Privacy Act of 1974; Notice of Updated Systems of Records, 22377-22380 [E8-8884]

Download as PDF sroberts on PROD1PC70 with NOTICES Federal Register / Vol. 73, No. 81 / Friday, April 25, 2008 / Notices prosecuting, enforcing, or carrying out a statute, rule, regulation, or order, where an agency becomes aware of a violation or potential violation of civil or criminal law or regulation. b. To an appeal, grievance, or formal complaints examiner; equal employment opportunity investigator; arbitrator; or other official engaged in investigating, or settling a grievance, complaint, or appeal filed by an individual who is the subject of the record. c. To officials of labor organizations recognized under Public Law 95–454, when necessary to their duties of exclusive representation on personnel policies, practices, and matters affecting working conditions. d. To another Federal agency in connection with the hiring or retention of an employee; the issuance of a security clearance; the reporting of an investigation; clarifying a job; the letting of a contract; or the issuance of a grant, license, or other benefit to the extent that the information is relevant and necessary to a decision. e. To the Office of Personnel Management (OPM), the Office of Management and Budget (OMB), the Government Accountability Office (GAO) or other Federal agency when the information is required for program evaluation purposes. f. To a Member of Congress or staff on behalf of and at the request of the individual who is the subject of the record. g. To the National Archives and Records Administration (NARA) for records management purposes. h. To an expert, consultant, or contractor in the performance of a Federal duty to which the information is relevant, including issuance of charge cards. i. To GSA in the form of listings, reports, and records of all transportation related transactions, including refunds and adjustments, by the contractor to enable audits of transportation related charges to the Government. j. To GSA contract agents assigned to participating agencies for billing of purchase expenses. k. To agency finance offices for debt collection purposes. l. To appropriate agencies, entities, and persons when (1) the Agency suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Agency has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or VerDate Aug<31>2005 20:20 Apr 24, 2008 Jkt 214001 integrity of this system or other systems or programs (whether maintained by GSA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with GSA’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF SYSTEM RECORDS: STORAGE: Information may be collected on paper or electronically and may be stored on paper or on electronic media, as appropriate. RETRIEVABILITY: Records may be retrieved by name, Social Security Number, credit card number, and/or other personal identifier or appropriate type of designation. SAFEGUARDS: System records are safeguarded in accordance with the requirements of the Privacy Act, the Computer Security Act, and OMB Circular A–130. Technical, administrative, and personnel security measures are implemented to ensure confidentiality and integrity of the system data stored, processed, and transmitted. Paper records are stored in secure cabinets or rooms. Electronic records are protected by passwords and other appropriate security measures. RETENTION AND DISPOSAL: Disposition of records is according to the National Archives and Records Administration (NARA) guidelines, as set forth in the handbook, GSA Records Maintenance and Disposition System (OAD P 1820.2A and CIO P 1820.1), authorized GSA records schedules, and by individual agencies. SYSTEM MANAGER AND ADDRESS: Director, Office of Commercial Acquisition (FC), General Services Administration, 1901 South Bell Street, Arlington VA 22202. Also, officials responsible for individual agency purchase card programs using the SmartPay system. NOTIFICATION PROCEDURE: Individuals may obtain information about their records from the purchase charge card program manager of the agency for which they transact purchases. RECORD ACCESS PROCEDURES: Requests from individuals for access to their records should be addressed to PO 00000 Frm 00057 Fmt 4703 Sfmt 4703 22377 their agency’s purchase charge card program manager or to the finance office of the agency for which the individual transacts purchases. CONTESTING RECORD PROCEDURES: Individuals may access their records, contest the contents, and appeal determinations according to their agency’s rules. RECORD SOURCE CATEGORIES: Information is obtained from individuals submitting charge card applications, monthly contractor reports, purchase records, managers, other agencies, non-Federal sources such as private firms, and other agency systems containing information pertaining to the purchase charge card program. [FR Doc. E8–8883 Filed 4–24–08; 8:45 am] BILLING CODE 6820–34–P GENERAL SERVICES ADMINISTRATION Privacy Act of 1974; Notice of Updated Systems of Records General Services Administration. ACTION: Notice. AGENCY: