[Federal Register Volume 81, Number 38 (Friday, February 26, 2016)]
[Notices]
[Pages 9922-9924]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2016-04192]


=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF STATE

[Public Notice 9455]


Privacy Act; System of Records: Protocol Records, State-33.

SUMMARY: Notice is hereby given that the Department of State proposes 
to amend an existing system of records, Protocol Records, State-33, 
pursuant to the provisions of the Privacy Act of 1974, as amended (5 
U.S.C. 552a) and Office of Management and Budget Circular No. A-130, 
Appendix I.

DATES: This system of records will be effective on April 6, 2016, 
unless we receive comments that will result in a contrary 
determination.

ADDRESSES: Any persons interested in commenting on the amended system 
of records may do so by writing to the Director; Office of Information 
Programs and Services, A/GIS/IPS; Department of State, SA-2; 515 22nd 
Street NW., Washington, DC 20522-8100.

FOR FURTHER INFORMATION CONTACT: John Hackett, Director; Office of 
Information Programs and Services, A/GIS/IPS; Department of State, SA-
2; 515 22nd Street NW., Washington, DC 20522-8100, or at 
[email protected].

SUPPLEMENTARY INFORMATION: The Department of State proposes that the 
current system will retain the name ``Protocol Records'' (previously 
published at 78 FR 54945). The information in this system of records is 
an accounting of those U.S. Government officials receiving gifts and 
decorations from foreign governments and to record for historical, 
organizational, and logistical purposes the names of the individuals 
applying to participate, invited to, supporting, and attending official 
Department of State functions or other events co-sponsored with the 
Federal Government or other partners, and to verify individuals 
nominated as a diplomatic representative on behalf of a foreign 
government. The proposed system will include modifications to the 
following sections: System location, Categories of individuals, 
Categories of records, Purpose, Routine Uses, Safeguards, System 
managers, and administrative updates.
    The Department's report was filed with the Office of Management and 
Budget. The amended system description, ``Protocol Records, State-33,'' 
will read as set forth below.

Joyce A. Barr,
Assistant Secretary for Administration, U.S. Department of State.
STATE-33

SYSTEM NAME:
    Protocol Records.

SYSTEM CLASSIFICATION:
    Unclassified and Classified.

SYSTEM LOCATION:
    Department of State, 2201 C Street NW., Washington, DC 20520. 
Abroad at U.S. embassies, U.S. consulates general, and U.S. consulates; 
U.S. missions; Department of State annexes; various field and regional 
offices throughout the United States. Within a government cloud, 
implemented by the Department of State and provided by a cloud-based 
software as a service (SaaS) provider.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals covered by this system include those receiving gifts 
and decorations from foreign governments; individuals invited to and 
supporting official Department of State functions or other events co-
sponsored with the federal government or other partners; applicants for 
participation and attendees of Department of State conferences or other 
events co-sponsored with the federal government or other partners; 
individuals who are part of foreign delegations; individuals working at 
foreign embassies, missions and organizations; and nominees for foreign 
ambassadorships to the United States.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Records in this system include descriptions of gifts and 
decorations received from foreign governments; donors; guest lists; 
type of function; sample invitations; contact information, address and 
occupation; biographical information (this includes, but is not limited 
to: Names, nationalities and citizenship, r[eacute]sum[eacute]s, 
curricula vitae, copies of passports, copies of visas, dates of birth, 
and photographs), special needs, requests and accommodations, travel 
arrangements and related information, security information, and 
application and registration information.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    22 U.S.C. 2621, 22 U.S.C. 2625, 22 U.S.C. 4301 et seq.

[[Page 9923]]

PURPOSE:
    The information in this system of records is an accounting of those 
U.S. Government officials receiving gifts and decorations from foreign 
governments and to record for historical, organizational, and 
logistical purposes the names of the individuals applying to 
participate, invited to, supporting, and attending official Department 
of State functions or other events co-sponsored with the Federal 
Government or other partners, and to verify individuals nominated as a 
diplomatic representative on behalf of a foreign government.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    The information contained in these records may be shared with:
    (a) The Executive Office of the President; Congress; and other 
government agencies having statutory or other lawful authority to 
maintain such information.
    (b) A contractor of the Department having need for the information 
in the performance of the contract, but not operating a system of 
records within the meaning of 5 U.S.C. 552a(m);
    (c) Nongovernmental organizations, individuals, and panels to 
review applications and otherwise aid in the selection of participants 
in Department of State conferences and related functions;
    (d) The news media and the public, with the approval of the Chief 
of Mission or Bureau Assistant Secretary who supervises the office 
responsible for the outreach effort, provided that the approving 
official determines that there is legitimate public interest in the 
information disclosed, except to the extent that release of the 
information would constitute an unwarranted invasion of personal 
privacy;
    (e) Foreign governments where there is a need to verify the 
information provided for their delegates;
    (f) Other Federal, State, and Local Governments for uses within 
their statutory missions, which may include law enforcement, 
transportation and border security, critical infrastructure protection, 
and fraud prevention; and
    (g) Other individuals and organizations applying to, invited to, 
attending, or supporting a given conference, provided that the subject 
of the information opts-in to such sharing.
    The Department of State publishes periodically in the Federal 
Register its Prefatory Statement of Routine Uses which applies to all 
of its Privacy Act System of Records. These standard routine uses apply 
to Protocol Records, State-33.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Electronic and hard copy media.

