To provide analysis to the Congress, the Congressional Budget Office requires access to a wide array of data from other federal agencies. CBO uses those data to produce baseline budget projections, economic projections, cost estimates, and reports. Some of those data are sensitive, and agencies that collect and house such data may require a data use agreement to share them with CBO. This report describes the process of drafting such agreements, the agreements that CBO has with other federal agencies, and the successes and challenges that CBO has experienced in accessing data over the past twelve months (since September 30, 2024). Some of the most salient challenges relate to agencies’ responsiveness, and others relate to the legal authority to access particularly sensitive data.
Background
CBO has productive working relationships with many executive branch agencies and can often obtain information simply by asking for it. When it is lawful to do so, agencies can provide the requested information without further steps. Sometimes, however, formal arrangements are required. In those instances, three types of legal authority allow CBO to obtain information: general authority, which broadly requires agencies to share information with CBO; specific authority, which requires agencies to provide particular information to CBO; and other authority, which applies in particular circumstances, such as when the work also benefits those agencies.
In 2024, lawmakers enacted two pieces of legislation to improve CBO’s access to information:
- The Congressional Budget Office Data Sharing Act (Public Law 118-89), which amended the Congressional Budget Act of 1974, and
- The Congressional Budget Office Data Access Act (Public Law 118-104), which amended the Privacy Act of 1974.
The Congressional Budget Office Data Sharing Act (hereafter, the Data Sharing Act) clarifies CBO’s general authority to request and receive information from other federal agencies.1 The law also highlights that CBO is obligated to protect data it receives and maintain the same level of confidentiality as the data’s originating agencies.2 The law does not supersede disclosure rules that are outlined in statute for certain types of data.3 For example, data that are protected from disclosure under title 13 or title 26 of the U.S. Code are still protected under those statutes.
The Congressional Budget Office Data Access Act (hereafter, the Data Access Act) amended the Privacy Act (5 U.S.C. § 552a) so that agencies may share Privacy Act–protected records with CBO when requested. The Privacy Act generally prohibits executive branch agencies from disclosing certain records without the prior written consent of the people to whom the records pertain, though it includes specific exceptions. The Data Access Act added an exception for disclosures to CBO because analyses requested by the Congress often require individually identifiable data protected by the Privacy Act rather than aggregate data or summary statistics. The Data Access Act thus provided CBO with data access similar to that of the Joint Committee on Taxation (JCT) and the Government Accountability Office.
The Data Sharing Act requires CBO to produce a report about its requests for data from other federal agencies and the challenges it has faced accessing those data within one year of the law’s enactment; this report satisfies that requirement. In addition, the House Committee on Appropriations directed CBO to report any challenges in accessing federal data and to identify whether the Congress can take any actions to ensure CBO’s continuous and real-time access to such data. CBO began including that information in its annual budget requests starting with its budget request for fiscal year 2024.4
Data Use Agreements
CBO often relies on formal agreements to access data that are sensitive or have restricted uses (typically because of limitations on the agency that collects or holds the data outlined in relevant statutes).5 Such agreements lay out the scope of the data, the responsibilities of CBO and the agency providing the data, measures to ensure the security of the data, and information the data are expected to provide. They also typically specify how CBO’s analysts should access the data, which analysts are allowed access, and how long the data access period will last. Obtaining data from other federal agencies through those agreements requires time and resources.
Since the Data Sharing Act and the Data Access Act were enacted in 2024, CBO has entered into or renewed five data use agreements with other federal agencies in accordance with section 201(d) of the Congressional Budget Act. At the time of this publication, there are four pending agreements. CBO also has several ongoing agreements that predate those data access laws and has continued to receive data through those agreements and through agreements under other authorities.
Steps in Forming Data Use Agreements
The typical steps involved in creating a data use agreement are as follows:
- Requesting data and engaging with the agency,
- Drafting an agreement through iterations between analysts and attorneys at both agencies, and
- Implementing and renewing the agreement.
