[Federal Register Volume 81, Number 181 (Monday, September 19, 2016)]
[Notices]
[Pages 64198-64202]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-22410]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF JUSTICE
[CPCLO Order No. 007-2016]
Privacy Act of 1974; System of Records
AGENCY: Federal Bureau of Investigation, United States Department of
Justice
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: Pursuant to the Privacy Act of 1974, 5 U.S.C. 552a, and Office
of Management and Budget (OMB) Circular No. A-130, the Federal Bureau
of Investigation (FBI), a component of the United States Department of
Justice (Department or DOJ), proposes to establish a new system of
records titled, ``FBI Insider Threat Program Records (ITPR),'' JUSTICE/
FBI-023, to establish certain capabilities to detect, deter, and
mitigate threats by FBI personnel including, but not limited to,
employees, Joint Task Force Members, contractors, detailees, assignees,
and interns, with authorized access to FBI facilities, information
systems, or Classified information. FBI personnel assigned to the FBI
Insider Threat Prevention and Detection Program (ITPDP) will use the
system to facilitate management of insider threat inquiries and
activities associated with inquiries and referrals; identify potential
threats to FBI resources and information assets; track referrals of
potential insider threats to internal and external partners; and
provide statistical reports and meet other insider threat reporting
requirements. The FBI is concurrently
[[Page 64199]]
issuing a Notice of Proposed Rulemaking to exempt this system of
records from certain provisions of the Privacy Act elsewhere in this
Federal Register. For an overview of the Privacy Act, see: https://www.justice.gov/opcl/privacy-act-1974.
DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), the public is
given a 30-day period in which to comment. Therefore, please submit any
comments by October 19, 2016.
ADDRESSES: The public, OMB, and Congress are invited to submit any
comments to the U.S. Department of Justice, ATTN: Privacy Analyst,
Office of Privacy and Civil Liberties, National Place Building, 1331
Pennsylvania Avenue NW., Suite 1000, Washington, DC 20530-0001, or by
facsimile at 202-307-0693. To ensure proper handling, please reference
the above CPCLO Order No. on your correspondence.
FOR FURTHER INFORMATION CONTACT: Richard R. Brown, Federal Bureau of
Investigation, Assistant General Counsel, Privacy and Civil Liberties
Unit, Office of the General Counsel, J. Edgar Hoover Building, 935
Pennsylvania Avenue NW., Washington, DC 20535-0001, telephone (202)
324-3000.
SUPPLEMENTARY INFORMATION: The FBI has created a system of records,
known as the FBI Insider Threat Program Records (ITPR), to manage
insider threat matters within the FBI. Presidential Executive Order
(E.O.) 13587, Structural Reforms to Improve the Security of Classified
Networks and the Responsible Sharing and Safeguarding of Classified
Information, issued October 7, 2011, required Federal agencies to
establish an insider threat detection and prevention program to ensure
the security of Classified networks and the responsible sharing and
safeguarding of Classified information consistent with appropriate
protections for privacy and civil liberties. This system of records has
been established to enable the FBI to implement the requirements of
E.O. 13587, to meet operating capability requirements as defined by the
National Insider Threat Policy and Minimum Standards for Executive
Branch Insider Threat Programs (Nov. 21, 2012), and to fulfill
responsibilities under DOJ Order 0901, Insider Threat (Feb. 12, 2014).
The Presidential Memorandum--National Insider Threat Policy and
Minimum Standards for Executive Branch Insider Threat Programs (Nov.
21, 2012) states that an insider threat is the threat that any person
with authorized access to any United States Government resources, to
include personnel, facilities, information, equipment, networks or
systems, will use her/his authorized access, wittingly or unwittingly,
to do harm to the security of the United States through espionage,
terrorism, unauthorized disclosure of national security information, or
through the loss or degradation of departmental resources or
capabilities. The FBI ITPR may include information lawfully obtained by
the FBI from any FBI, DOJ, or United States Government component, from
other domestic or foreign government entities, or obtained from private
entities, which is necessary to identify, analyze, or resolve insider
threat matters. All FBI employees are cleared for access to handle
Classified information.
In accordance with Privacy Act requirements of 5 U.S.C. 552a(r),
the Department of Justice has provided a report to OMB and to Congress
on this new system of records.
September 2, 2016.
Erika Brown Lee,
Chief Privacy and Civil Liberties Officer, Department of Justice.
JUSTICE/FBI-023
SYSTEM NAME:
FBI Insider Threat Program Records (ITPR).
SYSTEM CLASSIFICATION:
This system includes both Classified and Unclassified information.
