Regulations last checked for updates: Nov 24, 2024

Title 15 - Commerce and Foreign Trade last revised: Oct 25, 2024
§ 1110.500 - Accredited conformity assessment bodies.

This subpart describes Accredited Conformity Assessment Bodies and their accreditation for third party attestation and auditing of the information safeguarding requirement for certification of Persons under this part. NTIS will accept an attestation or audit of a Person or Certified Person from an Accredited Conformity Assessment Body that is:

(a) Independent of that Person or Certified Person; or

(b) Is firewalled from that Person or Certified Person, and that in either instance is itself accredited by a nationally or internationally recognized accreditation body.

§ 1110.501 - Independent.

(a) An Accredited Conformity Assessment Body that is an independent third party conformity assessment body is one that is not owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body.

(1) A Person or Certified Person is considered to own, manage, or control a third party conformity assessment body if any one of the following characteristics applies:

(i) The Person or Certified Person holds a 10 percent or greater ownership interest, whether direct or indirect, in the third party conformity assessment body. Indirect ownership interest is calculated by successive multiplication of the ownership percentages for each link in the ownership chain;

(ii) The third party conformity assessment body and the Person or Certified Person are owned by a common “parent” entity;

(iii) The Person or Certified Person has the ability to appoint a majority of the third party conformity assessment body's senior internal governing body (such as, but not limited to, a board of directors), the ability to appoint the presiding official (such as, but not limited to, the chair or president) of the third party conformity assessment body's senior internal governing body, and/or the ability to hire, dismiss, or set the compensation level for third party conformity assessment body personnel; or

(iv) The third party conformity assessment body is under a contract to the Person or Certified Person that explicitly limits the services the third party conformity assessment body may perform for other customers and/or explicitly limits which or how many other entities may also be customers of the third party conformity assessment body.

(2) A state or local government office of Inspector General or Auditor General and a Person or Certified Person that is a department or agency of the same state or local government, respectively, are not considered to be owned by a common “parent” entity under paragraph (a)(1)(ii) of this section.

(b) [Reserved]

§ 1110.502 - Firewalled.

(a) A third party conformity assessment body must apply to NTIS for firewalled status if it is owned, managed, or controlled by a Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, applying the characteristics set forth under § 1110.501(a)(1).

(b) The application for firewalled status of a third party conformity assessment body under paragraph (a) of this section will be accepted by NTIS where NTIS finds that:

(1) Acceptance of the third party conformity assessment body for firewalled status would provide equal or greater assurance that the Person or Certified Person has information security systems, facilities, and procedures in place to protect the security of the Limited Access DMF than would the Person's or Certified Person's use of an independent third party conformity assessment body; and

(2) The third party conformity assessment body has established procedures to ensure that:

(i) Its attestations and audits are protected from undue influence by the Person or Certified Person that is the subject of attestation or audit by the Accredited Conformity Assessment Body, or by any other interested party;

(ii) NTIS is notified promptly of any attempt by the Person or Certified Person that is the subject of attestation or audit by the third party conformity assessment body, or by any other interested party, to hide or exert undue influence over an attestation, assessment or audit; and

(iii) Allegations of undue influence may be reported confidentially to NTIS. To the extent permitted by Federal law, NTIS will undertake to protect the confidentiality of witnesses reporting allegations of undue influence.

(c) NTIS will review each application and may contact the third party conformity assessment body with questions or to request submission of missing information, and will communicate its decision on each application in writing to the applicant, which may be by electronic mail.

§ 1110.503 - Attestation by accredited conformity assessment body.

(a) In any attestation or audit of a Person or Certified Person that will be submitted to NTIS under this part, an Accredited Conformity Assessment Body must attest that it is independent of that Person or Certified Person. The Accredited Conformity Assessment Body also must attest that it has read, understood, and agrees to the regulations in this part. The Accredited Conformity Assessment Body must also attest that it is accredited to a nationally or internationally recognized standard such as the ISO/IEC Standard 27006-2011 “Information technology—Security techniques—Requirements for bodies providing audit and certification of information security management systems,” or any other similar nationally or internationally recognized standard for bodies providing audit and certification of information security management systems. The Accredited Conformity Assessment Body must also attest that the scope of its accreditation encompasses the safeguarding and security requirements as set forth in this part.

(b) Where a Person seeks certification, or where a Certified Person seeks renewal of certification or is audited under this part, an Accredited Conformity Assessment Body may provide written attestation that such Person or Certified Person has systems, facilities, and procedures in place as required under § 1110.102(a)(2). Such attestation must be based on the Accredited Conformity Assessment Body's review or assessment conducted no more than three years prior to the date of submission of the Person's or Certified Person's completed certification statement, and, if an audit of a Certified Person by an Accredited Conformity Assessment Body is required by NTIS, no more than three years prior to the date upon which NTIS notifies the Certified Person of NTIS's requirement for audit, but such review or assessment or audit need not have been conducted specifically or solely for the purpose of submission under this part.

(c) Where review or assessment or audit by an Accredited Conformity Assessment Body was not conducted specifically or solely for the purpose of submission under this part, the written attestation or assessment report (if an audit) shall describe the nature of that review or assessment or audit, and the Accredited Conformity Assessment Body shall attest that on the basis of such review or assessment or audit, the Person or Certified Person has systems, facilities, and procedures in place as required under § 1110.102(a)(2).

(d) Notwithstanding paragraphs (a) through (c) of this section, NTIS may, in its sole discretion, require that review or assessment or audit by an Accredited Conformity Assessment Body be conducted specifically or solely for the purpose of submission under this part.

§ 1110.504 - Acceptance of accredited conformity assessment bodies.

(a) NTIS will accept written attestations and assessment reports from an Accredited Conformity Assessment Body that attests, to the satisfaction of NTIS, as provided in § 1110.503.

(b) NTIS may decline to accept written attestations or assessment reports from an Accredited Conformity Assessment Body, whether or not it has attested as provided in § 1110.503, for any of the following reasons:

(1) When it is in the public interest under Section 203 of the Bipartisan Budget Act of 2013, and notwithstanding any other provision of this part;

(2) Submission of false or misleading information concerning a material fact(s) in an Accredited Conformity Assessment Body's attestation under § 1110.503;

(3) Knowing submission of false or misleading information concerning a material fact(s) in an attestation or assessment report by an Accredited Conformity Assessment Body of a Person or Certified Person;

(4) Failure of an Accredited Conformity Assessment Body to cooperate in response to a request from NTIS to verify the accuracy, veracity, and/or completeness of information received in connection with an attestation under § 1110.503 or an attestation or assessment report by that Body of a Person or Certified Person. An Accredited Conformity Assessment Body “fails to cooperate” when it does not respond to NTIS inquiries or requests, or it responds in a manner that is unresponsive, evasive, deceptive, or substantially incomplete; or

(5) Where NTIS is unable for any reason to verify the accuracy of the Accredited Conformity Assessment Body's attestation.

authority: Pub. L. 113-67, Sec. 203
source: 79 FR 16670, Mar. 26, 2014, unless otherwise noted.
cite as: 15 CFR 1110.501