[Federal Register Volume 87, Number 32 (Wednesday, February 16, 2022)]
[Notices]
[Pages 8838-8840]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-03347]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-9368-01-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support (OMS), Environmental Protection 
Agency (EPA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Environmental Protection Agency's (EPA) Office of 
Acquisition Solutions is giving notice that it proposes to modify a 
system of records pursuant to the provisions of the Privacy Act of 
1974. EPA's Acquisition System (EAS) is an automated contract writing 
and management system with configurable workflow used to initiate, 
award, modify, and track acquisition actions for the procurement of 
goods and services. The system of records notice for EPA Acquisition 
System (EAS) is being modified to reflect that the system is now hosted 
and data stored in Unison's Amazon Web Services (AWS) cloud hosting 
environment, which is Federal Risk and Authorization Management Program 
(FedRAMP) authorized.

DATES: Persons wishing to comment on this system of records notice must 
do so by March 18, 2022.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2020-0210, by one of the following methods:
    Federal eRulemaking Portal: https://www.regulations.gov Follow the 
online instructions for submitting comments.
    Email: [email protected]. Include the Docket ID number in the 
subject line of the message.
    Fax: 202-566-1752.
    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.

[[Page 8839]]

    Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2020-0210. The EPA policy is that all comments received will be 
included in the public docket without change and may be made available 
online at https://www.regulations.gov, including any personal 
information provided, unless the comment includes information claimed 
to be Controlled Unclassified Information (CUI) or other information 
for which disclosure is restricted by statute. Do not submit 
information that you consider to be CUI or otherwise protected through 
https://www.regulations.gov. The https://www.regulations.gov website is 
an ``anonymous access'' system for EPA, which means the EPA will not 
know your identity or contact information unless you provide it in the 
body of your comment. Each agency determines submission requirements 
within their own internal processes and standards. EPA has no 
requirement to include personal information. If you send an email 
comment directly to the EPA without going through https://www.regulations.gov your email address will be automatically captured 
and included as part of the comment that is placed in the public docket 
and made available on the internet. If you submit an electronic 
comment, the EPA recommends that you include your name and other 
contact information in the body of your comment. If the EPA cannot read 
your comment due to technical difficulties and cannot contact you for 
clarification, the EPA may not be able to consider your comment. 
Electronic files should avoid the use of special characters, any form 
of encryption, and be free of any defects or viruses. For additional 
information about the EPA public docket, visit the EPA Docket Center 
homepage at https://www.epa.gov/dockets.
    Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically in https://www.regulations.gov or in hard copy at the 
OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution 
Ave. NW, Washington, DC 20460.

Temporary Hours During COVID-19

    Out of an abundance of caution for members of the public and our 
staff, the EPA Docket Center and Reading Room are closed to the public, 
with limited exceptions, to reduce the risk of transmitting COVID-19. 
Our Docket Center staff will continue to provide remote customer 
service via email, phone, and webform. We encourage the public to 
submit comments via https://www.regulations.gov or email, as there may 
be a delay in processing mailand faxes. Hand deliveries and couriers 
may be received by scheduled appointment only. For further information 
on EPA Docket Center services and the current status, please visit us 
online at https://www.epa.gov/dockets. The telephone number for the 
Public Reading Room is (202) 566-1744, and the telephone number for the 
OMS Docket is (202) 566-1752.

FOR FURTHER INFORMATION CONTACT: Please submit questions to Victor 
Rodriguez, [email protected], 202-564-2212 or Richard Belles, 
[email protected], 202-564-4339.

SUPPLEMENTARY INFORMATION: EAS is built using a commercial off-the-
shelf product called PRISM from Unison that includes a purchase request 
form and workflow. EAS is hosted, and its data stored, in Unison's AWS 
cloud hosting environment, which is FedRAMP authorized. EPA is moving 
applications like EAS to the cloud for scalability and improved 
security. EAS collects and stores personally identifiable information 
(PII) of EPA employees who initiate acquisition actions or are assigned 
to work on these actions. This information may include: Employee first 
name, last name, work email, work telephone number, and Local Area 
Network User Identification. This information is collected and used for 
internal EPA communication purposes and approval routing of the 
acquisition action. Privacy information is protected by limiting EAS 
access to authenticated users. Authentication is controlled using the 
agency's central authentication security controls.

SYSTEM NAME AND NUMBER:
    EPA Acquisition System (EAS), EPA-86.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Office of Acquisition Solutions, Environmental Protection Agency, 
Ronald Reagan Building, 1200 Pennsylvania Avenue NW, Washington, DC 
20460. EAS is hosted as a Software as a Service (SaaS) by Unison's 
Amazon Web Services (AWS) Cloud hosting environment which is FedRAMP 
authorized.

SYSTEM MANAGER(S):
    Kimberly Patrick, Director, Office of Acquisition Solutions, 
Environmental Protection Agency, Ronald Reagan Building, 1200 
Pennsylvania Avenue NW, Washington, DC 20460, [email protected], 
202-566-2605.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Executive Order 12072 (August 16, 1978); Federal Property and 
Administrative Services Act of 1949, 40 U.S.C. 121; Office of Federal 
Procurement Policy Act of 1974, 41 U.S.C. 1702.

