Download:
pdf |
pdfTSCA CBI
Protection Manual
United States
Environmental
Protection Agency
Office of Pollution Prevention and Toxics
(7407 M)
Washington, DC 20460
October 20,2003
7700Al
�TSCA CBI PROTECTIONMANUAL
This page intentionally left blank.
�TSCA CBI PROTECTION
MANUAL
Table of Contexts
- Summary [See Detailed Contents below]
Page
PREFACE
GUIDING
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -xvPRINCIPLES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -xvii-
CHAPTER
1
References
&J
ABBREVIATIONS
GLOSSARY
1.2
1.3
AND ACRONYMS
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . -l-
. . . . . . . . . . . . . . . . . . . . . . . ..*.........................
LIST OF APPENDICES
-3-
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -7-
CHAPTER
2
TSCA CBI Access
2.0
INTRODUCTION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -9-
2.1
TSCA CBI ACCESS FOR FEDERAL EMPLOYEES:
CERTIFICATION,
MAINTENANCE,
SUSPENSION, AND TERMINATION
. . . . . . . . . . . . -lO-
2.2
TSCA CBI ACCESS FOR CONTRACTORS
AND CONTRACTOR
EMPLOYEES: CERTIFICATION,
MAINTENANCE,
TERMINATION
AND INDUSTRY NOTICE
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -16-
2.3
TSCA CBI ACCESS CERTIFICATION
AGENCIES
FOR OTHER
FEDERAL
...................... ... ............... ......................
2.4
-25-
REQUESTS FROM CONGRESS OR THE GENERAL ACCOUNTING
OFFICE (GAO) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -2%
Table of Contents
-i-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
CHAPTER
3
TSCA CBI Responsibilities
3.0
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -31-
INTRODUCTION
3.1
EhwLOYEE
RESPONSIBILITIES
3.2
MANAGER
3.3
DC0
3.4
EAD AND IMD ANNUAL
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -31-
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -33-
RESPONSIBILITIES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -34-
RESPONSIBILITIES
REVIEW
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -44-
CHAPTER
4
TSCA CBI Document Management
4.0
INTRODUCT
&J
RECEIPT
4.2
DOCUMENT
4.3
STORING
4.4
TSCA CBI DOCUMENTS
4.5
REPRODUCING
4,6
TRANSFERRING,
TRANSMITTING
OF TSCA CBI .......................................
TRACKiNG
SYSTEM
-47-
(DTS) REQUIREMENTS
......
TSCA CBI ...........................................
-6O-
....................................
-63-
TRANSFER RECORD- KEEPING,
TSCA CBI ....................................
USING AND HANDLING
4.f3
USING COMPUTERS
4.9
DESTRUCTION
TSCA CBI
TSCA CBI
OF TSCA CBI ..................................
-ii-
AND
-64-
.............................
TO WORK WITH
-5O-
-53-
.......................................
TSCA CBI
4.7
Table of Contents
-47-
ON . . . . . . . . . . . . . . . . . . . . . . ..*..........................
-71-
...............
-73-
-76-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
CHAPTER
5
Procedures Violations, Missing Documents and Unauthorized
Disclosures
5.0
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -79-
INTRODUCTION
5.1
EMPLOYEE
5.2
REPORT
5.3
CORRZXTIVE
5.4
OPPT DIRECTOR
Table of Contents
REPORTING
OF’ VIOLATIONS
ACTION
PROCEDURES
. . . . . . . . . . . . . . . . . . . . . . -79-
TO TSS .............................
AND PENALTY
AS ARBITER
. ..
-ill-
GUlDELINFS
-SO...........
-82-
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -85
October 20,2003
�TSCA CBI PROTECTION
MANUAL
This page intentionally left blank.
Table of Contents
-iv-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Table of Contents
- Detailed -Page
PREFACE
GUIDING
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -xvPRINCIPLES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -xvii-
CHAPTER
1
References
1.1
ABBREVIATIONS
AND ACRONYMS
1.2
GLOSSARY
1.3
LIST OF APPENDICES
.............................
....................................................
..........................................
CHAPTER
-l-
-3-
-7-
2
TSCA CBI Access
2.0
INTRODUCTION
&J
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -9-
TSCA CBI ACCESS FOR FEDERAL EMPLOYEES:
CERTIFICATION,
MAINTENANCE,
SUSPENSION, AND TERMINATION
. . . . . . . . . . . . -lO2.1.1
Re-Certification
For Federal Employees .....................
2.1.1.1 DocumentAudit
..................................
2.1.1.2 Time For Re-CertifiinR
.............................
-ll-
-ll-
-12-
2.1.2
Failure to Maintain Access Certification
.....................
2.1.2.1 Suspension and Termination ..........................
-12-
-12-
Table of Contents
-v-
October 20,2003
�TSCA CBI PROTECTION
2.2
MANUAL
2.1.3
Suspension of Log-Out
Privileges..
2.1.4
EPA Employee Transfers
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -13-
2.1.4.1
Supervisors’ Responsibilities When Emplovee Transfers . . . -13-
2.1.5
TSCA CBI Access Termination for Federal Employees . . . . . . . . -13-
2.1.5.1 TSCA CBI Access Termination Procedures: Federal Emplovees
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -14@J DC0 And Supervisor Responsibilities For Access Termination
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -15@ OPPT DC0 Responsibilities For Access Termination: . . -15-
2.1.6
Unaccounted
For Documents
. . . . . . . . . . . . . . . . . . . . . . . . . -13-
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -15
TSCA CBI ACCESS FOR CONTRACTORS
AND CONTRACTOR
EMPLOYEES:
CERTIFICATION,
MAINTENANCE,
TERMINATION
AND INDUSTRY NOTICE
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -162.2.1
Determination
of TSCA CBI Access for Contractors
2.2.2
Approval for TSCA CBI Access or Expedited Approval
Immediate Access. .......................................
...........
for
- 17-
2.2.3
Rules for Contractors
2.2.4
Notice to Affected Businesses Prior To Granting
2.2.5
Requirement
2.2.6
TSCA CBI Certification
2.2.7
Initial
2.2.8
National Agency Check & Inquiries
2.2.9
TSCA CBI Re-Certification
for Contractor Employees
2.2.9.1 DocumentAudit
....................................
2.2.9.2 Time for Re-Certifiing
.............................
........
Failure to Maintain
Employees
2.2.10
....................................
for Contractor
Certification
DC0
Access
.......
..........................
for Contractor
for Contractor
-17-
Employees
...........
Employees ................
(NACI)
Access Certification
2.2.11
-18-
-19-
..................
for Contractor
-19-
-2O-
-21-
-21-
-21-
-22-
‘1q
TSCA CBI Access Termination:
Contractor Employees
. . . . . . . -23-
2.2.11.1
TSCA CBI Access Termination Procedures: Contractor
Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -23-
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Table of Contents
-16-
-vi-
-L/L-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
2.2.11.2 Unaccounted For Documents
2.2.12
Change in Corporate
. . . . . . . . . . . . . . . . . . . . . . . . -25
Status . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -25-
TSCA CBI ACCESS CERTIFICATION
FOR OTHER FEDERAL
AGENCIES
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -2.5
2,3
2.3.1
Procedures for Other Federal Agencies to Obtain TSCA CBI Access
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -26-
2.4
2.3.2
Notice to Affected Businesses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -27-
2.3.3
Security Requirements
at Other Federal Agencies . . . . . . . . . . . . . -2%
REQUESTS FROM CONGRESS OR THE GENERAL
OFFICE(GAO)................................................
CHAPTER
ACCOUNTING
-2%
3
TSCA CBI Responsibilities
3.0
INTRODUCTION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -31-
EMPLOYEE
RESPONSIBILITIES
...............................
3.1.1
Personal Accountability
3.1.2
Assuring Adequate TSCA CBI Protection
3.1.3
Reporting
3.1.4
Document Accountability
3.1.5
TSCA CBI Procedure Accountability
3.1.6
Return TSCA CBI Document
3.1.7
Determination
Table of Contents
Procedural
...................................
Violations
...................
...........................
.................................
.......................
..............................
of TSCA CBI ...............................
-vii-
-3 l-
-3 l-
-3 l-
-3 l-
-32-
-32-
-32-
-32-
October 20,2003
�TSCA CBI PROTECTION
3.1.8
3.2
MANUAL
Receipt of Possible CBI ...................................
MANAGER
3.2.1
3.3
RESPONSIBILITIES
-33-
...............................