SUMMARY: GSA reviewed its Privacy Act systems to ensure that they are relevant, necessary, accurate, up-to-date, covered by the appropriate legal or regulatory authority, and in response to OMB M– 07–16. This notice is a compilation of updated Privacy Act system of record notices. DATES: Effective May 27, 2008. Call or e-mail the GSA Privacy Act Officer: Telephone 202–208–1317; e-mail gsa.privacyact@gsa.gov. FOR FURTHER INFORMATION CONTACT: GSA Privacy Act Officer (CIB), General Services Administration, 1800 F Street, NW., Washington, DC 20405. ADDRESSES: GSA undertook and completed an agency wide review of its Privacy Act systems of records. As a result of the review GSA is publishing updated Privacy Act systems of records notices. Rather than make numerous piecemeal revisions, GSA is republishing updated notices for one of its systems. Nothing in the revised system notices indicates a change in authorities or practices regarding the collection and maintenance of information. Nor do the changes impact individuals’ rights to access or amend their records in the systems of records. The updated system SUPPLEMENTARY INFORMATION: E:\FR\FM\25APN1.SGM 25APN1 22378 Federal Register / Vol. 73, No. 81 / Friday, April 25, 2008 / Notices notices also include the new requirement from OMB Memorandum M–07–16 regarding a new routine use that allows agencies to disclose information in connection with a response and remedial efforts in the event of a data breach. Dated: April 16, 2008. Cheryl M. Paige, Director, Office of Information Management. GSA/GOVT–7 SYSTEM NAME: Personal Identity Verification Identity Management System (PIV IDMS). SECURITY CLASSIFICATION: Sensitive but unclassified. SYSTEM LOCATION: Records covered by this system are maintained by a contractor at the contractor’s site. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: The PIV IDMS records will cover all participating agency employees, contractors and their employees, consultants, and volunteers who require routine, long-term access to federal facilities, information technology systems, and networks. The system also includes individuals authorized to perform or use services provided in agency facilities (e.g., Credit Union, Fitness Center, etc.). At their discretion, participating Federal agencies may include short-term employees and contractors in the PIV program and, therefore, inclusion in the PIV IDMS. Federal agencies shall make risk-based decisions to determine whether to issue PIV cards and require prerequisite background checks for short-term employees and contractors. The system does not apply to occasional visitors or short-term guests. GSA and participating agencies will issue temporary identification and credentials for this purpose. sroberts on PROD1PC70 with NOTICES CATEGORIES OF RECORDS IN THE SYSTEM: Enrollment records maintained in the PIV IDMS on individuals applying for the PIV program and a PIV credential through the GSA HSPD–12 managed service include the following data fields: Full name; Social Security Number; Applicant ID number, date of birth; current address; digital color photograph; fingerprints; biometric template (two fingerprints); organization/office of assignment; employee affiliation; work e-mail address; work telephone number(s); office address; copies of identity source documents; employee status; military status; foreign national status; federal VerDate Aug<31>2005 20:20 Apr 24, 2008 Jkt 214001 emergency response official status; law enforcement official status; results of background check; Government agency code; and PIV card issuance location. Records in the PIV IDMS needed for credential management for enrolled individuals in the PIV program include: PIV card serial number; digital certificate(s) serial number; PIV card issuance and expiration dates; PIV card PIN; Cardholder Unique Identifier (CHUID); and card management keys. Agencies may also choose to collect the following data at PIV enrollment which would also be maintained in the PIV IDMS: Physical characteristics (e.g., height, weight, and eye and hair color). Individuals enrolled in the PIV managed service will be issued a PIV card. The PIV card contains the following mandatory visual personally identifiable information: Name, photograph, employee affiliation, organizational affiliation, PIV card expiration date, agency card serial number, and colorcoding for employee affiliation. Agencies may choose to have the following optional personally identifiable information printed on the card: Cardholder physical characteristics (height, weight, and eye and hair color). The card also contains an integrated circuit chip which is encoded with the following mandatory data elements which comprise the standard data model for PIV logical credentials: PIV card PIN, cardholder unique identifier (CHUID), PIV authentication digital certificate, and two fingerprint biometric templates. The PIV data model may be optionally extended by agencies to include the following logical credentials: Digital certificate for digital signature, digital certificate for key management, card authentication keys, and card management system keys. All PIV logical credentials can only be read by machine. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 5 U.S.C. 301; Federal Information Security Management Act (Pub. L. 107– 296, Sec. 3544); E-Government Act (Pub. L. 107–347, Sec. 203); Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et al.) and Government Paperwork Elimination Act (Pub. L. 105–277, 44 U.S.C. 3504); Homeland Security Presidential Directive 12 (HSPD–12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004; Federal Property and Administrative Services Act of 1949, as amended. PURPOSES: The primary purposes of the system are: To ensure the safety and security of PO 00000 Frm 00058 Fmt 4703 Sfmt 4703 Federal facilities, systems, or information, and of facility occupants and users; to provide for interoperability and trust in allowing physical access to individuals entering Federal facilities; and to allow logical access to Federal information systems, networks, and resources on a government-wide basis. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: In addition to those disclosures generally permitted under 5 U.S.C. Section 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside GSA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows: a. To the Department of Justice (DOJ) when: (1) The agency or any component thereof; or (2) any employee of the agency in his or her official capacity; (3) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or (4) the United States Government is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by DOJ and is therefore deemed by the agency to be for a purpose compatible with the purpose for which the agency collected the records. b. To a court or adjudicative body in a proceeding when: (1) The agency or any component thereof; (2) any employee of the agency in his or her official capacity; (3) any employee of the agency in his or her individual capacity where the agency or the Department of Justice has agreed to represent the employee; or (4) the United States Government is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records and is therefore deemed by the agency to be for a purpose that is compatible with the purpose for which the agency collected the records. c. Except as noted on Forms SF 85, SF 85–P, and SF 86, when a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate public authority, whether Federal, foreign, State, local, or tribal, or otherwise, E:\FR\FM\25APN1.SGM 25APN1 sroberts on PROD1PC70 with NOTICES Federal Register / Vol. 73, No. 81 / Friday, April 25, 2008 / Notices responsible for enforcing, investigating or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutorial responsibility of the receiving entity. d. To a Member of Congress or to a Congressional staff member in response to an inquiry of the Congressional office made at the written request of the constituent about whom the record is maintained. e. To the National Archives and Records Administration (NARA) or to the General Services Administration for records management inspections conducted under 44 U.S.C. 2904 and 2906. f. To agency contractors, grantees, or volunteers who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform their activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a, the Federal Information Security Management Act (Pub. L. 107–296), and associated OMB policies, standards and guidance from the National Institute of Standards and Technology, and the General Services Administration. g. To a Federal agency, State, local, foreign, or tribal or other public authority, on request, in connection with the hiring or retention of an employee, the issuance or retention of a security clearance, the letting of a contract, or the issuance or retention of a license, grant, or other benefit, to the extent that the information is relevant and necessary to the requesting agency’s decision. h. To the Office of Management and Budget (OMB) when necessary to the review of private relief legislation pursuant to OMB Circular No. A–19. i. To a Federal, State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947, as amended; the CIA Act of 1949, as amended; Executive Order 12333 or any successor order; and applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders, or Directives. VerDate Aug<31>2005 20:20 Apr 24, 2008 Jkt 214001 j. To designated agency personnel for controlled access to specific records for the purposes of performing authorized audit or authorized oversight and administrative functions. All access is controlled systematically through authentication using PIV credentials based on access and authorization rules for specific audit and administrative functions. k. To the Office of Personnel Management (OPM), the Office of Management and Budget (OMB), the Government Accountability Office (GAO), or other Federal agency in accordance with the agency’s responsibility for evaluation of Federal personnel management. l. To the Federal Bureau of Investigation for the