[Federal Register Volume 90, Number 97 (Wednesday, May 21, 2025)]
[Notices]
[Pages 21815-21817]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2025-09116]
-----------------------------------------------------------------------
SMALL BUSINESS ADMINISTRATION
Privacy Act of 1974; Systems of Records
AGENCY: U.S. Small Business Administration.
ACTION: Notice of a Modified System of Records.
-----------------------------------------------------------------------
SUMMARY: The U.S. Small Business Administration (SBA) proposes a
modified system of records, Personnel Security Files (SBA 24), to
update its inventory of records systems subject to the Privacy Act of
1974, as amended. Publication of this notice complies with the Privacy
Act and the Office of Management and Budget (OMB) Circular A-108 and
Circular A-130. Personnel Security Files (SBA 24) serves as a
centralized repository for active and inactive personnel security files
to include information from authorized background investigations which
supports the SBA's clearance process. The changes include updating the
format, updating the system of records name/title, changing the
designation of the system manager, and updating information concerning
the location of the system of records, referencing the authority for
maintaining the records, modifying routine use (M), adding two new
routine uses (N) and (O), respectively, and making certain clerical and
clarifying revisions.
DATES: Submit written comments on or before June 20, 2025. This revised
system will be effective upon publication. Routine uses will become
effective on the date following the end of the comment period unless
comments are received which result in a contrary determination.
ADDRESSES: You may submit comment on this notice, identified by [SBA-
2024-0012], by any of the following methods.
Federal e-Rulemaking Portal: http://www.regulations.gov: Follow the
instructions for submitting comments. Mail/Hand Delivery/Courier:
Submit written comments to: Zina Hardy, Deputy Director, Office of
Personnel Security Office, U.S. Small Business Administration, 409 3rd
Street SW, Washington, DC 20416.
FOR FURTHER INFORMATION CONTACT: General or security questions please
contact Joseph L. Eitel, Director, Personnel Security, Small Business
Administration, 721 19th Street, Room 392, Denver, CO 80202, via email
[email protected], telephone 303-844-7750 or Cybersecurity
inquiries, Michael Post, (Acting) Chief Information Security Officer,
Office of the Chief Information Officer, U.S. Small Business
Administration, 4089 3rd Street SW, Suite 4000, Washington, DC 20416,
email address [email protected], telephone 202-205-3645. For Privacy
related matters, contact LaWanda Burnette, Chief Privacy Officer,
Office of the Chief Information Officer, or via email to
[email protected].
SUPPLEMENTARY INFORMATION: The Privacy Act of 1974 (5 U.S.C. 552a), as
amended, embodies fair information practice principles in a statutory
framework governing how federal agencies collect, maintain, use, and
disseminate individuals' personal information. The Privacy Act applies
to records about individuals that are maintained in a ``system of
records.'' A system of records is any group of records under the
control of a federal agency from which information is retrieved by the
name of an individual or by a number, symbol or any other identifier
assigned to the individual. The Privacy Act requires each federal
agency to publish a system of records notice (SORN) in the Federal
Register identifying and describing: (1) each system of record the
agency maintains, (2) the purpose for which the agency uses personally
identifiable information (PII) in the system, (3) the routine uses for
which the agency discloses such information outside the agency, and (4)
how individuals can exercise their rights related to their PII
information.
The SBA is required to complete background investigations for
suitability and security clearance determinations to ensure individuals
supporting the Agency are deemed reliable, trustworthy, and suitable
for the role they will fulfill. The Agency's Office of Personnel
Security utilizes the Automated Background Investigation System (ABIS),
a commercial off the shelf (COTS) web-based system, to support the
collection of data that is used by the Bureau to initiate background
investigations.
This system of records is comprised of electronic documents managed
by the Office of Personnel Security and the Office of the Chief
Information Officer.
SYSTEM NAME AND NUMBER:
Automated Background Investigation System Personnel Security Files
(SBA ABIS PSF 24).
SECURITY CLASSIFICATION:
Controlled Unclassified Information.
SYSTEM LOCATION:
SBA Headquarters, 409 3rd Street SW, Washington, DC.
SYSTEM MANAGER(S):
Joseph L. Eitel, Director, Personnel Security, SBA, 721 19th
Street, Room 392, Denver, CO 80202.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
15 U.S.C. Chapters 14A and 14B; 44 U.S.C. 3101, Executive Order
12968, 5 CFR 731, Executive Order 10450, as amended.
