[Federal Register Volume 76, Number 234 (Tuesday, December 6, 2011)]
[Notices]
[Pages 76215-76217]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2011-31270]
=======================================================================
-----------------------------------------------------------------------
DEPARTMENT OF STATE
[Public Notice 7709]
Privacy Act; System of Records: State-78, Risk Analysis and
Management Records
SUMMARY: Notice is hereby given that the Department of State proposes
to create a system of records, Risk Analysis and Management Records,
State-78, pursuant to the provisions of the Privacy Act of 1974, as
amended (5 U.S.C. 552a) and Office of Management and Budget Circular
No. A-130, Appendix I.
DATES: This system of records will be effective on January 17, 2012,
unless we receive comments that will result in a contrary
determination.
ADDRESSES: Any persons interested in commenting on the new system of
[[Page 76216]]
records may do so by writing to the Director; Office of Information
Programs and Services, A/GIS/IPS; Department of State, SA-2; 515 22nd
Street NW.; Washington, DC 20522-8001.
FOR FURTHER INFORMATION CONTACT: Director; Office of Information
Programs and Services, A/GIS/IPS; Department of State, SA-2; 515 22nd
Street NW.; Washington, DC 20522-8001.
SUPPLEMENTARY INFORMATION: The Department of State proposes that the
new system will be ``Risk Analysis and Management Records.'' The
proposed system will support the vetting of directors, officers, or
other employees of organizations who apply for Department of State
contracts, grants, cooperative agreements, or other funding. The
information collected from these organizations and individuals is
specifically used to conduct screening to ensure that Department funds
are not used to provide support to entities or individuals deemed to be
a risk to U.S. national security interests. The records may contain
criminal investigation records, investigatory material for law
enforcement purposes, and confidential source information.
The Department's report was filed with the Office of Management and
Budget. The new system description, Risk Analysis and Management (RAM)
Records, State 78, will read as set forth below.
Dated: November 16, 2011.
Keith D. Miller,
Director, Office of Operations, Bureau of Administration, U.S.
Department of State.
STATE-78
SYSTEM NAME:
Risk Analysis and Management (RAM) Records.
SECURITY CLASSIFICATION:
Classified and Unclassified.
SYSTEM LOCATION:
Department of State, 2201 C Street NW., Washington, DC 20520; other
Department of State annexes, posts and missions abroad; and the United
States Agency for International Development (USAID), Office of
Security, 1300 Pennsylvania Avenue NW., Washington, DC 20523.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
The system covers key personnel of organizations who have applied
for contracts, grants, cooperative agreements or other funding from the
Department of State. These individuals may include but are not limited
to principal officers or directors, program managers, chief of party
for the program, and other individuals employed by the organization.
CATEGORIES OF RECORDS IN THE SYSTEM:
Unclassified information in this system includes, but is not
limited to: name, aliases, date and place of birth, gender (as shown in
a government-issued foreign or U.S. photo ID), citizenship(s),
government-issued identification information (including but not limited
to Social Security number if U.S. citizen or Legal Permanent Resident,
passport number, or any other numbers originated by a government that
specifically identifies an individual), mailing address, telephone
number(s), fax number, email address, current employer and job title.
The type of grant, U.S. dollar value of contract/grant, the contract/
grant start and end date, and the purpose of the contract/grant are
also contained in the system.
Classified information in this system includes, but is not limited
to: results generated from the screening of individuals covered by this
Notice; intelligence and law enforcement information related to
national security; and national security vetting and terrorism
screening information provided to the Department by other agencies.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
18 U.S.C. 2339A, 2339B, 2339C; 22 U.S.C. 2151 et seq.; Executive
Orders 13224, 13099 and 12947; and Homeland Security Presidential
Directive-6.
PURPOSE:
The information in the system supports the vetting of directors,
officers, or other employees of organizations who apply for Department
of State contracts, grants, cooperative agreements, or other funding.
The information collected from these organizations and individuals is
specifically used to conduct screening to ensure that Department funds
are not used to provide support to entities or individuals deemed to be
a risk to U.S. national security interests.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
Information may be disclosed to the United States Agency for
International Development (USAID) and to federal government agencies
for vetting programs.
The Department of State periodically publishes in the Federal
Register its standard routine uses which apply to all of its Privacy
Act systems of records. These notices appear in the form of a Prefatory
Statement. These standard routine uses apply to State-78, Risk Analysis
and Management Records.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING,
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
Records in this system are stored in both paper and electronic
format.
RETRIEVABILITY:
Records are retrieved by name, date and place of birth, government-
issued identifying numbers (such as Social Security numbers or passport
numbers), and solicitation number.
