[Federal Register Volume 84, Number 22 (Friday, February 1, 2019)]
[Notices]
[Pages 1079-1081]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-00608]
-----------------------------------------------------------------------
DEPARTMENT OF DEFENSE
Office of the Secretary
[Docket ID: DOD-2019-OS-0003]
Privacy Act of 1974; System of Records
AGENCY: Defense Information Systems Agency, DoD.
ACTION: Notice of a New System of Records.
-----------------------------------------------------------------------
SUMMARY: The Defense Information Systems Agency (DISA) proposes to
establish a new system of records entitled ``Electronic Security System
(ESS), K890.28'' to control physical access to DISA Headquarters. DISA,
as a classified collateral open storage area, has security
responsibilities mandated by DoD Manual 5200.01, volume 3, DoD
Information Security Program: Protection of Classified Information.
This includes the use of an integrated electronic access control
system. The system identifies and verifies
[[Page 1080]]
individuals through the use of data registered into the access control
system from an individual's Common Access Card (CAC). The system tracks
the entry/exit times of personnel who enter/exit the DISA Headquarters
Complex and some rooms within the complex.
DATES: Comments will be accepted on or before March 4, 2019. This
proposed action will be effective the date following the end of the
comment period unless comments are received which result in a contrary
determination.
ADDRESSES: You may submit comments, identified by docket number and
title, by any of the following methods:
* Federal Rulemaking Portal: http://www.regulations.gov.
Follow the instructions for submitting comments.
* Mail: Department of Defense, Office of the Chief Management
Officer, Directorate for Oversight and Compliance, 4800 Mark Center
Drive, Mailbox #24, Suite 08D09, Alexandria, VA 22350-1700.
Instructions: All submissions received must include the agency name
and docket number for this Federal Register document. The general
policy for comments and other submissions from members of the public is
to make these submissions available for public viewing on the internet
at http://www.regulations.gov as they are received without change,
including any personal identifiers or contact information.
FOR FURTHER INFORMATION CONTACT: Mrs. Jeanette M. Weathers-Jenkins,
DISA Privacy Officer, 6914 Cooper Ave., Fort Meade, MD 20755-7090, or
by phone at (301) 225-8158.
SUPPLEMENTARY INFORMATION: DISA's security responsibilities include
identifying or verifying individuals through the use of matching PKI
(Public Key Infrastructure) information on the CAC to the information
registered into the ESS (from the CAC), to retrieve CACs upon
separation, to maintain visitor statistics, collect information to
adjudicate access to facility, and track the entry/exit times of
personnel for purposes of verifying times of entry and exit. For entry
into building, the guards have the ability to match picture on CAC to
person holding CAC and the picture on file in system.
The DISA notices for systems of records subject to the Privacy Act
of 1974 (5 U.S.C. 552a), as amended, have been published in the Federal
Register and are available from the address in FOR FURTHER INFORMATION
CONTACT or at the Defense Privacy, Civil Liberties, and Transparency
Division website at https://defense.gov/privacy.
The proposed system reports, as required by 5 U.S.C. 552a(r) of the
Privacy Act of 1974, as amended, was submitted on November 5, 2018, to
the House Committee on Oversight and Government Reform, the Senate
Committee on Governmental Affairs, and the Office of Management and
Budget (OMB) pursuant to Section 6 to OMB Circular No. A-108, ``Federal
Agency Responsibilities for Review, Reporting, and Publication under
the Privacy Act,'' revised December 23, 2016 (December 23, 2016, 81 FR
94424).
Dated: January 28, 2019.
Aaron T. Siegel,
Alternate OSD Federal Register Liaison Officer, Department of Defense.
SYSTEM NAME AND NUMBER
Electronic Security System (ESS), K890.28
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Defense Information Systems Agency (DISA), 6910 Cooper Ave., Ft.
Meade, MD 20755-7090.
SYSTEM MANAGER(S):
Chief, Security Division, Workforce Services Directorate (WSD)/
MP61, Defense Information Systems Agency, 6910 Cooper Ave., Ft. Meade,
MD 20755-7090, (301) 225-1235.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
10 U.S.C. 193 and 10 U.S.C. 142; Department of Defense Directive
5105.19, Defense Information Systems Agency (DISA); Department of
Defense Directive 5200.08, Security of DoD Installations and Resources
and the DoD Physical Security Review Board (PSRB) and HSPD-12, Policy
for a Common Identification Standard for Federal Employees and
Contractors.
PURPOSE(S) OF THE SYSTEM:
The purpose of the system is to control physical access to DISA
Headquarters controlled information. DISA's security responsibilities
include identifying or verifying individuals through the use of
matching PKI (Public Key Infrastructure) information on the CAC to the
information registered into the ESS (from the CAC). For entry into
building guards also have ability to match picture on CAC to person
holding CAC and the picture on file in system.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
DISA military and civilian employees and contractors, and others
with issued common access card and authorized (regular or frequent)
entry to DISA facilities.
CATEGORIES OF RECORDS IN THE SYSTEM:
Name, DoD ID Number or credential barcode, photograph of person,
information that reflects time of entry/exit from facility or secure
location, and identification expiration dates.
