[Federal Register Volume 80, Number 89 (Friday, May 8, 2015)]
[Notices]
[Pages 26534-26537]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2015-10452]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF COMMERCE

[Docket No. 150324295-5295-01]


Privacy Act of 1974, New System of Records

AGENCY: Office of the Secretary, U.S. Department of Commerce.

ACTION: Notice of a New Privacy Act System of Records; ``COMMERCE/
DEPARTMENT-25, Access Control and Identity Management System.''

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, Title 
5 United States Code (U.S.C.) 552(e)(4) and (11); and Office of 
Management and Budget (OMB) Circular A-130, Appendix I, Federal Agency 
Responsibilities for Maintaining Records About Individuals, the 
Department of Commerce is issuing this notice of its intent to 
establish a new system of records entitled ``COMMERCE/DEPARTMENT-25, 
Access Control and Identity Management System.'' This action is being 
taken to update the Privacy Act notice and Department of Commerce, 
Notice to Amend All Privacy Act System of Records. We invite the public 
to comment on the items noted in this publication. The purpose of this 
system of records is to establish identity, accountability, and audit 
control of electronic or other digital certificates of assigned 
personnel who require access to Department of Commerce electronic and 
physical assets. The records are created and maintained to provide 
assurance that the digital certificates/electronic access is granted to 
the correct individual, who typically has been issued an identification 
card by the Department of Commerce.

DATES: To be considered, written comments must be submitted on or 
before June 8, 2015.
    Unless comments are received, the amended system of records will 
become effective as proposed on the date of publication of a subsequent 
notice in the Federal Register.

ADDRESSES: You may submit written comments by any of the following 
methods:
    Email: [email protected]. Include ``Privacy Act COMMERCE/DEPARTMENT-
25, Access Control and Identity Management System'' in the subtext of 
the message.
    Fax: (202) 482-6089, marked to the attention of Mr. Nicholas 
Schnare.
    Mail: Mr. Nicholas Schnare, Office of Security, U.S. Department of 
Commerce, 1401 Constitution Ave. NW., Room 1511, Washington, DC 20230.

FOR FURTHER INFORMATION CONTACT: Mr. Nicholas Schnare, Office of 
Security, U.S. Department of Commerce, 1401 Constitution Ave. NW., Room 
1511, Washington, DC 20230. (202) 482-8333.

SUPPLEMENTARY INFORMATION: This notice announces the Department of 
Commerce's proposal for a new system of records being established under 
the

[[Page 26535]]

Privacy Act of 1974 for Access Control and Identity Management System. 
This new system of records is to account for the electronic collection, 
maintenance and use of information in connection with access to 
Department of Commerce electronic and physical assets.
    In a notice of proposed rulemaking, which is published separately 
in today's Federal Register, the Department of Commerce is proposing to 
exempt records maintained in this system from certain provisions of the 
Privacy Act pursuant to 5 U.S.C. 552a(j)(2), (k)(2), and (k)(5).
    The system will be effective as proposed, on the date of 
publication of a subsequent notice in the Federal Register, unless 
comments are received which would require a contrary determination. The 
Department of Commerce will publish a revised notice if changes are 
made based upon a review of the comments received.
COMMERCE/DEPT-25