SYSTEM LOCATION:
Records may be maintained at all locations at which the Federal
Bureau of Investigation (FBI) operates or at which FBI operations are
supported, including: J. Edgar Hoover Bldg., 935 Pennsylvania Avenue
NW., Washington, DC 20535-0001; FBI Academy and FBI Laboratory,
Quantico, VA 22135; FBI Criminal Justice Information Services (CJIS)
Division, 1000 Custer Hollow Rd., Clarksburg, WV 22602-4843; and FBI
field offices, legal attaches, information technology centers, and
other components as listed on the FBI's Internet Web site, https://www.fbi.gov. Some or all system information may also be duplicated at
other locations where the FBI has granted direct access for support of
FBI missions, for purposes of system backup, emergency preparedness,
and/or continuity of operations.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The categories of individuals covered by this system are persons
with authorized access to FBI facilities, information systems, or
Classified information, including but not limited to present and former
FBI employees, Joint Task Force Members, contractors, detailees,
assignees, and interns.
CATEGORIES OF RECORDS IN THE SYSTEM:
An insider threat is defined as the threat that any person with
authorized access to any FBI resource, to include personnel,
facilities, information, equipment, networks, or systems may use his/
her authorized access, wittingly or unwittingly, to do harm to the
security of the United States, including damage to the United States
through espionage, terrorism, unauthorized disclosure of national
security information, or through the loss or degradation of FBI
resources or capabilities. See Presidential Memorandum, National
Insider Threat Policy and Minimum Standards for Executive Branch
Insider Threat Programs (Nov. 21, 2012). Records in the ITPR system
consist of information necessary to identify, analyze, or resolve
insider threat matters. Such records and information may include or be
derived from, but are not limited to:
A. All relevant counterintelligence and security databases and
files, including personnel security files, polygraph examination
reports, facility access records, security violation files, travel
records, foreign contact reports, and financial disclosure filings.
B. All relevant Unclassified and Classified network information
generated by Information Assurance elements, including, but not limited
to, personnel usernames and aliases, levels of network access, audit
data, unauthorized use of removable media, print logs, and other data
needed for clarification or resolution of an insider threat concern.
C. All relevant Human Resources databases and files including, but
not limited to: Personnel files, payroll and voucher files, outside
work and activities requests, disciplinary files, and personal contact
records, as may be necessary for resolving or clarifying insider threat
matters.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Executive Order (E.O.) 12968, Access to Classified Information,
issued August 2, 1995, 60 FR 40245 (Aug. 7, 1995), as amended by E.O.
13467, Reforming Processes Related to Suitability for Government
Employment, Fitness for Contractor Employees, and Eligibility for
Access to Classified National Security Information, issued June 30,
2008, 73 FR 38103 (July 2, 2008); E.O. 13526, Classified National
Security Information, issued December 29, 2009, 75 FR 707 (Jan. 5,
2010); and E.O. 13587, Structural Reforms to Improve
[[Page 64200]]
the Security of Classified Networks and the Responsible Sharing and
Safeguarding of Classified Information, issued October 7, 2011, 76 FR
63811 (Oct. 13, 2011); and Presidential Memorandum, National Insider
Threat Policy and Minimum Standards for Executive Branch Insider Threat
Programs (Nov. 21, 2012). DOJ Order 901, Insider Threat (Feb. 12,
2014), also directs the head of each Department Component to implement
DOJ policy and minimum standards issued pursuant to this policy and in
coordination with the DOJ ITPDP and ``[p]romulgate additional Component
guidance, if needed, to reflect unique mission requirements consistent
with meeting the minimum standards and guidance issued pursuant to this
policy.''
PURPOSE(S):
To monitor, detect, deter, and/or mitigate FBI insider threats. The
FBI has established the FBI ITPDP and this system of records in order
to implement the requirements of E.O. 13587, Structural Reforms to
Improve the Security of Classified Networks and the Responsible Sharing
and Safeguarding of Classified Information (Oct. 7, 2011), and the
National Insider Threat Policy and Minimum Standards for Executive
Branch Insider Threat Programs (Nov. 21, 2012). These authorities
require agencies with access to Classified information to establish
certain capabilities for detecting, deterring, and/or mitigating
insider threats, including: Accessing, gathering, integrating,
assessing, and sharing information and data derived from offices across
the organization for a centralized analysis, reporting, and response;
monitoring user activity on Classified computer networks controlled by
the federal government; evaluating personnel security information; and
establishing procedures for insider threat response actions, such as
inquiries, to clarify or resolve insider threat matters.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b), relevant information contained in this system of records may
be disclosed as a routine use, under 5 U.S.C. 552a(b)(3), in accordance
with the blanket routine uses established for FBI record systems. See
Blanket Routine Uses (BRU) Applicable to More Than One FBI Privacy Act
System of Records, JUSTICE/FBI-BRU, published at 66 FR 33558 (June 22,
2001), and amended at 70 FR 7513 (Feb. 14, 2005), and 72 FR 3410 (Jan.
