Privacy Act of 1974; System of Records

AGENCY:

Office of the Safety, Security, and Protection, USDA.

ACTION:

Notice of a new system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended, and Office of Management and Budget Circular No. A–108 Federal Agency Responsibilities for Review, Reporting, and Publication under the Privacy Act, the U.S. Department of Agriculture (USDA) proposes a new system of records, USDA/OSSP–1, the Enterprise Physical Access Control System (ePACS). The Office of the Safety, Security, and Protections maintains ePACS, which contains the information required to control physical access to USDA managed facilities and restricted areas within the facilities in all regions across the United States. The notice also conveys the system location, categories of records, routine uses (one of which permits records to be provided to the National Archives and Records Administration), storage, safeguards, retention and disposal, system manager and address, notification procedures, records access, and contesting procedures.

DATES:

In accordance with 5 U.S.C. 552a(e)(4) and (11) this notice is applicable upon publication; subject to a 30-day notice and comment period in which to comment on the routine uses described in the routine uses section of this system of records notice. Please submit any comments by July 3, 2023.

ADDRESSES:

Comments may be submitted by one of the following methods:

— Federal eRulemaking Portal: This website provides the ability to type short comments directly into the comment field on this web page or attach a file for lengthier comments. Go to https://www.regulations.gov. Follow the on-line instructions at that site for submitting comments.

— Postal Mail/Commercial Delivery: Office of Safety, Security and Protection, 1400 Independence Ave. SW, Washington, DC 20250.

Instructions: All items submitted by mail or electronic mail must include the Agency name and docket number USDA–2021–13. Comments received in response to this docket will be made available for public inspection and posted without change, including any personal information, to https://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT:

For general questions, please contact Samuel Willis, System Owner/Manager, Office of Safety, Security and Protection, 1400 Independence Avenue SW, Washington, DC 20250, (833) 682–4675.

For Privacy Act questions concerning this system of records notice, please contact Michele Washington, USDA, Departmental Administration Information Technology Office, Office of the Chief Information Officer United States Department of Agriculture (202) 577–8021.

For general USDA Privacy Act questions, please contact the USDA Chief Privacy Officer, Information Security Center, Office of Chief Information Officer, USDA, Jamie L. Whitten Building, 1400 Independence Ave. SW, Washington, DC 20250; email: USDAPrivacy@ocio.usda.gov.

SUPPLEMENTARY INFORMATION:

USDA is proposing to establish a new system of records notice entitled USDA/OSSP–1, the Enterprise Physical Access Control System (ePACS). The primary purpose of this system is to collect data required to manage physical access to USDA operated facilities and restricted areas within the facilities in all regions across the United States. This system maintains individuals' personal individual verification (PIV) information to support the USDA's efforts related to protecting USDA facilities and operating the USDA visitor management program. Efforts have been made to safeguard records in accordance with applicable rules and policies, including all applicable USDA automated systems security and access policies. Strict controls have been imposed to minimize the risk of compromising the information that is being stored. Access to the computer system containing the records in this system is limited to those individuals who have a need to know the information for the performance of their official duties and who have appropriate clearances or permissions.

SYSTEM NAME AND NUMBER:

USDA/OSSP–1, Enterprise Physical Access Control System (ePACS)

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

The ePACS is maintained and physically located at USDA's Digital Infrastructure Services Center at 8930 Ward Parkway, Kansas City, Missouri 64114.

SYSTEM MANAGER(S):

Director, Facility Protection Division, Office of Safety, Security, and Protection,1400 Independence Avenue SW, Washington, DC 20250, (202) 260–8930.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

Homeland Security Presidential Directive–12 (HSPD–12), Departmental Physical Security Program, DR 1650–001, December 9, 2021, and Authority to Operate (ATO), 06/07/2022.

PURPOSE(S) OF THE SYSTEM:

The ePACS provides a centralized infrastructure for the use of the USDA standard personal individual verification (PIV) card for access to federally controlled facilities as mandated by HSPD–12. The ePACS provides a means for USDA Agencies to deploy electronic access control to its facilities; supports the mitigation of identified threats and vulnerabilities; and ensures that unauthorized individuals do not have access to critical USDA assets. Incorporated into ePACS is the Visitor Management System (VMS), which allows visitors to log into a website and request to visit USDA locations where VMS is implemented.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Categories of individuals covered by this system include individuals with electronic facility physical access credentials including USDA employees, contractor employees, building occupants, interns, visitors, and volunteers.

CATEGORIES OF RECORDS IN THE SYSTEM:

Categories of records in the system consists of records created for individuals to obtain electronic facility access credentials as well as temporary badges for facility access. The ePACS generally handles physical access security management information including physical access card status, physical access card category, physical access card expiration date, and physical access card holder emergency response responsibilities.

The data stored in ePACS includes: Federal Agency Smart Credential Number (FASC–N), Card Category, Card Status, Card Expiration Date, Photo, First Name, Middle Name, Last Name, Employee type, Employee Status, Emergency Responder, Department, Agency, Sub-agency, City, State, date of birth, and entry and exit date and time.

RECORD SOURCE CATEGORIES:

Information in this system is obtained from an official Department information technology system and is loaded into the system of records from the following source system: the Department's system of records entitled USDA/OCIO–2, eAuthentication Service—71 FR 42346—July 26, 2006, USDA/OCIO–2, eAuthentication Service (eAuth)—77 FR 15024—March 14, 2012, USDA/OCIO–2 eAuthentication Service—82 FR 8503—January 26, 2017.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, records contained in this system may be disclosed outside USDA as a routine use pursuant to 5 U.S.C. 552a(b)(3), to the extent that such uses are compatible with the purposes for which the information was collected. Such permitted routine uses include the following:

A. To the Department of Justice (DOJ) when: (a) USDA or any component thereof; or (b) any employee of USDA in his or her official capacity where the Department of Justice has agreed to represent the employee; or (c) the United States Government, is a party to litigation or has an interest in such litigation, and USDA determines that the records are both relevant and necessary to the litigation and the use of such records by the Department of Justice is deemed by USDA to be for a purpose that is compatible with the purpose for which USDA collected the records.