PURPOSE(S) OF THE SYSTEM:
In accordance with E.O. 10450 and E.O. 12968 and 5 CFR 731, the
system is used receive requests for background investigations, pre-
screen applicants and contractors (granting them approval to enter on
duty), forward investigative requests to DCSA for processing,
adjudicate completed investigations, grant or deny national security
clearances, make final determinations, provide due process, and report
the adjudication results.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Active, inactive, and former SBA employees.
CATEGORIES OF RECORDS IN THE SYSTEM:
Personnel security files for persons covered by this system,
including names, both former and aliases, date and place of birth,
contact information, addresses, employment and education history,
financial information, health records, personnel actions, Office of
Personnel Management (OPM), and/or
[[Page 21816]]
authorized contracting firm background investigations.
RECORD SOURCE CATEGORIES:
SBA active, inactive, and former employees, Office of Human
Resources Solutions, Office of Personnel Security, Office of the
Administrator--Chief Operating Officer, witnesses, and OPM.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
A. To the federal, state, local or foreign agency or professional
organization which investigates, prosecutes, or enforces violations,
statutes, rules, regulations, or orders issued when the Agency
identifies a violation or potential violation of law whether arising by
general or program statute, or by regulation, rule, or order.
B. To other federal agencies, upon request, that are conducting
background checks.
C. To a grand jury, court, magistrate, administrative tribunal, or
to opposing counsel in the course of hearings, trials, or settlement
negotiations.
D. To a congressional office in response to an inquiry on an
individual's record, when that office is inquiring at the request of,
and on behalf of, the individual, when the congressional member's
access rights are no greater than the individual's.
E. To SBA volunteers, contractors, interns, grantees, experts and
who have been engaged by SBA to assist in the performance of a service
related to this system of records and who need access to the records in
order to perform this activity. Recipients of these records shall be
required to comply with the requirements of the Privacy Act of 1974, as
amended, 5 U.S.C. 552a.
F. To OPM in accordance with that agency's authority to evaluate
federal personnel management.
G. To the Merit Systems Protection Board in connection with its
consideration of appeals of personnel actions.
H. To any federal, state, local, foreign, or international agency,
in connection with their assignment, hiring or retention of an
individual, issuance of a security clearance, reporting of an
investigation of an individual, letting of a contract or issuance of a
license, grant or other benefit, to the extent the information is
relevant to their decision on the matter.
I. To a grand jury agent pursuant either to a federal or state
grand jury subpoena or to a prosecution request that record be released
for introduction to a grand jury.
J. To the Office of Government Ethics for any purpose consistent
with their mission.
K. To the Department of Justice (DOJ) when any of the following is
a party to litigation or has an interest in such litigation, and the
use of such records by DOJ is deemed by SBA to be relevant and
necessary to the litigation, provided, however, that in each case, SBA
determines the disclosure of the records to DOJ is a use of the
information contained in the records that is compatible with the
purpose for which the records were collected: SBA, or any component
thereof; any SBA employee in their official capacity; any SBA employee
in their individual capacity where DOJ has agreed to represent the
employee; or The United States Government, where SBA determines that
litigation is likely to affect SBA or any of its components.
L. In a proceeding before a court, or adjudicative body, or a
dispute resolution body before which SBA is authorized to appear or
before which any of the following is a party to litigation or has an
interest in litigation, provided, however, that SBA determines that the
use of such records is relevant and necessary to the litigation, and
that, in each case, SBA determines that disclosure of the records to a
court or other adjudicative body is a use of the information contained
in the records that is a compatible purpose for which the records were
collected: SBA, or any SBA component; any SBA employee in their
official capacity; any SBA employee in their individual capacity where
DOJ has agreed to represent the employee; or The United States
Government, where SBA determines that litigation is likely to affect
SBA or any of its components.
M. To appropriate agencies, entities, and persons when (1) SBA
suspects or has confirmed that there has been a breach of the system of
records,[middot] (2) the SBA has determined that as a result of the
suspected or confirmed breach there is a risk of harm to individuals,
SBA (including its information systems, programs, and operations), the
Federal Government, or national security; and (3) the disclosure made
to such agencies, entities, and persons is reasonably necessary to
assist in connection with SBA's efforts to respond to the suspected or
confirmed breach or to prevent, minimize, or remedy such harm.
