Proposed FOIA and Privacy Act Regulations

Content

ACTION:

Notice of proposed rulemaking and request for public comment.

SUMMARY:

The Office of the National Cyber Director (ONCD) is issuing its first Freedom of Information Act (FOIA) and Privacy Act regulations.
These regulations reflect ONCD's process for responding to requests for information and affirm its commitment to provide the
fullest possible disclosure of records to the public.

DATES:

Comments must be received by May 15, 2026.

ADDRESSES:

Comments must be submitted through the Federal eRulemaking Portal at http://www.regulations.gov following the instructions it provides. All comments will be posted without change including any provided personal information.

FOR FURTHER INFORMATION CONTACT:

Carina Bergal, Deputy General Counsel, ONCD, 202-456-8708, foia@oncd.eop.gov with the subject line: “FOIA/PRIVACY ACT PROPOSED RULEMAKING.”

SUPPLEMENTARY INFORMATION:

A. The FOIA. The FOIA, 5 U.S.C. 552, provides a right of access to certain records that Federal agencies maintain and control. The FOIA
directs each Federal agency to publish regulations that describe how the agency will process FOIA requests it receives from
members of the public. The FOIA Improvement Act of 2016, Public Law 114-185, requires each agency to promulgate regulations,
pursuant to notice and receipt of public comment, specifying its FOIA policies, practices, and procedures.

B. The Privacy Act. The Privacy Act, 5 U.S.C. 552a, governs each federal agency's collection, maintenance, use, and dissemination of any information
about individuals that it maintains in a system of records. The Privacy Act directs each Federal agency to publish regulations
that describe the agency's procedures for carrying out the provisions of the Privacy Act.

Statutory and Executive Order Reviews

Regulatory Impact Analysis

This proposed regulatory action is not a significant regulatory action subject to review by the Office of Management and Budget
under section 3(f) of Executive Order 12866. Since this regulatory action is not a significant regulatory action under section
3(f) of Executive Order 12866, it is not considered an Executive Order 14192 regulatory action.

Paperwork Reduction Act

ONCD has determined that the Paperwork Reduction Act, 44 U.S.C. 3501 et seq., does not apply because these regulations do not contain any information collection requirements subject to ONCD's approval.

Executive Order 12988—Civil Justice Reform

These regulations meet the applicable standards set forth in Executive Order 12988, Civil Justice Reform.

Executive Order 13132—Federalism

These regulations will not have substantial direct effects on the States, on the relationship between the national government
and the States, or on the distribution of power and responsibilities among the various levels of government. Therefore, in
accordance with Executive Order 13132, ONCD has determined that these regulations do not have sufficient federalism implications
to warrant the preparation of a federalism summary impact statement.

Regulatory Flexibility Act

ONCD, in accordance with the Regulatory Flexibility Act, 5 U.S.C. 605(b), has reviewed these regulations and certifies that
it will not have a significant economic impact on a substantial number of small entities because they pertain to administrative
matters affecting the agency.

Unfunded Mandates Reform Act of 1995

These regulations will not result in the expenditure by State, local, and tribal governments, in the aggregate, or by the
private sector, of $100 million or more in any one year, and will not significantly or uniquely affect small governments.
Therefore, no actions are necessary under the provisions of the Unfunded Mandates Reform Act of 1995, 2 U.S.C. 1501, et seq.

Small Business Regulatory Enforcement Fairness Act of 1996

These regulations are not major rules as defined by section 251 of the Small Business Regulatory Enforcement Fairness Act
of 1996, 5 U.S.C. 804. They will not result in an annual effect on the economy of $100 million or more; a major increase in
costs or prices; or significant adverse effects on competition, employment, investment, productivity, innovation, or the ability
of United States-based enterprises to compete with foreign-based enterprises in domestic and export markets.

National Environmental Policy Act of 1969

ONCD has reviewed these regulations under the National Environmental Policy Act of 1969 (NEPA), 42 U.S.C. 4321-4347, and has
determined that this action will not have a significant effect on the human environment.

List of Subjects

Administrative practice and procedure, Courts, Freedom of information, Records.

Administrative practice and procedure, Courts, Privacy, Records.

For the reasons discussed in the preamble, the Office of the National Cyber Director proposes to add chapter XXII, consisting
of parts 2200 through 2299, to subtitle B of title 32 to read as follows:

Title 32—National Defense

Subtitle B—Other Regulations Relating to National Defense

Chapter XXII—Office of the National Cyber Director

PART 2200—REGULATIONS IMPLEMENTING THE FREEDOM OF INFORMATION ACT

PART 2201—REGULATIONS IMPLEMENTING THE PRIVACY ACT

PARTS 2202-2299 [RESERVED]

PART 2200—REGULATIONS IMPLEMENTING THE FREEDOM OF INFORMATION ACT

Sec. 2200.1 Purpose and scope. 2200.2 Delegation of authority and responsibilities. 2200.3 General policy and definitions. 2200.4 Procedure for requesting records. 2200.5 Responses to requests. 2200.6 Timing of responses to requests. 2200.7 Confidential commercial information. 2200.8 Appeal of denials. 2200.9 Fees. 2200.10 Waiver of fees. 2200.11 Maintenance of statistics. 2200.12 Disclaimer.

Authority:

5 U.S.C. 552; E.O. 13392, 70 FR 75373, 3 CFR, 2005 Comp., p. 216.

§ 2200.1 Purpose and scope. The regulations in this part prescribe procedures by which individuals may obtain access to the Office of the National Cyber
Director (ONCD) agency records under the Freedom of Information Act (FOIA), 5 U.S.C. 552, as amended, as well as the procedures
ONCD will follow in response to requests for records under the FOIA. This part should be read together with the FOIA and the
Office of Management and Budget's (OMB's) “Uniform Freedom of Information Fee Schedule and Guidelines,” which provides information
about access to records. All requests for access to information contained within a system of records pursuant to the Privacy
Act of 1974, 5 U.S.C. 552a, shall be processed in accordance with this part.

§ 2200.2 Delegation of authority and responsibilities. (a) The Director of ONCD designates the ONCD General Counsel as the Chief FOIA Officer, and hereby delegates to the Chief
FOIA Officer the authority to act upon all requests for agency records and to re-delegate such authority at his or her discretion.

(b) The Chief FOIA Officer shall designate a FOIA Public Liaison, who shall serve as the supervisory official to whom a FOIA
requester can raise concerns about the service the FOIA requestor has received following an initial response. The FOIA Public
Liaison will be listed on the ONCD website (https://www.whitehouse.gov/oncd/information-resources/) and may re-delegate the FOIA Public Liaison's authority at his or her discretion.

(c) The Director establishes a FOIA Requester Service Center that shall be staffed by the FOIA Public Liaison. The contact
information for the FOIA Requester Service Center is: Office of the National Cyber Director, New Executive Office Building,
725 17th Street NW, Washington, DC 20504; Telephone: 202-395-1925; Email: foia@ncd.eop.gov. Updates to this contact information will be made on the ONCD website.

