[Federal Register Volume 70, Number 129 (Thursday, July 7, 2005)]
[Notices]
[Pages 39300-39323]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 05-13371]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[DHS-2005-0049]


United States Visitor and Immigrant Status Indicator Technology 
Program; Privacy Impact Assessment

AGENCY: Department of Homeland Security, United States Visitor and 
Immigrant Status Indicator Technology Program.

ACTION: Notice of availability of Privacy Impact Assessment.

-----------------------------------------------------------------------

SUMMARY: The Department of Homeland Security intends to modify the 
United States Visitor and Immigrant Status Indicator Technology Program 
to conduct a proof of concept in order to verify the utility of Radio 
Frequency Identification technology to automatically, passively, and 
remotely record the entry and exit of covered individuals. In 
conjunction with this change, US-VISIT is again revising its Privacy 
Impact Assessment to discuss the impact of this new technology on 
privacy. The revised Privacy Impact Assessment also covers the 
implementation of new technology and processes for recording the exit 
of covered individuals from air and sea ports. It is being published 
here and also is available on the Web site of the Privacy Office of the 
Department of Homeland Security, http://www.dhs.gov/privacy, and on the 
US-VISIT Web site, http://www.dhs.gov/usvisit.
    The original US-VISIT PIA was published in the Federal Register on 
January 16, 2004 (69 FR 2608); a revised version reflecting subsequent 
changes was published on September 23, 2004 (69 FR 57036), and a notice 
about the availability of the most recent revision made to the PIA was 
published in the Federal Register on June 16, 2005 (70 FR 35110).

FOR FURTHER INFORMATION CONTACT: Steve Yonkers, Privacy Officer, US-
VISIT, Department of Homeland Security, Washington, DC 20528, telephone 
(202) 298-5200, facsimile (202) 298-5201, e-mail: 
[email protected]; Nuala O'Connor Kelly, Chief Privacy Officer, 
Department of Homeland Security, Mail Stop 0550, 601 S. 12th Street, 
Arlington, VA 22202-4220; by telephone (571) 227-4127 or facsimile 
(571) 227-4171.

    Dated: July 1, 2005.
Nuala O'Connor Kelly,
Chief Privacy Officer, Department of Homeland Security.
BILLING CODE 4410-10-P

[[Page 39301]]

[GRAPHIC] [TIFF OMITTED] TN07JY05.032


[[Page 39302]]



US-VISIT Program Privacy Impact Assessment

1. Introduction

    United States Visitor and Immigrant Status Indicator Technology 
(US-VISIT) is the program established by the Department of Homeland 
Security (DHS) to implement an integrated entry and exit data system to 
record the entry into and exit out of the United States of covered 
individuals; verify identity; and confirm compliance with the terms of 
admission to the United States.
    The primary goals of US-VISIT are to:
     Enhance the security of our citizens and visitors;
     Facilitate legitimate travel and trade;
     Ensure the integrity of our immigration system; and
     Protect the privacy of our visitors.
    In accordance with the guidance issued by the Office of Management 
and Budget (OMB) on September 26, 2003 for implementing the E-
Government Act of 2002 and in an effort to make the program transparent 
and address any privacy concerns, DHS's Chief Privacy Officer directed 
that a Privacy Impact Assessment (PIA) be performed for the initial 
implementation of the program and that the PIA be updated as necessary 
to reflect future changes.
    The US-VISIT PIA was first published on January 4, 2004, in 
conjunction with the initial deployment of US-VISIT. The PIA was 
updated on September 14, 2004,\1\ to reflect inclusion of visa waiver 
program (VWP) travelers in US-VISIT, expansion of US-VISIT to the 50 
busiest land border ports of entry (POE) and changes in the business 
processes used by DHS to share information with Federal law enforcement 
agencies. The PIA was updated on June 15, 2005 to include the Live Test 
to read ICAO-compliant biometrically enabled travel documents by 
October 26, 2005.
---------------------------------------------------------------------------

    \1\ 69 FR 57036, US-VISIT Privacy Impact Assessment, September 
23, 2004.
---------------------------------------------------------------------------

    This revision of the PIA is prompted by the:
    1. Implementation of technology (Exit devices) and processes for 
recording the exit of covered individuals from air and sea ports by 
December 31, 2005; and
    2. The proof of concept for technology and processes for 
automatically recording the entry and exit of covered individuals at 
U.S. land border POEs using Radio Frequency Identification (RFID)-
enabled I-94 Arrival/Departure Forms. The proof of concept of the 
capability will begin in August 2005 and, if successful, will be 
deployed to the 50 busiest land ports by December 31, 2007.

2. Overview of US-VISIT Implementation

    Congress has directed DHS to establish an integrated and automated 
entry and exit system to record the arrival and departure of aliens, 
verify their identities, and authenticate their travel documents 
through comparison of biometric identifiers. Implementation has 
proceeded in increments for a variety of policy and operational 
reasons. The incremental implementation has been tied primarily to the 
analysis of the best technology available to accomplish the goals of 
the program. The following timeline provides a high-level overview of 
the US-VISIT Increments, followed by a narrative description of those 
increments.
BILLING CODE 4410-10-P

[[Page 39303]]

[GRAPHIC] [TIFF OMITTED] TN07JY05.033


[[Page 39304]]


Increment 1A--Entry at Air and Sea Ports of Entry
    Increment 1 was deployed on January 5, 2004, by modifying pre-
existing databases to accommodate the collection and maintenance of 
additional data fields and to establish interfaces required to share 
data between DHS record systems concerning entry and exit at certain 
POEs of covered individuals. Covered individuals were defined in 
Increment 1 as nonimmigrant visa holders and VWP entrants traveling 
through air, sea, and land border POEs. Since implementation of 
Increment 1, DHS has been collecting biometrics--two digital index 
fingerscans and a digital photograph--for each covered individual. The 
details of Increment 1 are provided in the PIA published on January 4, 
2004.
Increment 1B--Exit at Air and Sea Ports of Entry
    Increment 1 also involved the testing of Exit devices to collect 
exit data. Three alternatives to collect exit data--a kiosk, a mobile 
device, and a combination of the two devices that uses a specially-
configured mobile device to validate the receipt from the kiosk device 
\2\--were tested from October 2004 through May 2005. All were found to 
be useful in different environments and will be variously implemented 
based on the operational characteristics of each air and sea port. The 
changes to systems to accommodate Increment 1B included:
---------------------------------------------------------------------------

    \2\ This is referred to as the Validator Alternative in US-VISIT 
documents.
---------------------------------------------------------------------------

    1. Development of the three alternative Exit devices to capture 
traveler biometric and biographic information and forward it to the 
Automatic Biometric Identification System (IDENT).
    2. Modification to IDENT to accept and store the Exit Tracking 
Request and to search the US-VISIT biometric watch list and verify the 
traveler's identity against an arrival record.
    3. Modification to IDENT to forward the Record of Departure to the 
Arrival and Departure Information System (ADIS).
    4. Modification to ADIS to accept the Record of Departure from 
IDENT for use in confirmation on subsequent entry or exit by the 
traveler.
Increment 2A--Biometric Verification of VWP Passports and U.S.-Issued 
Travel Documents
    Increment 2A provides the capability to biometrically compare and 
authenticate valid documents at all POEs. Under the requirements of the 
Enhanced Border Security and Visa Entry Reform Act (Border Security 
Act) of 2002, as amended:
     All VWP Countries must implement a program of issuing 
International Civil Aviation Organization (ICAO)-compliant passports 
that are tamper-resistant and incorporate biometric and documentation 
authentication identifiers by October 26, 2005 \3\
---------------------------------------------------------------------------

    \3\ Congress extended the original implementation date of 
October 26, 2004 by one year.
---------------------------------------------------------------------------

     U.S. Ports of Entry must have the capability to read VWP 
ICAO-compliant biometrically enabled travel documents by October 26, 
2005
    As the next step in implementing these legislative requirements, an 
International Live Test will be conducted. Australia, New Zealand, and 
the U.S. are the participants in the International Live Test that will 
be conducted from June to September at the Los Angeles, CA Airport POE 
and at the Sydney, Australia Airport POE. The International Live Test 
will evaluate the operational impact of the new technology as well as 
the performance of the e-Passports and the reader solutions being 
tested. However, the International Live Test evaluation will be limited 
in scope due to the fact that only two of the Visa Waiver Program 
countries' passports will be tested. Other Visa Waiver Program 
countries' passports will have to be tested and evaluated as they begin 
the process of issuing e-Passports to their nationals.
    In conjunction with implementation of Increment 2A, a Notice on 
Authority to Collect Biometric Data from Additional Travelers will be 
published on June 30, 2005. DHS intends to solicit comments on a 
proposal to further expand the population of ``covered individuals'' to 
include all aliens under US-VISIT, as required by statute. Increment 2A 
development and implementation will be analyzed in a future update to 
this PIA.
Increment 2B--50 Busiest Land Ports of Entry
    The deployment of Increment 2B was completed by December 31, 2004. 
It provided the US-VISIT capability to collect information on entries 
at the 50 busiest land border POEs. In addition, it reduced the time 
required for the completion of I-94, Arrival/Departure Forms. Prior to 
Increment 2B, I-94 forms were hand written by the travelers. Completion 
of the forms is now done by CBP officers who enter the data 
electronically and then print the form. The changes made to these 
systems for Increment 2B included modification of secondary 
workstations at land POEs to capture biographic and biometric 
information. The details of Increment 2B were provided in the PIA dated 
September 14, 2004.
Increment 2C--RFID at Land Ports of Entry
    Increment 2C will provide the capability to automatically, 
passively, and remotely record the entry and exit of covered 
individuals using Radio Frequency Identification (RFID) tags. The RFID 
tag will be embedded in the I-94 Arrival/Departure Forms, and will use 
a unique ID number embedded in the tag to associate the I-94 holders 
with the tag. After the tag-enabled I-94 is issued to an individual, 
the ID number will be used as a pointer to the individual's biographic 
information located in the TECS database maintained by CBP. ADIS then 
receives and stores the crossing data from TECS. When the individual 
passes through the entry and exit lanes of a POE, the ID number will be 
read and used to retrieve the individual's immigration information for 
use in the entry and exit inspection processes by CBP officers.
    US-VISIT conducted an operational alternatives assessment and 
determined that passive RFID technology best satisfied its requirements 
for this increment of the program. A proof of concept is being 
conducted for the Increment 2C capability to verify this assessment. 
The proof of concept will begin in August 2005.
    A new DHS system of records, the Automated Identification 
Management System (AIDMS), has been created to link the unique and 
individually-assigned RFID tag number to existing biographic 
information received from TECS and the entry and exit event information 
for each covered individual crossing the land border. AIDMS is a new 
system and is separate from TECS, ADIS, IDENT and the other databases 
used in the US-VISIT process. AIDMS is undergoing the DHS certification 
and accreditation process, which includes having an approved detailed 
security plan and a comprehensive technical assessment of the risks of 
operating the system. A System of Records Notice (SORN) will be 
published at or about the time of publication of this PIA.
    Changes to systems to accommodate Increment 2C include:
    1. Development of the AIDMS to capture and store traveler border 
crossing events associated with RFID tag numbers and biographic 
information maintained in TECS.
    2. Development of the antenna and reader capability to capture RFID 
tag numbers and to transmit the unique tag