SYSTEM NAME:
    COMMERCE/DEPT-25 Access Control and Identity Management System.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATIONS:
    a. For Office of Security, Office of the Secretary, U.S. Department 
of Commerce, Room 1033, 1401 Constitution Avenue NW., Washington, DC 
20230.
    b. For Office of Security, U.S. Census Bureau, Room 2J438, 4600 
Silver Hill Road, Washington, DC 20233-3700.
    c. For Office of Security, U.S. Census Bureau Indiana, Room 104, 
Building 66, 1201 E. 10th Street, Jeffersonville, IN 47132.
    d. For Office of Security, National Institute of Standards and 
Technology, Room A-105, Building 318, 100 Bureau Drive, Gaithersburg, 
MD 20899.
    e. For Office of Security, National Oceanic and Atmospheric 
Administration, Room G-101, SSMC-OFA543, 1335 East-West Highway, Silver 
Spring, MD 20910.
    f. For Office of Security, National Oceanic and Atmospheric 
Administration, Western Region, Building 1, 7600 Sand Point Way NE., 
Seattle, WA 38115.
    g. For Office of Security, FirstNet, John W. Powell Federal 
Building, 12201 Sunrise Valley, Drive, Reston, VA 22091.
    h. For Office of Security, U.S. Patent and Trademark Office, 600 
Dulany Street, Madison Building, West, Alexandria, Virginia 22313.
    i. For Office of the Secretary, Minority Business Development 
Agency, Economic and Statistics Administration, and Economic 
Development Administration: Office of the Secretary, Chief Information 
Officer, 1401 Constitution Avenue NW., Washington, DC 20230.
    j. For U.S. Census Bureau, Chief Information Officer, 4600 Silver 
Hill Road, Suitland, MD 20746.
    k. For Bureau of Industry and Security, Chief Information Officer, 
1401 Constitution Avenue NW., Washington, DC 20230.
    l. For International Trade Administration, Chief Information 
Officer, 1401 Constitution Avenue NW., Washington, DC 20230.
    m. For National Institute of Standards and Technology, Chief 
Information Officer, 100 Bureau Drive, Gaithersburg, MD 20899.
    n. For National Telecommunications and Information Administration, 
Chief Information Officer, 1401 Constitution Avenue NW., Washington, DC 
20230.
    o. For National Oceanic and Atmospheric Administration, Chief 
Information Officer, 1305 East-West Highway, SSMC3, Silver Spring, MD 
20910.
    p. For U.S. Patent and Trademark Office, Chief Information Officer, 
600 Dulany Street, Madison Building, Alexandria, VA 22314.
    q. For Office of Inspector General, Chief Information Officer, 
Chief Information Officer, 1401 Constitution Avenue NW., Washington, DC 
20230.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Employees, contractors, and other affiliates requiring access to 
Department of Commerce electronic (including PKI-authenticated) and 
physical assets.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records may include the individual's name; organization; work 
telephone number; cellular telephone number; home telephone number, 
work email; Federal agency Smart Card Number (FASC-N); social security 
number; employee number; status as an employee, contractor or other 
affiliation with the Department of Commerce; PIN number (encrypted); 
sign-in/out, badge-in/out, time-in/out, log-in/out data; computer 
transaction data to include, but not limited to, key stroke monitoring; 
IP address of access; logs of internet activity and records on the 
authentication of the access request; key fob identifier; token 
identifier; Personal Identity Verification (PIV) Card identifier; 
computer access login name; and any computer generated identifier 
assigned to a user.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; 35 U.S.C. 2; the Electronic Signatures in Global and 
National Commerce Act, Public Law 106-229; 28 U.S.C. 533-535; 44 U.S.C. 
1301; Homeland Security Presidential Directive 12 and IRS Publication-
1075.

PURPOSES:
    Records in this system are used by authorized personnel to improve 
security for Department of Commerce physical facilities for purposes 
including: Ensuring process integrity; enabling employees to carry out 
their lawful and authorized responsibilities; verifying individuals' 
authorization to access buildings and facilities; creating a record of 
individuals' access to buildings and facilities; facilitating the 
issuance and retrieval of visitor and temporary badges; and providing 
statistical data on building and facility access patterns including 
electronic and physical sign/badge-in and sign/badge-out data for 
resource planning and emergency management purposes.
    Records may also be used to secure electronic assets; to maintain 
accountability for issuance and disposition of security access; to 
maintain an electronic system to facilitate secure on-line 
communication between Federal automated systems, between Federal 
employees or contractors, and with the public, using digital signature 
technologies to authenticate and verify identity; to provide a means of 
access to electronic assets, desktops, and laptops; and to provide 
mechanisms for non-repudiation of personal identification and access to 
electronic systems, including but not limited to human resource, 
financial, procurement, travel and property systems, as well as systems 
containing information on intellectual property and other mission 
critical systems. The system also maintains records relating to the 
issuance of digital certificates utilizing public key cryptography to 
employees and contractors for the transmission of sensitive electronic 
material that requires protection.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. Records in this system are accessed on a daily basis by 
authorized personnel to verify individuals' authorized access to 
buildings and facilities; electronic systems and computers; facilitate 
the issuance and retrieval of visitor and temporary badges; determine 
whether administrative action (including disciplinary action) should be 
taken regarding any employee, contractor, or