§ 2200.3 General policy and definitions. (a) Non-exempt records available to public. Except for records exempt from disclosure by 5 U.S.C. 552(b) or published in the
Federal Register
under 5 U.S.C. 552(a)(1), ONCD's agency records subject to the FOIA are available to any requester who requests them in accordance
with this part.

(b) Record availability on the ONCD website. ONCD shall make records available on its website in accordance with 5 U.S.C. 552(a)(2), as amended, and other documents that,
because of the nature of their subject matter, are likely to be the subject of FOIA requests. To save both time and money,
ONCD strongly urges requesters to review documents available on the ONCD website before submitting a request.

(c) Definitions. For purposes of this part:

(1) All of the terms defined in the Freedom of Information Act apply, unless otherwise defined in this part.

(2) The term agency record means a record that is:

(i) Either created or obtained by ONCD; and

(ii) Under ONCD control at the time the FOIA request is received.

(3) The term commercial use request means a request from or on behalf of a person who seeks information for a use or purpose that furthers his or her

  commercial, trade, or profit interests, which can include furthering those interests through litigation. ONCD shall determine,
  whenever reasonably possible, the use to which a requester will put the requested records. When it appears that the requester
  will put the records to a commercial use, either because of the nature of the request itself or because ONCD has reasonable
  cause to doubt a requester's stated use, ONCD shall provide the requester a reasonable opportunity to submit further clarification.

(4) The terms disclose and disclosure refer to making records available, upon request, for examination and copying, or furnishing a copy of records.

(5) The term direct cost means those expenditures ONCD actually incurred in searching for and duplicating (and, in the case of commercial use requests,
reviewing) records in response to a FOIA request. Direct costs include the salary of the personnel performing the work (i.e., the basic rate of pay for the employee plus 16 percent of that rate to cover benefits) and the cost of operating computers
and other electronic equipment, such as photocopiers and scanners. Direct costs do not include overhead expenses, such as
the cost of space, heating, or lighting of the facility in which the records are stored.

(6) The term duplication means the making of a copy of a record, or of the information contained in it, necessary to respond to a FOIA request. Copies
can take the form of paper, microform, audiovisual materials, or electronic records (e.g., magnetic tape or disk), among others.

(7) The term educational institution means a preschool, a public or private elementary or secondary school, an institution of undergraduate higher education, an
institution of graduate higher education, an institution of professional education, or an institution of vocational education
that operates a program of scholarly research. To fall within this category, a requester must show that the request is authorized
by and is made under the auspices of a qualifying institution and that the records are not sought for a commercial use, but
rather are sought to further scholarly research.

(8) The term fee waiver means the waiver or reduction of processing fees if a requester can demonstrate that certain statutory standards are satisfied.

(9) The term FOIA Public Liaison means an agency official who is responsible for assisting requesters in defining the scope of their request to reduce processing
time, increasing transparency and understanding of the status of requests, and assisting in the resolution of disputes.

(10) The term non-commercial scientific institution means an institution that is not operated on a commercial basis, as that term is defined in these regulations, and that is
operated solely for the purpose of conducting scientific research, the results of which are not intended to promote any particular
product or industry. To fall within this category, a requester must show that the request is authorized by and is made under
the auspices of a qualifying institution and that the records are not sought for a commercial use, but rather are sought to
further scientific research.

(11) The term perfected request means a FOIA request for records that reasonably describes the records sought and has been received by ONCD in accordance
with the requirements set forth in § 2200.4.

(12) The terms representative of the news media and news media requester mean any person or entity that gathers information of potential interest to a segment of the public, uses its editorial skills
to turn the raw materials into a distinct work, and distributes that work to an audience. In this clause, the term news means information that is about current events or that would be of current interest to the public. Examples of news media
entities are television or radio stations broadcasting to the public at large and publishers of periodicals (but only if such
entities qualify as disseminators of news) who make their products available for purchase by, subscription by, or through free distribution to the general public.
These examples are not all-inclusive. Moreover, as methods of news delivery evolve, such as through electronic or digital
means, such news sources shall be considered to be news media entities. A freelance journalist shall be regarded as working
for a news media entity if the journalist can demonstrate a solid basis for expecting publication through that entity, whether
or not the journalist is actually employed by the entity. A publication contract would present a solid basis for such an expectation;
the Government may also consider the past publication record of the requester in making such a determination.

(13) The term requester means any person, including an individual, partnership, corporation, association, Native American tribe, or other public or
private organization, other than a Federal agency that requests access to records.

(14) The term review means the process of examining documents located in response to a request that is for a commercial use to determine whether
any portion of any document located is permitted to be withheld. It includes the processing of any documents for disclosure— i.e., doing all that is necessary to excise exempt information and otherwise prepare them for release. Review does not include time
spent resolving general legal or policy issues regarding the application of exemptions.

(15) The term search refers to the process of looking for and retrieving records or information responsive to a request. It includes page-by-page
or line-by-line identification of information within records and also includes reasonable efforts to locate and retrieve information
from records maintained in electronic form or format.

(16) The term working day means a regular Federal working day between the hours of 9:00 a.m. and 5:00 p.m. It does not include Saturdays, Sundays, or
legal Federal holidays. Any requests received after 5:00 p.m. on any given working day will be considered received on the
next working day.

§ 2200.4 Procedure for requesting records. (a) Format of requests— (1) In general. Requests for information must be made in writing and may be delivered by mail or electronic mail, as specified in § 2200.2(c).
All requests must be made in English. Requests for information may specify the preferred format (including electronic formats)
of the response. When a requester does not specify the preferred format of the response, ONCD shall produce scanned records
to be delivered electronically.

(2) Records in electronic formats. (i) ONCD shall provide responsive records in the format requested if the record or records are readily reproducible by ONCD
in that format. ONCD shall make reasonable efforts to maintain its records in formats that are reproducible for the purposes
of disclosure. For purposes of this paragraph (a)(2)(i), the term readily reproducible means, with respect to electronic format, a record that can be downloaded or transferred intact to an electronic medium using
equipment currently in use by the agency processing the request. Even though some records may initially be readily reproducible,
the need to segregate exempt records from nonexempt records may cause the releasable material to be not readily reproducible.

(ii) In responding to a request for records, ONCD shall make reasonable efforts to search for the records in electronic format,
except where such efforts would interfere with the operation of the agency's automated information system(s). For purposes
of this paragraph (a)(2)(ii), the term search means to locate, manually or by automated means, agency records for the purpose of identifying those records that are responsive
to a request.

(iii) Searches for records maintained in electronic format may require the application of codes, queries, or other minor forms
of programming to retrieve the requested records.

