AGENCY:

Environmental Protection Agency.

ACTION:

Notice.

SUMMARY:

The U.S. Environmental Protection Agency's (EPA) Office of Administration and Resource Management, Office of Administration, Security Management Division is giving notice that it proposes to create a new system of records pursuant to the provisions of the Privacy Act of 1974 (5 U.S.C. 552a). The EPA Personnel Access and Security System (EPASS) is being created to comply with the Homeland Security Presidential Directive-12 (HSPD-12), which was issued on August 12, 2004 and signed on August 27, 2004. HSPD-12 mandates a government-wide federal standard for ensuring that identification cards issued to government employees and contractors are reliable and secure. EPASS complies with the federal requirements and will enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.

DATES:

Persons wishing to comment on this new system of records notice must do so by September 29, 2014.

ADDRESS:

Submit your comments, identified by Docket ID No. EPA-HQ-2012-0836, by mail:

• www.regulations.gov: Follow the online instructions for submitting comments.
• Email: oei.docket@epa.gov.
• Fax: 202-566-1752.
• Mail: OEI Docket, Environmental Protection Agency, Mail code: 2822T, 1200 Pennsylvania Ave. NW., Washington, DC 20460.
• Hand Delivery: OEI Docket, EPA/DC, EPA West Building, Room 3334, 1301 Constitution Ave. NW., Washington, DC. Such deliveries are only accepted during the docket's normal hours of operation, and special arrangements should be made for deliveries of boxed information.

Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-2012-0836. EPA's policy is that all comments received will be included in the public docket without change and may be made available online at www.regulations.gov,, including any personal information provided, unless the comment includes information Start Printed Page 49077claimed to be Confidential Business Information (CBI) or other information for which disclosure is restricted by statute. Do not submit information that you consider to be CBI or otherwise protected through www.regulations.gov. The www.regulations.gov Web site is an “anonymous access” system, which means EPA will not know your identity or contact information unless you provide it in the body of your comment. If you send an email comment directly to EPA without going through www.regulations.gov your email address will be automatically captured and included as part of the comment that is placed in the public docket and made available on the Internet. If you submit an electronic comment, EPA recommends that you include your name and other contact information in the body of your comment and with any disk or CD-ROM you submit. If EPA cannot read your comment due to technical difficulties and cannot contact you for clarification, EPA may not be able to consider your comment. Electronic files should avoid the use of special characters, any form of encryption, and be free of any defects or viruses. For additional information about EPA's public docket visit the EPA Docket Center homepage at http://www.epa.gov/​epahome/​dockets.htm.

Docket: All documents in the docket are listed in the www.regulations.gov index. Although listed in the index, some information is not publicly available (e.g., CBI or other information for which disclosure is restricted by statute). Certain other material, such as copyrighted material, will be publicly available only in hard copy. Publicly available docket materials are available either electronically in www.regulations.gov or in hard copy at the OEI Docket, EPA/DC, EPA West Building, Room 3334, 1301 Constitution Ave. NW., Washington, DC. The Public Reading Room is open from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal holidays. The telephone number for the Public Reading Room is (202) 566-1744, and the telephone number for the OEI Docket is (202) 566-1745.

FOR FURTHER INFORMATION CONTACT:

Kelly Glazier, Security Management Division (SMD) Acting Director, (202) 564-0351.

SUPPLEMENTARY INFORMATION:

General Information

The U.S. Environmental Protection Agency (EPA) plans to create a Privacy Act system of records for the EPA Personnel Access and Security System (EPASS). This system is being created for the purpose of issuing credentials to EPA employees and its contractors that meet the requirements of Homeland Security Presidential Directive 12 (HSPD-12) issued on August 12, 2004. The Directive requires the development of a mandatory, government-wide standard for issuing secure and reliable forms of identification to executive branch employees and federal contractors for access to federally controlled facilities and networks.

The National Institute of Standards and Technology (NIST) further defined the issuance standards in Federal Information Processing (FIP) Standards Publication 201which describes the minimum requirements for a federal personal identification verification (PIV) system. EPA's identification system, EPASS, complies with all HSPD-12 requirements. It is designed to link a person's identity to an identification credential and link the credential to a person's ability to physically and logically access federally-controlled buildings and information systems.

EPASS will contain information on all Agency employees, contractors, consultants, volunteers and other workers who require long-term, regular access, as required by their position, to federal facilities, systems and networks. The personal information collected in the personnel enrollment process consists of data elements necessary to verify the identity of the individual and to perform background or other investigations. EPASS will collect the applicant's name, date of birth, Social Security Number, organizational affiliations, fingerprints, work email address and phone number(s), other verification and demographic information, and the applicant's photograph.

EPA-62

System Name:

EPA Personnel Access and Security System (EPASS)

System Location:

Environmental Protection Agency, Office of Administration and Resource Management (OARM), Office of Administration (OA), Ariel Rios Building, MC3201A, 1200 Pennsylvania Ave. NW., Washington, DC 20460.

