[Federal Register Volume 79, Number 146 (Wednesday, July 30, 2014)]
[Notices]
[Pages 44161-44165]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-17944]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF DEFENSE

Office of the Secretary

[Docket ID DoD-2014-OS-0115]


Privacy Act of 1974; System of Records

AGENCY: Department of Defense.

ACTION: Notice to add a new Privacy Act System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, the 
Office of the Secretary of Defense proposes to establish a new system 
of records for Continuous Evaluation (CE).\1\ These records will be 
used to conduct CE, as defined in Executive Order 13467, to: (1) 
Identify DoD-affiliated personnel who have engaged in conduct of 
security concern; (2) identify and initiate needed follow-on inquiries 
and/or investigative activity and enable security officials and 
adjudicators to determine and take appropriate actions; and (3) perform 
research, development, and analyses related to DoD's CE program. These 
analyses are conducted to: (a) Evaluate and improve DoD and Federal 
personnel security, insider threat,\2\ and other

[[Page 44162]]

background vetting and continuous evaluation procedures, programs, and 
policies; (b) assist in providing training, instruction, and advice on 
personnel security and insider threats, and assess continuing 
reliability of subjects; (c) encourage cooperative research within and 
among DoD Components, the Intelligence Community, and the Executive 
branch on initiatives having DoD or Federal Government-wide 
implications in order to ensure that appropriate information is shared 
efficiently when authorized to do so and to avoid duplication of 
efforts; (d) address items of special interest to personnel security 
officials within DoD Components, the Intelligence Community, and the 
Executive branch (e.g., evaluating responses to excessive indebtedness, 
auditing information to ensure individuals with mental health issues 
are being protected appropriately, monitoring numbers and types of 
security incidents); (e) conduct personnel security pilot test projects 
related to DoD's CE program for purposes of research and development.
---------------------------------------------------------------------------

    \1\ E.O. 13467 defines continuous evaluation as ``reviewing the 
background of an individual who has been determined to be eligible 
for access to classified information (including additional or new 
checks of commercial databases, Government databases, and other 
information lawfully available to security officials) at any time 
during the period of eligibility to determine whether that 
individual continues to meet the requirements for eligibility for 
access to classified information.''
    \2\ The November 21, 2012 Presidential Memorandum, ``National 
Insider Threat Policy and Minimum Standards for Executive Branch 
Insider Threat Programs'' identified insider threat programs as 
including the following: Monitoring user activity on U.S. government 
networks; continued evaluation of personnel security information; 
and employee awareness training on risks posed by malicious insiders 
and recognition of malicious behaviors.

DATES: Comments will be accepted on or before August 29, 2014. This 
proposed action will be effective the date following the end of the 
comment period unless comments are received which result in a contrary 
---------------------------------------------------------------------------
determination.

ADDRESSES: You may submit comments, identified by docket number and 
title, by any of the following methods:
    * Federal Rulemaking Portal: http://www.regulations.gov. Follow the 
instructions for submitting comments.
    * Mail: Federal Docket Management System Office, 4800 Mark Center 
Drive, East Tower, 2nd Floor, Suite 02G09, Alexandria, VA 22350-3100.
    Instructions: All submissions received must include the agency name 
and docket number for this Federal Register document. The general 
policy for comments and other submissions from members of the public is 
to make these submissions available for public viewing on the Internet 
at http://www.regulations.gov as they are received without change, 
including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT: Ms. Cindy Allard, Chief, OSD/JS 
Privacy Office, Freedom of Information Directorate, Washington 
Headquarters Service, 1155 Defense Pentagon, Washington, DC 20301-1155, 
or by phone at (571) 372-0461. The Office of the Secretary of Defense 
notices for systems of records subject to the Privacy Act of 1974 (5 
U.S.C. 552a), as amended, have been published in the Federal Register 
and are available from the address in FOR FURTHER INFORMATION CONTACT 
or at the Defense Privacy and Civil Liberties Office Web site at http://dpclo.defense.gov/.
    The proposed system report, as required by 5 U.S.C. 552a(r) of the 
Privacy Act of 1974, as amended, was submitted on June 30, 2014, to the 
House Committee on Oversight and Government Reform, the Senate 
Committee on Governmental Affairs, and the Office of Management and 
Budget (OMB) pursuant to paragraph 4c of Appendix I to OMB Circular No. 
A-130, ``Federal Agency Responsibilities for Maintaining Records About 
Individuals,'' dated February 8, 1996 (February 20, 1996, 61 FR 6427).