(3) Attachment restrictions. To protect ONCD's computer systems, ONCD will not accept files sent as email attachments or as web links. A requester may
submit a request by postal mail, by fax, or in the body of the email text.

(b) Contents. A request must describe the records sought in sufficient detail to enable ONCD personnel to locate the records with a reasonable
amount of effort. To the extent possible, a requester should include specific information that may assist ONCD personnel in
identifying the requested records, such as the date, title or name, author, recipient, and subject matter of the record. In
general, a requester should include as much detail as possible about the specific records or the types of records sought.
Before submitting a request, a requester may contact the ONCD FOIA Public Liaison to discuss the records sought and to receive
assistance in describing the records. If, after receiving a request, ONCD determines that it does not reasonably describe
the records sought or that the request will be unduly burdensome to process, ONCD shall inform the requester of the additional
information that is needed or how the request may be modified. A Requester attempting to reformulate or modify such a request
may discuss their requests with ONCD's FOIA Public Liaison.

(c) Date of receipt. A request that complies with paragraphs (a) and (b) of this section is deemed a “perfected request.” A perfected request is
deemed received on the actual date it is received by ONCD. A request that does not comply with paragraphs (a) and (b) of this
section is deemed received when information sufficient to perfect the request is actually received by ONCD.

(d) Contact information. A request must contain contact information, such as the requester's phone number, email address, or mailing address, to enable
ONCD to communicate with the requester about the request and provide released records. If ONCD cannot contact the requester,
or the requester does not respond within 30 calendar days to ONCD's requests for clarification, ONCD will administratively
close the request.

(e) Types of records not available. The FOIA does not require ONCD to:

(1) Compile or create records solely for the purpose of satisfying a request for records;

(2) Provide records not yet in existence, even if such records may be expected to come into existence at some future time;
or

(3) Restore records destroyed or otherwise disposed of, except that ONCD must notify the requester of the destruction or disposal
of the requested records.

§ 2200.5 Responses to requests. (a) In general. In determining which records are responsive to a request, ONCD will ordinarily include only records in its possession as of
the date it begins its search for records. If any other date is used, ONCD shall inform the requester of that date.

(b) Authority to grant or deny requests. ONCD shall make initial determinations to grant or deny, in whole or in part, a request for records.

(c) Granting of requests. When ONCD determines that any responsive records shall be made available, ONCD shall notify the requester in writing and provide
copies of the requested records in whole or in part. Records disclosed in part shall be marked or annotated to show the exemption(s)
applied to the withheld information and the amount of information withheld unless doing so would harm the interest protected
by an applicable exemption. If a requested record contains exempted material along with nonexempt material, all reasonably
segregable material shall be disclosed.

(d) Adverse determinations. If ONCD makes an adverse determination denying a request in any respect, it must notify the requester of that adverse determination
in writing. Adverse determinations include decisions that: The requested record is exempt from disclosure, in whole or in
part; the request does not reasonably describe the records sought, but only if, after discussion with the FOIA Public Liaison,
the requester refuses to modify the terms of the request; the information requested is not a record subject to the FOIA; the
requested record does not exist, cannot be located, or has been destroyed; or the requested record is not not readily reproducible
in the form or format sought by the requester; denials involving fee or fee waiver matters; and denials of requests for expedited
processing.

(e) Content of adverse determinations. Any adverse determination issued by ONCD must include:

(1) A brief statement, including any FOIA exemption applied by the agency in denying access to a record unless such inclusion
would harm the interest protected by an applicable exemption;

(2) An estimate of the volume of any records or information withheld, although such an estimate is not required if the volume
is otherwise indicated by deletions marked on records that are disclosed in part or if providing an estimate would harm an
interest protected by an applicable exemption;

(3) A statement that the adverse determination may be appealed under § 2200.8 and a description of the appeal requirements;
and

(4) A statement notifying the requester of the assistance available from ONCD's FOIA Public Liaison and the dispute resolution
services offered by the Office of Government Information Services.

(f) Transfer of records to the National Archives and Records Administration (NARA). Permanent records of ONCD which have been transferred to the control of NARA under the Federal Records Act are not in the
control of ONCD and are therefore not accessible by a FOIA request to ONCD. Requests for such records should be directed to
NARA.

(g) Consultations, referrals, and coordinations. When ONCD receives a request for a record in its possession, it shall determine whether another agency of the Federal Government
is better able to determine whether the record is exempt from disclosure under the FOIA and, if so, whether it should be disclosed
as a matter of administrative discretion. If ONCD determines that it is best able to process the record in response to the
request, then it shall do so. If ONCD determines that it is not best able to process the record, then it shall proceed in
one of the following ways:

(1) Consultation. When records originating with ONCD contain information of interest to another Federal agency, ONCD should typically consult
with that Federal agency prior to making a release determination.

(2) Referral. (i) When ONCD believes that a different Federal agency is best able to determine whether to disclose the record, ONCD should
typically refer the responsibility for responding to the request regarding that record to that agency. Ordinarily, the agency
creating the record is presumed to be the agency best able to determine whether the record should be disclosed. If ONCD and
another Federal agency jointly agree that the agency processing the request is in the best position to respond regarding the
record, then the record may be handled as a consultation.

(ii) Whenever ONCD refers any part of the responsibility for responding to a

  request to another agency it will notify the requester of the referral and the agency which will be processing the record.

(iii) After ONCD refers a record to another Federal agency, the agency receiving the referral shall make a disclosure determination
and respond directly to the requester. The referral of a record is not an adverse determination and no appeal rights accrue
to the requester therefrom.

(3) Coordination. The standard referral procedure is not appropriate where disclosure of the identity of the Federal agency to which a referral
would be made could harm an interest protected by an applicable exemption, such as an exemption that protects personal privacy
or national security interests. For example, if a non-law enforcement agency responding to a request for records on a living
third party locates within its files records originating with a law enforcement agency, and if the existence of that law enforcement
interest in the third party is not publicly known, then to disclose that law enforcement interest could cause an unwarranted
invasion into the personal privacy of the third party. Similarly, if an agency locates within its files material originating
with an Intelligence Community agency, and the involvement of that agency in the matter is classified and not publicly acknowledged,
then to disclose or give attribution to the involvement of that Intelligence Community agency could harm national security
interests.

§ 2200.6 Timing of responses to requests. (a) In general. ONCD shall ordinarily respond to requests in order of their receipt.

(b) Initial determinations. ONCD will exercise all reasonable efforts to make an initial determination acknowledging and granting, partially granting,
or denying a request for records within twenty working days (excepting Saturdays, Sundays, and legal public holidays) after
receiving a perfected request. ONCD may toll this twenty (20) day period either one time while ONCD is awaiting information
that it has reasonably requested from the requester or any time when necessary to clarify with the requester issues regarding
fee assessment. ONCD's receipt of the requester's response to ONCD's request for information ends the tolling period.

