Privacy Act of 1974; System of Records, 76036-76038 [2022-26903]
Download as PDF
lotter on DSK11XQN23PROD with NOTICES1
76036
Federal Register / Vol. 87, No. 237 / Monday, December 12, 2022 / Notices
Take notice that the Commission
received the following electric rate
filings:
Docket Numbers: ER20–2878–016.
Applicants: Pacific Gas and Electric
Company.
Description: Compliance filing: WDT
Stipulation Compliance Filing to be
effective 4/15/2021.
Filed Date: 12/5/22.
Accession Number: 20221205–5123.
Comment Date: 5 p.m. ET 12/27/22.
Docket Numbers: ER22–2933–001.
Applicants: Nevada Power Company,
Sierra Pacific Power Company.
Description: Tariff Amendment:
Nevada Power Company submits tariff
filing per 35.17(b): Response to
Deficiency Letter to be effective 12/1/
2022.
Filed Date: 12/6/22.
Accession Number: 20221206–5078.
Comment Date: 5 p.m. ET 12/27/22.
Docket Numbers: ER23–52–001.
Applicants: Westlake Chemicals &
Vinyls LLC.
Description: Tariff Amendment:
Amendment to Notice of Succession in
Docket ER23–52–000 to be effective 10/
12/2022.
Filed Date: 12/6/22.
Accession Number: 20221206–5116.
Comment Date: 5 p.m. ET 12/27/22.
Docket Numbers: ER23–68–002.
Applicants: PJM Interconnection,
L.L.C.
Description: Tariff Amendment:
Revised ISA, SA No. 1949; Queue No.
NQ16 (Amend) Correction to Filing to
be effective 4/17/2008.
Filed Date: 12/6/22.
Accession Number: 20221206–5098.
Comment Date: 5 p.m. ET 12/27/22.
Docket Numbers: ER23–456–001.
Applicants: Public Service Company
of Colorado.
Description: Tariff Amendment:
2022–12–06 WAPA 359 0.2.0
Amendment filing to be effective 12/28/
2022.
Filed Date: 12/6/22.
Accession Number: 20221206–5046.
Comment Date: 5 p.m. ET 12/27/22.
Docket Numbers: ER23–563–000.
Applicants: PJM Interconnection,
L.L.C.
Description: § 205(d) Rate Filing:
Revisions to OA re: termination of
Volunteer Energy Services, Inc. to be
effective 2/4/2023.
Filed Date: 12/5/22.
Accession Number: 20221205–5122.
Comment Date: 5 p.m. ET 12/27/22.
Docket Numbers: ER23–565–000.
Applicants: Midcontinent
Independent System Operator, Inc.,
Ameren Transmission Company of
Illinois.
VerDate Sep<11>2014
18:08 Dec 09, 2022
Jkt 259001
Description: § 205(d) Rate Filing:
Midcontinent Independent System
Operator, Inc. submits tariff filing per
35.13(a)(2)(iii: 2022–12–06_SA 3936, SA
3937 & SA 3938 ATXI-Sikeston
Agreements to be effective 2/5/2023.
Filed Date: 12/6/22.
Accession Number: 20221206–5041.
Comment Date: 5 p.m. ET 12/27/22.
Docket Numbers: ER23–566–000.
Applicants: AEP Texas Inc.
Description: § 205(d) Rate Filing:
AEPTX-Coleman County EC-Golden
Spread EC 2nd A&R IA to be effective
11/17/2022.
Filed Date: 12/6/22.
Accession Number: 20221206–5109.
Comment Date: 5 p.m. ET 12/27/22.
Take notice that the Commission
received the following electric securities
filings:
Docket Numbers: ES23–2–000.
Applicants: Lucky Corridor, LLC.
Description: Amendment to
Application Under Section 204 of the
Federal Power Act for Authorization to
Issue Securities of Lucky Corridor, LLC.
Filed Date: 11/29/22.
Accession Number: 20221129–5180.
Comment Date: 5 p.m. ET 12/20/22.