RETRIEVABILITY:
    By an individual name.

SAFEGUARDS:
    All users are given cyber security awareness training which covers 
the procedures for handling Sensitive But Unclassified (SBU) 
information, including personally identifiable information (PII). 
Annual refresher training is mandatory. In addition, all Foreign 
Service and Civil Service employees and those Locally Engaged Staff who 
handle PII are required to take the Foreign Service Institute distance 
learning course, PA 459, instructing employees on privacy and security 
requirements, including the rules of behavior for handling PII and the 
potential consequences if it is handled improperly.
    Access to the Department of State, its annexes and posts abroad is 
controlled by security guards and admission is limited to those 
individuals possessing a valid identification card or individuals under 
proper escort. All paper records containing personal information are 
maintained in secured file cabinets in restricted areas, access to 
which is limited to authorized personnel only. Access to computerized 
files is password-protected and under the direct supervision of the 
system manager. The system manager has the capability of printing audit 
trails of access from the computer media, thereby permitting regular 
and ad hoc monitoring of computer usage. When it is determined that a 
user no longer needs access, the user account is disabled.
    Before being granted access to Protocol Records, a user must first 
be granted access to the Department of State computer system. Remote 
access to the Department of State network from non-Department owned 
systems is authorized only to unclassified systems and only through a 
Department approved access program. Remote access to the network is 
configured with the Office of Management and Budget Memorandum M-07-16 
security requirements which include but are not limited to two-factor 
authentication and time out function. All Department of State employees 
and contractors with authorized access have undergone a thorough 
background security investigation.
    The safeguards in the following paragraphs apply only to records 
that are maintained in cloud systems. All cloud systems that provide IT 
services and process Department of State information must be: (1) 
Provisionally authorized to operate by the Federal Risk and 
Authorization Management Program (FedRAMP), and (2) specifically 
authorized by the Department of State Authorizing Official and Senior 
Agency Official for Privacy. Only information that conforms with 
Department-specific definitions for Federal Information Security 
Management Act (FISMA) low or moderate categorization are permissible 
for cloud usage. Specific security measures and safeguards will depend 
on the FISMA categorization of the information in a given cloud system. 
In accordance with Department policy, systems that process more 
sensitive information will require more stringent controls and review 
by Department cybersecurity experts prior to approval. Prior to 
operation, all Cloud systems must comply with applicable security 
measures that are outlined in FISMA, FedRAMP, OMB regulations, NIST 
Federal Information Processing Standards (FIPS) and Special Publication 
(SP), and Department of State policy and standards.
    All data stored in cloud environments categorized above a low FISMA 
impact risk level must be encrypted at rest and in-transit using a 
federally approved encryption mechanism. The encryption keys shall be 
generated, maintained, and controlled in a Department data center by 
the Department key management authority. Deviations from these 
encryption requirements must be approved in writing by the Authorizing 
Official.

RETENTION AND DISPOSAL:
    Records are retired and destroyed in accordance with published 
Department of State Records Disposition Schedules as approved by the 
National Archives and Records Administration (NARA). More specific 
information may be obtained by writing to the following address: 
Director, Office of Information Programs and Services, A/GIS/IPS; SA-2, 
Department of State; 515 22nd Street NW., Washington, DC 20522-8100.

SYSTEM MANAGER(S) AND ADDRESS:
    Assistant Chief of Protocol for Management and Executive Director, 
Office of the Chief of Protocol, Department of State, 2201 C Street 
NW., Washington, DC 20520.

[[Page 9924]]

    The Director of Major Events and Conferences Staff, Office of Major 
Events and Conferences, Department of State, 2201 C Street NW., 
Washington DC, 20520.

NOTIFICATION PROCEDURE:
    Individuals who have cause to believe that the Office of the Chief 
of Protocol or Office of Major Events and Conferences Staff may have 
records pertaining to him or her should write to the following address: 
Director; Office of Information Programs and Services, A/GIS/IPS; SA-2 
Department of State; 515 22nd Street NW., Washington, DC 20522-8100.
    The individual must specify that he or she requests the records of 
the Office of the Chief of Protocol or the Office of Major Events and 
Conferences Staff to be checked. At a minimum, the individual must 
include the following: Name, date and place of birth, current mailing 
address and zip code, signature, and any other information helpful in 
identifying the record.

RECORD ACCESS PROCEDURES:
    Individuals who wish to gain access to or amend records pertaining 
to themselves should write to the Director; Office of Information 
Programs and Services (address above).

CONTESTING RECORD PROCEDURES:
    (See above).

RECORD SOURCE CATEGORIES:
    These records contain information collected directly from: The 
individual who is the subject of these records; employers and public 
references; other officials in the Department of State; other 
government agencies; foreign governments; and other public and 
professional institutions possessing relevant information.

SYSTEMS EXEMPTED FROM CERTAIN PROVISIONS OF THE ACT:
    None.

[FR Doc. 2016-04192 Filed 2-25-16; 8:45 am]
BILLING CODE 4710-24-P