[[Page 39305]]

number and associated event information to AIDMS.
    3. Modification of POE workstations to accept reads from RFID tag 
antennae and to process information from the RFID tag and associated 
information from AIDMS and from TECS.
    4. Modification of TECS to enable direct interaction with AIDMS and 
pre-position information so that it can be rapidly accessed on the POE 
workstations by CBP officers.
    5. Modification of ADIS to accept the RFID tag number from AIDMS 
via TECS.
Increment 3--Remaining Land Ports of Entry
    Increment 3 will extend the basic US-VISIT functionality introduced 
by Increment 2B to the remaining land border POEs. The changes to these 
systems for Increment 2B included modification of secondary 
workstations at land POEs to capture biographic and biometric 
information. In order to complete this rollout by December 31, 2005, 
implementation at some POEs will begin as early as July 2005. No 
additional changes to the architecture are anticipated for this 
Increment.

3. System Overview

What Information Is To Be Collected?
    All aliens are subject to the principal data collection 
requirements and processes (including biometric collection, biographic 
collection, and watch list checks) of the US-VISIT Program. Because US-
VISIT has been implemented in increments, currently covered individuals 
consist of nonimmigrant visa holders and VWP applicants for admission 
traveling through all air, sea, and land border POEs where US-VISIT has 
been implemented.\4\ US-VISIT verifies the identity of these travelers 
and the authenticity of their U.S.-issued travel documents.
---------------------------------------------------------------------------

    \4\ DHS intends to fully implement its statutory authority to 
cover all aliens, but it intends to afford public notice and comment 
before determining the most appropriate way to implement the 
relevant statutes.
---------------------------------------------------------------------------

    The information to be collected from covered individuals includes 
complete name, date of birth, gender, country of citizenship, passport 
number and country of issuance, country of residence, travel document 
type (e.g., visa), number, date and country of issuance, complete U.S. 
destination address, arrival and departure information, a digital 
photograph, digital fingerscans, and for travelers using land POEs 
after implementation of Increment 2C, a unique and individually-
assigned RFID tag number for each traveler.
Why Is the Information Being Collected?
    Numerous statutes require an entry/exit program to be put in place 
to verify the identity of covered individuals who enter or leave the 
United States. In keeping with expressed congressional intent, and in 
furtherance of the mission of DHS, information is being collected about 
covered individuals to enhance national security while facilitating 
legitimate travel and trade. In accordance with this purpose, US-VISIT 
collects, maintains, and shares information in order to determine 
whether the individual:
     Should be prohibited from entering the U.S.;
     Can receive, extend, change, or adjust immigration status;
     Has overstayed or otherwise violated the terms of his or 
her admission;
     Should be apprehended or detained for law enforcement 
action; or
     Needs special protection/attention (e.g., Refugees).
What Opportunities Do Individuals Have To Consent or Decline To Provide 
Information?
    The admission into the United States of any covered individual is 
contingent upon submission of the information required by US-VISIT, 
including biometric identifiers. A covered individual who declines to 
provide required biometrics is inadmissible.\5\ An individual who 
declines to provide required biometrics may withdraw his or her 
application for admission, or be subject to removal proceedings. The 
biometric requirement may be modified or waived at the discretion of 
the CBP secondary officer for those applicants with physical 
limitations or mental incapacity that prevent the collection of 
biometrics.
---------------------------------------------------------------------------

    \5\ An individual may apply for a discretionary waiver of 
inadmissibility under Section 212(d)(3) of the Immigration and 
Nationality Act, 8 U.S.C. 1182(d)(3).
---------------------------------------------------------------------------

    The US-VISIT Program has its own privacy officer to ensure that the 
privacy of all covered individuals is respected and to respond to 
individual concerns raised about the collection of the required 
information. Extensive stakeholder outreach and information 
dissemination activities have taken place and will be continued as the 
program is expanded. These activities are reviewed and adjusted on an 
ongoing basis to ensure maximum effectiveness. Further, the DHS Chief 
Privacy Officer, who serves as the administrative appellate review 
authority for all individual complaints and concerns about the program, 
exercises comprehensive oversight of all phases of the program to 
ensure that privacy concerns are respected throughout implementation.
What Are the Intended Uses of the Information?
    DHS uses the information collected and maintained by US-VISIT to 
carry out its national security, law enforcement, and immigration 
control functions. Through the enhancement and integration of its 
database systems, DHS is able to ensure the entry of legitimate 
travelers, identify, investigate, apprehend and/or remove individuals 
unlawfully entering or present in the United States beyond the lawful 
limitations of their visit, and prevent the entry of inadmissible 
individuals. US-VISIT will also help DHS prevent covered individuals 
from obtaining immigration benefits to which they are not entitled. DHS 
may share information obtained through US-VISIT with other federal, 
state, local, tribal, and foreign law enforcement partners to 
accomplish common goals through data sharing agreements that address 
privacy and security concerns as well as operational requirements for 
sharing.

4. System Architecture

    US-VISIT is a system of systems. US-VISIT accomplishes its goals 
primarily through the integration and modification of the capabilities 
of three pre-existing DHS systems and, with Increment 2C, through the 
creation of a new system, AIDMS. The pre-existing DHS systems are:
    1. The Arrival and Departure Information System (ADIS).\6\
---------------------------------------------------------------------------

    \6\ System of Records Notice for Arrival and Departure 
Information System (ADIS), DHS/ICE-CBP-001, 68 FR 69412-69414 
(December 12, 2003).
---------------------------------------------------------------------------

    2. The Passenger Processing Component of the TECS.\7\
---------------------------------------------------------------------------

    \7\ System of Records Notice for Treasury Enforcement 
Communications System (TECS), TREASURY/CS.244, 63 FR 60809 (December 
17, 1998). As indicated in the US-VISIT Increment 1 Functional 
Requirements Document (FRD), the Passenger Processing Component of 
TECS consists of two systems, where ``system'' is used in the sense 
of the E-Government Act, 44 U.S.C. sec. 3502 (i.e., ``a discrete set 
of information resources organized for the collection, processing, 
maintenance, use, sharing, dissemination, or disposition of 
information.''). The two systems, and the process relevant to US-
VISIT that they support, are (1) Interagency Border Inspection 
System (IBIS) (including the Nonimmigrant visa (NIV) database), 
supporting the lookout process; and (2) Advance Passenger 
Information System (APIS), supporting the entry/exit process by 
receiving airline passenger manifest information.

---------------------------------------------------------------------------

[[Page 39306]]

    3. The Automated Biometric Identification System (IDENT).\8\
---------------------------------------------------------------------------

    \8\ System of Records Notice for Enforcement Operational 
Immigration Records (ENFORCE/IDENT), DHS/ICE-CBP-CIS-001, 68 FR 
69414-69417 (December 12, 2003).
---------------------------------------------------------------------------

    US-VISIT interfaces with other DHS systems for relevant purposes, 
including status updates and benefit adjudication. In particular, US-
VISIT exchanges biographic information with the Student and Exchange 
Visitor Information System (SEVIS) and the Computer Linked Application 
Information Management System (CLAIMS 3). Some of these systems, such 
as IDENT and the new AIDMS, are under the direct control of US-VISIT, 
while some systems are under the control of other organizational 
entities within DHS, including TECS and ADIS under CBP, SEVIS under 
Immigration and Customs Enforcement (ICE), and CLAIMS 3 under United 
States Citizenship and Immigration Services (USCIS).
    US-VISIT interfaces with other, non-DHS systems for relevant 
purposes, including watch list updates and checks. In particular, US-
VISIT receives biographic and biometric information from the Department 
of State's (DOS) Consular Affairs Consolidated Database (CCD) as part 
of the visa application process, and returns fingerscan information and 
watchlist changes.
    Figure 1 presents the data flows in the context of the high-level 
system architecture.