SUPPLEMENTARY INFORMATION: Further background: The DoD is implementing 
a program to help ensure that DoD-affiliated personnel who have been 
approved for eligibility for access to classified information or 
assignment to national security positions remain reliable, loyal, and 
trustworthy as well as non-threatening to the safety and well-being of 
the people they work with. The Department will implement CE based on 
signed consent of participants in compliance with the Privacy Act. 
System capabilities will be coordinated and aligned with the Office of 
the Director of National Intelligence as the Security Executive Agent 
pursuant to Executive Order 13467 and other Government agencies to 
ensure the development of a fully integrated, non-duplicative, and 
cost-effective CE solution that is implemented in accordance with 
Departmental and Federal law and policy.
    Following the 2013 Washington Navy Yard shooting, the President 
directed the Office of Management and Budget (OMB) to conduct, within 
120 days, a review of suitability and security clearance procedures for 
Federal employees and contractors. In response, OMB established an 
interagency review team to assess risks and vulnerabilities inherent in 
current security, suitability, and credentialing processes and 
identified solutions to safeguard our personnel and protect our 
nation's most sensitive information. The resulting report to the 
President committed the DoD to expanding its current CE pilots in FY14 
and expanding overall CE capability beginning in FY15. Concurrent with 
the OMB review, the Secretary of Defense directed internal and 
independent reviews to identify and recommend actions that address gaps 
or deficiencies in DoD programs, policies, and procedures regarding 
security at DoD installations and the issuance and renewal of security 
clearances for DoD and contractor personnel. On March 18, 2014, the 
Secretary of Defense approved the internal review's four resulting 
recommendations, including: Task 1--Implement Continuous Evaluation and 
Task 2--Establish the DoD Insider Threat Management and Analysis 
Center.
    To implement CE, the Department is developing an efficient and 
cost-effective technical solution that supplements existing Federal 
Investigative Standards and Departmental security processes (such as 
periodic reinvestigations and self-reporting) to more quickly and 
reliably identify and prioritize new information that gives cause to 
question whether individuals who are affiliated with the DoD should 
retain eligibility for access to classified information or be allowed 
unescorted access to controlled facilities. A technical CE solution 
will play a crucial role in improving personnel security and 
identifying potential insider threats.
    The CE capability will use automated records checks of 
authoritative commercial and Government data sources (e.g., criminal, 
financial, or credit records) consistent with source records' 
permissible uses and will flag issues of security concern when 
behaviors are detected that could potentially disqualify an individual 
for eligibility for access to classified information or assignment to 
national security positions. Disqualifiers within the realm of security 
clearance eligibility are described in the Federal Adjudicative 
Guidelines. The CE capability will utilize business rules that are 
aligned with these guidelines and the revised Federal Investigative 
Standards and will only be applied to personnel who have consented to 
CE.
    At all points during the development and implementation of the 
Department's CE solution, any issues related to privacy, civil 
liberties, and accuracy will be addressed and appropriate safeguards, 
consistent with national security, will be put into place.

    Dated: July 25, 2014.
Aaron Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
DMDC 17 DoD

System name
    Continuous Evaluation Records for Personnel Security.

[[Page 44163]]

System location
    Defense Manpower Data Center, DoD Center Monterey Bay, 400 Gigling 
Road, Seaside, CA 93955-6771.

