[Federal Register Volume 83, Number 193 (Thursday, October 4, 2018)]
[Proposed Rules]
[Pages 50053-50055]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2018-21440]



=======================================================================
-----------------------------------------------------------------------

DEPARTMENT OF TRANSPORTATION

Office of the Secretary

49 CFR Part 10

[Docket No. OST-2016-0028]
RIN 2105-AE46


Maintenance of and Access to Records Pertaining to Individuals

AGENCY: Office of the Secretary (OST), U.S. Department of 
Transportation (DOT).

ACTION: Notice of proposed rulemaking.

-----------------------------------------------------------------------

SUMMARY: This proposed rulemaking would amend the Department of 
Transportation's Privacy Act regulations to exempt the Department of 
Transportation's new insider threat program system of records from 
certain requirements of the Privacy Act to protect properly classified 
information from disclosure, preserve the integrity of insider threat 
inquiries, and protect the identities of sources in such inquiries and 
any related investigations.

DATES: Submit comments on or before December 3, 2018.

ADDRESSES: You may file comments identified by the docket number 
DOT-OST-2016-0028 by any of the following methods:
     Federal Rulemaking Portal: Go to http://www.regulations.gov and 
follow the online instructions for submitting comments.
     Mail: Docket Management Facility, U.S. Department of 
Transportation, 1200 New Jersey Ave. SE, West Building Ground Floor, 
Room W12-140, Washington, DC 20590-0001.
     Hand Delivery or Courier: West Building Ground Floor, Room 
W12-140, 1200 New Jersey Ave. SE, between 9:00 a.m. and 5:00 p.m. ET, 
Monday through Friday, except Federal holidays.
     Fax: 202-493-2251.
    Instructions: You must include the agency name and docket number 
DOT-OST-2016-0028 or the Regulatory Identification Number (RIN) for the 
rulemaking at the beginning of your comment. All comments received will 
be posted without change to http://www.regulations.gov, including any 
personal information provided.
    Privacy Act: Anyone is able to search the electronic form of all 
comments received in any of our dockets by the name of the individual 
submitting the comment (or signing the comment, if submitted on behalf 
of an association, business, labor union, etc.). You may review DOT's 
system of records notice for dockets in the Federal Register notice 
published on January 17, 2008 (73 FR 3316-3317).
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov or to the street 
address listed above. Follow the online instructions for accessing the 
docket.

FOR FURTHER INFORMATION CONTACT: Claire Barrett, Departmental Chief 
Privacy Officer, Office of the Chief Information Officer, U.S. 
Department of Transportation, 1200 New Jersey Avenue SE, Washington, DC 
20590 or [email protected] or (202) 366-8135.

