Privacy Act of 1974; System of Records

Published date: 28 July 2021
Record Number: 2021-16016
Section: Notices
Court: Federal Retirement Thrift Investment Board
Federal Register, Volume 86 Issue 142 (Wednesday, July 28, 2021)
                [Notices]
                [Pages 40564-40566]
                From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
                [FR Doc No: 2021-16016]
                =======================================================================
                -----------------------------------------------------------------------
                FEDERAL RETIREMENT THRIFT INVESTMENT BOARD
                Privacy Act of 1974; System of Records
                AGENCY: Federal Retirement Thrift Investment Board (FRTIB).
                ACTION: Notice of a new system of records.
                -----------------------------------------------------------------------
                SUMMARY: Pursuant to the Privacy Act of 1974, the Federal Retirement
                Thrift Investment Board (FRTIB) proposes to establish a new system of
                records. Records contained in this system will be used to implement
                FRTIB's Insider Threat Program.
                DATES: This system will become effective upon its publication in
                today's Federal Register, with the exception of the routine uses which
                will be effective on August 27, 2021. FRTIB invites written comments on
                the routine uses and other aspects of this system of records. Submit
                any comments by August 27, 2021.
                ADDRESSES: You may submit written comments to FRTIB by any one of the
                following methods:
                 Federal eRulemaking Portal: http://www.regulations.gov.
                Follow the website instructions for submitting comments.
                 Fax: 202-942-1676.
                 Mail or Hand Delivery: Office of General Counsel, Federal
                Retirement Thrift Investment Board, 77 K Street NE, Suite 1000,
                Washington, DC 20002.
                FOR FURTHER INFORMATION CONTACT: Dharmesh Vashee, General Counsel and
                Senior Agency Official for Privacy, Federal Retirement Thrift
                Investment Board, Office of General Counsel, 77 K Street NE, Suite
                1000, Washington, DC 20002, (202) 942-1600. For access to any of the
                FRTIB's systems of records, contact Amanda Haas, FOIA Officer, Office
                of General Counsel, at the above address and phone number.
                SUPPLEMENTARY INFORMATION: FRTIB proposes to establish a new system of
                records entitled, ``FRTIB-23, Insider Threat Program Records.'' FRTIB
                is committed to protecting FRTIB facilities, information, and
                information systems. In order to better protect these resources, FRTIB
                has established an Insider Threat Program to prevent, detect, and
                mitigate the effects of insider threats. An insider threat is an
                individual who has or had authorized access to an organization's
                assets, and uses their access, either maliciously or unintentionally,
                to act in a way that could cause harm to FRTIB facilities, information
                systems, or data.
                 FRTIB is not legally required to have an insider threat program
                under Executive Order 13587, as the agency does not maintain classified
                information. However, FRTIB has implemented this program as a best
                practice in order to protect the information that it maintains,
                including controlled unclassified information. FRTIB's Insider Threat
                Program is based on standards developed by the National Institute of
                Standards and Technology and the National Insider Threat Task Force.
                The records compiled to administer the insider threat program may be
                from any program, record, or source, and may contain records pertaining
                to information security, personnel security, or physical security.
                 FRTIB will publish regulations to exempt such material in the new
                system of records from certain requirements under the Privacy Act of
                1974 (5 U.S.C.
                552a), based on subsection (k)(2) of the Act.
                 The collection and maintenance of these records is new. The
                implementation of this new system of records will be effective on July
                28, 2021. FRTIB proposes to apply eleven routine uses to FRTIB-23.
                Dharmesh Vashee,
                General Counsel and Senior Agency Official for Privacy.
                SYSTEM NAME AND NUMBER:
                 FRTIB-23, Insider Threat Program Records.
                SECURITY CLASSIFICATION:
                 Unclassified.
                SYSTEM LOCATION:
                 Records are located at the Federal Retirement Thrift Investment
                Board, 77 K Street NE, Suite 1000, Washington, DC 20002. Records may
                also be maintained at the business offices of third-party service
                providers. Records may also be maintained at additional locations for
                Business Continuity purposes.
                SYSTEM MANAGER:
                 Insider Threat Program Manager, Federal Retirement Thrift
                Investment Board, 77 K Street NE, Suite 1000, Washington, DC 20002,
                (202) 942-1600.
                AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
                 5 U.S.C. 8474; 44 U.S.C. Chapter 35; 44 U.S.C. 3101.
                PURPOSE(S) OF THE SYSTEM:
                 FRTIB's Insider Threat Program is being implemented to prevent,
                detect, and mitigate the effects of insider threats, defined as, ``the
                potential for an individual who has or had authorized access to an
                organization's assets to use their access, either maliciously or
                unintentionally, to act in a way that could negatively affect the
                organization.''
                 The Insider Threat Program system of records is being established
                to manage insider threat matters; facilitate insider threat activities,
                inquiries, and investigations; identify insider threats to FRTIB
                facilities, information, and information systems; track referrals of
                potential insider threats from FRTIB's hotline; and to track referrals
                of potential insider threats to internal and external partners.
                CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
                 This system collects information on current or former FRTIB
                employees, contractors, subcontractors, or any other individuals who
                have or have previously had authorized access to FRTIB facilities,
                information, or information systems.
                CATEGORIES OF RECORDS IN THE SYSTEM:
                 The categories of records compiled for each insider threat report,
                inquiry, or investigation may vary significantly based on the nature of
                each actual or potential insider threat incident.
                 Categories of records in the Insider Threat Program system of
                records may include name; social security number; date of birth; place
                of birth; personal and business email address; personal and business
                phone number; work history; background investigation information
                (including any information derived from SF-85, SF-85P, and SF-86 forms
                and background investigation processes); user ID; user activity
                performed on FRTIB devices; correspondence sent or received on an FRTIB
                device or network; personnel records (including disciplinary records
                and performance records); records of access to FRTIB facilities;
                records of security violations; reports from FRTIB's hotline for fraud,
                waste, abuse, and other misconduct; and law enforcement referrals.
                RECORD SOURCE CATEGORIES:
                 To monitor, identify, and respond to potential insider threats,
                information in the system will be received on an as-needed basis
                depending on the nature of the inquiry or investigation from: FRTIB
                employees, contractors, vendors, or other individuals with access to
                FRTIB facilities, information, or information systems; FRTIB's hotline
                for reporting fraud, waste, abuse, and other misconduct; information
                collected through user activity monitoring; officials from other
                foreign, federal, tribal, state, and local government agencies and
                organizations; non-government, commercial, public, and private agencies
                and organizations; and from relevant records, including information
                security databases and files; personnel security databases and files;
                FRTIB human resources databases and files; access records for FRTIB
                facilities; FRTIB contractor files; FRTIB's Office of Technology
                Services; FRTIB telephone usage records; federal, state, tribal,
                territorial, and local law enforcement and investigatory records; other
                Federal agencies; and publicly available information.
                ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
                OF USERS AND PURPOSES OF SUCH USES:
                 Information about covered individuals may be disclosed without
                consent as permitted by the Privacy Act of 1974, as amended, 5 U.S.C.
                552a(b); and:
                 1. Routine Use--Audit: A record from this system of records may be
                disclosed to an agency, organization, or individual for the purpose of
                performing an audit or oversight operations as authorized by law, but
                only such information as is necessary and relevant to such audit or
                oversight function when necessary to accomplish an agency function
                related to this system of records. Individuals provided information
                under this routine use are subject to the same Privacy Act requirements
                and limitations on disclosure as are applicable to FRTIB officers and
                employees.
                 2. Routine Use--Breach Mitigation and Notification: Response to
                Breach of FRTIB Records: A record from this system of records may be
                disclosed to appropriate agencies, entities, and persons when (1) FRTIB
                suspects or has confirmed that there has been a breach of the system of
                records; (2) FRTIB has determined that as a result of the suspected or
                confirmed breach there is a risk of harm to individuals, FRTIB
                (including its information systems, programs, and operations), the
                Federal Government, or national security; and (3) the disclosure made
                to such agencies, entities, and persons is reasonably necessary to
                assist in connection with FRTIB's efforts to respond to the suspected
                or confirmed breach or to prevent, minimize, or remedy such harm.
                 3. Routine Use--Response to Breach of Other Records: A record from
                this system of records may be disclosed to another Federal agency or
                Federal entity, when FRTIB determines that information from this system
                of records is reasonably necessary to assist the recipient agency or
                entity in (1) responding to a suspected or confirmed breach or (2)
                preventing, minimizing, or remedying the risk of harm to individuals,
                the recipient agency or entity (including its information systems,
                programs, and operations), the Federal Government, or national
                security, resulting from a suspected or confirmed breach.
                 4. Routine Use--Congressional Inquiries: A record from this system
                of records may be disclosed to a Congressional office from the record
                of an individual in response to an inquiry from that Congressional
                office made at the request of the individual to whom the record
                pertains.