Categories of individuals covered by the system
    DoD-affiliated individuals who have signed and submitted the March 
2010 or later version of the SF-86, ``Questionnaire for National 
Security Positions'' (SF-86) and have thereby agreed to be subject to 
Continuous Evaluation (CE).\3\ This includes: DoD civilian employees, 
military members (Active Duty, National Guard, and Reserve military 
service members of the Army, Navy, Marine Corps, and Air Force) or DoD-
cleared contractor employees with an active eligibility for access to 
classified information, or those who otherwise occupy national security 
positions.
---------------------------------------------------------------------------

    \3\ E.O. 13467 defines continuous evaluation as ``reviewing the 
background of an individual who has been determined to be eligible 
for access to classified information (including additional or new 
checks of commercial databases, Government databases, and other 
information lawfully available to security officials) at any time 
during the period of eligibility to determine whether that 
individual continues to meet the requirements for eligibility for 
access to classified information.''
---------------------------------------------------------------------------

Categories of records in the system
    Applicable records containing the following information about the 
individual subject to continuous evaluation may be maintained:
    a. Evidence of the individual's signed consent to continuous 
evaluation.
    b. Responses from official questionnaires (e.g., SF 86 
Questionnaire for National Security Positions) that include: Name, 
former names, and aliases; date and place of birth; social security 
number; height; weight; hair and eye color; gender; mother's maiden 
name; current and former home addresses, phone numbers, and email 
addresses; employment history; military record information; selective 
service registration record; residential history; education and degrees 
earned; names of associates and references with their contact 
information; citizenship; passport information; criminal history; civil 
court actions; prior security clearance and investigative information; 
results of prior continuous evaluation checks; mental health history; 
records related to drug and/or alcohol use; financial record 
information; information from the Internal Revenue Service pertaining 
to income tax returns; credit reports; the name, date and place of 
birth, social security number, and citizenship information for spouse 
or cohabitant; the name and marriage information for current and former 
spouse(s); the citizenship, name, date and place of birth, and address 
for relatives; information on foreign contacts and activities; 
association records; information on loyalty to the United States; and 
other agency reports furnished to DoD in connection with background 
investigation, continuous evaluation, or insider threat detection 
processes, and other information developed from above.
    c. Reports of security violations and security-related incidents 
and data collected and actions taken to resolve them.
    d. Pre-employment screening reports, such as counter-intelligence 
screening or military accessions vetting.
    e. Dates and types of past investigations; dates and types of 
access granted based on qualifying investigations; indications of 
whether prior investigations were adjudicated based on exceptions, 
deviations, or waivers; denials, revocations, debarments, 
administrative actions, and other adverse actions based on adjudication 
of investigations.
    f. Records of personnel background investigations conducted by 
other Federal agency investigation service providers.
    g. Agency Use Block (AUB) question responses including type of 
investigation requested, case number, extra coverage/advance results, 
sensitivity level, access/eligibility, nature and date of action, 
geographic location, position code and title, Submitting Office Number 
(SON), location of official personnel folder, Security Office 
Identifier (SOI), use of the Intra-governmental Payment and Collection 
(IPAC) system, Treasury Account Symbol (TAS), obligating document 
number, Business Event Type Code (BETC), investigative requirement, 
requesting officials' name, title, email address, phone number, and 
applicant affiliation.
    h. Educational data on schools and dates of attendance; conduct 
information that includes disciplinary actions, transcripts, 
commendations, degrees, certificates, and subject's explanations 
regarding education conduct.
    i. Employment information on current and previous employment that 
includes: Name of employer, dates employed, address, name, and phone 
number of supervisor. Conduct information that includes promotions, 
dates and reasons for disciplinary actions to include termination; 
performance evaluation; and subject's explanations regarding employment 
conduct; employment references names, current address, phone number and 
email address; salary and wage information.
    j. Selective Service record, military history, and conduct 
information.
    k. Foreign contact and activities information that include names of 
individuals known, dates, country(ies) of citizenship, country(ies) of 
residence, type and nature or contact, financial interests, assets, 
benefits from foreign governments, countries and dates of arrival and 
departure for U.S. border crossings.
    l. Results of subject and reference interviews conducted during the 
course of Continuous Evaluation, Counterintelligence Screening, or 
security incident resolution.
    m. Information contained in local, state, and Federal criminal 
justice agency records and local, state, and Federal civil and criminal 
court records.
    n. Information that pertains to excessive use of alcohol or use of 
illegal drugs. (This does not include or authorize CE checks of 
individuals' health or medical records).
    o. Information about and evidence of unauthorized use of 
information technology systems.
    p. For purposes of detecting unexplained affluence: U.S. and 
foreign finance and real estate information that consists of names of 
financial institutions, number of accounts held, monthly and year-end 
account balances for bank and investment accounts, address, year of 
purchase and price, capital investment costs, lease or rental 
information, year of lease or rental, monthly payments, deeds, lender/
loan information and foreclosure history.
    q. For purposes of detecting unexplained affluence: Information on 
leased vehicles, boats, airplanes and other U.S. and foreign assets 
that include type, make model/year, plate or identification number, 
year leased, monthly rental payment; year of purchase and price, and 
year-end fair market value.
    r. For purposes of detecting unexplained affluence: Information 
pertaining to large currency transactions or other suspicious financial 
transactions.
    s. For purposes of detecting unexplained affluence: U.S. and 
foreign mortgages, loans, and liabilities information that consist of 
type of loan, names and addresses of creditors, original balance, 
monthly and year-end balance, monthly payments, payment history, and 
name and address of institution where safe deposit box is located.
    t. Publically available electronic information about or generated 
by the subject of continuous evaluation (e.g.,

