[Federal Register Volume 69, Number 239 (Tuesday, December 14, 2004)]
[Notices]
[Pages 74500-74502]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 04-27321]


-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

Patent and Trademark Office


Privacy Act of 1974; System of Records

AGENCY: United States Patent and Trademark Office, Commerce.

ACTION: Notice of proposed new Privacy Act system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the requirements of the Privacy Act of 
1974, as amended, the United States Patent and Trademark Office (USPTO) 
gives notice of a proposed new system of records entitled ``COMMERCE/
PAT-TM-17 USPTO Security Access Control and Certificate Systems.'' We 
invite the public to comment on the system announced in this 
publication.

DATES: Written comments must be received no later than January 13, 
2005. The proposed system of records will be effective on January 13, 
2005, unless the USPTO receives comments that would result in a 
contrary determination.

ADDRESSES: You may submit written comments by any of the following 
methods:
     E-mail: [email protected].
     Fax: (571) 273-5357, marked to the attention of Chris 
Rutherford.
     Mail: Chris Rutherford, IT Security Program Office, United 
States Patent and Trademark Office, Madison Building West-Room 5A19, 
600 Dulany Street, Alexandria, VA 22314.
    All comments received will be available for public inspection at 
the Public Search Facilities, Madison East-1st Floor, 600 Dulany 
Street, Alexandria, VA 22314.

FOR FURTHER INFORMATION CONTACT: Director, IT Security Program Office, 
United States Patent and Trademark Office, Madison Building West-Room 
5A05, 600 Dulany Street, Alexandria, VA 22314, (571) 272-5356.

SUPPLEMENTARY INFORMATION: The United States Patent and Trademark 
Office (USPTO) is giving notice of a new system of records that is 
subject to the Privacy Act of 1974. The proposed system of records will 
maintain information on all employees and contractors and other 
affiliates who require public key infrastructure (PKI) authenticated 
access to USPTO automated information systems (AISs).
    The proposed system of records is necessary in order to implement a 
new internal PKI in which the digital certificates produced by the PKI 
are carried on smart cards that also support the physical Access 
Control System for the USPTO, including the main offices at the Carlyle 
campus in Alexandria, VA. The smart card-based system will use 
electronic access credentials, such as digital public key or PKI 
certificates. Access to electronic agency assets, including the USPTO 
computer network and the USPTO desktop and laptop computers, will be 
controlled using this new process. This will provide a high level of 
security authentication in accord with recent Office of Management and 
Budget (OMB) and Federal Identity Credentialing Committee guidance.
    The proposed new system of records, ``COMMERCE/PAT-TM-17 USPTO 
Security Access Control and Certificate Systems,'' is published in its 
entirety below.

COMMERCE/PAT-TM-17

System name:
    USPTO Security Access Control and Certificate Systems.

Security classification:
    Unclassified.

System location:
    IT Security Program Office, United States Patent and Trademark 
Office, Madison Building West-Room 5A29, 600 Dulany Street, Alexandria, 
VA 22314.

Categories of individuals covered by the system:
    USPTO employees, contractors, and other affiliates requiring PKI-
authenticated access to USPTO electronic assets including the network, 
desktops, and laptops.

Categories of records in the system:
    The system contains information needed to establish identity, 
accountability, and audit control of digital certificates issued by the 
new USPTO internal PKI that have been assigned to personnel who require 
access to USPTO electronic assets, including the USPTO network, as well 
as those who transmit electronic data that requires the protection of 
PKI security services. The records are created and maintained to 
provide assurance that the digital certificates are issued and 
delivered to the correct individual, who typically has been issued a 
smart card by the USPTO Office of Security.
    Records may include the individual's name; organization; work 
telephone number; social security number; driver's license number; 
passport number; date of birth; employee number; smart card serial 
number; work e-mail address; status as an employee, contractor or other 
affiliation with the USPTO; title; home address and phone number.
    Records also include information on the creation, renewal, 
replacement or revocation of digital certificates, including evidence 
provided by applicants for proof of identity and authority, sources 
used to verify an applicant's identity and authority, and the 
certificates issued, denied and revoked, including reasons for denial 
and revocation.

