2023-05806. Privacy Act of 1974; System of Records  

    AGENCY:

    Office of Mission Support (OMS), Environmental Protection Agency (EPA).

    ACTION:

    Notice of a modified system of records.

    SUMMARY:

    The U.S. Environmental Protection Agency's (EPA) Office of Mission Support (OMS) is giving notice that it proposes to modify a system of records pursuant to the provisions of the Privacy Act of 1974. The Office of Administrative Services Information System (OASIS) is being modified to update safeguard infrastructure and security measures, and add Routine Uses.

    DATES:

    Persons wishing to comment on this system of records notice must do so by April 21, 2023. New routine uses for this modified system of records will be effective April 21, 2023.

    ADDRESSES:

    Submit your comments, identified by Docket ID No. EPA-HQ-OEI-2006-0633, by one of the following methods:

    Federal eRulemaking Portal: https://www.regulations.gov. Follow the online instructions for submitting comments.

    Email: docket_oms@epa.gov. Include the Docket ID number in the subject line of the message.

    Fax: (202) 566-1752.

    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.

    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are only accepted during the Docket's normal hours of operation, and special arrangements should be made for deliveries of boxed information.

    Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-2006-0633. The EPA's policy is that all comments received will be included in the public docket without change and may be made available online at https://www.regulations.gov, including any personal information provided, unless the comment includes information claimed to be Controlled Unclassified Information (CUI) or other information for which disclosure is restricted by statute. Do not submit information that you consider to be CUI or otherwise protected through https://www.regulations.gov. The https://www.regulations.gov website is an “anonymous access” system for the EPA, which means the EPA will not know your identity or contact information. If you submit an electronic comment, the EPA recommends that you include your name and other contact information in the body of your comment. If the EPA cannot read your comment due to technical difficulties and cannot contact you for clarification, the EPA may not be able to consider your comment. If you send an email comment directly to the EPA without going through https://www.regulations.gov, your email address will be automatically captured and included as part of the comment that is placed in the public docket and made available on the internet. Electronic files should avoid the use of special characters, any form of encryption, and be free of any defects or viruses. For additional information about the EPA public docket, visit the EPA Docket Center homepage at https://www.epa.gov/dockets.

    Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some information is not publicly available, e.g., CUI or other information for which disclosure is restricted by statute. Certain other material, such as copyrighted material, will be publicly available only in hard copy. Publicly available docket materials are available either electronically in https://www.regulations.gov or in hard copy at the OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC 20460. The Public Reading Room is normally open from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal holidays. The telephone number for the Public Reading Room is (202) 566-1744, and the telephone number for the OMS Docket is (202) 566-1752. Further information about EPA Docket Center services and current operating status is available at https://www.epa.gov/dockets.

    FOR FURTHER INFORMATION CONTACT:

    James Cunningham, cunningham.james@epa.gov, 202-564-7212; Jackie Brown, brown.jackie@epa.gov, 202-564-0313; or OMS-ARM-OA-RMS@epa.gov.

    SUPPLEMENTARY INFORMATION:

    EPA uses OASIS as a secure platform to provide software services to EPA employees using EPA's intranet, including a secure database for the software modules the system supports. EPA is updating this SORN to reflect how OASIS has modernized its operating system platform, implemented a more secure method for user authentication, and completed a review and update to the software modules the system supports. EPA is removing the following OASIS software modules that are no longer in use: Physical Security; Warehouse Management; Fitness Center Management; Combo Locks, Incidents, Keys and Safe System; and Personnel Security System. EPA is updating the following OASIS software modules with no impact to personally identifiable information (PII): Building Service Desk, Credential Badging, Driver Tracking, Mail Center, National Security Information, and Parking System (previously Parking and Transit System). EPA is adding the following OASIS software modules with no addition of new PII data elements: Environmental Health and Safety, HQ Project Management, Incident Reporting, Print Request Form, Print Request Tracking, PSS1 Archive, Transit Management, Transit Subsidy Program Enrollment, USA Performance (USAP), and User Management. All OASIS modules were updated to incorporate Multi-Factor Authentication (MFA). Additionally, EPA is updating this SORN to add Routine Uses L and M per updated OMB requirements.

    SYSTEM NAME AND NUMBER:

    Office of Administrative Services Information System (OASIS), EPA-41.

    SECURITY CLASSIFICATION:

    Unclassified.

    SYSTEM LOCATION:

    The system is managed by the Office of Mission Support, EPA, 1301 Constitution Ave. NW, Washington, DC 20460. Electronically stored information is hosted at the EPA National Computer Center (NCC), 109 TW Alexander Drive, Research Triangle Park, Durham, NC 27711.