[[Page 44164]]

public records, civil court records, social media content, news 
articles, and web blog information). This only includes information 
that is accessible to any member of the public while browsing the Web.
    u. Results of automated record checks required to test new or 
alternative investigative data sources for purposes of improving 
efficiency or cost-effectiveness of CE.
    v. Information about affiliation with known criminal and/or 
terrorist organizations.

Authority for maintenance of the system
    5 U.S.C. 9101, Access to Criminal History Information for National 
Security and Other Purposes; 10 U.S.C. 137, Under Secretary of Defense 
for Intelligence; 10 U.S.C. 504, Persons Not Qualified; 10 U.S.C. 505, 
Regular components: Qualifications, term, grade; E.O. 10450, Security 
Requirements for Government Employment; E.O. 10865, Safeguarding 
Classified Information Within Industry; E.O. 12333, United States 
Intelligence Activities; E.O. 13526, Classified National Security 
Information; E.O. 12968, as amended, Access to Classified Information; 
E.O. 13467, Reforming Processes Related to Suitability for Government 
Employment, Fitness for Contractor Employees, and Eligibility for 
Access to Classified National Security Information; E.O. 13470, Further 
Amendments to Executive Order 12333; 32 CFR part 154, Department of 
Defense Personnel Security Program Regulation; 32 CFR part 155, Defense 
Industrial Personnel Security Clearance; 32 CFR part 156, Department of 
Defense Personnel Security Program (DoDPSP); DoD Directive 1145.03E, 
United States Military Entrance Processing Command (USMEPCOM); DoD 
Instruction (DoDI) 1304.26, Qualification Standards for Enlistment, 
Appointment and Induction; DoDI 5200.02, DoD Personnel Security Program 
(PSP); DoDI 5220.06, Defense Industrial Personnel Clearance Review 
Program; DODI 5220.22, National Industrial Security Program (NISP); DoD 
5200.2-R, Department of Defense Personnel Security Program Regulation; 
HSPD 12: Policy for a Common Identification Standard for Federal 
Employees and Contractors; FIPS 201-1: Personal Identity Verification 
(PIV) of Federal Employees and Contractors; Director of Central 
Intelligence Directive 8/1: Intelligence Community Policy on 
Intelligence Information Sharing; and E.O. 9397 (SSN), as amended.

