Privacy Act of 1974; System of Records, 58477-58479 [2017-26752]

Download as PDF Federal Register / Vol. 82, No. 237 / Tuesday, December 12, 2017 / Notices GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–0208. NOTIFICATION PROCEDURES: Individuals who have reason to believe that this system of records may contain information pertaining to them may write to U.S. Department of State; Director, Office of Information Programs and Services; A/GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–0208. The individual must specify that he or she wishes the Network User Account Records to be checked. At a minimum, the individual must include: Full name (including maiden name, if appropriate) and any other names used; current mailing address and zip code; date and place of birth; notarized signature or statement under penalty of perjury; a brief description of the circumstances that caused the creation of the record (including the city and/or country and the approximate dates) which gives the individual cause to believe that the Network User Account Records include records pertaining to him or her. Comments can be submitted by mail or email. If mail, please write to: U.S. Department of State; Office of Global Information Systems, Privacy Staff; A/GIS/PRV; SA–2, Suite 8100; Washington, DC 20522–0208. If email, please address the email to the Chief Privacy Officer, Margaret P. Grafeld, at Privacy@state.gov. Please write ‘‘Email Archive Management Records, State-01’’ on the envelope or the subject line of your email. FOR FURTHER INFORMATION CONTACT: Margaret P. Grafeld, Chief Privacy Officer; U.S. Department of State; Office of Global Information Services, A/GIS/ PRV; SA–2, Suite 8100; Washington, DC 20522–0208 or 202–261–8300. SUPPLEMENTARY INFORMATION: None. ADDRESSES: SECURITY CLASSIFICATION: RECORD SOURCE CATEGORIES: Unclassified and Classified. SYSTEM LOCATION: [FR Doc. 2017–26750 Filed 12–11–17; 8:45 am] SYSTEM MANAGER(S): BILLING CODE 4710–24–P Division Chief, Office of Information Resource Management, Messaging Systems Office, Messaging Design Division; U.S. Department of State, 7049 Newington Rd; Lorton, VA 22079. The System Manager can be reached at (703) 746–2113. HISTORY: This SORN was previously published at 75 FR 7210. DEPARTMENT OF STATE [Public Notice: 10226] Privacy Act of 1974; System of Records AUTHORITY FOR MAINTENANCE OF THE SYSTEM: Department of State. ACTION: Notice of a New System of Records. AGENCY: The purpose of the Email Archive Management Records system is to capture all emails and attachments that interact with a Department of State email account and to store them in a secure repository that allows for search, retrieval, and view when necessary. DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this system of records takes effect upon publication, with the exception of the routine uses that are subject to a 30-day period during which interested persons may submit comments to the Department. Please submit any comments by January 11, 2018. ethrower on DSK3G9T082PROD with NOTICES SUMMARY: VerDate Sep<11>2014 20:03 Dec 11, 2017 Jkt 244001 CATEGORIES OF RECORDS IN THE SYSTEM: Email Archive Management Records, State-01. SYSTEM NAME AND NUMBER: Mary R. Avery, Senior Agency Official for Privacy, Senior Advisor, Office of Global Information Services, Bureau of Administration, Department of State. None. is archived in the system. The system may also include information about individuals who interact with a Department of State email account, as well as individuals who are mentioned in a Department of State email message or attachment. The Privacy Act defines an individual at 5 U.S.C.552a(a)(2) as a United States citizen or lawful permanent resident. The records in this system include email messages and attachments associated with a Department of State email account, including any information that may be included in such messages or attachments. The system may also include biographic and contact information of individuals who maintain a Department of State email account, including name, address, email address, and phone number. Department of State (‘‘Department’), located at 2201 C Street NW, Washington, DC 20520; Department of State annexes, U.S. Embassies, U.S. Consulates General, and U.S. Consulates. Information may also be stored within a government-certified cloud, implemented, and overseen by the Department’s Messaging Systems Office (MSO), 2025 E. St. NW, Washington, DC 20006. EXEMPTIONS PROMULGATED FOR THE SYSTEM: 58477 (a) 5 U.S.C. 301 (b) Federal Records Act, 44 U.S.C. Ch. 31; (c) Freedom of Information Act, 5 U.S.C. 552. (d) Privacy Act of 1974, 5 U.S.C.552a(d). (e) 22 CFR part 171. PURPOSE(S) OF THE SYSTEM: The purpose of the system is to capture all emails and attachments that interact with a Department of State email account and to store them in a secure repository that allows for search, retrieval, and view when necessary. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Individuals who maintain a Department of State email account that PO 00000 Frm 00100 Fmt 4703 Sfmt 4703 These records contain information obtained from individuals who maintain a Department of State email account, as well as those who interact with such individuals. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES: The information in the system may be shared with: (a) Other federal agencies, foreign governments, and private entities where relevant and necessary for them to review or consult on documents that implicate their equities; (b) a contractor of the Department having need for the information in the performance of the contract, but not operating a system of records within the meaning of 5 U.S.C. 552a(m). (c) appropriate agencies, entities, and persons when (1) the Department of State suspects or has confirmed that there has been a breach of the system of records; (2) the Department of State has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Department of State (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department of State efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. (d) another Federal agency or Federal entity, when the Department of State determines that information from this system of records is reasonably necessary to assist the recipient agency E:\FR\FM\12DEN1.SGM 12DEN1 ethrower on DSK3G9T082PROD with NOTICES 58478 Federal Register / Vol. 82, No. 237 / Tuesday, December 12, 2017 / Notices or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. (e) an agency, whether federal, state, local or foreign, where a record indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program statute, or by regulation, rule or order issued pursuant thereto, so that the recipient agency can fulfill its responsibility to investigate or prosecute such violation or enforce or implement the statute, rule, regulation, or order. (f) the Federal Bureau of Investigation, the Department of Homeland Security, the National Counter-Terrorism Center (NCTC), the Terrorist Screening Center (TSC), or other appropriate federal agencies, for the integration and use of such information to protect against terrorism, if that record is about one or more individuals known, or suspected, to be or to have been involved in activities constituting, in preparation for, in aid of, or related to terrorism. Such information may be further disseminated by recipient agencies to Federal, State, local, territorial, tribal, and foreign government authorities, and to support private sector processes as contemplated in Homeland Security Presidential Directive/HSPD–6 and other relevant laws and directives, for terrorist screening, threat-protection and other homeland security purposes. (g) a congressional office from the record of an individual in response to an inquiry from the Congressional office made at the request of that individual. (h) a court, adjudicative body, or administrative body before which the Department is authorized to appear when (a) the Department; (b) any employee of the Department in his or her official capacity; (c) any employee of the Department in his or her individual capacity where the U.S. Department of Justice (‘‘DOJ’’) or the Department has agreed to represent the employee; or (d) the Government of the United States, when the Department determines that litigation is likely to affect the Department, is a party to litigation or has an interest in such litigation, and the use of such records by the Department is deemed to be relevant and necessary to the litigation or administrative proceeding. (i) the Department of Justice (‘‘DOJ’’) for its use in providing legal advice to the Department or in representing the VerDate Sep<11>2014 21:18 Dec 11, 2017 Jkt 244001 Department in a proceeding before a court, adjudicative body, or other administrative body before which the Department is authorized to appear, where the Department deems DOJ’s use of such information relevant and necessary to the litigation, and such proceeding names as a party or interests: (a) The Department or any component of it; (b) Any employee of the Department in his or her official capacity; (c) Any employee of the Department in his or her individual capacity where DOJ has agreed to represent the employee; or (d) The Government of the United States, where the Department determines that litigation is likely to affect the Department or any of its components. (j) the National Archives and Records Administration and the General Services Administration: For records management inspections, surveys and studies; following transfer to a Federal records center for storage; and to determine whether such records have sufficient historical or other value to warrant accessioning into the National Archives of the United States. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Records are stored on electronic media. A description of standard Department of State policies concerning storage of electronic records is found here https://fam.state.gov/FAM/05FAM/ 05FAM0440.html. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: By individual name or other personal identifier, if available. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: The Department of State is in the process of finalizing a retention schedule for these records. Once the schedule is approved by the National Archives and Records Administration, the Records will be retired in accordance with the published Department of State Records Disposition Schedule that shall be published here: https://foia.state.gov/Learn/ RecordsDisposition.aspx. More specific information may be obtained by writing to the following address: U.S. Department of State; Director, Office of Information Programs and Services; A/ GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–0208. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: All users are given cyber security awareness training which covers the PO 00000 Frm 00101 Fmt 4703 Sfmt 4703 procedures for handling Sensitive But Unclassified information, including personally identifiable information (PII). Annual refresher training is mandatory. In addition, all Foreign Service and Civil Service employees and those Locally Employed Staff who handle PII are required to take a distance learning course instructing employees on privacy and security requirements, including the rules of behavior for handling PII and the potential consequences if it is handled improperly. Before being granted access to Email Archive Management Records, a user must first be granted access to the Department of State computer system. Remote access to the Department of State network from non-Departmentowned systems is authorized only to unclassified systems and through a Department-approved access program. Remote access to the network is configured with the authentication requirements contained in the Office of Management and Budget Circular Memorandum A–130. All Department of State employees and contractors with authorized access have undergone a thorough background security investigation. Access to the Department of State, its annexes and posts abroad is controlled by security guards, and admission is limited to those individuals possessing a valid identification card or individuals under proper escort. Access to Department of State workstations/networks requires a valid PKI identification card protected by a user’s PIN that must first be entered before accessing the Department of State network. Access to computerized files is password-protected and under the direct supervision of the system manager. The system manager has the capability of printing audit trails of access from the computer media, thereby permitting regular and ad hoc monitoring of computer usage. When it is determined that a user no longer needs access, the user account is disabled. The safeguards in the following paragraphs apply only to records that are maintained in cloud systems. All cloud systems that provide IT services and process Department of State information must be specifically authorized by the Department of State Authorizing Official and Senior Agency Official for Privacy. Information that conforms with Department-specific definitions for FISMA low, moderate, or high categorization are permissible for cloud usage and must specifically be authorized by the Cloud Computing Governance Board. Specific security measures and safeguards will depend on E:\FR\FM\12DEN1.SGM 12DEN1 Federal Register / Vol. 82, No. 237 / Tuesday, December 12, 2017 / Notices the FISMA categorization of the information in a given cloud system. The Email Archive Management Records system is rated as a FISMA high system. In accordance with Department policy, systems that process more sensitive information will require more stringent controls and review by Department cybersecurity experts prior to approval. Prior to operation, all Cloud systems must comply with applicable security measures that are outlined in FISMA, FedRAMP, OMB regulations, NIST Federal Information Processing Standards (FIPS) and Special Publication (SP), and Department of State policies and standards. All data stored in cloud environments categorized above a low FISMA impact risk level must be encrypted at rest and in-transit using a federally-approved encryption mechanism. The encryption keys shall be generated, maintained, and controlled in a Department data center by the Department key management authority. Deviations from these encryption requirements must be approved in writing by the Authorizing Official. Data in Email Archive Management Records categorized at a high FISMA impact risk level will additionally be subject to continual auditing and monitoring, multifactor authentication mechanisms utilizing PKI, NIST 800–53 controls concerning virtualization, servers, storage and networking as well as stringent measures to sanitize data from the cloud service once the contract is terminated. ethrower on DSK3G9T082PROD with NOTICES RECORD ACCESS PROCEDURES: Individuals who wish to gain access to or to amend records pertaining to themselves should write to U.S. Department of State; Director, Office of Information Programs and Services; A/ GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–0208. The individual must specify that he or she wishes the Email Archive