[[Page 39307]]

[GRAPHIC] [TIFF OMITTED] TN07JY05.034


[[Page 39308]]



5. Administrative Controls on Access to the Data

With Whom Will the Information Be Shared?
    Employees of DHS components, including CBP, ICE, and USCIS, and of 
DOS access the personal information collected and maintained by US-
VISIT for immigration and border management purposes.
    The information may also be shared with other agencies at the 
federal, state, local, foreign, or tribal level, who are lawfully 
engaged in collecting law enforcement information (whether civil or 
criminal) and national security intelligence information and/or who are 
investigating, prosecuting, enforcing, or implementing civil and/or 
criminal laws, related rules, regulations, or orders. The Privacy Act 
SORNs for the systems on which US-VISIT draws provide notice as to the 
conditions of disclosure and routine uses for the information collected 
by US-VISIT. Any disclosure by DHS must be compatible with the purpose 
for which the information was collected. Additionally, any non-DHS 
agency granted direct access to this information must sign a data 
sharing agreement that will govern protection and usage of the 
information. US-VISIT currently has data sharing agreements in place 
with federal, state and local agencies for each system, which are 
consistent with the US-VISIT privacy policy and which require each 
agency to coordinate with DHS before taking any further action based on 
the shared data.

How Will the Information Be Secured?

    The US-VISIT Program secures information and the systems on which 
that information resides by complying with the requirements of DHS 
information technology security policy, particularly the DHS 
Information Technology (IT) Security Program Handbook for Sensitive 
Systems (Attachment A to DHS Management Directive 4300.1). This 
handbook establishes a comprehensive program to provide complete 
information security, including directives on roles and 
responsibilities, management policies, operational policies, technical 
controls, and application rules, which are applied to component 
systems, communications between component systems, and at all 
interfaces between component systems and external systems. In addition, 
ADIS (10/2003), TECS (2/2003), and IDENT (5/2004) have been 
individually certified and accredited as satisfying applicable DHS 
security requirements. The new system, AIDMS, has a certification plan 
under development that will adhere to the DHS security requirements for 
new systems.
    One aspect of the DHS comprehensive program to provide information 
security involves the establishment of strict rules of behavior for 
each major application, including US-VISIT. The security policy also 
requires that all users be adequately trained regarding the security of 
their systems. The program also requires a periodic assessment of 
physical, technical, and administrative controls to enhance 
accountability and data integrity. All system users must participate in 
a security training program and contractors and consultants must also 
sign a non-disclosure agreement. External connections must be 
documented and approved with both parties signature in an 
interconnection security agreement (ISA), which outlines controls in 
place to protect the confidentiality, integrity, and availability of 
information being shared or processed. In addition, the comprehensive 
information technology security program already in effect for each of 
the component systems on which US-VISIT draws will be applied to the 
program, adding an additional layer of security protection.

6. Information Life Cycle and Privacy Impacts

Overview
    The following analysis is structured according to the information 
life cycle. For each life-cycle stage--collection, use and disclosure, 
processing, and retention and destruction--key issues are assessed, 
privacy risks are identified, and mitigation measures are discussed. 
Risks are related to fair information principles--notice/awareness, 
choice/consent, access/participation, integrity/security, and 
enforcement/redress--that form the basis of many statutes and codes and 
which represent internationally accepted norms for the handling of 
personal information.\9\ US-VISIT has its own set of privacy 
principles, which are based on the more well-known fair information 
principles. Table E-1 in Appendix E provides an overview of the kinds 
of privacy risks associated with US-VISIT and the general types of 
mitigation measures that address those risks.
---------------------------------------------------------------------------

    \9\ Notice/awareness involves being informed of an entity's 
information handling practices and requires limitation of 
collection, use, disclosure, and retention to that which is 
consistent with stated purposes. Choice/consent requires that, to 
the extent possible, options be provided regarding the collection 
and handling of personal information. Access/participation involves 
the ability to view and/or contest the data held about oneself. 
Integrity/security requires that steps be taken to ensure that 
personal information is both accurate and protected. Enforcement/
redress involves compliance mechanisms.
---------------------------------------------------------------------------

    General privacy risks resulting from the collection, use and 
disclosure, processing, and retention and destruction of personal 
information are mitigated by a privacy policy (available at http://www.dhs.gov/us-visit) supported and enforced by a comprehensive privacy 
program. This program includes a separate Privacy Officer for US-VISIT, 
mandatory privacy training for system operators, appropriate safeguards 
for data handling in accordance with existing procedures and 
guidelines, and ongoing consultation with stakeholders and 
representative organizations. Additionally, US-VISIT conducts periodic 
strategic reviews to ensure that the data collected are limited to that 
which is necessary for US-VISIT purposes.
    US-VISIT has implemented a comprehensive redress process to 
facilitate the amendment or correction by individuals of data that are 
not accurate, relevant, timely, or complete. The full US-VISIT redress 
policy, including request form, is available at http://www.dhs.gov/us-visit. The US-VISIT Privacy Officer has set a goal of processing 
redress requests within 20 business days.
Increment 1B `` Exit at Air and Sea Ports of Entry
Collection
    The use of mobile Exit devices presents the low potential security 
risk that individuals might be persuaded by someone masquerading as an 
authorized official to allow their personal information and 
fingerprints to be captured by a counterfeit device. This risk is 
mitigated by workstation attendant (WSA) identification devices, 
appropriate training of airport staff, and awareness measures aimed at 
covered individuals (for example, signage that describes the precise 
circumstances under which covered individuals would be expected to 
undergo data collection). The physical size of the kiosks, along with 
the physical security at air and sea ports, which only allows ticketed 
passengers into the boarding area, makes it unlikely that someone could 
successfully collect personal data using a counterfeit device.
Use and Disclosure
    US-VISIT conducted a privacy risk assessment of the privacy risks 
specific to the Exit pilot environment and the three alternative 
solutions that the Exit pilot was designed to evaluate. The risks 
associated with issuing receipts that

[[Page 39309]]

include biographic and biometric data have been recognized and 
addressed by minimizing the amount of human readable information, 
minimizing biometric information, and encrypting machine readable 
biographic and biometric information.
    The Exit devices generate a receipt for the covered individual to 
confirm that the exit process was successfully completed and, when a 
combination of kiosk and mobile device is used, to verify that the 
individual boarding at the gate is the same individual who completed 
the exit process at the kiosk. To enable this verification, the receipt 
printed by the kiosk includes biographic information read from the 
machine-readable zone (MRZ) of the individual's travel document and 
biometric data in the form of a low-resolution photograph and the 
individual's fingerscan. This information is stored in an encrypted bar 
code on the receipt. Receipts printed by mobile devices (when used 
alone) do not include this bar code. In all cases, receipts include a 
human-readable area with minimal personal information (name, date and 
time, departure port and terminal) along with a unique receipt number. 
The personal information printed in the human-readable area of the 
receipts is no greater than the information printed on other travel 
documents, including boarding passes. Therefore, the existence of the 
human readable areas represents a minimal security risk if a receipt is 
lost or stolen. The bar codes are encrypted in accordance with federal 
information processing standards (FIPS) 140-2 using site-specific keys 
that are changed daily. Moreover, the fingerscan templates on the 
receipt are one-way mathematical transformations of the actual 
fingerscans that, even if obtainable, would be extremely difficult to 
use for any purpose. These mitigations effectively address the security 
risks of the bar code.
Processing
    Data flows between US-VISIT component systems and/or applications 
are encrypted using FIPS-compliant mechanisms. This includes the 
wireless transmissions from some of the Exit devices, in which the data 
itself is encrypted prior to transmission (rather than relying on 
encryption of the connection). As with the receipts, site-specific keys 
are used and changed daily. This greatly mitigates the security risks 
associated with wireless transmission. Although it is possible that the 
encrypted transmissions could be intercepted, the data would remain 
inaccessible and key variation would make unauthorized decryption 
extremely difficult. US-VISIT will use wired networks for the kiosks 
wherever practicable to lower the risk even further.
Retention and Destruction
    Fingerscans and biographic information are also temporarily stored 
on the Exit devices. Under normal operating conditions, this 
information is securely transmitted to a server upon completion of each 
transaction, at which time the information is deleted so as to be 
unrecoverable. However, if an Exit device encounters communication 
problems, it will retain the information until it can be transmitted. 
To mitigate the security risk inherent in this situation, all personal 
information stored on Exit devices is encrypted in a FIPS-compliant 
manner using site-specific keys that change daily. Mobile Exit devices 
present additional security risk by virtue of their potential for being 
lost or stolen. This risk is mitigated by authentication of device 
users and appropriate physical and procedural controls, in addition to 
the measures described above.
    The policies of the pre-existing individual component systems, as 
stated in the SORNs, govern the retention of personal information 
collected by US-VISIT. Because the component systems were created at 
different times for varied purposes, there are inconsistencies across 
the SORNs with respect to data retention periods. There is also some 
duplication in the types of data collected by each system. These 
inconsistencies and duplication result in some heightened degree of 
integrity/security, access, and/or redress risk as personal information 
could be deleted from one or more component systems while being 
retained in others. In order to most appropriately and effectively 
mitigate these risks, a comprehensive assessment of retention 
requirements has been initiated. When complete, this assessment will be 
used to establish a uniform retention policy for personal information 
collected by US-VISIT.
Increment 2C--RFID at Land Ports of Entry
Collection
    Entry and exit data collected from the Form I-94 at land border 
POEs are transferred to a non-US-VISIT component of TECS. However, the 
unique ID number of the RFID tag embedded in the I-94 forms will be 
retained in the AIDMS. This system has been created to link the unique 
and individually-assigned RFID tag number to existing biographic 
information received from TECS and the entry and exit event information 
for each covered individual crossing the land border. The RFID tag 
number will not contain or be derived from any personal information. 
Otherwise, the continued expansion of US-VISIT capabilities to land 
border POEs provides for the same data collection as currently 
implemented at air, sea, and land POEs, with identical risks and 
mitigations, as discussed in previously published PIAs for US-VISIT.
Use and Disclosure
    AIDMS is undergoing the DHS certification and accreditation 
process, which includes having an approved detailed security plan and a 
comprehensive technical assessment of the risks of operating the 
system. The certification and accreditation process will be completed 
before the proof of concept becomes operational. AIDMS is a new system 
and is separate from TECS, ADIS, IDENT and the other systems used by 
US-VISIT. A SORN will be published at or about the time of publication 
of this PIA.
    While RFID tag numbers are not encrypted and could be subject to 
interception, the RFID tag contains no personal information and can 
only be used to obtain personal information when combined with other 
data within AIDMS. AIDMS is a secure database that can only be accessed 
by authorized personnel signed into authorized workstations that 
communicate with the AIDMS via a secure network.
Processing
    The unencrypted information on the I-94 RFID tags is even more 
minimal than that on the exit process receipts. In this case, the only 
information contained and read is a unique identification number, which 
is linked to the individual's biographic information retrieved from 
TECS. AIDMS records the entry and exit data automatically captured at 
U.S. land border POEs for a particular RFID tag rather than for a 
specific individual. It is when this information on the RFID tag 
entries and exits along with the biographic information from TECS is 
sent to ADIS that the individual's complete travel history is created.
    Over a covered individual's lifetime an individual may be issued 
more than one RFID-enabled I-94, each with a unique ID number. Only in 
rare circumstances where travelers request a supplemental I-94 under a 
different class of admission would more than one RFID-enabled I-94 be 
valid at any given time.

