[Federal Register Volume 79, Number 160 (Tuesday, August 19, 2014)]
[Notices]
[Pages 49076-49078]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-19689]
=======================================================================
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
[FRL-9915-14-OARM; EPA-HQ-OEI-2012-0836]
Notification of a New System of Records Notice for the EPA
Personnel Access and Security System (EPASS)
AGENCY: Environmental Protection Agency.
ACTION: Notice.
-----------------------------------------------------------------------
SUMMARY: The U.S. Environmental Protection Agency's (EPA) Office of
Administration and Resource Management, Office of Administration,
Security Management Division is giving notice that it proposes to
create a new system of records pursuant to the provisions of the
Privacy Act of 1974 (5 U.S.C. 552a). The EPA Personnel Access and
Security System (EPASS) is being created to comply with the Homeland
Security Presidential Directive-12 (HSPD-12), which was issued on
August 12, 2004 and signed on August 27, 2004. HSPD-12 mandates a
government-wide federal standard for ensuring that identification cards
issued to government employees and contractors are reliable and secure.
EPASS complies with the federal requirements and will enhance security,
increase efficiency, reduce identity fraud, and protect personal
privacy.
DATES: Persons wishing to comment on this new system of records notice
must do so by September 29, 2014.
ADDRESS: Submit your comments, identified by Docket ID No. EPA-HQ-2012-
0836, by mail:
www.regulations.gov: Follow the online instructions for
submitting comments.
Email: [email protected].
Fax: 202-566-1752.
Mail: OEI Docket, Environmental Protection Agency, Mail
code: 2822T, 1200 Pennsylvania Ave. NW., Washington, DC 20460.
Hand Delivery: OEI Docket, EPA/DC, EPA West Building, Room
3334, 1301 Constitution Ave. NW., Washington, DC. Such deliveries are
only accepted during the docket's normal hours of operation, and
special arrangements should be made for deliveries of boxed
information.
Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-
2012-0836. EPA's policy is that all comments received will be included
in the public docket without change and may be made available online at
www.regulations.gov, including any personal information provided,
unless the comment includes information
[[Page 49077]]
claimed to be Confidential Business Information (CBI) or other
information for which disclosure is restricted by statute. Do not
submit information that you consider to be CBI or otherwise protected
through www.regulations.gov. The www.regulations.gov Web site is an
``anonymous access'' system, which means EPA will not know your
identity or contact information unless you provide it in the body of
your comment. If you send an email comment directly to EPA without
going through www.regulations.gov your email address will be
automatically captured and included as part of the comment that is
placed in the public docket and made available on the Internet. If you
submit an electronic comment, EPA recommends that you include your name
and other contact information in the body of your comment and with any
disk or CD-ROM you submit. If EPA cannot read your comment due to
technical difficulties and cannot contact you for clarification, EPA
may not be able to consider your comment. Electronic files should avoid
the use of special characters, any form of encryption, and be free of
any defects or viruses. For additional information about EPA's public
docket visit the EPA Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.
Docket: All documents in the docket are listed in the
www.regulations.gov index. Although listed in the index, some
information is not publicly available (e.g., CBI or other information
for which disclosure is restricted by statute). Certain other material,
such as copyrighted material, will be publicly available only in hard
copy. Publicly available docket materials are available either
electronically in www.regulations.gov or in hard copy at the OEI
Docket, EPA/DC, EPA West Building, Room 3334, 1301 Constitution Ave.
NW., Washington, DC. The Public Reading Room is open from 8:30 a.m. to
4:30 p.m., Monday through Friday excluding legal holidays. The
telephone number for the Public Reading Room is (202) 566-1744, and the
telephone number for the OEI Docket is (202) 566-1745.
FOR FURTHER INFORMATION CONTACT: Kelly Glazier, Security Management
Division (SMD) Acting Director, (202) 564-0351.
SUPPLEMENTARY INFORMATION:
General Information
The U.S. Environmental Protection Agency (EPA) plans to create a
Privacy Act system of records for the EPA Personnel Access and Security
System (EPASS). This system is being created for the purpose of issuing
credentials to EPA employees and its contractors that meet the
requirements of Homeland Security Presidential Directive 12 (HSPD-12)
issued on August 12, 2004. The Directive requires the development of a
mandatory, government-wide standard for issuing secure and reliable
forms of identification to executive branch employees and federal
contractors for access to federally controlled facilities and networks.
The National Institute of Standards and Technology (NIST) further
defined the issuance standards in Federal Information Processing (FIP)
Standards Publication 201which describes the minimum requirements for a
federal personal identification verification (PIV) system. EPA's
identification system, EPASS, complies with all HSPD-12 requirements.
It is designed to link a person's identity to an identification
credential and link the credential to a person's ability to physically
and logically access federally-controlled buildings and information
systems.
EPASS will contain information on all Agency employees,
contractors, consultants, volunteers and other workers who require
long-term, regular access, as required by their position, to federal
facilities, systems and networks. The personal information collected in
the personnel enrollment process consists of data elements necessary to
verify the identity of the individual and to perform background or
other investigations. EPASS will collect the applicant's name, date of
birth, Social Security Number, organizational affiliations,
fingerprints, work email address and phone number(s), other
verification and demographic information, and the applicant's
photograph.
Dated: June 24, 2014.
Renee P. Wynn,
Acting Assistant Administrator, and Acting Chief Information Officer.
EPA-62
System Name:
EPA Personnel Access and Security System (EPASS)
System Location:
Environmental Protection Agency, Office of Administration and
Resource Management (OARM), Office of Administration (OA), Ariel Rios
Building, MC3201A, 1200 Pennsylvania Ave. NW., Washington, DC 20460.