The filings are accessible in the
Commission’s eLibrary system (https://
elibrary.ferc.gov/idmws/search/
fercgensearch.asp) by querying the
docket number.
Any person desiring to intervene or
protest in any of the above proceedings
must file in accordance with Rules 211
and 214 of the Commission’s
Regulations (18 CFR 385.211 and
385.214) on or before 5:00 p.m. Eastern
time on the specified comment date.
Protests may be considered, but
intervention is necessary to become a
party to the proceeding.
eFiling is encouraged. More detailed
information relating to filing
requirements, interventions, protests,
service, and qualifying facilities filings
can be found at: https://www.ferc.gov/
docs-filing/efiling/filing-req.pdf. For
other information, call (866) 208–3676
(toll free). For TTY, call (202) 502–8659.
Dated: December 6, 2022.
Kimberly D. Bose,
Secretary.
[FR Doc. 2022–26915 Filed 12–9–22; 8:45 am]
BILLING CODE 6717–01–P
PO 00000
Frm 00013
Fmt 4703
Sfmt 4703
ENVIRONMENTAL PROTECTION
AGENCY
[FRL–10299–01–OMS]
Privacy Act of 1974; System of
Records
Office of Mission Support
(OMS), Environmental Protection
Agency (EPA).
ACTION: Notice of a new system of
records.
AGENCY:
The U.S. Environmental
Protection Agency’s (EPA) Office of
Mission Support (OMS) is giving notice
that it proposes to create a new system
of records pursuant to the provisions of
the Privacy Act of 1974. EPA is creating
the Enterprise Physical Access Control
System (ePACS) to collect and maintain
employee and contractor information
that is used to determine suitability for
physical access to EPA-managed
facilities and certain restricted areas
within these facilities.
DATES: Persons wishing to comment on
this system of records notice must do so
by January 11, 2023.
Routine uses; for this new system of
records will be effective January 11,
2023.
SUMMARY:
Submit your comments,
identified by Docket ID No. EPA–HQ–
OMS–2022–0847, by one of the
following methods:
Federal eRulemaking Portal: https://
www.regulations.gov. Follow the online
instructions for submitting comments.
Email: docket_oms@epa.gov. Include
the Docket ID number in the subject line
of the message.
Fax: (202) 566–1752.
Mail: OMS Docket, Environmental
Protection Agency, Mail Code: 2822T,
1200 Pennsylvania Ave. NW,
Washington, DC 20460.
Hand Delivery: OMS Docket, EPA/DC,
WJC West Building, Room 3334, 1301
Constitution Ave. NW, Washington, DC
20460. Such deliveries are only
accepted during the Docket’s normal
hours of operation, and special
arrangements should be made for
deliveries of boxed information.
Instructions: Direct your comments to
Docket ID No. EPA–HQ–OMS–2022–
0847. The EPA’s policy is that all
comments received will be included in
the public docket without change and
may be made available online at https://
www.regulations.gov, including any
personal information provided, unless
the comment includes information
claimed to be Controlled Unclassified
Information (CUI) or other information
for which disclosure is restricted by
statute. Do not submit information that
ADDRESSES:
E:\FR\FM\12DEN1.SGM
12DEN1
Federal Register / Vol. 87, No. 237 / Monday, December 12, 2022 / Notices
you consider to be CUI or otherwise
protected through https://
www.regulations.gov. The https://
www.regulations.gov website is an
‘‘anonymous access’’ system for the
EPA, which means the EPA will not
know your identity or contact
information. If you submit an electronic
comment, the EPA recommends that
you include your name and other
contact information in the body of your
comment. If the EPA cannot read your
comment due to technical difficulties
and cannot contact you for clarification,
the EPA may not be able to consider
your comment. If you send an email
comment directly to the EPA without
going through https://
www.regulations.gov, your email
address will be automatically captured
and included as part of the comment
that is placed in the public docket and
made available on the internet.
Electronic files should avoid the use of
special characters, any form of
encryption, and be free of any defects or
viruses. For additional information
about the EPA public docket, visit the
EPA Docket Center homepage at https://
www.epa.gov/dockets.
