Privacy Act of 1974; Systems of Records, 60110-60113 [2019-24246]
Download as PDF
<![CDATA[
60110
Federal Register / Vol. 84, No. 216 / Thursday, November 7, 2019 / Notices
Affairs, Attention Department of Justice
Desk Officer, Washington, DC 20530 or
sent to OIRA_submissions@
omb.eop.gov.
SUPPLEMENTARY INFORMATION: Written
comments and suggestions from the
public and affected agencies concerning
the proposed collection of information
are encouraged. Your comments should
address one or more of the following
four points:
(1) Evaluate whether the proposed
collection of information is necessary
for the proper performance of the
functions of the agency, including
whether the information will have
practical utility;
(2) Evaluate the accuracy of the
agency’s estimate of the burden of the
proposed collection of information,
including the validity of the
methodology and assumptions used;
(3) Enhance the quality, utility, and
clarity of the information to be
collected; and
(4) Minimize the burden of the
collection of information on those who
are to respond, including through the
use of appropriate automated,
electronic, mechanical, or other
technological collection techniques or
other forms of information technology,
e.g., permitting electronic submission of
responses.
Overview of This Information
Collection
(1) Type of Information Collection:
Extension of a currently approved
collection.
(2) Title of the Form/Collection:
Campus Program Grantee Needs and
Progress Assesment Tool.
(3) Agency form number, if any, and
the applicable component of the
Department of Justice sponsoring the
collection: Form Number: 1122–0031.
U.S. Department of Justice, Office on
Violence Against Women.
(4) Affected public who will be asked
or required to respond, as well as a brief
abstract: The affected public includes
current grantees under the Grants to
Reduce Sexual Assault, Domestic
Violence, Dating Violence, and Stalking
on Campus Program. The Campus
Program strengthens the response of
institutions of higher education to the
crimes of sexual assault, domestic
violence, dating violence and stalking
on campuses and enhances
collaboration among campuses, local
law enforcement, and victim advocacy
organizations. Eligible applicants are
institutions of higher education. The
affected public includes the
approximately 100 institutions of higher
education currently funded through the
Campus program.
VerDate Sep<11>2014
17:55 Nov 06, 2019
Jkt 250001
The Grantee Needs and Progress
Assessment Tool will be used to
determine the training and technical
assistance needs of Campus Program
grantees—both new and continuation
grantees—throughout the life of the
grant award as well measure the
development of the capacity of grantees
to respond and prevent violence against
women on their campuses. In addition,
the tool will help campuses and OVW
document the impact of their grantfunded work, promote sustainability of
important intervention and prevention
activities, and provide outcome-based
information throughout the life of the
grant to help OVW-funded technical
assistance providers and grantees make
changes to the goals and objectives
necessary to achieve the Congressional
purpose of the Campus Program.
(5) An estimate of the total number of
respondents and the amount of time
estimated for an average respondent to
respond/reply: It is estimated that it will
take the approximately 100 respondents
(Campus Program grantees)
approximately 30 minutes to complete a
semi-annual progress report. The semiannual progress report is divided into
sections that pertain to the different
types of activities in which grantees
may engage. A Justice for Families
Program grantee will only be required to
complete the sections of the form that
pertain to its own specific activities.
(6) An estimate of the total public
burden (in hours) associated with the
collection: The total annual hour burden
to complete the data collection forms is
140 hours, that is 70 grantees
completing a form twice a year with an
estimated completion time for the form
being one hour.
If additional information is required
contact: Melody Braswell, Deputy
Clearance Officer, United States
Department of Justice, Justice
Management Division, Policy and
Planning Staff, Two Constitution
Square, 145 N Street NE, 3E, 405B,
Washington, DC 20530.
Dated: November 4, 2019.
Melody Braswell,
Department Clearance Officer, PRA, U.S.
Department of Justice.
[FR Doc. 2019–24290 Filed 11–6–19; 8:45 am]
BILLING CODE 4410–FX–P
DEPARTMENT OF JUSTICE
[CPCLO Order No. 012–2019]
Privacy Act of 1974; Systems of
Records
AGENCY:
United States Department of
Justice.
PO 00000
Frm 00059
Fmt 4703
Sfmt 4703
ACTION:
Notice of a new system of
records.
Pursuant to the Privacy Act of
1974 and Office of Management and
Budget (OMB) Circular No. A–108,
notice is hereby given that the United
States Department of Justice (DOJ or
Department), proposes to develop a new
system of records titled ‘‘DOJ Identity,
Credential, and Access Service Records
System,’’ JUSTICE/DOJ–020. DOJ
proposes to establish this system of
records as a part of the Department’s
Enterprise Identity, Credential, and
Access Management services, which
will serve as a central and authoritative
identity management data repository for
DOJ identity information. JUSTICE/
DOJ–020 combines user information
from various data sources to provide a
centralized and authoritative identity
governance solution.
DATES: In accordance with 5 U.S.C.
552a(e)(4) and (11), this system of
records is effective upon publication,
subject to a 30-day period in which to
comment on the routine uses, described
below. Please submit any comments by
December 9, 2019.
