From: Mierzwa, Charles [mailto:Charles.Mierzwa@rrb.gov]
Sent: Monday, December 10, 2007 6:15 PM
To: Matsuoka, Karen Y.
Subject: RE: 3220-0008;3220-0005; 3220-0173; 3220-0132
Karen,
This is really timely as I was just about to inquire as to where OMB was with the reviews. This initiative has a high priority with our Board Members (Chairmen, Management Member, and Labor Member) and I was just asked by Executive Assistants of each for a status report. We need to implement on or about January 1, 2008.
The RRB has a very active computer security program that is aware of NIST requirements. The bottom of the first page of the proposed program letter (2008-xx) Subject: FTP and E-mail submission of Forms BA-3, BA-4, BA-6a, BA-9 and BA-11, the section titled “Privacy and Security Considerations”, states “Accordingly, we are required to take security precautions that meet standards currently prescribed by the National Institute of Standards (NIST)”. The second page of the same letter under the heading E-mail Submissions states, “To meet NIST security requirements, all E-mail messages we exchange must be encrypted and signed with a Digital ID, and information will be protected in accordance with security controls outlined in NIST guidance 800-53”.
Our computer security staff (which is part of my office) reviewed the process and the draft program letter before it was submitted and found it to be in accordance with the guidelines. I further confirmed with them that the process for secure E-mail is in accordance with NIST guidance 800-53. The RRB would not object to language in the Terms of Clearance for each ICR that it is approved on the understanding “that security controls for E-mail submissions are in accordance with NIST 800-53”.
3220-175 which consists of RRB Form BA-10 is expiring on 2/29/2008. It was the RRB’s intent to submit a “discontinue OMB control number” through ROCIS upon approval of 3220-0008. Regarding 3220-0070 (4,000 responses and 400 burden hours) and 3220-0156 (4,000 responses and 133 burden hours), it is our intent to begin the revision/renewal process just as soon as the submitted collections were approved by OMB. We thought that was the proper way to proceed. There will be no material changes made to the forms, just the burden estimate and the circumstances regarding the forms’ use, resulting in the decreased burden. The situation regarding these two collections makes us fondly remember the days of the OMB-83c, Change Worksheet.
I have talked to staff from the RRB’s Actuary (they coordinate the RRB’s exchange of information with BEA) and they have determined that the changes that the RRB is proposing will not affect the RRB’s ability to provide BEA the data they find useful.
If anything needs further clarification or you have any other questions, just let me know. We appreciate OMB’s cooperation in helping us meet our deadline.
Chuck Mierzwa
RRB Records Officer/PRA Officer
(312) 751-3363
From: Matsuoka, Karen Y.
Sent: Friday, December 07, 2007 4:42 PM
To: Mierzwa, Charles
Subject: 3220-0008;3220-0005; 3220-0173; 3220-0132
Chuck, here are OMB’s questions on the 4 ICRs you submitted on 10/26/07. Can you provide responses by COB Thursday, the 13th? Thanks. – Karen
Please confirm whether the security controls for email submissions of these forms are in accordance with NIST guidance 800-53;
When will the ICRs affected by these ICRs be submitted to OMB? For example, the ICR for form BA-3a says that 3220-0175 will no longer be needed, and that form BA-10 and 3220-0070 and 3220-0156 will have their burdens significantly reduced. The former ICR should be discontinued, and the latter 2 should be sent in as revisions.
Please clarify whether the changes RRB is proposing to make to these forms will affect the data BEA finds useful.
File Type | application/msword |
File Title | From: Mierzwa, Charles [mailto:Charles |
Author | Matsuoka_k |
Last Modified By | Matsuoka_k |
File Modified | 2007-12-10 |
File Created | 2007-12-10 |