[Federal Register Volume 88, Number 106 (Friday, June 2, 2023)]
[Notices]
[Pages 36272-36274]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-11753]


 ========================================================================
 Notices
                                                 Federal Register
 ________________________________________________________________________
 
 This section of the FEDERAL REGISTER contains documents other than rules 
 or proposed rules that are applicable to the public. Notices of hearings 
 and investigations, committee meetings, agency decisions and rulings, 
 delegations of authority, filing of petitions and applications and agency 
 statements of organization and functions are examples of documents 
 appearing in this section.
 
 ========================================================================
 

  Federal Register / Vol. 88, No. 106 / Friday, June 2, 2023 / 
Notices  

[[Page 36272]]



DEPARTMENT OF AGRICULTURE


Privacy Act of 1974; System of Records

AGENCY: Office of the Safety, Security, and Protection, USDA.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended, and 
Office of Management and Budget Circular No. A-108 Federal Agency 
Responsibilities for Review, Reporting, and Publication under the 
Privacy Act, the U.S. Department of Agriculture (USDA) proposes a new 
system of records, USDA/OSSP-1, the Enterprise Physical Access Control 
System (ePACS). The Office of the Safety, Security, and Protections 
maintains ePACS, which contains the information required to control 
physical access to USDA managed facilities and restricted areas within 
the facilities in all regions across the United States. The notice also 
conveys the system location, categories of records, routine uses (one 
of which permits records to be provided to the National Archives and 
Records Administration), storage, safeguards, retention and disposal, 
system manager and address, notification procedures, records access, 
and contesting procedures.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11) this notice is 
applicable upon publication; subject to a 30-day notice and comment 
period in which to comment on the routine uses described in the routine 
uses section of this system of records notice. Please submit any 
comments by July 3, 2023.

ADDRESSES: Comments may be submitted by one of the following methods:

--Federal eRulemaking Portal: This website provides the ability to type 
short comments directly into the comment field on this web page or 
attach a file for lengthier comments. Go to https://www.regulations.gov. Follow the on-line instructions at that site for 
submitting comments.
--Postal Mail/Commercial Delivery: Office of Safety, Security and 
Protection, 1400 Independence Ave. SW, Washington, DC 20250.
    Instructions: All items submitted by mail or electronic mail must 
include the Agency name and docket number USDA-2021-13. Comments 
received in response to this docket will be made available for public 
inspection and posted without change, including any personal 
information, to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: For general questions, please contact 
Samuel Willis, System Owner/Manager, Office of Safety, Security and 
Protection, 1400 Independence Avenue SW, Washington, DC 20250, (833) 
682-4675.
    For Privacy Act questions concerning this system of records notice, 
please contact Michele Washington, USDA, Departmental Administration 
Information Technology Office, Office of the Chief Information Officer 
United States Department of Agriculture (202) 577-8021.
    For general USDA Privacy Act questions, please contact the USDA 
Chief Privacy Officer, Information Security Center, Office of Chief 
Information Officer, USDA, Jamie L. Whitten Building, 1400 Independence 
Ave. SW, Washington, DC 20250; email: [email protected].

SUPPLEMENTARY INFORMATION: USDA is proposing to establish a new system 
of records notice entitled USDA/OSSP-1, the Enterprise Physical Access 
Control System (ePACS). The primary purpose of this system is to 
collect data required to manage physical access to USDA operated 
facilities and restricted areas within the facilities in all regions 
across the United States. This system maintains individuals' personal 
individual verification (PIV) information to support the USDA's efforts 
related to protecting USDA facilities and operating the USDA visitor 
management program. Efforts have been made to safeguard records in 
accordance with applicable rules and policies, including all applicable 
USDA automated systems security and access policies. Strict controls 
have been imposed to minimize the risk of compromising the information 
that is being stored. Access to the computer system containing the 
records in this system is limited to those individuals who have a need 
to know the information for the performance of their official duties 
and who have appropriate clearances or permissions.

SYSTEM NAME AND NUMBER:
    USDA/OSSP-1, Enterprise Physical Access Control System (ePACS)

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The ePACS is maintained and physically located at USDA's Digital 
Infrastructure Services Center at 8930 Ward Parkway, Kansas City, 
Missouri 64114.

SYSTEM MANAGER(S):
    Director, Facility Protection Division, Office of Safety, Security, 
and Protection,1400 Independence Avenue SW, Washington, DC 20250, (202) 
260-8930.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    Homeland Security Presidential Directive-12 (HSPD-12), Departmental 
Physical Security Program, DR 1650-001, December 9, 2021, and Authority 
to Operate (ATO), 06/07/2022.

