[Federal Register Volume 88, Number 44 (Tuesday, March 7, 2023)]
[Notices]
[Pages 14161-14163]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-04633]


=======================================================================
-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-10499-01-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support, Environmental Protection Agency 
(EPA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Environmental Protection Agency (EPA) is giving 
notice that it proposes to modify a system of records pursuant to the 
provisions of the Privacy Act of 1974. The Mass Alert Notification 
System (MANS) is being modified to update the system location, contact 
information, and record source categories, and to add one additional 
General Routine Use. The purpose of the system is to manage 
communications to agency personnel during critical events. EPA uses 
MANS for operational response to critical events to keep individuals 
safe and ensure continuity of business operations. During public safety 
threats such as active shooter situations, terrorist attacks, or severe 
weather conditions, as well as critical business events such as IT 
outages, cyber-attacks, or other incidents such as product recalls or 
supply-chain interruptions, customers rely on MANS to quickly and 
reliably aggregate and assess threat data, locate people at risk and 
responders able to assist, automate the execution of pre-defined 
communications processes, and track progress on executing incident 
response plans.

DATES: Persons wishing to comment on this system of records notice must 
do so by April 6, 2023. Routine uses for this modified system of 
records will be effective April 6, 2023.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OEI-2016-0235, by one of the following methods:
    Federal eRulemaking Portal: https://www.regulations.gov. Follow the 
online instructions for submitting comments.
    Email: [email protected]. Include the Docket ID number in the 
subject line of the message.
    Fax: (202) 566-1752.
    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-
2016-0235. The EPA's policy is that all comments received will be 
included in the public docket without change and may be made available 
online at https://www.regulations.gov, including any personal 
information provided, unless the comment includes information claimed 
to be Controlled Unclassified Information (CUI) or other information 
for which disclosure is restricted by

[[Page 14162]]

statute. Do not submit information that you consider to be CUI or 
otherwise protected through https://www.regulations.gov. The https://www.regulations.gov website is an ``anonymous access'' system for the 
EPA, which means the EPA will not know your identity or contact 
information. If you submit an electronic comment, the EPA recommends 
that you include your name and other contact information in the body of 
your comment. If the EPA cannot read your comment due to technical 
difficulties and cannot contact you for clarification, the EPA may not 
be able to consider your comment. If you send an email comment directly 
to the EPA without going through https://www.regulations.gov, your 
email address will be automatically captured and included as part of 
the comment that is placed in the public docket and made available on 
the internet. Electronic files should avoid the use of special 
characters, any form of encryption, and be free of any defects or 
viruses. For additional information about the EPA public docket, visit 
the EPA Docket Center homepage at https://www.epa.gov/dockets.
    Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically in https://www.regulations.gov or in hard copy at the 
OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution 
Ave. NW, Washington, DC 20460. The Public Reading Room is normally open 
from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal 
holidays. The telephone number for the Public Reading Room is (202) 
566-1744, and the telephone number for the OMS Docket is (202) 566-
1752. Further information about EPA Docket Center services and current 
operating status is available at https://www.epa.gov/dockets.

FOR FURTHER INFORMATION CONTACT: Tiye Houston, Physical Security and 
Preparedness Branch, Security Management Division, (202) 564-1787.

SUPPLEMENTARY INFORMATION: EPA uses MANS to disseminate emergency 
alerts and notification information rapidly and effectively to EPA 
personnel, contractors, grantees, consultants, volunteers, and other 
support staff, and their emergency contacts. The MANS system of records 
is being modified to (1) update the system location to reflect the 
correct system location (i.e., Amazon Web Services cloud), (2) update 
the ``system manager(s)'' section to include the current system manager 
of MANS, (3) update the General Routine Uses to add routine use M, and 
(4) update the ``record source categories'' section to include the 
current records sources.

SYSTEM NAME AND NUMBER:
    Mass Alert and Notification Systems (MANS), EPA-44.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The EPA component responsible for the system is the Office of 
Mission Support, Environmental Protection Agency, 1301 Constitution 
Ave. NW, Washington, DC 20460. Records are cloud hosted at the third-
party service provider Amazon Web Services US East (Northern Virginia) 
and US West (Oregon, Northern California) data centers.

SYSTEM MANAGER(S):
    Director, Security Management Division, Office of Administration, 
Office of Mission Support, William Jefferson Clinton North Building, 
Suite B400, 1200 Pennsylvania Avenue NW, Washington, DC 20460.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    42 U.S.C. 5121 et seq.; Executive Order 12656 (Nov. 18, 1989); 
Federal Continuity Directive 1 (2012).