[[Page 39310]]

    Two potential privacy risks have been identified and are addressed 
here. If the format or some other characteristic of the RFID tag number 
renders it recognizable as a US-VISIT RFID tag, this would allow an 
unauthorized reader to surreptitiously determine an individual's status 
(i.e., within US-VISIT covered population). However, it is contemplated 
that the unencrypted RFID tag number will not be structured in such a 
way that it can be used to identify the individual as a non-immigrant. 
There is also a low risk that the RFID tag could be used to conduct 
surreptitious locational surveillance of an individual; i.e., to use 
the presence of the tag to follow an individual as he or she moves 
about in the U.S. However, ensuring that RFID tag numbers do not 
exhibit properties that can be readily attributed to US-VISIT and using 
a limited radio frequency range effectively mitigates this risk. The 
design process is also taking into account methods of reducing 
eavesdropping and skimming possibilities.
Retention and Destruction
    The Increment has the same retention and destruction issues as 
discussed with Increment 1B. In order to most appropriately and 
effectively mitigate the associated privacy risks, a comprehensive 
assessment of retention requirements has been initiated. When complete, 
this assessment will be used to establish a uniform retention policy 
for personal information collected by US-VISIT.

7. Design Choices (Including Whether a New System of Records Is Being 
Created)

    US-VISIT was originally intended by Congress to address concerns 
with visa overstays, the number of illegal foreign nationals in the 
country, and overall border security issues. After September 11, 2001, 
terrorism-related concerns expanded the scope to include all aliens and 
added urgency to the development and deployment of this program. Many 
of the characteristics of US-VISIT were pre-determined because of 
legislation \10\ enacted both before and after the events of September 
11, 2001. These characteristics include, among others:
---------------------------------------------------------------------------

    \10\ The legislation includes: the Illegal Immigration Reform 
and Immigrant Responsibility Act of 1996 (IIRIRA), Public Law 104-
208; The Immigration and Naturalization Service Data Management 
Improvement Act of 2000 (DMIA), Public Law 106-215; The Visa Waiver 
Permanent Program Act of 2000 (VWPPA), Public Law 106-396; The USA 
PATRIOT Act, Public Law 107-56; and The Enhanced Border Security and 
Visa Entry Reform Act (``Border Security Act''), Public Law 107-173.
---------------------------------------------------------------------------

     Working with NIST to implement biometric standard for 
identifying and verifying foreign nationals;
     Use of biometric identifiers in travel and entry documents 
issued to foreign nationals, and the ability to read such documents at 
U.S. POEs;
     Integration of arrival/departure data on covered 
individuals, including data from commercial carrier passenger 
manifests; and
     Integration with other law enforcement and security 
systems.
Increment 1--Exit at Air and Sea Ports of Entry
    Three alternatives were evaluated for recording exit information at 
air and sea ports: kiosks, mobile devices, and a combination of the two 
devices that uses a specially-configured mobile device to validate the 
receipt from the kiosk device. In some cases, constraints on physical 
space rendered kiosks impractical. In other cases, boarding area 
layouts were not conducive to the use of mobile devices. The 
combination alternative was preferred for situations characterized by 
heightened security concerns. From a privacy perspective, the kiosk--
particularly when using wired networks--introduces the fewest potential 
risks, followed by the mobile device (due to its portability), and 
finally, the combination alternative. Therefore, appropriate privacy 
risk mitigations are being implemented in order to successfully utilize 
all three alternatives. Examples of privacy-risk mitigation efforts 
include strong access controls to Exit devices, limited retention of 
data on the devices, privacy training for Exit workstation attendants, 
and encryption. These efforts added greater costs and complexity, but 
enabled operational needs to be satisfied in a privacy-protective 
manner.
Increment 2C--RFID at Land Ports of Entry
    The requirement to facilitate land border traffic while capturing 
information about entries and exits has led to DHS developing a proof 
of concept for using RFID technology. In addition, US-VISIT has 
developed a new component system of records, the Automated 
Identification Management System (AIDMS), to enable the use of RFID 
tags for automatically recording entry and exit information at land 
border POEs.
    Increment 2C will provide the capability to automatically, 
passively, and remotely record the entry and exit of RFID tags issued 
to covered individuals. For purposes of the proof of concept, the RFID 
tags will be embedded in the Forms I-94, Arrival/Departure documents 
and use a unique ID number to associate the I-94 holders with entry and 
exit data at U.S. land border POEs and link that information with 
biographic information for CBP officers to review. US-VISIT conducted 
an operational alternatives assessment and determined that passive RFID 
technology best satisfied the following defined criteria:
     Protect personal privacy by controlling the use of 
personal information outside of DHS systems and minimizing the 
surreptitious tracking of travelers outside the port of entry.
     The chosen technology and business process should require 
no direct action on the part of the traveler, driven by the need not to 
impede traveler movement across the border while facilitating 
legitimate travel and trade.
     Manage traveler border crossings from a distance, driven 
by the need to detect traveler departures while minimally impacting the 
unconstrained POE setting.
     No increase in wait times as a result of implementation.
     No degradation in level of service for exit lanes.
     No significant degradation in traffic patterns.
     Chosen technology should be currently commercially 
available and not require significant time or levels of research and 
development for deployment.
     Chosen technology should support ease of use, be compact 
in size, and not require any maintenance by the part of the traveler.
    A solution incorporating passive RFID technology would not increase 
wait times, degrade the level of service at exit or degrade traffic 
patterns since the passive RFID tag could be read automatically with 
minimal need for traveler participation. Passive RFID, in this 
application, will also protect personal privacy by reading only a 
unique number from an embedded chip in a new Form I-94 that will be 
issued to travelers. The chip does not contain any information about 
the individual traveler--it contains only a unique code number linked 
to the specific Form I-94 for that specific traveler and the entry/exit 
data recorded in DHS systems. Passive RFID also minimizes privacy 
impacts and significantly reduces the chance of travelers being 
surreptitiously tracked in that it does not constantly transmit 
information or beacon a signal. Passive RFID does not require batteries 
or activation for use and does not cause undue burden or inconvenience 
on the traveler.

[[Page 39311]]

    Other alternatives considered consisted of Global Positioning 
System (GPS) devices and various forms of RFID. GPS and active forms of 
RFID, which constantly transmit signals, were eliminated on privacy 
grounds due to their ability to facilitate locational surveillance. 
This resulted in the decision to use the passive RFID option, which 
transmits information only when activated by a reader as the preferred 
alternative. While passive RFID is not without privacy risks, it 
presents a lower level of risk that can be substantially mitigated. 
Moreover, capturing RFID tag identification numbers that do not contain 
any personal information presents fewer privacy (including security) 
risks than collecting biometrics in the relatively open primary 
processing environment of a land border POE.
    A proof of concept is being conducted for the Increment 2C 
capability and will begin in August 2005. If the concept is proved to 
be successful, deployment to the 50 busiest land ports must be 
completed by December 31, 2007.

8. Summary and Conclusions

    This updated PIA focuses on changes to US-VISIT resulting 
principally from Increment 1B implementation of technology (Exit 
devices) and processes for recording the exit of covered individuals 
from air and sea ports; and the Increment 2C proof of concept for 
technology and processes for automatically recording the entry and exit 
of covered individuals at U.S. land border Ports of Entry (POEs) using 
Radio Frequency Identification (RFID)-enabled I-94.
    As a result of this analysis, it is concluded that:
     While most of the initial high-level design choices for 
US-VISIT were statutorily pre-determined, more recent design choices 
have been made so that privacy risks are either avoided or mitigated 
while meeting operational requirements;
     US-VISIT creates a pool of individuals whose personal 
information is at risk (covered individuals), which is effectively 
growing as a result of the expanded functionality, data sharing, and 
implementation of US-VISIT; but
     US-VISIT mitigates the specific privacy risks associated 
with its new functionality and increased data sharing through numerous 
mitigation efforts, including access controls, education and training, 
encryption, minimizing collection and use of personal information; and
     US-VISIT through its Privacy Officer and in collaboration 
with the DHS Chief Privacy Officer will continue to track and assess 
privacy issues throughout the life of the US-VISIT Program and will 
address those issues by adjusting existing and implementing new privacy 
risk mitigations as necessary.