Requesting Data and Engaging With the Agency. The first step involved in creating an agreement is a request for data, which usually occurs when an analyst at CBO finds a dataset that would improve CBO’s ability to answer questions for the Congress. That dataset could be one that was not available before, one that was newly made known to the analyst, or one with information about a new topic of interest. Sometimes an analyst identifies highly sensitive information that is collected but not published in a public dataset and requires a formal agreement to access.
Frequently, CBO has a point of contact at the agency that collects or houses the data, but not always. When pursuing new data, working with knowledgeable people who collect or maintain those data can help CBO analysts better understand how the data are structured, the quality of the data, any nuances in what the data measure, and potential issues with using the dataset. Often it takes time to identify an appropriate point of contact at an agency who has deep knowledge of the data, is authorized on behalf of the agency to enable data sharing with CBO, or can draft and sign the data use agreement. In addition to the requesting analyst, the analyst’s manager and CBO’s attorneys and information technology (IT) and information security teams contribute to the process of shaping the data use agreement. Typically, individuals in similar roles at the data-sharing agency contribute.
Drafting a Data Use Agreement. Once the dataset and the people who can grant access to those data have been identified, the data-sharing agency and CBO discuss the broad outlines of an agreement: the scope of the relevant data, the responsibilities of each agency, the expected output of CBO’s analysis, and the allowed uses by analysts. Then, as the legal agreement is drafted, details are clarified. CBO currently has four agreements in that beginning stage: Points of contact have been identified, and discussions and drafting are ongoing, but the agreements have not yet been finalized or signed by the agencies (see Table 1). Those pending agreements cover data on a broad range of topics, including immigrants’ employment authorizations, new drug development, and gas transmission pipelines.
Table 1.
CBO’s Pending Data Use Agreements as of September 2025
Notes
Data source: Congressional Budget Office.
This table includes unsigned agreements in the drafting stage that are required to access or continue accessing data. Exploratory conversations regarding future access to data or access to additional data are not included.
HOME = HOME Investment Partnerships Program.
Common terms in data use agreements include the specific data being accessed, the duration of CBO’s access to the data, the conditions under which the agreement may be modified or terminated, and the statutory authorities under which the agency can share and CBO can receive the data. They also establish the responsibilities of each agency, including whether and how the data-sharing agency will securely transmit the data to CBO and how CBO can safely store and use those data. In some cases, the originating agency provides access remotely, such as through a secure portal. Agreements also typically specify who from CBO will be able to access the data and how long that access will last.
CBO must maintain the same level of confidentiality as is required of the agency providing the data.6 Protocols related to physical access to the data may require locks on offices, electronic credential control for offices or office suites, and privacy shields on computer monitors. Other types of security protocols relating to IT infrastructure or the credentials of those accessing the data are also discussed at this stage and included in agreements.
Sometimes a dataset includes information from multiple sources that are linked together. In those cases, CBO may need to negotiate with multiple agencies that provided inputs because the components of the dataset are covered by separate legal authorities. Data that are merged from multiple sources are known as commingled data. Because commingled data carry a greater risk of unauthorized disclosure, they may require additional security measures.
The output that CBO expects to produce may be difficult to define early in the process. Throughout the iterative agreement process, CBO analysts may learn more about what is feasible with the data and what additional steps are needed to ensure data security. For example, minimum sample sizes or aggregations may be needed to protect the privacy of individuals represented in the data but still allow CBO to provide useful analysis.
Agreements also reference allowed uses of the data; for example, a prohibition against browsing (that is, reviewing data without a specific work-related need) could be included. Some short-term agreements are useful for narrow questions. Long-term agreements (or renewable agreements) are useful for repeated questions and long-term analysis.
Implementing and Renewing the Agreement. Finally, after the agreement is signed, CBO must implement the agreement’s terms to access the data. That implementation could include developing and maintaining confidential computing environments with enhanced cybersecurity tailored to the dataset, purchasing equipment for physical security, creating partitions on a server, purchasing storage for the data, completing training, or initiating in-depth background checks. Over time, the requirements for securely storing data have become more complex and expensive to implement.