25, 2007). In addition, relevant information contained in this system
of records may be disclosed as a routine use, under 5 U.S.C.
552a(b)(3), under the circumstances or for the purposes described
below, to the extent such disclosures are compatible with the purposes
for which the information was collected:
A. Where a record, either alone or in conjunction with other
information, indicates a violation or potential violation of law--
criminal, civil, or regulatory in nature--the relevant records may be
referred to the appropriate federal, state, local, territorial, tribal,
or foreign law enforcement authority or other appropriate entity
charged with the responsibility for investigating or prosecuting such
violation or charged with enforcing or implementing such law.
B. To a governmental entity lawfully engaged in collecting law
enforcement, law enforcement intelligence, or national security
intelligence information for such purposes when determined to be
relevant by the FBI.
C. To any person, organization, or governmental entity in order to
notify them of a potential terrorist threat for the purpose of guarding
against or responding to such threat.
D. To an agency of a foreign government or international agency or
entity where the FBI determines that the information is relevant to the
recipient's responsibilities, dissemination serves the best interests
of the U.S. Government, and where the purpose in making the disclosure
is compatible with the purpose for which the information was collected.
E. To any entity or individual where there is reason to believe the
recipient is or could become the target of a particular criminal
activity, conspiracy, or other threat, to the extent the information is
relevant to the protection of life, health, or property. Information
may similarly be disclosed to other recipients to the extent the
information is relevant to the protection of life, health, or property.
F. To appropriate agencies, entities, and persons when (1) the FBI
suspects or has confirmed that the security or confidentiality of
information in the system of records has been compromised; (2) the FBI
has determined that as a result of the suspected or confirmed
compromise there is a risk of harm to economic or property interests,
identity theft or fraud, or harm to the security or integrity of this
system or other systems or programs (whether maintained by the FBI or
another agency or entity) that rely upon the compromised information;
and (3) the disclosure made to such agencies, entities, and persons is
reasonably necessary to assist in connection with the FBI's efforts to
respond to the suspected or confirmed compromise and prevent, minimize,
or remedy such harm.
G. To contractors, grantees, experts, consultants, detailees,
students, or others performing or working on a contract, service,
grant, cooperative agreement, or other assignment for the FBI, when
necessary to accomplish an agency function related to this system of
records.
H. To the news media or members of the general public in
furtherance of a legitimate law enforcement or public safety function
as determined by the FBI and, where applicable, consistent with 28 CFR
50.2, unless it is determined that release of the specific information
in the context of a particular case would constitute an unwarranted
invasion of personal privacy.
I. In an appropriate proceeding before a court, grand jury, or
administrative or adjudicative body, when the FBI determines that the
records are arguably relevant to the proceeding; or in an appropriate
proceeding before an administrative or adjudicative body when the
adjudicator determines the records to be relevant to the proceeding.
J. To an actual or potential party to litigation or the party's
authorized representative for the purpose of negotiation or discussion
of such matters as settlement, plea bargaining, or informal discovery
proceedings.
K. To such recipients and under such circumstances and procedures
as are mandated by federal statute or treaty.
L. To a Member of Congress or staff acting upon the Member's behalf
when the Member or staff requests the information on behalf of, and the
request of, the individual who is the subject of the record.
M. To any agency, organization, or individual for the purposes of
performing authorized audit or oversight operations of the FBI and
meeting related reporting requirements.
N. To the National Archives and Records Administration (NARA) for
purposes of records management inspections conducted under the
authority of 44 U.S.C. 2904 and 2906.
O. To a former employee of the FBI for purposes of: Responding to
an official inquiry by a federal, state, or local government entity or
professional licensing authority, in accordance with applicable FBI or
Department of Justice regulations; or facilitating communications with
a former
[[Page 64201]]
employee that may be necessary for personnel-related or other official
purposes where the Department requires information and/or consultation
assistance from the former employee regarding a matter within that
person's former area of responsibility.