-33-
Assigning DC0 and ADCO ................................
-33-
DCORESPONSIBILITIES
......................................
-34-
3.3.1
DCOs and Alternate DCOs ................................
3.3.2
Maintaining
3.3.3
Transfer
3.3.4
Receiving TSCA CBI .....................................
-35
3.3.5
ProperStorageofTSCACBI
-35-
3.3.6
Records of Lock-Combinations
3.3.7
Conditions
3.3.8
Updating
3.3.9
Monitoring
3.3.10
Overdue
3.3.11
DC0 Guidance In Identifying
3.3.12
TSCA CBI Audits .......................................
3.3.12.1 Federal DCOs And The Confidential Business Information
Center (CBIC) ...................................
a Document Tracking
of TSCA CBI
Table of Contents
-34-
-34
..............................
And Controlling
Monitoring
-35
...........................
The TSCA CBI Authorized
Materials:
.............
....................................
For Changing Lock Combinations
&J
(bJ
&
3.3.12.2
System (DTS)
-34-
................
Access List .............
-36-
Release of TSCA CBI ............
-36-
And Notification
............
Contractor DCOs ................................
Comprehensive Audits of Entire Collection
&)
(‘bJ Contract close-out Audits ....................
.. .
-37-
And Sanitizing CBI Documents
Comprehensive Audits of Entire Collection
Transaction Audits ........................
DC0 Transition Audits ......................
-VIII-
-36-
.....
. . -38-
-38-
-38-
-38-4O-
-41-
......
-42-
-42-43-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
3.3.13
3.4
Termination
Of Employment
EAD AND IMD ANNUAL
REVIEW
CHAPTER
Or Status For DC0
. . . . . . . . . . . . -44-
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -44-
4
TSCA CBI Document Management
4.0
INTRODUCTION
RECEIPT
4.1
4.2
4.3
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -47-
OF TSCA CBI
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -47-
4.1.1
Incoming
4.1.2
Personal File Copies - New Chemicals Program
4.1.3
Supplemental
4.1.4
Processing Newly Received TSCA CBI . . . . . . . . . . . . . . . . . . . . . . -48-
4.1.4.1 CBI Fax Transmission From Industry . . . . . . . . . . . . . . . . . -49-
4.1.5
TSCA CBI Claims That Appear Unwarranted
DOCUMENT
TSCA CBI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -47-
Filings - New Chemicals Program
TRACKING
SYSTEM
(OPPT-CCD)
(OPPT-CCD)
4.2.1
Use of an Automated
4.2.2
Use of a Manual Document Tracking System (DTS)
4.2.2,1 Receipt Loa .....................................
4.2.2.2 Inventory Log .....................................
STORING
4.3.1
Table of Contents
. . -4%
. . . . . . . . . . . . . . . . -5O-
(DTS) REQUIREMENTS
Document Tracking
. . . -4%
System (DTS)
......
.......
...........
TSCA CBI ...........................................
Secure
4.3.1.1
4.3.1.2
4.3.1.3
4.3.1.4
-5O-
-51-
-52-
-52-
-53-
Storage Areas (SSAs) ..............................
Enter-inn An SSA With An Electronic Access Card (EAC) ...
Entering an SSA Without An Electronic Access Card ......
Entering An SSA With Expired Certification .............
Grantees And Interns In SSAs ........................
-ix-
-5O-
-53-
-54-
-54-
-54-
-54-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.3.1.5 Visitors In SSAs ...................................
4.3.1.6 Custodian. Maintenance and Deliver-v Persons in SSAs ....
4.3.1.7 DCOs And SSAs ...................................
4.3.1.8 Usinn TSCA CBI Outside An SSA .....................
Required
4.3.3
.....................
-56-
Storing TSCA CBI At Other Locations
-57-
4.3.3.1 Storing Of TSCA CBI While Traveling ..................
4.3.3.2 Storing and Workinn with TSCA CBI in a Personal Residence
................................................
-57-
-6O-
Employee Absence and Storage of TSCA CBI ................
TSCA CBI DOCUMENTS
4.4
4.5
4.6
-6O-
.......................................
4.4.1
New CBI Documents
4.4.2
Working Papers ........................................
4.4.2.1 When Working Papers Become Subiect to Tracking .......
4.4.2.2 Destrovina Working Papers .........................
-6O-
-61-
4.4.3
When CBI Documents Are No Longer CBI
-61-
4.4.4
Aggregating
4.4.5
Declassifying
4.4.6
TSCA CBI Document Submitters:
CBI
-6O-
.....................................
..................
CBI Documents
a Claim
TSCA CBI
4.5.1
Managing
TSCA CBI Copies ..............................
4.5.2
Copying CBI Outside SSAs ................................
TRANSFERRING,
TRANSMITTING
4.6.1
-62-
..............................
Dropping
.........
-63-
-64-
AND
-64-
Transferring
Hard Copy TSCA CBI .......................
4.4.1.1 Procedures For Sending Or Receiving TSCA CBI .......
4.6.1.2 Prenarinn CBI For Mailing .........................
4.6.1.3 Transfer-r-inn TSCA CBI to Another Facilitv .............
-X-
-63-
-63-
....................................
TRANSFER RECORD- KEEPING,
TSCA CBI ....................................
-61-
-62-
........................................
REPRODUCING
Table of Contents
-56-
..............................
4.3.2
4.3.4
Storage Containers
-5%
-55
-55-
-56
-64-
-64-
-65-
-65-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.6.1.4
-66-
4.6.2
.............
-66-
Hard Copy TSCA CBI Transfer Record-Keeping
-66-
4.6.2.1 Record-Keevina For Permanent Transfer .............
4.4.2.2 Record-Keevina For Temvorarv Transfers Within A Facilitv -67-
4.6.3
Transmitting TSCA
4.6.3.1 Transmitting
4.6.3.2 Transmitting
4.6.3.3 Transmitting
4.6.3.4 Transmitting
4.7
USING AND HANDLING
4.8
USING COMPUTERS
4.9
TSCA CBI to Industrv ....................
Transferring
CBI Electronically
.....................
TSCA CBI Bv Telephone .................
TSCA CBI bv Fax ......................
TSCA CBI Bv E-mail ....................
TSCA CBZ Bv Tele-Video Conference
TSCA CBI
......
.............................
TO WORK WITH
TSCA CBI
-68-
-68-
-69-
-7O-
-7O-
-71-
...............
-73-
-73-
48.1
Prohibition
4.8.2
TSCA CBI Computers
4.8.3
Registration
4.8.4
Using Portable Computers
4.8.5
Disposing of Computers
4.8.6
Modems..
4.8.7
TSCA CBI Data Processed Only Within SSAs ................
-75-
4.8.8
Printing
-75-
4.8.9
Storing CBI on Magnetic Media ............................
-75-
4.8.10
Disposing of TSCA CBI Computer
-75-
4.8.11
Security for TSCA CBI Data Stored on Contractor’s
Computer ..............................................
DESTRUCTION
Table of Contents
.............................................
Must Be Separate From Public Networks
is Required
to Use CBI Computer
Systems
.......
(Laptops and Handheld Devices) .....
Formerly
Used for TSCA CBI
........
..............................................
CBI Information
-73-
-73-
-74-
-74-
-75-
.................................
Disks ....................
Off-site
-76-
OF TSCA CBI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -76-
-xi-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.9.1
Procedures for Destroying
TSCA CBI .......................
4.9.2
Destruction
Methods
4.9.3
Destruction
Record-Keeping
4.9.4
Disposition
of CBI Cover Sheets ...........................
4.9.5
Contracts Involving
-76-
-77-
.....................................
-77-
..............................
-77-
TSCA CBI ............................
CHAPTER
-77-
5
Procedures Violations, Unaccounted For Documents and
Unauthorized Disclosures
5.0
INTRODUCTION
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -79-
EMPLOYEE
5.1
5.2
REPORTING
PROCEDURES
-79-
......................
5.1.1
Oral Report .............................................
-79-
5.1.2
Written Report
-8O-
REPORT
.........................................