Docket: All documents in the docket
are listed in the https://
www.regulations.gov index. Although
listed in the index, some information is
not publicly available, e.g., CUI or other
information for which disclosure is
restricted by statute. Certain other
material, such as copyrighted material,
will be publicly available only in hard
copy. Publicly available docket
materials are available either
electronically in https://
www.regulations.gov or in hard copy at
the OMS Docket, EPA/DC, WJC West
Building, Room 3334, 1301 Constitution
Ave. NW, Washington, DC 20460. The
Public Reading Room is normally open
from 8:30 a.m. to 4:30 p.m., Monday
through Friday excluding legal holidays.
The telephone number for the Public
Reading Room is (202) 566–1744, and
the telephone number for the OMS
Docket is (202) 566–1752. Further
information about EPA Docket Center
services and current operating status is
available at https://www.epa.gov/
dockets.
lotter on DSK11XQN23PROD with NOTICES1
FOR FURTHER INFORMATION CONTACT:
James Cunningham, Information
Technology (IT) Project Manager, Office
of Mission Support, Environmental
Protection Agency, 1301 Constitution
Ave. NW, Washington, DC 20460,
cunningham.james@epa.gov.
Jackie Brown, Information System
Security Officer, Office of Mission
Support, Environmental Protection
Agency, 1301 Constitution Ave. NW,
VerDate Sep<11>2014
18:08 Dec 09, 2022
Jkt 259001
Washington, DC 20460, brown.jackie@
epa.gov.
Enterprise
Physical Access Control System
(ePACS) comprises non-traditional IT
hardware such as Personal Identity
Verification (PIV) card readers, control
panels, closed circuit video cameras,
building intrusion detection sensors,
alarm keypads, and emergency door
buttons that are tightly integrated into
one ePACS system that is centrally
managed in a virtual server
environment. An employee or
contractor must register their PIV card
with ePACS. During the registration
process, the following information is
collected and stored in an ePACS
centralized database: first name, last
name, PIV card serial number, image,
expiration date, affiliation (employee or
contractor), and organization. Specific
access clearances are then granted to a
PIV card credential which allows access
to EPA buildings, doors, rooms,
elevators, and other physical access
points. Information collected each time
the PIV card credential is used is stored
in the ePACS centralized database. This
information assists EPA in monitoring
its facilities, buildings, and other
physical access points to ensure that
only authorized personnel gain entry.
EPA is developing ePACS to comply
with Homeland Security Presidential
Directive-12: Policy for a Common
Identification Standard for Federal
Employees and Contractors (HSPD–12),
and with the Office of Management and
Budget (OMB) Memorandum M–11–11
Continued Implementation of HSPD–12.
HSPD–12 mandates a government-wide
standard for secure and reliable forms of
identification issued by the Federal
Government to its employees and
contractors. M–11–11 requires use of a
PIV credential as the common means of
authentication for access to Federallycontrolled facilities, networks, and
information systems. To allow physical
entry to EPA-controlled facilities and
logical access to EPA information
systems, ePACS uses PIV smartcard
credentials issued to EPA employees
and contractors. A PIV smartcard links
an individual’s identity to an
identification credential that enables
that person to gain physical access to
federally-controlled buildings and
logical access to information systems.
SUPPLEMENTARY INFORMATION:
SYSTEM NAME AND NUMBER:
Enterprise Physical Access Control
System (ePACS), EPA–99.
SECURITY CLASSIFICATION:
Unclassified.
PO 00000
Frm 00014
Fmt 4703
Sfmt 4703
76037
SYSTEM LOCATION:
The system will be managed by the
Office of Mission Support,
Environmental Protection Agency, 1301
Constitution Ave. NW, Washington, DC
20460.
Electronically stored information is
hosted at the EPA National Computer
Center (NCC), 109 TW Alexander Drive,
Research Triangle Park, Durham, NC
27711.