P. To the White House (the President, Vice President, their staffs,
and other entities of the Executive Office of the President (EOP)),
and, during Presidential transitions, the President-elect and Vice
President-elect and their designees for appointment, employment,
security, and access purposes compatible with the purposes for which
the records were collected by the FBI, e.g., disclosure of information
to assist the White House in making a determination whether an
individual should be: (1) Granted, denied, or permitted to continue in
employment on the White House Staff; (2) given a Presidential
appointment or Presidential recognition; (3) provided access, or
continued access, to Classified or sensitive information; or (4)
permitted access, or continued access, to personnel or facilities of
the White House/EOP complex. System records may also be disclosed to
the White House and, during Presidential transitions, to the President-
elect and Vice-President-elect and their designees, for Executive
Branch coordination of activities that relate to or have an effect upon
the carrying out of the constitutional, statutory, or other official or
ceremonial duties of the President, President-elect, Vice-President or
Vice-President-elect. System records or information may also be
disclosed during a Presidential campaign to a major-party Presidential
candidate, including the candidate's designees, to the extent the
disclosure is reasonably related to a clearance request submitted by
the candidate for the candidate's transition team members pursuant to
Section 7601 of the Intelligence Reform and Terrorism Prevention Act of
2004, as amended.
Q. To complainants and/or victims to the extent necessary to
provide such persons with information and explanations concerning the
progress and/or results of the investigations or cases arising from the
matters of which they complained and/or of which they were a victim.
R. To appropriate officials and employees of a federal agency or
entity that requires information relevant to a decision concerning the
hiring, appointment, or retention of an employee; the assignment,
detail, or deployment of an employee; the issuance, renewal,
suspension, or revocation of a security clearance; the execution of a
security or suitability investigation; the letting of a contract; or
the issuance of a grant or benefit.
S. To federal, state, local, tribal, territorial, foreign, or
international licensing agencies or associations, when the FBI
determines the information is relevant to the suitability or
eligibility of an individual for a license or permit.
T. To designated officers and employees of state, local,
territorial, or tribal law enforcement or detention agencies in
connection with the hiring or continued employment of an employee or
contractor, where the employee or contractor would occupy or occupies a
position of public trust as a law enforcement officer or detention
officer having direct contact with the public or with prisoners or
detainees, to the extent that the information is relevant to the
recipient agency's decision.
U. To such agencies, entities, and persons as is necessary to
ensure the continuity of government functions in the event of any
actual or potential disruption of normal government operations. This
use encompasses all manner of such situations in which government
operations may be disrupted, including: Military, terrorist, cyber, or
other attacks, natural or manmade disasters, and other national or
local emergencies; inclement weather and other acts of nature;
infrastructure/utility outages; failures, renovations, or maintenance
of buildings or building systems; problems arising from planning,
testing or other development efforts; and other operational
interruptions. This also includes all related pre-event planning,
preparation, backup/redundancy, training and exercises, and post-event
operations, mitigation, and recovery.
V. To any person or entity, if necessary to elicit information or
cooperation from the recipient for use by the FBI in the performance of
an authorized law enforcement, national security, or intelligence
function.
DISCLOSURE TO CONSUMER REPORTING AGENCIES:
None.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Records in this system are stored on paper and/or in electronic
form. Electronic records are stored in enterprise information
technology platforms and networks, databases and/or on hard disks,
removable storage devices or other electronic media. Paper records may
be stored in individual file folders and file cabinets with controlled
access, or other appropriate GSA-approved security containers.
Classified information is stored in accordance with applicable legal,
administrative, and other requirements.
RETRIEVABILITY:
Information in this system may be retrieved by an individual's
name, user ID, email address, Social Security number, unique employee
identifier, as well as by use of key word search terms, including the
names of persons with whom covered individuals have interacted or to
whom they have been linked.
SAFEGUARDS:
Records are maintained in secure, restricted areas and are accessed
only by authorized personnel. Physical security protections include
guarded and locked facilities requiring badges and passwords for access
and other physical and technological safeguards (such as role-based
access and strong passwords) to prevent unauthorized access. All
visitors must be accompanied by authorized staff personnel at all
times. Highly Classified or sensitive privacy information is
electronically transmitted on secure lines and in encrypted form to
prevent interception and interpretation. Users accessing system
components through mobile or portable computers or electronic devices
such as laptop computers, multi-purpose cell phones, and personal
digital assistants (PDAs) must comply with the FBI's remote access
policy, which requires encryption. All FBI employees receive a complete
background investigation prior to being hired. Other persons with
authorized access to system records receive comparable vetting. All
personnel are required to undergo privacy and annual information
security training, and are cautioned about divulging confidential
information or any information contained in FBI files. Failure to abide
by this provision violates DOJ regulations and may violate certain
civil and criminal statutes providing for penalties of fine or
imprisonment or both. As a condition of employment, FBI personnel also
sign nondisclosure agreements which encompass both Classified and
Unclassified information and remain in force even after FBI employment.