OF VIOLATIONS
TO TSS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . - SO-
5.2.1
TSS Investigation
5.2.2
Oral Notice to Submitter
5.2.3
Report of Investigation
5.2.4
Company Notification
5.2.5
Company Notification of Documents Unaccounted for: EAD Director
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -82-
5.2.6
Referral
5.2.7
Annual Security Report . . . . . . . . . . . . . . . . . . . . . . . . . . . . . D. . . . . -82-
Table of Contents
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -8O-
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -81-
(ROI) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -81-
of Improper
Disclosure: EAD Director
. . . -81-
to the Inspector General . . . . . . . . . . . . . . . . . . . . . . . . . . . -82-
-xii-
October 20,2003
�TSCA CBI PROTECTION
5.3
CORRECTIVE
5.3.1
5.4
Table of Contents
MANUAL
ACTION
AND PENALTY
GUIDELINES
Responsibility for Monitoring Compliance
.......................................................
5.3.2
Violations by Federal Employees
5.3.3
Violations
OPPT DIRECTOR
by Contractor
AS ARBITER.
. ..
-XIII-
- 82-
With Protection Manual
...........................
Employees
...........
.......................
-82-
-83-
-85-
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . -85-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
This page intentionally left blank
Table of Contents
-xiv-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
PREFACE
This Manual applies to all federal employees, contractors, and contractor
employees with access to information claimed as Toxic Substances Control
Act (TSCA) Confidential Business Information (CBI) in connection with
either their official duties or with a TSCA-related government contract, as
stated in Section 14(a) of TSCA.
This Manual does not apply to other persons, including submitters to the
Agency of TSCA CBI, nor purport in any way to set rules regarding how
information must be submitted to the Agency or otherwise handled by
I
those persons.
The following
Steps necessary to become authorized for access to TSCA CBI.
l
l
general subjects correspond to the chapters in this Manuali
l
Relative roles and responsibilities regarding TSCA CBI.
l
Steps for use and protection of TSCA CBI.
Procedures in cases of lost or improperly disclosed TSCA CBI.
The provisions in this Manual are designed to protect the confidential
information entrusted to the Federal Government, and to ensure that employees
and contractors are aware of the importance of adhering to the procedures of
handling TSCA CBI, their personal responsibilities in doing so, and the
consequences for failing to do so. When situations and circumstances not
specifically addressed in this Manual arise, the obligation to protect TSCA
CBI materials entrusted to EPA continues and must be ensured. For these
unspecified instances, additional protections may be recommended or required
at the appropriate time.
Most TSCA CBI is stored and handled at Environmental Protection Agency
(EPA) Headquarters in the TSCA Confidential Business Information Center
(CBIC). When necessary, EPA approves storing and handling of CBI at other
Headquarters locations as well as facilities such as EPA Regional Offices,
other federal agencies, and contractor facilities. Some differences in security
and control procedures may be necessary depending on local circumstances.
Any such differences, however, must be approved in writing by the Director
of the EPA’s Office of Pollution Prevention and Toxics (OPPT) Information
-xv-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Management Division (IMD).
Information coming to the Agency pursuant to the Lead-Based Paint Real
Estate Notification and Disclosure Rule (40 C.F.R. Part 745, Subpart F) will
be exempted from the requirements of this Manual once a replacement security
plan has been developed and approved by the OPPT Director.
This
replacement security plan may be accessed by contacting the OPPT DCO. A
replacement security plan approved by the OPPT Director is binding upon
Federal and contractor employees handling Residential Lead Disclosure CBI.
Please be aware that approval of a replacement security plan does not exempt
this information from the requirements of EPA confidentiality regulations at
40 CFR Part 2, Subpart B.
The provisions of this Manual are intended to apply in all situations. From
time to time, however, extraordinary circumstances may arise presenting the
need for a change from a prescribed procedure. In such cases, the appropriate
divisional or other regional managers may apply directly in writing to the IMD
Director for an exception. In examining the justification for the requested
exception, the IMD Director will, in his/her judgment, decide whether to grant
the request, in full or in part, including any conditions deemed appropriate.
This Manual is a “living” document.
That is, its development and
interpretation is continuing in nature and will be amended as the need arises.
This Manual may not appear to fit some situations, or the provisions within it
may not seem to include every scenario, contingency, or specialized case. In
these situations, please call the OPPT DC0 or the OPPT IMD Attorney
Advisor for special guidance or clarification.
-xvi-
October20,2003
�TSCA CBI PROTECTION
MANUAL
GUIDING
PRINCIPLES
You have a responsibility to protect the information claimed as TSCA CBI.
Any document that contains TSCA CBI which you receive, retain, create, or
give to another must be protected. This is integral to your work.
The Agency tracks all documents in its possession and you, as a TSCA CBI
cleared individual, are required to undergo an annual audit of all TSCA CBI
entrusted to you by the Agency. Working papers must be individually tracked
when not in direct possession of the creator and otherwise protected until
destroyed.
You can only discuss or disseminate TSCA CBI with persons you know are
authorized for access to TSCA CBI.
If you think you may have a TSCA CBI issue or problem, you should talk with
your manager about it immediately.
You must ensure through personal accountability that you will act consistently
with all guidelines established in this manual to protect TSCA CBI.
-xvii-
October20,2003
�TSCA CBI PROTECTION
MANUAL
This page intentionally
left blank
.. .
-XVIII-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
CHAPTER 1
Reference
1.1
ABBREVIATIONS
ACRONYMS
AND
Provided below is a list of abbreviations and acronyms used in this manual:
ADCO
CBIC
CBITS
CCD
CFR
DCN
DC0
DOPO
DTS
EAC
EAD
EC0
EETD
EPA
FMSD
FOIA
ID
IMD
IS0
LAN
NACI
NCIC
NOWCC
OAM
OARM
OGC
OPPT
OMB
PC
PMN
Alternate DC0
Confidential Business Information Center
Confidential Business Information Tracking System
Chemical Control Division, OPPT
Code of Federal Regulations
Document Control Number
Document Control Officer
Delivery Order Project Officer
Document Tracking System
Electronic Access Cards
Environmental Assistance Division, OPPT
Environmental Careers Organization
Economics, Exposure and Technology Division, OPPT
Environmental Protection Agency
Financial Management and Services Division
Freedom of Information Act
Identification
Information Management Division, OPPT
Information Security Officer
Local Area Network
National Agency Check and Inquiries
Non-Confidential Information Center
National Older Worker Career Center employee
Office of Acquisition Management
Office of Administration and Resources Management
Office of General Counsel
Office of Pollution Prevention and Toxics
Office of Management and Budget
Personal Computer
Premanufacture Notification
Chapter 1: Reference
-l-
October 20,2003
�TSCA CBI PROTECTION
PO
RDMB
ROI
SEE
sow
SSA
TSCA
TSCA CBI
TSS
WAM
MANUAL
Project Officer
Records and Dockets Management Branch, IMD
Report of Investigation
Senior Environmental Employment Program
Contractor Statement of Work
Secure Storage Area
Toxic Substances Control Act
Information submitted in connection with TSCA and claimed
as confidential business information
TSCA Security Staff
Work Assignment Manager
Chapter 1: Reference
-2-
October 20,2003
�TSCA CBI PROTECTION
12.
MANUAL
GLOSSARY
Agency
DC0
The lead document control officer for the
TSCA program at EPA (aka: OPPT DCO)
Alternate
Document
Control
Officer
(ADCO)
The OPPT DC0 and other DCOs can
nominate ADCOs to assist them in
performing document control functions.
ADCOs can perform all functions of a DCO.
Annual Audit
Certification Report
Employees complete these reports on an annual basis to
indicate the status of any TSCA CBI logged out in their
name.
Authorized Access List
A list of people who are authorized for access to TSCA
CBI.
Certification
The process whereby federal and contractor employees
acquire administrative access to TSCA CBI.
Contractor DC0
The document control officer designated by the Project
Officer for a TSCA CBI cleared contract.
Contractors and
Subcontractors
Persons, including individuals or business entities, who
perform work under a contract with the United States
Government or a subcontract with a contractor.
Document Control
Officer (DCO)
DCOs oversee the receipt, storage, transfer, use,
reproduction and destruction of TSCA CBI by employees.
DCOs are responsible for assisting employees in requesting
and renewing TSCA CBI access authorization, as well as
managing the manual or automated Document Tracking
System (DTS) for TSCA CBI in their facility or office.
Document Tracking
System (DTS)
A Document Tracking System is used to track receipt of
and activity involving TSCA CBI within a facility. The
system may be manual or automated (electronic).
Automated systems are recommended for high-volume
facilities.
Chapter 1: Reference
-3-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Environmental
Assistance Division
WAD)
EAD is responsible for oversight of the TSCA Confidential
Business Information security function. This includes
enforcement of the procedures and provisions contained in
the TSCA CBI Protection Manual.
