[Federal Register Volume 71, Number 207 (Thursday, October 26, 2006)]
[Notices]
[Pages 62653-62654]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: E6-17973]


-----------------------------------------------------------------------

DEPARTMENT OF STATE

[Public Notice 5595]


STATE-72 Identity Management System (IDMS)

    Summary: Notice is hereby given that the Department of State 
proposes to create a new system of records, STATE-72, pursuant to the 
provisions of the Privacy Act of 1974, as amended (5 U.S.C. 552a), and 
Office of Management and Budget Circular No. A-130, Appendix I. The 
Department's report was filed with the Office of Management and Budget 
on October 23, 2006.
    It is proposed that the new system will be named "Identity 
Management System." This system description is proposed in order to 
support the Bureau of Diplomatic Security's (DS) administration of the 
Homeland Security Presidential Directive 12 Program that directs the 
use of a common identification credential for both logical and physical 
access to federally controlled facilities and information systems. The 
system description will reflect the DS personal identity verification 
(PIV) card record-keeping system, and Department of State 
identification card issuance activities and operations.
    Any persons interested in commenting on this new system of records 
may do so by submitting comments in writing to Margaret P. Grafeld, 
Director; Office of Information Programs and Services; A/ISS/IPS; 
Department of State, SA-2; Washington, DC 20522-8100. This system of 
records will be effective 40 days from the date of publication, unless 
we receive comments that will result in a contrary determination.
    This new system description, "Identity Management System, State-
72," will read as set forth below.

Raj Chellaraj,
Assistant Secretary for the Bureau of Administration, Department of 
State.

STATE-72

SYSTEM NAME:
    Identity Management System (IDMS)

SECURITY CLASSIFICATION:
    Sensitive But Unclassified

SYSTEM LOCATION:
    Data covered by this system is maintained at the following 
locations: Department of State; 2201 C Street, NW.; Washington, DC 
20520; domestic and overseas posts.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The system will cover (1) Current and former Department of State, 
U.S. Agency for International Development (AID), and Peace Corps 
employees; (2) other individuals who require regular, ongoing access to 
agency facilities, including but not limited to certain applicants for 
employment or contracts; federal employees of other agencies; 
contractors; students; interns; volunteers; affiliates and other 
individuals authorized to perform or use services provided in agency 
facilities (e.g., Credit Union, Fitness Center, etc.), and (3) 
individuals formerly in any of these positions.
    The system does not apply to occasional visitors or short-term 
guests to whom the Department of State will issue temporary 
identification and credentials.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records maintained on individuals issued identification by the 
Department of State include the following data fields: full name; 
Social Security number; date of birth; image (photograph); 
fingerprints; organization/office of assignment; company name; 
telephone number; Personal Identity Verification (PIV) card issue and 
expiration dates; personal identification number (PIN); PIV request 
form; PIV registrar approval signature; PIV card number; emergency 
responder designation (if applicable); copies of documents used to 
verify identification or information derived from those documents such 
as document title, document issuing authority, document number, 
document expiration date and other document information; level of 
national security clearance and date granted; computer system user 
name; authentication certificates; digital signature information.
    Records maintained on card holders entering Department of State 
facilities or using Department of State systems include: Name; PIV Card 
number; date, time, and location of entry and exit; company name; level 
of national security clearance and expiration date; digital signature 
information; and computer networks/applications/data accessed.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; Federal Information Security Act (Pub. L. 104-106, 
sec. 5113); Electronic Government Act (Pub. L. 104-347, sec. 203); the 
Paperwork Reduction Act of 1995 (44 U.S.C. Sec. 3501); and the 
Government Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 3504); 
Homeland Security Presidential Directive (HSPD) 12, Policy for a Common 
Identification Standard for Federal Employees and Contractors, August 
27, 2004; Federal Property and Administrative Act of 1949, as amended.