ADDRESSES: The public, OMB, and
Congress are invited to submit any
comments by mail to the United States
Department of Justice, Office of Privacy
and Civil Liberties, ATTN: Privacy
Analyst, Two Constitution Square, 145
N Street NE, Suite 8W.300, Washington,
DC 20530; by facsimile at (202) 307–
0693; or by email at
privacy.compliance@usdoj.gov. To
ensure proper handling, please
reference the above CPCLO Order No.
on your correspondence.
FOR FURTHER INFORMATION CONTACT:
Nickolous Ward, DOJ Chief Information
Security Officer, (202) 514–3101, 145 N
Street NE, Washington, DC 20530.
SUPPLEMENTARY INFORMATION: In
accordance with the Federal
Information Security Modernization Act
of 2014, DOJ is responsible for
complying with policies and procedures
issued by the OMB and implementing
information security protections
commensurate with the risk and
magnitude of harm resulting from the
unauthorized access, use, disclosure,
disruption, modification, or destruction
of DOJ information and information
systems. 44 U.S.C. 3554. OMB policy
requires agencies to properly identify,
credential, monitor, and manage
subjects that access Federal resources,
including information, information
systems, facilities, and secured areas.
See Office of Management and Budget
M–19–17, Enabling Mission Delivery
through Improved Identity, Credential,
SUMMARY:
E:\FR\FM\07NON1.SGM
07NON1
Federal Register / Vol. 84, No. 216 / Thursday, November 7, 2019 / Notices
and Access Management (May 21,
2019). DOJ’s compliance with the
Federal Identity, Credential, and Access
Management (ICAM) policy is essential
to meeting DOJ’s information security
and privacy risk management
responsibilities.
JUSTICE/DOJ–020 will serve as DOJ’s
central and authoritative ICAM record
repository for DOJ Identity Services, a
program that allows DOJ management
and information system staff to monitor
and manage enterprise identities (e.g.,
DOJ employees, contractors, mission or
business partners, devices, etc.) to DOJ
information and information systems.
DOJ will collect and maintain identity
records in order to manage enterprise
accounts across DOJ components and
business units within DOJ. Such
activities can include, but are not
limited to, account request, creation,
modification, removal, and annual
account recertification across DOJ
components and business units within
DOJ.
In accordance with 5 U.S.C. 552a(r),
the Department has provided a report to
OMB and Congress on this new system
of records.
Dated: November 1, 2019.
Peter A. Winn,
Acting Chief Privacy and Civil Liberties
Officer, United States Department of Justice.
JUSTICE/DOJ–020
SYSTEM NAME AND NUMBER
DOJ Identity, Credential, and Access
Service Records System, JUSTICE/DOJ–
020.
SECURITY CLASSIFICATION:
SYSTEM LOCATION:
Records will be maintained
electronically at one or more of the
Department’s data centers, including,
but not limited to, one or more of the
Department’s Core Enterprise Facilities
(CEF), including, but not limited to, the
Department’s CEF East, Clarksburg, WV
26306, or CEF West, Pocatello, ID
83201. Records within this system of
records may be transferred to a
Department-authorized cloud service
provider within the Continental United
States. Access to these electronic
records may occur at any location at
which the DOJ, Justice Management
Division, Office of the Chief Information
Officer, Cybersecurity Services Staff
(DOJ CSS) operates or where DOJ CSS
operations are supported, including the
Two Constitution Square building, 145
N Street NE, Washington, DC 20530.
Some or all of the information in the
system may be duplicated at other
17:55 Nov 06, 2019
Jkt 250001
SYSTEM MANAGER(S):
DOJ Chief Information Security
Officer, (202) 514–3101, 145 N Street
NE, Washington, DC 20530.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Federal Information Security
Modernization Act of 2014, 44 U.S.C.
3551 et seq.; 44 U.S.C 3504; Homeland
Security Presidential Directive 12:
Policy for a Common Identification
Standard for Federal Employees and
Contractors (Aug. 2015); FIPS 201–2,
Personal Identity Verification (PIV) of
Federal Employees and Contractors
(Aug. 2013); OMB Circular A–130,
Managing Information as a Strategic
Resource (July 2016); OMB
Memorandum M–10–28, Clarifying
Cybersecurity Responsibilities and
Activities of the Executive Office of the
President and the Department of
Homeland Security (July 6, 2010); OMB
Memorandum M–14–03, Enhancing the
Security of Federal Information and
Information Systems (Nov. 18, 2013);
OMB Memorandum M–19–17, Enabling
Mission Delivery through Improved
Identity, Credential, and Access
Management (May 21, 2019).
PURPOSE(S) OF THE SYSTEM:
The system is unclassified.
VerDate Sep<11>2014
locations where the Department has
granted direct access to support DOJ
CSS operations, system backup,
emergency preparedness, and/or
continuity of operations. To determine
the location of a particular record
maintained in this system of records,
contact the system manager, whose
contact information is listed in the
‘‘SYSTEM MANAGER(S)’’ paragraph,
below.
