Privacy Act of 1974; Proposed Privacy Act System of Records, 56983-56986 [E6-15901]

Download as PDF Federal Register / Vol. 71, No. 188 / Thursday, September 28, 2006 / Notices FEDERAL MARITIME COMMISSION Notice of Request for Additional Information The Commission gives notice that it has requested that the parties to the below listed agreement provide additional information pursuant to section 6(d) of the Shipping Act of 1984, 46 U.S.C. app. 1701 et seq. This action prevents the agreement from becoming effective as originally scheduled. Agreement No.: 201172. Title: UMS-PHA Marine Terminal Agreement. Parties: Port of Houston Authority of Harris County, TX, and Universal Maritime Service Corporation. Dated: September 22, 2006. By Order of the Federal Maritime Commission.1 Bryant L. VanBrakle, Secretary. [FR Doc. E6–15910 Filed 9–27–06; 8:45 am] BILLING CODE 6730–01–P Additional information on all bank holding companies may be obtained from the National Information Center website at www.ffiec.gov/nic/. Unless otherwise noted, comments regarding each of these applications must be received at the Reserve Bank indicated or the offices of the Board of Governors not later than October 23, 2006. A. Federal Reserve Bank of San Francisco (Tracy Basinger, Director, Regional and Community Bank Group) 101 Market Street, San Francisco, California 94105-1579: 1. Premier Commercial Bancorp, Anaheim, California; to acquire 85.4 percent of the voting shares of Premier Commercial Bank, Arizona, N.A., Mesa, Arizona (in organization). Board of Governors of the Federal Reserve System, September 25, 2006. Robert deV. Frierson, Deputy Secretary of the Board. [FR Doc. E6–15929 Filed 9–27–06; 8:45 am] BILLING CODE 6210–01–S FEDERAL RESERVE SYSTEM sroberts on PROD1PC70 with NOTICES Formations of, Acquisitions by, and Mergers of Bank Holding Companies The companies listed in this notice have applied to the Board for approval, pursuant to the Bank Holding Company Act of 1956 (12 U.S.C. 1841 et seq.) (BHC Act), Regulation Y (12 CFR Part 225), and all other applicable statutes and regulations to become a bank holding company and/or to acquire the assets or the ownership of, control of, or the power to vote shares of a bank or bank holding company and all of the banks and nonbanking companies owned by the bank holding company, including the companies listed below. The applications listed below, as well as other related filings required by the Board, are available for immediate inspection at the Federal Reserve Bank indicated. The application also will be available for inspection at the offices of the Board of Governors. Interested persons may express their views in writing on the standards enumerated in the BHC Act (12 U.S.C. 1842(c)). If the proposal also involves the acquisition of a nonbanking company, the review also includes whether the acquisition of the nonbanking company complies with the standards in section 4 of the BHC Act (12 U.S.C. 1843). Unless otherwise noted, nonbanking activities will be conducted throughout the United States. 1 Chairman Blust and Commissioner Dye would not delay the subject agreement from becoming effective and would not seek additional information from the agreement parties. 20:16 Sep 27, 2006 Jkt 208001 or the offices of the Board of Governors not later than October 13, 2006. A. Federal Reserve Bank of Chicago (Patrick M. Wilder, Assistant Vice President) 230 South LaSalle Street, Chicago, Illinois 60690-1414: 1. Baytree Bancorp, Inc., Lake Forest, Illinois; to continue to engage de novo through its subsidiary, Baytree Bancorp, Investments, Inc., Lake Forest, Illinois, in riskless–principal transactions, pursuant to section 225.28(b)(7)(ii) of Regulation Y. Board of Governors of the Federal Reserve System, September 25, 2006. Robert deV. Frierson, Deputy Secretary of the Board. [FR Doc.E6–15928 Filed 9–27–06; 8:45 am] BILLING CODE 6210–01–S GENERAL SERVICES ADMINISTRATION Privacy Act of 1974; Proposed Privacy Act System of Records General Services Administration. ACTION: Notice of Privacy Act system of records. AGENCY: FEDERAL RESERVE SYSTEM VerDate Aug<31>2005 56983 Notice of Proposals to Engage in Permissible Nonbanking Activities or to Acquire Companies that are Engaged in Permissible Nonbanking Activities The companies listed in this notice have given notice under section 4 of the Bank Holding Company Act (12 U.S.C. 1843) (BHC Act) and Regulation Y (12 CFR Part 225) to engage de novo, or to acquire or control voting securities or assets of a company, including the companies listed below, that engages either directly or through a subsidiary or other company, in a nonbanking activity that is listed in § 225.28 of Regulation Y (12 CFR 225.28) or that the Board has determined by Order to be closely related to banking and permissible for bank holding companies. Unless otherwise noted, these activities will be conducted throughout the United States. Each notice is available for inspection at the Federal Reserve Bank indicated. The notice also will be available for inspection at the offices of the Board of Governors. Interested persons may express their views in writing on the question whether the proposal complies with the standards of section 4 of the BHC Act. Additional information on all bank holding companies may be obtained from the National Information Center website at www.ffiec.gov/nic/. Unless otherwise noted, comments regarding the applications must be received at the Reserve Bank indicated PO 00000 Frm 00035 Fmt 4703 Sfmt 4703 SUMMARY: Pursuant to the Privacy Act of 1974, the General Services Administration (GSA) proposes to establish a new system of records titled the Federal Personal Identity Verification Identity Management System (PIV IDMS) (GSA–GOVT–7). This system will support the implementation of Homeland Security Presidential Directive 12 (HSPD–12) by providing a GSA managed shared infrastructure and services for participating Federal agencies. HSPD– 12 requires the use of a common identification credential for both logical and physical access to federally controlled facilities and information systems. This system will enhance security, increase efficiency, reduce identity fraud, and protect personal privacy. The established system of records will be effective 30 days after publication of this Notice. ADDRESSES: Comments may be submitted to the Director, HSPD–12 Managed Service Office, Federal Acquisition Service, General Services Administration, Suite 