EPA Office
Organizational element of EPA, at any level or location.
EPA Project Officer
(also known outside this
Manual as “Contract
Level COK’)
The Contracting Officer’s primary representative on a basic
contract who oversees the delivery order, task order or
work assignment.
Facility
Any location where EPA, a government contractor or
another federal agency stores and uses TSCA CBI.
Specific procedures may vary from location to location, but
the general procedures in this Manual are in force at all
facilities.
Federal Employee
Generally, an employee of the federal government who has
a Standard Form (SF-52) on file with the Office of
Personnel Management (OPM).
Grantee
Person who performs work under a grant.
[Under TSCA, grantees are not authorized to handle TSCA
CBI. Contact the OPPT-DC0 for more information].
Hard-Copy
Data (e.g., submissions, printouts, photographs) received or
generated on paper. Also, Magnetic Media (e.g., diskette,
video tapes), and other “physical” things which can hold or
contain CBI.
Information
Management Division
(IMD) Director
Within the Office of Pollution Prevention and Toxics
(OPPT) the IMD director is responsible for the day-to-day
implementation of TSCA CBI and control programs,
including the development of policies for the use and
handling of TSCA CBI and operation of the EPA
headquarters-Confidential Business Information Center
(CBIC).
Office of Pollution
Prevention and Toxics
(OPPT) Director
The OPPT director has overall authority for managing
TSCA activities, including TSCA security programs.
Chapter 1: Reference
-4-
October 20,2003
�TCf’h
f’RI
DDT\TCf’Tlnhl
MAhll
IA1
OPPT Confidential
Business Information
Center (CBIC)
The primary area for storing and using TSCA CBI is the
EPA CBIC at EPA headquarters in Washington, D.C. If
appropriate, EPA may authorize TSCA CBI access at other
facilities including EPA regional offices, other Federal
agency offices, and contractor facilities.
OPPT Document Control
Officer (OPPT DCO)
The OPPT DC0 provides day-to-day support to other
Federal and Contractor DCOs nationwide. This includes
issuing the TSCA CBI authorized access list and processing
forms and records pertaining to requests for TSCA CBI
access authority for organizations and individuals. The
OPPT DC0 manages the headquarters CBIC, oversees
other DCOs at headquarters, and provides training materials
and guidance to all DCOs on appropriate TSCA CBI
handling procedures.
Originator
An employee who is responsible for determining if
documents he/she creates contain CBI and stamping them
as such.
Requesting Official
This is (1) employee’s immediate supervisor or higher
authority who nominates a Federal employee for TSCA
CBI access or (2) the EPA project officer who nominates a
contractor employee for TSCA CBI access. Requesting
officials’ responsibilities include ensuring that their
employees renew their TSCA CBI access authority yearly,
determining when their employees no longer require access
authority, authorizing their employees to transfer TSCA
CBI using a courier or express mail, and initiating or
reviewing their employees’ reports of violation of this
manual’ s procedures.
Sanitize
To remove TSCA CBI from a document.
Secure Storage Area
WA)
An area that is secured from persons not authorized for
access to TSCA CBI. Secure storage areas house the bulk
of an organization or facility’s TSCA CBI records, or serve
as an organization or facility’s primary TSCA CBI work
area, or both.
Temporary Transfer
Relinquishing custody of TSCA CBI from one person to
another in the same facility on a temporary basis.
Chapter 1: Reference
-5-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
TSCA CBI
TSCA information claimed business-confidential under
EPA’s confidentiality regulations at 40 CF’R Part 2, Subpart
B.
TSCA CBI LAN
The physically isolated Local Area Network (LAN) located
at EPA Headquarters dedicated exclusively to TSCA CBI.
TSCA CBI Materials
Documents or any other information-bearing
contain TSCA CBI.
TSCA Security Staff
The TSCA security staff (of EAD) responsible for securityrelated activities, including reviewing security procedures,
performing facility site inspections, and investigating
violations of the procedures contained in this manual.
Unauthorized Access
Access to TSCA CBI by persons lacking administrative
clearance or whose clearance has expired.
Working Papers
Temporary work product documents produced by a federal
or contractor employee containing TSCA CBI, which are
subject to special handling procedures.
Chapter 1: Reference
-6-
media that
October 20,2003
�TSCA CBI PROTECTION
MANUAL
LIST OF APPENDICES
13.
Appendix
A
Appendix
Appendix
Appendix
Appendix
B
C
D
E
Appendix
F
Appendix
Appendix
G
H
Appendix
I
Appendix
J
Appendix
K
Appendix
L
Appendix
Appendix
Appendix
Appendix
Appendix
Appendix
M
N
0
P
Q
R
Appendix
S
Appendix
Appendix
Appendix
Appendix
Appendix
Appendix
T
U
V
W
X
Y
Appendix
Z
Chapter 1: Reference
Form 7740-6: TSCA CBI Access Request, Agreement, and
Approval
Form 7740-25: TSCA CBI ADP User Registration
Request for EPA Identification Badge
Request for Building Pass
Form 7740-28: United States Environmental Protection Agency
TSCA Confidential Business Information Document Reconciliation
Certificatiqn
Form 77 lo- 17: Confidentiality Agreement for United States
Employees Upon Relinquishing TSCA CBI Access Authority
Form 3110-l: Employee Separation or Transfer Checklist
Form 7740-17: Request for Approval of Contractor Access to TSCA
Confidential Business Information
EPAAR 1552.23578: Data Security for Toxic Substances Control
Act Confidential Business Information
EPAAR 1552.235-75: Access to Toxic Substances Control Act
Confidential Business Information
EPAAR 1552.235-76: Treatment of Confidential Business
Information (TSCA)
Form 7740-27: Contractor Information Sheet - Contractor TSCA
CBI Access/Transfer
Contractor Checklist For TSCA CBI Access
Contractor Employee Checklist For TSCA CBI Access
Form 86: Questionnaire for National Security Positions
Fingerprint Card “FD258 Application”
Procedures for Terminating Contractor Access to TSCA CBI
Form 7740-18: Confidentiality Agreement for Contractor Employees
Upon Relinquishing TSCA CBI Access Authority
Form 7740-24: Federal Agency, Congress, and Federal Court Sign
out Log
Stamp to use when Material contains TSCA CBI
Form 7740-9: Confidential Business Information Cover Sheet
Form 7740- 11: Inventory Log
Form 7740- 10: Receipt Log
Form 7740-13: TSCA CBI Visitors Log
Form 7740-26: Permanent Transfer Receipt for TSCA Confidential
Business Information
Form 7740- 12: Memorandum of TSCA CBI Telephone
Conversation
-7-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Appendix AA
Form 7740- 14: Temporary Loan Receipt for TSCA Confidential
Business Inforrnation
Laptop Computer Agreement for the Confidential Business
Information Center (CBIC)
Amendment Through Voluntary Withdrawal
40 CFR 2.208, TSCA CBI substantive criteria for determining
confidentiality
Taking action on TSCA CBI claims that appear unwarranted
Appendix BB
Appendix CC
Appendix DD
Appendix EE
Chapter 1: Reference
-8-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
CHAPTER 2
TSCA CBI Access
2.0
INTRODUCTION
This section identifies persons entitled to TSCA CBI access and addresses requirements that
must be met in order to obtain, maintain, or terminate certification to work with TSCA CBI.
Legal access to TSCA CBI is dependent on meeting the conditions found in Section 14 of
TSCA. For federal employees, qualification for access is contingent on having federal
employment and a job-related need for access to TSCA CBI. For contractor employees,
qualification for access is contingent on employment
with a TSCA-related federal
contractor, a job-related need for access to TSCA CBI, and maintaining up-to-date
administrative certification.
Federal and contractor employees who have an official job-related need for TSCA CBI
access are, however, required to complete an initial administrative certification when
receiving their new job assignment, prior to working with TSCA CBI. Moreover, these
employees are required to complete an annual re-certification process for each year thereafter
for as long as their jobs require access to TSCA CBI.
Administrative
TSCA CBI access, in every case, is granted solely to further the needs
and the mission of the Government.