DOJ establishes this system of records
to support the information and
information systems serving as the
central and authoritative identity
management data repository for DOJ
enterprise identities. This system of
records will allow management and IT
staff to monitor and manage user access
to DOJ information systems across
departments and business units within
DOJ. Such activities include, but are not
limited to, account requests, creation,
modification, removal, and annual
account recertification.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
All DOJ employees and contractors,
DOJ information system users, and
individuals granted access to DOJ
information.
CATEGORIES OF RECORDS IN THE SYSTEM:
User identity information, such as
name and associated identities; user
identification information (e.g.,
PO 00000
Frm 00060
Fmt 4703
Sfmt 4703
60111
username); home and/or work
address(es); personal and/or work email
address(es); personal and/or work
telephone numbers; duty city, county,
state, and/or station information; Social
Security Number; sponsorship
information; employee identification
information; employment and
enrollment information; assigned
government furnished equipment
information (mobile device identifiers);
and biometric identifiers (e.g.,
fingerprints and high-resolution
photographs).
Identity investigation and
adjudication information.
Assigned card information, such as
associated identity information; card
activated date; card delivered date;
credential and certificate information;
card reissue request and replacement
information; card replacement status;
card reprint request status; card
suspended and termination dates; and
user account flags.
Training information, including but
not limited to, date training is required
to be completed, date training was
assigned, and date training was
completed.
Access management information,
such as information system roles held
by an identity.
RECORD SOURCE CATEGORIES:
Information will feed into this system
of records from a number of source
systems: USAccess (including records in
GSA/GOVT–7, Personal Identity
Verification Identity Management
System (PIV IDMS), last published in
full at 71 FR 56983 (Sept. 28, 2006));
National Finance Center (NFC); Justice
Security Tracking and Adjudication
Record System (JSTARS) (including
records in JUSTICE/DOJ–006, Personnel
Investigation and Security Clearance
Records for the Department of Justice,
last published in full at 67 FR 59864
(Sept. 24, 2002)); and LearnDOJ.
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES:
In addition to those disclosures
generally permitted under 5 U.S.C.
552a(b), all or a portion of the records
or information contained in this system
of records may be disclosed as a routine
use, pursuant to 5 U.S.C. 552a(b)(3)
under the circumstances or for the
purposes described below, to the extent
such disclosures are compatible with
the purposes for which the information
was collected.
(A) Where a record, either alone or in
conjunction with other information,
indicates a violation or potential
violation of law—criminal, civil, or
E:\FR\FM\07NON1.SGM
07NON1
60112
Federal Register / Vol. 84, No. 216 / Thursday, November 7, 2019 / Notices
regulatory in nature—the relevant
records may be referred to the
appropriate federal, state, local,
territorial, tribal, or foreign law
enforcement authority or other
appropriate entity charged with the
responsibility for investigating or
prosecuting such violation or charged
with enforcing or implementing such
law.
(B) To complainants and/or victims to
the extent necessary to provide such
persons with information and
explanations concerning the progress
and/or results of the investigation or
case arising from the matters of which
they complained and/or of which they
were a victim.
(C) To any person or entity that the
DOJ has reason to believe possesses
information regarding a matter within
the jurisdiction of the DOJ, to the extent
deemed to be necessary by the DOJ in
order to elicit such information or
cooperation from the recipient for use in
the performance of an authorized
activity.
(D) In an appropriate proceeding
before a court, grand jury, or
administrative or adjudicative body,
when DOJ determines that the records
are arguably relevant to the proceeding;
or in an appropriate proceeding before
an administrative or adjudicative body
when the adjudicator determines the
records to be relevant to the proceeding.
(E) To an actual or potential party to
litigation or the party’s authorized
representative for the purpose of
negotiation or discussion of such
matters as settlement, plea bargaining,
or informal discovery proceedings.
(F) To the news media and the public,
including disclosures pursuant to 28
CFR. 50.2, unless it is determined that
release of the specific information in the
context of a particular case would
constitute an unwarranted invasion of
personal privacy.
(G) To contractors, grantees, experts,
consultants, students, and others
performing or working on a contract,
service, grant, cooperative agreement, or
other assignment for the Federal
Government, when necessary to
accomplish an agency function related
to this system of records.
(H) To designated officers and
employees of state, local, territorial, or
tribal law enforcement or detention
agencies in connection with the hiring
or continued employment of an
employee or contractor, where the
employee or contractor would occupy or
occupies a position of public trust as a
law enforcement officer or detention
officer having direct contact with the
public or with prisoners or detainees, to
the extent that the information is
VerDate Sep<11>2014
17:55 Nov 06, 2019
Jkt 250001
relevant and necessary to the recipient
agency’s decision.
(I) To appropriate officials and
employees of a Federal agency or entity
that requires information relevant to a
decision concerning the hiring,
appointment, or retention of an
employee; the assignment, detail, or
deployment of an employee; the
issuance, renewal, suspension, or
revocation of a security clearance; the
execution of a security or suitability
investigation; the letting of a contract, or
the issuance of a grant or benefit.