FBI National Criminal History check. m. To a Federal, State, or local agency, or other appropriate entities or individuals, or through established liaison channels to selected foreign governments, in order to enable an intelligence agency to carry out its responsibilities under the National Security Act of 1947 as amended; the CIA Act of 1949 as amended; Executive Order 12333 or any successor order; and applicable national security directives, or classified implementing procedures approved by the Attorney General and promulgated pursuant to such statutes, orders or directives. n. To appropriate agencies, entities, and persons when (1) the Agency suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) the Agency has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of this system or other systems or programs (whether maintained by GSA or another agency or entity) that rely upon the compromised information; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with GSA’s efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm. POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING AND DISPOSING OF RECORDS IN THE SYSTEM: STORAGE: Records are stored in electronic media and in paper files. RETRIEVABILITY: Records may be retrieved by name of the individual, Cardholder Unique PO 00000 Frm 00059 Fmt 4703 Sfmt 4703 22379 Identification Number, Applicant ID, Social Security Number, and/or by any other unique individual identifier. SAFEGUARDS: Consistent with the requirements of the Federal Information Security Management Act (Pub. L. 107–296), and associated OMB policies, standards and guidance from the National Institute of Standards and Technology, and the General Services Administration, the GSA HSPD–12 managed service office protects all records from unauthorized access through appropriate administrative, physical, and technical safeguards. Access is restricted on a ‘‘need to know’’ basis, utilization of PIV Card access, secure VPN for Web access, and locks on doors and approved storage containers. Buildings have security guards and secured doors. All entrances are monitored through electronic surveillance equipment. The hosting facility is supported by 24/7 onsite hosting and network monitoring by trained technical staff. Physical security controls include: Indoor and outdoor security monitoring and surveillance; badge and picture ID access screening; biometric access screening. Personally identifiable information is safeguarded and protected in conformance with all Federal statutory and OMB guidance requirements. All access has role-based restrictions, and individuals with access privileges have undergone vetting and suitability screening. All data is encrypted in transit. While it is not contemplated, any system records stored on mobile computers or mobile devices will be encrypted. GSA maintains an audit trail and performs random periodic reviews to identify unauthorized access. Persons given roles in the PIV process must be approved by the Government and complete training specific to their roles to ensure they are knowledgeable about how to protect personally identifiable information. RETENTION AND DISPOSAL: Disposition of records will be according to NARA disposition authority N1–269–06–1 (pending). SYSTEM MANAGER AND ADDRESS: Director, HSPD–12 Managed Service Office, Federal Acquisition Service (FAS), General Services Administration, Suite 911, 2011 Crystal Drive, Arlington, VA 22202. NOTIFICATION PROCEDURE: A request for access to records in this system may be made by writing to the System Manager. When requesting E:\FR\FM\25APN1.SGM 25APN1 22380 Federal Register / Vol. 73, No. 81 / Friday, April 25, 2008 / Notices notification of or access to records covered by this Notice, an individual should provide his/her full name, date of birth, agency name, and work location. An individual requesting notification of records in person must provide identity documents sufficient to satisfy the custodian of the records that the requester is entitled to access, such as a government-issued photo ID. RECORD ACCESS PROCEDURES: Same as Notification Procedure above. CONTESTING RECORD PROCEDURES: Same as Notification Procedure above. State clearly and concisely the information being contested, the reasons for contesting it, and the proposed amendment to the information sought. revised system notices indicates a change in authorities or practices regarding the collection and maintenance of information. Nor do the changes impact individuals’ rights to access or amend their records in the systems of records. The updated system notices also includes the new requirement from OMB Memorandum M–07–16 regarding a new routine use that allows agencies to disclose information in connection with a response and remedial efforts in the event of a data breach. Dated: April 16, 2008. Cheryl M. Paige, Director, Office ofInformation Management. GSA/GOVT–5 SYSTEM NAME: RECORD SOURCE CATEGORIES: Employee, contractor, or applicant; sponsoring agency; former sponsoring agency; other Federal agencies; contract