911, 2011 Crystal Drive, Arlington, VA 22202. FOR FURTHER INFORMATION CONTACT: Director, Identity Policy and Management, Office of Governmentwide Policy, Washington, DC 20405; or call 202–208–7655. DATES: E:\FR\FM\28SEN1.SGM 28SEN1 56984 Federal Register / Vol. 71, No. 188 / Thursday, September 28, 2006 / Notices The General Services Administration’s Federal Acquisition Service (FAS) is publishing a Privacy Act system of records notice to cover the collection, use, and maintenance of records relating to its administration of managed services in the collection and management of personally identifiable information for the purpose of issuing credentials (ID badges) to meet the requirements of Homeland Security Presidential Directive 12 for multiple agencies. Homeland Security Presidential Directive 12 (HSPD–12), issued on August 27, 2004, required the establishment of a standard for identification of Federal Government employees and contractors. HSPD–12 directs the use of a common identification credential for both logical and physical access to federally controlled facilities and information systems. This policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy. HSPD–12 requires that the Federal credential be secure and reliable. As directed by the Presidential Directive, the National Institute of Standards and Technology (NIST) published the standard for secure and reliable forms of identification, Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, on February 25, 2005 and an update as FIPS 201–1 on June 26, 2006. HSPD–12 established four control objectives for Federal agencies to accomplish in implementing the directive: • Issue identification credentials based on sound criteria to verify an individual’s identity; • Issue credentials that are strongly resistant to fraud, tampering, counterfeiting, and terrorist exploitation; • Provide for rapid, electronic authentication of personal identity; and • Issue credentials by providers whose reliability has been established through an official accreditation process. FIPS 201 has two parts: PIV I and PIV II. The requirements in PIV I support the control objectives and identity verification and security requirements described in FIPS 201, including the requirement for standard background investigation for all Federal employees and long-term contractors. PIV II specifies standards for PIV credentials to support technical interoperability and security for all HSPD–12 deployments. sroberts on PROD1PC70 with NOTICES SUPPLEMENTARY INFORMATION: VerDate Aug<31>2005 20:16 Sep 27, 2006 Jkt 208001 The Office of Management and Budget issued government-wide implementation guidance (M–05–24) for HSPD–12 on August 5, 2005. This implementation guidance required agencies to begin to issue identity credentials compliant with the PIV II requirements of FIPS 201 beginning October 27, 2006. OMB formed the HSPD–12 Executive Steering Committee (ESC) in November 2005 to establish broad direction to assist agencies in meeting HSPD–12 implementation requirements. As a key initiative to assist government-wide implementation efforts, the ESC asked for lead agencies to provide common infrastructure for agencies to share in meeting implementation requirements. In response to the HSPD ESC direction, GSA established the HSPD–12 Managed Service Office (MSO) to provide common, shared infrastructure and services to assist Federal agencies in the implementation of HSPD–12. GSA is offering the HSPD–12 managed services on a government-wide basis; any agency can sign up to use the shared infrastructure and services. The scope of the GSA HSPD–12 managed services consist of enrollment services, systems infrastructure through a centralized PIV Identity Management System (IDMS), card production facility, and card activation, finalization and issuance. GSA will initially provide the HSPD–12 managed services in four locations to demonstrate the initial operating capability in Atlanta, New York City, Seattle, and Washington DC. All other localities within a Federal presence will be serviced over time. The managed services provide for the enrollment of applicants in the PIV program in compliance with FIPS PIV I requirements, the issuance of PIV II compliant PIV cards and credentials, and the maintenance of systems records. The initial operating capability will be a combination of manual and automated processes. Following the initial operating capability, GSA will begin to roll out enrollment stations and operating capability to additional locations to service all user agencies. The managed service PIV enrollment process and IDMS records will cover all user agency employees, contractors and their employees, consultants, and volunteers who require long-term, routine access to federal facilities, systems, and networks. The personal information to be collected in the enrollment process will consist of data elements necessary to verify the identity of the individual and to perform background or other investigations concerning the individual. The PIV IDMS will collect data elements from PO 00000 Frm 00036 Fmt 4703 Sfmt 4703 the PIV card applicant, including: Name, date of birth, Social Security Number, organizational and employee affiliations, fingerprints, digital color photograph, work e-mail address, and phone number(s) as well additional verification and demographic information. These records also will be accessible to authorized personnel of participating Federal agencies for their PIV applicants. The Privacy Act embodies fair information principles in a statutory framework governing the means by which the United States Government collects, maintains, uses and disseminates personally identifiable information. The Privacy Act applies to information that a Federal agency maintains in a ‘‘system of records.’’ A ‘‘system of records’’ is a group of any records under the control of an agency from which the agency retrieves personal information by the name of the individual or by some identifying number, symbol, or other identifying particular assigned to the individual. The GSA HSPD–12 Identity Management System is such a system of records. GSA will provide controlled access to the records of the PIV IDMS to participating Federal agencies for their PIV applicants. Participating agencies will need to determine whether any updates to their existing Privacy Act System of Records Notices are required. Dated: September 21, 2006. Cheryl Paige, Acting Director, Office of Information Management. GSA/GOVT–7 SYSTEM NAME: Personal Identity Verification Identity Management System (PIV IDMS) SECURITY CLASSIFICATION: Sensitive but unclassified. SYSTEM LOCATION: Records covered by this system are maintained by a contractor at the contractor’s site. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The PIV IDMS records will cover all participating agency employees, contractors and their employees, consultants, and volunteers who require routine, long-term access to federal facilities, information technology systems, and networks. The system also includes individuals authorized to perform or use services provided in agency facilities (e.g., Credit Union, Fitness Center, etc.). At their discretion, participating Federal agencies may include short-term employees and contractors in the PIV E:\FR\FM\28SEN1.SGM 28SEN1 Federal Register / Vol. 71, No. 188 / Thursday, September 28, 2006 / Notices program and, therefore, inclusion in the PIV IDMS. Federal agencies shall make risk-based decisions to determine whether to issue PIV cards and require prerequisite background checks for short-term employees and contractors. The system does not apply to occasional visitors or short-term guests. GSA and participating agencies will issue temporary identification and credentials for this purpose. sroberts on PROD1PC70 with NOTICES CATEGORIES OF RECORDS IN THE SYSTEM: Enrollment records maintained in the PIV IDMS on individuals applying for the PIV program and a PIV credential through the GSA HSPD–12 managed service include the following data fields: full name; Social Security Number; Applicant ID number, date of birth; current address; digital color photograph; fingerprints; biometric template (two fingerprints); organization/office of assignment; employee affiliation; work e-mail address; work telephone number(s); office address; copies of identity source documents; employee status; military status; foreign national status; federal emergency response official status; law enforcement official status; results of background check; Government agency code; and PIV card issuance location. Records in the PIV IDMS needed for credential management for enrolled individuals in the PIV program include: PIV card serial number; digital certificate(s) serial number; PIV card issuance and expiration dates; PIV card PIN; Cardholder Unique Identifier (CHUID); and card management keys. Agencies may also choose to collect the following data at PIV enrollment which would also be maintained in the PIV IDMS: physical characteristics (e.g., height, weight, and eye and hair color). Individuals enrolled in the PIV managed service will be issued a PIV card. The PIV card contains the following mandatory visual personally identifiable information: name, photograph, employee affiliation, organizational affiliation, PIV card expiration date, agency card serial number, and color-coding for employee affiliation. Agencies may choose to have the following optional personally identifiable information printed on the card: Cardholder physical characteristics (height, weight, and eye and hair color). The card also contains an integrated circuit chip which is encoded with the following mandatory data elements which comprise the standard data model for PIV logical credentials: PIV card PIN, cardholder unique identifier (CHUID), PIV authentication digital certificate, and two fingerprint biometric templates. The VerDate Aug<31>2005 20:16 Sep 27, 2006 Jkt 208001 PIV data model may be optionally extended by agencies to include the following logical credentials: digital certificate for digital signature, digital certificate for key management, card authentication keys, and card management system keys. All PIV logical credentials can only be read by machine. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 5 U.S.C. 301; Federal Information Security Management Act (Pub. L. 107– 296, Sec. 3544); E-Government Act (Pub. L. 107–347, Sec. 203); Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et al) and Government Paperwork Elimination Act (Pub. L. 105–277, 44 U.S.C. 3504); Homeland Security Presidential Directive 12 (HSPD–12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004; Federal Property and Administrative Services Act of 1949, as amended. PURPOSES: The primary purposes of the system are: To ensure the safety and security of Federal facilities, systems, or information, and of facility occupants and users; to provide for interoperability and trust in allowing physical access to individuals entering Federal facilities; and to allow logical access to Federal information systems, networks, and resources on a government-wide basis. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: In addition to those disclosures generally permitted under 5 U.S.C. Section 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside GSA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows: a. To the Department of Justice (DOJ) when: (1) The agency or any component thereof; or (2) any employee of the agency in his or her official capacity; (3) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or (4) the United States Government is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by DOJ and is therefore deemed by the agency to be for a purpose compatible with the purpose for which the agency collected the records. b. To a court or adjudicative body in a proceeding when: (1) The agency or PO 00000 Frm 00037 Fmt 4703 Sfmt 4703 56985 any component thereof; (2) any employee of the agency in his or her official capacity; (3) any employee of the agency in his or her individual capacity where the agency or the Department of Justice has agreed to represent the employee; or (4) the United States Government is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records and is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records. c. Except as noted on Forms SF 85, SF 85–P, and SF 86, when a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether Federal, foreign, State, local, or tribal, or otherwise, responsible for enforcing, investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutorial responsibility of the receiving entity. d. To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained. e. To the National Archives and Records Administration (NARA) or to the General Services Administration for records management inspections conducted under 44 U.S.C. 2904 and 2906. f. To agency contractors, grantees, or