(J) To a former employee of the
Department for purposes of: responding
to an official inquiry by a federal, state,
or local government entity or
professional licensing authority, in
accordance with applicable Department
regulations; or facilitating
communications with a former
employee that may be necessary for
personnel-related or other official
purposes where the Department requires
information and/or consultation
assistance from the former employee
regarding a matter within that person’s
former area of responsibility.
(K) To Federal, state, local, territorial,
tribal, foreign, or international licensing
agencies or associations which require
information concerning the suitability
or eligibility of an individual for a
license or permit.
(L) To a Member of Congress or staff
acting upon the Member’s behalf when
the Member or staff requests the
information on behalf of, and at the
request of, the individual who is the
subject of the record.
(M) To the National Archives and
Records Administration for purposes of
records management inspections
conducted under the authority of 44
U.S.C. 2904 and 2906.
(N) To appropriate agencies, entities,
and persons when (1) the Department
suspects or has confirmed that there has
been a breach of the system of records;
(2) the Department has determined that
as a result of the suspected or confirmed
breach there is a risk of harm to
individuals, the Department (including
its information systems, programs, and
operations), the Federal Government, or
national security; and (3) the disclosure
made to such agencies, entities, and
persons is reasonably necessary to assist
in connection with the Department’s
efforts to respond to the suspected or
confirmed breach or to prevent,
minimize, or remedy such harm.
(O) To another Federal agency or
Federal entity, when the Department
determines that information from this
system of records is reasonably
necessary to assist the recipient agency
or entity in (1) responding to a
PO 00000
Frm 00061
Fmt 4703
Sfmt 4703
suspected or confirmed breach, or (2)
preventing, minimizing, or remedying
the risk of harm to individuals, the
recipient agency or entity (including its
information systems, programs, and
operations), the Federal Government, or
national security, resulting from a
suspected or confirmed breach.
(P) To any agency, organization, or
individual for the purpose of performing
the Department’s authorized audit or
oversight operations and meeting
related reporting requirements.
(Q) To such recipients and under such
circumstances and procedures as are
mandated by Federal statute or treaty.
POLICIES AND PRACTICES FOR STORAGE OF
RECORDS:
All records in this system of records
are maintained electronically and are in
compliance with applicable executive
orders, statutes, and agency
implementing recommendations.
Electronic records are stored in
databases and/or on hard disks,
removable storage devices, or other
electronic media.
POLICIES AND PRACTICES FOR RETRIEVAL OF
RECORDS:
Records can be retrieved through the
system portal or through a connecting
system via a connector or application
program interface (API). The records are
searchable using First Name, Last Name,
Email Address, Social Security Number,
Birth Date, Components, Process Status,
and Person ID.
POLICIES AND PRACTICES FOR RETENTION AND
DISPOSAL OF RECORDS:
Records in this system are retained
and disposed of in accordance with the
schedule approved by the Archivist of
the United States, General Records
Schedule 3.2, for records created and
maintained by Federal agencies related
to protecting the security of information
technology systems and data, and
responding to computer security
incident.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL
SAFEGUARDS:
The system meets all DOJ
requirements for authorization to
operate per DOJ Order 0904,
Cybersecurity Program. Specifically,
information in this system is maintained
in accordance with applicable laws,
rules, and policies on protecting
individual privacy. The servers storing
electronic data and the backup tapes
stored onsite are located in locked
rooms with access limited to authorized
agency personnel. Backup tapes stored
offsite are maintained in accordance
with a government contract that requires
adherence to applicable laws, rules, and
E:\FR\FM\07NON1.SGM
07NON1
Federal Register / Vol. 84, No. 216 / Thursday, November 7, 2019 / Notices
policies. Internet connections are
protected by multiple firewalls. Security
personnel conduct periodic
vulnerability scans using DOJ-approved
software to ensure security compliance
and security logs are enabled for all
computers to assist in troubleshooting
and forensics analysis during incident
investigations. Users of individual
computers can only gain access to the
data by a valid user identification and
authentication.
RECORD ACCESS PROCEDURES:
All requests for access to records must
be in writing and should be mailed to
the Justice Management Division,
ATTN: FOIA Contact, Robert F.
Kennedy Department of Justice
Building, Room 1111, 950 Pennsylvania
Avenue NW, Washington, DC 20530,
sent by facsimile to (202) 616–6695, or
emailed to JMDFOIA@usdoj.gov. The
envelope and letter should be clearly
marked ‘‘Privacy Act Access Request.’’
The request must describe the records
sought in sufficient detail to enable
Department personnel to locate them
with a reasonable amount of effort. The
request must include a general
description of the records sought and
must include the requester’s full name,
current address, and date and place of
birth. The request must be signed and
either notarized or submitted under
penalty of perjury.
Although no specific form is required,
requesters may obtain sample request
forms from the FOIA/Privacy Act Mail
Referral Unit, United States Department
of Justice, 950 Pennsylvania Avenue
NW, Washington, DC 20530, or on the
Department of Justice website: https://
www.justice.gov/oip/oip-request.html.