Members of the following groups are not federal employees and, consequently, are not
eligible for TSCA CBI access:
l
l
l
Volunteers (unpaid staff)
Students (except those in the Student Temporary Employment Program (STEP) popularly known as Stay-In-Schools, who are federal employees)
Student Interns who are placed in EPA facilities by the Environmental Careers
Organization (ECO) and other recipients of EPA grants and cooperative agreements
l
Senior Environmental Employment (SEE) program enrollees
l
National Older Worker Career Center (NOWCC)
l
Grantees
Chapter 2: TSCA CBI Access
-9-
staff
October 20,2003
�TSCA CBI PROTECTION
2.1
MANUAL
TSCA CBI ACCESS FOR FEDERAL
EMPLOYEES: CERTIFICATION,
MAINTENANCE,
SUSPENSION, AND
TERMINATION
The following administrative procedures, which are necessary for access, apply to federal
employees who will work with TSCA CBI for the first time, or who have let their
certification lapse:
l
l
View the Security briefing: A federal employee’s immediate supervisor is responsible
for ensuring that the employee has read this manual and viewed the security briefing
on procedures for handling TSCA CBI. The briefing, either automated or on
videotape, is arranged by the OPPT Document Control Officer (DCO) or the
employee’s DCO.
Complete one or both of the following
needed) and submit them to the DCO:
forms (depending on the extent of access
1. Form 7740-6: TSCA CBI Access Request, Agreement, and Approval.
APPENDIX
A.]
[See
[Note: Notwithstanding the Privacy Act statement which appears in the 9-92
version of Form 7740-6, providing a Social Security Number is not required
under Section 14 of TSCA, and is not mandatory to obtain access to TSCA
CBI. Upon request at the time of initial access, an alternate generic number
may be assigned].
2. Form 7740-25: TSCA CBI Automated Data Processing (ADP) User Registration
Form (if online access to a TSCA CBI system or database is required). [See
APPENDIX
B.]
l
l
Employee’s immediate supervisor ensures that the employee has read this TSCA CBI
Protection Manual and viewed the security briefing.
Employee’s immediate supervisor signs line 20 of Form 7740-6 (general access
request form) to signify approval of TSCA CBI access and forwards it to the DCO,
or disapproves access.
Chapter 2: TSCA CBI Access
-lO-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
DC0 reviews forms for completeness and forwards them to the OPPT DCO. [In
general, the DC0 assists employees with obtaining and maintaining TSCA CBI
certi$cation.]
l
l
Subject to the oversight of the IMD Director, the OPPT DC0 reviews and approves
access and adds the employee’s name to the TSCA CBI Authorized Access List.
[The OPPT DC0 provides monthly updated lists to DCOs and can verify which
employees are on the latest list. The CBIC uses the list in conjunction with the
Confidential Business Information Tracking System (CBITS) to verify access.]
2.1.1
Re-Certification
For Federal Employees
The OPPT DC0 notifies DCOs of persons whose certifications are about to expire. Federal
employees who need TSCA CBI access in connection with their official duties must renew
their certification every year by:
1. Viewing the security briefing videos and
2. Completing the document audit procedure.
2.1.1.1
Document Audit
The following
steps must be taken:
1. Employee’s DC0 provides list of all documents logged out to the employee. The
federal employee’s immediate supervisor ensures the Document Audit is
completed.
2. Employee reconciles the document list by following
l
Verify that he/she has the listed documents in his or her possession, OR
l
Return logged-out documents which are overdue to the DCO, AND
l
l
the steps below:
Notify the DC0 of any unaccounted for documents, and report them on the
Document Reconciliation Certificate (see APPENDIX
E), OR
Indicate on the Document Reconciliation
logged out, AND
Chapter 2: TSCA CBI Access
-II-
Certificate that no documents are
October 20,2003
�TSCA CBI PROTECTION
l
MANUAL
Sign the Document Reconciliation Certificate, to be placed in the employee’s
access file for future audit.
3. If the employee fails to locate any unaccounted for documents, he or she must
follow the procedures in CHAPTER 5 concerning unaccounted-for documents.
All returned documents must be re-entered into the collection of records.
Time For Re-Certifiing
2.1.1.2
The time for re-certifying access to TSCA CBI is no more than 30 days prior to an
employee’s anniversary date. Employees who re-certify within this period will retain
their anniversary dates. Re-certifying prior to the 30 day window or after the anniversary
date will result in a new corresponding anniversary date.
2.1.2
Failure
to Maintain
Access Certification
Federal employees who miss their annual deadline to re-certify under the TSCA CBI
protection program and who continue to have access to TSCA CBI as part of their official
responsibilities are in violation of these procedures and are subject to the corrective actions
and administrative penalties outlined in CHAPTER 5. [This violation of administrative
procedure is not, however, reportable to the information submitter a&an unauthorized
disclosure under Section 14 of TSCA].
2.1.2.1
SusDension and Termination
Employees who are 29 or few-days late in renewing their certification are suspended from
receiving access to TSCA CBI. Employees who are 30 days or more late in renewing their
certification are terminated from receiving access to TSCA CBI as part of their official
duties.
Employees who have had their access terminated must repeat initial certification, not simply
re-certification, in order to once again receive official access.
Chapter 2: TSCA CBI Access
-12-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
2.1.3 Suspension of Log-Out Privileges
If logged-out documents are overdue or are not returned or accounted for as required during
the annual Document Audit procedure (see Section 2.1.1), an employee’s privilege to log out
CBI documents from secured reference areas such as the CBIC may be suspended. Once the
documents at issue are returned or accounted for, borrowing privileges will be restored.
2.1.4 EPA Employee Transfers
The OPPT DC0 must be notified when an EPA employee officially transfers to another
branch, division, or office, if the new position requires TSCA CBI access. The employee
will be required to perform a document reconciliation and return all CBI documents to the
CBIC prior to receiving access for the new position. Upon completion of these two
requirements, complete access to CBI materials will be available.
2.1.4.1
Supervisors ’ Responsibilities
Employee Tranxfers
When
It is the responsibility of the employee’s former supervisor or DC0 to notify the OPPT DC0
of the transfer. In addition, the new supervisor or DC0 must submit a new Form 7740-6
(Appendix A) for the employee.
2.1.5 TSCA CBI Access Termination
Employees
for Federal
TSCA CBI access terminates when the official need for access terminates, as in the following
examples:
l
When a federal employee leaves federal service
l
When a federal employee transfers to a new federal position
l
When a federal employee receives an administrative penalty, suspending employment
or reassigning the employee to another federal position that does not require official
need for TSCA CBI
When a federal employee’s duties change, and no longer require TSCA CBI access
Chapter 2: TSCA CBI Access
-13October 20,2003
l
�TSCA CBI PROTECTION
l
MANUAL
When a federal employee fails within 30 days from the anniversary date to reconcile
the document audit report and attend the annual security briefing
2.1.5.1
TSCA CBI Access Termination
Federal Enployees
Procedures:
To terminate TSCA CBI access, an employee must follow the Document Audit procedure
The employee receives a list of all their logged out
described in the steps below.
documents from the DCO. From that list, the terminating employee must reconcile all
documents in his/her possession by doing the following:
(Both the employee’s supervisor and DC0 are responsible for ensuring that these steps
are taken)
l
Either:
1. Return logged-out documents and magnetic media to the DC0 (see
APPENDIX
E), notify the DC0 of any unaccounted for documents, and
report them on the Document Reconciliation Certificate, OR
2. Indicate on the Document Reconciliation
logged out.
l
Certificate that no documents are
In addition, sign the Document Reconciliation
employee’s access file for future audit.
Certificate, to be placed in the
(If the employee fails to locate unaccountedfor documents within 5 business days
of the issuance to the employee of the list of items logged out to him/her, he/she
must follow the procedures in CHAPTER
5 concerning unaccounted-for
documents.)
l
l
Receive from the DC0 a copy of the Confidentiality Agreement the employee
signed when first assigned or hired to work with TSCA CBI. Sign and receive a
copy of a receipt for the form entitled, “Confidentiality Agreement for United
States Employees Upon Relinquishing TSCA CBI Access Authority.”
[See
APPENDIX
F],
Complete EPA Form 77 10-17: “Conjidentiality Agreement for United States
Employees upon Relinquishing TSCA CBI Access Authority. ” [See APPENDIX
Fl.
Chapter 2: TSCA CBI Access
-14-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
2.1.5.1(a)
DC0 And Supervisor
Access Termination
Responsibilities
For
The DC0 will take action on unaccounted for documents. In the case of a dispute
between the employee and DC0 about whether a document is logged out, the
document will be considered possibly unaccounted for, and will be reported as such
in accordance with the Manual Procedures in CHAPTER 5.
The DC0 must change the lock combinations for storage containers to which the
employee had access and remove any CBI from the employee’s desk area before any
new staff arrive.