PURPOSE(S) OF THE SYSTEM:
    To contact EPA personnel, contractors, grantees, consultants, 
volunteers, and other support staff who have an active EPA 
identification badge or are in the process of obtaining an EPA 
identification badge, for the purposes of providing emergency alerts 
and notifications and conducting accountability activities in support 
of affected persons following an emergency, or, as a means to account 
for EPA employees, contractors, grantees, consultants, and any other 
support staff personnel following an emergency event. Records may also 
be used for mass alert and notification system test, drill, and 
exercise evolutions. This system will provide EPA with the ability to 
disseminate emergency alerts and notification information rapidly and 
effectively to EPA personnel and their emergency contacts.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    EPA personnel, contractors, grantees, consultants, volunteers, and 
any other support staff personnel.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Personnel information includes first name, last name, middle 
initial, office location, scope of the record subject's 
responsibilities, work email address, work telephone number and work 
mobile telephone number, work short message service (SMS) (texting) and 
work telephone typewriter, teletypewriter, or text phone/
Telecommunications Device for the Deaf (TTY/TDD). Records are from 
various communications mediums such as telephones, emails, and SMS. 
Record subjects have the option to add their own personal contact 
information voluntarily and securely, and emergency contact(s), 
including home address, personal email address(es), home telephone 
number(s) and personal mobile telephone number(s), short message 
service (SMS) (texting), telephone typewriter, teletypewriter, or text 
phone/Telecommunications Device for the Deaf (TTY/TDD) by establishing 
a personal account on the MANS web-portal.

RECORD SOURCE CATEGORIES:
    Records contained in this system of records are obtained from 
individuals including: EPA personnel, contractors, grantees, 
consultants, volunteers and any other support staff personnel. Records 
contained in this system of records are obtained from the following EPA 
systems: Human Resources Line of Business (HR LoB), EPA 
Telecommunication Detail Records, and Personnel Security System (PSS) 
2.0.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The routine uses below are both related to and compatible with the 
original purpose for which the information was collected. The following 
general routine uses apply to this system (86 FR 62527): A, E, F, G, H, 
K, L, and M.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    These records are maintained electronically on computer storage 
devices managed by Amazon Web Services, located in US East (Northern 
Virginia) and US West (Oregon, Northern California) data centers.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information will be retrieved primarily by employee name.

[[Page 14163]]

Information may also be retrieved by any collected data element.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records stored in this system are subject to EPA's records schedule 
1012, Information Technology Management. Records are kept as long as 
the record subject is affiliated with EPA.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Security controls used to protect personal sensitive data in MANS 
are commensurate with those required for an information system rated 
MODERATE for confidentiality, integrity, and availability, as 
prescribed in National Institute of Standards and Technology (NIST) 
Special Publication, 800-53, ``Security and Privacy Controls for 
Information Systems and Organizations,'' Revision 5.
    1. Administrative Safeguards: The MANS cloud service provider and 
EPA information security and privacy policies require all employees and 
contractors to take security awareness training on an annual basis. All 
personnel are instructed to lock their computers when they leave their 
desks.
    2. Technical Safeguards: MANS is a cloud-based Software-as-a-
Service platform that is designed to be accessed over the internet. All 
remote communication must be encrypted, and all users are required to 
be authorized. Access control policy does not permit shared account 
credentials within the cloud environment. Each user is assigned unique 
credentials and can only access the cloud environment using their 
assigned unique credentials. Group accounts are explicitly disabled. 
MANS customers and personnel are prohibited from sharing accounts. MANS 
also implements session timeout period after 15 minutes of user 
inactivity. Non-privileged users do not have the capability to perform 
privileged functions. Access to the system is restricted to a limited 
number of authorized users with the appropriate security clearances and 
password permissions. Access to the system is further limited by user 
type. System administrators have full access to the tool suite, 
including the ability to perform administrative functions. Other users 
have limited access particularized to the specific functions and data 
they need to perform. This access is controlled by a series of 
permissions within dedicated workspaces/databases for each specific 
request. Authorized users include federal and contract staff located 
throughout the country.
    3. Physical Safeguards: The system is maintained in secure areas 
and buildings with physical access controls.

RECORD ACCESS PROCEDURES:
    All requests for access to personal records should cite the Privacy 
Act of 1974 and reference the type of request being made (i.e., 
access). Requests must include: (1) the name and signature of the 
individual making the request; (2) the name of the Privacy Act system 
of records to which the request relates; (3) a statement whether a 
personal inspection of the records or a copy of them by mail is 
desired; and (4) proof of identity. A full description of EPA's Privacy 
Act procedures for requesting access to records is included in EPA's 
Privacy Act regulations at 40 CFR part 16.

CONTESTING RECORD PROCEDURES:
    Requests for correction or amendment must include: (1) the name and 
signature of the individual making the request; (2) the name of the 
Privacy Act system of records to which the request relates; (3) a 
description of the information sought to be corrected or amended and 
the specific reasons for the correction or amendment; and (4) proof of 
identity. A full description of EPA's Privacy Act procedures for the 
correction or amendment of a record is included in EPA's Privacy Act 
regulations at 40 CFR part 16.

NOTIFICATION PROCEDURES:
    Individuals who wish to be informed whether a Privacy Act system of 
records maintained by EPA contains any record pertaining to them, 
should make a written request to the EPA, Attn: Agency Privacy Officer, 
MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or by email 
at: [email protected]. A full description of EPA's Privacy Act procedures 
is included in EPA's Privacy Act regulations at 40 CFR part 16.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    81 FR 76580 (November 3, 2016).

Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2023-04633 Filed 3-6-23; 8:45 am]
BILLING CODE 6560-50-P