Privacy Act of 1974; System of Records
| Published date | 29 May 2020 |
| Citation | 85 FR 32380 |
| Record Number | 2020-11356 |
| Section | Notices |
| Court | Environmental Protection Agency |
Federal Register, Volume 85 Issue 104 (Friday, May 29, 2020)
[Federal Register Volume 85, Number 104 (Friday, May 29, 2020)]
[Notices]
[Pages 32380-32382]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2020-11356]
=======================================================================
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
[FRL-10009-74-OMS]
Privacy Act of 1974; System of Records
AGENCY: Office of Mission Support, Environmental Protection Agency
(EPA).
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, the
Office of Mission Support (OMS) gives notice that it proposes to create
a new system of records for the Personnel Security System (PSS) 2.0.
OMS is replacing the current PSS (1.0), which is a module of the Office
of Administrative Services Information System (OASIS, EPA-41), with a
new stand-alone system, PSS 2.0, outside of the OASIS portal. All
exemptions and provisions included in the SORN for PSS 1.0 under the
OASIS portal will transfer to the new SORN for PSS 2.0.
DATES: Persons wishing to comment on this system of records notice must
do so by June 29, 2020. New routine uses for this new system of records
will be effective June 29, 2020.
ADDRESSES: Submit your comments, identified by Docket ID No. OMS-2019-
0371, by one of the following methods:
Regulations.gov: www.regulations.gov. Follow the online
instructions for submitting comments.
Email: [email protected].
Fax: 202-566-1752.
Mail: OMS Docket, Environmental Protection Agency, Mailcode: 2822T,
1200 Pennsylvania Ave. NW, Washington, DC 20460.
Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334,
1301 Constitution Ave. NW, Washington, DC. Such deliveries are only
accepted during the Docket's normal hours of operation, and special
arrangements should be made for deliveries of boxed information.
Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2019-0371. The EPA's policy is that all comments received will be
included in the public docket without change and may be made available
online at www.regulations.gov, including any personal information
provided, unless the comment includes information claimed to be
Controlled Unclassified Information (CUI) or other information for
which disclosure is restricted by statute. Do not submit information
that you consider to be CUI or otherwise protected through
www.regulations.gov. The www.regulations.gov website is an ``anonymous
access'' system for EPA, which means the EPA will not know your
identity or contact information unless you provide it in the body of
your comment. Each agency determines submission requirements within
their own internal processes and standards. EPA has no requirement of
personal information. If you send an email comment directly to the EPA
without going through www.regulations.gov your email address will be
automatically captured and included as part of the comment that is
placed in the public docket and made available on the internet. If you
submit an electronic comment, the EPA recommends that you include your
name and other contact information in the body of your comment. If the
EPA cannot read your comment due to technical difficulties and cannot
contact you for clarification, the EPA may not be able to consider your
comment. Electronic files should avoid the use of special characters,
any form of encryption, and be free of any defects or viruses. For
additional information about the EPA's public docket visit the EPA
Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.
Docket: All documents in the docket are listed in the
www.regulations.gov index. Although listed in the index, some
information is not publicly available, e.g., CUI or other information
for which disclosure is restricted by statute. Certain other material,
such as copyrighted material, will be publicly available only in hard
copy. Publicly available docket materials are available either
electronically in www.regulations.gov or in hard copy at the OMS
Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave.
NW, Washington, DC. The Public Reading Room is open from 8:30 a.m. to
4:30 p.m., Monday through Friday, excluding legal holidays. The
telephone number for the Public Reading Room is (202) 566-1744, and the
telephone number for the OMS Docket is (202) 566-1752.
FOR FURTHER INFORMATION CONTACT: Jon Ross, Office of Mission Support,
Environmental Protection Agency, William Jefferson Clinton North
Building, Mailcode 3206A, 1200 Pennsylvania Avenue NW, Washington, DC
20460; telephone number, (202) 564-6153; email address,
[email protected].
SUPPLEMENTARY INFORMATION: The Office of Mission Support (OMS) plans to
replace the current PSS (1.0), which is a module of OASIS (EPA-41),
with a new system, PSS 2.0, outside of the OASIS portal. OMS is
creating a stand-alone Privacy Act system of records for the Personnel
Security System (PSS) 2.0. All exemptions and provisions included in
the SORN for PSS 1.0 under the OASIS portal will transfer to the new
SORN for PSS 2.0. Details regarding the system of records are contained
in this Federal Register Notice. The PSS 2.0 assists the Security
Management Division (SMD) with tracking the documentation associated
with security investigations for Federal and non-Federal personnel
working for EPA. This includes reporting requirements that meet the
Security Executive Agent Directive (SEAD) 3, which establishes
reporting requirements for all ``covered individuals'' who have access
to classified information or who hold a sensitive position. Access to
the system is restricted to authorized users and will be maintained in
a secure, password protected computer system, in secure areas and
buildings with physical access controls and environmental controls. In
the performance of their official duties, EPA federal personnel must
input and manage Sensitive Personally Identifiable Information (such as
SSN) and Personally Identifiable Information (such as home address and
email address). The data is required in the system to start the
onboarding process and to manage personnel through lifecycle activity
at EPA (such as background investigations).