PURPOSE(S) OF THE SYSTEM:
    The ePACS provides a centralized infrastructure for the use of the 
USDA standard personal individual verification (PIV) card for access to 
federally controlled facilities as mandated by HSPD-12. The ePACS 
provides a means for USDA Agencies to deploy electronic access control 
to its facilities; supports the mitigation of identified threats and 
vulnerabilities; and ensures that unauthorized individuals do not have 
access to critical USDA assets. Incorporated into ePACS is the Visitor 
Management System (VMS), which allows visitors to log into a website 
and request to visit USDA locations where VMS is implemented.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals covered by this system include 
individuals with electronic facility physical access credentials 
including USDA employees, contractor employees, building

[[Page 36273]]

occupants, interns, visitors, and volunteers.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Categories of records in the system consists of records created for 
individuals to obtain electronic facility access credentials as well as 
temporary badges for facility access. The ePACS generally handles 
physical access security management information including physical 
access card status, physical access card category, physical access card 
expiration date, and physical access card holder emergency response 
responsibilities.
    The data stored in ePACS includes: Federal Agency Smart Credential 
Number (FASC-N), Card Category, Card Status, Card Expiration Date, 
Photo, First Name, Middle Name, Last Name, Employee type, Employee 
Status, Emergency Responder, Department, Agency, Sub-agency, City, 
State, date of birth, and entry and exit date and time.

RECORD SOURCE CATEGORIES:
    Information in this system is obtained from an official Department 
information technology system and is loaded into the system of records 
from the following source system: the Department's system of records 
entitled USDA/OCIO-2, eAuthentication Service--71 FR 42346--July 26, 
2006, USDA/OCIO-2, eAuthentication Service (eAuth)--77 FR 15024--March 
14, 2012, USDA/OCIO-2 eAuthentication Service--82 FR 8503--January 26, 
2017.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act of 1974, records contained in this system 
may be disclosed outside USDA as a routine use pursuant to 5 U.S.C. 
552a(b)(3), to the extent that such uses are compatible with the 
purposes for which the information was collected. Such permitted 
routine uses include the following:
    A. To the Department of Justice (DOJ) when: (a) USDA or any 
component thereof; or (b) any employee of USDA in his or her official 
capacity where the Department of Justice has agreed to represent the 
employee; or (c) the United States Government, is a party to litigation 
or has an interest in such litigation, and USDA determines that the 
records are both relevant and necessary to the litigation and the use 
of such records by the Department of Justice is deemed by USDA to be 
for a purpose that is compatible with the purpose for which USDA 
collected the records.
    B. To a Congressional Office in response to an inquiry from that 
Congressional Office made at the written request of the individual 
about whom the record pertains.
    C. To the National Archives and Records Administration (NARA) or 
other Federal Government agencies pursuant to records management 
activities being conducted under 44 U.S.C. 2904 and 2906.
    To appropriate agencies, entities, and persons when (1) USDA 
suspects or has confirmed that the security or confidentiality of 
information in the system of records has been compromised; (2) USDA has 
determined that as a result of the suspected or confirmed breach, there 
is a risk of harm to individuals, USDA (including its information 
systems, programs, and operations), the Federal Government, or national 
security; and (3) the disclosure to such agencies, entities, and 
persons is reasonably necessary to assist in connection with USDA's 
efforts to respond to the suspected or confirmed compromise and 
prevent, minimize, or remedy such harm; or to another Federal agency or 
Federal entity, when information from this system of records is 
reasonably necessary to assist the recipient agency or entity in (1) 
responding to a suspected or confirmed breach; or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the agency 
(including its information systems, programs, and operations), the 
Federal Government, or national security.
    When a record on its face, or in conjunction with other records, 
indicates a violation or potential violation of law, whether civil, 
criminal or regulatory in nature, and whether arising by general 
statute or particular program, statute, or by regulation, rule, or 
order issued pursuant thereto, disclosure may be made to the 
appropriate Federal, State, local, foreign, Tribal, or other public 
authority responsible for enforcing, investigating, or prosecuting such 
violation or charged with enforcing or implementing the statute, or 
rule, regulation, or order issued pursuant thereto, if the information 
disclosed is relevant to any enforcement, regulatory, investigative or 
prosecutive responsibility of the receiving entity. Referral to the 
appropriate agency, whether Federal, State, local, or foreign, charged 
with the responsibility of investigating or prosecuting violation of 
law, or of enforcing or implementing a statute, rule, regulation, or 
order issued pursuant thereto, of any record within this system when 
information available indicates a violation or potential violation of 
law, whether civil, criminal, or regulatory in nature.
    D. To a court or adjudicative body in a proceeding when: (a) USDA 
or any component thereof; or (b) any employee of USDA in his or her 
official capacity; or (c) any employee of USDA in his or her individual 
capacity where USDA has agreed to represent the employee; or the United 
States Government is a party to litigation or has an interest in such 
litigation, and USDA determines that the records are both relevant and 
necessary to the litigation, and that use of such records is therefore 
deemed by USDA to be for a purpose that is compatible with the purpose 
for which USDA collected the records.
    To contractors and their agents, grantees, experts, consultants, 
and others performing or working on a contract, service, grant, 
cooperative agreement, or other assignment for the USDA, when necessary 
to accomplish an agency function related to this system of records. 
Individuals providing information under this routine use are subject to 
the same Privacy Act requirements and limitations on disclosure as are 
applicable to USDA officers and employees.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored on encrypted servers within a secured and 
controlled environment. Records backup storage is maintained by the 
USDA's Digital Infrastructure Services Center (DISC) in a virtual tape 
library at the USDA's DISC facility in Kansas City, MO. Copies of the 
backup records are maintained at the USDA DISC facility in St. Louis, 
MO. The ePACS has no hardcopy paper records that require storage.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records are retrieved by a combination of name and date range.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records compiled under this SORN will be maintained in accordance 
with NARA General Records Schedule (GRS) Transmittal 32 issued March 
2022, Items 110 and 120, and NARA records retention schedules DAA-
GRS2017-0006-0014, and DAA-GRS2021-0001-0005, to the extent applicable. 
Records may be retained for a longer period as required by litigation, 
investigation, and/or audit. A master file backup is created at the end 
of the calendar year and maintained in St. Louis, Mo. The St. Louis 
offsite storage site is located approximately 250 miles from the 
primary data facility and is not susceptible to the same hazards.