employer; former employer. Access Certificates for Electronic Services (ACES). SYSTEM LOCATION: GENERAL SERVICES ADMINISTRATION System records are maintained for the General Services Administration (GSA) by contractors at various physical locations. A complete list of locations is available from: Administrative Contracting Officer, FEDCAC, Federal Technology Service, General Services Administration, 7th and D Streets, SW., Room 5060, Washington, DC 20407; telephone (202) 708–6099. Privacy Act of 1974; Notice of Updated Systems of Records CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: EXEMPTIONS CLAIMED FOR THE SYSTEM: None. [FR Doc. E8–8884 Filed 4–24–08; 8:45 am] BILLING CODE 6820–34–P General Services Administration. ACTION: Notice. AGENCY: SUMMARY: GSA reviewed its Privacy Act systems to ensure that they are relevant, necessary, accurate, up-to-date, covered by the appropriate legal or regulatory authority, and in response to OMB M– 07–16. This notice is a compilation of updated Privacy Act system of record notices. DATES: Effective May 27, 2008. Call or e-mail the GSA Privacy Act Officer: telephone 202–208–1317; e-mail gsa.privacyact@gsa.gov. FOR FURTHER INFORMATION CONTACT: GSA Privacy Act Officer (CIB), General Services Administration, 1800 F Street NW., Washington, DC 20405. ADDRESSES: GSA undertook and completed an agency wide review of its Privacy Act systems of records. As a result of the review GSA is publishing updated Privacy Act systems of records notices. Rather than make numerous piecemeal revisions, GSA is republishing updated notices for one of its systems. Nothing in the sroberts on PROD1PC70 with NOTICES SUPPLEMENTARY INFORMATION: VerDate Aug<31>2005 21:24 Apr 24, 2008 Jkt 214001 Individuals covered are persons who have applied for the issuance of a digital signature certificate under the ACES program; have had their certificates amended, renewed, replaced, suspended, revoked, or denied; have used their certificates to electronically make contact with, retrieve information from, or submit information to an automated information system of a participating agency; have requested access to ACES records under the Freedom of Information Act (FOIA) or Privacy Act; and have corresponded with GSA or its ACES contractors concerning ACES services. CATEGORIES OF RECORDS IN THE SYSTEM: The system contains information needed to establish and verify the identity of ACES users, to maintain the system, and to establish accountability and audit controls. System records include: a. Applications for the issuance, amendment, renewal, replacement, or revocation of digital signature certificates under the ACES program, including evidence provided by applicants or proof of identity and authority, and sources used to verify an applicant’s identify and authority. PO 00000 Frm 00060 Fmt 4703 Sfmt 4703 b. Certificates issued. c. Certificates denied, suspended, and revoked, including reasons for denial, suspension, and revocation. d. A list of currently valid certificates. e. A list of currently invalid certificates. f. A file of individuals requesting access and those granted access to ACES information under FOIA or the Privacy Act. g. A file of individuals requesting access and those granted access for reasons other than FOIA or the Privacy Act. h. A record of validation transactions attempted on digital signature certificates issued by the system. i. A record of validation transactions completed on digital signature certificates issued by the system. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Section 5124(b) of the Clinger-Cohen Act of 1996, 40 U.S.C. 1424, which provides authority for GSA to develop and facilitate governmentwide electronic commerce resources and services, and the Paperwork Reduction Act, 44 U.S.C. 3501, et. seq., which provides authority for GSA to manage Federal information resources. PURPOSE: To establish and maintain an electronic system to facilitate secure, on-line communication between Federal automated information systems and the public, using digital signature technologies to authenticate and verify identity. ROUTINE USES OF THE SYSTEM RECORDS, INCLUDING CATEGORIES OF USERS AND THEIR PURPOSES FOR USING THE SYSTEM: Information from this system may be disclosed as a routine use: a. To GSA ACES program contractors to compile and maintain documentation on applicants for proofing applicants’ identity and their authority to access information system applications of participating agencies. b. To GSA ACES program contractors to establish and maintain documentation on information sources for verifying applicants’ identities. c. To Federal agencies participating in the ACES program to determine the validity of applicants’ digital signature certificates in an on-line, near real time environment. d. To GSA, participating Federal agencies, and ACES contractors, for ensuring proper management, ensuring data accuracy, and evaluation of the system. e. To Federal, State, local or foreign agencies responsible for investigating, E:\FR\FM\25APN1.SGM 25APN1

