[Federal Register Volume 86, Number 63 (Monday, April 5, 2021)]
[Notices]
[Pages 17616-17619]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2021-06874]


-----------------------------------------------------------------------

DEPARTMENT OF HOMELAND SECURITY

[Docket No. CISA-2021-0004]


Privacy Act of 1974; System of Records

AGENCY: Cybersecurity and Infrastructure Security Agency, U.S. 
Department of Homeland Security.

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, the U.S. 
Department of Homeland Security (DHS) proposes to establish a new DHS 
system of records titled, ``DHS/Cybersecurity and Infrastructure 
Security Agency (CISA)-005 Administrative Subpoenas for Cybersecurity 
Vulnerability Identification and Notification System of Records.'' This 
system of records allows DHS/CISA (``Agency'') to receive and collect 
customer or subscriber contact information from electronic 
communications service providers to

[[Page 17617]]

identify and notify entities at risk of security vulnerabilities 
relating to critical infrastructure information systems and devices. 
This newly established system will be included in DHS's inventory of 
record systems.

DATES: Submit comments on or before May 5, 2021. This new system will 
be effective upon publication. Routine uses will be effective May 5, 
2021.

ADDRESSES: You may submit comments, identified by docket number CISA-
2021-0004 by one of the following methods:
     Federal e-Rulemaking Portal: http://www.regulations.gov. 
Follow the instructions for submitting comments.
     Fax: 202-343-4010.
     Mail: Lynn Parker Dupree, Chief Privacy Officer, Privacy 
Office, U.S. Department of Homeland Security, Washington, DC 20528-
0655.
    Instructions: All submissions received must include the agency name 
and docket number CISA-2021-0004. All comments received will be posted 
without change to http://www.regulations.gov, including any personal 
information provided.
    Docket: For access to the docket to read background documents or 
comments received, go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For general questions, please contact: 
James Burd, (703) 235-1919, [email protected], Chief Privacy 
Officer, Office of the Privacy Office, Cybersecurity and Infrastructure 
Security Agency, Washington, DC 20528-0655. For privacy questions, 
please contact: Lynn Parker Dupree, (202) 343-1717, [email protected], 
Chief Privacy Officer, Privacy Office, U.S. Department of Homeland 
Security, Washington, DC 20528-0655.

SUPPLEMENTARY INFORMATION:

I. Background

    In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the U.S. 
Department of Homeland Security (DHS) Cybersecurity and Infrastructure 
Security Agency (CISA) proposes to establish a new CISA system of 
records entitled, ``DHS/CISA--Administrative Subpoenas for 
Cybersecurity Vulnerability Identification System of Records.'' 
Subsection (o) of Section 2209 of the Homeland Security Act, as 
amended, 6 U.S.C. 659(o), grants CISA the authority to issue a subpoena 
for the production of information necessary to identify and notify an 
entity at risk, where the entity owns or operates what CISA has reason 
to believe is a ``covered device or system'' \1\ with a specific 
security vulnerability relating to critical infrastructure, and if CISA 
itself is unable to identify the entity at risk that owns or operates 
such covered device or system. CISA will issue subpoenas to providers 
of public electronic communications services, such as Internet Service 
Providers (ISP), that have relevant customer or subscriber information 
to identify the owners or operators of covered devices or systems with 
a specific security vulnerability, often identified through their 
internet protocol (IP) address. The Electronic Communications Privacy 
Act of 1986 (18 U.S.C. 2510 et seq.) permits the federal government to 
subpoena such service providers for basic subscriber information. The 
information to be collected by CISA is not for intelligence or 
prosecution activities, but rather to notify entities of potential 
cybersecurity risks to covered devices or systems with a specific 
security vulnerability relating to critical infrastructure.
---------------------------------------------------------------------------

    \1\ ``Covered device or system'' means a device or system 
commonly used to perform industrial, commercial, scientific, or 
government functions or processes related to critical 
infrastructure, including operational and industrial control 
systems, distributed control systems, and programmable logic 
controllers. The term ``covered device or system'' does not include 
personal devices or systems, such as consumer mobile devices, home 
computers, residential wireless routers, or residential internet 
enabled consumer devices. See 6 U.S.C. 659(o)(1).
---------------------------------------------------------------------------