SAFEGUARDS:
The records are maintained in an authorized security container with
access limited to authorized government personnel and authorized
contractors. Physical security protections include guards and locked
facilities requiring badges. Only authorized government personnel and
authorized contractors can access records within the system. The
Department mandates and certifies that physical and technological
safeguards appropriate for classified and Sensitive but Unclassified
systems are used to protect the records against unauthorized access.
All authorized government personnel and authorized contractors with
access to the system must hold an appropriate security clearance, sign
a non-disclosure agreement, and undergo both privacy and security
training.
Classified and Sensitive but Unclassified paper records are kept in
an approved security container. Access to these records is limited to
those authorized government personnel and authorized contractors who
have a need for the records in the performance of their official
duties.
Electronic records are kept in a secure database. Access to the
records is restricted to those authorized government personnel and
authorized contractors with a specific role in the vetting process as
part of the performance of their official duties. The RAM database is
housed on and accessed from a Sensitive but Unclassified computer
network. Vetting requests, analyses, and results will be stored
separately on a classified computer network. Both computer networks and
the RAM database require a user identification name and password and
approval from the Office of Security. An audit trail is maintained and
periodically reviewed to monitor access to the system. When it is
determined that a user no longer needs access, the user account is
disabled.
[[Page 76217]]
Authorized government personnel and authorized contractors assigned
roles in the vetting process are provided role-specific training to
ensure that they are knowledgeable in how to protect personally
identifiable information. Access to the Department of State records
within the system will be controlled by the network firewall
configuration.
Within the Department of State, all users are given cyber security
awareness training which covers the procedures for handling Sensitive
but Unclassified information, including personally identifiable
information (PII). Annual refresher training is mandatory. In addition,
all Foreign Service and Civil Service employees and those Locally
Engaged Staff who handle PII are required to take the FSI distance
learning course instructing employees on privacy and security
requirements, including the rules of behavior for handling PII and the
potential consequences if it is handled improperly. Before being
granted access to RAM records, a user must first be granted access to
the Department of State computer system.
Remote access to the Department of State network from non-
Department owned systems is authorized only through a Department-
approved access program. Remote access to the network is configured
with the Office of Management and Budget Memorandum M-07-16 security
requirements, which include but are not limited to two-factor
authentication and time out function. All Department of State employees
and contractors with authorized access have undergone a thorough
background security investigation.
RETENTION AND DISPOSAL:
Records are retired in accordance with published Department of
State Records Disposition Schedules as approved by the National
Archives and Records Administration (NARA). More specific information
may be obtained by writing the Director; Office of Information Programs
and Services, A/GIS/IPS; Department of State, SA-2; 515 22nd Street,
NW., Washington, DC 20522-8001.
SYSTEM MANAGER(S) AND ADDRESS:
Office of Risk Analysis and Management, Department of State,
Washington, DC, 2201 C St. NW., Washington, DC 20520.
NOTIFICATION PROCEDURE:
Individuals who have cause to believe that Risk Analysis and
Management Records might have records pertaining to them should write
to the Director; Office of Information Programs and Services, A/GIS/
IPS, Department of State, SA-2; 515 22nd Street NW., Washington, DC
20522-8001. The individual must specify that he/she wishes the records
of the Risk Analysis and Management Records to be checked. At a
minimum, the individual must include: name; date and place of birth;
current mailing address and zip code; signature; and the approximate
dates of application for a contract, grant or other funding.
RECORD ACCESS PROCEDURES:
Individuals who wish to gain access to or amend records pertaining
to themselves should write to the Director, Office of Information
Programs and Services (address above).
CONTESTING RECORD PROCEDURES:
(See above.)
RECORD SOURCE CATEGORIES:
Information in this system is obtained from the application form
completed and submitted by an organization or individual applying for a
contract, grant, cooperative agreement, or other funding from the
Department of State. In the case of applications submitted by an
individual in his/her own capacity, the information will be collected
directly from the individual applicant. Information in this system may
also be obtained from public sources, agencies conducting national
security screening law enforcement and intelligence agency records, and
other government databases.
SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
Pursuant to 5 U.S.C. 552a(j)(2), records in this system may be
exempt from subsections (c)(3) and (4), (d), (e)(1), (2) and (3),
(e)(4)(G), (H), and (I), (e)(5) and (8), (f), (g) and (h) of the
Privacy Act. Pursuant to 5 U.S.C. 552a(k)(1), (k)(2), and (k)(5),
records in this system may be exempt from subsections 5 U.S.C.
552a(c)(3),(d), (e)(1), (e)(4)(G), (H), and (I), and (f) of the Privacy
Act.
If a record contains information from other exempt systems of
records, the Department of State will rely on the exemptions claimed
for those systems.
[FR Doc. 2011-31270 Filed 12-5-11; 8:45 am]
BILLING CODE 4710-24-P