[Federal Register Volume 87, Number 19 (Friday, January 28, 2022)]
[Notices]
[Pages 4590-4592]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-01733]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-9303-01-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support (OMS), Environmental Protection 
Agency (EPA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Environmental Protection Agency's (EPA) Office of 
Mission Support (OMS) is giving notice that it proposes to modify a 
system of records pursuant to the provisions of the Privacy Act of 
1974. Fleet Access (FA) is being modified to add a routine use that is 
related to Federal Automotive Statistical Tool (FAST) reporting and to 
move Fleet Access infrastructure from an externally-hosted non-Federal 
Risk and Authorization Management Program (FedRAMP) authorized cloud 
service provider to EPA's National Computing Center (NCC).

DATES: Persons wishing to comment on this system of records notice must 
do so by February 28, 2022. New routine uses for this modified system 
of records will be effective February 28, 2022.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2020-0137, by one of the following methods:
    Federal eRulemaking Portal: https://www.regulations.gov. Follow the 
online instructions for submitting comments.
    Email: [email protected]. Include the Docket ID number in the 
subject line of the message.
    Fax: (202) 566-1752.
    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2020-0137. The EPA's policy is that all comments received will be 
included in the public docket without change and may be made available 
online at https://www.regulations.gov, including any personal 
information provided, unless the comment includes information claimed 
to be Controlled Unclassified Information (CUI) or other information 
for which disclosure is restricted by statute. Do not submit 
information that you consider to be CUI or otherwise protected through 
https://www.regulations.gov. The https://www.regulations.gov website is 
an ``anonymous access'' system for the EPA, which means the EPA will 
not know your identity or contact information. If you submit an 
electronic comment, the EPA recommends that you include your name and 
other contact information in the body of your comment. If the EPA 
cannot read your comment due to technical difficulties and cannot 
contact you for clarification, the EPA may not be able to consider your 
comment. If you send an email comment directly to the EPA without going 
through https://www.regulations.gov, your email address will be 
automatically captured and included as part of the comment that is 
placed in the public docket and made available on the internet. 
Electronic files should avoid the use of special characters, any form 
of encryption, and be free of any defects or viruses. For additional 
information about the EPA public docket, visit the EPA Docket Center 
homepage at https://www.epa.gov/dockets.
    Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically in https://www.regulations.gov or in hard copy at the 
OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution 
Ave. NW, Washington, DC 20460. The Public Reading Room is normally open 
from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal 
holidays. The telephone number for the Public Reading Room is (202) 
566-1744, and the telephone number for the OMS Docket is (202) 566-
1752.

Temporary Hours During COVID-19

    Out of an abundance of caution for members of the public and our 
staff, the EPA Docket Center and Reading Room are closed to the public, 
with limited exceptions, to reduce the risk of transmitting COVID-19. 
Our Docket Center staff will continue to provide remote customer 
service via email, phone, and webform. We encourage the public to 
submit comments via https://www.regulations.gov/ or email, as there may 
be a delay in processing mail and faxes. Hand deliveries and couriers 
may be received by scheduled appointment only. For further information 
about EPA Docket Center services and the current status, please visit 
us online at https://www.epa.gov/dockets.

FOR FURTHER INFORMATION CONTACT: General questions about the Fleet 
Access system should be made in writing to James Cunningham, (202) 564-
7212, [email protected]; Jackie Brown, (202) 564-0313, 
[email protected]; and Jonathan Barnes, (202) 564-1950, 
[email protected].