SYSTEM MANAGER(S):
Alexandria DeLaCruz-Matthews,
Program Manager, Office of Mission
Support, Environmental Protection
Agency, 1301 Constitution Ave. NW,
Washington, DC 20460, delacruzmatthews.alexandria@epa.gov.
James Cunningham, IT Project
Manager, Office of Mission Support,
Environmental Protection Agency, 1301
Constitution Ave. NW, Washington, DC
20460, cunningham.james@epa.gov.
Jackie Brown, Information System
Security Officer, Office of Mission
Support, Environmental Protection
Agency, 1301 Constitution Ave. NW,
Washington, DC 20460, brown.jackie@
epa.gov.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Government Organization and
Employees, 5 U.S.C. 301; Management
of buildings by Administrator of General
Services, 40 U.S.C. 582; Lease
agreements, 40 U.S.C. 585; Public
Buildings under the control of
Administrator of General Services, 40
U.S.C. 3101; Agency Chief Information
Officer, 40 U.S.C. 11315; Federal
Information Security Management Act
of 2002, 44 U.S.C. 3501; 44 U.S.C. 3505,
44 U.S.C. 3506, 44 U.S.C. 3541; EGovernment Act of 2002, 44 U.S.C. 101,
Chapter 35; Federal Information
Processing Standards Publication (FIPS)
201–3, Personal Identity Verification
(PIV) of Federal Employees and
Contractors, and HSPD–12.
PURPOSE(S) OF THE SYSTEM:
The Agency will use the ePACS
system to collect and maintain
information required for and related to
authorized physical access to all EPAmanaged facilities and restricted areas
within these facilities across the United
States.
Collection and maintenance of this
information will help to:
1. Ensure the safety and security of
Federal facilities, systems, and
information, and of facility occupants
and users.
2. Provide for interoperability
between systems and locations to
individuals entering EPA facilities.
3. Ensure that all personnel
(employees and contractors) entering
E:\FR\FM\12DEN1.SGM
12DEN1
76038
Federal Register / Vol. 87, No. 237 / Monday, December 12, 2022 / Notices
EPA buildings have proper credentials
and to protect against unauthorized
access. The information will also
provide an audit trail for investigations,
if needed.
4. Allow logical access to Federal
information systems, networks, and
resources on a government-wide basis.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
EPA employees, contractor
employees, interns, and volunteers that
have valid credentials programmed for
specific access points.
CATEGORIES OF RECORDS IN THE SYSTEM:
Full name, photographs, surveillance
video recordings and camera images,
Full Cardholder Unique Identifier
(CHUID), credential ID, PIV card
number, Public Key Infrastructure (PKI)
certificate—(X509), Card Authentication
Key (CAK) certificate, person
classification, badge expiration date,
card state, User Principal Name (UPN),
Federal Agency Smart Card Number
(FASC–N), and Globally Unique
Identifier (GUID).
RECORD SOURCE CATEGORIES:
ePACS obtains information from
employees, contractor employees,
interns, and volunteers using their EPA
PIV credential. This information is
stored in a secure ePACS database and
updated when the PIV credential is used
at an access point. In addition, ePACS
collects information from video cameras
and video recording devices located at
and within EPA facilities in the United
States.
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND
PURPOSES OF SUCH USES:
The routine uses below are both
related to and compatible with the
original purpose for which the
information was collected. The
following general routine uses apply to
this system (86 FR 62527): A, B, C, D,
E, F, G, H, I, J, K, L, and M.
lotter on DSK11XQN23PROD with NOTICES1
POLICIES AND PRACTICES FOR STORAGE OF
RECORDS:
Records are stored on secure servers
within the ePACS Master and Satellite
Application Databases and can be
accessed only by authorized users over
EPA secure intranet using encryption
software. These records are maintained
electronically on computer storage
devices located at the U.S. EPA National
Computer Center, 109 T.W. Alexander
Drive, Research Triangle Park, NC
27711.