More information regarding the
Department’s procedures for accessing
records in accordance with the Privacy
Act can be found at 28 CFR part 16
subpart D, ‘‘Protection of Privacy and
Access to Individual Records Under the
Privacy Act of 1974.’’
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest or
amend records maintained in this
system of records must direct their
requests to the address indicated in the
‘‘RECORD ACCESS PROCEDURES’’
paragraph, above. All requests to contest
or amend records must be in writing,
with the envelope and letter clearly
marked ‘‘Privacy Act Amendment
Request.’’
All requests must state clearly and
concisely what record is being
contested, the reasons for contesting it,
and the proposed amendment to the
record.
VerDate Sep<11>2014
17:55 Nov 06, 2019
Jkt 250001
More information regarding the
Department’s procedures for amending
or contesting records in accordance with
the Privacy Act can be found at 28 CFR
16.46, ‘‘Requests for Amendment or
Correction of Records.’’
NOTIFICATION PROCEDURES:
Individuals may be notified if a record
in this system of records pertains to
them when the individuals request
information utilizing the same
procedures as those identified in the
‘‘RECORD ACCESS PROCEDURES’’
paragraph, above.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
[FR Doc. 2019–24246 Filed 11–6–19; 8:45 am]
BILLING CODE 4410–NW–P
DEPARTMENT OF JUSTICE
[OMB Number 1122–0032]
Agency Information Collection
Activities; Proposed eCollection
eComments Requested; Extension of a
Currently Approved Collection
Office on Violence Against
Women, Department of Justice.
ACTION: 30-Day notice.
AGENCY:
The Department of Justice,
Office on Violence Against Women
(OVW) will be submitting the following
information collection request to the
Office of Management and Budget
(OMB) for review and approval in
accordance with the Paperwork
Reduction Act of 1995. The proposed
information collection was previously
published in the Federal Register on
June 28, 2019 allowing for a 60 day
comment period.
DATES: Comments are encouraged and
will be accepted for 30 days until
December 9, 2019.
FOR FURTHER INFORMATION CONTACT:
Written comments and/or suggestion
regarding the items contained in this
notice, especially the estimated public
burden and associated response time,
should be directed to Cathy Poston,
Office on Violence Against Women, at
202–514–5430 or Catherine.poston@
usdoj.gov. Written comments and/or
suggestions can also be sent to the
Office of Management and Budget,
Office of Information and Regulatory
Affairs, Attention Department of Justice
Desk Officer, Washington, DC 20530 or
sent to OIRA_submissions@
omb.eop.gov.
SUMMARY:
PO 00000
Frm 00062
Fmt 4703
Sfmt 4703
60113
Written
comments and suggestions from the
public and affected agencies concerning
the proposed collection of information
are encouraged. Your comments should
address one or more of the following
four points:
(1) Evaluate whether the proposed
collection of information is necessary
for the proper performance of the
functions of the agency, including
whether the information will have
practical utility;
(2) Evaluate the accuracy of the
agency’s estimate of the burden of the
proposed collection of information,
including the validity of the
methodology and assumptions used;
(3) Enhance the quality, utility, and
clarity of the information to be
collected; and
(4) Minimize the burden of the
collection of information on those who
are to respond, including through the
use of appropriate automated,
electronic, mechanical, or other
technological collection techniques or
other forms of information technology,
e.g., permitting electronic submission of
responses.
SUPPLEMENTARY INFORMATION:
Overview of This Information
Collection
(1) Type of Information Collection:
Extension of a currently approved
collection.
(2) Title of the Form/Collection: SemiAnnual Progress Report for Justice for
Families Program.
(3) Agency form number, if any, and
the applicable component of the
Department of Justice sponsoring the
collection: Form Number: 1122–0032.
U.S. Department of Justice, Office on
Violence Against Women.
(4) Affected public who will be asked
or required to respond, as well as a brief
abstract: The affected public includes
the current grantees under the Justice
for Families Program. The Justice for
Families Program improves the response
of all aspects of the civil and criminal
justice system to families with a history
of domestic violence, dating violence,
sexual assault and stalking, or in cases
involving allegations of child sexual
abuse. Eligible applicants are states,
units of local government, courts, Indian
tribal governments, nonprofit
organizations, legal service providers,
and victim services providers. The
affected public includes the
approximately 70 Justice for Families
Program grantees.
(5) An estimate of the total number of
respondents and the amount of time
estimated for an average respondent to
respond/reply: It is estimated that it will
take the approximately 70 respondents
E:\FR\FM\07NON1.SGM
07NON1
]]>Agencies
[Federal Register Volume 84, Number 216 (Thursday, November 7, 2019)]
[Notices]
[Pages 60110-60113]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-24246]
-----------------------------------------------------------------------
DEPARTMENT OF JUSTICE
[CPCLO Order No. 012-2019]
Privacy Act of 1974; Systems of Records
AGENCY: United States Department of Justice.