volunteers who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform their activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a, the Federal Information Security Management Act (Pub. L. 107–296), and associated OMB policies, standards and guidance from the National Institute of Standards and Technology, and the General Services Administration. g. To a Federal agency, State, local, foreign, or tribal or other public E:\FR\FM\28SEN1.SGM 28SEN1 56986 Federal Register / Vol. 71, No. 188 / Thursday, September 28, 2006 / Notices sroberts on PROD1PC70 with NOTICES authority, on request, in connection with the hiring or retention of an employee, the issuance or retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit, to the extent that the information is relevant and necessary to the requesting agency’s decision. h. To the Office of Management and Budget (OMB) when necessary to the review of private relief legislation pursuant to OMB Circular No. A–19. i. To a Federal, State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947, as amended; the CIA Act of 1949, as amended; Executive Order 12333 or any successor order; and applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders, or directives. j. To designated agency personnel for controlled access to specific records for the purposes of performing authorized audit or authorized oversight and administrative functions. All access is controlled systematically through authentication using PIV credentials based on access and authorization rules for specific audit and administrative functions. k. To the Office of Personnel Management (OPM) in accordance with the agency’s responsibility for evaluation of Federal personnel management. l. To the Federal Bureau of Investigation for the FBI National Criminal History check. m. To a Federal, State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended; the CIA Act of 1949 as amended; Executive Order 12333 or any successor order; and applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders or directives. RETRIEVABILITY: NOTIFICATION PROCEDURE: Records may be retrieved by name of the individual, Cardholder Unique Identification Number, Applicant ID, Social Security Number, and/or by any other unique individual identifier. A request for access to records in this system may be made by writing to the System Manager. When requesting notification of or access to records covered by this Notice, an individual should provide his/her full name, date of birth, agency name, and work location. An individual requesting notification of records in person must provide identity documents sufficient to satisfy the custodian of the records that the requester is entitled to access, such as a government-issued photo ID. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING OF RECORDS IN THE SYSTEM: SYSTEM MANAGER AND ADDRESS: STORAGE: Records are stored in electronic media and in paper files. VerDate Aug<31>2005 20:16 Sep 27, 2006 Jkt 208001 SAFEGUARDS: Consistent with the requirements of the Federal Information Security Management Act (Pub. L. 107–296), and associated OMB policies, standards and guidance from the National Institute of Standards and Technology, and the General Services Administration, the GSA HSPD–12 managed service office protects all records from unauthorized access through appropriate administrative, physical, and technical safeguards. Access is restricted on a ‘‘need to know’’ basis, utilization of PIV Card access, secure VPN for web access, and locks on doors and approved storage containers. Buildings have security guards and secured doors. All entrances are monitored through electronic surveillance equipment. The hosting facility is supported by 24/7 onsite hosting and network monitoring by trained technical staff. Physical security controls include: Indoor and outdoor security monitoring and surveillance; badge and picture ID access screening; biometric access screening. Personally identifiable information is safeguarded and protected in conformance with all Federal statutory and OMB guidance requirements. All access has role-based restrictions, and individuals with access privileges have undergone vetting and suitability screening. All data is encrypted in transit. While it is not contemplated, any system records stored on mobile computers or mobile devices will be encrypted. GSA maintains an audit trail and performs random periodic reviews to identify unauthorized access. Persons given roles in the PIV process must be approved by the Government and complete training specific to their roles to ensure they are knowledgeable about how to protect personally identifiable information. Disposition of records will be according to NARA disposition authority N1–269–06–1 (pending). Director, HSPD–12 Managed Service Office, Federal Acquisition Service (FAS), General Services Administration, Suite 911, 2011 Crystal Drive, Arlington, VA 22202. Frm 00038 Fmt 4703 Sfmt 4703 Same as Notification Procedure above. CONTESTING RECORD PROCEDURES: Same as Notification Procedure above. State clearly and concisely the information being contested, the reasons for contesting it, and the proposed amendment to the information sought. RECORD SOURCE CATEGORIES: Employee, contractor, or applicant; sponsoring agency; former sponsoring agency; other Federal agencies; contract employer; former employer. EXEMPTIONS CLAIMED FOR THE SYSTEM: None. [FR Doc. E6–15901 Filed 9–27–06; 8:45 am] BILLING CODE 6820–34–P DEPARTMENT OF HEALTH AND HUMAN SERVICES Meeting of the Chronic Fatigue Syndrome Advisory Committee Department of Health and Human Services, Office of the Secretary, Office of Public Health and Science. ACTION: Notice. AGENCY: SUMMARY: As stipulated in the Federal Advisory Committee Act, the U.S. Department of Health and Human Services is hereby giving notice that the Chronic Fatigue Syndrome Advisory Committee (CFSAC) will hold a meeting. The meeting is open to the public. The meeting will be held on Monday and Tuesday, November 20–21, 2006 from 9 a.m. to 5 p.m. each day. ADDRESSES: Department of Health and Human Services; Room 800 Hubert H. Humphrey Building; 200 Independence Avenue, SW., Washington, DC 20201. FOR FURTHER INFORMATION CONTACT: CDR John Eckert; Acting Executive Secretary, Chronic Fatigue Syndrome Advisory Committee; Department of Health and Human Services; 200 Independence DATES: RETENTION AND DISPOSAL: PO 00000 RECORD ACCESS PROCEDURES: E:\FR\FM\28SEN1.SGM 28SEN1