[[Page 26536]]

visitor; and provide statistical data on computer information systems, 
building and facility access patterns including electronic and physical 
sign/badge-in and sign/badge-out data for resource planning, emergency 
management purposes, assuring the security of computer information 
systems, and implementing Executive Order 13587.
    2. In the event that a system of records maintained by the 
Department to carry out its functions indicates or relates to a 
violation or potential violation of law or contract, whether civil, 
criminal or regulatory in nature, and whether arising by general 
statute or particular program statute or contract, or rule, regulation, 
or order issued pursuant thereto, or where necessary to protect an 
interest of the Department, the relevant records in the system of 
records may be referred, as a routine use, to the appropriate agency, 
whether Federal, state, local or foreign, charged with the 
responsibility of investigating or prosecuting such violation or 
charged with enforcing or implementing the statute or contract, or 
rule, regulation or order issued pursuant thereto, or protecting the 
interest of the Department.
    3. A record from this system of records may be disclosed to a 
Federal, state or local agency maintaining civil, criminal or other 
relevant enforcement information or other pertinent information, such 
as current licenses, if necessary to obtain information relevant to a 
Department decision concerning the assignment, hiring or retention of 
an individual, the issuance of a security clearance, the letting of a 
contract, or the issuance of a license, grant or other benefit.
    4. A record from this system of records may be disclosed to a 
Federal, state, local, or international agency, in response to its 
request, in connection with the assignment, hiring or retention of an 
individual, the issuance of a security clearance, the reporting of an 
investigation of an individual, the letting of a contract, or the 
issuance of a license, grant, or other benefit by the requesting 
agency, to the extent that the information is relevant and necessary to 
the requesting agency's decision on the matter.
    5. A record from this system of records may be disclosed in the 
course of presenting evidence to a court, magistrate or administrative 
tribunal, including disclosures to opposing counsel in the course of 
settlement negotiations.
    6. A record in this system of records may be disclosed to a Member 
of Congress submitting a request involving an individual when the 
individual has requested assistance from the Member with respect to the 
subject matter of the record.
    7. A record in this system of records may be disclosed to the 
Office of Management and Budget in connection with the review of 
private relief legislation as set forth in OMB Circular No. A-19 at any 
stage of the legislative coordination and clearance process as set 
forth in that Circular.
    8. A record in this system of records may be disclosed to the 
Department of Justice in connection with determining whether disclosure 
thereof is required by the Freedom of Information Act (5 U.S.C. 552).
    9. A record in this system of records may be disclosed to a 
contractor of the Department having need for the information in the 
performance of the contract, but not operating a system of records 
within the meaning of 5 U.S.C. 552a(m).
    10. A record in this system may be transferred to the Office of 
Personnel Management for personnel research purposes; as a data source 
for management information; for the production of summary descriptive 
statistics and analytical studies in support of the function for which 
the records are collected and maintained; or for related manpower 
studies.
    11. A record from this system of records may be disclosed to the 
Administrator, General Services, or his designee, during an inspection 
of records conducted by the General Services Administration as part of 
that agency's responsibility to recommend improvements in records 
management practices and programs, under authority of 44 U.S.C. 2904 
and 2906. Such disclosure shall be made in accordance with the GSA 
regulations governing inspection of records for this purpose, and any 
other relevant (i.e. GSA or Commerce) directive. Such disclosure shall 
not be used to make determinations about individuals.
    12. A record in this system of records may be disclosed to 
appropriate agencies, entities and persons when (1) it is suspected or 
determined that the security or confidentiality of information in the 
system of records has been compromised; (2) the DOC has determined that 
as a result of the suspected or confirmed compromise there is a risk of 
harm to economic or property interests, identity theft or fraud, or 
harm to the security or integrity of this system or whether systems or 
programs (whether maintained by the DOC or another agency or entity) 
that rely upon the compromised information; and (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with the DOC's efforts to respond to the suspected 
or confirmed compromise and to prevent, minimize, or remedy such harm.
    13. A record in this system of records may be disclosed to 
appropriate agencies, entities and persons for the purpose of 
performing audit or oversight operations as authorized by law, but only 
such information as is necessary and relevant to such audit or 
oversight function.