Agencies

[Federal Register Volume 73, Number 81 (Friday, April 25, 2008)]
[Notices]
[Pages 22377-22380]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-8884]


-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION


Privacy Act of 1974; Notice of Updated Systems of Records

AGENCY: General Services Administration.

ACTION: Notice.

-----------------------------------------------------------------------

SUMMARY: GSA reviewed its Privacy Act systems to ensure that they are 
relevant, necessary, accurate, up-to-date, covered by the appropriate 
legal or regulatory authority, and in response to OMB M-07-16. This 
notice is a compilation of updated Privacy Act system of record 
notices.

DATES: Effective May 27, 2008.

FOR FURTHER INFORMATION CONTACT: Call or e-mail the GSA Privacy Act 
Officer: Telephone 202-208-1317; e-mail gsa.privacyact@gsa.gov.

ADDRESSES: GSA Privacy Act Officer (CIB), General Services 
Administration, 1800 F Street, NW., Washington, DC 20405.

SUPPLEMENTARY INFORMATION: GSA undertook and completed an agency wide 
review of its Privacy Act systems of records. As a result of the review 
GSA is publishing updated Privacy Act systems of records notices. 
Rather than make numerous piecemeal revisions, GSA is republishing 
updated notices for one of its systems. Nothing in the revised system 
notices indicates a change in authorities or practices regarding the 
collection and maintenance of information. Nor do the changes impact 
individuals' rights to access or amend their records in the systems of 
records. The updated system

[[Page 22378]]

notices also include the new requirement from OMB Memorandum M-07-16 
regarding a new routine use that allows agencies to disclose 
information in connection with a response and remedial efforts in the 
event of a data breach.

    Dated: April 16, 2008.
Cheryl M. Paige,
Director, Office of Information Management.
GSA/GOVT-7

SYSTEM NAME:
    Personal Identity Verification Identity Management System (PIV 
IDMS).

SECURITY CLASSIFICATION:
    Sensitive but unclassified.

SYSTEM LOCATION:
    Records covered by this system are maintained by a contractor at 
the contractor's site.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    The PIV IDMS records will cover all participating agency employees, 
contractors and their employees, consultants, and volunteers who 
require routine, long-term access to federal facilities, information 
technology systems, and networks. The system also includes individuals 
authorized to perform or use services provided in agency facilities 
(e.g., Credit Union, Fitness Center, etc.).
    At their discretion, participating Federal agencies may include 
short-term employees and contractors in the PIV program and, therefore, 
inclusion in the PIV IDMS. Federal agencies shall make risk-based 
decisions to determine whether to issue PIV cards and require 
prerequisite background checks for short-term employees and 
contractors. The system does not apply to occasional visitors or short-
term guests. GSA and participating agencies will issue temporary 
identification and credentials for this purpose.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Enrollment records maintained in the PIV IDMS on individuals 
applying for the PIV program and a PIV credential through the GSA HSPD-
12 managed service include the following data fields: Full name; Social 
Security Number; Applicant ID number, date of birth; current address; 
digital color photograph; fingerprints; biometric template (two 
fingerprints); organization/office of assignment; employee affiliation; 
work e-mail address; work telephone number(s); office address; copies 
of identity source documents; employee status; military status; foreign 
national status; federal emergency response official status; law 
enforcement official status; results of background check; Government 
agency code; and PIV card issuance location. Records in the PIV IDMS 
needed for credential management for enrolled individuals in the PIV 
program include: PIV card serial number; digital certificate(s) serial 
number; PIV card issuance and expiration dates; PIV card PIN; 
Cardholder Unique Identifier (CHUID); and card management keys. 
Agencies may also choose to collect the following data at PIV 
enrollment which would also be maintained in the PIV IDMS: Physical 
characteristics (e.g., height, weight, and eye and hair color). 
Individuals enrolled in the PIV managed service will be issued a PIV 
card. The PIV card contains the following mandatory visual personally 
identifiable information: Name, photograph, employee affiliation, 
organizational affiliation, PIV card expiration date, agency card 
serial number, and color-coding for employee affiliation. Agencies may 
choose to have the following optional personally identifiable 
information printed on the card: Cardholder physical characteristics 
(height, weight, and eye and hair color). The card also contains an 
integrated circuit chip which is encoded with the following mandatory 
data elements which comprise the standard data model for PIV logical 
credentials: PIV card PIN, cardholder unique identifier (CHUID), PIV 
authentication digital certificate, and two fingerprint biometric 
templates. The PIV data model may be optionally extended by agencies to 
include the following logical credentials: Digital certificate for 
digital signature, digital certificate for key management, card 
authentication keys, and card management system keys. All PIV logical 
credentials can only be read by machine.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301; Federal Information Security Management Act (Pub. L. 
107-296, Sec. 3544); E-Government Act (Pub. L. 107-347, Sec. 203); 
Paperwork Reduction Act of 1995 (44 U.S.C. 3501 et al.) and Government 
Paperwork Elimination Act (Pub. L. 105-277, 44 U.S.C. 3504); Homeland 
Security Presidential Directive 12 (HSPD-12), Policy for a Common 
Identification Standard for Federal Employees and Contractors, August 
27, 2004; Federal Property and Administrative Services Act of 1949, as 
amended.