Categories of Individuals Covered by the System:

The System will collect and maintain information on individuals who require long-term, regular access as required by their position, to EPA-controlled facilities and information technology systems, including federal employees, contractors, grantees, students, interns, volunteers, other non-federal employees and individuals formerly in any of these positions. The System does not collect information on occasional visitors or short-term guests to whom the Agency may issue temporary identification.

Categories of Records in the System:

Enrollment records: full name and history of name changes, social security number, applicant ID number, date of birth, gender, race, height, weight, hair color, eye color, digital color photograph, fingerprints, biometric template (two fingerprints), employee affiliation, work email address, work telephone number(s), office location and organizational unit, employee status, foreign national status, federal emergency response official status, National Agency Check with Inquiries (NACI) status (permanent or provisional), citizenship status, government agency code, computer login name/user principal name (UPN), and personal identification verification (PIV) card issuance location. Records in EPASS's Identity Management System (IDMS) and Card Management System (CMS) are needed for credential management of enrolled individuals and include PIV card serial number, digital certificate serial number, PIV card issuance and expiration dates, PIV card personal identification number (PIN), cardholder unique identifier (CHUID), and card management keys. All sponsored individuals enrolled within EPASS may be issued a PIV card. The PIV card contains the following mandatory information: name, photograph, individual's affiliation, organizational affiliation, PIV card expiration date, Agency card serial number, and color-coding for employee affiliation. The card also contains an integrated circuit chip which is encoded with the following data elements: cardholder unique identifier (CHUID), PIV authentication digital certificate, and two fingerprint biometric minutiae templates.

Authority for Maintenance of the System:

Government Organization and Employees (5 U.S.C. 301); Public Buildings under the control of Administrator of General Services (40 U.S.C. 3101); Federal Information Security Management Act of 2002 (44 U.S.C. 3541); E-Government Act of 2002 (44 U.S.C. 101); Paperwork Reduction Act of 1995 (44 U.S.C. 3501); Executive Order 9347 (Nov. 22, 1943); and Start Printed Page 49078Homeland Security Presidential Directive 12 (HSPD-12) (August 27, 2004).

Purpose(s):

The primary purposes of the System are to: (1) Ensure the safety and security of Federal facilities, systems, or information, and of facility occupants and users; (2) provide for interoperability and trust in allowing physical access to individuals entering Federal facilities; and (3) allow logical access to Federal information systems, networks, and resources on a government-wide basis.

Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

General routine uses A, B, C, D E, F, G, H, I, J, K, and L apply to this System.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

• Storage: Records are stored on a secure server within the EPASS sub-system Fingerprint Transmission System (FTS) and can be accessed over the Web using encryption software. The records are kept for 120 days and are either manually or automatically deleted.
• Retrievability: Records can only be retrieved within the System database, which requires authorized user login/password credentials and administrative privileges to retrieve personal data within a Web instance of the system by using a combination of first name and last name.
• Safeguards: Consistent with the requirements of the Federal Information Security Management Act and associated OMB policies, standards and guidance from the National Institute of Standards and Technology, EPA protects all records from unauthorized access through appropriate administrative, physical, and technical safeguards. Buildings have security guards and secured doors. All entrances are monitored through electronic surveillance equipment. Physical security controls include indoor and outdoor security monitoring and surveillance, badge and picture ID access screening and biometric access screening. Personally identifiable information (PII) is safeguarded and protected in conformance with all Federal statutes and Office of Management and Budget (OMB) requirements. All access has role-based restrictions. Individuals granted access privileges must be screened for proper credentials. EPA maintains an audit trail and performs random periodic reviews to identify any unauthorized access. Persons given roles in the EPASS HSPD-12 process must be screened and complete training specific to their roles to ensure they are knowledgeable about how to protect PII.
• Retention and Disposal: Records are retained and disposed of in accordance with EPA's records schedule 089.

System Manager(s) and Address:

Director, Office of Administration and Resources Management (OARM), Office of Administration (OA), Environmental Protection Agency, 1200 Pennsylvania Avenue NW., Washington, DC 20460.

Notification Procedures:

Any individual who wants to know whether this System of records contains a record about him or her, who wants access to his or her record, or who wants to contest the contents of a record, should make a written request to the EPA FOIA Office, Attn: Privacy Act Officer, MC2822T, 1200 Pennsylvania Avenue NW., Washington, DC 20460.

Record Access Procedure:

Requests for access must be made in accordance with the procedures described in EPA's Privacy Act regulations at 40 CFR part 16. Requesters will be required to provide adequate identification, such as a driver's license, employee identification card, or other identifying document. Additional identification procedures may be required in some instances.

Contesting Records Procedure:

Requests for correction or amendment must identify the record to be changed and the corrective action sought. Complete EPA Privacy Act procedures are described in EPA's Privacy Act regulations at 40 CFR part 16.

Record Source Categories:

The sources for information in the system are the individuals about whom, the records are maintained, the supervisors of those individuals, existing EPA systems, the sponsoring agency, the former sponsoring agency, other Federal agencies, the contract employer, the former contract employer and the U.S. Office of Personnel Management (OPM).

Systems Exempted From Certain Provisions of the Act:

None.