Management Records to be checked. At a minimum, the individual must include: Full name (including maiden name, if appropriate) and any other names used; current mailing address and zip code; date and place of birth; notarized signature or statement under penalty of perjury; a brief description of the circumstances that caused the creation of the record (including the city and/or country and the approximate dates) which gives the individual cause to believe that the Email Archive Management Records include records pertaining to him or her. Detailed instructions on Department of State procedures for accessing and amending records can be found at https://foia.state.gov/Request/ Guide.aspx. VerDate Sep<11>2014 20:03 Dec 11, 2017 Jkt 244001 CONTESTING RECORD PROCEDURES: Individuals who wish to contest record procedures should write to U.S. Department of State; Director, Office of Information Programs and Services; A/ GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–0208. NOTIFICATION PROCEDURES: Individuals who have reason to believe that this system of records may contain information pertaining to them may write to U.S. Department of State; Director, Office of Information Programs and Services; A/GIS/IPS; SA–2, Suite 8100; Washington, DC 20522–0208. The individual must specify that he or she wishes the Email Archive Management Records to be checked. At a minimum, the individual must include: Full name (including maiden name, if appropriate) and any other names used; current mailing address and zip code; date and place of birth; notarized signature or statement under penalty of perjury; a brief description of the circumstances that caused the creation of the record (including the city and/or country and the approximate dates) which gives the individual cause to believe that the Email Archive Management Records include records pertaining to him or her. EXEMPTIONS PROMULGATED FOR THE SYSTEM: Pursuant to 5 U.S.C. 552a (j)(2), records in this system may be exempted from subsections (c)(3) and (4), (d), (e)(1), (2), (3), and (e)(4)(G), (H), and (I), and (f) of the Privacy Act. Pursuant to 5 U.S.C. 552a (k)(1), (k)(2), (k)(3), (k)(4), (k)(5), (k)(6), and (k)(7), records in this system may be exempted from subsections (c)(3), (d)(1), (d)(2), (d)(3), (d)(4), (d)(5), (e)(1), (e)(4)(G), (e)(4)(H), (e)(4)(I), (f)(1), (f)(2), (f)(3), (f)(4), and (f)(5). Any other exempt records from other agencies’ systems of records that are recompiled into this system are also considered exempt to the extent they are claimed as such in the original systems. HISTORY: None. Mary R. Avery, Senior Agency Official for Privacy, Senior Advisor, Office of Global Information Services, Bureau of Administration, Department of State. [FR Doc. 2017–26752 Filed 12–11–17; 8:45 am] BILLING CODE 4710–24–P SURFACE TRANSPORTATION BOARD Release of Waybill Data The Surface Transportation Board has received a request from Neville Peterson PO 00000 Frm 00102 Fmt 4703 Sfmt 4703 58479 LLP on behalf of Trinity Industries, Inc. (WB17–51—12/05/17) for permission to use certain data from the Board’s 2016 Carload Waybill Sample. A copy of this request may be obtained from the Office of Economics. The waybill sample contains confidential railroad and shipper data; therefore, if any parties object to these requests, they should file their objections with the Director of the Board’s Office of Economics within 14 calendar days of the date of this notice. The rules for release of waybill data are codified at 49 CFR 1244.9. Contact: Alexander Dusenberry, (202) 245–0319. Jeffrey Herzig, Clearance Clerk. [FR Doc. 2017–26674 Filed 12–11–17; 8:45 am] BILLING CODE 4915–01–P DEPARTMENT OF TRANSPORTATION Federal Aviation Administration Notice of Opportunity for Public Comment on a Land Use Change From Aeronautical to Non-Aeronautical Use for 419 Acres of Airport Land for Solar Farm Use at Sanford Seacoast Regional Airport, Sanford, ME Federal Aviation Administration (FAA), DOT. ACTION: Request for public comments. AGENCY: Notice is being given that the FAA is considering a request from the Sanford Seacoast Regional Airport, to change the current land use from aeronautical use to non-aeronautical use of 419 acres of land. The parcels are located along the southwesterly side of Runway 07/25, the northerly end of Runway 25 and in a portion of the infield area between Runway 07/25 and Runway 14/32. There is adequate developable area on the airport to meet the future twenty year need for projected activity and the Airport Layout Plan was updated with a Pen and Ink change to designate the parcels for non-aeronautical use. The airport will obtain fair market value for the lease of the land and the income derived from this lease will be placed in the airport’s operation and maintenance funds for the facility. DATES: Comments must be received on or before January 11, 2018. ADDRESSES: You may send comments using any of the following methods: • Federal eRulemaking Portal: Go to http://www.regulations.gov, and follow the instructions on providing comments. SUMMARY: E:\FR\FM\12DEN1.SGM 12DEN1