VerDate Sep<11>2014
18:08 Dec 09, 2022
Jkt 259001
POLICIES AND PRACTICES FOR RETRIEVAL OF
RECORDS:
Authorized user login/password
credentials and administrative
privileges are required to access the
ePACS software application. ePACS
records can only be accessed when
logged in to the ePACS application that
pulls these records from the ePACS
database. Records may be retrieved by
first name, last name, full name, email
address, FACSN, or Object ID Number.
POLICIES AND PRACTICES FOR RETENTION AND
DISPOSAL OF RECORDS:
Records are retained and disposed of
in accordance with applicable NARA
retention schedules as well as EPA
records schedules 089, 1008, and 1012.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL
SAFEGUARDS:
PII is safeguarded and protected in
conformance with all Federal statutes
and OMB requirements. Security
controls used to protect personal
sensitive data in ePACS are
commensurate with those required for
an information system rated
MODERATE for confidentiality,
integrity, and availability, as prescribed
in National Institute of Standards and
Technology (NIST) Special Publication,
800–53, ‘‘Security and Privacy Controls
for Information Systems and
Organizations,’’ Revision 5.
1. Administrative Safeguards: Only
authorized users are allowed access to
ePACS. Each authorized user must
complete a background investigation
with favorable results, must be assigned
to the appropriate security group,
acknowledge agency rules of behavior,
and complete annual privacy and
security training. In addition, personnel
are instructed to lock their computers
when they leave their desks.
2. Technical Safeguards: All ePACS
user access is limited by role-based
restrictions. In addition, ePACS
operators are required to enter a valid
username and password to gain access
to the system. Individuals granted
access privileges are screened for proper
credentials and added to the appropriate
Microsoft Windows security group
based on their Local Area Network
account. EPA maintains an audit log
trail for ePACS, which accounts for all
instances of users accessing the system.
EPA reviews audit logs periodically to
identify any unauthorized access.
3. Physical Safeguards: All ePACS
records are stored on database servers
located in secure, access-controlled
buildings. ePACS database and
application servers are in accesscontrolled rooms that require PIV
credentials for access. Only authorized
PO 00000
Frm 00015
Fmt 4703
Sfmt 9990
users are allowed access to
administrative accounts for ePACS
application and database servers.
RECORD ACCESS PROCEDURES:
All requests for access to personal
records should cite the Privacy Act of
1974 and reference the type of request
being made (i.e., access). Requests must
include: (1) the name and signature of
the individual making the request; (2)
the name of the Privacy Act system of
records to which the request relates; (3)
a statement whether a personal
inspection of the records or a copy of
them by mail is desired; and (4) proof
of identity. A full description of EPA’s
Privacy Act procedures for requesting
access to records is included in EPA’s
Privacy Act regulations at 40 CFR part
16.
CONTESTING RECORD PROCEDURES:
Requests for correction or amendment
must include: (1) the name and
signature of the individual making the
request; (2) the name of the Privacy Act
system of records to which the request
relates; (3) a description of the
information sought to be corrected or
amended and the specific reasons for
the correction or amendment; and (4)
proof of identity. A full description of
EPA’s Privacy Act procedures for the
correction or amendment of a record is
included in EPA’s Privacy Act
regulations at 40 CFR part 16.
NOTIFICATION PROCEDURES:
Individuals who wish to be informed
whether a Privacy Act system of records
maintained by EPA contains any record
pertaining to them, should make a
written request to the EPA, Attn:
Agency Privacy Officer, MC 2831T,
1200 Pennsylvania Ave. NW,
Washington, DC 20460, or by email at:
privacy@epa.gov. A full description of
EPA’s Privacy Act procedures is
included in EPA’s Privacy Act
regulations at 40 CFR part 16.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2022–26903 Filed 12–9–22; 8:45 am]
BILLING CODE 6560–50–P
E:\FR\FM\12DEN1.SGM
12DEN1
Agencies
[Federal Register Volume 87, Number 237 (Monday, December 12, 2022)]
[Notices]
[Pages 76036-76038]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-26903]
=======================================================================
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
[FRL-10299-01-OMS]
Privacy Act of 1974; System of Records
AGENCY: Office of Mission Support (OMS), Environmental Protection
Agency (EPA).
