AGENCY:

Nuclear Regulatory Commission.

ACTION:

Notice of new system of records.

SUMMARY:

The Nuclear Regulatory Commission (NRC) is providing notice of the establishment of a new system of records, NRC-45, Digital Certificates for Personal Identity Verification.

DATES:

The new system of records will become effective without further notice on January 31, 2007, unless comments received on or before that date cause a contrary decision. If changes are made based on NRC's review of comments received, a new final notice will be published.

ADDRESSES:

Comments may be provided to the Chief, Rulemaking, Directives, and Editing Branch, Division of Administrative Services, Office of Administration, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001. Written comments should also be transmitted to the Chief of the Rules and Directives Branch, either by means of facsimile transmission to (301) 415-5144, or by e-mail to nrcrep@nrc.gov.

FOR FURTHER INFORMATION CONTACT:

Sandra S. Northern, Privacy Program Officer, FOIA/Privacy Act Team, Records and FOIA/Privacy Services Branch, Information and Records Services Division, Office of Information Services, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, telephone: 301-415-6879; e-mail: ssn@nrc.gov.

SUPPLEMENTARY INFORMATION:

The establishment of this new system of records, NRC-45, Digital Certificates for Personal Identity Verification, will allow the NRC to collect and maintain information to facilitate secure, on-line communication between Federal automated information systems and the public; to authenticate individuals requiring access to federally controlled facilities, information systems and applications; and to track and control personal identity verification (PIV) cards (smartcards) issued to persons entering and exiting the facilities by the Start Printed Page 77073use of digital certificate technologies to authenticate and verify identity.

A report on the proposed new system is being sent to OMB, the Committee on Homeland Security and Governmental Affairs of the U.S. Senate, and the Committee on Government Reform of the U.S. House of Representatives as required by the Privacy Act and OMB Circular No. A-130, Appendix I, “Federal Agency Responsibilities for Maintaining Records About Individuals.”

Accordingly, the NRC proposes to add NRC-45 to read as follows:

NRC-45

System Name:

Digital Certificates for Personal Identity Verification-NRC.

System Location:

Primary system—Office of Information Services, NRC, White Flint North Complex, 11555 Rockville Pike, Rockville, Maryland, and contractor facility.

Duplicate system—Duplicate systems may exist, in whole or in part, at the locations listed in Addendum I, part 2, published on October 10, 2006 (71 FR 59614).

Categories Of Individuals Covered By The System:

Individuals covered are persons who have applied for the issuance of digital certificates for signature, encryption, and/or authentication purposes; have had their certificates renewed, replaced, suspended, revoked, or denied; have used their certificates to electronically make contact with, retrieve information from, or submit information to an automated information system; or have corresponded with NRC or its contractor concerning digital certificate services.

Categories Of Records In The System:

The system contains information needed to establish and verify the identity of users, to maintain the system, and to establish accountability and audit controls. System records may include: (a) Applications for the issuance, amendment, renewal, replacement, or revocation of digital certificates, including evidence provided by applicants or proof of identity and authority, and sources used to verify an applicant's identity and authority; (b) Certificates issued; (c) Certificates denied, suspended, or revoked, including reasons for denial, suspension, or revocation; (d) A list of currently valid certificates; (e) A list of currently invalid certificates; (f) A record of validation transactions attempted with digital certificates; and (g) A record of validation transactions completed with digital certificates.

Authority For Maintenance Of The System:

5 U.S.C. 301; Electronic Government Act of 2002, 44 U.S.C. Chapter 36; the Paperwork Reduction Act of 1995, 44 U.S.C. 3501; Government Paperwork Elimination Act, 44 U.S.C. 3504; Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004; Executive Order 9397.

Routine Uses Of Records Maintained In The System, Including Categories Of Users And The Purposes Of Such Uses:

In addition to the disclosures permitted under subsection (b) of the Privacy Act, the NRC may disclose information contained in this system of records without the consent of the subject individual if the disclosure is compatible with the purpose for which the record was collected under the following routine uses:

a. To agency digital certificate program contractors to compile and maintain documentation on applicants for verifying applicants' identity and authority to access information system applications; to establish and maintain documentation on information sources for verifying applicants' identities; to ensure proper management, data accuracy, and evaluation of the system;

b. To Federal authorities to determine the validity of subscriber digital certificates and other identity attributes;

c. To the National Archives and Records Administration (NARA) for records management purposes;

d. To a public data repository (only name, e-mail address, organization, and public key) to facilitate secure communications using digital certificates; and

e. Any of the routine uses specified in the Prefatory Statement of General Routine Uses, published October 10, 2006 (71 FR 59614).

Disclosure To Consumer Reporting Agencies:

Disclosure of system records to consumer reporting systems is not permitted.

Policies And Practices For Storing, Retrieving, Accessing, Retaining, And Disposing Of Records In The System:

Storage:

Records are stored electronically or on paper.

Retrievability:

Records are retrievable by an individual's name, e-mail address, certificate status, certificate number, certificate issuance date, or approval role.

Safeguards:

Technical, administrative, and personnel security measures are implemented to ensure confidentiality, integrity, and availability of the system data stored, processed, and transmitted. Hard copy documents are maintained in locking file cabinets. Electronic records are password protected. Access to and use of these records are limited to those individuals whose official duties require access.

Retention And Disposal:

Disposition pending (until NARA has approved the retention and disposition schedule for these records, treat the records as permanent).

System Manager(s) And Address:

Director, Infrastructure and Computer Operations Division, Office of Information Services, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001.

Notification Procedure:

Individuals seeking to determine whether this system of records contains information pertaining to themselves should write to the Freedom of Information Act and Privacy Act (FOIA/PA) Officer, Office of Information Services, U.S. Nuclear Regulatory Commission, Washington, DC 20555-0001, and comply with the procedures contained in NRC's Privacy Act regulations, 10 CFR part 9.

Record Access Procedure:

Same as “Notification procedure.”

Contesting Record Procedure:

Same as “Notification procedure.”

Record Source Categories:

The sources for information in the system are the individuals who apply for digital certificates, the NRC and contractors using multiple sources to verify identities, and internal system transactions designed to gather and maintain data needed to manage and evaluate the digital certificate program.

Exemptions Claims For The System:

None.