[Federal Register Volume 88, Number 106 (Friday, June 2, 2023)]
[Notices]
[Pages 36272-36274]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-11753]
�========================================================================
�Notices
� Federal Register
�________________________________________________________________________
�
�This section of the FEDERAL REGISTER contains documents other than rules
�or proposed rules that are applicable to the public. Notices of hearings
�and investigations, committee meetings, agency decisions and rulings,
�delegations of authority, filing of petitions and applications and agency
�statements of organization and functions are examples of documents
�appearing in this section.
�
�========================================================================
�
��Federal Register / Vol. 88, No. 106 / Friday, June 2, 2023 /
Notices��
[[Page 36272]]
DEPARTMENT OF AGRICULTURE
Privacy Act of 1974; System of Records
AGENCY: Office of the Safety, Security, and Protection, USDA.
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, as amended, and
Office of Management and Budget Circular No. A-108 Federal Agency
Responsibilities for Review, Reporting, and Publication under the
Privacy Act, the U.S. Department of Agriculture (USDA) proposes a new
system of records, USDA/OSSP-1, the Enterprise Physical Access Control
System (ePACS). The Office of the Safety, Security, and Protections
maintains ePACS, which contains the information required to control
physical access to USDA managed facilities and restricted areas within
the facilities in all regions across the United States. The notice also
conveys the system location, categories of records, routine uses (one
of which permits records to be provided to the National Archives and
Records Administration), storage, safeguards, retention and disposal,
system manager and address, notification procedures, records access,
and contesting procedures.
DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11) this notice is
applicable upon publication; subject to a 30-day notice and comment
period in which to comment on the routine uses described in the routine
uses section of this system of records notice. Please submit any
comments by July 3, 2023.
ADDRESSES: Comments may be submitted by one of the following methods:
--Federal eRulemaking Portal: This website provides the ability to type
short comments directly into the comment field on this web page or
attach a file for lengthier comments. Go to https://www.regulations.gov. Follow the on-line instructions at that site for
submitting comments.
--Postal Mail/Commercial Delivery: Office of Safety, Security and
Protection, 1400 Independence Ave. SW, Washington, DC 20250.
Instructions: All items submitted by mail or electronic mail must
include the Agency name and docket number USDA-2021-13. Comments
received in response to this docket will be made available for public
inspection and posted without change, including any personal
information, to https://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: For general questions, please contact
Samuel Willis, System Owner/Manager, Office of Safety, Security and
Protection, 1400 Independence Avenue SW, Washington, DC 20250, (833)
682-4675.
For Privacy Act questions concerning this system of records notice,
please contact Michele Washington, USDA, Departmental Administration
Information Technology Office, Office of the Chief Information Officer
United States Department of Agriculture (202) 577-8021.
For general USDA Privacy Act questions, please contact the USDA
Chief Privacy Officer, Information Security Center, Office of Chief
Information Officer, USDA, Jamie L. Whitten Building, 1400 Independence
Ave. SW, Washington, DC 20250; email: [email protected].
SUPPLEMENTARY INFORMATION: USDA is proposing to establish a new system
of records notice entitled USDA/OSSP-1, the Enterprise Physical Access
Control System (ePACS). The primary purpose of this system is to
collect data required to manage physical access to USDA operated
facilities and restricted areas within the facilities in all regions
across the United States. This system maintains individuals' personal
individual verification (PIV) information to support the USDA's efforts
related to protecting USDA facilities and operating the USDA visitor
management program. Efforts have been made to safeguard records in
accordance with applicable rules and policies, including all applicable
USDA automated systems security and access policies. Strict controls
have been imposed to minimize the risk of compromising the information
that is being stored. Access to the computer system containing the
records in this system is limited to those individuals who have a need
to know the information for the performance of their official duties
and who have appropriate clearances or permissions.
SYSTEM NAME AND NUMBER:
USDA/OSSP-1, Enterprise Physical Access Control System (ePACS)
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The ePACS is maintained and physically located at USDA's Digital
Infrastructure Services Center at 8930 Ward Parkway, Kansas City,
Missouri 64114.
SYSTEM MANAGER(S):
Director, Facility Protection Division, Office of Safety, Security,
and Protection,1400 Independence Avenue SW, Washington, DC 20250, (202)
260-8930.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Homeland Security Presidential Directive-12 (HSPD-12), Departmental
Physical Security Program, DR 1650-001, December 9, 2021, and Authority
to Operate (ATO), 06/07/2022.