Categories of Individuals Covered by the System:
The System will collect and maintain information on individuals who
require long-term, regular access as required by their position, to
EPA-controlled facilities and information technology systems, including
federal employees, contractors, grantees, students, interns,
volunteers, other non-federal employees and individuals formerly in any
of these positions. The System does not collect information on
occasional visitors or short-term guests to whom the Agency may issue
temporary identification.
Categories of Records in the System:
Enrollment records: full name and history of name changes, social
security number, applicant ID number, date of birth, gender, race,
height, weight, hair color, eye color, digital color photograph,
fingerprints, biometric template (two fingerprints), employee
affiliation, work email address, work telephone number(s), office
location and organizational unit, employee status, foreign national
status, federal emergency response official status, National Agency
Check with Inquiries (NACI) status (permanent or provisional),
citizenship status, government agency code, computer login name/user
principal name (UPN), and personal identification verification (PIV)
card issuance location. Records in EPASS's Identity Management System
(IDMS) and Card Management System (CMS) are needed for credential
management of enrolled individuals and include PIV card serial number,
digital certificate serial number, PIV card issuance and expiration
dates, PIV card personal identification number (PIN), cardholder unique
identifier (CHUID), and card management keys. All sponsored individuals
enrolled within EPASS may be issued a PIV card. The PIV card contains
the following mandatory information: name, photograph, individual's
affiliation, organizational affiliation, PIV card expiration date,
Agency card serial number, and color-coding for employee affiliation.
The card also contains an integrated circuit chip which is encoded with
the following data elements: cardholder unique identifier (CHUID), PIV
authentication digital certificate, and two fingerprint biometric
minutiae templates.
Authority for Maintenance of the System:
Government Organization and Employees (5 U.S.C. 301); Public
Buildings under the control of Administrator of General Services (40
U.S.C. 3101); Federal Information Security Management Act of 2002 (44
U.S.C. 3541); E-Government Act of 2002 (44 U.S.C. 101); Paperwork
Reduction Act of 1995 (44 U.S.C. 3501); Executive Order 9347 (Nov. 22,
1943); and
[[Page 49078]]
Homeland Security Presidential Directive 12 (HSPD-12) (August 27,
2004).
Purpose(s):
The primary purposes of the System are to: (1) Ensure the safety
and security of Federal facilities, systems, or information, and of
facility occupants and users; (2) provide for interoperability and
trust in allowing physical access to individuals entering Federal
facilities; and (3) allow logical access to Federal information
systems, networks, and resources on a government-wide basis.
Routine Uses of Records Maintained in the System, Including Categories
of Users and the Purposes of Such Uses:
General routine uses A, B, C, D E, F, G, H, I, J, K, and L apply to
this System.
Policies and Practices for Storing, Retrieving, Accessing, Retaining,
and Disposing of Records in the System:
Storage: Records are stored on a secure server within the
EPASS sub-system Fingerprint Transmission System (FTS) and can be
accessed over the Web using encryption software. The records are kept
for 120 days and are either manually or automatically deleted.
Retrievability: Records can only be retrieved within the
System database, which requires authorized user login/password
credentials and administrative privileges to retrieve personal data
within a Web instance of the system by using a combination of first
name and last name.
Safeguards: Consistent with the requirements of the
Federal Information Security Management Act and associated OMB
policies, standards and guidance from the National Institute of
Standards and Technology, EPA protects all records from unauthorized
access through appropriate administrative, physical, and technical
safeguards. Buildings have security guards and secured doors. All
entrances are monitored through electronic surveillance equipment.
Physical security controls include indoor and outdoor security
monitoring and surveillance, badge and picture ID access screening and
biometric access screening. Personally identifiable information (PII)
is safeguarded and protected in conformance with all Federal statutes
and Office of Management and Budget (OMB) requirements. All access has
role-based restrictions. Individuals granted access privileges must be
screened for proper credentials. EPA maintains an audit trail and
performs random periodic reviews to identify any unauthorized access.
Persons given roles in the EPASS HSPD-12 process must be screened and
complete training specific to their roles to ensure they are
knowledgeable about how to protect PII.
Retention and Disposal: Records are retained and disposed
of in accordance with EPA's records schedule 089.
System Manager(s) and Address:
Director, Office of Administration and Resources Management (OARM),
Office of Administration (OA), Environmental Protection Agency, 1200
Pennsylvania Avenue NW., Washington, DC 20460.
Notification Procedures:
Any individual who wants to know whether this System of records
contains a record about him or her, who wants access to his or her
record, or who wants to contest the contents of a record, should make a
written request to the EPA FOIA Office, Attn: Privacy Act Officer,
MC2822T, 1200 Pennsylvania Avenue NW., Washington, DC 20460.
Record Access Procedure:
Requests for access must be made in accordance with the procedures
described in EPA's Privacy Act regulations at 40 CFR part 16.
Requesters will be required to provide adequate identification, such as
a driver's license, employee identification card, or other identifying
document. Additional identification procedures may be required in some
instances.
Contesting Records Procedure:
Requests for correction or amendment must identify the record to be
changed and the corrective action sought. Complete EPA Privacy Act
procedures are described in EPA's Privacy Act regulations at 40 CFR
part 16.
Record Source Categories:
The sources for information in the system are the individuals about
whom, the records are maintained, the supervisors of those individuals,
existing EPA systems, the sponsoring agency, the former sponsoring
agency, other Federal agencies, the contract employer, the former
contract employer and the U.S. Office of Personnel Management (OPM).
Systems Exempted From Certain Provisions of the Act:
None.
[FR Doc. 2014-19689 Filed 8-18-14; 8:45 am]
BILLING CODE 6560-50-P