Appendix A: List of References

1 Statutory Authorities

1.1 Statutory Authorities for Protection of Information and of 
Information Systems

5 U.S.C. 552, Freedom of Information Act (FOIA) of 1966, as Amended 
by Public Law No. 104-231, 110 Stat. 3048
5 U.S.C. 552a, Privacy Act of 1974, as Amended
Public Law 100-503, Computer Matching and Privacy Act of 1988
Public Law 107-347, E-Government Act of 2002, Section 208, Privacy 
Provisions, and Title III, Information Security (Federal Information 
Systems Management Act (FISMA))

1.2 Statutory Authorities for US-VISIT

Public Law 104-208, Illegal Immigration Reform and Immigrant 
Responsibility Act of 1996
Public Law 106-215, The Immigration and Naturalization Service Data 
Management Improvement Act of 2000 (DMIA)
Public Law 106-396, The Visa Waiver Permanent Program Act of 2000 
(VWPPA)
Public Law 107-56, The Uniting and Strengthening America by 
Providing Appropriate Tools Required to Intercept and Obstruct 
Terrorism Act
Public Law 107-173, Enhanced Border Security and Visa Entry Reform 
Act of 2002 (``Border Security Act'')

1.3 Federal Register Notices and Rules

Department of Homeland Security; Implementation of the United States 
Visitor and Immigrant Status Indicator Technology Program; Biometric 
Requirements, 69 FR 468 (January 5, 2004).
Department of Homeland Security; Border and Transportation Security; 
Notice to Aliens Included in the United States Visitor and Immigrant 
Status Indicator Technology System, 69 FR 46556 (August 3, 2004).
Department of Homeland Security; United States Visitor and Immigrant 
Status Indicator Technology Program; Authority to Collect Biometric 
Data From Additional Travelers and Expansion to the 50 Most Highly 
Trafficked Land Border Ports of Entry, 69 FR 53318 (August 31, 
2004).
Department of Homeland Security; United States Visitor and Immigrant 
Status Indicator Technology Program; Authority to Collect Biometric 
Data From Additional Travelers and Expansion to the 50 Most Highly 
Trafficked Land Border Ports of Entry, 69 FR 64964 (November 9, 
2004).

2 US-VISIT and Component Systems Documentation

Arrival Departure Information System Data Elements Document 
(Sensitive but Unclassified) (Draft), November 10, 2003.
Consolidated Functional Requirements Document, US-VISIT, Increment 
1, Information Technology Program Management Support, Draft, August 
28, 2003.
Consolidated Interface Control Document, US-VISIT, Increment 1, 
Draft, August 28, 2003.
DHS/ICE Baseline Security Requirements for Automated Information 
Systems, July 18, 2003.
DHS Sensitive Systems Policy Directive 4300A, March 31, 2005.
DoS--Department of Homeland Security Visa Applicant--US-VISIT/IDENT 
Lookup Interface Control Document, Version 1.0, Department of State, 
October 31, 2003.
ePassport Reader Request for Proposal, March 16, 2005.
ICE Security Requirements, printed October 30, 2003.
Increment 2C Operational Alternatives Assessment (Draft), US-VISIT, 
January 31, 2005.
Increment 2C Preliminary Design Review, US VISIT, March 28, 2005.
Increment 2C Proof of Concept--Phase 1 Functional Requirements 
Document, US VISIT, March 11, 2005.
Increment 2C RFID Feasibility Study--Final Report (Draft), US-VISIT, 
January 12, 2005.
Interagency Border Inspection System (IBIS) Security Features User 
Guide, Official Use Only, October 2, 2003.
IT Security Program Handbook, Version 2.1, Sensitive Systems, 
Department of Homeland Security, 4300A, July 26, 2004.
Privacy Risk Assessment for US VISIT EXIT (Draft), Version 3.0, 
March 23, 2005.
Security Evaluation Report (SER) for the Automated Biometric 
Identification System (IDENT), SMI-0039-SID-214-RG-40391, March 10, 
2003.
Security Evaluation Report (SER) for the Visa Waiver Permanent 
Program Act Support System Arrival Departure Information System 
(VWPPASS/ADIS), SMI-0039-SI-214-DTR-50446, October 8, 2003.
System of Records Notice for Arrival and Departure Information 
System (ADIS), DHS/ICE-CBP-001, 68 FR 69412 (December 12, 2003).
System of Records Notice for Enforcement Operational Immigration 
Records (ENFORCE/IDENT), DHS/ICE-CBP-CIS-001, 68 FR 69414 (December 
12, 2003).
System of Records Notice for Nonimmigrant Information System (NIIS), 
JUSTICE/INS-036, 68 FR 5048 (January 31, 2003).
System of Records Notice for Treasury Enforcement Communications 
System (TECS), TREASURY/CS.244, 63 FR 69865 (December 17, 1998).
Treasury Enforcement Communications System (TECS) Functional 
Security Requirements Document, United States Customs Service, 
February 20, 2003.
The United States Visitor and Immigrant Status Indicator Technology 
(US-VISIT) Program Increment 1 Concept of Operations: Process Flows 
and Operational Scenarios, Draft, July 15, 2003.
US-VISIT Information Brochure, undated.
US-VISIT Privacy Policy, November, 2003.
US-VISIT Program Overview (DHS briefing), undated.
US-VISIT Q&As: Background Information, Draft REV, October 17, 2003.

[[Page 39312]]

US-VISIT Redress Policy, April 15, 2004.

3 Related Guidance and Supporting Documentation

Federal Trade Commission, Privacy Online: A Report to Congress, 
June, 1998.
OMB Guidance for Implementing the Privacy Provisions of the E-
Government Act of 2002, Memorandum M-03-22, September 26, 2003.
Risk Management Guide for Information Technology Systems, NIST 
Special Publication 800-30, January 2002.
Roles for the National Institute of Standards and Technology (NIST) 
in Accelerating the Development of Critical Biometric Consensus 
Standards for U.S. Homeland Security and the Prevention of ID Theft, 
NIST, March 11, 2003.

Appendix B: List of Acronyms

AIDMS Automated Identification Management System
ADIS Arrival and Departure Information System
APIS Advance Passenger Information System
BLSR Baseline Security Requirements
CBP Customs and Border Protection
CIS Citizenship and Immigration Services
CLAIMS 3 Computer Linked Applications Information Management System
COA Class of Admission
CCD Consular Affairs Consolidated Database
CSRC Computer Security Resource Center
CVT Candidate Verification Tool
DHS Department of Homeland Security
DMIA Data Management Improvement Act
DoB Date of Birth
DocKey Document Key
DOS Department of State
ED Exit Device
ENFORCE Enforcement Operational Immigration Records
FBI Federal Bureau of Investigation
FIN Fingerscan Identification Number
FIPS Federal Information Processing Standard (140-2)
FOIA Freedom of Information Act
FRD Functional Requirements Document
GPS Global Positioning System
I&A Identification and Authentication
IAFIS Integrated Automated Fingerscan Identification System
IBIS Interagency Border Inspection System
ICD Interface Control Document
ICE Immigration and Customs Enforcement
ID Identifier
IDENT Automated Biometric Identification System
IFR Interim Final Rule
IIRIRA Illegal Immigration Reform and Immigrant Responsibility Act
IT Information Technology
LEO ED Law Enforcement Officer Exit Device
LPR Lawful Permanent Resident
MOU Memorandum of Understanding
NATO North Atlantic Treaty Organization
NIST National Institute of Standards and Technology
NIV Nonimmigrant Visa
OMB Office of Management and Budget
PA Privacy Act
PIA Privacy Impact Assessment
PICS Password Issuance Control System
POD Port of Departure
POE Port of Entry
Pub. L. Public Law
RFID Radio Frequency Identification
SER Security Evaluation Report
SEVIS Student and Exchange Visitor Information System
SM/I Systems Management and Integration
SOR System of Records
SORN System of Records Notice
SSN Social Security Number
STARS Service Technology Alliance Resources
TBD To Be Determined
TECS Treasury Enforcement Communications System
U.S.C. United States Code
USCIS United States Citizenship and Immigration Services
US-VISIT United States Visitor Immigrant Status Indicator Technology
VWP Visa Waiver Program
VWPPA Visa Waiver Permanent Program Act
VWPPASS Visa Waiver Permanent Program Act Support System
WAN Wide Area Network
W/S Workstation
WSA Workstation Attendant

Appendix C: Data Flows Detailed

    Pursuant to section 202 of the Enhanced Border Security and Visa 
Entry Reform Act of 2002, US-VISIT information will be integrated 
with other DHS databases and data systems, and US-VISIT information 
systems will be interfaced with data systems of other agencies US-
VISIT exchanges data on a routine basis with the Student and 
Exchange Visitor Information System (SEVIS), the Computer Linked 
Applications Information Management System (CLAIMS 3), and the State 
Department's Consular Affairs Consolidated Database (CCD). However, 
US-VISIT information is logically separated from other data and 
users on the component systems, which are not dedicated US-VISIT 
systems.
    Tables C-1 through C-4 detail the flows of personal information 
in US-VISIT. In general, internally generated administrative 
information (other than identifiers) that is associated with 
individuals is not included. However, information with special 
relevance for the treatment of individuals (e.g., Class of 
Admission) is included. Table C-1 defines sets of data elements that 
are handled as groups. To reduce complexity, the rest of the data 
flow tables refer, when appropriate, to these groups rather than to 
individual data elements. Table C-2 details the data flowing into 
and out of US-VISIT breaking it down by component system/
application. Table C-3 indicates what personal information 
individual US-VISIT processes are using and which systems/
applications are involved in those processes. Note that because the 
contexts of primary and secondary inspection are different for air/
sea POEs and land border POEs, Table C-3 refers instead to core and 
extended inspection. Table C-4 charts the flows of personal 
information between US-VISIT systems/applications and directly 
between US-VISIT systems/applications and selected other systems. A 
comprehensive assessment of external interfaces is underway. These 
tables facilitate analysis of the personal data requirements of US-
VISIT and identification of potentially unnecessary data collection 
or movement.