(c) Extensions of response time in “unusual circumstances.” (1) The twenty (20) working day period provided in paragraph (b) of this section may be extended if unusual circumstances
arise. If an extension is necessary, ONCD shall promptly notify the requester of the extension, briefly state the reasons
for the extension, and estimate when a response will be issued. Unusual circumstances warranting extension are:

(i) The need to search for and collect the requested records from field facilities or other establishments that are separate
from the office processing the request;

(ii) The need to search for, collect, and appropriately examine a voluminous amount of separate and distinct records which
are demanded in a single request; or

(iii) The need for consultation, which shall be conducted with all practicable speed, with another agency having a substantial
interest in the determination of the request or among two or more components of the agency having substantial subject-matter
interest therein.

(2) After ONCD notifies the requester of the reasons for the delay, the requester will have an opportunity to modify the request
or arrange for an alternative time frame for completion of the request. To assist in this process, ONCD shall advise the requester
of the availability of ONCD's FOIA Public Liaison to aid in the resolution of any disputes between the requester and ONCD,
and notify the requester of his or her right to seek dispute resolution services from the Office of Government Information
Services.

(d) Expedited processing of request. (1) A requester may make a request for expedited processing at any time.

(2) When a request for expedited processing is received, ONCD must determine whether to grant the request for expedited processing
within ten (10) calendar days of its receipt. Such requests will be approved only when a compelling need is established to
the satisfaction of ONCD. A compelling need is deemed to exist when:

(i) The requester can establish that failure to receive the records quickly could reasonably be expected to pose an imminent
threat to the life or physical safety of an individual; or

(ii) The requester is primarily engaged in disseminating information (e.g., you are a member of the news media), and can demonstrate that an urgency to inform the public concerning actual or alleged
Federal Government activity exists.

(3)(i) A requester who seeks expedited processing must submit a statement, certified to be true and correct, explaining in
detail:

(A) The basis for making the request for expedited processing; and

(b) Why your request or appeal satisfies the requirements of paragraph (d)(2)(i) or (ii) of this section.

(ii) If you believe that you have an urgent need to inform the public about an actual alleged Federal Government activity,
you should provide examples of other coverage of the same or related subjects. As a matter of administrative discretion, ONCD
may waive the formal certification requirement.

(4) ONCD will notify you within 10 calendar days whether we will grant or deny you expedited processing.

(5) If ONCD denies you expedited processing, you may appeal that determination using the procedures in this part.

(e) Multi-track processing. (1) ONCD may use multi-track processing in responding to requests. Multi-track processing means placing simple requests that
require limited review in one processing track and placing more voluminous and complex requests in one or more other processing
tracks. Requests in each track are processed on a first-in, first-out basis.

(i) Track one—expedited requests. Track one is made up of requests that sought and received expedited processing as provided for in paragraph (d)(2) of this
section.

(ii) Track two—simple requests. Track two is for requests of simple to moderate complexity that do not require consultations with other entities and do not
involve voluminous records.

(iii) Track three—complex requests. Track three is for complex requests that involve voluminous records, require lengthy or numerous consultations, raise unique
or novel legal questions, or require submitter review under § 2200.7.

(2) ONCD may provide requesters with requests in slower track(s) the opportunity to limit the scope of their requests to qualify
for faster processing within the specified limits of faster track(s). ONCD will do so by contacting the requester by letter,
telephone, email, or facsimile, whichever is more efficient in each case. When providing a requester with the opportunity
to limit the scope of a request, ONCD shall also advise the requester of ONCD's FOIA Public Liaison to aid in the resolution
of any dispute arising between the requester and ONCD as well as the requester's right to seek dispute resolution services
from the Office of Government Information Services.

(f) Aggregating requests. ONCD may aggregate requests if it reasonably appears that multiple requests, submitted either by a single requester or by
a group of requesters, act in concert and involve related matters. For example, ONCD may aggregate multiple

  requests for similar information filed by a single requester within a short period of time. ONCD may also aggregate requests
  where a requester or associated requesters file a series of multiple requests, which are merely discrete subdivisions of the
  information actually sought for the purpose of avoiding or reducing applicable fees. In such instances, ONCD may aggregate
  the requests and charge the applicable fees.

§ 2200.7 Confidential commercial information. (a) In general. Business information obtained by ONCD from a submitter will be disclosed under the FOIA only under this section.

(b) Definitions. For purposes of this section:

(1) Confidential commercial information means records provided to the government by a submitter that arguably contain material exempt from release under 5 U.S.C.
552(b)(4).

(2) Submitter means any person or entity from whom ONCD directly or indirectly obtains confidential commercial information. The term includes
corporations; State, local, and tribal governments; universities; non-profit organizations; associations; and foreign governments.

(c) Designation of business information. Either at the time of submission or at a reasonable time thereafter, a submitter of business information will use good-faith
efforts to designate, by appropriate markings, any portions of its submission that it considers to be protected from disclosure
under 5 U.S.C. 552(b)(4). These designations will expire ten years after the date of submission unless the submitter requests,
and provides justification for, a longer designation period.

(d) Notice to submitters. ONCD shall provide a submitter with prompt written notice of a FOIA request or administrative appeal that seeks its business
information to give the submitter an opportunity to object to disclosure of any specified portion of that information. The
notice shall either describe the business information requested or include copies of the requested records or record portions
containing the information. When notification of a voluminous number of submitters is required, notification may be made by
posting or publishing the notice in a place reasonably likely to accomplish notification.

(e) Where notice is required. Notice shall be given to a submitter whenever:

(1) The information has been designated in good faith by the submitter as information considered protected from disclosure
under 5 U.S.C. 552(b)(4); or

(2) ONCD has reason to believe that the information may be protected from disclosure under 5 U.S.C. 552(b)(4).

(f) Opportunity to object to disclosure. ONCD will allow a submitter reasonable time to respond to the notice described in paragraph (d) of this section and will specify
that time period within the notice. If a submitter has any objection to disclosure, the submitter must provide a detailed
written statement of objections. The statement must specify all grounds for withholding any portion of the information under
any exemption of the FOIA and, in the case of information withheld under 5 U.S.C. 552(b)(4), the submitter must demonstrate
the reasons the submitter believes the information is a trade secret or commercial or financial information that is privileged
or confidential. In the event that a submitter fails to adequately respond to the notice within the time specified, the submitter
will be considered to have no objection to disclosure of the information. Information provided by the submitter that ONCD
does not receive within the time specified shall not be considered by ONCD. Information provided by a submitter under this
paragraph (f) may itself be subject to disclosure under the FOIA.