SUPPLEMENTARY INFORMATION: Executive Order 13587, Structural Reforms to 
Improve the Security of Classified Networks and the Responsible Sharing 
and Safeguarding of Classified Information, directs Federal departments 
and agencies to establish insider threat programs consistent with 
guidance and standards developed by the National Insider Threat Task 
Force, which was established under section 6 of Executive Order 13587. 
The National Insider Threat Policy and Minimum Standards for Executive 
Branch Insider Threat Programs were issued in November 2012. As 
described in Executive Order 13587 and the National Insider Threat 
Policy and Minimum Standards for Executive Branch Insider Threat 
Programs, insider threat programs are intended to deter and detect 
insider threats and mitigate the risks associated with an individual 
using his or her authorized access to Government information and 
facilities to do harm to the security of the United States. The 
potential harms posed by an insider threat can include espionage, 
terrorism, unauthorized disclosure of national security information, or 
the loss or degradation of Government resources or capabilities.
    The DOT has established an Insider Threat Program within the Office 
of the Secretary (OST) and the Federal Aviation Administration (FAA). 
Together, these programs are referred to as the ``DOT Insider Threat 
Program.'' The DOT Insider Threat Program will adhere to the 
requirements of Executive Order 13587, and the National Insider Threat 
Policy and Minimum Standards for Executive Branch Insider Threat 
Programs, and include protocols for reporting and responding to 
potential or suspected insider threat activity.
    The Privacy Act of 1974, 5 U.S.C. 552a, requires that agencies tell 
the public when they maintain information about a person in a file 
which is retrieved by reference to that person's name or some other 
identifying particular. A group of these files is a ``system of 
records,'' and the existence of each system must be published in a 
``system of records notice'' (SORN). In accordance with the Privacy 
Act, DOT proposes to create a new DOT system of records titled, ``DOT/
ALL 26 Insider Threat Program'' for insider threat program records. 
This notice will be published in the Federal Register.
    The DOT Insider Threat Program will maintain information about DOT 
employees about whom the DOT Insider Threat Program has received 
reports of indicia of potential insider threats from other Federal 
agencies, DOT employees, or any other source. As defined in Executive 
Order 12968, a DOT employee, for purposes of the DOT Insider Threat 
Program, means ``a person, other than the President and Vice President, 
employed by, detailed or assigned to, an agency, including members of 
the Armed Forces; an expert or consultant to an agency; an industrial 
or commercial contractor, licensee, certificate holder; or any other 
category of person who acts for or on behalf of an agency, as 
determined by the'' Secretary of Transportation or, for the FAA, the 
FAA Administrator. A licensee, certificate holder (such as an airman), or 
grantee, who is not also a DOT employee, is generally excluded from the 
DOT Insider Threat Program; however, such individuals may be included 
if a determination is made that the nature and extent of an 
individual's access to DOT personnel, facilities, equipment, systems, 
networks, operations, and information necessitates their inclusion.
    The DOT Insider Threat Program will review reports of indicia of 
potential insider threats in accordance with established DOT and FAA 
Insider Threat Program management policy and procedures, as applicable. 
Based on this review, an appropriate authorized OST or FAA official 
will determine whether to proceed with an insider threat inquiry, refer 
the matter to appropriate law enforcement officials, close the matter, 
or take other appropriate action. Insider threat inquiries will be 
comprised primarily of existing DOT information assets, including, but 
not limited to, records from information security, personnel security, 
and human resources, and also may include information obtained from 
other Federal agencies or from publicly available resources (such as 
internet searches). The DOT Insider Threat Program records also will be 
used to track reports of indicia of potential insider threats, whether 
or not an inquiry was opened, the rationale for opening or not opening 
an inquiry; the disposition of all inquiries, and referrals to law 
enforcement (such as the DOT Office of the Inspector General or the 
Federal Bureau of Investigation), and to report on DOT's Insider Threat 
Program activities.
    An agency wishing to exempt portions of some systems of records 
from certain provisions of the Privacy Act must notify the public of 
that exemption in both the SORN and in an exemption rule. This proposed 
rule would exempt certain records maintained by the DOT Insider Threat 
Program from the access and notification provisions of the Privacy Act. 
An exemption from these requirements would be necessary to: Protect 
classified national security information; preclude the subject of an 
inquiry from frustrating an inquiry or evading detection; avoid 
disclosure of insider threat inquiry techniques; protect the identity 
of confidential informants and third parties; and support DOT and FAA's 
ability to obtain information relevant to resolving an insider threat 
concern. The DOT or FAA may take administrative or other appropriate 
action within the scope of their respective legal authorities in response 
to an insider threat inquiry or, if circumstances indicate a potential 
violation of law or a national security concern, refer the matter to 
the appropriate law enforcement or intelligence entity, such as the DOT 
Office of Inspector General or the Federal Bureau of Investigation. 
Thus, the system of records may include some classified national 
security information and, thus, insofar as it does, the subsection 
(k)(1) exemption (5 U.S.C. 552a(k)(1)) would be applicable. In 
addition, an insider threat inquiry is comprised of records compiled 
for law enforcement and the subsection (k)(2) exemption (5 U.S.C. 
552a(k)(2)) would be applicable to this system of records.
    In appropriate circumstances, where compliance with the request 
would not appear to interfere with or adversely affect the conduct of 
an insider threat inquiry or result in the unauthorized disclosure of 
classified information, OST or FAA may opt to waive these exemptions. 
In addition, some information may be available under the Freedom of 
Information Act, 5 U.S.C. 552 (FOIA). Any request for information from 
this system under the FOIA would be assessed on a case-by-case basis to 
determine what, if any, information could be released consistent with 
section (b)(2) of the Privacy Act, 5 U.S.C. 552a(b)(2).
    The DOT identifies a system of records that is exempt from one or 
more provisions of the Privacy Act (pursuant to 5 U.S.C. 552a(j) or 
(k)) both in the SORN published in the Federal Register for public 
comment and in an Appendix to DOT's regulations implementing the 
Privacy Act (49 CFR part 10, Appendix). This rule would exempt records 
in the Insider Threat Program system of records from subsections (c)(3) 
(Accounting of Certain Disclosures), (d) (Access to Records), (e)(1) 
and (e)(4)(G) through (I) (Agency Requirements) and (f) (Agency Rules) 
of the Privacy Act to the extent that records are properly classified, 
in accordance with 5 U.S.C. 552a(k)(1), or consist of investigatory 
material compiled for law enforcement purposes in accordance with 5 
U.S.C. 552a(k)(2).