    SYSTEM MANAGER(S):

    James Cunningham, Information Technology Project Manager, 1301 Constitution Ave. NW, Washington, DC 20460, cunningham.james@epa.gov. Jackie Brown, Information System Security Officer, 1301 Constitution Ave. NW, Washington, DC 20460, brown.jackie@epa.gov.

    AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

    E-Government Act of 2002 (Pub. L. 104-347); the Paperwork Reduction Act of 1995, as amended (44 U.S.C. 3501, et seq.); Executive Order 13571—Streamlining Service Delivery and Improving Customer Service (April 2011).

    PURPOSE(S) OF THE SYSTEM:

    The purpose of OASIS is to administer and manage administrative resources for the EPA. There are nineteen OASIS software modules. Each module's business purpose is described in the following table:

    | OASIS software module | Business purpose |
    | --- | --- |
    | Building Service Desk | Manage Headquarters building maintenance and service calls. |
    | Credential Badging | Generate and manage issuance and expiration of Credential badges used to access restricted EPA labs. |
    | Driver Tracking | Manage EPA Headquarters executive motor pool fleet of vehicles and track and report on EPA vehicle usage trends. |
    | Environmental, Health and Safety | Track and report environmental, health and safety regulatory compliance. |
    | EPA Automotive Statistical Tool (AST) | Manage EPA's fleet life-cycle data such as acquisition costs, vehicle identification, operating costs, fuel consumption, and disposal proceeds. |
    | Federal Real Property Profile (FRPP) | Facilitate yearly submission of the Federal Real Property Profile (FRPP) data to the General Services Administration (GSA). |
    | HQ Project Management | Provide Facility Management Services Division with the capability to manage EPA Headquarters facility projects. |
    | Incident Reporting | Provide security incident reporting system for EPA Headquarters. |
    | Mail Center | Record and track postal transaction costs associated with the Agency's incoming and outgoing mail and reconcile the costs with the Office of the Chief Financial Officer (OCFO) financial system. |
    | National Security Information | Support EPA Security Management Division (SMD) in implementing the agency's national security information program. |
    | Parking System | Manage EPA Headquarters parking spaces. |
    | Print Request Form | Provide EPA Headquarters employees with the capability to submit document print requests. |
    | Print Request Tracking | Track and maintain information for Headquarters Print Job Orders and manage Print Shop costs associated with these orders. |
    | PSS1 Archive | Provide SMD Physical Security Branch (PSB) the capability to read legacy Personnel Security System data. |
    | Real Estate Management | Manage EPA real property assets. |
    | Transit Management | Provide Facility Management Services Division (FMSD) with the capability to manage EPA Headquarters employee Transit Subsidy accounts. |
    | Transit Subsidy Program Enrollment | Provide Headquarters employees with the capability to register and update their Transit Subsidy accounts. |
    | USA Performance | Provide application programming interface (API) access to the Office of Personnel Management (OPM) USA Performance (USAP) System to maintain performance related data for EPA employees. |
    | User Management | Manage user access and roles for OASIS software modules. |

    CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

    Categories of individuals covered by this system include current and former Agency federal employees, contractors, grantees, interns, and volunteers.

    CATEGORIES OF RECORDS IN THE SYSTEM:

    Categories of records include: personal information such as name, home address, telephone number, workforce ID, work location, position, date of birth, city of birth, and Social Security Number (SSN); work-related information such as work address, work telephone number, organization/office assignment, application role(s), email address, and company name; personnel security records such as the results of a background investigation, and information derived from documents used to verify applicant's identity; security incident related information such as names, incident date, type, description, contact information, employment type; physical security information such as building vulnerabilities, mitigations, costs associated with mitigation, and risk designation levels at various EPA locations; driver tracking information such as EPA vehicle license plate numbers, service records, driver name, trip type, pickup date, and number of passengers utilizing Agency buses; parking and transit information such as carpool members' names, addresses, work addresses, license plate numbers, and type of cars as well as transit subsidy information such as subsidy amount, possession of a registered Smart Trip card, and serial number of Smart Trip card if registered; Mail Center Management information used to track registered mail, including mailing address of the recipient and sender, name of individual who signed for the piece of mail, date and time mail was signed for, and costs of postage for each office; printing information such as name and telephone number of the office requesting print jobs, the budget associated with the print job, and completion and delivery of the print job; physical asset information such as asset name, ID, type, location, address, legal interest, primary use and disposition; and print request information such as originator name, work phone number, mail code, title, statistics, data requested, date submitted, and estimated cost.