PURPOSE:
    The primary purposes of the system are: (a) To ensure the safety 
and security of Department of State facilities, systems, or 
information, and our occupants and users; (b) to verify that all 
persons entering federal facilities, using federal information 
resources, or accessing classified information are authorized to do so; 
(c) to track and control PIV cards issued to persons entering and 
exiting the facilities, using systems, or accessing classified 
information.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Information about covered individuals may be disclosed without 
consent as permitted by the Privacy Act of 1974, 5 U.S.C. 552a(b), and:
    (1) To a Federal, State, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947 as amended, the CIA Act of 1949 as amended, Executive Order 12333 
or any successor order, applicable national security directives, or 
classified implementing procedures approved by the Attorney General and 
promulgated pursuant to such statutes, orders or directives.
    (2) To notify another federal agency when, or verify whether, a PIV 
card is no longer valid.
    (3) To the news media or the general public, factual information 
the disclosure of which would be in the public interest and which would 
not constitute an unwarranted invasion of personal privacy, consistent 
with Freedom of Information Act standards. Also see "Routine Uses" of 
Prefatory Statement published in the Federal Register.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored in electronic media and in paper files.

RETRIEVABILITY:
    Records are retrievable by name; Social Security number; other 
identification number; PIV card number; image (photograph) and 
fingerprint.

SAFEGUARDS:
    Paper records are kept in locked cabinets in secure facilities and 
access to them is restricted to individuals whose role requires use of 
the records. The computer servers in which records are stored are 
located in facilities that are secured by alarm systems and off-master 
key access. The computer servers themselves are password-protected. 
Access by individuals working at guard stations is password-protected; 
each person granted access to the system at guard stations must be 
individually authorized to use the system. A Privacy Act Warning Notice 
appears on the computer screen prior to display of records containing 
information about individuals. Data exchanged between the servers and 
the client at the guard stations and badging office are encrypted. 
Backup tapes are stored in a locked and controlled room in a secure, 
off-site location.
    An audit trail is maintained and reviewed periodically to identify 
unauthorized access. Persons given roles in the PIV process must 
complete training specific to their roles to ensure they are 
knowledgeable about how to protect individually identifiable 
information.

RETENTION AND DISPOSAL:
    Records relating to persons' access covered by this system are 
retained, retired and destroyed in accordance with Department of State 
Records Disposition Schedules approved by NARA. More information may be 
obtained by writing the Director; Office of Information Programs and 
Services; SA-2, Department of State; 515 22nd Street; Washington, DC; 
20522-8100.
    In accordance with HSPD-12, Department of State Identification 
Cards are deactivated within 18 hours of cardholder separation, loss of 
card, or expiration. Department of State Identification Cards are 
destroyed by cross-cut shredding no later than 90 days after 
deactivation.

SYSTEM MANAGER(S) AND ADDRESS:
    Director; Domestic Facility Protection; Bureau of Diplomatic 
Security; Department of State; 2201 C Street, NW., 20522.

NOTIFICATION PROCEDURES:
    An individual can determine if this system contains a record 
pertaining to him/her by sending an originally signed request in 
writing, to the Director; Office of Information Programs and Services 
(address above).
    The individual must specify that he or she wants the Bureau of 
Diplomatic Security's Identity Management System to be checked. When 
requesting notification of or access to records covered by this Notice, 
an individual should provide his/her full name, date and place of 
birth, current mailing address and zip code, signature, brief 
description of the circumstances which may have caused the creation of 
the record, agency name, and work location in order to establish 
identity.

RECORDS ACCESS PROCEDURES:
    Same as notification procedures. Requesters should also reasonably 
specify the record contents being sought. Rules regarding access to 
Privacy Act records appear in 22 CFR part 171. If additional 
information or assistance is required, contact the Director (address 
above).

CONTESTING RECORD PROCEDURES:
    Same as notification procedures. Requesters should also reasonably 
identify the record, specify the information they are contesting, state 
the corrective action sought and the reasons for the correction along 
with supporting justification showing why the record is not accurate, 
timely, relevant, or complete. Rules regarding amendment of Privacy Act 
records appear in 22 CFR part 171. If additional information or 
assistance is required, contact the Director; Office of Information 
Programs and Services (address above).

RECORD SOURCE CATEGORIES:
    Employee, contractor, or applicant; sponsoring agency; former 
sponsoring agency; other federal agencies; contract employer; and 
former employer.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    None.

[FR Doc. E6-17973 Filed 10-25-06; 8:45 am]
BILLING CODE 4710-24-P