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: Pursuant to the Privacy Act of 1974 and Office of Management
and Budget (OMB) Circular No. A-108, notice is hereby given that the
United States Department of Justice (DOJ or Department), proposes to
develop a new system of records titled ``DOJ Identity, Credential, and
Access Service Records System,'' JUSTICE/DOJ-020. DOJ proposes to
establish this system of records as a part of the Department's
Enterprise Identity, Credential, and Access Management services, which
will serve as a central and authoritative identity management data
repository for DOJ identity information. JUSTICE/DOJ-020 combines user
information from various data sources to provide a centralized and
authoritative identity governance solution.
DATES: In accordance with 5 U.S.C. 552a(e)(4) and (11), this system of
records is effective upon publication, subject to a 30-day period in
which to comment on the routine uses, described below. Please submit
any comments by December 9, 2019.
ADDRESSES: The public, OMB, and Congress are invited to submit any
comments by mail to the United States Department of Justice, Office of
Privacy and Civil Liberties, ATTN: Privacy Analyst, Two Constitution
Square, 145 N Street NE, Suite 8W.300, Washington, DC 20530; by
facsimile at (202) 307-0693; or by email at
[email protected]. To ensure proper handling, please
reference the above CPCLO Order No. on your correspondence.
FOR FURTHER INFORMATION CONTACT: Nickolous Ward, DOJ Chief Information
Security Officer, (202) 514-3101, 145 N Street NE, Washington, DC
20530.
SUPPLEMENTARY INFORMATION: In accordance with the Federal Information
Security Modernization Act of 2014, DOJ is responsible for complying
with policies and procedures issued by the OMB and implementing
information security protections commensurate with the risk and
magnitude of harm resulting from the unauthorized access, use,
disclosure, disruption, modification, or destruction of DOJ information
and information systems. 44 U.S.C. 3554. OMB policy requires agencies
to properly identify, credential, monitor, and manage subjects that
access Federal resources, including information, information systems,
facilities, and secured areas. See Office of Management and Budget M-
19-17, Enabling Mission Delivery through Improved Identity, Credential,
[[Page 60111]]
and Access Management (May 21, 2019). DOJ's compliance with the Federal
Identity, Credential, and Access Management (ICAM) policy is essential
to meeting DOJ's information security and privacy risk management
responsibilities.
JUSTICE/DOJ-020 will serve as DOJ's central and authoritative ICAM
record repository for DOJ Identity Services, a program that allows DOJ
management and information system staff to monitor and manage
enterprise identities (e.g., DOJ employees, contractors, mission or
business partners, devices, etc.) to DOJ information and information
systems. DOJ will collect and maintain identity records in order to
manage enterprise accounts across DOJ components and business units
within DOJ. Such activities can include, but are not limited to,
account request, creation, modification, removal, and annual account
recertification across DOJ components and business units within DOJ.
In accordance with 5 U.S.C. 552a(r), the Department has provided a
report to OMB and Congress on this new system of records.
Dated: November 1, 2019.
Peter A. Winn,
Acting Chief Privacy and Civil Liberties Officer, United States
Department of Justice.
JUSTICE/DOJ-020
SYSTEM NAME AND NUMBER
DOJ Identity, Credential, and Access Service Records System,
JUSTICE/DOJ-020.
SECURITY CLASSIFICATION:
The system is unclassified.
SYSTEM LOCATION:
Records will be maintained electronically at one or more of the
Department's data centers, including, but not limited to, one or more
of the Department's Core Enterprise Facilities (CEF), including, but
not limited to, the Department's CEF East, Clarksburg, WV 26306, or CEF
West, Pocatello, ID 83201. Records within this system of records may be
transferred to a Department-authorized cloud service provider within
the Continental United States. Access to these electronic records may
occur at any location at which the DOJ, Justice Management Division,
Office of the Chief Information Officer, Cybersecurity Services Staff
(DOJ CSS) operates or where DOJ CSS operations are supported, including
the Two Constitution Square building, 145 N Street NE, Washington, DC
20530. Some or all of the information in the system may be duplicated
at other locations where the Department has granted direct access to
support DOJ CSS operations, system backup, emergency preparedness, and/
or continuity of operations. To determine the location of a particular
record maintained in this system of records, contact the system
manager, whose contact information is listed in the ``SYSTEM
MANAGER(S)'' paragraph, below.
SYSTEM MANAGER(S):
DOJ Chief Information Security Officer, (202) 514-3101, 145 N
Street NE, Washington, DC 20530.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Federal Information Security Modernization Act of 2014, 44 U.S.C.
3551 et seq.; 44 U.S.C 3504; Homeland Security Presidential Directive
12: Policy for a Common Identification Standard for Federal Employees
and Contractors (Aug. 2015); FIPS 201-2, Personal Identity Verification
(PIV) of Federal Employees and Contractors (Aug. 2013); OMB Circular A-
130, Managing Information as a Strategic Resource (July 2016); OMB
Memorandum M-10-28, Clarifying Cybersecurity Responsibilities and
Activities of the Executive Office of the President and the Department
of Homeland Security (July 6, 2010); OMB Memorandum M-14-03, Enhancing
the Security of Federal Information and Information Systems (Nov. 18,
2013); OMB Memorandum M-19-17, Enabling Mission Delivery through
Improved Identity, Credential, and Access Management (May 21, 2019).