Authority for maintenance of the system:
    5 U.S.C. 301; 35 U.S.C. 2; the Electronic Signatures in Global and 
National Commerce Act, Pub. L. 106-229; and E.O. 9397.

Purpose(s):
    To improve security for USPTO electronic assets; to maintain 
accountability for issuance and disposition of security access; to 
maintain an electronic system to facilitate secure on-line 
communication between Federal automated systems, between Federal 
employees or contractors, and with the public, using digital signature 
technologies to authenticate and verify identity; to provide a means of 
access to USPTO electronic assets including the USPTO network, 
desktops, and laptops; and to provide mechanisms for non-repudiation of 
personal identification and access to sensitive electronic systems, 
including but not limited to human resource, financial, procurement, 
travel and property systems, as well as systems containing information 
on intellectual property and other mission critical systems. The system 
also maintains records relating to the issuance of digital certificates 
utilizing public key cryptography to employees and contractors for the 
transmission of sensitive electronic material that requires protection.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses:
    See Prefatory Statement of General Routine Uses Nos. 1-13, as found 
at 46 FR 63501-63502 (December 31, 1981).

Disclosure to consumer reporting agencies:
    Not applicable.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system:
Storage:
    Records are stored as electronic media and paper records.

Retrievability:
    Records are retrieved by individual's name, social security number, 
employment status, organization and/or security access badge number.

Safeguards:
    Entrance to data centers and support organization offices is 
restricted to those employees whose work requires them to be there for 
the system to operate. Identification cards are verified to ensure that 
records are in areas accessible only to authorized personnel who are 
properly screened, cleared, and trained. Disclosure of electronic 
information through remote terminals is restricted through the use of 
passwords and sign-on protocols that are periodically changed. Reports 
produced from the remote printers are in the custody of personnel and 
financial management officers and are subject to the same privacy 
controls as other documents of like sensitivity.
    Digital certificates ensure secure local and remote access and 
allow only authorized employees, contractor employees, or other 
affiliated individuals to gain access to federal information assets 
available through secured systems access.
    Access to sensitive records is available only to authorized 
employees and contractor employees responsible for the management of 
the system and/or employees of program offices who have a need for such 
information. Paper records are maintained in locked safes and/or file 
cabinets. Electronic records are password-protected or PKI-protected. 
During non-work hours, records are stored in locked safes and/or 
cabinets in locked rooms.

Retention and disposal:
    The records on government employees and contractor employees are 
retained for the duration of their employment at the USPTO. Other 
individuals' records are kept for the duration of their affiliation 
with the USPTO and then treated as employee records. The records on 
separated employees are destroyed or sent to the Federal Records Center 
in accordance with General Records Schedule 18.

System manager(s) and address:
    Director, IT Security Program Office, United States Patent and 
Trademark Office, Madison Building West--Room 5A05, 600 Dulany Street, 
Alexandria, VA 22314.

Notification procedure:
    Information may be obtained from either the Director, IT Security 
Program Office, United States Patent and Trademark Office, Madison 
Building West--Room 5A05, 600 Dulany Street, Alexandria, VA 22314; or 
the Chief Information Officer, United States Patent and Trademark 
Office, P.O. Box 1450, Alexandria, VA 22313-1450. Requesters should 
provide the appropriate information in accordance with the inquiry 
provisions appearing at 37 CFR Part 102 Subpart B.

Record access procedures:
    USPTO employees wishing to inquire whether this system of records 
contains information about them should contact the system manager 
indicated. Individuals must furnish their full names for their records 
to be located and identified. See ``Notification procedure'' above.

Contesting record procedures:
    USPTO employees wishing to request amendment of their records 
should contact the system manager indicated. Individuals must furnish 
their full names for their records to be located and identified. See 
``Notification procedure'' above.

Record source categories:
    The information contained in these records is provided by or 
verified by the subject individual of the record, supervisors, other 
personnel documents, and non-Federal sources such as private employers.

Exemptions claimed for the system:
    None.

    Dated: December 7, 2004.
Susan K. Brown,
Records Officer, USPTO, Office of the Chief Information Officer, Office 
of Data Architecture and Services, Data Administration Division.
[FR Doc. 04-27321 Filed 12-13-04; 8:45 am]
BILLING CODE 3510-16-P