2.1.5.1(b)
l
l
l
OPPT DC0
Termination:
Responsibilities
For Access
Upon notice from the employee’s DCO, remove the employee’s name from the
TSCA CBI Authorized Access List.
Arrange with IMD to invalidate the employee’s TSCA CBI computer user IDS and
passwords for all TSCA CBI-related computer systems. IMD is responsible for
notifying the OPPT DC0 in writing when the employee’s passwords are
invalidated.
Make immediate arrangements to invalidate the employee’s electronic entry ID
card for TSCA CBI Secure Storage Areas (SSA’s).
2.1.6
Unaccounted
For Documents
The Facility DC0 must assume that a TSCA CBI document is unaccounted for if it is not
received within 5 business days of issuing the employee the list of items logged out to
him/her and report the document as unaccounted for according to the procedures in
CHAPTER5
Chapter 2: TSCA CBI Access
-15-
October 20,2003
�TSCA CBI PROTECTION
2.2
MANUAL
TSCA CBI ACCESS FOR CONTRACTORS
AND CONTRACTOR
EMPLOYEES:
CERTIFICATION,
MAINTENANCE,
TERMINATION
AND INDUSTRY NOTICE
The EPA Project Officer (PO) determines if, under TSCA Section 14(a), a contractor
requires access to TSCA CBI.
2.2.1
Determination
Contractors
of TSCA CBI Access for
To establish access for a contractor the PO submits Form 7740- 17: Request for Approval of
Contractor Access to TSCA CBI (APPENDIX
H) to the appropriate division director (or
equivalent supervisor) for signature, then forwards it to the IMD Director who issues final
approval in the form of a notice (as described in Section 2.2.4.).
For new contracts (or to modify an existing contract) Form 7740-17 must be submitted to the
IMD Director 20 business days before access is to begin. Form 7740-17 is submitted to the
IMD Director prior to the modification request.
The PO also must complete the following:
l
Notify EPA’s Office of Acquisition Management (OAM) contracting officer of
required TSCA CBI language, including the following contract clauses from the EPA
Acquisition Regulation 1901 (9/l 2/2000):
-
l
l
Data Security for TSCA CBI (EPAAR 1552.23578) (see APPENDIX
Access to TSCA CBI (EPAAR 1552.235-75) (see APPENDIX
J)
Treatment of CBI (EPAAR 1552.235-76) (see APPENDIX
K);
I)
Forward Form 7740-17 to OAM after the IMD Director has signed it; and
At least 60 days prior to the date access is to begin complete a Contractor Information
Sheet, Form 7740-27 (see APPENDIX
L) and forward it to the OPPT DCO.
Chapter 2: TSCA CBI Access
-16-
October 20,2003
�TSCA CBI PROTECTION
2.2.2
MANUAL
Approval
Approval
for TSCA CBI Access or Expedited
for Immediate Access.
The OPPT DC0 will add a contractor’s name to the TSCA CBI Authorized Access List when
the contractor is approved for CBI access. For contractor employees, the OPPT DC0 will
notify the contractor DC0 of the approval of an employee by sending the contractor DC0
the TSCA CBI Authorized Access List.
When a programmatic need can be demonstrated, expedited approval may be granted by the
IMD Director which will allow a contractor and/or contractor employee access to TSCA CBI
without having to wait 60 days after Form 7740-27 is submitted to&he OPPT DCO.
Expedited approval does not waive the requirement for the advance notice provided in
Section 2.2.4.
See APPENDIX
2.2.3
M for a Contractor Checklist for TSCA CBI Access.
Rules for Contractors
Contractors who receive TSCA CBI must:
l
l
l
Adhere to the terms of their contracts regarding site requirements for receiving and
maintaining TSCA CBI.
Maintain TSCA CBI in a secure environment that meets or exceeds the requirements
in CHAPTER
4.
Maintain the “two-barrier” system described below for establishing any TSCA CBI
storage site not located at a federal agency facility:
Barrier
1:
-
Perimeter walls must be constructed “slab to slab,” and must not have false
ceilings that would permit entry into the contractor’s workspace from over a
corridor wall.
-
Entry and exit doors must have pin-tumbler deadbolt locks or equivalents
installed (unless the door is for emergency exit in which case it must have a
crash bar with an audible alarm).
Chapter 2: TSCA CBI Access
-17-
October 20,2003
�TSCA CBI PROTECTION
-
MANUAL
Entry and exit doors must have exposed hinge pins that are pinned or
otherwise constructed to prevent removal of the pins.
Barrier 2:
l
Must have approved storage containers as described in Section 4.3.3.
Arrange for a site inspection by TSS. TSCA CBI access will not be authorized at the
contractor’s site without TSS approval. TSS will communicate its approval to the
OPPT DCO. (Contractors should contact TSS if they have any questions about
establishing or maintaining TSCA CBI security.)
2.2.4
Notice to Affected Businesses Prior To Granting
Access
1) HOW
IMD will notify affected businesses in one of the following
CBI access to contractors:
ways prior to granting TSCA
l
Publishing a notice in the Federal Register
l
Sending an individual Notice by certified mail-return receipt requested
l
Sending an individual Notice by telegram
l
Using any other means to give actual notice, and documenting the fact that such
notice was received.
The Notice process:
l
OPPT DC0 uses the Contractor Information Sheet from the PO to prepare the Notice
l
IMD Director signs the Notice, authorizing access for the contractor.
2) WHEN
IMD must wait at least 5 business days following receipt or publication of the Notice before
granting access in order to allow the affected business an opportunity to comment.
Chapter 2: TSCA CBI Access
-18-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
3) WHAT
The Notice must include the following:
Contractor company’s identity
Contract number
Explanation
contract
of why TSCA CBI access is necessary for the performance of the
Where access is authorized (on EPA premises and/or at the contractor’s facility)
Types of information to be disclosed
Period of time for which TSCA CBI access is authorized
2.2.5
Requirement
for Contractor
DC0
Each contractor with TSCA CBI access at either the contractor’s facility or an EPA facility
must have a contractor DC0 who must be designated before the contractor is allowed access
to TSCA CBI.
The contractor must nominate one DC0 and one Alternate DCO, and notify the EPA PO of
their names. The EPA PO nominates the employees and forwards their names, telephone and
fax numbers and e-mail and mailing addresses to the OPPT DCO. [See 3.2.11
2.2.6
TSCA CBI Certification
Employees
for Contractor
Following certification of TSCA CBI access for contractor companies, contractor employees
must obtain individual access certification. All certification forms are available through the
OPPT DCO. See APPENDIX
N for a Contractor Employee Checklist for TSCA CBI
Access.
After completing the above requirements (sections 2.2.1,2.2.2,2.2.3,2.2.4.2.2.5),
the EPA
PO, EPA Delivery Order Project Officer (DOPO), or the EPA WAM confers with contractor
officials to determine which contractor employees require TSCA CBI access certification.
The EPA PO will request access certification for these individuals.
After contractor employees are certified for TSCA CBI access, they are listed on the TSCA
Chapter 2: TSCA CBI Access
-19-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
CBI Authorized Access List. The list provides the names of people cleared for TSCA CBI
access, including TSCA CBI computer access, and the date on which their access expires.
The OPPT DC0 provides monthly copies of the updated list to DCOs. If after consulting the
list questions remain about a person’s TSCA CBI certification, consult the OPPT DCO.
2.2.7 Initial Certification
for Contractor
Employees
Contractor employees acquire initial certification according to the process described below:
l
l
The employee views the security briefing on procedures for handling TSCA CBI. The
contractor DC0 is responsible for ensuring that contractor employees read this
Manual and view the security briefing. The briefing is arranged by the OPPT DC0
or any DCO.
The employee completes the following
DCO:
-
forms and submits them to the contractor
7740-6: TSCA CBI Access Request, Agreement, and Approval
APPENDIX
A].
Form
[see
[Note: Notwithstanding the Privacy Act statement which appears in the 9-92
version of Form 7740-6, providing a Social Security Number is not required
under Section 14 of TSCA, and is not mandatory to obtain access to TSCA CBI.
Upon request at the time of initial access, an alternate generic number may be
assigned].
- Form 86: Questionnaire for National Security Positions (see APPENDIX
l
l
l
0).
-
F’D-258: Fingerprint card (two originals) (see APPENDIX
-
Form 7740-25: TSCA CBI ADP User Registration Form (for online accessto a TSCA
CBI system or database) (see APPENDIX B).