PURPOSE(S) OF THE SYSTEM:
DOJ establishes this system of records to support the information
and information systems serving as the central and authoritative
identity management data repository for DOJ enterprise identities. This
system of records will allow management and IT staff to monitor and
manage user access to DOJ information systems across departments and
business units within DOJ. Such activities include, but are not limited
to, account requests, creation, modification, removal, and annual
account recertification.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
All DOJ employees and contractors, DOJ information system users,
and individuals granted access to DOJ information.
CATEGORIES OF RECORDS IN THE SYSTEM:
User identity information, such as name and associated identities;
user identification information (e.g., username); home and/or work
address(es); personal and/or work email address(es); personal and/or
work telephone numbers; duty city, county, state, and/or station
information; Social Security Number; sponsorship information; employee
identification information; employment and enrollment information;
assigned government furnished equipment information (mobile device
identifiers); and biometric identifiers (e.g., fingerprints and high-
resolution photographs).
Identity investigation and adjudication information.
Assigned card information, such as associated identity information;
card activated date; card delivered date; credential and certificate
information; card reissue request and replacement information; card
replacement status; card reprint request status; card suspended and
termination dates; and user account flags.
Training information, including but not limited to, date training
is required to be completed, date training was assigned, and date
training was completed.
Access management information, such as information system roles
held by an identity.
RECORD SOURCE CATEGORIES:
Information will feed into this system of records from a number of
source systems: USAccess (including records in GSA/GOVT-7, Personal
Identity Verification Identity Management System (PIV IDMS), last
published in full at 71 FR 56983 (Sept. 28, 2006)); National Finance
Center (NFC); Justice Security Tracking and Adjudication Record System
(JSTARS) (including records in JUSTICE/DOJ-006, Personnel Investigation
and Security Clearance Records for the Department of Justice, last
published in full at 67 FR 59864 (Sept. 24, 2002)); and LearnDOJ.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C.
552a(b), all or a portion of the records or information contained in
this system of records may be disclosed as a routine use, pursuant to 5
U.S.C. 552a(b)(3) under the circumstances or for the purposes described
below, to the extent such disclosures are compatible with the purposes
for which the information was collected.
(A) Where a record, either alone or in conjunction with other
information, indicates a violation or potential violation of law--
criminal, civil, or
[[Page 60112]]
regulatory in nature--the relevant records may be referred to the
appropriate federal, state, local, territorial, tribal, or foreign law
enforcement authority or other appropriate entity charged with the
responsibility for investigating or prosecuting such violation or
charged with enforcing or implementing such law.
(B) To complainants and/or victims to the extent necessary to
provide such persons with information and explanations concerning the
progress and/or results of the investigation or case arising from the
matters of which they complained and/or of which they were a victim.
(C) To any person or entity that the DOJ has reason to believe
possesses information regarding a matter within the jurisdiction of the
DOJ, to the extent deemed to be necessary by the DOJ in order to elicit
such information or cooperation from the recipient for use in the
performance of an authorized activity.
(D) In an appropriate proceeding before a court, grand jury, or
administrative or adjudicative body, when DOJ determines that the
records are arguably relevant to the proceeding; or in an appropriate
proceeding before an administrative or adjudicative body when the
adjudicator determines the records to be relevant to the proceeding.
(E) To an actual or potential party to litigation or the party's
authorized representative for the purpose of negotiation or discussion
of such matters as settlement, plea bargaining, or informal discovery
proceedings.
(F) To the news media and the public, including disclosures
pursuant to 28 CFR. 50.2, unless it is determined that release of the
specific information in the context of a particular case would
constitute an unwarranted invasion of personal privacy.
(G) To contractors, grantees, experts, consultants, students, and
others performing or working on a contract, service, grant, cooperative
agreement, or other assignment for the Federal Government, when
necessary to accomplish an agency function related to this system of
records.
(H) To designated officers and employees of state, local,
territorial, or tribal law enforcement or detention agencies in
connection with the hiring or continued employment of an employee or
contractor, where the employee or contractor would occupy or occupies a
position of public trust as a law enforcement officer or detention
officer having direct contact with the public or with prisoners or
detainees, to the extent that the information is relevant and necessary
to the recipient agency's decision.
(I) To appropriate officials and employees of a Federal agency or
entity that requires information relevant to a decision concerning the
hiring, appointment, or retention of an employee; the assignment,
detail, or deployment of an employee; the issuance, renewal,
suspension, or revocation of a security clearance; the execution of a
security or suitability investigation; the letting of a contract, or
the issuance of a grant or benefit.
(J) To a former employee of the Department for purposes of:
responding to an official inquiry by a federal, state, or local
government entity or professional licensing authority, in accordance
with applicable Department regulations; or facilitating communications
with a former employee that may be necessary for personnel-related or
other official purposes where the Department requires information and/
or consultation assistance from the former employee regarding a matter
within that person's former area of responsibility.
(K) To Federal, state, local, territorial, tribal, foreign, or
international licensing agencies or associations which require
information concerning the suitability or eligibility of an individual
for a license or permit.
