[Federal Register Volume 87, Number 237 (Monday, December 12, 2022)]
[Notices]
[Pages 76036-76038]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-26903]
=======================================================================
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
[FRL-10299-01-OMS]
Privacy Act of 1974; System of Records
AGENCY: Office of Mission Support (OMS), Environmental Protection
Agency (EPA).
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: The U.S. Environmental Protection Agency's (EPA) Office of
Mission Support (OMS) is giving notice that it proposes to create a new
system of records pursuant to the provisions of the Privacy Act of
1974. EPA is creating the Enterprise Physical Access Control System
(ePACS) to collect and maintain employee and contractor information
that is used to determine suitability for physical access to EPA-
managed facilities and certain restricted areas within these
facilities.
DATES: Persons wishing to comment on this system of records notice must
do so by January 11, 2023.
Routine uses; for this new system of records will be effective
January 11, 2023.
ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2022-0847, by one of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov. Follow the
online instructions for submitting comments.
Email: [email protected]. Include the Docket ID number in the
subject line of the message.
Fax: (202) 566-1752.
Mail: OMS Docket, Environmental Protection Agency, Mail Code:
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334,
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are
only accepted during the Docket's normal hours of operation, and
special arrangements should be made for deliveries of boxed
information.
Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2022-0847. The EPA's policy is that all comments received will be
included in the public docket without change and may be made available
online at https://www.regulations.gov, including any personal
information provided, unless the comment includes information claimed
to be Controlled Unclassified Information (CUI) or other information
for which disclosure is restricted by statute. Do not submit
information that
[[Page 76037]]
you consider to be CUI or otherwise protected through https://www.regulations.gov. The https://www.regulations.gov website is an
``anonymous access'' system for the EPA, which means the EPA will not
know your identity or contact information. If you submit an electronic
comment, the EPA recommends that you include your name and other
contact information in the body of your comment. If the EPA cannot read
your comment due to technical difficulties and cannot contact you for
clarification, the EPA may not be able to consider your comment. If you
send an email comment directly to the EPA without going through https://www.regulations.gov, your email address will be automatically captured
and included as part of the comment that is placed in the public docket
and made available on the internet. Electronic files should avoid the
use of special characters, any form of encryption, and be free of any
defects or viruses. For additional information about the EPA public
docket, visit the EPA Docket Center homepage at https://www.epa.gov/dockets.
Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some
information is not publicly available, e.g., CUI or other information
for which disclosure is restricted by statute. Certain other material,
such as copyrighted material, will be publicly available only in hard
copy. Publicly available docket materials are available either
electronically in https://www.regulations.gov or in hard copy at the
OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution
Ave. NW, Washington, DC 20460. The Public Reading Room is normally open
from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal
holidays. The telephone number for the Public Reading Room is (202)
566-1744, and the telephone number for the OMS Docket is (202) 566-
1752. Further information about EPA Docket Center services and current
operating status is available at https://www.epa.gov/dockets.
FOR FURTHER INFORMATION CONTACT:
James Cunningham, Information Technology (IT) Project Manager,
Office of Mission Support, Environmental Protection Agency, 1301
Constitution Ave. NW, Washington, DC 20460, [email protected].
Jackie Brown, Information System Security Officer, Office of
Mission Support, Environmental Protection Agency, 1301 Constitution
Ave. NW, Washington, DC 20460, [email protected].
SUPPLEMENTARY INFORMATION: Enterprise Physical Access Control System
(ePACS) comprises non-traditional IT hardware such as Personal Identity
Verification (PIV) card readers, control panels, closed circuit video
cameras, building intrusion detection sensors, alarm keypads, and
emergency door buttons that are tightly integrated into one ePACS
system that is centrally managed in a virtual server environment. An
employee or contractor must register their PIV card with ePACS. During
the registration process, the following information is collected and
stored in an ePACS centralized database: first name, last name, PIV
card serial number, image, expiration date, affiliation (employee or
contractor), and organization. Specific access clearances are then
granted to a PIV card credential which allows access to EPA buildings,
doors, rooms, elevators, and other physical access points. Information
collected each time the PIV card credential is used is stored in the
ePACS centralized database. This information assists EPA in monitoring
its facilities, buildings, and other physical access points to ensure
that only authorized personnel gain entry.