P).
The contractor DC0 reviews forms for completeness and forwards them to the EPA PO.
The EPA PO either signs line 20 of the general accessrequest form, indicating approval, or
disapproves access.
The EPA PO submits the approved forms to the OPPT DC0 for review and approval on that
level.
[See APPENDIX
N for a Contractor Employee Checklist for TSCA CBI Access.]
Chapter 2: TSCA CBI Access
-2o-
October 20,2003
�TSCA CBI PROTECTION
2.2.8
MANUAL
National
Agency Check & Inquiries
(NACI)
All contractor employees who are granted access to TSCA CBI must successfully pass a
NACI background check to maintain TSCA CBI clearance. NACI investigations are
conducted by the U.S. Office of Personnel Management at the request of the EPA Office of
Administration and Resource Management, usually several weeks following the contractor
employee’s grant of access. The EPA PO or WAM must ensure the NACI investigation
requirement is placed in the official Statement Of Work (SOW).
2.2.9
TSCA CBI Re-Certification
Employees
for Contractor
The OPPT DC0 notifies DCOs of persons whose certifications are about to expire.
Contractor employees who continue to require TSCA CBI access in connection with their
job-related duties must renew their certification every year by:
1. Viewing the security briefing videos, and
2. Completing the document audit procedure below.
Document Audit
2.2.9.1
The following
steps must be taken:
1. The Contractor DC0 provides a list of all documents logged out to the contractor
employee.
2. The Contractor employee reconciles the DC0 document list by following
procedures below:
l
l
l
l
the
Return logged-out documents listed on the Document Reconciliation Certificate
to the Facility DC0 (see APPENDIX E), AND
Notify the DC0 of any unaccounted for documents, and report them on the
Document Reconciliation Certificate, OR
Indicate on the Document Reconciliation Certificate that no documents are logged
out.
Sign the Document Reconciliation Certificate, to be placed in the contractor
employee’s access file for future audit.
Chapter 2: TSCA CBI Access
-21-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
3. If the employee fails to locate the documents, he/she must follow the procedures in
CHAPTER 5 concerning unaccounted for documents.
All returned documents must be re-entered into the collection of records.
2.2.9.2
Time for Re- Certi fiing
The time for re-certifying TSCA CBI is no more than 30 days prior to an employee’s
anniversary date. If an employee re-certifies within this period$he employee will retain
the same anniversary date. Re-certifying either prior to the 30 day window or following
the anniversary date will result in a new corresponding anniversary date.
2.2.10 Failure to Maintain Access Certification
Contractor Employees
for
Contractor employees who miss their annualdeadlines to re-certify under the TSCA CBI
security program and who continue to have access to TSCA CBI are in violation of these
procedures, and subject themselves to disciplinary or corrective action by their contractor
employer.
Contractor employees who have not re-certified for TSCA CBI access within the past year
must pass initial certification, not re-certification.
EPA may suspend the access of any
contractor employee if in the Agency’s judgment doing so is necessary to protect TSCA CBI
against some credible threat of loss or wrongful disclosure. For contractor employees a lapse
in certification access may result in an unauthorized disclosure reportable to the submitter
as describedin CHAPTER5
There is no need, however, to obtain a new NACI or to be re-fingerprinted, if the employee
never left the contractor’s employment. This provision applies when both of the following
conditions are true:
l
The contractor continues to hold a TSCA-related contract.
l
The contractor employee’s job requires access to TSCA CBI.
Chapter 2: TSCA CBI Access
-22-
October 20,2003
�TSCA CBI PROTECTION
2.2.11
MANUAL
TSCA CBI Access Termination:
Employees
Contractor
TSCA CBI access terminates for a contractor employee under various conditions.
example:
l
When the contract ends.
l
When a contractor employee leaves the contractor’s employ.
l
For
When a contractor employee transfers to a new position which does not require TSCA
CBI access.
When a contractor employee receives an administrative penalty from the contractor
suspending employment or the contractor employee is reassigned within the company
to another position which does not require TSCA CBI access.
l
l
l
l
When a contractor employee’s job duties change and he/she no longer requires TSCA
CBI access.
When EPA suspends TSCA CBI access for a contractor employee under CHAPTER
5 of this Manual.
When a contractor no longer needs access for the successful completion of an Agency
Task.
2.2.11.1
TSCA CBI Access Termination Procedures:
Contractor Enwlovees
To terminate access to TSCA CBI, the contractor employee must follow the Document
Q for a Checklist of
Audit procedure described in the steps below. See APPENDIX
Procedures for Terminating Contractor Access to TSCA CBI.
l
The contractor DC0 provides a list of all documents logged out to the contractor
employee. From that list, the contractor employee must reconcile all documents in
his/her possession by doing the following:
-
Either return logged-out documents listed on the Document Reconciliation
Certificate to the contractor DC0 (see APPENDIX
E), notifying the contractor
DC0 of any unaccounted for documents, and report them on the Document
Chapter 2: TSCA CBI Access
-23-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Reconciliation
Certificate, OR
-
Indicate on the Document Reconciliation Certificate that no documents are logged
out.
-
In addition, sign the Document Reconciliation Certificate, to be placed in the
contractor employee’s access file for future audit.
If the contractor employee fails to locate any of the listed documents within 5 business
days of the issuance to the employee of the list of items logged out to him/her, he/she must
follow procedures for reporting lost documents in CHAPTER 5. Both the contractor
employer and the contractor DC0 are responsible under the terms of the contract for
assuring this procedure is completed. In addition, Prior to termination of the TSCA
contract, contractor DCOs are resuonsible for reconciling TSCA CBI 14 calendar davs
before the termination date.
The Contractor DC0 mustkdso:
l
l
l
l
Request that the OPPT DC0 remove the contractor employee’s name from the
TSCA CBI Authorized Access List.
Make immediate arrangements to invalidate the contractor employee’s electronic
entry ID card for TSCA CBI.
Change the combinations to locks for any TSCA CBI storage containers to which
the contractor employee had access.
Provide contractor employee with copy of Confidentiality Agreement (Form 77406) signed at the inception of assignment and obtain the contractor employee’s
signature on the “Confidentiality Agreement for Contractor Employees Upon
Relinquishing TSCA CBI Access Authority” Form 7740- 18. (See APPENDIX
R.)
l
Remove any CBI from the contractor employee’s desk area before new staff
occupies the desk.
The OPPT DC0 must arrange with IMD to invalidate the contractor employee’s TSCA
CBI computer user ID code and passwords for all TSCA CBI-related computer systems
to which the contractor employee had access. IMD is responsible for notifying the OPPT.
DC0 in writing when the contractor employee’s passwords are invalidated.
Chapter 2: TSCA CBI Access
-24-
October 20,2003
�TSCA CBI PROTECTION
2.2.1 I.2
MANUAL
Unaccounted For Documents
The contractor DC0 must assume that a TSCA CBI document is unaccounted for when
it is not received within 5 business days of issuing the contractor employee the list of
items logged out to him/her, and report this fact under the procedures in CHAPTER 5.
2.2.12
Change In Corporate Status
When a contractor or subcontractor with access to TSCA CBI is acquired by or merged into
another company (or otherwise alters its corporate status by associating in some way with
another company) it shall provide notice to EPA prior to the transaction. EPA will allow the
contractor or subcontractor 30 days from the time of notice to complete the corporate and
employee TSCA CBI clearance procedures discussed in this section 2.2 above. If the
required notice is not given within 90 days of the transaction, then access during that time
will be considered unauthorized, and the Agency will follow the unauthorized disclosure
procedures in Chapter 5.
23.
TSCA CBI
ACCESS CERTIFICATION
FOR OTHER FEDERAL AGENCIES
Access to TSCA CBI data may be granted to other federal agencies under the following
circumstances:
.
When TSCA CBI data is required to perform work for EPA.
.
When TSCA CBI data is required to perform the other agency’s legal duties
to protect health or the environment.
.
When TSCA CBI data is required for specific law enforcement purposes.
All persons contemplating disclosure of TSCA CBI to other federal agencies should review
the regulations at 40 CFR Sections 2.209(c) and 2.306.
Chapter 2: TSCA CBI Access
-25-
October 20,2003
�TSCA CBI PROTECTION
2.3.1
MANUAL
Procedures for Other Federal Agencies to
obtain TSCA CBI Access
Other federal agencies may obtain access to TSCA CBI by following the applicable
requirements outlined in 40 CFR 2.209(c), and including taking the following steps:
An authorized agency representative must submit a written request to the IMD Director
preferably at least one month before access is to begin. The request must specify the
following:
.
