AGENCY:

Defense Information Systems Agency, DoD.

ACTION:

Notice of a New System of Records.

SUMMARY:

The Defense Information Systems Agency (DISA) proposes to establish a new system of records entitled “Electronic Security System (ESS), K890.28” to control physical access to DISA Headquarters. DISA, as a classified collateral open storage area, has security responsibilities mandated by DoD Manual 5200.01, volume 3, DoD Information Security Program: Protection of Classified Information. This includes the use of an integrated electronic access control system. The system identifies and verifies Start Printed Page 1080individuals through the use of data registered into the access control system from an individual's Common Access Card (CAC). The system tracks the entry/exit times of personnel who enter/exit the DISA Headquarters Complex and some rooms within the complex.

DATES:

Comments will be accepted on or before March 4, 2019. This proposed action will be effective the date following the end of the comment period unless comments are received which result in a contrary determination.

ADDRESSES:

You may submit comments, identified by docket number and title, by any of the following methods:

* Federal Rulemaking Portal: http://www.regulations.gov.

Follow the instructions for submitting comments.

* Mail: Department of Defense, Office of the Chief Management Officer, Directorate for Oversight and Compliance, 4800 Mark Center Drive, Mailbox #24, Suite 08D09, Alexandria, VA 22350-1700.

Instructions: All submissions received must include the agency name and docket number for this Federal Register document. The general policy for comments and other submissions from members of the public is to make these submissions available for public viewing on the internet at http://www.regulations.gov as they are received without change, including any personal identifiers or contact information.

FOR FURTHER INFORMATION CONTACT:

Mrs. Jeanette M. Weathers-Jenkins, DISA Privacy Officer, 6914 Cooper Ave., Fort Meade, MD 20755-7090, or by phone at (301) 225-8158.

SUPPLEMENTARY INFORMATION:

DISA's security responsibilities include identifying or verifying individuals through the use of matching PKI (Public Key Infrastructure) information on the CAC to the information registered into the ESS (from the CAC), to retrieve CACs upon separation, to maintain visitor statistics, collect information to adjudicate access to facility, and track the entry/exit times of personnel for purposes of verifying times of entry and exit. For entry into building, the guards have the ability to match picture on CAC to person holding CAC and the picture on file in system.

The DISA notices for systems of records subject to the Privacy Act of 1974 (5 U.S.C. 552a), as amended, have been published in the Federal Register and are available from the address in FOR FURTHER INFORMATION CONTACT or at the Defense Privacy, Civil Liberties, and Transparency Division website at https://defense.gov/​privacy.

The proposed system reports, as required by 5 U.S.C. 552a(r) of the Privacy Act of 1974, as amended, was submitted on November 5, 2018, to the House Committee on Oversight and Government Reform, the Senate Committee on Governmental Affairs, and the Office of Management and Budget (OMB) pursuant to Section 6 to OMB Circular No. A-108, “Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act,” revised December 23, 2016 (December 23, 2016, 81 FR 94424).

SYSTEM NAME AND NUMBER

Electronic Security System (ESS), K890.28

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Defense Information Systems Agency (DISA), 6910 Cooper Ave., Ft. Meade, MD 20755-7090.

SYSTEM MANAGER(S):

Chief, Security Division, Workforce Services Directorate (WSD)/MP61, Defense Information Systems Agency, 6910 Cooper Ave., Ft. Meade, MD 20755-7090, (301) 225-1235.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

10 U.S.C. 193 and 10 U.S.C. 142; Department of Defense Directive 5105.19, Defense Information Systems Agency (DISA); Department of Defense Directive 5200.08, Security of DoD Installations and Resources and the DoD Physical Security Review Board (PSRB) and HSPD-12, Policy for a Common Identification Standard for Federal Employees and Contractors.

PURPOSE(S) OF THE SYSTEM:

The purpose of the system is to control physical access to DISA Headquarters controlled information. DISA's security responsibilities include identifying or verifying individuals through the use of matching PKI (Public Key Infrastructure) information on the CAC to the information registered into the ESS (from the CAC). For entry into building guards also have ability to match picture on CAC to person holding CAC and the picture on file in system.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

DISA military and civilian employees and contractors, and others with issued common access card and authorized (regular or frequent) entry to DISA facilities.

CATEGORIES OF RECORDS IN THE SYSTEM:

Name, DoD ID Number or credential barcode, photograph of person, information that reflects time of entry/exit from facility or secure location, and identification expiration dates.