Purpose(s)
    Records in the system will be used to conduct CE to: (1) Identify 
DoD-affiliated personnel with eligibility for access to classified 
information who have engaged in conduct of security concern; (2) 
identify and initiate needed follow-on inquiries and/or investigative 
activity and enable security officials and adjudicators to determine 
and take appropriate actions; and (3) perform research, development, 
and analyses related to DoD's CE program. These analyses are conducted 
to: (a) Evaluate and improve DoD and federal personnel security, 
insider threat, and other background vetting and continuous evaluation 
procedures, programs, and policies; (b) assist in providing training, 
instruction, and advice on personnel security and insider threats, and 
assess continuing reliability of subjects; (c) encourage cooperative 
research within and among DoD Components, the Intelligence Community, 
and the Executive branch on initiatives having DoD or Federal 
Government-wide implications in order to ensure that appropriate 
information is shared efficiently when authorized to do so and to avoid 
duplication of efforts; (d) address items of special interest to 
personnel security officials within DoD Components, the Intelligence 
Community, and the Executive branch (e.g., evaluating responses to 
excessive indebtedness, auditing information to ensure individuals with 
mental health issues are being protected appropriately, monitoring 
numbers and types of security incidents); and (e) conduct personnel 
security pilot test projects related to DoD's CE program for purposes 
of research and development.

Routine uses of records maintained in the system, including categories 
of users and the purposes of such uses
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act of 1974, as amended, the records contained 
in the system may specifically be disclosed outside the DoD as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows, where release 
is not otherwise restricted by law or executive order:
     To Federal, State, local, tribal government agencies, if 
necessary, to obtain information from them for the purposes of CE, 
which will assist DoD in identifying security risks and areas in the 
personnel security field that may warrant more training, instruction, 
research, or intense scrutiny.
     To Federal Bureau of Investigation and U.S. Office of 
Personnel Management counterintelligence personnel to assist them with 
their investigations and inquiries.
     To the Office of Personnel Management, the Office of the 
Director of National Intelligence, and other Federal Government 
agencies responsible for conducting background investigations and 
continuing evaluation in order to provide them with information 
relevant to their inquiries and investigations.
     To law enforcement agencies, if a system of records 
maintained by a DoD Component to carry out its functions contains 
information indicative of a violation or potential violation of law, 
whether civil, criminal, or regulatory in nature, and whether arising 
by general statute or by regulation, rule, or order issued pursuant 
thereto, the relevant records in the system of records may be referred, 
as a routine use, to the agency concerned, whether Federal, state, 
local, tribal, or foreign, charged with the responsibility of 
investigating or prosecuting such violation or charged with enforcing 
or implementing the statute, rule, regulation, or order issued pursuant 
thereto.
     To the Director of National Intelligence, as Security 
Executive Agent, or his assignee, to perform any functions authorized 
by law or executive order in support of personnel security programs. 
Examples include the Intelligence Reform and Terrorism Prevention Act 
and E.O. 13467.
     To the Office of Personnel Management, to perform any 
functions authorized by law or executive order in support of personnel 
security programs. Examples include the Intelligence Reform and 
Terrorism Prevention Act of 2004 (Public Law 108-458) and E.O. 10450.
    The DoD Blanket Routine Uses set forth at the beginning of the 
Office of the Secretary of Defense (OSD) compilation of systems of 
records notices apply to this system. The complete list of DoD blanket 
routine uses can be found Online at: http://dpclo.defense.gov/Privacy/SORNsIndex/BlanketRoutineUses.aspx.

Policies and practices for storing, retrieving, accessing, retaining, 
and disposing of records in the system
Storage
    Electronic storage media and paper records maintained in file 
folders.

Retrievability
    Records may be retrieved by name and Social Security Number (SSN), 
and/or, where applicable, DoD identification number.