EPA is developing ePACS to comply with Homeland Security
Presidential Directive-12: Policy for a Common Identification Standard
for Federal Employees and Contractors (HSPD-12), and with the Office of
Management and Budget (OMB) Memorandum M-11-11 Continued Implementation
of HSPD-12. HSPD-12 mandates a government-wide standard for secure and
reliable forms of identification issued by the Federal Government to
its employees and contractors. M-11-11 requires use of a PIV credential
as the common means of authentication for access to Federally-
controlled facilities, networks, and information systems. To allow
physical entry to EPA-controlled facilities and logical access to EPA
information systems, ePACS uses PIV smartcard credentials issued to EPA
employees and contractors. A PIV smartcard links an individual's
identity to an identification credential that enables that person to
gain physical access to federally-controlled buildings and logical
access to information systems.
SYSTEM NAME AND NUMBER:
Enterprise Physical Access Control System (ePACS), EPA-99.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The system will be managed by the Office of Mission Support,
Environmental Protection Agency, 1301 Constitution Ave. NW, Washington,
DC 20460.
Electronically stored information is hosted at the EPA National
Computer Center (NCC), 109 TW Alexander Drive, Research Triangle Park,
Durham, NC 27711.
SYSTEM MANAGER(S):
Alexandria DeLaCruz-Matthews, Program Manager, Office of Mission
Support, Environmental Protection Agency, 1301 Constitution Ave. NW,
Washington, DC 20460, [email protected].
James Cunningham, IT Project Manager, Office of Mission Support,
Environmental Protection Agency, 1301 Constitution Ave. NW, Washington,
DC 20460, [email protected].
Jackie Brown, Information System Security Officer, Office of
Mission Support, Environmental Protection Agency, 1301 Constitution
Ave. NW, Washington, DC 20460, [email protected].
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Government Organization and Employees, 5 U.S.C. 301; Management of
buildings by Administrator of General Services, 40 U.S.C. 582; Lease
agreements, 40 U.S.C. 585; Public Buildings under the control of
Administrator of General Services, 40 U.S.C. 3101; Agency Chief
Information Officer, 40 U.S.C. 11315; Federal Information Security
Management Act of 2002, 44 U.S.C. 3501; 44 U.S.C. 3505, 44 U.S.C. 3506,
44 U.S.C. 3541; E-Government Act of 2002, 44 U.S.C. 101, Chapter 35;
Federal Information Processing Standards Publication (FIPS) 201-3,
Personal Identity Verification (PIV) of Federal Employees and
Contractors, and HSPD-12.
PURPOSE(S) OF THE SYSTEM:
The Agency will use the ePACS system to collect and maintain
information required for and related to authorized physical access to
all EPA-managed facilities and restricted areas within these facilities
across the United States.
Collection and maintenance of this information will help to:
1. Ensure the safety and security of Federal facilities, systems,
and information, and of facility occupants and users.
2. Provide for interoperability between systems and locations to
individuals entering EPA facilities.
3. Ensure that all personnel (employees and contractors) entering
[[Page 76038]]
EPA buildings have proper credentials and to protect against
unauthorized access. The information will also provide an audit trail
for investigations, if needed.
4. Allow logical access to Federal information systems, networks,
and resources on a government-wide basis.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
EPA employees, contractor employees, interns, and volunteers that
have valid credentials programmed for specific access points.
CATEGORIES OF RECORDS IN THE SYSTEM:
Full name, photographs, surveillance video recordings and camera
images, Full Cardholder Unique Identifier (CHUID), credential ID, PIV
card number, Public Key Infrastructure (PKI) certificate--(X509), Card
Authentication Key (CAK) certificate, person classification, badge
expiration date, card state, User Principal Name (UPN), Federal Agency
Smart Card Number (FASC-N), and Globally Unique Identifier (GUID).