PURPOSE(S) OF THE SYSTEM:
The ePACS provides a centralized infrastructure for the use of the
USDA standard personal individual verification (PIV) card for access to
federally controlled facilities as mandated by HSPD-12. The ePACS
provides a means for USDA Agencies to deploy electronic access control
to its facilities; supports the mitigation of identified threats and
vulnerabilities; and ensures that unauthorized individuals do not have
access to critical USDA assets. Incorporated into ePACS is the Visitor
Management System (VMS), which allows visitors to log into a website
and request to visit USDA locations where VMS is implemented.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Categories of individuals covered by this system include
individuals with electronic facility physical access credentials
including USDA employees, contractor employees, building
[[Page 36273]]
occupants, interns, visitors, and volunteers.
CATEGORIES OF RECORDS IN THE SYSTEM:
Categories of records in the system consists of records created for
individuals to obtain electronic facility access credentials as well as
temporary badges for facility access. The ePACS generally handles
physical access security management information including physical
access card status, physical access card category, physical access card
expiration date, and physical access card holder emergency response
responsibilities.
The data stored in ePACS includes: Federal Agency Smart Credential
Number (FASC-N), Card Category, Card Status, Card Expiration Date,
Photo, First Name, Middle Name, Last Name, Employee type, Employee
Status, Emergency Responder, Department, Agency, Sub-agency, City,
State, date of birth, and entry and exit date and time.
RECORD SOURCE CATEGORIES:
Information in this system is obtained from an official Department
information technology system and is loaded into the system of records
from the following source system: the Department's system of records
entitled USDA/OCIO-2, eAuthentication Service--71 FR 42346--July 26,
2006, USDA/OCIO-2, eAuthentication Service (eAuth)--77 FR 15024--March
14, 2012, USDA/OCIO-2 eAuthentication Service--82 FR 8503--January 26,
2017.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b) of the Privacy Act of 1974, records contained in this system
may be disclosed outside USDA as a routine use pursuant to 5 U.S.C.
552a(b)(3), to the extent that such uses are compatible with the
purposes for which the information was collected. Such permitted
routine uses include the following:
A. To the Department of Justice (DOJ) when: (a) USDA or any
component thereof; or (b) any employee of USDA in his or her official
capacity where the Department of Justice has agreed to represent the
employee; or (c) the United States Government, is a party to litigation
or has an interest in such litigation, and USDA determines that the
records are both relevant and necessary to the litigation and the use
of such records by the Department of Justice is deemed by USDA to be
for a purpose that is compatible with the purpose for which USDA
collected the records.
B. To a Congressional Office in response to an inquiry from that
Congressional Office made at the written request of the individual
about whom the record pertains.
C. To the National Archives and Records Administration (NARA) or
other Federal Government agencies pursuant to records management
activities being conducted under 44 U.S.C. 2904 and 2906.
To appropriate agencies, entities, and persons when (1) USDA
suspects or has confirmed that the security or confidentiality of
information in the system of records has been compromised; (2) USDA has
determined that as a result of the suspected or confirmed breach, there
is a risk of harm to individuals, USDA (including its information
systems, programs, and operations), the Federal Government, or national
security; and (3) the disclosure to such agencies, entities, and
persons is reasonably necessary to assist in connection with USDA's
efforts to respond to the suspected or confirmed compromise and
prevent, minimize, or remedy such harm; or to another Federal agency or
Federal entity, when information from this system of records is
reasonably necessary to assist the recipient agency or entity in (1)
responding to a suspected or confirmed breach; or (2) preventing,
minimizing, or remedying the risk of harm to individuals, the agency
(including its information systems, programs, and operations), the
Federal Government, or national security.
When a record on its face, or in conjunction with other records,
indicates a violation or potential violation of law, whether civil,
criminal or regulatory in nature, and whether arising by general
statute or particular program, statute, or by regulation, rule, or
order issued pursuant thereto, disclosure may be made to the
appropriate Federal, State, local, foreign, Tribal, or other public
authority responsible for enforcing, investigating, or prosecuting such
violation or charged with enforcing or implementing the statute, or
rule, regulation, or order issued pursuant thereto, if the information
disclosed is relevant to any enforcement, regulatory, investigative or
prosecutive responsibility of the receiving entity. Referral to the
appropriate agency, whether Federal, State, local, or foreign, charged
with the responsibility of investigating or prosecuting violation of
law, or of enforcing or implementing a statute, rule, regulation, or
order issued pursuant thereto, of any record within this system when
information available indicates a violation or potential violation of
law, whether civil, criminal, or regulatory in nature.