The data-sharing agency must also spend time and resources to make the data accessible. That could include creating log-in credentials, writing code to extract data, sharing training materials, answering questions as the work progresses, and reviewing the final output to mitigate disclosure risks before releasing information from a secure space.
Often CBO will have an ongoing need for data beyond the original period of approved use. That may be because of continued interest from the Congress or because the data are used for recurring work and more recent data are required. Renewals may focus on extending the current agreement in its original form to prolong CBO’s access to the data. They may also make changes such as incorporating more recent data, including additional variables, changing the points of contact, prolonging the period of the agreement, and addressing new agency processes and priorities. If a dataset is not required for ongoing work, CBO is often required to destroy it once the access period expires.
Since the enactment of the Data Sharing Act and the Data Access Act, CBO has entered the implementation stage or signed renewals for five data use agreements in accordance with section 201(d) of the Congressional Budget Act (see Table 2). Data referenced in those agreements are currently available for projects to support the Congress.
Table 2.
CBO’s Data Use Agreements Signed Since the Enactment of the Congressional Budget Office Data Sharing Act
Notes
Data source: Congressional Budget Office.
FTI = federal tax information; TANF = Temporary Assistance for Needy Families.
a. Disclosure of FTI requires approval from the Internal Revenue Service. The data use agreements with the Internal Revenue Service authorizing the disclosure of the FTI data appear in Table 4.
Data Use Agreements in Place Before September 30, 2024
CBO has worked with other agencies for years to secure access to data needed for work supporting the Congress. For a list of agreements authorized under the Congressional Budget Act, as amended, that are active and were in place before the passage of the Data Sharing Act, see Table 3.
Table 3.
CBO’s Data Use Agreements Established Before the Enactment of the Congressional Budget Office Data Sharing Act
Notes
Data source: Congressional Budget Office.
a. Agreements labeled as “ongoing” do not have an expiration date.
b. This agreement with the Centers for Medicare & Medicaid Services is also listed in Table 4. It replaces multiple data agreements providing access to data for CBO’s analysis of federal health care programs. Table 4 identifies data that are not authorized to be shared under CBO’s specific data authority (section 201(d) of the Congressional Budget Act of 1974, as amended).
c. Congressional Budget Office, Growth in the 340B Drug Pricing Program (September 2025), www.cbo.gov/publication/60661.
d. Those models continue to be used in CBO’s baseline projections of the budgetary costs and savings of federal programs that guarantee mortgages. For examples of those projections, see www.cbo.gov/data/baseline-projections-selected-programs#5.
Data Use Under Specific Authority and Other Authority
When CBO secures access to confidential data under specific authority or other authority provided by law, the process is similar and usually requires agreements regarding the use of the data. For example, federal tax information (FTI) is subject to strict statutory requirements regarding who can use the data and for what purpose. The tax code provides that CBO can use FTI “for the purpose of, but only to the extent necessary for, long-term models of the Social Security and Medicare programs.”7 Even with that explicit statutory authority, CBO needs to enter into agreements with the Internal Revenue Service (IRS) and the Social Security Administration to secure access to FTI. Those agreements require CBO to ensure the confidentiality of the FTI in the same way those agencies do.
Currently, CBO does not have specific statutory authority to use FTI for other purposes. CBO can use other authority to lawfully access FTI for certain purposes when the work is beneficial to CBO and other agencies. For example, an agreement with JCT allows CBO employees to obtain access to FTI as agents of JCT’s Chief of Staff. That agreement allows for some limited uses of FTI for projects such as the development of baseline projections, which benefit both agencies. CBO is currently seeking specific statutory authority to use FTI related to the agency’s analyses of the Pell grant and student loan programs.
For a list of agreements under specific authorities and other authorities, see Table 4.
Table 4.
CBO’s Data Use Agreements Subject to Authorization by Additional Authorities
Notes
Data source: Congressional Budget Office.