RECORD SOURCE CATEGORIES:
ePACS obtains information from employees, contractor employees,
interns, and volunteers using their EPA PIV credential. This
information is stored in a secure ePACS database and updated when the
PIV credential is used at an access point. In addition, ePACS collects
information from video cameras and video recording devices located at
and within EPA facilities in the United States.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
The routine uses below are both related to and compatible with the
original purpose for which the information was collected. The following
general routine uses apply to this system (86 FR 62527): A, B, C, D, E,
F, G, H, I, J, K, L, and M.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are stored on secure servers within the ePACS Master and
Satellite Application Databases and can be accessed only by authorized
users over EPA secure intranet using encryption software. These records
are maintained electronically on computer storage devices located at
the U.S. EPA National Computer Center, 109 T.W. Alexander Drive,
Research Triangle Park, NC 27711.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Authorized user login/password credentials and administrative
privileges are required to access the ePACS software application. ePACS
records can only be accessed when logged in to the ePACS application
that pulls these records from the ePACS database. Records may be
retrieved by first name, last name, full name, email address, FACSN, or
Object ID Number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records are retained and disposed of in accordance with applicable
NARA retention schedules as well as EPA records schedules 089, 1008,
and 1012.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
PII is safeguarded and protected in conformance with all Federal
statutes and OMB requirements. Security controls used to protect
personal sensitive data in ePACS are commensurate with those required
for an information system rated MODERATE for confidentiality,
integrity, and availability, as prescribed in National Institute of
Standards and Technology (NIST) Special Publication, 800-53, ``Security
and Privacy Controls for Information Systems and Organizations,''
Revision 5.
1. Administrative Safeguards: Only authorized users are allowed
access to ePACS. Each authorized user must complete a background
investigation with favorable results, must be assigned to the
appropriate security group, acknowledge agency rules of behavior, and
complete annual privacy and security training. In addition, personnel
are instructed to lock their computers when they leave their desks.
2. Technical Safeguards: All ePACS user access is limited by role-
based restrictions. In addition, ePACS operators are required to enter
a valid username and password to gain access to the system. Individuals
granted access privileges are screened for proper credentials and added
to the appropriate Microsoft Windows security group based on their
Local Area Network account. EPA maintains an audit log trail for ePACS,
which accounts for all instances of users accessing the system. EPA
reviews audit logs periodically to identify any unauthorized access.
3. Physical Safeguards: All ePACS records are stored on database
servers located in secure, access-controlled buildings. ePACS database
and application servers are in access-controlled rooms that require PIV
credentials for access. Only authorized users are allowed access to
administrative accounts for ePACS application and database servers.
RECORD ACCESS PROCEDURES:
All requests for access to personal records should cite the Privacy
Act of 1974 and reference the type of request being made (i.e.,
access). Requests must include: (1) the name and signature of the
individual making the request; (2) the name of the Privacy Act system
of records to which the request relates; (3) a statement whether a
personal inspection of the records or a copy of them by mail is
desired; and (4) proof of identity. A full description of EPA's Privacy
Act procedures for requesting access to records is included in EPA's
Privacy Act regulations at 40 CFR part 16.
CONTESTING RECORD PROCEDURES:
Requests for correction or amendment must include: (1) the name and
signature of the individual making the request; (2) the name of the
Privacy Act system of records to which the request relates; (3) a
description of the information sought to be corrected or amended and
the specific reasons for the correction or amendment; and (4) proof of
identity. A full description of EPA's Privacy Act procedures for the
correction or amendment of a record is included in EPA's Privacy Act
regulations at 40 CFR part 16.
NOTIFICATION PROCEDURES:
Individuals who wish to be informed whether a Privacy Act system of
records maintained by EPA contains any record pertaining to them,
should make a written request to the EPA, Attn: Agency Privacy Officer,
MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or by email
at: [email protected]. A full description of EPA's Privacy Act procedures
is included in EPA's Privacy Act regulations at 40 CFR part 16.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2022-26903 Filed 12-9-22; 8:45 am]
BILLING CODE 6560-50-P