RECORD SOURCE CATEGORIES:

Individuals; Defense Enrollment Eligibility Reporting Systems, Department of Defense, other Federal Departments and Agencies, Department of Army, Department of the Air Force, Department of Navy, and U.S. Marine Corps security offices; system managers; computer facility managers; commercial businesses whose employees require access to the facilities or locations; and automated interfaces for user codes on file at Department of Defense sites.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, as amended, the records contained herein may specifically be disclosed outside the DoD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

a. To contractors, grantees, experts, consultants, students, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for the Federal Government when necessary to accomplish an agency function related to this system of records.

b. To the appropriate Federal, State, local, territorial, tribal, foreign, or international law enforcement authority or other appropriate entity where a record, either alone or in conjunction with other information, indicates a violation or potential violation of law, whether criminal, civil, or regulatory in nature.

c. To any component of the Department of Justice for the purpose of representing the DoD, or its components, officers, employees, or members in pending or potential litigation to which the record is pertinent.

d. In an appropriate proceeding before a court, grand jury, or administrative or adjudicative body or official, when the DoD or other Agency representing the DoD determines that the records are relevant and necessary to the proceeding; or in an appropriate proceeding before an administrative or adjudicative body when the adjudicator determines the records to be relevant to the proceeding.Start Printed Page 1081

e. To the National Archives and Records Administration for the purpose of records management inspections conducted under the authority of 44 U.S.C. 2904 and 44 U.S.C. 2906.

f. To a Member of Congress or staff acting upon the Member's behalf when the Member or staff requests the information on behalf of, and at the request of, the individual who is the subject of the record.

g. To appropriate agencies, entities, and persons when (1) the DoD suspects or has confirmed that there has been a breach of the system of records; (2) the DoD has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the DoD (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the DoD's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

h. To another Federal agency or Federal entity, when the DoD determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

These electronic records are stored on secure servers with access controlled, access restricted by the use of logon, password, and/or card swipe protocols.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Information is retrieved by name and DoD ID number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Data elements housed in the agency identity management system are destroyed 6 years after terminating an employee or contractor's employment, but longer retention is authorized if required for business use.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Access to the type and amount of data is governed by privilege management software and policies developed and enforced by Federal Government personnel. Data is protected by repository and interfaces, including, but not limited to multi-layered firewalls, Secure Sockets Layer/Transport Layer Security (SSL/TLS) connections, access control lists, file system permissions, intrusion detection and prevention systems and log monitoring. Complete access to all records is restricted to and controlled by certified system management personnel, who are responsible for maintaining the e-App system integrity and the data confidentiality. Access to computerized data is restricted by Common Access Card (CAC).

Access is provided on a need-to-know basis only. The office space in which the servers are located is locked outside of official working hours. Computer terminals are located in supervised areas. The electronic security system utilized to safeguard is password protected. Computerized records maintained in a controlled area are accessible only to authorized personnel. Records are maintained in a controlled facility. Physical entry is restricted by the use of locks, guards, the access control system, and is accessible only to authorized personnel. Physical and electronic access is restricted to designated individuals having a need therefore in the performance of official duties and who are properly screened and cleared for need-to-know. Access is restricted to only authorized persons who are properly screened.

RECORD ACCESS PROCEDURES:

Individuals seeking access to records about themselves should address written inquiries to the Defense Information Systems Agency (DISA), Workforce Services Directorate (WSD)/MP61, 6910 Cooper Ave., Ft. Meade, MD 20755-7090.

Signed, written requests should include the individual's full name, current address, telephone number, and the name and number of this System of Records. In addition, the requester must provide either a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:

If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”

If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”

CONTESTING RECORD PROCEDURES:

The Defense Information Systems Agency (DISA) rules for contesting contents and appealing initial agency determinations are published in DISA Instruction 210-225-2; 32 CFR part 316; or may be obtained from the system manager.

NOTIFICATION PROCEDURES:

Individuals seeking to determine whether information about themselves is contained in this system should address written inquiries to Defense Information Systems Agency (DISA), Workforce Services Directorate (WSD)/MP61, 6910 Cooper Ave., Ft. Meade, MD 20755-7090.

Signed, written requests should include the individual's full name, current address, telephone number, and the name and number of this system of records notice. In addition, the requester must provide either a notarized statement or an unsworn declaration made in accordance with 28 U.S.C. 1746, in the following format:

If executed outside the United States: “I declare (or certify, verify, or state) under penalty of perjury under the laws of the United States of America that the foregoing is true and correct. Executed on (date). (Signature).”

If executed within the United States, its territories, possessions, or commonwealths: “I declare (or certify, verify, or state) under penalty of perjury that the foregoing is true and correct. Executed on (date). (Signature).”

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.