                       Table C-1.--Data Aggregates
------------------------------------------------------------------------
          Aggregate name                        Data elements
------------------------------------------------------------------------
DocKey............................   Complete name.
                                     Date of birth.
                                     Citizenship.
                                     Gender.
                                     Travel document.
                                    [cir] Type.
                                    [cir] Number.
                                    [cir] Date of issuance.
                                    [cir] Country of issuance.
                                     Fingerscan Identification
                                     Number (FIN).
                                     Biographic and biometric
                                     watch list hit/match.\1\

[[Page 39313]]

 
RFID Tag Traveler Profile.........   RFID Tag ID number.
                                     US-VISIT ID number.
                                     First name Middle name.
                                     Last name.
                                     Date of birth.
                                     Travel document type.
                                     Travel document ID number.
                                     Travel document country of
                                     issuance.
RFID Tag Read.....................   RFID Tag Location.
                                     Timestamp.
                                     RFID Tag status.
RFID Tag Read Event...............   RFID Tag ID number.
                                     Event ID number.
                                     Event type.
                                     Timestamp.
                                     Event location.
                                     Transaction ID.
                                     Equipment read ID numbers.
                                     Crossing direction.
Biometric Data....................   Fingerscans.
                                     Photograph.
Admission data....................   Class of admission.
                                     Admit until date.
Visa data.........................   First name.
                                     Last name.
                                     Visa.
                                    [cir] Class.
                                    [cir] Number.
                                    [cir] Entry (multiple or one time
                                     entry).
                                    [cir] Issuance date.
                                    [cir] Expiration date.
                                     Passport type.
                                     Passport number.
                                     Gender.
                                     Date of birth.
                                     Nationality.
Travel document data..............  Dependent on document type but may
                                     include
                                     Complete name.
                                     Document.
                                    [cir] Number.
                                    [cir] Date of issuance.
                                     Country of issuance.
Passenger manifest................   Complete name.
                                     Date of birth.
                                     Gender.
                                     Document.
                                    [cir] Country of issuance.
                                    [cir] Type.
                                    [cir] Number.
                                    [cir] Expiration date.
                                    [cir] Issue date.
                                     Nationality.
                                     Carrier code, number.
                                     Vessel seaport.
                                     Vessel name.
                                     PNR Number.
                                     Arrival country, airport.
                                     Departure country, airport.
                                     Arrival date & time/
                                     Departure date.
                                     U.S. destination address.
                                     Passenger status, status
                                     code.
I-94 data.........................   Complete name.
                                     Date of birth.
                                     Citizenship.
                                     Gender.
                                     Passport number.
                                     Country of residence.
                                     Departure city.
                                     Visa city of issuance.
                                     Visa data of issuance.
                                     U.S. destination address.

[[Page 39314]]

 
Visa application..................   State Department case ID.
                                     Applicant ID.
                                     Complete name.
                                     Gender.
                                     Date of birth.
                                     Country of birth.
                                     Nationality.
                                     Passport.
                                    [cir] Number.
                                    [cir] Type.
                                    [cir] Date of issuance.
                                    [cir] Country of issuance.
                                    [cir] City of issuance.
                                    [cir] Expiration date.
                                     Visa type.
                                     Visa class.
Encounter data....................   Encounter date and time.
                                     Encounter applicant ID.
                                     Travel document.
                                    [cir] Type.
                                    [cir] Country of issuance.
                                    [cir] Number.
                                     Date of birth.
                                     Eye color.
                                     Hair color.
                                     Height.
                                     Complete name.
                                     Nationality.
                                     Country of birth.
                                     Race.
                                     Gender.
                                     Weight.
                                     State Department ID.
Audit log.........................   User ID.
                                     Date and time.
                                     System actions.
------------------------------------------------------------------------
\1\ This information is not retained in the event of a false positive.


         Table C-2.--US-VISIT Data In/Out by System/Application
------------------------------------------------------------------------
     System/application              Data In              Data Out
------------------------------------------------------------------------
TECS........................  Passenger manifest,   Visa data (NIV),
                               admission data,       passenger manifest,
                               photo (NIV), visa     DocKey (including
                               data (NIV), DocKey,   biographic watch
                               RFID tag Traveler     list hit/match),
                               Profile, RFIG tag     photo (NIV),
                               Event Read, RFID      admission data,
                               tag Read.             audit log, RFID tag
                                                     Traveler Profile,
                                                     RFID tag Event
                                                     Read, RFID tag
                                                     Read.
IDENT.......................  DocKey, photo,        DocKey (including
                               fingerscans,          watch list hit/
                               biographic data       match),
                               (watch list           fingerscans, audit
                               updates).             log.
ADIS........................  Passenger manifest,   DocKey, complete
                               admission data,       name, DoB, gender,
                               DocKey, complete      nationality, visa
                               name, DoB, gender,    type, visa number,
                               country of birth,     passport number,
                               nationality, U.S.     country of
                               destination           issuance, POE,
                               address, visa         entry date, POD,
                               class, visa number,   departure date,
                               passport number,      SEVIS ID, SEVIS
                               country of            status, status
                               issuance, SSN \1\,    change date, audit
                               alien number, I-94    log.
                               number, POE, entry
                               date, POD,
                               departure date,
                               admission data,
                               (current/
                               requested), case
                               status, SEVIS
                               status change date,
                               SEVIS ID (current/
                               requested), RFID
                               tag Traveler
                               Profile, RFID tag
                               Event Read, RFID
                               tag Read.
Workstation.................  Travel document       Updated passenger
                               data, visa data,      manifest, DocKey,
                               passenger manifest,   photo, fingerscans,
                               DocKey, (including    admission data, I-
                               biograhic and         94 data.
                               biometric watch
                               list hit/match),
                               photo, fingerscans,
                               admission data, I-
                               94 data.
Exit Device.................  Travel document       Travel document data
                               data, biometric.      data, biometric
                                                     data.
Law Enforcement Officer Exit  Travel document       Travel document
 Device.                       data, biometric       data, biometric
                               data.                 data, verification
                                                     of identity, watch
                                                     list hits.
Candidate Verification Tool   Candidate & subject   Verification
 (CVT).                        fingerscans, FINs,    decision.
                               photos,
                               verification
                               history.
Secondary Inspection Tool...  Encounter data, FIN
                               (previous
                               encounter).
AIDMS.......................  RFID tag Traveler     RFID tag Traveler
                               profile, RFID tag     Profile, RFID tag
                               Read, RFID tag Read   Read, RFID tag Read
                               Event.                Event.
------------------------------------------------------------------------
\1\ Received from CLAIMS 3 for non-immigrants authorized to work.


[[Page 39315]]


                                  Table C-3.--US-VISIT Processes and Data Usage
----------------------------------------------------------------------------------------------------------------
             Process                       Subprocess            System/application            Data usage
----------------------------------------------------------------------------------------------------------------
Pre-Arrival......................  Visa application check...  TECS, IDENT.............  Visa application, photo,
                                                                                         fingerscans, FIN.
                                   Manifest data check......  TECS....................  Passenger manifest.
                                   Biographical watchlist     TECS....................  Passenger manifest.
                                    check.
                                   Visa data check..........  TECS....................  Passenger manifest, visa
                                                                                         data (NIV).
                                   Passenger list analysis..  TECS....................  Results of passenger
                                                                                         manifest, biographical
                                                                                         watch list, and visa
                                                                                         data checks.
Arrival (core)...................  Biometric verification...  IDENT, Workstation......  DocKey, fingerscans.
                                   Biometric watch list       IDENT, Workstation......  DocKey, fingerscans.
                                    check.
                                   Document--visa comparison  TECS, Workstation.......  Travel document data,
                                                                                         visa data (NIV), photo
                                                                                         (NIV).
                                   Manifest/Admission update  TECS, ADIS Workstation..  Passenger, manifest,
                                                                                         admission data.
                                   I-94 data entry..........  Workstation.............  I-94 data.
Arrival (extended)...............  Queries..................  IDENT, Secondary          Encounter data, complete
                                                               Inspection Tool.          name, gender, DoB, doc
                                                                                         type, number, and
                                                                                         country of issuance,
                                                                                         FIN (previous
                                                                                         encounter).
                                   Admission update.........  TECS, ADIS, Workstation.  DocKey, admission data.
                                   Biometric comparison and   TECS, Workstation.......  Visa data (NIV), photo
                                    document authentication.                             (NIV).
Departure........................  Biometric verification...  IDENT, Exit Device......  DocKey, fingerscans.
                                   Biometric watch list       IDENT, Exist Device.....  DocKey, fingerscans.
                                    check.
Arrival/Departure reconciliation.  Arrival/Departure          ADIS....................  Passenger manifest,
                                    correlation.                                         admission data.
                                   Change of status.........  ADIS....................  Complete name, DoB,
                                                                                         gender, nationality,
                                                                                         visa type, visa number,
                                                                                         passport number,
                                                                                         country of issuance,
                                                                                         POE, entry data, POD,
                                                                                         departure data,
                                                                                         admission data, SEVIS
                                                                                         ID, SEVIS status,
                                                                                         status change date.
Watch list hit/match verification  .........................  IDENT, Candidate          Candidate & Subject
                                                               Verification Tool (CVT).  fingerscans, FINs,
                                                                                         photos, verification
                                                                                         history.
Audit log capture................  .........................  TECS, IDENT, ADIS, AIDMS  User, data and time,
                                                                                         system actions.
----------------------------------------------------------------------------------------------------------------