PURPOSE(S) OF THE SYSTEM:
    EPA uses EAS to initiate, award, modify and track acquisition 
actions. EAS identifies employees who initiate acquisition actions or 
are assigned to work on these actions. Specifically, the system tracks 
the requisitioner, contract official, contract specialist, and 
approving officials for each acquisition action.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals covered are EPA employees including the: 
(a) EPA Project Officer, i.e., the individual who is responsible for 
the review and evaluation of the application or proposal and the 
monitoring of a resulting contract acquisition; (b) EPA Program 
Official, i.e., the individual who is responsible for review and 
approval of applications or proposals for funding; (c) EPA Budget 
Official, i.e., the individual who is responsible for certifying 
availability of funds for approved applications or proposals; (d) EPA 
Contracting Officer or Contract Specialist, i.e., individuals who are 
responsible for awarding and administering contracts, and (e) EPA 
Merit/Peer Reviewers, i.e., individuals who provide a written review or 
evaluation of the application or proposal to the EPA Project Officer.

CATEGORIES OF RECORDS IN THE SYSTEM:
    EAS collects EPA employee first name, last name, work email, work 
telephone, EPA employee ID and LAN User ID information. The system also 
collects other information required for the tracking or approval of a 
contract action including contract proposals, technical reviews by a 
peer reviewer, records of contract awards, financial data, and other 
information. EAS also collects Vendor Contact information including: 
Vendor Code, Legal Name, Data Universal Numbering System (DUNS) ID (a 9 
character identifier used for identifying the Vendor), Cage Code

[[Page 8840]]

(used to provide a standardized method of identifying a given facility 
at a specific location.), address, phone number, fax number, and email 
address.

RECORD SOURCE CATEGORIES:
    EAS collects EPA employee information from EPA's directory service. 
Contract proposals and vendor information are collected directly from 
the user via the Federal Government's System for Award Management 
(SAM).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The routine uses below are both related to and compatible with the 
original purpose for which the information was collected. The following 
general routine uses apply to this system (86 FR 62527): A, B, C, D, E, 
F, G, H, I, J, K, L, and M.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    These records are maintained electronically on computer storage 
devices located at Unison's Amazon Web Services (AWS) Cloud hosting 
environments (production and disaster recovery) which are Federal Risk 
and Authorization Management Program (FedRAMP) authorized. Backups will 
be maintained at production and disaster recovery sites, located at 
Unison's Amazon Web Services (AWS) Cloud hosting environments 
(production and disaster recovery). Computer records are maintained in 
a secure, password protected environment. Access to computer records is 
limited to those who have a need to know. All EAS user accounts are 
assigned permissions as needed based on their job functions. Permission 
level assignments will allow users access only to those functions for 
which they are authorized. All records are maintained in secure, 
access-controlled areas or buildings.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by the first name, last name and/or User ID 
of EPA employees or Vendor ID (DUNS codes) associated with contracts.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    EPA will retain and dispose of EAS records in accordance with the 
National Archives and Records Administration General Records Schedule 
and EPA Records Schedule 055--Contracts Management Systems. EAS records 
are retained for at least 6 years after contract closeout for non-
Superfund actions, and 30 years after contract closeout for Superfund 
site actions.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Security controls used to protect personally identifiable 
information in EAS are commensurate with those required for an 
information system rated moderate for confidentiality, integrity, and 
availability, as prescribed in NIST Special Publication, 800-53, 
``Security and Privacy Controls for Information Systems and 
Organizations,'' Revision 5.
    1. Administrative Safeguards: EPA personnel are required to 
complete annual agency Information Security and Privacy training. EPA 
personnel are instructed to lock their computers when they leave their 
desks.
    2. Technical Safeguards: Electronic records are maintained in a 
secure, password protected electronic system. EAS access is limited to 
authorized, authenticated users. All of the system's electronic 
communication utilizes Transport Layer Security (TLS) secure 
communication protocol for all transactions.
    3. Physical Safeguards: All records are maintained in secure, 
access-controlled areas or buildings.

RECORD ACCESS PROCEDURES:
    All requests for access to personal records should cite the Privacy 
Act of 1974 and reference the type of request being made (i.e., 
access). Requests must include: (1) The name and signature of the 
individual making the request; (2) the name of the Privacy Act system 
of records to which the request relates; (3) a statement whether a 
personal inspection of the records or a copy of them by mail is 
desired; and (4) proof of identity. A full description of EPA's Privacy 
Act procedures for requesting access to records is available at 40 CFR 
part 16.

CONTESTING RECORD PROCEDURES:
    Requests for correction or amendment must include: (1) The name and 
signature of the individual making the request; (2) the name of the 
Privacy Act system of records to which the request relates; (3) a 
description of the information sought to be corrected or amended and 
the specific reasons for the correction or amendment; and (4) proof of 
identity. A full description of EPA's Privacy Act procedures for the 
correction or amendment of a record are described in EPA's Privacy Act 
regulations at 40 CFR part 16.

NOTIFICATION PROCEDURES:
    Individuals who wish to be informed whether a Privacy Act system of 
records maintained by EPA contains any record pertaining to them, 
should make a written request to EPA, Attn: Agency Privacy Officer, MC 
2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, 
[email protected]. A full description of EPA's Privacy Act procedures is 
included in EPA's Privacy Act regulations at 40 CFR part 16.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    86 FR 10949 (February 23, 2021).

Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2022-03347 Filed 2-15-22; 8:45 am]
BILLING CODE 6560-50-P