Agencies

[Federal Register Volume 71, Number 188 (Thursday, September 28, 2006)]
[Notices]
[Pages 56983-56986]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E6-15901]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION


Privacy Act of 1974; Proposed Privacy Act System of Records

AGENCY: General Services Administration.

ACTION: Notice of Privacy Act system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974, the General Services 
Administration (GSA) proposes to establish a new system of records 
titled the Federal Personal Identity Verification Identity Management 
System (PIV IDMS) (GSA-GOVT-7). This system will support the 
implementation of Homeland Security Presidential Directive 12 (HSPD-12) 
by providing a GSA managed shared infrastructure and services for 
participating Federal agencies. HSPD-12 requires the use of a common 
identification credential for both logical and physical access to 
federally controlled facilities and information systems. This system 
will enhance security, increase efficiency, reduce identity fraud, and 
protect personal privacy.

DATES: The established system of records will be effective 30 days 
after publication of this Notice.

ADDRESSES: Comments may be submitted to the Director, HSPD-12 Managed 
Service Office, Federal Acquisition Service, General Services 
Administration, Suite 911, 2011 Crystal Drive, Arlington, VA 22202.

FOR FURTHER INFORMATION CONTACT: Director, Identity Policy and 
Management, Office of Governmentwide Policy, Washington, DC 20405; or 
call 202-208-7655.

[[Page 56984]]