[[Page 39316]]

[GRAPHIC] [TIFF OMITTED] TN07JY05.035


[[Page 39317]]

[GRAPHIC] [TIFF OMITTED] TN07JY05.038


[[Page 39318]]

[GRAPHIC] [TIFF OMITTED] TN07JY05.036


[[Page 39319]]

[GRAPHIC] [TIFF OMITTED] TN07JY05.037


[[Page 39320]]

Draft

Appendix D: Security Safeguards for Privacy Protection Detailed

    NIST Special Publication 800-30, Risk Management Guide for 
Information Technology Systems (January 2002) identifies classes of 
safeguards for information system security. Technical safeguards are 
applied (1) within component systems, (2) to communications between 
component systems, and (3) at interfaces between component systems 
and external (i.e., non-US-VISIT) systems. Physical safeguards are 
generally provided by the facilities in which component systems are 
housed. Administrative and procedural safeguards are provided by 
rules of behavior, as discussed in Section 4 above.
    The table below provides greater detail on the various physical 
and electronic measures employed to counter the various threats to 
the US-VISIT Program. Compliance of ADIS, the Passenger Processing 
Component of TECS, IDENT, AIDMS, and the POE workstations with ID-
4300A, the BLSR, and the DHS Physical Security Handbook is assumed. 
As reflected in the table, the same safeguards can mitigate many 
different threats.

                           Table D-1.--Privacy Threats and Mitigation Methods Detailed
----------------------------------------------------------------------------------------------------------------
                                       Architectural
         Nature of threat                placement            Safeguard                    Mechanism
----------------------------------------------------------------------------------------------------------------
Intentional physical threats from  ADIS................  Physical protection  The ADIS database and application
 unauthorized external entities.                                               is maintained at a Department of
                                                                               Justice Data Center. Physical
                                                                               controls of that facility (e.g.,
                                                                               guards, locks) apply and prevent
                                                                               entry by unauthorized entities.
Intentional physical threats from  Passenger Processing  Physical protection  The Passenger Processing Component
 unauthorized external entities.    Component of TECS.                         of TECS is maintained on a
                                                                               mainframe by CBP. Physical
                                                                               controls of the TECS facility
                                                                               (e.g., guards, locks) apply and
                                                                               prevent entry by unauthorized
                                                                               entities.
Intentional physical threats from  IDENT...............  Physical protection  IDENT is maintained on an IBM
 unauthorized external entities.                                               cluster at a Department of
                                                                               Justice Data Center. Physical
                                                                               controls of the facility (e.g.,
                                                                               guards, locks) apply and prevent
                                                                               entry by unauthorized entities.
Intentional physical threats from  POE Workstation,      Physical protection  Physical controls may be specific
 unauthorized external entities.    Exit Device.                               to each POE. Assumed to be in
                                                                               compliance with BLSR and DHS
                                                                               Handbook 4300A.
Intentional physical threats from  AIDMS...............  Physical protection  Physical controls may be specific
 unauthorized external entities.                                               to each POE. The AIDMS central
                                                                               server will be in a US-VISIT data
                                                                               center. All locations are assumed
                                                                               to be in compliance with BLSR and
                                                                               DHS Handbook 4300A.
Intentional and unintentional      US-VISIT-wide.......  Technical            User identifier and password,
 electronic threats from                                  protection:          managed by the Password Issuance
 authorized (internal and                                 Identification and   Control System (PICS) and the
 external) entities.                                      authentication       LDAP System. Role-based access
                                                          (I&A).               schema and auditing capabilities
                                                                               also in place.
                                                                              Issue to be addressed during
                                                                               system integration: Define
                                                                               procedures for correlation among
                                                                               different user identifiers
                                                                               (issued by PICS, LDAP and the
                                                                               legacy mechanisms in ADIS, the
                                                                               Passenger Processing Component of
                                                                               TECS, IDENT, and the POE
                                                                               workstations) to facilitate
                                                                               tracking and investigation of
                                                                               activities by individual
                                                                               users.\13\
Intentional and unintentional      ADIS................  Technical            User identifier and password in
 electronic threats from                                  protection: I&A.     concert with role based access
 authorized (internal and                                                      control and audit mechanisms to
 external) entities.                                                           respond appropriately as
                                                                               required.
Intentional and unintentional      IDENT...............  Technical            User identifier and password in
 electronic threats from                                  protection: I&A.     concert with role based access
 authorized (internal and                                                      control and audit mechanisms to
 external) entities.                                                           respond appropriately as
                                                                               required.
Intentional and unintentional      Passenger Processing  Technical            User identifier and password in
 electronic threats from            Component of TECS.    protection: I&A.     concert with role based access
 authorized (internal and                                                      control and audit mechanisms to
 external) entities.                                                           respond appropriately as
                                                                               required.
Intentional and unintentional      POE Workstation.....  Technical            User identifier and password in
 physical and electronic threat                           protection: I&A.     concert with role based access
 from unauthorized external                                                    control and audit mechanisms to
 entities.                                                                     respond appropriately as
                                                                               required. US-VISIT, Increment 2
                                                                               client software runs on Windows
                                                                               2000 workstations connected to
                                                                               the DHS network, with associated
                                                                               policies and procedures.
Intentional and unintentional      Exit Device.........  Technical            User identifier and password in
 electronic threats from                                  protection: I&A.     concert with role based access
 authorized (internal and                                                      control and audit mechanisms to
 external) entities.                                                           respond appropriately as
                                                                               required.
Intentional and unintentional      AIDMS...............  Technical            Role based access control and
 electronic threats from                                  protection: I&A.     audit mechanisms to respond
 authorized (internal and                                                      appropriately as required.
 external) entities.
Intentional and unintentional      ADIS................  Technical            Enforced by database management
 electronic threats from                                  protection:          system, via ADIS application
 authorized (internal and                                 Authorization and    interface.
 external) entities.                                      access control.
Intentional and unintentional      IDENT...............  Technical            Enforced by database management
 electronic threat from                                   protection:          system, via IDENT application
 authorized (internal and                                 Authorization and    interface.
 external) entities.                                      access control.

[[Page 39321]]

 
Intentional and unintentional      Passenger Processing  Technical            Enforced by database management
 electronic threat from             Component of TECS.    protection:          system via IBIS application
 authorized (internal and                                 Authorization and    interface.
 external) entities.                                      access control.
Intentional and unintentional      POE Workstation.....  Technical            Access to US-VISIT client
 physical and electronic threat                           protection:          applications is authorized, given
 from unauthorized external                               Authorization and    that access to the workstation is
 entities.                                                access control.      granted. Access controls to US-
                                                                               VISIT data on ADIS, TECS, and
                                                                               IDENT are enforced by the other
                                                                               component systems.
Intentional and unintentional      Exit Device.........  Technical            Access to US-VISIT client
 physical and electronic threat                           protection:          applications is authorized, given
 from unauthorized external                               Authorization and    that access to the Exit devices
 entities.                                                access control.      is granted.
Intentional and unintentional      AIDMS...............  Technical            Enforced by database management
 physical and electronic threat                           protection:          system.
 from unauthorized external                               Authorization and
 entities.                                                access control.
Intentional electronic and         ADIS, IDENT,          Technical            Assumed to be in compliance with
 physical threat from internal      Passenger             protection: Object   BLSR and DHS Handbook 4300A.
 entities.                          Processing            reuse (identified
                                    Component of TECS.    under system
                                                          protections).
Intentional electronic and         POE Workstation,      Technical            Issue to be addressed during
 physical threat from external      Exit Device.          protection:          system integration: How to ensure
 entities.                                                Residual             residual information protection
                                                          information          on the POE Workstation for
                                                          protection.          transient objects containing
                                                                               biometric or biographic
                                                                               information. See Encryption,
                                                                               below. \14\
Intentional electronic and         Exit Device.........  Technical            Since individual devices are
 physical threat from external                            protection:          projected to handle approximately
 entities.                                                Residual             500 transactions per day, in the
                                                          information          case of a breach or exposure of
                                                          protection.          data, the number of affected
                                                                               records will be minimal.
                                                                              Information to be retained only
                                                                               until a transaction is complete,
                                                                               then immediate transmission of
                                                                               captured data to the appropriate
                                                                               server.
                                                                              Use of FIPS 140-2 compliant
                                                                               encryption of stored data on each
                                                                               device.
Intentional electronic and         Registered Traveler   Technical            Daily changing of encryption keys
 physical threat from external      receipt from Exit     protection.          along with NIST-approved
 entities.                          Device.                                    encryption to be utilized.
Intentional physical and           POE Workstation.....  Technical            Issue to be addressed during
 electronic threats from external                         protection:          system integration: How will
 entities.                                                Encryption.          encryption be used to protect
                                                                               transiently stored biometric and
                                                                               biographic information? Will
                                                                               encryption address the residual
                                                                               information concern?
Intentional physical and           Exit Device.........  Technical            Daily changing of encryption keys
 electronic threats from external                         protection:          along with NIST-approved
 entities.                                                Encryption.          encryption to be utilized.
Intentional electronic threat      US-VISIT internal     Technical            Internal communications occur over
 from authorized and unauthorized   communication         protection:          the secured DHS WAN. The ICD
 entities.                          (between POE          Protected            states that exchange of data
                                    workstation,          communications and   between all systems will be
                                    Passenger             transaction          accomplished by a message queuing
                                    Processing            privacy.             service, using IBM Websphere
                                    Component of TECS,                         MQSeries. Websphere SSL and/or
                                    ADIS, IDENT, and                           PKI capabilities are not
                                    AIDMS).                                    currently used, but provide
                                                                               potential future capability for
                                                                               additional protection of the
                                                                               privacy of US-VISIT transactions.
Intentional electronic threat      US-VISIT              Technical            At times, communications may occur
 from authorized and unauthorized   communication         protection:          over non-government-owned
 entities.                          (between POE          Encryption.          external networks. Two
                                    workstation, and                           communication paths exist within
                                    Passenger                                  the server for data transmission.
                                    Processing                                 Encryption of data, utilizing a
                                    Component of TECS,                         FIPS 140-2-strength encryption
                                    ADIS, IDENT, and                           schema for data passage provides
                                    AIDMS).                                    data protection.