[[Page 32381]]
System Name and Number:
Personnel Security System (PSS) 2.0--EPA-83.
Security Classification:
Unclassified.
System Location:
National Computer Center (NCC), 109 TW Alexander Drive, Research
Triangle Park, Durham, NC 27711.
System Manager (s):
Jon Ross, Security Management Division, Environmental Protection
Agency, William Jefferson Clinton North Building, Mailcode 3206A, 1200
Pennsylvania Avenue NW, Washington, DC 20460; telephone number, (202)
564-6153; email address, [email protected].
Authority for Maintenance of the System:
5 U.S.C. 301; Federal Information Security Modernization Act (Pub.
L. 104-106, sec. 5113); Electronic Government Act (Pub. L. 104-347,
sec. 203); the Paperwork Reduction Act of 1995 (44 U.S.C. 3501); and
the Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C.
3504); Federal Property and Administrative Act of 1949, as amended.
Purpose of the System:
The purpose of the Personnel Security System is to assist the
members of the Security Management Division with tracking the
documentation associated with background investigations for potential
and current Federal and non-Federal personnel working for EPA.
Categories of Individuals Covered by the System:
Individuals who require access to EPA-controlled facilities,
information technology systems, or information classified in the
interest of national security, including applicants for employment or
to work on a contract, grant etc. Federal employees, contractors,
grantees, students, interns, volunteers, other non-Federal employees
and individuals formerly in any of these positions. The system does not
apply to occasional visitors or short-term guests to whom the Agency
will issue temporary identification.
Categories of Records in the System:
Employee name, social security number (SSN), date and place of
birth, organization, office and home addresses, office and home and
cell phone, job series, pay grade, previous employments, overseas
travel, military service, credit information, fingerprint results,
OPM's background investigation reports, driver's license information,
passport information, photograph, emergency contact, foreign passport,
foreign travel, foreign involvement, foreign contacts, ownership of
foreign property, foreign bank accounts and arrests in foreign
countries.
Record Source Categories:
The sources of data within PSS 2.0 are from internal EPA systems
such as the Human Resources Line of Business (HRLoB) and the General
Service Administration (GSA) external system, USAccess, and from
external sources such as vendors, applicants and onboard personnel. The
HRLoB SORN is EPA-1 and the USAccess SORN is GSA/GOVT-7.
Routine Uses of Records Maintained in the System, including Categories
of Users and Purposes of Such Uses:
The following routine uses are both related to and compatible with
the original purpose for which the information was collected. General
routine uses A, B, C, D E, F, G, H, I, J, and K apply to this system
(73 FR 2245). In addition, the two routine uses below (L and M) are
required by M-17-12.
L. Disclosure to Persons or Entities in Response to an Actual or
Suspected Breach of Personally Identifiable Information. To appropriate
agencies, entities, and persons when (1) the Agency suspects or has
confirmed that there has been a breach of the system of records, (2)
the Agency has determined that as a result of the suspected or
confirmed breach there is a risk of harm to individuals, the Agency
(including its information systems, programs, and operations), the
Federal Government, or national security; and (3) the disclosure made
to such agencies, entities, and persons is reasonably necessary to
assist in connection with the Agency's efforts to respond to the
suspected or confirmed breach or to prevent, minimize, or remedy such
harm.
M. Disclosure to assist another agency in its efforts to respond to
a breach. To another Federal agency or Federal entity, when the Agency
determines that information from this system of records is reasonably
necessary to assist the recipient agency or entity in (1) responding to
a suspected or confirmed breach or (2) preventing, minimizing, or
remedying the risk of harm to individuals, the recipient agency or
entity (including its information systems, programs, and operations),
the Federal Government, or national security, resulting from a
suspected or confirmed breach.
Policies and Practices for Storage of Records:
The information collected within PSS 2.0 is maintained and stored
in the database located at NCC. These records are maintained
electronically on computer storage devices such as computer tapes and
disks. Backup will be maintained at a disaster recovery site. Computer
records are maintained in a secure password protected environment.
Access to computer records is limited to those who have a need to know.
Permission level assignments will allow users access only to those
functions for which they are authorized. All records are maintained in
secure, access-controlled areas or buildings.
Policies and Practices for Retrieval of Records:
Personal information will be retrieved by SSN, name, date of birth,
email address, personal identification number or background
investigation case number.
Policies and Practices for Retention and Disposal of Records:
Records are retained and disposed of in accordance with NARA
records retention schedules appropriate to the retention of background
investigation related data, as well as EPA's Records Schedule 1008.