Regulatory Analysis and Notices

A. Executive Order 12866 (Regulatory Planning and Review) and DOT 
Regulatory Policies and Procedures

    The DOT has considered the impact of this proposed rulemaking 
action under Executive Orders 12866 and 13563 (January 18, 2011, 
``Improving Regulation and Regulatory Review''), and the DOT's 
regulatory policies and procedures (44 FR 11034; February 26, 1979). 
The DOT has determined that this action would not constitute a 
significant regulatory action within the meaning of Executive Order 
12866 and within the meaning of DOT regulatory policies and procedures. 
This rulemaking has not been reviewed by the Office of Management and 
Budget. This rulemaking is not anticipated to result in any costs. 
Since these records would be exempt from certain provisions of the 
Privacy Act, DOT would not have to expend any funds in order to 
administer those aspects of the Act.

B. Regulatory Flexibility Act

    DOT has evaluated the effect these changes would have on small 
entities and does not believe that this rulemaking would impose any 
costs on small entities because the reporting requirements themselves 
are not changed and because the rule applies only to information on 
individuals that is maintained by the Federal Government or that is 
already publicly available. Therefore, I hereby certify that this 
proposal would not have a significant economic impact on a substantial 
number of small entities.

C. National Environmental Policy Act

    The Department has analyzed the environmental impacts of this 
proposed action pursuant to the National Environmental Policy Act of 
1969 (42 U.S.C. 4321 et seq.) and has determined that it is 
categorically excluded pursuant to DOT Order 5610.1C, Procedures for 
Considering Environmental Impacts (44 FR 56420, Oct. 1, 1979). 
Categorical exclusions are actions identified in an agency's NEPA 
implementing procedures that do not normally have a significant impact 
on the environment and therefore do not require either an environmental 
assessment (EA) or environmental impact statement (EIS). See 40 CFR 
1508.4. In analyzing the applicability of a categorical exclusion, the 
agency must also consider whether extraordinary circumstances are 
present that would warrant the preparation of an EA or EIS. Id. 
Paragraph 3.c.5 of DOT Order 5610.1C incorporates by reference the 
categorical exclusions for all DOT Operating Administrations. This 
action is covered by the categorical exclusion listed in the Federal 
Highway Administration's implementing procedures, ``[p]romulgation of 
rules, regulations, and directives.'' 23 CFR 771.117(c)(20). The 
purpose of this rulemaking is to amend the Appendix to DOT's Privacy 
Act regulations. The Department does not anticipate any environmental 
impacts and there are no extraordinary circumstances present in 
connection with this rulemaking.