[[Page 44165]]

Safeguards
    Records are stored under lock and key, in secure containers, or on 
electronic media that contain intrusion safeguards. Access to these 
investigative, incident report and response, and adjudicative records 
is role-based and is limited to those individuals requiring access in 
the performance of their official duties. All individuals who are 
granted access must have a need-to-know, been investigated and granted 
security clearance eligibility level at a level equal to or higher than 
subjects of records to which they have access, and been advised as to 
the sensitivity of the records and their responsibilities to safeguard 
the information contained in them from unauthorized disclosure. All 
individuals granted access to this system of records will receive 
Information Assurance and Privacy Act training.
    Audit logs will be maintained to document access to data. All data 
transfers and information retrievals using remote communication 
facilities are encrypted. Records are maintained in a secure database 
in a controlled area accessible only to authorized personnel. Entry to 
these areas is restricted by the use of locks, guards, and 
administrative procedures.

Retention and disposal
    Disposition pending (until the National Achieves Records 
Administration (NARA) disposition schedule is approved, treat as 
permanent).

System manager(s) and address
    Deputy Director for Identity, Defense Manpower Data Center, 4800 
Mark Center Drive, Alexandria, VA 22350-6000 and Deputy Director, 
Defense Manpower Data Center, 400 Gigling Road, Seaside, CA 93955-6771.

Notification procedure
    Individuals seeking to determine whether this system contains 
information about them should address written inquiries to the Privacy 
Office, Defense Manpower Data Center, DoD Center Monterey Bay, 400 
Gigling Road, Seaside, CA 93955-6771.
    Written requests must contain the following information:
    a. Full name, former name, and any other names used.
    b. Date and place of birth.
    c. Social Security Number.
    d. The address to which the record information should be sent.
    e. Telephone number.
    f. You must sign your request.

Record access procedures
    Individuals wishing to request access to their records should 
address written inquiries to the Privacy Office, Defense Manpower Data 
Center, DoD Center Monterey Bay, 400 Gigling Road, Seaside, CA 93955-
6771.
    Written requests must contain the following information:
    a. Full name, former name, and any other names used.
    b. Date and place of birth.
    c. Social Security Number.
    d. The address to which the record information should be sent.
    e. You must sign your request.
    In addition, the requester must provide a notarized statement or an 
unsworn declaration made in accordance with 28 U.S.C. 1746, in the 
following format:
    If executed outside of the United States: 'I declare (or certify, 
verify, or state) under penalty of perjury under the laws of the United 
States of America that the foregoing is true and correct. Executed on 
(date). (Signature).'
    If executed within the United States, its territories, possessions, 
or commonwealths: 'I declare (or certify, verify, or state) under 
penalty of perjury that the foregoing is true and correct. Executed on 
(date). (Signature).'
    Attorneys or other persons acting on behalf of an individual must 
provide written authorization from that individual for the 
representative to act on their behalf.
    The written authorization must also include an original notarized 
statement or an unsworn declaration in accordance with 28 U.S.C. 1746, 
in the following format: I declare (or certify, verify, or state) under 
penalty of perjury that the foregoing is true and correct. Executed on 
(date). (Signature).

Contesting record procedures
    The OSD rules for accessing records, for contesting contents and 
appealing initial agency determinations are published in OSD 
Administrative Instruction 81; 32 CFR part 311; or may be obtained from 
the system manager.

Record source categories
    Information in this system may be provided by the individual based 
on responses on their signed SF-86 and investigative interviews; 
Department of Defense civilian, contractor, and military personnel, 
criminal, and security record systems; Military Component recruiting 
information systems; Federal Government systems of records (as 
authorized by their routine use clauses in system of records notices) 
that provide security-relevant information; publicly available 
electronic information sources; commercial data providers (e.g., credit 
reporting companies and online news sources); local, state, and tribal 
civil and criminal record systems; systems for monitoring misuse of 
government-owned information technology systems; past and present 
employers; personal references; education institutions.

Exemptions claimed for the system
    Exempt records received from other systems of records in the course 
of Continuous Evaluation record checks may, in turn, become part of the 
case records in this system. When records are exempt from disclosure in 
systems of records for record sources accessed by this system, the 
Defense Manpower Data Center hereby claims the same exemptions for any 
copies of such records received by and stored in this system.
[FR Doc. 2014-17944 Filed 7-29-14; 8:45 am]
BILLING CODE 5001-06-P