[[Page 36274]]

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records in this system are safeguarded by restricting 
accessibility, in accordance with USDA security and access policies. 
The safeguarding includes secured severs, firewall(s), network 
protection, and an encrypted password. Each user is assigned a level of 
role-based access, which is strictly controlled and granted through 
USDA-approved, secure application (after the user has successfully 
completed the Government National Agency Check with Inquiries (NACI) 
investigation).
    Physical security measures are in place to prevent unauthorized 
persons from accessing ePACS as only government furnished equipment is 
allowed. The ePACS users are also required to complete appropriate 
training to learn requirements for safeguarding records maintained 
under the Privacy Act. USDA's Digital Infrastructure Services Center 
(DISC) safeguards records and ensures that privacy requirements are met 
in accordance with Federal and cyber security mandates. DISC provides 
continuous storage management, encryption, security administration, 
regular dataset backups, and contingency planning/disaster recovery.

RECORD ACCESS PROCEDURES:
    Individuals seeking to gain access to a record in this system of 
records, must contact the system manager at the address listed above 
and provide the system manager with the necessary particulars such as 
full name, date of birth, work address, country of citizenship. 
Requesters must also reasonably specify the record contents sought. The 
request must meet the requirements of the regulations at 34 CFR 5b.5, 
including proof of identity. All requests for access to records must be 
in writing and should be submitted to the system manager at the address 
listed above. A determination whether a record may be accessed will be 
made at the time a request is received. All inquiries should be 
addressed in accordance with the ``Notification Procedures'' below.

CONTESTING RECORD PROCEDURES:
    Individuals seeking to contest or amend information maintained in 
the system should direct their request to the above listed System 
Manager and should include the reason for contesting it and the 
proposed amendment to the information with supporting information to 
show how the record is inaccurate. A request for contesting records 
should contain: Name, address including zip code, name of the system of 
records, year of records in question, and any other pertinent 
information to help identify the data requested.

NOTIFICATION PROCEDURES:
    Any individual may request information regarding this system of 
records, or information as to whether the system contains records 
pertaining to the individual, from the System Manager listed above: See 
RECORD ACCESS PROCEDURES.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

Samuel Willis,
Director--Facility Protection Division, Office of Safety, Security and 
Protection, Departmental Administration, United States Department of 
Agriculture.
[FR Doc. 2023-11753 Filed 6-1-23; 8:45 am]
BILLING CODE 3410-98-P