[Federal Register Volume 79, Number 160 (Tuesday, August 19, 2014)]
[Pages 49076-49078]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2014-19689]



[FRL-9915-14-OARM; EPA-HQ-OEI-2012-0836]

Notification of a New System of Records Notice for the EPA 
Personnel Access and Security System (EPASS)

AGENCY: Environmental Protection Agency.

ACTION: Notice.


SUMMARY: The U.S. Environmental Protection Agency's (EPA) Office of 
Administration and Resource Management, Office of Administration, 
Security Management Division is giving notice that it proposes to 
create a new system of records pursuant to the provisions of the 
Privacy Act of 1974 (5 U.S.C. 552a). The EPA Personnel Access and 
Security System (EPASS) is being created to comply with the Homeland 
Security Presidential Directive-12 (HSPD-12), which was issued on 
August 12, 2004 and signed on August 27, 2004. HSPD-12 mandates a 
government-wide federal standard for ensuring that identification cards 
issued to government employees and contractors are reliable and secure. 
EPASS complies with the federal requirements and will enhance security, 
increase efficiency, reduce identity fraud, and protect personal 

DATES: Persons wishing to comment on this new system of records notice 
must do so by September 29, 2014.

ADDRESS: Submit your comments, identified by Docket ID No. EPA-HQ-2012-
0836, by mail:
     www.regulations.gov: Follow the online instructions for 
submitting comments.
     Email: [email protected].
     Fax: 202-566-1752.
     Mail: OEI Docket, Environmental Protection Agency, Mail 
code: 2822T, 1200 Pennsylvania Ave. NW., Washington, DC 20460.
     Hand Delivery: OEI Docket, EPA/DC, EPA West Building, Room 
3334, 1301 Constitution Ave. NW., Washington, DC. Such deliveries are 
only accepted during the docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-
2012-0836. EPA's policy is that all comments received will be included 
in the public docket without change and may be made available online at 
www.regulations.gov, including any personal information provided, 
unless the comment includes information

[[Page 49077]]

claimed to be Confidential Business Information (CBI) or other 
information for which disclosure is restricted by statute. Do not 
submit information that you consider to be CBI or otherwise protected 
through www.regulations.gov. The www.regulations.gov Web site is an 
``anonymous access'' system, which means EPA will not know your 
identity or contact information unless you provide it in the body of 
your comment. If you send an email comment directly to EPA without 
going through www.regulations.gov your email address will be 
automatically captured and included as part of the comment that is 
placed in the public docket and made available on the Internet. If you 
submit an electronic comment, EPA recommends that you include your name 
and other contact information in the body of your comment and with any 
disk or CD-ROM you submit. If EPA cannot read your comment due to 
technical difficulties and cannot contact you for clarification, EPA 
may not be able to consider your comment. Electronic files should avoid 
the use of special characters, any form of encryption, and be free of 
any defects or viruses. For additional information about EPA's public 
docket visit the EPA Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.
    Docket: All documents in the docket are listed in the 
www.regulations.gov index. Although listed in the index, some 
information is not publicly available (e.g., CBI or other information 
for which disclosure is restricted by statute). Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically in www.regulations.gov or in hard copy at the OEI 
Docket, EPA/DC, EPA West Building, Room 3334, 1301 Constitution Ave. 
NW., Washington, DC. The Public Reading Room is open from 8:30 a.m. to 
4:30 p.m., Monday through Friday excluding legal holidays. The 
telephone number for the Public Reading Room is (202) 566-1744, and the 
telephone number for the OEI Docket is (202) 566-1745.

FOR FURTHER INFORMATION CONTACT: Kelly Glazier, Security Management 
Division (SMD) Acting Director, (202) 564-0351.


General Information

    The U.S. Environmental Protection Agency (EPA) plans to create a 
Privacy Act system of records for the EPA Personnel Access and Security 
System (EPASS). This system is being created for the purpose of issuing 
credentials to EPA employees and its contractors that meet the 
requirements of Homeland Security Presidential Directive 12 (HSPD-12) 
issued on August 12, 2004. The Directive requires the development of a 
mandatory, government-wide standard for issuing secure and reliable 
forms of identification to executive branch employees and federal 
contractors for access to federally controlled facilities and networks.
    The National Institute of Standards and Technology (NIST) further 
defined the issuance standards in Federal Information Processing (FIP) 
Standards Publication 201which describes the minimum requirements for a 
federal personal identification verification (PIV) system. EPA's 
identification system, EPASS, complies with all HSPD-12 requirements. 
It is designed to link a person's identity to an identification 
credential and link the credential to a person's ability to physically 
and logically access federally-controlled buildings and information 
    EPASS will contain information on all Agency employees, 
contractors, consultants, volunteers and other workers who require 
long-term, regular access, as required by their position, to federal 
facilities, systems and networks. The personal information collected in 
the personnel enrollment process consists of data elements necessary to 
verify the identity of the individual and to perform background or 
other investigations. EPASS will collect the applicant's name, date of 
birth, Social Security Number, organizational affiliations, 
fingerprints, work email address and phone number(s), other 
verification and demographic information, and the applicant's 

    Dated: June 24, 2014.
Renee P. Wynn,
Acting Assistant Administrator, and Acting Chief Information Officer.

System Name:
    EPA Personnel Access and Security System (EPASS)

System Location:
    Environmental Protection Agency, Office of Administration and 
Resource Management (OARM), Office of Administration (OA), Ariel Rios 
Building, MC3201A, 1200 Pennsylvania Ave. NW., Washington, DC 20460.