DISCLOSURE TO CONSUMER REPORTING AGENCIES:
    Not applicable.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records in this system are on paper and/or in digital or other 
electronic form. Paper records are stored in secure rooms and storage 
cabinets and electronic records are stored as electronic/digital media 
and stored in secure file-servers within controlled environment. Both 
paper and electronic/digital records are accessed only by authorized 
personnel.

RETRIEVABILITY:
    Records are retrieved by individual's name, employment status, 
organization and/or security access badge number, or other Department 
of Commerce identifier. Information may be retrieved from this system 
of records by automated search based on extant indices and automated 
capabilities utilized in the normal course of business.

SAFEGUARDS:
    Entrance to data centers and support organization offices is 
restricted to those employees whose work requires them to be there for 
the system to operate. Identification cards are verified to ensure that 
records are in areas accessible only to authorized personnel who are 
properly screened, cleared, and trained. Disclosure of electronic 
information through remote terminals is restricted through the use of 
passwords and sign-on protocols that are periodically changed. Reports 
produced from the remote printers are subject to the same privacy 
controls as other documents of like sensitivity.
    Electronic and digital certificates ensure secure local and remote 
access and allow only authorized employees, contractor employees, or 
other affiliated individuals to gain access to federal information 
assets available through secured systems access.

[[Page 26537]]

    Access to sensitive records is available only to authorized 
employees and contractor employees responsible for the management of 
the system and/or employees of program offices who have a need for such 
information. Electronic records are password-protected or PKI-
protected, consistent with the requirements of the Federal Information 
Security Management Act (Pub. L. 107-296), and associated OMB policies, 
standards and guidance from the National Institute of Standards and 
Technology, and the General Services Administration, all records are 
protected from unauthorized access through appropriate administrative, 
physical, and technical safeguards. Access is restricted on a ``need to 
know'' basis, utilization of PIV Card access, secure VPN for Web 
access, and locks on doors and approved storage containers. Buildings 
have security guards and secured doors. Entrances are monitored through 
electronic surveillance equipment.

RETENTION AND DISPOSAL:
    Records are disposed of in accordance with the appropriate records 
disposition schedule approved by the Archivist of the United States.

SYSTEM MANAGER(S) AND ADDRESS:
    System managers are the same as stated in the System Location 
section above.