N. To another federal agency or federal entity, when SBA determines
that information from this system of records is reasonably necessary to
assist the recipient agency or entity in (1) responding to a suspected
or confirmed breach or (2) preventing, minimizing, or remedying the
risk of harm to individuals, the recipient agency or entity (including
its information systems, programs, and operations), the Federal
Government, or national security, resulting from a suspected or
confirmed breach.
O. To Department of Defense the adjudication of investigative files
and verification of all National Security clearance holders.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Compliance with federal laws, executive orders, SBA policies and
procedures, and other applicable guidelines. Records in this system are
stored in a locked, controlled access room and restricted access
electronic data systems. OPM National Agency checks that are not
immediately referred to OPM are maintained in a physically locked
controlled access room with restricted access electronic data systems.
POLICIES AND PRACITICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by employee's full name, social security
number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Compliance with federal laws, (Federal Records Act), executive
orders, SBA policies and procedures (SOP 90-47 and SOP 00-41 latest
editions, and other applicable guidelines.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Administrative controls include all users must take Cybersecurity
Awareness Training which includes a Privacy module and Rules of
Behavior annually and prior to using the system. User access is
provided based upon approval of the system administrator.
Technical controls include multi factor authentication, least
privilege, encryption in transit and at rest, event logging and
monitoring, dynamic IP, Discretionary Access Control Lists (DACLs) and
Role Based permissions. ABIS generates event logs that record all
activity in the system, including successful and unsuccessful login
attempts, the user that attempted the action, the IP address the action
originated from, records that were accessed and any additional
information about the requests. These requests are monitored routinely.
Servers are protected within a controlled and secure room in SBA
headquarters. Computers are accessed
[[Page 21817]]
by the user's Personal Identity Verification card.
RECORDS ACCESS PROCEDURES:
Individuals wishing to request access to records about them should
submit a Privacy Act request to the SBA Chief, Freedom of Information
and Privacy Act Office, U.S. Small Business Administration, 409 Third
St. SW, Eighth Floor, Washington, DC 20416 or [email protected]. Individuals
must provide their full name, mailing address, personal email address,
telephone number, and a detailed description of the records being
requested. Individuals requesting access must also follow SBA's Privacy
Act regulations regarding verification of identity and access to
records (13 CFR part 102 subpart B). The section of this notice titled
EXEMPTIONS PROMULGATED FOR THE SYSTEM indicates the kinds of material
exempted and the authority for exempting them from access. Individuals
wishing to request access to their records which may fall under
exemptions or are uncertain of the request, should contact the
Director, Office of Personnel Security, 721 19th Street, Rm. 392,
Denver, CO 80202.
CONTESTING RECORD PROCEDURES:
Notify system manager, Joseph L. Eitel, Director, Personnel
Security, SBA, 721 19th Street, Room 392, Denver, CO 80202, and state
reason(s) for contesting and the proposed amendment(s) sought.
NOTIFICATION PROCEDURES:
Individuals may make record inquiries in writing to the system
manager, Joseph L. Eitel, Director, Personnel Security, SBA, 721 19th
Street, Room 392, Denver, CO 80202.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
Pursuant to 5 U.S.C. 552a(k)(5), all investigatory material in the
record compiled for law enforcement purposes or for the purpose of
determining suitability, eligibility, or qualifications for federal
civilian employment, federal contracts, or access to classified
information is exempt from the notification, access and contest
requirements under 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H),
and (I) and (f) of the Privacy Act of 1974. This exemption is necessary
in order to fulfill commitments made to protect the confidentiality of
sources and to maintain access to sources necessary in making
determinations of suitability for employment.
Small Business Administration Record Rules: 72 FR 17367 (April 9,
2007) and 82 FR 46369 (October 5, 2017).
HISTORY:
[FR Doc. 2009-14896, Vol. 74, No. 61] and [FR Doc. 2004-58598, Vol.
69, No. 189].
Joseph L. Eitel,
Executive Director (Acting), Office of Executive Management,
Installation and Support Services, U.S. Small Business Administration.
[FR Doc. 2025-09116 Filed 5-20-25; 8:45 am]
BILLING CODE 8025-09-P