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: The U.S. Environmental Protection Agency's (EPA) Office of
Mission Support (OMS) is giving notice that it proposes to create a new
system of records pursuant to the provisions of the Privacy Act of
1974. EPA is creating the Enterprise Physical Access Control System
(ePACS) to collect and maintain employee and contractor information
that is used to determine suitability for physical access to EPA-
managed facilities and certain restricted areas within these
facilities.
DATES: Persons wishing to comment on this system of records notice must
do so by January 11, 2023.
Routine uses; for this new system of records will be effective
January 11, 2023.
ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OMS-2022-0847, by one of the following methods:
Federal eRulemaking Portal: https://www.regulations.gov. Follow the
online instructions for submitting comments.
Email: [email protected]. Include the Docket ID number in the
subject line of the message.
Fax: (202) 566-1752.
Mail: OMS Docket, Environmental Protection Agency, Mail Code:
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334,
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are
only accepted during the Docket's normal hours of operation, and
special arrangements should be made for deliveries of boxed
information.
Instructions: Direct your comments to Docket ID No. EPA-HQ-OMS-
2022-0847. The EPA's policy is that all comments received will be
included in the public docket without change and may be made available
online at https://www.regulations.gov, including any personal
information provided, unless the comment includes information claimed
to be Controlled Unclassified Information (CUI) or other information
for which disclosure is restricted by statute. Do not submit
information that
[[Page 76037]]
you consider to be CUI or otherwise protected through https://www.regulations.gov. The https://www.regulations.gov website is an
``anonymous access'' system for the EPA, which means the EPA will not
know your identity or contact information. If you submit an electronic
comment, the EPA recommends that you include your name and other
contact information in the body of your comment. If the EPA cannot read
your comment due to technical difficulties and cannot contact you for
clarification, the EPA may not be able to consider your comment. If you
send an email comment directly to the EPA without going through https://www.regulations.gov, your email address will be automatically captured
and included as part of the comment that is placed in the public docket
and made available on the internet. Electronic files should avoid the
use of special characters, any form of encryption, and be free of any
defects or viruses. For additional information about the EPA public
docket, visit the EPA Docket Center homepage at https://www.epa.gov/dockets.
Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some
information is not publicly available, e.g., CUI or other information
for which disclosure is restricted by statute. Certain other material,
such as copyrighted material, will be publicly available only in hard
copy. Publicly available docket materials are available either
electronically in https://www.regulations.gov or in hard copy at the
OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution
Ave. NW, Washington, DC 20460. The Public Reading Room is normally open
from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal
holidays. The telephone number for the Public Reading Room is (202)
566-1744, and the telephone number for the OMS Docket is (202) 566-
1752. Further information about EPA Docket Center services and current
operating status is available at https://www.epa.gov/dockets.
FOR FURTHER INFORMATION CONTACT:
James Cunningham, Information Technology (IT) Project Manager,
Office of Mission Support, Environmental Protection Agency, 1301
Constitution Ave. NW, Washington, DC 20460, [email protected].
Jackie Brown, Information System Security Officer, Office of
Mission Support, Environmental Protection Agency, 1301 Constitution
Ave. NW, Washington, DC 20460, [email protected].
SUPPLEMENTARY INFORMATION: Enterprise Physical Access Control System
(ePACS) comprises non-traditional IT hardware such as Personal Identity
Verification (PIV) card readers, control panels, closed circuit video
cameras, building intrusion detection sensors, alarm keypads, and
emergency door buttons that are tightly integrated into one ePACS
system that is centrally managed in a virtual server environment. An
employee or contractor must register their PIV card with ePACS. During
the registration process, the following information is collected and
stored in an ePACS centralized database: first name, last name, PIV
card serial number, image, expiration date, affiliation (employee or
contractor), and organization. Specific access clearances are then
granted to a PIV card credential which allows access to EPA buildings,
doors, rooms, elevators, and other physical access points. Information
collected each time the PIV card credential is used is stored in the
ePACS centralized database. This information assists EPA in monitoring
its facilities, buildings, and other physical access points to ensure
that only authorized personnel gain entry.