B. To a Congressional Office in response to an inquiry from that Congressional Office made at the written request of the individual about whom the record pertains.

C. To the National Archives and Records Administration (NARA) or other Federal Government agencies pursuant to records management activities being conducted under 44 U.S.C. 2904 and 2906.

To appropriate agencies, entities, and persons when (1) USDA suspects or has confirmed that the security or confidentiality of information in the system of records has been compromised; (2) USDA has determined that as a result of the suspected or confirmed breach, there is a risk of harm to individuals, USDA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure to such agencies, entities, and persons is reasonably necessary to assist in connection with USDA's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm; or to another Federal agency or Federal entity, when information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach; or (2) preventing, minimizing, or remedying the risk of harm to individuals, the agency (including its information systems, programs, and operations), the Federal Government, or national security.

When a record on its face, or in conjunction with other records, indicates a violation or potential violation of law, whether civil, criminal or regulatory in nature, and whether arising by general statute or particular program, statute, or by regulation, rule, or order issued pursuant thereto, disclosure may be made to the appropriate Federal, State, local, foreign, Tribal, or other public authority responsible for enforcing, investigating, or prosecuting such violation or charged with enforcing or implementing the statute, or rule, regulation, or order issued pursuant thereto, if the information disclosed is relevant to any enforcement, regulatory, investigative or prosecutive responsibility of the receiving entity. Referral to the appropriate agency, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting violation of law, or of enforcing or implementing a statute, rule, regulation, or order issued pursuant thereto, of any record within this system when information available indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature.

D. To a court or adjudicative body in a proceeding when: (a) USDA or any component thereof; or (b) any employee of USDA in his or her official capacity; or (c) any employee of USDA in his or her individual capacity where USDA has agreed to represent the employee; or the United States Government is a party to litigation or has an interest in such litigation, and USDA determines that the records are both relevant and necessary to the litigation, and that use of such records is therefore deemed by USDA to be for a purpose that is compatible with the purpose for which USDA collected the records.

To contractors and their agents, grantees, experts, consultants, and others performing or working on a contract, service, grant, cooperative agreement, or other assignment for the USDA, when necessary to accomplish an agency function related to this system of records. Individuals providing information under this routine use are subject to the same Privacy Act requirements and limitations on disclosure as are applicable to USDA officers and employees.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored on encrypted servers within a secured and controlled environment. Records backup storage is maintained by the USDA's Digital Infrastructure Services Center (DISC) in a virtual tape library at the USDA's DISC facility in Kansas City, MO. Copies of the backup records are maintained at the USDA DISC facility in St. Louis, MO. The ePACS has no hardcopy paper records that require storage.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records are retrieved by a combination of name and date range.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

Records compiled under this SORN will be maintained in accordance with NARA General Records Schedule (GRS) Transmittal 32 issued March 2022, Items 110 and 120, and NARA records retention schedules DAA–GRS2017–0006–0014, and DAA–GRS2021–0001–0005, to the extent applicable. Records may be retained for a longer period as required by litigation, investigation, and/or audit. A master file backup is created at the end of the calendar year and maintained in St. Louis, Mo. The St. Louis offsite storage site is located approximately 250 miles from the primary data facility and is not susceptible to the same hazards.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

Records in this system are safeguarded by restricting accessibility, in accordance with USDA security and access policies. The safeguarding includes secured severs, firewall(s), network protection, and an encrypted password. Each user is assigned a level of role-based access, which is strictly controlled and granted through USDA-approved, secure application (after the user has successfully completed the Government National Agency Check with Inquiries (NACI) investigation).

Physical security measures are in place to prevent unauthorized persons from accessing ePACS as only government furnished equipment is allowed. The ePACS users are also required to complete appropriate training to learn requirements for safeguarding records maintained under the Privacy Act. USDA's Digital Infrastructure Services Center (DISC) safeguards records and ensures that privacy requirements are met in accordance with Federal and cyber security mandates. DISC provides continuous storage management, encryption, security administration, regular dataset backups, and contingency planning/disaster recovery.

RECORD ACCESS PROCEDURES:

Individuals seeking to gain access to a record in this system of records, must contact the system manager at the address listed above and provide the system manager with the necessary particulars such as full name, date of birth, work address, country of citizenship. Requesters must also reasonably specify the record contents sought. The request must meet the requirements of the regulations at 34 CFR 5b.5, including proof of identity. All requests for access to records must be in writing and should be submitted to the system manager at the address listed above. A determination whether a record may be accessed will be made at the time a request is received. All inquiries should be addressed in accordance with the “Notification Procedures” below.

CONTESTING RECORD PROCEDURES:

Individuals seeking to contest or amend information maintained in the system should direct their request to the above listed System Manager and should include the reason for contesting it and the proposed amendment to the information with supporting information to show how the record is inaccurate. A request for contesting records should contain: Name, address including zip code, name of the system of records, year of records in question, and any other pertinent information to help identify the data requested.

NOTIFICATION PROCEDURES:

Any individual may request information regarding this system of records, or information as to whether the system contains records pertaining to the individual, from the System Manager listed above: See RECORD ACCESS PROCEDURES.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.