(g) Notice of intent to disclose. ONCD shall consider a submitter's objections and specific grounds for nondisclosure in deciding whether to disclose business
information. Whenever ONCD determines that disclosure is appropriate over the objection of a submitter, ONCD shall, within
a reasonable number of days prior to disclosure, provide the submitter with written notice of the intent to disclose, which
shall include:

(1) A statement of the reason(s) why each of the submitter's objections to disclosure was not sustained;

(2) A description of the business information to be disclosed; and

(3) A specified disclosure date, which shall be a reasonable time subsequent to the notice.

(h) Exceptions to notice requirements. The notice requirements of paragraphs (d) and (g) of this section shall not apply if:

(1) ONCD determines that the information should not be disclosed;

(2) The information has been lawfully published or has been officially made available to the public;

(3) Disclosure of the information is required by statute (other than the FOIA) or by a regulation issued in accordance with
the requirements of Executive Order 12600 of June 23, 1987;

(4) The designation made by the submitter under paragraph (c) of this section appears obviously frivolous. In such a case,
ONCD shall, within a reasonable time prior to a specified disclosure date, give the submitter written notice of any final
decision to disclose the information, but no opportunity to object will be offered; or

(5) The information requested was not designated by the submitter as exempt from disclosure in accordance with this part,
when the submitter had an opportunity to do so at the time of submission of the information or a reasonable time thereafter,
unless ONCD has substantial reason to believe that disclosure of the information would result in competitive harm.

(i) Notice of FOIA lawsuit. Whenever a requester files a lawsuit seeking to compel the disclosure of business information, ONCD shall promptly notify
the submitter. The submitter, as specified in paragraph (b)(2) of this section, shall provide such litigation assistance as
required by ONCD and the Department of Justice.

(j) Notice to requesters. Whenever ONCD provides a submitter with notice and an opportunity to object to disclosure under paragraph (d) of this section,
ONCD shall also notify the requester(s). Whenever ONCD notifies a submitter of its intent to disclose requested information
under paragraph (g) of this section, ONCD shall also notify the requester(s). Whenever a submitter files a lawsuit seeking
to prevent the disclosure of business information, ONCD shall notify the requester(s).

§ 2200.8 Appeal of denials. (a) Right to administrative appeal. A requester has the right to appeal to the FOIA Public Liaison any adverse determination.

(b) Notice of appeal— (1) Time for appeal. To be considered timely, an appeal must be postmarked, or in the case of electronic submissions, transmitted no later than
ninety (90) calendar days after the date of the initial adverse determination or after the time limit for response by ONCD
has expired. Prior to submitting an appeal, the requester must pay in full any outstanding fees associated with the request.

(2) Form of appeal. An appeal shall be initiated by filing a written notice of appeal. The notice shall specify the tracking number assigned to
the FOIA request by ONCD and be accompanied by copies of the original request and adverse determination. To expedite the appellate
process and give the requester an opportunity to present his or her

  arguments, the notice should contain a brief statement of the reason(s) why the requester believes the adverse determination
  to be in error. Requesters may submit appeals by mail or electronically. If sent by regular mail, appeals shall be sent to:
  FOIA Public Liaison, Office of the National Cyber Director, New Executive Office Building, 725 17th Street NW, Washington,
  DC 20504. Appeals sent via electronic mail shall be submitted to ONCD at *foia@ncd.eop.gov, with subject line: “Freedom of Information Act Appeal.”* If your email includes attachments, you must also explain your request in the body of the email, in addition to the attachment.
  Updates to this contact information will be made on the ONCD website. To facilitate handling, the requester should mark both
  the appeal letter and envelope, if submitted by mail, or subject line of the transmission, if submitted electronically, with
  “Freedom of Information Act Appeal.” Your appeal must include your request's individualized tracking number and must identify
  the specific ONCD determinations you are appealing. If you fail to properly appeal a determination that ONCD made in processing
  your request, you may lose your right to challenge that determination in federal court.

(c) Decisions on appeals. ONCD shall make a determination in writing on the appeal under 5 U.S.C. 552(a)(6)(A)(ii) within twenty (20) working days after
the receipt of the appeal. If the denial is wholly or partially upheld, ONCD shall:

(1) Notify the requester that judicial review is available pursuant to 5 U.S.C. 552(a)(4)(B)-(G); and

(2) Notify the requester that the Office of Government Information Services (OGIS) offers mediation services to resolve disputes
between FOIA requesters and Federal agencies as a non-exclusive alternative to litigation.

(d) Dispute resolution services. Dispute resolution is a voluntary process. If ONCD agrees to participate in the dispute resolution services provided by the
Office of Government Information Services, it will actively engage as a partner to the process in an attempt to resolve the
dispute.

(e) When appeal is required. Before seeking judicial review of ONCD's adverse determination in Federal district court, a requester generally must first
submit a timely administrative appeal.

§ 2200.9 Fees. (a) Fees generally required. ONCD shall use the most efficient and least costly methods to comply with requests for documents made under the FOIA. ONCD
shall charge fees in accordance with paragraph (b) of this section unless fees are waived or reduced in accordance with § 2200.10.

(b) Calculation of fees. In general, fees for searching, reviewing, and duplication will be based on the direct costs of these services, including
the average hourly salary (basic pay plus 16% for benefits) of the personnel conducting the search, reviewing the records
for exemption, or duplicating the records. Charges for time less than a full hour will be in increments of quarter hours.

(1) Search fees. Search fees may be charged even if responsive documents are not located or are located but withheld on the basis of an exemption.
However, search fees shall not be charged or shall be limited as follows:

(i) Educational, scientific, or news media requests. No search fee shall be charged if the request is not sought for a commercial use and is made by an educational or non-commercial
scientific institution, whose purpose is scholarly or scientific research, or by a representative of the news media.

(ii) Other non-commercial requests. No search fee shall be charged for the first two hours of searching if the request is not for a commercial use and is submitted
by an entity that is not an educational or scientific institution, whose purpose is scholarly or scientific research, or a
representative of the news media.

(2) Review fees. Review fees shall be assessed only with respect to those requesters who seek records for a commercial use. A review fee shall
be charged for the initial examination of documents located in response to a request to determine whether the documents may
be withheld from disclosure and for the redaction of document portions exempt from disclosure. Records or portions of records
withheld under an exemption that is subsequently determined not to apply may be reviewed again to determine the applicability
of other exemptions not previously considered. The costs for such subsequent review are also assessable.

(3) Duplication fees. Records will be photocopied at a rate of ten cents ($0.10) per page. For other methods of reproduction or duplication, ONCD
will charge the actual direct costs of producing the document(s). Duplication fees shall not be charged for the first 100
pages of copies unless the copies are requested for a commercial use.

(c) Aggregation of requests. When ONCD determines that a requester, or a group of requesters acting in concert, is attempting to evade the assessment of
fees by submitting multiple requests in place of a single, more complex request, ONCD may aggregate any such requests and
assess fees accordingly.