RECORD SOURCE CATEGORIES:
Individuals; Defense Enrollment Eligibility Reporting Systems,
Department of Defense, other Federal Departments and Agencies,
Department of Army, Department of the Air Force, Department of Navy,
and U.S. Marine Corps security offices; system managers; computer
facility managers; commercial businesses whose employees require access
to the facilities or locations; and automated interfaces for user codes
on file at Department of Defense sites.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b) of the Privacy Act of 1974, as amended, the records contained
herein may specifically be disclosed outside the DoD as a routine use
pursuant to 5 U.S.C. 552a(b)(3) as follows:
a. To contractors, grantees, experts, consultants, students, and
others performing or working on a contract, service, grant, cooperative
agreement, or other assignment for the Federal Government when
necessary to accomplish an agency function related to this system of
records.
b. To the appropriate Federal, State, local, territorial, tribal,
foreign, or international law enforcement authority or other
appropriate entity where a record, either alone or in conjunction with
other information, indicates a violation or potential violation of law,
whether criminal, civil, or regulatory in nature.
c. To any component of the Department of Justice for the purpose of
representing the DoD, or its components, officers, employees, or
members in pending or potential litigation to which the record is
pertinent.
d. In an appropriate proceeding before a court, grand jury, or
administrative or adjudicative body or official, when the DoD or other
Agency representing the DoD determines that the records are relevant
and necessary to the proceeding; or in an appropriate proceeding before
an administrative or adjudicative body when the adjudicator determines
the records to be relevant to the proceeding.
[[Page 1081]]
e. To the National Archives and Records Administration for the
purpose of records management inspections conducted under the authority
of 44 U.S.C. 2904 and 44 U.S.C. 2906.
f. To a Member of Congress or staff acting upon the Member's behalf
when the Member or staff requests the information on behalf of, and at
the request of, the individual who is the subject of the record.
g. To appropriate agencies, entities, and persons when (1) the DoD
suspects or has confirmed that there has been a breach of the system of
records; (2) the DoD has determined that as a result of the suspected
or confirmed breach there is a risk of harm to individuals, the DoD
(including its information systems, programs, and operations), the
Federal Government, or national security; and (3) the disclosure made
to such agencies, entities, and persons is reasonably necessary to
assist in connection with the DoD's efforts to respond to the suspected
or confirmed breach or to prevent, minimize, or remedy such harm.
h. To another Federal agency or Federal entity, when the DoD
determines that information from this system of records is reasonably
necessary to assist the recipient agency or entity in (1) responding to
a suspected or confirmed breach or (2) preventing, minimizing, or
remedying the risk of harm to individuals, the recipient agency or
entity (including its information systems, programs and operations),
the Federal Government, or national security, resulting from a
suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
These electronic records are stored on secure servers with access
controlled, access restricted by the use of logon, password, and/or
card swipe protocols.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Information is retrieved by name and DoD ID number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Data elements housed in the agency identity management system are
destroyed 6 years after terminating an employee or contractor's
employment, but longer retention is authorized if required for business
use.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Access to the type and amount of data is governed by privilege
management software and policies developed and enforced by Federal
Government personnel. Data is protected by repository and interfaces,
including, but not limited to multi-layered firewalls, Secure Sockets
Layer/Transport Layer Security (SSL/TLS) connections, access control
lists, file system permissions, intrusion detection and prevention
systems and log monitoring. Complete access to all records is
restricted to and controlled by certified system management personnel,
who are responsible for maintaining the e-App system integrity and the
data confidentiality. Access to computerized data is restricted by
Common Access Card (CAC).
Access is provided on a need-to-know basis only. The office space
in which the servers are located is locked outside of official working
hours. Computer terminals are located in supervised areas. The
electronic security system utilized to safeguard is password protected.
Computerized records maintained in a controlled area are accessible
only to authorized personnel. Records are maintained in a controlled
facility. Physical entry is restricted by the use of locks, guards, the
access control system, and is accessible only to authorized personnel.
Physical and electronic access is restricted to designated individuals
having a need therefore in the performance of official duties and who
are properly screened and cleared for need-to-know. Access is
restricted to only authorized persons who are properly screened.
RECORD ACCESS PROCEDURES:
Individuals seeking access to records about themselves should
address written inquiries to the Defense Information Systems Agency
(DISA), Workforce Services Directorate (WSD)/MP61, 6910 Cooper Ave.,
Ft. Meade, MD 20755-7090.
Signed, written requests should include the individual's full name,
current address, telephone number, and the name and number of this
System of Records. In addition, the requester must provide either a
notarized statement or an unsworn declaration made in accordance with
28 U.S.C. 1746, in the following format:
If executed outside the United States: ``I declare (or certify,
verify, or state) under penalty of perjury under the laws of the United
States of America that the foregoing is true and correct. Executed on
(date). (Signature).''
If executed within the United States, its territories, possessions,
or commonwealths: ``I declare (or certify, verify, or state) under
penalty of perjury that the foregoing is true and correct. Executed on
(date). (Signature).''
CONTESTING RECORD PROCEDURES:
The Defense Information Systems Agency (DISA) rules for contesting
contents and appealing initial agency determinations are published in
DISA Instruction 210-225-2; 32 CFR part 316; or may be obtained from
the system manager.
NOTIFICATION PROCEDURES:
Individuals seeking to determine whether information about
themselves is contained in this system should address written inquiries
to Defense Information Systems Agency (DISA), Workforce Services
Directorate (WSD)/MP61, 6910 Cooper Ave., Ft. Meade, MD 20755-7090.
Signed, written requests should include the individual's full name,
current address, telephone number, and the name and number of this
system of records notice. In addition, the requester must provide
either a notarized statement or an unsworn declaration made in
accordance with 28 U.S.C. 1746, in the following format:
If executed outside the United States: ``I declare (or certify,
verify, or state) under penalty of perjury under the laws of the United
States of America that the foregoing is true and correct. Executed on
(date). (Signature).''
If executed within the United States, its territories, possessions,
or commonwealths: ``I declare (or certify, verify, or state) under
penalty of perjury that the foregoing is true and correct. Executed on
(date). (Signature).''
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
[FR Doc. 2019-00608 Filed 1-31-19; 8:45 am]
BILLING CODE 5001-06-P