D. To a court or adjudicative body in a proceeding when: (a) USDA
or any component thereof; or (b) any employee of USDA in his or her
official capacity; or (c) any employee of USDA in his or her individual
capacity where USDA has agreed to represent the employee; or the United
States Government is a party to litigation or has an interest in such
litigation, and USDA determines that the records are both relevant and
necessary to the litigation, and that use of such records is therefore
deemed by USDA to be for a purpose that is compatible with the purpose
for which USDA collected the records.
To contractors and their agents, grantees, experts, consultants,
and others performing or working on a contract, service, grant,
cooperative agreement, or other assignment for the USDA, when necessary
to accomplish an agency function related to this system of records.
Individuals providing information under this routine use are subject to
the same Privacy Act requirements and limitations on disclosure as are
applicable to USDA officers and employees.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are stored on encrypted servers within a secured and
controlled environment. Records backup storage is maintained by the
USDA's Digital Infrastructure Services Center (DISC) in a virtual tape
library at the USDA's DISC facility in Kansas City, MO. Copies of the
backup records are maintained at the USDA DISC facility in St. Louis,
MO. The ePACS has no hardcopy paper records that require storage.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by a combination of name and date range.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records compiled under this SORN will be maintained in accordance
with NARA General Records Schedule (GRS) Transmittal 32 issued March
2022, Items 110 and 120, and NARA records retention schedules DAA-
GRS2017-0006-0014, and DAA-GRS2021-0001-0005, to the extent applicable.
Records may be retained for a longer period as required by litigation,
investigation, and/or audit. A master file backup is created at the end
of the calendar year and maintained in St. Louis, Mo. The St. Louis
offsite storage site is located approximately 250 miles from the
primary data facility and is not susceptible to the same hazards.
[[Page 36274]]
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Records in this system are safeguarded by restricting
accessibility, in accordance with USDA security and access policies.
The safeguarding includes secured severs, firewall(s), network
protection, and an encrypted password. Each user is assigned a level of
role-based access, which is strictly controlled and granted through
USDA-approved, secure application (after the user has successfully
completed the Government National Agency Check with Inquiries (NACI)
investigation).
Physical security measures are in place to prevent unauthorized
persons from accessing ePACS as only government furnished equipment is
allowed. The ePACS users are also required to complete appropriate
training to learn requirements for safeguarding records maintained
under the Privacy Act. USDA's Digital Infrastructure Services Center
(DISC) safeguards records and ensures that privacy requirements are met
in accordance with Federal and cyber security mandates. DISC provides
continuous storage management, encryption, security administration,
regular dataset backups, and contingency planning/disaster recovery.
RECORD ACCESS PROCEDURES:
Individuals seeking to gain access to a record in this system of
records, must contact the system manager at the address listed above
and provide the system manager with the necessary particulars such as
full name, date of birth, work address, country of citizenship.
Requesters must also reasonably specify the record contents sought. The
request must meet the requirements of the regulations at 34 CFR 5b.5,
including proof of identity. All requests for access to records must be
in writing and should be submitted to the system manager at the address
listed above. A determination whether a record may be accessed will be
made at the time a request is received. All inquiries should be
addressed in accordance with the ``Notification Procedures'' below.
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest or amend information maintained in
the system should direct their request to the above listed System
Manager and should include the reason for contesting it and the
proposed amendment to the information with supporting information to
show how the record is inaccurate. A request for contesting records
should contain: Name, address including zip code, name of the system of
records, year of records in question, and any other pertinent
information to help identify the data requested.
NOTIFICATION PROCEDURES:
Any individual may request information regarding this system of
records, or information as to whether the system contains records
pertaining to the individual, from the System Manager listed above: See
RECORD ACCESS PROCEDURES.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
Samuel Willis,
Director--Facility Protection Division, Office of Safety, Security and
Protection, Departmental Administration, United States Department of
Agriculture.
[FR Doc. 2023-11753 Filed 6-1-23; 8:45 am]
BILLING CODE 3410-98-P