[[Page 39322]]

 
Intentional and unintentional      US-VISIT-wide,        Technical            Any US-VISIT-specific audit trail
 electronic threat from             Passenger             protection: Audit.   requirements will be determined
 authorized entities.               Processing                                 and documented as part of the US-
                                    Component of TECS,                         VISIT, Increment 1 Release 2
                                    ADIS, and IDENT.                           requirements/design phase.
                                                                              Issue to be addressed during
                                                                               integration: Define procedures
                                                                               for use of the auditing
                                                                               capabilities of the Passenger
                                                                               Processing Component of TECS,
                                                                               ADIS, and IDENT, as well as
                                                                               Websphere, to facilitate tracking
                                                                               and investigation of transactions
                                                                               that span component systems?
Intentional and unintentional      Exit Device.........  Technical            Identification and Authentication
 electronic threat from                                   protection: Audit.   of authorized users by individual
 authorized entities.                                                          mobile device is in place.
Intentional and unintentional      POE Workstation.....  Technical            The US-VISIT, Increment 1 FRD
 electronic threat from external                          protection: Audit.   requires that the IDENT Client
 and internal entities.                                                        System capture the user ID of the
                                                                               user collecting biometric and
                                                                               biographic information, and of
                                                                               the user submitting transactions
                                                                               to the Enforcement Integrated
                                                                               Database.
                                                                              Issues to be addressed during
                                                                               integration:
                                                                               How will the captured
                                                                               data on the client be protected
                                                                               against modification or deletion?
                                                                               If this captured data is
                                                                               considered to be a local audit
                                                                               trail (rather than a component of
                                                                               a store-and-forward transaction,
                                                                               deleted when the transaction is
                                                                               submitted), how and on what
                                                                               system will audit data from
                                                                               multiple clients be aggregated?
Intentional electronic threats     External interfaces.  Technical            Not specified. For US-VISIT
 from authorized and unauthorized                         protection:          Increment 1,
 external entities.                                       Boundary             Passenger Processing
                                                          protection (e.g.,    Component of TECS interfaces is
                                                          firewall, guard).    internal to US-VISIT.
                                                                               ADIS interfaces with
                                                                               SEVIS and CLAIMS 3.
                                                                               IDENT interfaces with
                                                                               IAFIS via the IDENT/IAFIS Gateway
                                                                               Server interface, Production
                                                                               IDENT, and the Department of
                                                                               State Consular Affairs
                                                                               Consolidated Database.
Intentional electronic threats     Registered Traveler   Technical            Human readable information is
 from authorized and unauthorized   receipt generated     protection.          minimized for viewing. Sub-
 external entities.                 from Exit Device.                          optimal stores of biometric
                                                                               information are employed. Non-
                                                                               human readable information is
                                                                               encrypted.
Unintentional electronic and       External interfaces.  Administrative       Memoranda of Understanding with
 physical threats from authorized                         protection:          appropriate parties have been
 external entities.                                       Routine use          completed. Agreements currently
                                                          agreements.          exist with the Department of
                                                                               State and the FBI.
Intentional electronic threats     Exit Device.........  Administrative       Warnings need to be posted in
 from authorized and unauthorized                         protection.          appropriate traveler literature.
 external entities.
Intentional electronic threats     Exit Device.........  Administrative/      Provision of training and
 from authorized and unauthorized                         Procedural           awareness for Workstation
 external entities.                                       protection.          Attendants is required.
----------------------------------------------------------------------------------------------------------------
\13\ Access to information on the system depends on, and accountability for user actions is ensured by, I&A of
  users. As indicated in the table, US-VISIT components provide user ID/password mechanisms. US-VISIT is moving
  to a single client with a single sign-on capability that will be controlled using role-based access with user
  IDs and complex passwords. Until that solution is implemented there are both role-based access controls and
  multiple logons to access various component systems.
\14\ Some Port of Entry (POE) workstations and Exit Devices will store various personal information, if only
  transiently.
Accountability for user actions is ensured by audit mechanisms. ADIS, the Passenger Processing Component of
  TECS, and IDENT provide auditing. The US-VISIT, Increment 1 Functional Requirements Document (FRD) states two
  audit requirements on the IDENT Client:
RTM 8.3-10 ``The IDENT Client System shall capture the user ID of the user collecting store-and-forward
  biographic and biometric information.''
RTM 8.3-20 ``The IDENT Client System shall capture the user ID of the user submitting store-and-forward
  transactions to the EID.''
Captured information is cached and retained in the workstation even after the encounter ends. It is not deleted
  until the authorized user logs out of the workstation. As a result of this approach, the risk arises that the
  captured user ID could be modified while stored on the workstation, thus impairing DHS's ability to ensure
  compliance with rules of behavior and impose penalties for noncompliance.

Draft

Appendix E: Privacy Threats and Mitigations

[[Page 39323]]



     Table E-1.--Overview of Privacy Threats and Mitigation Measures
------------------------------------------------------------------------
                                                     Type of measures to
       Type of threat            Description of       counter/mitigate
                                     threat                threat
------------------------------------------------------------------------
Unintentional threats from    Unintentional         These threats are
 insiders \15\.                threats include       addressed by a
                               gaps in the privacy   privacy policy
                               policy; mistakes in   consistent with
                               information system    Fair Information
                               design,               Practices, laws,
                               development,          regulations, and
                               integration,          OMB guidance; (b)
                               configuration, and    defining
                               operation; and        appropriate
                               errors made by        functional and
                               custodians (i.e.,     interface
                               personnel of          requirements;
                               organizations with    development,
                               custody of the        integrating, and
                               information). These   configuring the
                               threats can be        system in
                               physical (e.g.,       accordance with
                               leaving documents     these requirements
                               in plain view) or     and best security
                               electronic in         practices; and
                               nature. These         testing and
                               threats can result    validating the
                               in insiders being     system against
                               granted access to     those requirements;
                               information for       and (c) providing
                               which they are not    clear operating
                               authorized or not     instructions and
                               consistent with       training to users
                               their                 and system
                               responsibility.       administrators.
Intentional threat from       Threat actions can    These threats are
 insiders.                     be characterized as   addressed by a
                               improper use of       combination of
                               authorized            technical
                               capabilities (e.g.,   safeguards (e.g.,
                               browsing, removing    access control,
                               information from      auditing, and
                               trash) and            anomaly detection)
                               circumvention of      and administrative
                               controls to take      safeguards (e.g.,
                               unauthorized          procedures,
                               actions (e.g.,        training).
                               removing data from
                               a workstation that
                               has been not been
                               shut off)..
Intentional and               Intentional: Threats  These threats are
 unintentional threats from    can be                addressed by
 authorized external           characterized as      technical
 entities \16\.                improper use of       safeguards (in
                               authorized            particular,
                               capabilities (e.g.,   boundary controls
                               misuse of             such as firewalls)
                               information           and administrative
                               provided by (US-      safeguards in the
                               VISIT) and            form of periodic
                               circumvention of      privacy policy and
                               controls to take      practice compliance
                               unauthorized          audits and routine
                               actions (e.g.,        use agreements and
                               unauthorized access   memoranda of
                               to system)..          understanding which
                              Unintentional: Flaws   require external
                               in privacy policy     entities (a) to
                               definition;           conform with the
                               mistakes in           rules of behavior
                               information system    and (b) to provide
                               design,               safeguards
                               development,          consistent with, or
                               integration,          more stringent
                               configuration, and    than, those of the
                               operation; and        system or program.
                               errors made by
                               custodians.
Intentional threats from      Threats actions can   These threats are
 external unauthorized         be characterized by   addressed by
 entities.                     mechanism: physical   physical
                               attack (e.g., theft   safeguards,
                               of equipment),        boundary controls
                               electronic attack     at external
                               (e.g., hacking or     interfaces,
                               other unauthorized    technical
                               access,               safeguards (e.g.,
                               interception of       identification and
                               communications),      authentication,
                               and personnel         encrypted
                               attack (e.g.,         communications),
                               social engineering).  and clear operating
                                                     instructions and
                                                     training for users
                                                     and systems
                                                     administrators.
------------------------------------------------------------------------
\15\ Here, the term ``insider'' is intended to include individuals
  acting under the authority of the system owner or program manager.
  These include users, system administrators, maintenance personnel, and
  others authorized for physical access to system components.
\16\ These include individuals and systems that are not under the
  authority of the system owner or program manager, but are authorized
  to receive information from, provide information to, or interface
  electronically with the system.

[FR Doc. 05-13371 Filed 7-5-05; 8:45 am]
BILLING CODE 4410-10-C