    This system of records will cover records of individuals identified 
in the information provided by the ISP as the owner or operator of a 
covered device or system connected to the internet with a specific 
security vulnerability related to critical infrastructure. CISA 
maintains this information to identify and notify the individual of the 
vulnerability on the covered device or system.\2\
---------------------------------------------------------------------------

    \2\ Pursuant to 6 U.S.C. 659(o)(8), the Agency may not require 
an owner or operator of critical infrastructure to take any action 
as a result of a notice of vulnerability made pursuant to 6 U.S.C. 
659(o).
---------------------------------------------------------------------------

    This newly established system will be included in DHS's inventory 
of record systems.

II. Privacy Act

    The Privacy Act embodies fair information practice principles in a 
statutory framework governing the means by which federal government 
agencies collect, maintain, use, and disseminate individuals' records. 
The Privacy Act applies to information that is maintained in a ``system 
of records.'' A ``system of records'' is a group of any records under 
the control of an agency from which information is retrieved by the 
name of an individual or by some identifying number, symbol, or other 
identifying particular assigned to the individual. In the Privacy Act, 
an individual is defined to encompass U.S. citizens and lawful 
permanent residents. Additionally, the Judicial Redress Act (JRA) 
provides covered persons with a statutory right to make requests for 
access and amendment to covered records, as defined by the JRA, along 
with judicial review for denials of such requests. In addition, the JRA 
prohibits disclosures of covered records, except as otherwise permitted 
by the Privacy Act.
    Below is the description of the DHS/CISA-005 Administrative 
Subpoenas for Cybersecurity Vulnerability Identification and 
Notification System of Records.
    In accordance with 5 U.S.C. 552a(r), DHS has provided a report of 
this system of records to the Office of Management and Budget and to 
Congress.

SYSTEM NAME AND NUMBER:
    DHS/CISA-005 Administrative Subpoenas for Cybersecurity 
Vulnerability Identification and Notification.

SECURITY CLASSIFICATION:
    Controlled Unclassified Information.

SYSTEM LOCATION:
    Records are maintained at CISA locations such as Arlington, 
Virginia and Pensacola, Florida.

SYSTEM MANAGER(S):
    Division Director, National Cybersecurity and Communications 
Integration Center (NCCIC) Hunt & Incident Response, 1110 North Glebe 
Rd. Arlington, VA 22201.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Subsection (o) of Section 2209 of the Homeland Security Act, as 
amended, 6 U.S.C. 659(o).

PURPOSE(S) OF THE SYSTEM:
    The purpose of this system is to maintain records for the purpose 
of identifying and notifying entities at risk of security 
vulnerabilities relating to critical infrastructure on covered devices 
and systems. The authority is available only in circumstances where 
CISA knows of a specific cybersecurity risk to a covered device or 
system but is unable to determine the owner or operator of the covered 
device or system. The information sought by subpoena is limited to only 
basic categories of subscriber information.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individual(s) whose contact information is provided by an 
electronic

[[Page 17618]]

communication service provider in response to a subpoena as described 
above.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Categories of records in this system include the following 
information obtained through subpoenas:
     Name;
     Address;
     Length of service (including start date) and types of 
service utilized; and
     Telephone or instrument number or other subscriber number 
or identity.
    In addition, the system will also include the following categories 
of records:
     IP address;
     Individual's position/title or organizational 
affiliations; and
     Identifier or ticket number created by CISA to retrieve 
information.

RECORD SOURCE CATEGORIES:
    Information is obtained from a subpoenaed individual, partnership, 
corporation, association, or entity. Information may also be obtained 
through public sources or contact with an individual identified through 
the issuing of a subpoena.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In accordance with subsection (o) of Section 2209 of the Homeland 
Security Act, as amended, (6 U.S.C. 659(o)), the Agency may not 
disseminate nonpublic information obtained through a subpoena that 
identifies the party that is subject to such subpoena or the entity at 
risk identified by information obtained, except that the Agency may 
share the nonpublic information with the Department of Justice for the 
purpose of enforcing such subpoena in non-compliance circumstances, and 
may share with a federal agency the nonpublic information of the entity 
at risk if the requirements of 6 U.S.C. 659(o)(7)(A) are met so long it 
is used by that federal agency for a cybersecurity purpose, as defined 
in 6 U.S.C. 1501, in accordance with 6 U.S.C. 659(o)(12).