Agencies

[Federal Register Volume 82, Number 237 (Tuesday, December 12, 2017)]
[Notices]
[Pages 58477-58479]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2017-26752]


-----------------------------------------------------------------------

DEPARTMENT OF STATE

[Public Notice: 10226]


Privacy Act of 1974; System of Records

AGENCY: Department of State.

ACTION: Notice of a New System of Records.

-----------------------------------------------------------------------

SUMMARY: The purpose of the Email Archive Management Records system is 
to capture all emails and attachments that interact with a Department 
of State email account and to store them in a secure repository that 
allows for search, retrieval, and view when necessary.

DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this system of 
records takes effect upon publication, with the exception of the 
routine uses that are subject to a 30-day period during which 
interested persons may submit comments to the Department. Please submit 
any comments by January 11, 2018.

ADDRESSES: Comments can be submitted by mail or email. If mail, please 
write to: U.S. Department of State; Office of Global Information 
Systems, Privacy Staff; A/GIS/PRV; SA-2, Suite 8100; Washington, DC 
20522-0208. If email, please address the email to the Chief Privacy 
Officer, Margaret P. Grafeld, at [email protected]. Please write 
``Email Archive Management Records, State-01'' on the envelope or the 
subject line of your email.

FOR FURTHER INFORMATION CONTACT: Margaret P. Grafeld, Chief Privacy 
Officer; U.S. Department of State; Office of Global Information 
Services, A/GIS/PRV; SA-2, Suite 8100; Washington, DC 20522-0208 or 
202-261-8300.

SUPPLEMENTARY INFORMATION: None.
SYSTEM NAME AND NUMBER:
    Email Archive Management Records, State-01.

SECURITY CLASSIFICATION:
    Unclassified and Classified.

SYSTEM LOCATION:
    Department of State (``Department'), located at 2201 C Street NW, 
Washington, DC 20520; Department of State annexes, U.S. Embassies, U.S. 
Consulates General, and U.S. Consulates. Information may also be stored 
within a government-certified cloud, implemented, and overseen by the 
Department's Messaging Systems Office (MSO), 2025 E. St. NW, 
Washington, DC 20006.

SYSTEM MANAGER(S):
    Division Chief, Office of Information Resource Management, 
Messaging Systems Office, Messaging Design Division; U.S. Department of 
State, 7049 Newington Rd; Lorton, VA 22079. The System Manager can be 
reached at (703) 746-2113.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    (a) 5 U.S.C. 301
    (b) Federal Records Act, 44 U.S.C. Ch. 31;
    (c) Freedom of Information Act, 5 U.S.C. 552.
    (d) Privacy Act of 1974, 5 U.S.C.552a(d).
    (e) 22 CFR part 171.

PURPOSE(S) OF THE SYSTEM:
    The purpose of the system is to capture all emails and attachments 
that interact with a Department of State email account and to store 
them in a secure repository that allows for search, retrieval, and view 
when necessary.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals who maintain a Department of State email account that 
is archived in the system. The system may also include information 
about individuals who interact with a Department of State email 
account, as well as individuals who are mentioned in a Department of 
State email message or attachment. The Privacy Act defines an 
individual at 5 U.S.C.552a(a)(2) as a United States citizen or lawful 
permanent resident.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The records in this system include email messages and attachments 
associated with a Department of State email account, including any 
information that may be included in such messages or attachments. The 
system may also include biographic and contact information of 
individuals who maintain a Department of State email account, including 
name, address, email address, and phone number.

RECORD SOURCE CATEGORIES:
    These records contain information obtained from individuals who 
maintain a Department of State email account, as well as those who 
interact with such individuals.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The information in the system may be shared with:
    (a) Other federal agencies, foreign governments, and private 
entities where relevant and necessary for them to review or consult on 
documents that implicate their equities;
    (b) a contractor of the Department having need for the information 
in the performance of the contract, but not operating a system of 
records within the meaning of 5 U.S.C. 552a(m).
    (c) appropriate agencies, entities, and persons when (1) the 
Department of State suspects or has confirmed that there has been a 
breach of the system of records; (2) the Department of State has 
determined that as a result of the suspected or confirmed breach there 
is a risk of harm to individuals, the Department of State (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with the Department of State efforts to respond to the 
suspected or confirmed breach or to prevent, minimize, or remedy such 
harm.
    (d) another Federal agency or Federal entity, when the Department 
of State determines that information from this system of records is 
reasonably necessary to assist the recipient agency

[[Page 58478]]