FY = fiscal year; FTI = federal tax information; HEA = Higher Education Act; IRS = Internal Revenue Service; SNAP = Supplemental Nutrition Assistance Program; TANF = Temporary Assistance for Needy Families; WIC = Special Supplemental Nutrition Program for Women, Infants, and Children.
a. Agreements labeled as “ongoing” do not have an expiration date.
b. This agreement is also listed in Table 3. The data are shared with CBO as part of an umbrella agreement with the Centers for Medicare & Medicaid Services but required additional statutory authority provided by a 2022 amendment to the Social Security Act (sec. 4132(3) of the Consolidated Appropriations Act, 2023, Public Law 117-328 (2022)).
c. These data use agreements authorize the Social Security Administration’s release of data that include FTI.
Successes and Challenges in Fiscal Year 2025
Since the enactment of the Data Sharing Act and the Data Access Act, CBO has experienced both successes and challenges in accessing data from other federal agencies.
Successes
In fiscal year 2025, CBO benefited from effective communication with data-sharing agencies and assistance from House Budget Committee staff. The new data access laws facilitated the renewal of several data use agreements and the creation of new ones. For example, in the spring and summer of 2025, House Budget Committee staff aided CBO’s work with the Office of Management and Budget to obtain the data needed to produce cost estimates of rescissions as they were being debated.
CBO has collaborated with other agencies on agreements to access highly restricted and confidential data. For example, CBO coordinated with the National Center for Health Statistics (NCHS) to access data used for research regarding projections of mortality and fertility. NCHS approved the transmission of restricted data to CBO’s secure cloud environment, modifying its initial access policies after discussions with CBO’s IT and information security teams. The recently signed agreement, which was initiated this past spring, had an efficient drafting process and was completed in four months.
Several agencies have been forthcoming in communicating anticipated changes to data and why those data have changed. That has allowed for a collaborative process of modifying data use agreements. For example, following notice from the Social Security Administration, CBO reviewed updated data protection terms and was able to restore its access to certain variables that would otherwise have been eliminated from an existing agreement.
Challenges
CBO has also faced several challenges in accessing data over the past fiscal year. Those challenges have included limited resources, personnel turnover, changes in available data, and difficulties navigating specific statutes that protect data of interest.
Data use agreements often require additional cybersecurity protection measures, which generate sizable but necessary costs for CBO. For fiscal year 2026, CBO requested an additional $2.8 million for nonpersonnel costs in its budget, principally to enhance cybersecurity and IT infrastructure.8 Turnover among CBO’s cybersecurity professionals has led to additional costs for cybersecurity services from contractors.
The resources of the sharing agency can also pose challenges. For example, errors identified in existing databases and newly updated guidance for sharing different types of data have limited or slowed some agencies’ ability to deliver data to CBO.
Smooth and successful data access requires ongoing communication. Having a reliable point of contact at the agency that houses the data is crucial to that process and to CBO’s ongoing data access more generally. Reorganizations and personnel departures at executive branch agencies during fiscal year 2025 have made identifying a point of contact at some agencies more difficult. However, staff at those agencies have been helpful in navigating those changes.
Other challenges that CBO has experienced relate to changes in publicly available data released by executive branch agencies. In addition to data accessed through agreements, CBO uses data that are released to the public. In recent months, the publication of some of those data has been delayed or halted. Some of the data may no longer be collected or prepared for analysis, whereas other data are collected but no longer shared broadly and may require agreements for future access.
CBO has been able to access some of the unpublished data after agencies received Freedom of Information Act (FOIA) requests from nonprofit organizations. For example, in past years, the Environmental Protection Agency (EPA) published its annual Inventory of U.S. Greenhouse Gas Emissions and Sinks on the agency’s website in April. This year, the report was not published in April, although a draft version was made available in January for public comment. The final version was released through EPA’s FOIA library, but it is not accessible in the same way as the earlier reports, and it is uncertain whether the information will be publicly accessible in the future.