SUPPLEMENTARY INFORMATION: EPA implemented Fleet Access (FA) in 
response to General Services Administration (GSA) Bulletin FMR B-15, 
which includes the requirement that each federal agency store and 
maintain vehicle asset data collected in a Fleet Management Information 
System (FMIS). FA stores vehicle-level data such as license plate, 
vehicle identification number (VIN), make, model, acquisition value/
lease rates, and designations regarding alternative fuel, energy, and 
sustainability mandates. FA is also used to produce the yearly FAST 
Report. This end-of-year report is submitted to the federal agency that 
maintains the Federal Automotive Statistical Tool (FAST). The FAST 
Report summarizes each vehicle's annual data with respect to fuel, 
mileage, maintenance, acquisition, and disposal.
    EPA is modifying FA to add a routine use that is related to FAST 
reporting, and to move FA information technology

[[Page 4591]]

infrastructure from a vendor-hosted system to an EPA-hosted system 
because the vendor for Fleet Access, AgileFleet, is not FedRAMP 
certified. In addition, moving FA to an EPA-hosted system will ensure 
that NIST-required security controls for a system categorized as low 
are in place, operating as expected, and producing the desired results. 
See National Institute of Standards and Technology (NIST) Special 
Publication 800-53, ``Security and Privacy Controls for Information 
Systems and Organizations,'' Revision 5. In addition, the vendor-hosted 
infrastructure is not FedRAMP compliant.
    FA will continue to serve as a comprehensive standardized vehicle 
reservation system used by agency staff needing to reserve and utilize 
fleet vehicles for official agency business. FA will still require 
system users to register personal business information to reserve 
agency fleet assets. Other components of FA, including operational, 
functional, and day-to-day management will not change except for 
planned upgrades.

SYSTEM NAME AND NUMBER:
    Fleet Access, EPA-85.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    FA is managed by the Office of Mission Support, Office of 
Administration, Environmental Protection Agency, 1301 Constitution Ave. 
NW, Washington, DC 20460. Electronically stored information is hosted 
at the EPA National Computer Center (NCC), 109 TW Alexander Drive, 
Research Triangle Park, Durham, NC 27711.

SYSTEM MANAGER(S):
    James Cunningham, IT Project Manager, Office of Mission Support, 
Office of Administration, Environmental Protection Agency, 1200 
Pennsylvania Ave. NW, Washington, DC 20460, Mail code 3101M, 
[email protected], 202-564-7212.
    Jonathan Barnes, Fleet Project Manager, Office of Mission Support, 
Office of Administration, Environmental Protection Agency, 1200 
Pennsylvania Ave. NW, Washington, DC 20460, Mail code 3101M, 
[email protected], 202-564-1950.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    40 U.S.C. 17502 and 17503--Federal Motor Vehicle Expenditure 
Control; and General Services Administration (GSA) FMR B-15.

PURPOSE(S) OF THE SYSTEM:
    FA is a commercial off-the-shelf software solution installed on EPA 
systems and operated by EPA personnel and contractors. EPA uses FA to 
manage the Agency's fleet resources, and specifically to store and 
maintain vehicle asset data collected in the Agency's Fleet Management 
Information System (FMIS). The FA system serves two primary purposes: 
First, to store vehicle level data such as license plate, VIN, make, 
model, acquisition value/lease rates, designations regarding 
alternative fuel, energy and sustainability mandates, all of which are 
used to produce the FAST Report. This end-of-year report is submitted 
jointly to the Department of Energy (DOE), the GSA, and the Idaho 
National Lab (INL). The FAST Report summarizes each vehicle's annual 
data with respect to fuel, mileage, maintenance, acquisition, and 
disposal. Second, FA is used by EPA's Fleet program management, 
regional and local staff, and support contractors as a standardized 
vehicle reservation system to reserve and utilize fleet vehicles for 
official agency business.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The categories of individuals covered by this system include EPA 
employees and EPA contractors.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Personally Identifiable Information (PII) collected includes: Last 
Name, First Name, Work Phone Number, Work Email Address, Driver's 
License Expiration Date, and Profile Picture.