(d) Fees likely to exceed $25. If total fee charges are likely to exceed $25, ONCD shall notify the requester of the estimated amount to be charged. The
notification shall offer the requester an opportunity to confer with the FOIA Public Liaison to reformulate the request to
meet the requester's needs at a lower cost. ONCD may administratively close a submitted FOIA request if the requester does
not respond in writing within thirty (30) calendar days after the date on which ONCD notifies the requester of the fee estimate.

(e) Advance payments. Fees may be paid upon provision of the requested records, except that payment may be required prior to that time if the requester
has previously failed to pay fees or if ONCD determines that the total fees will exceed $250. When payment is required in
advance of the processing of a request, the time limits prescribed in § 2200.6 shall not be deemed to begin until ONCD has
received payment of the assessed fees. If the requester has previously failed to pay fees or charges are likely to exceed
$250, ONCD shall notify the requester of the estimated cost and:

(1) Obtain satisfactory assurance from the requester, in writing, of full payment; or

(2) ONCD may require the requester to pay the full amount of any fees owed or make an advance payment of the full amount of
ONCD's estimated charges.

(3) If ONCD does not receive an adequate response, assurance, or advance payment within thirty (30) calendar days of a fee
determination or notification issued under the authority of this section, ONCD will administratively close the corresponding
request.

(f) Other charges. ONCD will recover the full costs of providing services, such as those enumerated below, when it elects to provide them:

(1) Certifying that records are true copies; or

(2) Sending records by special methods, such as express mail.

(g) Remittances. Remittances shall be made either via personal check or bank draft drawn on a bank in the United States, or by postal money
order. Remittances shall be made payable to the order of the Treasury of the United States and mailed to the Chief FOIA Officer,
Office of the Office of the National Cyber Director, New Executive Office Building, 725 17th Street NW,

  Washington, DC 20504. Updates to this contact information will be made on the ONCD website.

(h) Receipts and refunds. ONCD will provide a receipt for fees paid upon request. ONCD will not refund fees paid for services actually rendered.

§ 2200.10 Waiver of fees. (a) In general. ONCD shall waive part or all of the fees assessed under § 2200.9 if, based upon information provided by a requester or otherwise
made known to ONCD the disclosure of the requested information is in the public interest. Disclosure is in the public interest
if it is likely to contribute significantly to public understanding of government operations or activities and is not primarily
for commercial purposes. Requests for a waiver or reduction of fees shall be considered on a case-by-case basis. To determine
whether a fee waiver requirement is met, ONCD shall consider the following factors:

(1) Disclosure of the requested information would shed light on the operations or activities of the Federal Government. The
subject of the request must concern identifiable operations or activities of the Federal Government with a connection that
is direct and clear, not remote or attenuated.

(2) Disclosure of the requested information is likely to contribute significantly to public understanding of those operations
or activities. This factor is satisfied when the following criteria are met:

(i) Disclosure of the requested records must be meaningfully informative about government operations or activities. The disclosure
of information already in the public domain, in either the same or a substantially similar form, would not be meaningfully
informative if nothing new would be added to the public's understanding.

(ii) The disclosure must contribute to the understanding of a reasonably broad audience of persons interested in the subject,
as opposed to the individual understanding of the requester. A requester's expertise in the subject area as well as the requester's
ability and intention to effectively convey information to the public must be considered. ONCD will presume that a representative
of the news media will satisfy this consideration.

(3) The disclosure must not be primarily in the commercial interest of the requester. To determine whether disclosure of the
requested information is primarily in the commercial interest of the requester, ONCD will consider the following criteria:

(i) ONCD will identify whether the requester has any commercial interest that would be furthered by the requested disclosure.
A commercial interest includes any commercial, trade, or profit interest. Requesters are encouraged to provide explanatory
information regarding this consideration.

(ii) If there is an identified commercial interest, ONCD will determine whether that is the primary interest furthered by
the request. ONCD will ordinarily presume that when a news media requester has satisfied the conditions in paragraphs (a)(1)
and (2) of this section, the request is not primarily in the commercial interest of the requester. Data brokers or others
who merely compile and market government information for direct economic return will not receive the benefit of this presumption.

(b) Timing of fee waivers. A request for a waiver or reduction of fees should be made when a request for records is first submitted to the agency and
should address the criteria referenced in paragraph (a) of this section. A requester may submit a fee waiver request at a
later time so long as the underlying record request is pending or on administrative appeal. When a requester who has committed
to pay fees subsequently asks for a waiver of those fees and that waiver is denied, the requester must pay any costs incurred
up to the date of the fee waiver request was received.

(c) Clarification. Where ONCD has reasonable cause to doubt the use to which a requester will put the records sought, or where that use is not
clear from the request itself, ONCD may seek clarification from the requester before assigning the request to a specific category
for fee assessment purposes.

(d) Restrictions on charging fees. Except as described in paragraphs (d)(1) through (3) of this section, if ONCD fails to comply with the FOIA's time limits
for responding to a request, it may not charge search fees. In addition, subject to the exceptions set forth in paragraphs
(d)(1) through (3) of this section, if ONCD does not comply with the FOIA's time limits for responding to a request, it may
not charge duplication fees when records are not sought for a commercial use and the request is made by an educational institution,
non-commercial scientific institution, or representative of the news media.

(1) If ONCD determines that unusual circumstances, as defined by the FOIA, apply and provides timely written notice to the
requester in accordance with the FOIA, then a failure to comply with the statutory time limit shall be excused for an additional
ten days.

(2) If ONCD determines that unusual circumstances, as defined by the FOIA, apply and more than 5,000 pages are necessary to
respond to the request, then ONCD may charge search fees and duplication fees, where applicable, if the following steps are
taken. ONCD must:

(i) Provide timely written notice of unusual circumstances to the requester in accordance with the FOIA; and

(ii) Discuss with the requester via postal mail, email, or telephone (or made not less than three good-faith attempts to do
so) how the requester could effectively limit the scope of the request in accordance with 5 U.S.C. 552(a)(6)(B)(ii).

(3) If a court determines that exceptional circumstances exist, as defined by the FOIA, then a failure to comply with the
statutory time limits shall be excused for the length of time provided by the court order.

§ 2200.11 Maintenance of statistics. (a) ONCD shall maintain records sufficient to allow accurate reporting of FOIA processing statistics, as required under 5
U.S.C. 552(e) and all guidelines for the preparation of annual FOIA reports issued by the Department of Justice.

(b) ONCD shall annually, on or before February 1 of each year, prepare and submit to the Attorney General an annual report
compiling the statistics maintained in accordance with paragraph (a) of this section for the previous fiscal year. A copy
of the report will be available for public inspection on the ONCD website.

§ 2200.12 Disclaimer. Nothing in this part shall be construed to entitle any person, as a right, to any service or to the disclosure of any record
to which such person is not entitled under the FOIA.