SUPPLEMENTARY INFORMATION: The General Services Administration's 
Federal Acquisition Service (FAS) is publishing a Privacy Act system of 
records notice to cover the collection, use, and maintenance of records 
relating to its administration of managed services in the collection 
and management of personally identifiable information for the purpose 
of issuing credentials (ID badges) to meet the requirements of Homeland 
Security Presidential Directive 12 for multiple agencies.
    Homeland Security Presidential Directive 12 (HSPD-12), issued on 
August 27, 2004, required the establishment of a standard for 
identification of Federal Government employees and contractors. HSPD-12 
directs the use of a common identification credential for both logical 
and physical access to federally controlled facilities and information 
systems. This policy is intended to enhance security, increase 
efficiency, reduce identity fraud, and protect personal privacy.
    HSPD-12 requires that the Federal credential be secure and 
reliable. As directed by the Presidential Directive, the National 
Institute of Standards and Technology (NIST) published the standard for 
secure and reliable forms of identification, Federal Information 
Processing Standard Publication 201 (FIPS 201), Personal Identity 
Verification (PIV) of Federal Employees and Contractors, on February 
25, 2005 and an update as FIPS 201-1 on June 26, 2006. HSPD-12 
established four control objectives for Federal agencies to accomplish 
in implementing the directive:
     Issue identification credentials based on sound criteria 
to verify an individual's identity;
     Issue credentials that are strongly resistant to fraud, 
tampering, counterfeiting, and terrorist exploitation;
     Provide for rapid, electronic authentication of personal 
identity; and
     Issue credentials by providers whose reliability has been 
established through an official accreditation process.
    FIPS 201 has two parts: PIV I and PIV II. The requirements in PIV I 
support the control objectives and identity verification and security 
requirements described in FIPS 201, including the requirement for 
standard background investigation for all Federal employees and long-
term contractors. PIV II specifies standards for PIV credentials to 
support technical interoperability and security for all HSPD-12 
deployments.
    The Office of Management and Budget issued government-wide 
implementation guidance (M-05-24) for HSPD-12 on August 5, 2005. This 
implementation guidance required agencies to begin to issue identity 
credentials compliant with the PIV II requirements of FIPS 201 
beginning October 27, 2006. OMB formed the HSPD-12 Executive Steering 
Committee (ESC) in November 2005 to establish broad direction to assist 
agencies in meeting HSPD-12 implementation requirements. As a key 
initiative to assist government-wide implementation efforts, the ESC 
asked for lead agencies to provide common infrastructure for agencies 
to share in meeting implementation requirements.
    In response to the HSPD ESC direction, GSA established the HSPD-12 
Managed Service Office (MSO) to provide common, shared infrastructure 
and services to assist Federal agencies in the implementation of HSPD-
12. GSA is offering the HSPD-12 managed services on a government-wide 
basis; any agency can sign up to use the shared infrastructure and 
services. The scope of the GSA HSPD-12 managed services consist of 
enrollment services, systems infrastructure through a centralized PIV 
Identity Management System (IDMS), card production facility, and card 
activation, finalization and issuance. GSA will initially provide the 
HSPD-12 managed services in four locations to demonstrate the initial 
operating capability in Atlanta, New York City, Seattle, and Washington 
DC. All other localities within a Federal presence will be serviced 
over time. The managed services provide for the enrollment of 
applicants in the PIV program in compliance with FIPS PIV I 
requirements, the issuance of PIV II compliant PIV cards and 
credentials, and the maintenance of systems records. The initial 
operating capability will be a combination of manual and automated 
processes. Following the initial operating capability, GSA will begin 
to roll out enrollment stations and operating capability to additional 
locations to service all user agencies.
    The managed service PIV enrollment process and IDMS records will 
cover all user agency employees, contractors and their employees, 
consultants, and volunteers who require long-term, routine access to 
federal facilities, systems, and networks. The personal information to 
be collected in the enrollment process will consist of data elements 
necessary to verify the identity of the individual and to perform 
background or other investigations concerning the individual. The PIV 
IDMS will collect data elements from the PIV card applicant, including: 
Name, date of birth, Social Security Number, organizational and 
employee affiliations, fingerprints, digital color photograph, work e-
mail address, and phone number(s) as well additional verification and 
demographic information. These records also will be accessible to 
authorized personnel of participating Federal agencies for their PIV 
applicants. The Privacy Act embodies fair information principles in a 
statutory framework governing the means by which the United States 
Government collects, maintains, uses and disseminates personally 
identifiable information. The Privacy Act applies to information that a 
Federal agency maintains in a ``system of records.'' A ``system of 
records'' is a group of any records under the control of an agency from 
which the agency retrieves personal information by the name of the 
individual or by some identifying number, symbol, or other identifying 
particular assigned to the individual. The GSA HSPD-12 Identity 
Management System is such a system of records. GSA will provide 
controlled access to the records of the PIV IDMS to participating 
Federal agencies for their PIV applicants. Participating agencies will 
need to determine whether any updates to their existing Privacy Act 
System of Records Notices are required.

    Dated: September 21, 2006.
Cheryl Paige,
Acting Director, Office of Information Management.
GSA/GOVT-7

System Name:
    Personal Identity Verification Identity Management System (PIV 
IDMS)

Security Classification:
    Sensitive but unclassified.

System Location:
    Records covered by this system are maintained by a contractor at 
the contractor's site.

Categories Of Individuals Covered By The System:
    The PIV IDMS records will cover all participating agency employees, 
contractors and their employees, consultants, and volunteers who 
require routine, long-term access to federal facilities, information 
technology systems, and networks. The system also includes individuals 
authorized to perform or use services provided in agency facilities 
(e.g., Credit Union, Fitness Center, etc.).
    At their discretion, participating Federal agencies may include 
short-term employees and contractors in the PIV

[[Page 56985]]

program and, therefore, inclusion in the PIV IDMS. Federal agencies 
shall make risk-based decisions to determine whether to issue PIV cards 
and require prerequisite background checks for short-term employees and 
contractors.
    The system does not apply to occasional visitors or short-term 
guests. GSA and participating agencies will issue temporary 
identification and credentials for this purpose.