or entity in (1) responding to a suspected or confirmed breach or (2) 
preventing, minimizing, or remedying the risk of harm to individuals, 
the recipient agency or entity (including its information systems, 
programs, and operations), the Federal Government, or national 
security, resulting from a suspected or confirmed breach.
    (e) an agency, whether federal, state, local or foreign, where a 
record indicates a violation or potential violation of law, whether 
civil, criminal or regulatory in nature, and whether arising by general 
statute or particular program statute, or by regulation, rule or order 
issued pursuant thereto, so that the recipient agency can fulfill its 
responsibility to investigate or prosecute such violation or enforce or 
implement the statute, rule, regulation, or order.
    (f) the Federal Bureau of Investigation, the Department of Homeland 
Security, the National Counter-Terrorism Center (NCTC), the Terrorist 
Screening Center (TSC), or other appropriate federal agencies, for the 
integration and use of such information to protect against terrorism, 
if that record is about one or more individuals known, or suspected, to 
be or to have been involved in activities constituting, in preparation 
for, in aid of, or related to terrorism. Such information may be 
further disseminated by recipient agencies to Federal, State, local, 
territorial, tribal, and foreign government authorities, and to support 
private sector processes as contemplated in Homeland Security 
Presidential Directive/HSPD-6 and other relevant laws and directives, 
for terrorist screening, threat-protection and other homeland security 
purposes.
    (g) a congressional office from the record of an individual in 
response to an inquiry from the Congressional office made at the 
request of that individual.
    (h) a court, adjudicative body, or administrative body before which 
the Department is authorized to appear when (a) the Department; (b) any 
employee of the Department in his or her official capacity; (c) any 
employee of the Department in his or her individual capacity where the 
U.S. Department of Justice (``DOJ'') or the Department has agreed to 
represent the employee; or (d) the Government of the United States, 
when the Department determines that litigation is likely to affect the 
Department, is a party to litigation or has an interest in such 
litigation, and the use of such records by the Department is deemed to 
be relevant and necessary to the litigation or administrative 
proceeding.
    (i) the Department of Justice (``DOJ'') for its use in providing 
legal advice to the Department or in representing the Department in a 
proceeding before a court, adjudicative body, or other administrative 
body before which the Department is authorized to appear, where the 
Department deems DOJ's use of such information relevant and necessary 
to the litigation, and such proceeding names as a party or interests:
    (a) The Department or any component of it;
    (b) Any employee of the Department in his or her official capacity;
    (c) Any employee of the Department in his or her individual 
capacity where DOJ has agreed to represent the employee; or
    (d) The Government of the United States, where the Department 
determines that litigation is likely to affect the Department or any of 
its components.
    (j) the National Archives and Records Administration and the 
General Services Administration: For records management inspections, 
surveys and studies; following transfer to a Federal records center for 
storage; and to determine whether such records have sufficient 
historical or other value to warrant accessioning into the National 
Archives of the United States.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are stored on electronic media. A description of standard 
Department of State policies concerning storage of electronic records 
is found here https://fam.state.gov/FAM/05FAM/05FAM0440.html.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    By individual name or other personal identifier, if available.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    The Department of State is in the process of finalizing a retention 
schedule for these records. Once the schedule is approved by the 
National Archives and Records Administration, the Records will be 
retired in accordance with the published Department of State Records 
Disposition Schedule that shall be published here: https://foia.state.gov/Learn/RecordsDisposition.aspx. More specific information 
may be obtained by writing to the following address: U.S. Department of 
State; Director, Office of Information Programs and Services; A/GIS/
IPS; SA-2, Suite 8100; Washington, DC 20522-0208.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    All users are given cyber security awareness training which covers 
the procedures for handling Sensitive But Unclassified information, 
including personally identifiable information (PII). Annual refresher 
training is mandatory. In addition, all Foreign Service and Civil 
Service employees and those Locally Employed Staff who handle PII are 
required to take a distance learning course instructing employees on 
privacy and security requirements, including the rules of behavior for 
handling PII and the potential consequences if it is handled 
improperly. Before being granted access to Email Archive Management 
Records, a user must first be granted access to the Department of State 
computer system.
    Remote access to the Department of State network from non-
Department-owned systems is authorized only to unclassified systems and 
through a Department-approved access program. Remote access to the 
network is configured with the authentication requirements contained in 
the Office of Management and Budget Circular Memorandum A-130.
    All Department of State employees and contractors with authorized 
access have undergone a thorough background security investigation. 
Access to the Department of State, its annexes and posts abroad is 
controlled by security guards, and admission is limited to those 
individuals possessing a valid identification card or individuals under 
proper escort. Access to Department of State workstations/networks 
requires a valid PKI identification card protected by a user's PIN that 
must first be entered before accessing the Department of State network. 
Access to computerized files is password-protected and under the direct 
supervision of the system manager. The system manager has the 
capability of printing audit trails of access from the computer media, 
thereby permitting regular and ad hoc monitoring of computer usage. 
When it is determined that a user no longer needs access, the user 
account is disabled.
    The safeguards in the following paragraphs apply only to records 
that are maintained in cloud systems. All cloud systems that provide IT 
services and process Department of State information must be 
specifically authorized by the Department of State Authorizing Official 
and Senior Agency Official for Privacy.
    Information that conforms with Department-specific definitions for 
FISMA low, moderate, or high categorization are permissible for cloud 
usage and must specifically be authorized by the Cloud Computing 
Governance Board. Specific security measures and safeguards will depend 
on