PART 2201—REGULATIONS IMPLEMENTING THE PRIVACY ACT

Sec. 2201.1 General provisions. 2201.2 Requirements for making requests for access. 2201.3 Responsibility for responding to requests. 2201.4 Requests for an accounting. 2201.5 Requests for an amendment or correction. 2201.6 Appeals. 2201.7 Fees.

Authority:

5 U.S.C. 552a.

§ 2201.1 General provisions. (a) Purpose and scope. This part implements the rules that the Office of the National Cyber Director (ONCD) follows under the Privacy Act of 1974,

  codified as amended at 5 U.S.C. 552a (Privacy Act). This part applies to all records in systems of records maintained by ONCD
  that are retrieved by an individual's name or personal identifier. This part describes the procedures by which individuals
  may request access to records about themselves, request amendment or correction of those records, and request an accounting
  of disclosures of those records by ONCD.

(b) Definitions. As used in this part:

Request for access to a record means a request made under 5 U.S.C. 552a(d)(1).

Request for amendment or correction of a record means a request made under 5 U.S.C. 552a(d)(2).

Request for an accounting means a request made under 5 U.S.C. 552a(c)(3).

Requester means an individual who makes a request for access, a request for amendment or correction, or a request for an accounting
under the Privacy Act. An individual is a citizen of the United States or an alien lawfully admitted for permanent residence.

System manager means the ONCD official identified in a system of records notice as the manager of a system of records; and for Government-wide
systems of records, the individual designated by the agency to act on behalf of the system manager.

(c) Providing written consent to disclose records protected under the Privacy Act. ONCD may disclose any record contained in a system of records by any means of communication to any person, or to another agency,
pursuant to a written request by, or with the prior written consent of, the individual about whom the record pertains. An
individual must verify the individual's identity in the same manner as required by § 2201.2(d) when providing written consent
to disclose a record protected under the Privacy Act and pertaining to the individual.

§ 2201.2 Requirements for making requests for access. (a) How made and addressed. You may make a Privacy Act request for access to an ONCD record by mail or delivery service, to Office of General Counsel,
Office of the National Cyber Director, 725 17th Street NW, Washington, DC 20503 or by electronic means via email to FOIA@ncd.eop.gov.

(b) Description of the records sought. In making a request for access, you must describe the records that you want in enough detail to enable ONCD to locate the
system of records containing them with a reasonable amount of effort. Your access request should name the system of records
or contain a concise description of such system of records. If you are not sure which system of records you are interested
in, you may request that ONCD inform you which of its systems of records, if any, contain records about you.

(c) Information about yourself. Your access request should also contain sufficient information to identify yourself in order to allow ONCD to determine if
there is a record pertaining to you in a particular system of records.

(d) Verification of identity. To ensure that information about you is disclosed only to you or your authorized representative, you are required to verify
your identity when making a Privacy Act request for access, as detailed in paragraphs (d)(1) through (3) of this section.

(1) You must state your name, current address, and date and place of birth and provide either a notarized statement of identity
or a signed submission under 28 U.S.C. 1746; or

(2) When available, verify your identity through remote identity-proofing and authentication using digital processes.

(3) ONCD may require you to supply additional information as necessary in order to verify your identity.

(e) Verification of guardianship. When making a request for access as the parent or guardian of a minor or as the guardian of someone determined by a court
of competent jurisdiction to be incompetent, for access to records about that individual, you must establish the criteria
listed in paragraphs (e)(1) through (4) of this section. If ONCD cannot verify your identity, disclosure will be limited to
information that would be required to be made available if requested under 5 U.S.C. 552 by any person.

(1) The identity of the individual who is the subject of the record, by stating the name, current address, and date and place
of birth;

(2) Your own identity, as required in this paragraph (e);

(3) That you are the parent or guardian of that individual, which you may prove by providing a copy of the individual's birth
certificate showing your parentage or by providing a court order establishing your guardianship; and

(4) That you are acting on behalf of that individual in making the request.

(f) Submit identifying information only using approved ONCD processes. In order to safeguard information you submit in making a request for access for purposes of verifying your identity or verifying
guardianship, or any information about yourself that may assist in the rapid identification of the record to which you are
requesting access (e.g., prior names, dates of employment, etc.) as well as any other identifying information contained in an ONCD system of records,
you must use one of ONCD's approved processes as described on ONCD's privacy program web page. Failure to submit identifying
information through an ONCD approved process may result in the failure to expunge your information in accordance with approved
ONCD records schedules after your access request has been processed.

(g) Subsequent requests for access. If your request for access follows a prior request under this section, and you already provided appropriate verifications
with that prior request, you do not need to include the same verification or identifying information in the subsequent request
for access if you reference that prior request or attach a copy of the ONCD response to that request.

§ 2201.3 Responsibility for responding to requests. (a) Acknowledgment of requests. ONCD will acknowledge your request for access in writing and provide an individualized tracking number. Upon request, ONCD
will make information available to you about the status of your request using the assigned tracking number.

(b) Timing of responses to a Privacy Act request for access. ONCD will respond to Privacy Act requests for access to records according to the order in which ONCD receives the requests.
Consistent with ONCD's Freedom of Information Act (FOIA) procedures at 32 CFR part 2200, ONCD may designate multiple processing
tracks that distinguish between simple and more complex Privacy Act requests for access, based on the estimated amount of
work or time needed to process the request.

(c) Additional information. If, after receiving a request, ONCD determines that your request does not reasonably describe the records sought, ONCD will
inform you what additional information is needed and why the request is otherwise insufficient. If a request does not reasonably
describe the records sought, ONCD's response to the request may be delayed.

(d) Grant of request for access. Once ONCD makes a determination to grant a request for access, ONCD will provide you a written response, which may include
the following:

(1) A statement as to whether ONCD will grant access by providing a copy of the record through electronic means or the mail;
and

(2) The amount of fees charged, if any (see § 2201.7). (Fees are applicable only to requests for duplicates.)

(e) Adverse determination of request for access. ONCD will notify you of an adverse determination denying a request for access in writing. Adverse determinations, or denials
of requests, may consist of: A determination to withhold any requested record in whole or in part; a determination that a
requested record does not exist or cannot be located; a determination that what has been requested is not a record subject
to the Privacy Act or the Privacy Act exempts the system containing your records from the requirement ONCD provide those records
upon request; a determination that ONCD prepared the records you are seeking in reasonable anticipation of a civil action
or proceeding (that is, a lawsuit or a similar proceeding); a determination on any disputed fee matter; or a denial of a request
for expedited treatment. ONCD's notification letter to you will include the reason for its decision and explain how you can
appeal.

§ 2201.4 Requests for an accounting. You may request an accounting of disclosures by the same rules governing requests for access, outlined in § 2201.2.