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records in this system are stored electronically or on paper in 
secure facilities in a locked drawer behind a locked door.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    CISA will retrieve records by CISA-created ticket number associated 
with a covered device or system connected to the internet identified as 
having a security vulnerability. Records may also be retrieved by IP 
address or phone number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records that are stored in an individual's file will be purged 
according to the retention and disposition guidelines under 6 U.S.C. 
659(o)(7)(C)(ii), which requires destruction of any personally 
identifiable information not later than six (6) months after the date 
on which the Agency receives information obtained through subpoena, 
unless otherwise agreed to by the individual identified by the subpoena 
respondent. CISA is developing a records retention schedule for 
submission and approval by the National Archives Records 
Administration.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    CISA safeguards records in this system according to applicable 
rules and policies, including all applicable CISA automated systems 
security and access policies. CISA has imposed strict controls to 
minimize the risk of compromising the information that is being stored. 
Access to the computer system containing the records in this system is 
limited to those CISA officials who have a need to know the information 
for the performance of their official duties and who have appropriate 
clearances or permissions.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to and notification of any record 
contained in this system of records, or seeking to contest its content, 
may submit a request in writing to the DHS Chief Privacy Officer or the 
appropriate Headquarters or component's FOIA Officer whose contact 
information can be found at https://www.dhs.gov/freedom-information-act-foia under ``Contact Information.'' If an individual believes more 
than one component maintains Privacy Act records concerning him or her, 
the individual may submit the request to the DHS Chief Privacy Officer 
and Chief Freedom of Information Act Officer, U.S. Department of 
Homeland Security, Washington, DC 20528-0655. Even if neither the 
Privacy Act nor the Judicial Redress Act provide a right of access, 
certain records about you may be available under the Freedom of 
Information Act.
    When an individual is seeking records about himself or herself from 
this system of records or any other Departmental system of records, the 
individual's request must conform with the Privacy Act regulations set 
forth in 6 CFR part 5. The individual must first verify his/her 
identity, meaning that the individual must provide his/her full name, 
current address, and date and place of birth. The individual must sign 
the request, and the individual's signature must either be notarized or 
submitted under 28 U.S.C. 1746, a law that permits statements to be 
made under penalty of perjury as a substitute for notarization. In 
addition, the individual should:
     Explain why he or she believes the Department would have 
information being requested;
     Identify which component(s) of the Department he or she 
believes may have the information;
     Specify when the individual believes the records would 
have been created; and
     Provide any other information that will help the FOIA 
staff determine which DHS component agency may have responsive records.
    If the request is seeking records pertaining to another living 
individual, the request must include an authorization from the 
individual whose record is being requested, authorizing the release to 
the requester.
    Without the above information, the component(s) may not be able to 
conduct an effective search, and the individual's request may be denied 
due to lack of specificity or lack of compliance with applicable 
regulations.

CONTESTING RECORD PROCEDURES:
    For records covered by the Privacy Act, individuals may make a 
request for amendment or correction of a record of the Department about 
the individual by writing directly to the Department component that 
maintains the record, unless the record is not subject to amendment or 
correction. The request should identify each particular record in 
question, state the amendment or correction desired, and state why the 
individual believes that the record is not accurate, relevant, timely, 
or complete. The individual may submit any documentation that would be 
helpful. If the individual believes that the same record is in more 
than one system of records, the request should state that and be 
addressed to each component that maintains a system of records 
containing the record.

NOTIFICATION PROCEDURES:
    See ``Record Access Procedures'' above.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

[[Page 17619]]

HISTORY:
    None.
* * * * *

Lynn Parker Dupree,
Chief Privacy Officer, U.S. Department of Homeland Security.
[FR Doc. 2021-06874 Filed 4-2-21; 8:45 am]
BILLING CODE 9110-9P-P