PURPOSES:
    The primary purposes of the system are: To ensure the safety and 
security of Federal facilities, systems, or information, and of 
facility occupants and users; to provide for interoperability and trust 
in allowing physical access to individuals entering Federal facilities; 
and to allow logical access to Federal information systems, networks, 
and resources on a government-wide basis.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
Section 552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed outside GSA as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To the Department of Justice (DOJ) when: (1) The agency or any 
component thereof; or (2) any employee of the agency in his or her 
official capacity; (3) any employee of the agency in his or her 
individual capacity where agency or the Department of Justice has 
agreed to represent the employee; or (4) the United States Government 
is a party to litigation or has an interest in such litigation, and by 
careful review, the agency determines that the records are both 
relevant and necessary to the litigation and the use of such records by 
DOJ and is therefore deemed by the agency to be for a purpose 
compatible with the purpose for which the agency collected the records.
    b. To a court or adjudicative body in a proceeding when: (1) The 
agency or any component thereof; (2) any employee of the agency in his 
or her official capacity; (3) any employee of the agency in his or her 
individual capacity where the agency or the Department of Justice has 
agreed to represent the employee; or (4) the United States Government 
is a party to litigation or has an interest in such litigation, and by 
careful review, the agency determines that the records are both 
relevant and necessary to the litigation and the use of such records 
and is therefore deemed by the agency to be for a purpose that is 
compatible with the purpose for which the agency collected the records.
    c. Except as noted on Forms SF 85, SF 85-P, and SF 86, when a 
record on its face, or in conjunction with other records, indicates a 
violation or potential violation of law, whether civil, criminal, or 
regulatory in nature, and whether arising by general statute or 
particular program statute, or by regulation, rule, or order issued 
pursuant thereto, disclosure may be made to the appropriate public 
authority, whether Federal, foreign, State, local, or tribal, or 
otherwise,

[[Page 22379]]

responsible for enforcing, investigating or prosecuting such violation 
or charged with enforcing or implementing the statute, or rule, 
regulation, or order issued pursuant thereto, if the information 
disclosed is relevant to any enforcement, regulatory, investigative or 
prosecutorial responsibility of the receiving entity.
    d. To a Member of Congress or to a Congressional staff member in 
response to an inquiry of the Congressional office made at the written 
request of the constituent about whom the record is maintained.
    e. To the National Archives and Records Administration (NARA) or to 
the General Services Administration for records management inspections 
conducted under 44 U.S.C. 2904 and 2906.
    f. To agency contractors, grantees, or volunteers who have been 
engaged to assist the agency in the performance of a contract service, 
grant, cooperative agreement, or other activity related to this system 
of records and who need to have access to the records in order to 
perform their activity. Recipients shall be required to comply with the 
requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a, the 
Federal Information Security Management Act (Pub. L. 107-296), and 
associated OMB policies, standards and guidance from the National 
Institute of Standards and Technology, and the General Services 
Administration.
    g. To a Federal agency, State, local, foreign, or tribal or other 
public authority, on request, in connection with the hiring or 
retention of an employee, the issuance or retention of a security 
clearance, the letting of a contract, or the issuance or retention of a 
license, grant, or other benefit, to the extent that the information is 
relevant and necessary to the requesting agency's decision.
    h. To the Office of Management and Budget (OMB) when necessary to 
the review of private relief legislation pursuant to OMB Circular No. 
A-19.
    i. To a Federal, State, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947, as amended; the CIA Act of 1949, as amended; Executive Order 
12333 or any successor order; and applicable national security 
directives, or classified implementing procedures approved by the 
Attorney General and promulgated pursuant to such statutes, orders, or 
Directives.
    j. To designated agency personnel for controlled access to specific 
records for the purposes of performing authorized audit or authorized 
oversight and administrative functions. All access is controlled 
systematically through authentication using PIV credentials based on 
access and authorization rules for specific audit and administrative 
functions.
    k. To the Office of Personnel Management (OPM), the Office of 
Management and Budget (OMB), the Government Accountability Office 
(GAO), or other Federal agency in accordance with the agency's 
responsibility for evaluation of Federal personnel management.
    l. To the Federal Bureau of Investigation for the FBI National 
Criminal History check.
    m. To a Federal, State, or local agency, or other appropriate 
entities or individuals, or through established liaison channels to 
selected foreign governments, in order to enable an intelligence agency 
to carry out its responsibilities under the National Security Act of 
1947 as amended; the CIA Act of 1949 as amended; Executive Order 12333 
or any successor order; and applicable national security directives, or 
classified implementing procedures approved by the Attorney General and 
promulgated pursuant to such statutes, orders or directives.
    n. To appropriate agencies, entities, and persons when (1) the 
Agency suspects or has confirmed that the security or confidentiality 
of information in the system of records has been compromised; (2) the 
Agency has determined that as a result of the suspected or confirmed 
compromise there is a risk of harm to economic or property interests, 
identity theft or fraud, or harm to the security or integrity of this 
system or other systems or programs (whether maintained by GSA or 
another agency or entity) that rely upon the compromised information; 
and (3) the disclosure made to such agencies, entities, and persons is 
reasonably necessary to assist in connection with GSA's efforts to 
respond to the suspected or confirmed compromise and prevent, minimize, 
or remedy such harm.

POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING 
AND DISPOSING OF RECORDS IN THE SYSTEM:
STORAGE:
    Records are stored in electronic media and in paper files.

RETRIEVABILITY:
    Records may be retrieved by name of the individual, Cardholder 
Unique Identification Number, Applicant ID, Social Security Number, 
and/or by any other unique individual identifier.

SAFEGUARDS:
    Consistent with the requirements of the Federal Information 
Security Management Act (Pub. L. 107-296), and associated OMB policies, 
standards and guidance from the National Institute of Standards and 
Technology, and the General Services Administration, the GSA HSPD-12 
managed service office protects all records from unauthorized access 
through appropriate administrative, physical, and technical safeguards. 
Access is restricted on a ``need to know'' basis, utilization of PIV 
Card access, secure VPN for Web access, and locks on doors and approved 
storage containers. Buildings have security guards and secured doors. 
All entrances are monitored through electronic surveillance equipment. 
The hosting facility is supported by 24/7 onsite hosting and network 
monitoring by trained technical staff. Physical security controls 
include: Indoor and outdoor security monitoring and surveillance; badge 
and picture ID access screening; biometric access screening. Personally 
identifiable information is safeguarded and protected in conformance 
with all Federal statutory and OMB guidance requirements. All access 
has role-based restrictions, and individuals with access privileges 
have undergone vetting and suitability screening. All data is encrypted 
in transit. While it is not contemplated, any system records stored on 
mobile computers or mobile devices will be encrypted. GSA maintains an 
audit trail and performs random periodic reviews to identify 
unauthorized access. Persons given roles in the PIV process must be 
approved by the Government and complete training specific to their 
roles to ensure they are knowledgeable about how to protect personally 
identifiable information.

RETENTION AND DISPOSAL:
    Disposition of records will be according to NARA disposition 
authority N1-269-06-1 (pending).

SYSTEM MANAGER AND ADDRESS:
    Director, HSPD-12 Managed Service Office, Federal Acquisition 
Service (FAS), General Services Administration, Suite 911, 2011 Crystal 
Drive, Arlington, VA 22202.

NOTIFICATION PROCEDURE:
    A request for access to records in this system may be made by 
writing to the System Manager. When requesting

[[Page 22380]]

notification of or access to records covered by this Notice, an 
individual should provide his/her full name, date of birth, agency 
name, and work location. An individual requesting notification of 
records in person must provide identity documents sufficient to satisfy 
the custodian of the records that the requester is entitled to access, 
such as a government-issued photo ID.

RECORD ACCESS PROCEDURES:
    Same as Notification Procedure above.

CONTESTING RECORD PROCEDURES:
    Same as Notification Procedure above. State clearly and concisely 
the information being contested, the reasons for contesting it, and the 
proposed amendment to the information sought.

RECORD SOURCE CATEGORIES:
    Employee, contractor, or applicant; sponsoring agency; former 
sponsoring agency; other Federal agencies; contract employer; former 
employer.

EXEMPTIONS CLAIMED FOR THE SYSTEM:
    None.
[FR Doc. E8-8884 Filed 4-24-08; 8:45 am]
BILLING CODE 6820-34-P