[[Page 58479]]

the FISMA categorization of the information in a given cloud system. 
The Email Archive Management Records system is rated as a FISMA high 
system. In accordance with Department policy, systems that process more 
sensitive information will require more stringent controls and review 
by Department cybersecurity experts prior to approval. Prior to 
operation, all Cloud systems must comply with applicable security 
measures that are outlined in FISMA, FedRAMP, OMB regulations, NIST 
Federal Information Processing Standards (FIPS) and Special Publication 
(SP), and Department of State policies and standards.
    All data stored in cloud environments categorized above a low FISMA 
impact risk level must be encrypted at rest and in-transit using a 
federally-approved encryption mechanism. The encryption keys shall be 
generated, maintained, and controlled in a Department data center by 
the Department key management authority. Deviations from these 
encryption requirements must be approved in writing by the Authorizing 
Official. Data in Email Archive Management Records categorized at a 
high FISMA impact risk level will additionally be subject to continual 
auditing and monitoring, multifactor authentication mechanisms 
utilizing PKI, NIST 800-53 controls concerning virtualization, servers, 
storage and networking as well as stringent measures to sanitize data 
from the cloud service once the contract is terminated.

RECORD ACCESS PROCEDURES:
    Individuals who wish to gain access to or to amend records 
pertaining to themselves should write to U.S. Department of State; 
Director, Office of Information Programs and Services; A/GIS/IPS; SA-2, 
Suite 8100; Washington, DC 20522-0208. The individual must specify that 
he or she wishes the Email Archive Management Records to be checked. At 
a minimum, the individual must include: Full name (including maiden 
name, if appropriate) and any other names used; current mailing address 
and zip code; date and place of birth; notarized signature or statement 
under penalty of perjury; a brief description of the circumstances that 
caused the creation of the record (including the city and/or country 
and the approximate dates) which gives the individual cause to believe 
that the Email Archive Management Records include records pertaining to 
him or her. Detailed instructions on Department of State procedures for 
accessing and amending records can be found at https://foia.state.gov/Request/Guide.aspx.

CONTESTING RECORD PROCEDURES:
    Individuals who wish to contest record procedures should write to 
U.S. Department of State; Director, Office of Information Programs and 
Services; A/GIS/IPS; SA-2, Suite 8100; Washington, DC 20522-0208.

 NOTIFICATION PROCEDURES:
    Individuals who have reason to believe that this system of records 
may contain information pertaining to them may write to U.S. Department 
of State; Director, Office of Information Programs and Services; A/GIS/
IPS; SA-2, Suite 8100; Washington, DC 20522-0208. The individual must 
specify that he or she wishes the Email Archive Management Records to 
be checked. At a minimum, the individual must include: Full name 
(including maiden name, if appropriate) and any other names used; 
current mailing address and zip code; date and place of birth; 
notarized signature or statement under penalty of perjury; a brief 
description of the circumstances that caused the creation of the record 
(including the city and/or country and the approximate dates) which 
gives the individual cause to believe that the Email Archive Management 
Records include records pertaining to him or her.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    Pursuant to 5 U.S.C. 552a (j)(2), records in this system may be 
exempted from subsections (c)(3) and (4), (d), (e)(1), (2), (3), and 
(e)(4)(G), (H), and (I), and (f) of the Privacy Act.
    Pursuant to 5 U.S.C. 552a (k)(1), (k)(2), (k)(3), (k)(4), (k)(5), 
(k)(6), and (k)(7), records in this system may be exempted from 
subsections (c)(3), (d)(1), (d)(2), (d)(3), (d)(4), (d)(5), (e)(1), 
(e)(4)(G), (e)(4)(H), (e)(4)(I), (f)(1), (f)(2), (f)(3), (f)(4), and 
(f)(5).
    Any other exempt records from other agencies' systems of records 
that are recompiled into this system are also considered exempt to the 
extent they are claimed as such in the original systems.

HISTORY:
    None.

Mary R. Avery,
Senior Agency Official for Privacy, Senior Advisor, Office of Global 
Information Services, Bureau of Administration, Department of State.
[FR Doc. 2017-26752 Filed 12-11-17; 8:45 am]
 BILLING CODE 4710-24-P