Categories Of Records In The System:
    Enrollment records maintained in the PIV IDMS on individuals 
applying for the PIV program and a PIV credential through the GSA HSPD-
12 managed service include the following data fields: full name; Social 
Security Number; Applicant ID number, date of birth; current address; 
digital color photograph; fingerprints; biometric template (two 
fingerprints); organization/office of assignment; employee affiliation; 
work e-mail address; work telephone number(s); office address; copies 
of identity source documents; employee status; military status; foreign 
national status; federal emergency response official status; law 
enforcement official status; results of background check; Government 
agency code; and PIV card issuance location. Records in the PIV IDMS 
needed for credential management for enrolled individuals in the PIV 
program include: PIV card serial number; digital certificate(s) serial 
number; PIV card issuance and expiration dates; PIV card PIN; 
Cardholder Unique Identifier (CHUID); and card management keys. 
Agencies may also choose to collect the following data at PIV 
enrollment which would also be maintained in the PIV IDMS: physical 
characteristics (e.g., height, weight, and eye and hair color).
    Individuals enrolled in the PIV managed service will be issued a 
PIV card. The PIV card contains the following mandatory visual 
personally identifiable information: name, photograph, employee 
affiliation, organizational affiliation, PIV card expiration date, 
agency card serial number, and color-coding for employee affiliation. 
Agencies may choose to have the following optional personally 
identifiable information printed on the card: Cardholder physical 
characteristics (height, weight, and eye and hair color). The card also 
contains an integrated circuit chip which is encoded with the following 
mandatory data elements which comprise the standard data model for PIV 
logical credentials: PIV card PIN, cardholder unique identifier 
(CHUID), PIV authentication digital certificate, and two fingerprint 
biometric templates. The PIV data model may be optionally extended by 
agencies to include the following logical credentials: digital 
certificate for digital signature, digital certificate for key 
management, card authentication keys, and card management system keys. 
All PIV logical credentials can only be read by machine.

Authority For Maintenance Of The System:
    5 U.S.C. 301; Federal Information Security Management Act (Pub. L. 
107-296, Sec. 3544); E-Government Act (Pub. L. 107-347, Sec. 203); 
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et al) and Government 
Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 3504); Homeland 
Security Presidential Directive 12 (HSPD-12), Policy for a Common 
Identification Standard for Federal Employees and Contractors, August 
27, 2004; Federal Property and Administrative Services Act of 1949, as 
amended.

Purposes:
    The primary purposes of the system are: To ensure the safety and 
security of Federal facilities, systems, or information, and of 
facility occupants and users; to provide for interoperability and trust 
in allowing physical access to individuals entering Federal facilities; 
and to allow logical access to Federal information systems, networks, 
and resources on a government-wide basis.

Routine Uses of Records Maintained in the System Including Categories 
of Users and the Purposes of Such Uses:
    In addition to those disclosures generally permitted under 5 U.S.C. 
Section 552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside GSA as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To the Department of Justice (DOJ) when: (1) The agency or any 
component thereof; or (2) any employee of the agency in his or her 
official capacity; (3) any employee of the agency in his or her 
individual capacity where agency or the Department of Justice has 
agreed to represent the employee; or (4) the United States Government 
is a party to litigation or has an interest in such litigation, and by 
careful review, the agency determines that the records are both 
relevant and necessary to the litigation and the use of such records by 
DOJ and is therefore deemed by the agency to be for a purpose 
compatible with the purpose for which the agency collected the records.
    b. To a court or adjudicative body in a proceeding when: (1) The 
agency or any component thereof; (2) any employee of the agency in his 
or her official capacity; (3) any employee of the agency in his or her 
individual capacity where the agency or the Department of Justice has 
agreed to represent the employee; or (4) the United States Government 
is a party to litigation or has an interest in such litigation, and by 
careful review, the agency determines that the records are both 
relevant and necessary to the litigation and the use of such records 
and is therefore deemed by the agency to be for a purpose that is 
compatible with the purpose for which the agency collected the records.
    c. Except as noted on Forms SF 85, SF 85-P, and SF 86, when a 
record on its face, or in conjunction with other records, indicates a 
violation or potential violation of law, whether civil, criminal, or 
regulatory in nature, and whether arising by general statute or 
particular program statute, or by regulation, rule, or order issued 
pursuant thereto, disclosure may be made to the appropriate public 
authority, whether Federal, foreign, State, local, or tribal, or 
otherwise, responsible for enforcing, investigating or prosecuting such 
violation or charged with enforcing or implementing the statute, or 
rule, regulation, or order issued pursuant thereto, if the information 
disclosed is relevant to any enforcement, regulatory, investigative or 
prosecutorial responsibility of the receiving entity.
    d. To a Member of Congress or to a Congressional staff member in 
response to an inquiry of the Congressional office made at the written 
request of the constituent about whom the record is maintained.
    e. To the National Archives and Records Administration (NARA) or to 
the General Services Administration for records management inspections 
conducted under 44 U.S.C. 2904 and 2906.
    f. To agency contractors, grantees, or volunteers who have been 
engaged to assist the agency in the performance of a contract service, 
grant, cooperative agreement, or other activity related to this system 
of records and who need to have access to the records in order to 
perform their activity. Recipients shall be required to comply with the 
requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a, the 
Federal Information Security Management Act (Pub. L. 107-296), and 
associated OMB policies, standards and guidance from the National 
Institute of Standards and Technology, and the General Services 
Administration.
    g. To a Federal agency, State, local, foreign, or tribal or other 
public