§ 2201.5 Requests for an amendment or correction. (a) Requirement for written requests. If you want to amend a record that pertains to you in a system of records maintained by ONCD, you must submit your request
in writing following the procedures established in this section. ONCD is not required to amend records that are not subject
to the Privacy Act of 1974. However, individuals who believe that such records are inaccurate may bring this to the attention
of ONCD.

(b) Procedures. (1) You should address your request to amend a record in a system of records to the system manager. You should include the
name of the system and a brief description of the record proposed for amendment. If the request to amend the record is the
result of you gaining access to the record in accordance with the provisions concerning access to records as set forth in
§ 2201.2, you may attach a copy of previous correspondence between you and ONCD instead of providing a separate description
of the record.

(2) If a requester cannot determine where within ONCD to send the Privacy Act request to amend a record, the requester may
send by mail or delivery to Office of General Counsel, Office of the National Cyber Director, 725 17th Street NW, Washington,
DC 20506 or by electronic means as described on ONCD's privacy program web page: https://www.whitehouse.gov/oncd/information-resources/. ONCD will forward the request to the component(s) it believes most likely to have the relevant records. For the quickest possible
handling, the requester should specify “Privacy Act Record Amendment Request” on the letter.

(3) You must validate your identity as described in § 2201.2(d). If ONCD has previously verified your identity pursuant to
§ 2201.2(d), further verification of identity is not required as long as the communication does not suggest that a need for
verification is present.

(4) You should clearly indicate the exact portion of the record you seek to have amended. If possible, you should also propose
alternative language, or at a minimum, identify the facts that you believe are not accurate, relevant, timely, or complete,
with such particularity as to permit ONCD not only to understand the basis for your request, but also to make an appropriate
amendment to the record.

(5) Your request must also state why you believe your record is not accurate, relevant, timely, or complete, explain exactly
what change(s) you are requesting, and point out specific pieces of information in your ONCD records that are inaccurate,
irrelevant, outdated, or incomplete. The burden of persuading ONCD to amend a record will be upon you. You must furnish sufficient
facts to persuade the official in charge of the system of the inaccuracy, irrelevancy, timeliness, or incompleteness of the
record.

(c) ONCD action on the request. (1) ONCD will acknowledge, in writing, receipt of a request to amend a record within 10 business days (i.e., excluding Saturdays, Sundays, and legal Federal holidays) of ONCD's receipt.

(2) ONCD will promptly respond to a Privacy Act request for amendment or correction. ONCD ordinarily will respond to Privacy
Act requests for amendment or correction according to their order of receipt. Consistent with ONCD's FOIA procedures at 32
CFR part 2200, ONCD may designate multiple processing tracks that distinguish between simple and more complex Privacy Act
requests for amendment or correction, based on the estimated amount of work or time needed to process the request. The response
reflecting the decision upon a request for amendment will include the following:

(i) The decision of ONCD whether to grant in whole, or deny any part of, the request to amend the record;

(ii) The reasons for the determination for any portion of the request which is denied; and

(iii) A description of the procedure by which the ONCD decision to deny your request may be appealed, including the name and
address of the official with whom you may lodge such an appeal.

§ 2201.6 Appeals. (a) If you wish to appeal a decision by ONCD with regard to your request to access or amend a record in accordance with the
provisions of §§ 2201.2 and 2201.5, you should submit the appeal in writing and, to the extent possible, include the information
specified in paragraph (b) of this section.

(b) Your appeal should contain a brief description of the record involved or copies of the correspondence from ONCD in which
the request to access or to amend was denied and also the reasons why you believe that access should be granted or the information
amended, as relevant. Your appeal should refer to the information you furnished in support of your claim and the reasons set
forth by ONCD in its decision denying access or amendment, as required by §§ 2201.2 and 2201.5. In order to make the appeal
process as meaningful as possible, you should set forth your disagreement in an understandable manner. In order to avoid the
unnecessary retention of personal information, ONCD reserves the right to dispose of the material concerning the request to
access or amend a record if ONCD receives no appeal in accordance with this section within 180 days of the sending by ONCD
of its decision upon an initial request. ONCD may treat an appeal received after the 180-day period as an initial request
to access or amend a record.

(c) You may send your appeal by mail or delivery to the Office of General Counsel, Office of the National Cyber Director,
725 17th Street NW, Washington, DC 20506 or by electronic means as described on ONCD's web page: https://www.whitehouse.gov/oncd/information-resources/. For the quickest possible handling, the requester should specify “Privacy Act Record Appeal” on the letter.

(d) ONCD will review your appeal, decide whether to grant or deny it, and inform you of the decision within thirty (30) business
days (excluding Saturdays, Sundays, and legal Federal holidays) from the date on which the individual requests such review
or appeal. In the event it is necessary to extend the time for making a decision, the requestor will be informed of the delay
and provide an explanation in writing. If ONCD's

  decision does not grant in full the request, the notice of the decision will describe the steps you may take to obtain judicial
  review of such a decision.

§ 2201.7 Fees. (a) Prohibitions against charging fees for Privacy Act requests. ONCD will not charge you for:

(1) The search and review of requests for records subject to this part;

(2) Any copies of the record produced as a necessary part of the process of making the record available for access; or

(3) Any copies of the requested record when ONCD determines that the only way you can access the record is by providing a
copy to you through the mail.

(b) Waiver. ONCD may at no charge provide copies of a record if it is determined the production of the copies is in the interest of the
Government.

(c) Fee schedule and method of payment. ONCD will charge fees as provided in paragraphs (c)(1) through (5) of this section except as provided in paragraphs (a) and
(b) of this section.

(1) ONCD will duplicate records at a rate of $.10 per page for all copying of 4 pages or more. There is no charge for duplication
3 or fewer pages.

(2) Where ONCD anticipates that the fees chargeable under this section will amount to more than $25.00, ONCD shall promptly
notify you of the amount of the anticipated fee or such portion thereof as can readily be estimated. If the estimated fees
will greatly exceed $25.00, ONCD may require an advance deposit. ONCD's request for an advance deposit shall extend an offer
to the requester to consult with ONCD personnel in order to reformulate the request in a manner which will reduce the fees,
yet still meet the needs of the requester.

(3) You should pay fees in full before the requested copies are issued. If the requester is in arrears for previous requests,
ONCD will not provide copies for any subsequent request until the arrears have been paid in full.

(4) Remittances shall be in the form either of a personal check or bank draft drawn on a bank in the United States, or a postal
money order. Remittances shall be made payable to the order of the Treasury of the United States and mailed or delivered to
the Office of General Counsel, Office of the National Cyber Director, 725 17th Street NW, Washington, DC 20503.

(5) ONCD will provide a receipt for fees paid upon request.

PARTS 2202-2299 [RESERVED]

Dated: March 27, 2026. Carina Bergal, Deputy General Counsel, Office of the National Cyber Director. [FR Doc. 2026-06195 Filed 3-30-26; 8:45 am] BILLING CODE 3340-D3-P

Download File

Download