EPA is developing ePACS to comply with Homeland Security
Presidential Directive-12: Policy for a Common Identification Standard
for Federal Employees and Contractors (HSPD-12), and with the Office of
Management and Budget (OMB) Memorandum M-11-11 Continued Implementation
of HSPD-12. HSPD-12 mandates a government-wide standard for secure and
reliable forms of identification issued by the Federal Government to
its employees and contractors. M-11-11 requires use of a PIV credential
as the common means of authentication for access to Federally-
controlled facilities, networks, and information systems. To allow
physical entry to EPA-controlled facilities and logical access to EPA
information systems, ePACS uses PIV smartcard credentials issued to EPA
employees and contractors. A PIV smartcard links an individual's
identity to an identification credential that enables that person to
gain physical access to federally-controlled buildings and logical
access to information systems.
SYSTEM NAME AND NUMBER:
Enterprise Physical Access Control System (ePACS), EPA-99.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The system will be managed by the Office of Mission Support,
Environmental Protection Agency, 1301 Constitution Ave. NW, Washington,
DC 20460.
Electronically stored information is hosted at the EPA National
Computer Center (NCC), 109 TW Alexander Drive, Research Triangle Park,
Durham, NC 27711.
SYSTEM MANAGER(S):
Alexandria DeLaCruz-Matthews, Program Manager, Office of Mission
Support, Environmental Protection Agency, 1301 Constitution Ave. NW,
Washington, DC 20460, [email protected].
James Cunningham, IT Project Manager, Office of Mission Support,
Environmental Protection Agency, 1301 Constitution Ave. NW, Washington,
DC 20460, [email protected].
Jackie Brown, Information System Security Officer, Office of
Mission Support, Environmental Protection Agency, 1301 Constitution
Ave. NW, Washington, DC 20460, [email protected].
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Government Organization and Employees, 5 U.S.C. 301; Management of
buildings by Administrator of General Services, 40 U.S.C. 582; Lease
agreements, 40 U.S.C. 585; Public Buildings under the control of
Administrator of General Services, 40 U.S.C. 3101; Agency Chief
Information Officer, 40 U.S.C. 11315; Federal Information Security
Management Act of 2002, 44 U.S.C. 3501; 44 U.S.C. 3505, 44 U.S.C. 3506,
44 U.S.C. 3541; E-Government Act of 2002, 44 U.S.C. 101, Chapter 35;
Federal Information Processing Standards Publication (FIPS) 201-3,
Personal Identity Verification (PIV) of Federal Employees and
Contractors, and HSPD-12.
PURPOSE(S) OF THE SYSTEM:
The Agency will use the ePACS system to collect and maintain
information required for and related to authorized physical access to
all EPA-managed facilities and restricted areas within these facilities
across the United States.
Collection and maintenance of this information will help to:
1. Ensure the safety and security of Federal facilities, systems,
and information, and of facility occupants and users.
2. Provide for interoperability between systems and locations to
individuals entering EPA facilities.
3. Ensure that all personnel (employees and contractors) entering
[[Page 76038]]
EPA buildings have proper credentials and to protect against
unauthorized access. The information will also provide an audit trail
for investigations, if needed.
4. Allow logical access to Federal information systems, networks,
and resources on a government-wide basis.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
EPA employees, contractor employees, interns, and volunteers that
have valid credentials programmed for specific access points.
CATEGORIES OF RECORDS IN THE SYSTEM:
Full name, photographs, surveillance video recordings and camera
images, Full Cardholder Unique Identifier (CHUID), credential ID, PIV
card number, Public Key Infrastructure (PKI) certificate--(X509), Card
Authentication Key (CAK) certificate, person classification, badge
expiration date, card state, User Principal Name (UPN), Federal Agency
Smart Card Number (FASC-N), and Globally Unique Identifier (GUID).