NOTIFICATION PROCEDURE:
    An individual requesting notification of existence of records on 
himself or herself should send a signed, written inquiry to the 
locations listed below. The request letter should be clearly marked, 
``PRIVACY ACT REQUEST.'' The written inquiry must be signed and 
notarized or submitted with certification of identity under penalty of 
perjury. Requesters should reasonably specify the record contents being 
sought.
    For records at locations a., g., and i.: Departmental Freedom of 
Information and Privacy Act Officer, Room A300, U.S. Department of 
Commerce, 1401 Constitution Avenue NW., Washington, DC 20230.
    For records at locations b., c., and j.: U.S. Census Bureau, 
Freedom of Information and Privacy Act Officer, Room 8H027, 4600 Silver 
Hill Road, Washington, DC 20233-3700.
    For records at locations d. and m.: National Institute of Standards 
and Technology, Freedom of Information and Privacy Act Officer, Room 
1710, 100 Bureau Drive, Gaithersburg, MD 20899.
    For records at locations e., f., and o.: National Oceanic and 
Atmospheric Administration, Freedom of Information and Privacy Act 
Officer, Room 9719, SSMC3, 1315 East-West Highway, Silver Spring, MD 
20910.
    For records at locations h.and p.: U.S. Patent and Trademark 
Office, Freedom of Information and Privacy Act Officer, 600 Dulany 
Street, Madison Building, East, Room 10B20, Alexandria, Virginia 22313.
    For records at location k.: Bureau of Industry and Security, 
Freedom of Information and Privacy Act Officer, Room 6622, 1401 
Constitution Avenue NW., Washington, DC 20230.
    For records at location l.: International Trade Administration, 
Freedom of Information and Privacy Act Officer, Room 40003, 1401 
Constitution Avenue NW., Washington, DC 20230.
    For records at location n.: National Telecommunications and 
Information Administration, Freedom of Information and Privacy Act 
Officer, Room 4713, 1401 Constitution Avenue NW., Washington, DC 20230.
    For records at location q.: Office of Inspector General, Freedom of 
Information and Privacy Act Officer, Room 7892, 1401 Constitution 
Avenue NW., Washington, DC 20230.

RECORD ACCESS PROCEDURES:
    An individual requesting access to records on himself or herself 
should send a signed, written inquiry to the same address as stated in 
the Notification Procedure section above. The request letter should be 
clearly marked, ``PRIVACY ACT REQUEST.'' The written inquiry must be 
signed and notarized or submitted with certification of identity under 
penalty of perjury. Requesters should specify the record contents being 
sought.

CONTESTING RECORD PROCEDURES:
    An individual requesting corrections or contesting information 
contained in his or her records must send a signed, written request 
inquiry to the same address as stated in the Notification Procedure 
section above. Requesters should reasonable identify the records, 
specify the information they are contesting and state the corrective 
action sought and the reasons for the correction with supporting 
justification showing how the record is incomplete, untimely, 
inaccurate, or irrelevant.
    The Department's rules for access, for contesting contents, and for 
appealing initial determination by the individual concerned appear in 
15 CFR part 4, Appendix B.

RECORD SOURCE CATEGORIES:
    The information contained in these records is provided by or 
verified by: The subject individual of the record, supervisors, other 
personnel documents, other Department systems, access log records and 
sensors and non-Federal sources such as private employers and their 
agents, along with those authorized by the individuals to furnish 
information.

SYSTEM EXEMPTIONS FROM CERTAIN PROVISIONS OF THE ACT:
    Pursuant to 5 U.S.C. 552a(j)(2), (k)(1), (k)(2), and (k)(5), all 
information and material in the record which meets the criteria of 
these subsections are exempted from the notice, access, and contest 
requirements under 5 U.S.C. 552a(c)3, (d), (e)(1), (e)(4) (G), (H), and 
(I), and (f) of the agency regulations because of the necessity to 
exempt this information and material in order to accomplish the law 
enforcement function of the agency, to prevent disclosure of classified 
information as required by Executive Order 12958, as amended by 
Executive Order 13292, to assure the protection of the President, to 
prevent subjects of investigation from frustrating the investigatory 
process, to prevent the disclosure of investigative techniques, to 
fulfill commitments made to protect the confidentiality of information, 
and to avoid endangering these sources and law enforcement personnel. 
In a notice of proposed rulemaking, which is published separately in 
today's Federal Register, the Department of Commerce is proposing to 
exempt records maintained in this system from certain provisions of the 
Privacy Act pursuant to 5 U.S.C. 552a(j)(2), (k)(2), and (k)(5).

    Dated: April 28, 2015.
Brenda Dolan,
Department of Commerce, Freedom of Information and Privacy Act Officer.
[FR Doc. 2015-10452 Filed 5-7-15; 8:45 am]
 BILLING CODE 3510-BX-P