Categories of Individuals Covered by the System:
    The System will collect and maintain information on individuals who 
require long-term, regular access as required by their position, to 
EPA-controlled facilities and information technology systems, including 
federal employees, contractors, grantees, students, interns, 
volunteers, other non-federal employees and individuals formerly in any 
of these positions. The System does not collect information on 
occasional visitors or short-term guests to whom the Agency may issue 
temporary identification.

Categories of Records in the System:
    Enrollment records: full name and history of name changes, social 
security number, applicant ID number, date of birth, gender, race, 
height, weight, hair color, eye color, digital color photograph, 
fingerprints, biometric template (two fingerprints), employee 
affiliation, work email address, work telephone number(s), office 
location and organizational unit, employee status, foreign national 
status, federal emergency response official status, National Agency 
Check with Inquiries (NACI) status (permanent or provisional), 
citizenship status, government agency code, computer login name/user 
principal name (UPN), and personal identification verification (PIV) 
card issuance location. Records in EPASS's Identity Management System 
(IDMS) and Card Management System (CMS) are needed for credential 
management of enrolled individuals and include PIV card serial number, 
digital certificate serial number, PIV card issuance and expiration 
dates, PIV card personal identification number (PIN), cardholder unique 
identifier (CHUID), and card management keys. All sponsored individuals 
enrolled within EPASS may be issued a PIV card. The PIV card contains 
the following mandatory information: name, photograph, individual's 
affiliation, organizational affiliation, PIV card expiration date, 
Agency card serial number, and color-coding for employee affiliation. 
The card also contains an integrated circuit chip which is encoded with 
the following data elements: cardholder unique identifier (CHUID), PIV 
authentication digital certificate, and two fingerprint biometric 
minutiae templates.

Authority for Maintenance of the System:
    Government Organization and Employees (5 U.S.C. 301); Public 
Buildings under the control of Administrator of General Services (40 
U.S.C. 3101); Federal Information Security Management Act of 2002 (44 
U.S.C. 3541); E-Government Act of 2002 (44 U.S.C. 101); Paperwork 
Reduction Act of 1995 (44 U.S.C. 3501); Executive Order 9347 (Nov. 22, 
1943); and

[[Page 49078]]

Homeland Security Presidential Directive 12 (HSPD-12) (August 27, 

    The primary purposes of the System are to: (1) Ensure the safety 
and security of Federal facilities, systems, or information, and of 
facility occupants and users; (2) provide for interoperability and 
trust in allowing physical access to individuals entering Federal 
facilities; and (3) allow logical access to Federal information 
systems, networks, and resources on a government-wide basis.

Routine Uses of Records Maintained in the System, Including Categories 
of Users and the Purposes of Such Uses:
    General routine uses A, B, C, D E, F, G, H, I, J, K, and L apply to 
this System.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, 
and Disposing of Records in the System:
     Storage: Records are stored on a secure server within the 
EPASS sub-system Fingerprint Transmission System (FTS) and can be 
accessed over the Web using encryption software. The records are kept 
for 120 days and are either manually or automatically deleted.
     Retrievability: Records can only be retrieved within the 
System database, which requires authorized user login/password 
credentials and administrative privileges to retrieve personal data 
within a Web instance of the system by using a combination of first 
name and last name.
     Safeguards: Consistent with the requirements of the 
Federal Information Security Management Act and associated OMB 
policies, standards and guidance from the National Institute of 
Standards and Technology, EPA protects all records from unauthorized 
access through appropriate administrative, physical, and technical 
safeguards. Buildings have security guards and secured doors. All 
entrances are monitored through electronic surveillance equipment. 
Physical security controls include indoor and outdoor security 
monitoring and surveillance, badge and picture ID access screening and 
biometric access screening. Personally identifiable information (PII) 
is safeguarded and protected in conformance with all Federal statutes 
and Office of Management and Budget (OMB) requirements. All access has 
role-based restrictions. Individuals granted access privileges must be 
screened for proper credentials. EPA maintains an audit trail and 
performs random periodic reviews to identify any unauthorized access. 
Persons given roles in the EPASS HSPD-12 process must be screened and 
complete training specific to their roles to ensure they are 
knowledgeable about how to protect PII.
     Retention and Disposal: Records are retained and disposed 
of in accordance with EPA's records schedule 089.

System Manager(s) and Address:
    Director, Office of Administration and Resources Management (OARM), 
Office of Administration (OA), Environmental Protection Agency, 1200 
Pennsylvania Avenue NW., Washington, DC 20460.

Notification Procedures:
    Any individual who wants to know whether this System of records 
contains a record about him or her, who wants access to his or her 
record, or who wants to contest the contents of a record, should make a 
written request to the EPA FOIA Office, Attn: Privacy Act Officer, 
MC2822T, 1200 Pennsylvania Avenue NW., Washington, DC 20460.

Record Access Procedure:
    Requests for access must be made in accordance with the procedures 
described in EPA's Privacy Act regulations at 40 CFR part 16. 
Requesters will be required to provide adequate identification, such as 
a driver's license, employee identification card, or other identifying 
document. Additional identification procedures may be required in some 

Contesting Records Procedure:
    Requests for correction or amendment must identify the record to be 
changed and the corrective action sought. Complete EPA Privacy Act 
procedures are described in EPA's Privacy Act regulations at 40 CFR 
part 16.

Record Source Categories:
    The sources for information in the system are the individuals about 
whom, the records are maintained, the supervisors of those individuals, 
existing EPA systems, the sponsoring agency, the former sponsoring 
agency, other Federal agencies, the contract employer, the former 
contract employer and the U.S. Office of Personnel Management (OPM).

Systems Exempted From Certain Provisions of the Act:

[FR Doc. 2014-19689 Filed 8-18-14; 8:45 am]