RECORD SOURCE CATEGORIES:
ePACS obtains information from employees, contractor employees,
interns, and volunteers using their EPA PIV credential. This
information is stored in a secure ePACS database and updated when the
PIV credential is used at an access point. In addition, ePACS collects
information from video cameras and video recording devices located at
and within EPA facilities in the United States.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
The routine uses below are both related to and compatible with the
original purpose for which the information was collected. The following
general routine uses apply to this system (86 FR 62527): A, B, C, D, E,
F, G, H, I, J, K, L, and M.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Records are stored on secure servers within the ePACS Master and
Satellite Application Databases and can be accessed only by authorized
users over EPA secure intranet using encryption software. These records
are maintained electronically on computer storage devices located at
the U.S. EPA National Computer Center, 109 T.W. Alexander Drive,
Research Triangle Park, NC 27711.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Authorized user login/password credentials and administrative
privileges are required to access the ePACS software application. ePACS
records can only be accessed when logged in to the ePACS application
that pulls these records from the ePACS database. Records may be
retrieved by first name, last name, full name, email address, FACSN, or
Object ID Number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Records are retained and disposed of in accordance with applicable
NARA retention schedules as well as EPA records schedules 089, 1008,
and 1012.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
PII is safeguarded and protected in conformance with all Federal
statutes and OMB requirements. Security controls used to protect
personal sensitive data in ePACS are commensurate with those required
for an information system rated MODERATE for confidentiality,
integrity, and availability, as prescribed in National Institute of
Standards and Technology (NIST) Special Publication, 800-53, ``Security
and Privacy Controls for Information Systems and Organizations,''
Revision 5.
1. Administrative Safeguards: Only authorized users are allowed
access to ePACS. Each authorized user must complete a background
investigation with favorable results, must be assigned to the
appropriate security group, acknowledge agency rules of behavior, and
complete annual privacy and security training. In addition, personnel
are instructed to lock their computers when they leave their desks.
2. Technical Safeguards: All ePACS user access is limited by role-
based restrictions. In addition, ePACS operators are required to enter
a valid username and password to gain access to the system. Individuals
granted access privileges are screened for proper credentials and added
to the appropriate Microsoft Windows security group based on their
Local Area Network account. EPA maintains an audit log trail for ePACS,
which accounts for all instances of users accessing the system. EPA
reviews audit logs periodically to identify any unauthorized access.
3. Physical Safeguards: All ePACS records are stored on database
servers located in secure, access-controlled buildings. ePACS database
and application servers are in access-controlled rooms that require PIV
credentials for access. Only authorized users are allowed access to
administrative accounts for ePACS application and database servers.
RECORD ACCESS PROCEDURES:
All requests for access to personal records should cite the Privacy
Act of 1974 and reference the type of request being made (i.e.,
access). Requests must include: (1) the name and signature of the
individual making the request; (2) the name of the Privacy Act system
of records to which the request relates; (3) a statement whether a
personal inspection of the records or a copy of them by mail is
desired; and (4) proof of identity. A full description of EPA's Privacy
Act procedures for requesting access to records is included in EPA's
Privacy Act regulations at 40 CFR part 16.
CONTESTING RECORD PROCEDURES:
Requests for correction or amendment must include: (1) the name and
signature of the individual making the request; (2) the name of the
Privacy Act system of records to which the request relates; (3) a
description of the information sought to be corrected or amended and
the specific reasons for the correction or amendment; and (4) proof of
identity. A full description of EPA's Privacy Act procedures for the
correction or amendment of a record is included in EPA's Privacy Act
regulations at 40 CFR part 16.
NOTIFICATION PROCEDURES:
Individuals who wish to be informed whether a Privacy Act system of
records maintained by EPA contains any record pertaining to them,
should make a written request to the EPA, Attn: Agency Privacy Officer,
MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or by email
at: [email protected]. A full description of EPA's Privacy Act procedures
is included in EPA's Privacy Act regulations at 40 CFR part 16.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2022-26903 Filed 12-9-22; 8:45 am]
BILLING CODE 6560-50-P