. The Census Bureau takes the collection and protection of respondent information very seriously and has since the first Decennial Census in 1790. As a statistical agency committed to ensuring the collection and publication of accurate data, the Census Bureau continually conducts extensive research and testing to inform census and survey design. This research and testing confirms key technologies, outreach and promotional strategies, data collection methods, and management and response processes to allow the Census Bureau to maximize response rates and ensure the accuracy of the data collected. We also uphold a strong data stewardship culture to ensure that any decisions we make will fulfill our legal and ethical obligations to respect your privacy and protect the confidentiality of your information. The revised confidentiality pledge utilizes language that the Census Bureau determined, after cognitive testing, would not negatively affect response rates, and hence the accuracy of the survey results.

2. The “ADC has serious concerns on the ability of [DHS] to . . . access . . . people's personal information on the server.”

Response: E3A does not provide DHS with access to a respondent's personal information. E3A does not currently decrypt respondent information or scan data at rest on Census Bureau information systems. Moreover, the Act limits the use of any information collected, stating that the DHS may use information obtained through activities authorized under this section “only to protect information and information systems from cybersecurity risks.” (6 U.S.C. 151(c)(3)).

EINSTEIN also provides greater protection for the Census Bureau's information and information systems than would otherwise exist. EINSTEIN enables DHS to detect cyber threat indicators traveling or transiting to or from one agency's information system, and to share those indicators with other agencies, thereby making all agencies' information systems more secure. The necessity of providing DHS limited access to such information—information which DHS can only use for cybersecurity purposes—is not only required by the Federal Cybersecurity Enhancement Act, but has a net positive impact of the security of information respondents provide to the Census Bureau.

3. The ADC is concerned that “there is a lack of safeguards in place on who has access to information through EINSTEIN.”

Response: In addition to the safeguards contained in the Act, the Census Bureau works with DHS to protect information DHS may access through EINSTEIN. These additional safeguards cover the collection, retention, use, and disclosure of information. The safeguards also Start Printed Page 29844include notification and reporting requirements in the unlikely event that any unauthorized access, use, or dissemination of any Census Bureau information would occur.

To reiterate, the information at issue is not a respondent's personal information, rather, it is cyber threat information. E3A does not provide DHS with access to a respondent's personal information. E3A does not currently decrypt respondent information or scan data at rest on Census Bureau information systems.

4. The ADC is concerned that the revised confidentiality pledge “raises flags on improper use of such information.”

Response: The Act limits DHS's use of information collected pursuant to the Act to the protection of “information and information systems from cybersecurity risks.” To be clear, DHS's use of the information for any other purpose would be unlawful.

5. The AAJC suggests that the protections contained in Title 13 and the Confidential Information Protection and Statistical Efficiency Act (CIPSEA), both of which limit the use and disclosure of information collected, should control the information at issue.

Response: Pursuant to the Act, each agency must “apply and continue to utilize the capabilities to all information traveling between an agency information system and any information system other than an agency information system.” Congress authorized that, notwithstanding the protections previously afforded to information by other laws, such as Title 13, for the purpose of protecting agency information systems from cyber attacks, DHS may access information transiting and traveling to or from an agency information system. Census Bureau employees remain subject to the penalties contained in Title 13, including a federal prison sentence of up to five years and a fine of up to $250,000, or both.

6. The AAJC suggests that either the Census Bureau employees “perform Einstein 3A functions for Census Bureau internet traffic” or that “DHS employees monitoring Census Bureau internet traffic under Einstein 3A take the current Title 13 confidentiality pledge.”

Response: The Act provides DHS access to network traffic transiting or traveling to or from the Census Bureau's information systems, notwithstanding the protections previously afforded to information by other laws, such as Title 13. The Act also requires each agency to “apply and continue to utilize the capabilities to all information traveling between an agency information system and any information system other than an agency information system.”

In addition to the safeguards contained in the Act, the Census Bureau works with DHS to safeguard respondent information. These additional safeguards cover the collection, retention, use, and disclosure of information. The safeguards also include notification and reporting requirements that would apply in the unlikely event that any unauthorized access, use, or dissemination of any Census Bureau information would occur.

III. Data

Agency: U.S. Census Bureau, Department of Commerce.

Title: Revision of the Confidentiality Pledge under Title 13 United States Code, Section 9.

OMB Control Number: 0607-0993.

Form Number(s): None.

Affected Public: All survey respondents to Census Bureau data collections.

Legal Authority: 44 U.S.C. 3506(e) and 13 U.S.C. Section 9.

This information collection request may be viewed at www.reginfo.gov. Follow the instructions to view Department of Commerce collections currently under review by OMB.

IV. Request for Comments

Comments are invited on the necessity and efficacy of the Census Bureau's revised confidentiality pledge above. Comments submitted in response to this notice will become a matter of public record. Comments should be sent within 30 days of publication of this notice to OIRA_Submission@omb.eop.gov or fax to (202)395-5806.

Footnotes