(L) To a Member of Congress or staff acting upon the Member's
behalf when the Member or staff requests the information on behalf of,
and at the request of, the individual who is the subject of the record.
(M) To the National Archives and Records Administration for
purposes of records management inspections conducted under the
authority of 44 U.S.C. 2904 and 2906.
(N) To appropriate agencies, entities, and persons when (1) the
Department suspects or has confirmed that there has been a breach of
the system of records; (2) the Department has determined that as a
result of the suspected or confirmed breach there is a risk of harm to
individuals, the Department (including its information systems,
programs, and operations), the Federal Government, or national
security; and (3) the disclosure made to such agencies, entities, and
persons is reasonably necessary to assist in connection with the
Department's efforts to respond to the suspected or confirmed breach or
to prevent, minimize, or remedy such harm.
(O) To another Federal agency or Federal entity, when the
Department determines that information from this system of records is
reasonably necessary to assist the recipient agency or entity in (1)
responding to a suspected or confirmed breach, or (2) preventing,
minimizing, or remedying the risk of harm to individuals, the recipient
agency or entity (including its information systems, programs, and
operations), the Federal Government, or national security, resulting
from a suspected or confirmed breach.
(P) To any agency, organization, or individual for the purpose of
performing the Department's authorized audit or oversight operations
and meeting related reporting requirements.
(Q) To such recipients and under such circumstances and procedures
as are mandated by Federal statute or treaty.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
All records in this system of records are maintained electronically
and are in compliance with applicable executive orders, statutes, and
agency implementing recommendations. Electronic records are stored in
databases and/or on hard disks, removable storage devices, or other
electronic media.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records can be retrieved through the system portal or through a
connecting system via a connector or application program interface
(API). The records are searchable using First Name, Last Name, Email
Address, Social Security Number, Birth Date, Components, Process
Status, and Person ID.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records in this system are retained and disposed of in accordance
with the schedule approved by the Archivist of the United States,
General Records Schedule 3.2, for records created and maintained by
Federal agencies related to protecting the security of information
technology systems and data, and responding to computer security
incident.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
The system meets all DOJ requirements for authorization to operate
per DOJ Order 0904, Cybersecurity Program. Specifically, information in
this system is maintained in accordance with applicable laws, rules,
and policies on protecting individual privacy. The servers storing
electronic data and the backup tapes stored onsite are located in
locked rooms with access limited to authorized agency personnel. Backup
tapes stored offsite are maintained in accordance with a government
contract that requires adherence to applicable laws, rules, and
[[Page 60113]]
policies. Internet connections are protected by multiple firewalls.
Security personnel conduct periodic vulnerability scans using DOJ-
approved software to ensure security compliance and security logs are
enabled for all computers to assist in troubleshooting and forensics
analysis during incident investigations. Users of individual computers
can only gain access to the data by a valid user identification and
authentication.
RECORD ACCESS PROCEDURES:
All requests for access to records must be in writing and should be
mailed to the Justice Management Division, ATTN: FOIA Contact, Robert
F. Kennedy Department of Justice Building, Room 1111, 950 Pennsylvania
Avenue NW, Washington, DC 20530, sent by facsimile to (202) 616-6695,
or emailed to [email protected]. The envelope and letter should be
clearly marked ``Privacy Act Access Request.'' The request must
describe the records sought in sufficient detail to enable Department
personnel to locate them with a reasonable amount of effort. The
request must include a general description of the records sought and
must include the requester's full name, current address, and date and
place of birth. The request must be signed and either notarized or
submitted under penalty of perjury.
Although no specific form is required, requesters may obtain sample
request forms from the FOIA/Privacy Act Mail Referral Unit, United
States Department of Justice, 950 Pennsylvania Avenue NW, Washington,
DC 20530, or on the Department of Justice website: https://www.justice.gov/oip/oip-request.html.
More information regarding the Department's procedures for
accessing records in accordance with the Privacy Act can be found at 28
CFR part 16 subpart D, ``Protection of Privacy and Access to Individual
Records Under the Privacy Act of 1974.''
CONTESTING RECORD PROCEDURES:
Individuals seeking to contest or amend records maintained in this
system of records must direct their requests to the address indicated
in the ``RECORD ACCESS PROCEDURES'' paragraph, above. All requests to
contest or amend records must be in writing, with the envelope and
letter clearly marked ``Privacy Act Amendment Request.''
All requests must state clearly and concisely what record is being
contested, the reasons for contesting it, and the proposed amendment to
the record.
More information regarding the Department's procedures for amending
or contesting records in accordance with the Privacy Act can be found
at 28 CFR 16.46, ``Requests for Amendment or Correction of Records.''
NOTIFICATION PROCEDURES:
Individuals may be notified if a record in this system of records
pertains to them when the individuals request information utilizing the
same procedures as those identified in the ``RECORD ACCESS PROCEDURES''
paragraph, above.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
[FR Doc. 2019-24246 Filed 11-6-19; 8:45 am]
BILLING CODE 4410-NW-P