D. Executive Order 12898 (Environmental Justice)

    The Department evaluated the environmental effects of this proposed 
rule in accordance with Executive Order 12898, Federal Actions to 
Address Environmental Justice in Minority Populations and Low-Income 
Populations, and DOT Order, 5010.2(a), 91 FR 27534 (May 10, 2012) 
(available online at www.fhwa.dot.gov/enviornment/environmental_justice/ej_at_dot/order_56102a/index.cfm), which require 
DOT to achieve environmental justice (EJ) as part of its mission by 
identifying and addressing, as appropriate, disproportionately high and 
adverse human health or environmental effects, including interrelated 
social and economic effects, of its programs, policies, and activities 
on minority and low income populations in the United States. The DOT 
Order requires DOT to address compliance with the Executive Order and 
the DOT Order in all rulemaking activities. The Department has 
evaluated this proposed rule under the Executive Order and the DOT 
Order, and has determined preliminarily that the rule would not cause 
disproportionately high and adverse human health and environmental 
effects on minority or low income populations.

E. Executive Order 13132 (Federalism)

    This proposed action has been analyzed in accordance with the 
principles and criteria contained in Executive Order 13132, Federalism, 
dated August 4, 1999, and it has been determined that it would not have 
a substantial direct effect on, or sufficient Federalism implications 
for, the States, nor would it limit the policymaking discretion of the 
States. Therefore, the preparation of a Federalism Assessment is not 
necessary.

F. Executive Order 13084 (Consultation and Coordination With Indian 
Tribal Governments)

    This action has been analyzed in accordance with the principles and 
criteria contained in Executive Order 13084 (``Consultation and 
Coordination with Indian Tribal Governments''). Because it would not 
have an effect on Indian Tribal Governments, the funding and consultation 
requirements of Executive Order 13084 do not apply.

G. Paperwork Reduction Act

    Under the Paperwork Reduction Act of 1995 (PRA) (44 U.S.C. 3501, et 
seq.), Federal agencies must obtain approval from the Office of 
Management and Budget for each collection of information they conduct, 
sponsor, or require through regulations. The DOT has determined that 
this action would not contain a collection of information requirement 
for the purposes of the PRA.

H. Unfunded Mandates Reform Act

    Title II of the Unfunded Mandates Reform Act of 1995 (UMRA) (Pub. 
L. 104-4, 109 Stat. 48, March 22, 1995) requires Federal agencies to 
assess the effects of certain regulatory actions on State, local, and 
tribal governments; and the private sector. The UMRA requires a written 
statement of economic and regulatory alternatives for proposed and 
final rules that contain Federal mandates. A ``Federal mandate'' is a 
new or additional enforceable duty, imposed on any State, local, or 
tribal Government; or the private sector. If any Federal mandate causes 
those entities to spend, in aggregate, $143.1 million or more in any 
one year (adjusted for inflation), an UMRA analysis is required. This 
proposed rule would not impose Federal mandates on any State, local, or 
tribal governments; or the private sector.

List of Subjects in 49 CFR Part 10

    Penalties, Privacy.

    In consideration of the foregoing, DOT proposes to amend part 10 of 
title 49, Code of Federal Regulations, as follows:

1. The authority citation for part 10 continues to read as follows:

    Authority: 5 U.S.C. 552a; 49 U.S.C. 322.

2. Amend the Appendix to Part 10 by:
a. In Part II, adding paragraphs A.10, B.4., F.5., and G.2.
    The revisions and additions read as follows:

APPENDIX TO PART 10--EXEMPTIONS

    Part II. Specific Exemptions
    A. * * *
    10. Insider Threat Program (DOT/ALL 26).
    B. * * *
    4. Insider Threat Program (DOT/ALL 26).
* * * * *
    F. * * *
    5. Insider Threat Program (DOT/ALL 26).
* * * * *
    G. * * *
    2. Insider Threat Program (DOT/ALL 26).

    Issued in Washington, DC, on August 17, 2018.
Elaine L. Chao,
Secretary.
[FR Doc. 2018-21440 Filed 10-3-18; 8:45 am]