RECORD SOURCE CATEGORIES:
    FA is a data management system that allows authorized EPA employees 
and contractors to store/maintain vehicle asset data and reserve agency 
vehicles across various programs/regions. PII information is collected 
directly from the user via an online registration form.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The routine uses below are both related to and compatible with the 
original purpose for which the information was collected. The following 
general routine uses apply to this system (86FR 62527): A, B, C, D, E, 
F, G, H, I, J, K, L, and M.
    The following additional routine use applies to this system:
    1. Per 40 CFR 102-34.335, information may be disclosed to the 
federal agency that maintains the Federal Automotive Statistical Tool 
(FAST) in connection with Federal Fleet Reporting. requirements and 
other required reporting.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    The information collected within FA is maintained and stored in a 
database hosted by the EPA National Computer Center (NCC) located at 
109 T.W. Alexander Drive, Research Triangle Park, NC 27711, per EPA 
Records Schedule 0090--Administrative Support Databases and EPA Records 
Schedule 1009--Motor Vehicles and Personal Property.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records for FA are retrievable by User ID and last name.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    FA complies with EPA Records Schedule 0090--Administrative Support 
Databases and EPA Records Schedule 1009--Motor Vehicles and Personal 
Property. Personnel information is retained for as long as the user or 
administrator determines necessary; generally, as long as the 
individual is employed by EPA and requires vehicle reservation access. 
If a person no longer needs to reserve a vehicle for agency business, 
their user information is deleted permanently, in accordance with EPA 
Records Schedule 1009. Vehicle data are stored for a minimum of 3 
years.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Security controls used to protect personal sensitive data in FA are 
commensurate with those required for an information system rated low 
for confidentiality, integrity, and availability, as prescribed in NIST 
Special Publication, 800-53, ``Security and Privacy Controls for 
Information Systems and Organizations,'' Revision 5.
    1. Administrative Safeguards: Personnel are required to complete 
annual agency Information Security and Privacy training. Personnel are 
instructed to lock their computers when they leave their desks.
    2. Technical Safeguards: Access to FA is restricted to authorized 
users via login by username and password. All application passwords are 
encrypted in the database. User passwords cannot be seen by the 
administrators. The application is web-based, and user sessions are 
encrypted.
    3. Physical Safeguards: Equipment used for hosting FA is in a 
secure facility. Access to the secure facility is logged and restricted 
to employees displaying valid identification badges.

[[Page 4592]]

Power to the facility is insured by both battery backup and diesel 
generator. Fire suppression systems are in place. The facility is 
staffed 24 hours a day, seven days a week.

RECORD ACCESS PROCEDURES:
    All requests for access to personal records should cite the Privacy 
Act of 1974 and reference the type of request being made (i.e., 
access). Requests must include: (1) The name and signature of the 
individual making the request; (2) the name of the Privacy Act system 
of records to which the request relates; (3) a statement whether a 
personal inspection of the records or a copy of them by mail is 
desired; and (4) proof of identity (e.g., driver's license, military 
identification card, employee badge or identification card). Additional 
identity verification procedures may be required, as warranted. 
Requests must meet the requirements of EPA regulations that implement 
the Privacy Act of 1974, at 40 CFR part 16. A full description of EPA's 
Privacy Act procedures for requesting access to records is available at 
40 CFR part 16.

CONTESTING RECORD PROCEDURES:
    Requests for correction or amendment must include: (1) The name and 
signature of the individual making the request; (2) the name of the 
Privacy Act system of records to which the request relates; (3) a 
description of the information sought to be corrected or amended and 
the specific reasons for the correction or amendment; and (4) proof of 
identity A full description of EPA's Privacy Act procedures for the 
correction or amendment of a record is included in EPA's Privacy Act 
regulations at 40 CFR part 16.

NOTIFICATION PROCEDURES:
    Individuals who wish to be informed whether a Privacy Act system of 
records maintained by EPA contains any record pertaining to them, 
should make a written request to the EPA, Attn: Agency Privacy Officer, 
MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or by email 
at: [email protected]. A full description of EPA's Privacy Act procedures 
is included in EPA's Privacy Act regulations at 40 CFR part 16.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    86 FR 10955 (February 23, 2021).


Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2022-01733 Filed 1-27-22; 8:45 am]
BILLING CODE 6560-50-P