[[Page 56986]]

authority, on request, in connection with the hiring or retention of an 
employee, the issuance or retention of a security clearance, the 
letting of a contract, or the issuance or retention of a license, 
grant, or other benefit, to the extent that the information is relevant 
and necessary to the requesting agency's decision.
    h. To the Office of Management and Budget (OMB) when necessary to 
the review of private relief legislation pursuant to OMB Circular No. 
A-19.
    i. To a Federal, State, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947, as amended; the CIA Act of 1949, as amended; Executive Order 
12333 or any successor order; and applicable national security 
directives, or classified implementing procedures approved by the 
Attorney General and promulgated pursuant to such statutes, orders, or 
directives.
    j. To designated agency personnel for controlled access to specific 
records for the purposes of performing authorized audit or authorized 
oversight and administrative functions. All access is controlled 
systematically through authentication using PIV credentials based on 
access and authorization rules for specific audit and administrative 
functions.
    k. To the Office of Personnel Management (OPM) in accordance with 
the agency's responsibility for evaluation of Federal personnel 
management.
    l. To the Federal Bureau of Investigation for the FBI National 
Criminal History check.
    m. To a Federal, State, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947 as amended; the CIA Act of 1949 as amended; Executive Order 12333 
or any successor order; and applicable national security directives, or 
classified implementing procedures approved by the Attorney General and 
promulgated pursuant to such statutes, orders or directives.

Policies and Practices for Storing, Retrieving, Accessing, Retaining 
and Disposing of Records in the System:
Storage:
    Records are stored in electronic media and in paper files.

Retrievability:
    Records may be retrieved by name of the individual, Cardholder 
Unique Identification Number, Applicant ID, Social Security Number, 
and/or by any other unique individual identifier.

Safeguards:
    Consistent with the requirements of the Federal Information 
Security Management Act (Pub. L. 107-296), and associated OMB policies, 
standards and guidance from the National Institute of Standards and 
Technology, and the General Services Administration, the GSA HSPD-12 
managed service office protects all records from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
Access is restricted on a ``need to know'' basis, utilization of PIV 
Card access, secure VPN for web access, and locks on doors and approved 
storage containers. Buildings have security guards and secured doors. 
All entrances are monitored through electronic surveillance equipment. 
The hosting facility is supported by 24/7 onsite hosting and network 
monitoring by trained technical staff. Physical security controls 
include: Indoor and outdoor security monitoring and surveillance; badge 
and picture ID access screening; biometric access screening. Personally 
identifiable information is safeguarded and protected in conformance 
with all Federal statutory and OMB guidance requirements. All access 
has role-based restrictions, and individuals with access privileges 
have undergone vetting and suitability screening. All data is encrypted 
in transit. While it is not contemplated, any system records stored on 
mobile computers or mobile devices will be encrypted. GSA maintains an 
audit trail and performs random periodic reviews to identify 
unauthorized access. Persons given roles in the PIV process must be 
approved by the Government and complete training specific to their 
roles to ensure they are knowledgeable about how to protect personally 
identifiable information.

Retention And Disposal:
    Disposition of records will be according to NARA disposition 
authority N1-269-06-1 (pending).

System Manager And Address:
    Director, HSPD-12 Managed Service Office, Federal Acquisition 
Service (FAS), General Services Administration, Suite 911, 2011 Crystal 
Drive, Arlington, VA 22202.

Notification Procedure:
    A request for access to records in this system may be made by 
writing to the System Manager. When requesting notification of or 
access to records covered by this Notice, an individual should provide 
his/her full name, date of birth, agency name, and work location. An 
individual requesting notification of records in person must provide 
identity documents sufficient to satisfy the custodian of the records 
that the requester is entitled to access, such as a government-issued 
photo ID.

Record Access Procedures:
    Same as Notification Procedure above.

Contesting Record Procedures:
    Same as Notification Procedure above. State clearly and concisely 
the information being contested, the reasons for contesting it, and the 
proposed amendment to the information sought.

Record Source Categories:
    Employee, contractor, or applicant; sponsoring agency; former 
sponsoring agency; other Federal agencies; contract employer; former 
employer.

Exemptions Claimed For The System:
    None.

 [FR Doc. E6-15901 Filed 9-27-06; 8:45 am]
BILLING CODE 6820-34-P