Employees who resign or retire are also cautioned about divulging
information acquired in their FBI capacity.
RETENTION AND DISPOSAL:
Records in this system are maintained and destroyed in accordance
with applicable schedules and procedures
[[Page 64202]]
issued or approved by the National Archives and Records Administration.
SYSTEM MANAGER AND ADDRESS:
Director, Federal Bureau of Investigation, 935 Pennsylvania Avenue
NW., Washington, DC 20535-0001.
NOTIFICATION PROCEDURE:
Same as RECORD ACCESS PROCEDURES, below.
RECORD ACCESS PROCEDURES:
The Attorney General has exempted this system of records from the
notification, access, and contest procedures of the Privacy Act. These
exemptions apply only to the extent that the information in this system
is subject to exemption pursuant to 5 U.S.C. 552a(j) or (k). Where
compliance would not appear to interfere with or adversely affect the
purposes of the system, or the overall law enforcement/intelligence
process, the applicable exemption (in whole or in part) may be waived
by the FBI in its sole discretion.
All requests for access should follow the guidance provided on the
FBI's Web site at https://www.fbi.gov/services/records-management/foipa. Individuals may mail, fax or email a request, clearly marked
``Privacy Act Access Request,'' to the Federal Bureau of Investigation,
ATTN: FOI/PA Request, Record/Information Dissemination Section, 170
Marcel Drive, Winchester, VA 22602-4843; Fax: 540-868-4995/6/7; Email:
(scanned copy) [email protected]. The request should include a
general description of the records sought and must include either a
completed Department of Justice Certification of Identity Form, DOJ-
361, which can be located at the above link, or a letter that has been
notarized which includes: The requester's full name, current and
complete address, and place and date of birth. In the initial request
the requester may also include any other identifying data that the
requester may wish to furnish to assist the FBI in making a reasonable
search. The request should include a return address for use by the FBI
in responding; requesters are also encouraged to include a telephone
number to facilitate FBI contacts related to processing the request. A
determination of whether a record may be accessed will be made after a
request is received.
CONTESTING RECORD PROCEDURES:
Individuals desiring to contest or amend information maintained in
the system should direct their requests according to the RECORD ACCESS
PROCEDURES listed above, stating clearly and concisely what information
is being contested, the reasons for contesting it, and the proposed
amendment to the information sought. The envelope and letter should be
clearly marked ``Privacy Act Amendment Request'' and comply with 28 CFR
Sec. 16.46. Some information may be exempt from contesting record
procedures as described in the EXEMPTIONS CLAIMED FOR THE SYSTEM
paragraph. An individual who is the subject of a record in this system
may amend those records that are not exempt. A determination whether a
record may be amended will be made at the time a request is received.
RECORD SOURCE CATEGORIES:
Information may be provided by individuals covered by this system,
the FBI, DOJ and United States Government components, other domestic
and foreign government entities, or obtained from private entities.
EXEMPTIONS CLAIMED FOR THE SYSTEM:
The Attorney General has exempted this system of records from
subsection (c)(3) and (4); (d)(1), (2), (3) and (4); (e)(1), (2), and
(3); (e)(4) (G), (H) and (I); (e)(5) and (8); (f) and (g) of the
Privacy Act. These exemptions apply only to the extent that information
in the system is subject to exemption pursuant to 5 U.S.C. 552a(j) or
(k). Rules are being promulgated in accordance with the requirements of
5 U.S.C. 553(b), (c), and (e) and have been published in today's
Federal Register. In addition, the DOJ will continue in effect and
claim all exemptions claimed under 5 U.S.C. 552a(j) or (k) (or other
applicable authority) by an originating agency from which the DOJ
obtains records, where one or more reasons underlying an original
exemption claim remain valid. Where compliance with an exempted
provision could not appear to interfere with or adversely affect
interests of the United States or other stakeholders, the DOJ in its
sole discretion may waive an exemption in whole or in part; exercise of
the discretionary waiver prerogative in a particular matter shall not
create any entitlement to or expectations of waiver in that matter or
any other matter. As a condition of discretionary waiver, the DOJ in
its sole discretion may impose any restrictions deemed advisable by the
DOJ (including, but not limited to, restrictions on the location,
manner, or scope of notice, access or amendment).
[FR Doc. 2016-22410 Filed 9-16-16; 8:45 am]
BILLING CODE 4410-02-P