Similarly, the Office of Homeland Security Statistics used to release monthly information about people leaving Customs and Border Protection custody and about repatriations. CBO used those data when developing population projections. However, at the time of this publication, those data have not been released since January 2025. (That release included information through November 2024.) Although some data on repatriations have been released through FOIA requests, and similar metrics are available elsewhere, those data may not be comparable to the data published in the past. CBO may need additional information and resources to use those indirect sources of data going forward, or more data use agreements may be required.
Another challenge has been shifting requirements for accessing data that are protected by specific statutes. For example, CBO has traditionally used data from the Free Application for Federal Student Aid (FAFSA) and the National Student Loan Data System (NSLDS) to project federal spending on Pell grants and student loans. Data on income in the FAFSA and the NSLDS now come directly from the IRS, which means they qualify as FTI. The Department of Education therefore will not be able to share updated data on the income of student borrowers and Pell grant applicants with CBO unless a change is made to the law. Without access to the updated data, CBO will need to use older data or other, less precise sources of information, which would make its work less reliable. CBO is seeking an amendment to section 6103 of the Internal Revenue Code that would allow the agency to receive those updated data. CBO already complies with the IRS’s security requirements to receive FTI for other purposes under section 6103.
1. Although the law refers to “any department, agency, or establishment of the executive branch of Government or any regulatory agency or commission of the Government,” such institutions are referred to as “agencies” throughout this report for simplicity. CBO also obtains information from nonfederal sources, including state governments and private institutions. Data use agreements with nonfederal entities are outside the scope of this report.
2. See 2 U.S.C. § 603(e).
3. Both the Senate and the President stated that the Data Sharing Act does not override those or other data protection laws. See Congressional Record—Senate, vol. 170, no. 140, 118th Cong., 2nd Sess. (September 10, 2024), pp. S5945–S5946, https://tinyurl.com/5y89c43y; and Joseph R. Biden Jr., statement on signing the Congressional Budget Office Data Sharing Act (September 30, 2024), www.govinfo.gov/app/details/DCPD-202400853.
4. For information about CBO’s access to data in its fiscal year 2026 budget request, see Congressional Budget Office, The Congressional Budget Office’s Request for Appropriations for Fiscal Year 2026 (April 2025), pp. 6–7, www.cbo.gov/publication/61161.
5. CBO previously described the different kinds of data that the agency receives from other federal agencies and how it receives such data in Congressional Budget Office, The Congressional Budget Office’s Access to Data From Federal Agencies (June 2021), www.cbo.gov/publication/57150.
6. That requirement is stated in the Congressional Budget Act at 2 U.S.C. § 603(e) and reiterated in the Data Sharing Act.
7. See 26 U.S.C. § 6103(j)(6).
8. Congressional Budget Office, The Congressional Budget Office’s Request for Appropriations for Fiscal Year 2026 (April 2025), www.cbo.gov/publication/61161.
Section 2(b) of the Congressional Budget Office Data Sharing Act requires the Congressional Budget Office to provide the Congress with a report detailing its requests for data, pursuant to written agreements, from other federal agencies and the challenges it has faced accessing those data. In keeping with CBO’s mandate to provide objective, impartial analysis, the report makes no recommendations.
Rebecca Heller and Emma Kugelmass wrote the report with guidance from Kevin Laden, Xiaotong Niu, and Julie Topoleski. Chayim Rosito contributed to the analysis. Xinzhe Cheng, Daniel Crown, Justin Falk, Sebastien Gay, Tamara Hayford, Claire Hou, Joseph Kile, Wendy Kiska, Leah Koestner, Scott Laughery, John McClelland, Garrett Quenneville, Mitchell Remy, Byoung Hark Yoo, and Chris Zogby offered comments. Ian Shayne fact-checked the report.
Mark Hadley, Jeffrey Kling, and Lara Robillard reviewed the report. Christine Browne edited it, and R. L. Rebach prepared the text for publication. The report is available at www.cbo.gov/publication/61548.
CBO seeks feedback to make its work as useful as possible. Please send comments to communications@cbo.gov.
Phillip L. Swagel
Director