Administrative, Technical, and Physical Safeguards:
Security controls used to protect personal sensitive data in PSS
2.0 are commensurate with those required for an information system
rated MODERATE for confidentiality, integrity, and availability, as
prescribed in NIST Special Publication, 800-53, ``Recommended Security
Controls for Federal Information Systems,'' Revision 4.
Administrative Safeguards:
Access to PSS 2.0 requires two-factor authentication accomplished
by using Personal Identity Verification (PIV) cards that are issued to
all personnel based on the requirements of Homeland Security
Presidential Directive 12 (HSPD 12).
When a user is logged into PSS 2.0, they are asked by the system to
confirm that they still want to remain logged in. If there is no
response, or after 15 minutes of inactivity, the user is automatically
logged out of the system. Personnel are instructed to lock their
computer when they leave their desks. Personnel receive annual Privacy
Act awareness training and are regularly reminded about appropriate
SPII and PII handling procedures.
[[Page 32382]]
In addition to the agency's Rules of Behavior and Privacy Act
training that personnel undergo, PSS users are required to sign a PSS-
specific Rules of Behavior document prior to their access being granted
to the system.
Contracting Officer's Representatives (CORs) will be receiving
SPII/PII as a normal part of their operations. The COR's user guide
provides confirmation of how SPII/PII should be handled, and the
following is an excerpt of that guide:
``BE AWARE THAT YOU ARE HANDLING SENSITIVE PERSONALLY IDENTIFIABLE
INFORMATION (SPII) and need to do so under the following guidelines,
which will help prevent privacy breaches by ensuring the COR, who has a
need to know the information, is the only individual to see the PII/
SPII:
The COR will instruct the vendor to send the requested
information (name, email address, SSN) by email with the COR as the
only EPA email recipient.
The COR will enter the information into PSS 2.0 and will
then delete the email.
To properly delete the email, press the Shift key and the
Delete key at the same time--this will fully remove the email, so it
isn't even in the Deleted Items folder.
If the COR replies to the email, the COR will ensure that
all SPII and PII in their email response is removed prior to hitting
Send.
The COR will not save or print the email in any form.
The COR will not forward the email to others.''
Technical Safeguards:
Access to the data is strictly controlled and is limited to those
with an operational need to access the information. Access is granted
and managed by PSS 2.0 Administrators. A ``least-privilege'' role-based
access system is employed that restricts access to data on a ``need-to-
know'' basis; access to the data is limited to those with an
operational need to access the information. Additionally, all web-based
access to the application requires multi-factor authentication.
Physical Safeguards:
EPA employees and contractors involved in the management, design,
development, implementation and execution of the program will have
monitored access to the application. Only individuals who have the
proper authorization and who perform functions related to PSS 2.0 are
allowed to access any information. Entry to the EPA facility and within
the facility to specific spaces at the NCC is achieved using HSPD-12
PIV cards on door readers. PIV cards are only issued to personnel who
have met EPA's initial security screening requirements. Security Guards
at all entrances confirm that the PIV card is valid, unexpired and
reflects the identity of the card holder. Entry to the server rooms is
only available to personnel using their PIV cards on door readers,
where those personnel have been approved for elevated access (meaning
they have undergone a more rigorous security screening). The NCC
maintains an Access Control List to ensure access to server rooms is
limited to approved personnel only.
Record Access Procedures:
Any individual who wants access to his or her record, should make a
written request to the EPA Attn: Privacy Officer, MC2831T, 1200
Pennsylvania Avenue NW, Washington, DC 20460.
Contesting Record Procedures:
Requests for correction or amendment must identify the record to be
changed and the corrective action sought. Complete EPA Privacy Act
procedures are described in EPA's Privacy Act regulations at 40 CFR
part 16.
Notification Procedure:
Any individual who wants to know whether this system of records
contains a record about him or her, should make a written request to
the EPA, Attn: Privacy Officer, MC2831T, 1200 Pennsylvania Avenue NW,
Washington, DC 20460.
Exemptions Promulgated for the System:
Under 5 U.S.C. 552a(k)(1), (k)(2), and (k)(5), the Personnel
Security System is exempt from the following provisions of the Privacy
Act of 1974 as amended, subject to the limitations set forth in this
subsection; 5 U.S.C. 552a(c)(3); (d)(2), (d)(3), and (d)(4); (e)(1),
and (f)(2) through (5). Although the Personnel Security System has been
exempted, EPA may, in its discretion, fully grant individual requests
for access and correction if it determines that the exercise of these
rights will not interfere with an interest that the exemption is
intended to protect.
History:
The security files were previously covered under Office of
Administrative Services Information System (OASIS) EPA 41 Federal
Register (FR) Volume 71, Number 169, FR DOC No: 06-7319 until 2019 and
is being transferred to this existing PSS 2.0 SORN to include all
exemptions and provisions.
Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2020-11356 Filed 5-28-20; 8:45 am]
BILLING CODE 6560-50-P