                 5. Routine Use--Contractors, et al.: A record from this system of
                records may be disclosed to contractors, grantees, experts,
                consultants, the agents thereof, and others performing or working on a
                contract, service, grant, cooperative agreement, interagency agreement,
                or other assignment for FRTIB, when
                necessary to accomplish an agency function related to this system of
                records. Individuals provided information under this routine use are
                subject to the same Privacy Act requirements and limitations on
                disclosure as are applicable to FRTIB officers and employees.
                 6. Routine Use--Third-Party Service Providers: A record from this
                system of records may be disclosed to third-party service providers,
                including other government agencies, such as the Department of Justice,
                that provide support for FRTIB's Insider Threat Program under a
                contract or interagency agreement.
                 7. Routine Use--Disclosure to Law Enforcement: Where a record,
                either alone or in conjunction with other information, indicates a
                violation or potential violation of law--criminal, civil, or regulatory
                in nature--the relevant records may be referred to the appropriate
                federal, state, local, territorial, tribal, or foreign law enforcement
                authority or other appropriate entity charged with the responsibility
                for investigating or prosecuting such violation or charged with
                enforcing or implementing such law.
                 8. Routine Use--Litigation, DOJ or Outside Counsel: A record from
                this system of records may be disclosed to the Department of Justice,
                FRTIB's outside counsel, other Federal agency conducting litigation or
                in proceedings before any court, adjudicative or administrative body,
                when: (1) FRTIB, or (2) any employee of FRTIB in his or her official
                capacity, or (3) any employee of FRTIB in his or her individual
                capacity where DOJ or FRTIB has agreed to represent the employee, or
                (4) the United States or any agency thereof, is a party to the
                litigation or has an interest in such litigation, and FRTIB determines
                that the records are both relevant and necessary to the litigation and
                the use of such records is compatible with the purpose for which FRTIB
                collected the records.
                 9. Routine Use--Litigation, Opposing Counsel: A record from this
                system of records may be disclosed to a court, magistrate, or
                administrative tribunal in the course of presenting evidence, including
                disclosures to opposing counsel or witnesses in the course of civil
                discovery, litigation, or settlement negotiations or in connection with
                criminal law proceedings or in response to a subpoena.
                 10. Routine Use--NARA/Records Management: A record from this system
                of records may be disclosed to the National Archives and Records
                Administration (NARA) or other Federal Government agencies pursuant to
                the Federal Records Act.
                 11. Routine Use--Insider Threat Community of Practice: A record
                from this system of records may be disclosed to any Federal agency or
                group of agencies with responsibilities for activities related to
                counterintelligence or the detection of insider threats.
                POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
                 Records are maintained in paper and electronic form, including on
                computer databases and cloud-based services, all of which are securely
                stored.
                POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
                 Records are retrieved by name, phone number, case number, or
                internal FRTIB identification (including FRTIB email, username, etc.).
                POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
                 These records are maintained in accordance with General Records
                Schedule 5.6 (Security Records), Items 210 through 240, issued by the
                National Archives and Records Administration (NARA).
                ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
                 FRTIB has adopted appropriate administrative, technical, and
                physical controls in accordance with FRTIB's security program to
                protect the security, confidentiality, availability, and integrity of
                the information and to ensure that records are not disclosed to or
                accessed by unauthorized individuals. Access to the records in this
                system is limited to individuals who have the appropriate permissions
                and who have a need to know the information in order to perform their
                official duties.
                RECORD ACCESS PROCEDURES:
                 Individuals seeking to access records within this system must
                submit a request pursuant to 5 CFR part 1630. Attorneys or other
                persons acting on behalf of an individual must provide written
                authorization from that individual, such as a Power of Attorney, in
                order for the representative to act on their behalf.
                CONTESTING RECORD PROCEDURES:
                 See Record Access Procedures above.
                NOTIFICATION PROCEDURES:
                 See Record Access Procedures above.
                EXEMPTIONS PROMULGATED FOR THE SYSTEM:
                 Records in this system will be exempt, based on 5 U.S.C.
                552a(k)(2), from the requirements in subsections (c)(3), (d)(1)-(4),
                (e)(1), (e)(4)(G)-(I), and (f) of the Privacy Act. The Agency has
                promulgated regulations implementing the Privacy Act at 5 CFR 1632.15
                that establish this exemption.
                HISTORY:
                 None.
                [FR Doc. 2021-16016 Filed 7-27-21; 8:45 am]
                BILLING CODE P
                