    RECORD SOURCE CATEGORIES:

    Personnel information is obtained from EPA's Office of Human Resources (OHR). Remaining information is obtained from users and managers for each OASIS module.

    ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

    The routine uses below are both related to and compatible with the original purpose for which the information was collected. The following general routine uses apply to this system (86 FR 62527): A, B, C, D, E, F, G, H, I, J, K, L, and M.

    POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

    Records are maintained electronically on computer storage devices, located at U.S. EPA National Computer Center, 109 T.W. Alexander Drive, Research Triangle Park, NC 27711. Paper records are not collected nor maintained for OASIS.

    POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

    Only users authorized to use the National Security Information (NSI) module can retrieve information by SSN. Other modules require one or more of the following fields to retrieve records: Name, Work Force ID, LAN ID, Personnel ID, Email Address, Smart Trip Number, Incident Number, Business Service Desk (BSD) Ticket Number, Asset ID, or Project Number.

    POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

    Records are retained and disposed of in accordance with EPA's records control schedule approved by the National Archives and Records Administration (NARA): EPA Record Schedules 0740 and 0063.

    ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

    Security controls used to protect personal sensitive data in OASIS are commensurate with those required for an information system rated MODERATE for confidentiality, integrity, and availability, as prescribed in National Institute of Standards and Technology (NIST) Special Publication, 800-53, “Security and Privacy Controls for Information Systems and Organizations,” Revision 5.

    1. Administrative Safeguards: All EPA system users are expected to follow the Agency Rules of Behavior. All employees, contractors, volunteers, and grantees are required to complete EPA's annual Information Security and Privacy Awareness Training and Controlled Unclassified Information (CUI) Awareness Training.

    2. Technical Safeguards: Access to OASIS is role-based using the principle of least privilege. Role-based access ensures that individuals only have the roles granted to them that are necessary to complete their job function. These roles could include the ability to view, create, or modify records. A PIV Credential is used for MFA user authentication. OASIS data elements are stored in an ORACLE Enterprise Edition database, and the system uses AES 256-bit encryption algorithms to protect PII data as it resides in the database and when the data is in use by authenticated users.

    3. Physical Safeguards: All OASIS records are maintained on computer servers that are located in secure, access-controlled buildings.

    RECORD ACCESS PROCEDURES:

    All requests for access to personal records should cite the Privacy Act of 1974 and reference the type of request being made (i.e., access). Requests must include: (1) the name and signature of the individual making the request; (2) the name of the Privacy Act system of records to which the request relates; (3) a statement whether a personal inspection of the records or a copy of them by mail is desired; and (4) proof of identity. A full description of EPA's Privacy Act procedures for requesting access to records is included in EPA's Privacy Act regulations at 40 CFR part 16.

    CONTESTING RECORD PROCEDURES:

    Requests for correction or amendment must include: (1) the name and signature of the individual making the request; (2) the name of the Privacy Act system of records to which the request relates; (3) a description of the information sought to be corrected or amended and the specific reasons for the correction or amendment; and (4) proof of identity. A full description of EPA's Privacy Act procedures for the correction or amendment of a record is included in EPA's Privacy Act regulations at 40 CFR part 16.

    NOTIFICATION PROCEDURES:

    Individuals who wish to be informed whether a Privacy Act system of records maintained by EPA contains any record pertaining to them should make a written request to the EPA, Attn: Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or by email at: privacy@epa.gov. A full description of EPA's Privacy Act procedures is included in EPA's Privacy Act regulations at 40 CFR part 16.

    EXEMPTIONS PROMULGATED FOR THE SYSTEM:

    None.

    HISTORY:

    71 FR 51814 (August 31, 2006).

    Vaughn Noga,

    Senior Agency Official for Privacy.

    [FR Doc. 2023-05806 Filed 3-21-23; 8:45 am]

    BILLING CODE 6560-50-P

Document Information

Effective Date: 4/21/2023
Published: 03/22/2023
Department: Environmental Protection Agency
Entry Type: Notice
Action: Notice of a modified system of records.
Document Number: 2023-05806
Dates: Persons wishing to comment on this system of records notice must do so by April 21, 2023. New routine uses for this modified system of records will be effective April 21, 2023.
Pages: 17219-17222 (4 pages)
Docket Numbers: FRL-10616-01-OMS
PDF File: 2023-05806.pdf