Information to which access is requested.
.
Reason(s) why access is necessary (including the official purpose).
.
Supporting details.
The request must be signed by an agency official whose authority is at least equivalent to that
of an EPA division director.
The IMD Director reviews the TSCA CBI access request and notifies the agency’s requesting
official of his/her decision. If access is approved, the IMD Director informs the agency of
the following stipulations:
.
TSCA CBI is being disclosed under TSCA authority
.
Unauthorized disclosure of the information may subject the agency’s
employees to criminal penalties in Section 14(d) of TSCA (see CHAPTER 5)
.
The agency seeking TSCA CBI access must provide written agreement that it
will not disclose TSCA CBI, except in any one of the following situations:
(0
The agency has statutory authority both to compel production of
the information and to make the proposed disclosure, and it has
furnished affected businesses with at least the same notice that
EPA would provide under EPA regulations.
(ii)
The agency has obtained the consent of each affected business
prior to the proposed disclosure.
Chapter 2: TSCA CBI Access
-26-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
The agency has obtained a written statement from the EPA
general counsel, or an EPA regional counsel, that disclosure of
the information is authorized under EPA regulations.
(iii)
[Note: If the other federal agency is obtaining access to TSCA CBI for purposes not on
behalf of EPA, notice must first be provided to affected businesses as provided in Section
2.3.2 just below].
Once access has been granted, designated employees of the other federal agency can obtain
access to specified TSCA CBI on EPA premises. The procedures for individual employees
to obtain certification for TSCA CBI access are explained in Section 2.1 of this Manual.
Employees of other federal agencies are not allowed to remove from EPA premises any
documents, notes, or correspondence containing TSCA CBI and must not discuss TSCA CBI
with unauthorized individuals. Only a DC0 may remove TSCA CBI from EPA premises.
TSCA CBI must therefore be transferred from an EPA DC0 to a Facility Agency DCO.
When a programmatic need can be demonstrated (and when the other federal agency needs
TSCA CBI access to perform a function on behalf of EPA) expedited approval may be
granted by the IMD Director which will allow a federal agency access to TSCA CBI before
receiving final approval from the OPPT DCO.
2.3.2
Notice to Affected Businesses
Before granting TSCA CBI access to another agency, in order to do work not on behalf of
EPA, IMD provides written Notice to affected businesses. The Notice must be given at least
10 calendar days before access can be granted via publication in the Federal Register,
telegram, or certified mail (return receipt requested). No Notice to affected businesses is
required however, when EPA discloses TSCA CBI to another agency to perform work for
EPA (as described in 40 CFR Sections 2.209(c) and 2.306(h)).
IMD will prepare the Notice, which must include the following:
l
Identity of the agency to which TSCA CBI access is granted.
0
Official purpose for the access.
.
If access is authorized on EPA premises or at the other agency’s facilities (see
Section 2.3.3).
0
Types of information to be disclosed.
.
Period of time for which access to TSCA CBI is authorized.
Chapter 2: TSCA CBI Access
-27-
October 20,2003
�TSCA CBI PROTECTION
2.3.3
MANUAL
Security Requirements
Agencies
at Other Federal
In order for the other agency to obtain access to TSCA CBI on its own premises, the
requesting official to whom TSCA CBI is to be transferred, must nominate at least two
people as a DC0 and an Alternate DC0 (ADCO). The nomination, submitted in writing to
the OPPT DC0 for approval, must include the names, telephone and fax numbers, and e-mail
and mailing addresses of the nominees. The requesting official or the DC0 can also
nominate ADCOs to assist the DC0 in day-to-day operations. ADCOs can perform the same
duties as DCOs (including signing EPA Form 7740-28).
The following
are required for TSCA CBI access on the other agency’s premises:
0
Agency security procedures and standards that equal or surpass those set forth
in this manual. The requesting official must provide to TSS a written
statement of the agency’s security procedures for handling TSCA CBI. The
statement should state that the security procedures in this Manual have been
adopted, or how the security procedures used by the agency differ from those
in this Manual.
.
EPA TSS inspection and approval of the agency’s TSCA CBI storage
facilities. The inspection is to be arranged by the requesting official.
[NOTE: TSS will not be required to inspect facilities in other federal agencies where CBI
is stored in approved storage containers as referenced in Section 4.3.3.1
24.
REQUESTS FROM CONGRESS OR THE
GENERAL ACCOUNTING OFFICE (GAO)
EPA, federal, and contractor employees must notify the IMD Director immediately when
they receive a request from Congress or the GAO for information that requires access to
TSCA CBI. Pursuant to 40 CFR 2.209, TSCA CBI access is allowed only when the request
is made by the Speaker of the House of Representatives, the President of the Senate, a
chairman of a Congressional committee or subcommittee, or the Comptroller General. All
document access will be provided by the OPPT DCO, who will record all transactions on the
Federal Agency, Congress, and Federal Court Sign-Out Log, Form 7740-24 (see
APPENDIX
S).
0
When EPA allows access to TSCA CBI by Congress or the GAO, EPA must
provide written notice to affected businesses at least 10 calendar days prior to
disclosure unless Congress or GAO directs otherwise or does not give
Chapter 2: TSCA CBI Access
-28-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
sufficient time. In the latter case, notice shall be given as promptly as possible
[see 40 CFR 2.209(b)(2)]. Such notice may be given via publication of a
Notice in the Federal Register, or via telegram or certified mail (return receipt
requested). IMD will prepare the Notice, which must include:
Whether access is authorized on EPA premises or at the other agency’s
facilities
Type of information to be disclosed
Period of time for which need for access to TSCA CBI is expected.
-29-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
This page intentionally
-3o-
left blank
October 20,2003
�TSCA CBI PROTECTION
MANUAL
CHAPTER 3
TSCA CBI Responsibilities
INTRODUCTION
30.
Proper protective controls must be followed by employees of EPA, other federal agencies,
and contractors with access to TSCA CBI who handle, store, or transfer any TSCA CBI.
31.
EMPLOYEE
3.1.1
RESPONSIBILITIES
Personal Accountability
EPA holds every employee with access to TSCA CBI access personally responsible for
adhering to the handling and security procedures in this Manual.
3.1.2
Assuring
Adequate
TSCA CBI Protection
Each employee with TSCA CBI access is required to inform management immediately if
he/she discovers that any procedure in this manual does not provide adequate protection for
TSCA CBI. In addition, those employees are encouraged to suggest changes to improve
protection.
3.1.3
Reporting
Procedural
Violations
Each employee who has access to TSCA CBI is required to report immediately in writing any
potential violations of these procedures to his/her immediate supervisor, and if applicable,
the Contractor PO (see Section 5.1).
Chapter 3: TSCA CBI Responsibilities
-31-
October 20,2003
�TSCA CBI PROTECTION
3.1.4
MANUAL
Document Accountability
Employees are accountable for all TSCA CBI received from a DC0 or other TSCA
CBI-authorized employee, printed from the TSCA CBI LAN, or recorded on magnetic,
optical, or other storage medium.
3.1.5
TSCA CBI Procedure Accountability
Employees are required to adhere to the procedures established by management and their
DC0 for protecting and handling TSCA CBI to prevent disclosure to anyone not authorized
under TSCA Section 14 for access to CBI.
3.1.6
Return TSCA CBI Document
Employees are permitted to log out TSCA CBI documents from their DC0 and to keep the
documents in an approved storage container as defined in Section 4.3.3, or approved SSA
as defined in Section 4.3.1, for up to a year. Employees must return TSCA CBI to the DC0
as soon as the material is no longer needed.
Any material kept longer than a year is considered overdue; the DC0 will notify the
employee responsible. Materials that are not returned to the DC0 within 14 days of
notification are presumed to be unaccounted for. The DC0 must notify his/her division
director of unaccounted for materials, pursuant to the procedures in CHAPTER 5. If the
employee does not return overdue materials to the DC0 within 14 days of notification, the
employee’s access to TSCA CBI may be suspended. Once the documents at issue are
returned or accounted for, CBI access will be restored.
3.1.7
Determination
of TSCA CBI
It is an employee’s responsibility to decide if an existing document submitted to the Agency,
or a document newly created by the employee, contains TSCA CBI. An employee who is
unable to determine if a document is CBI should consult with his/her supervisor or DCO.
If the issue remains unresolved, the employee should consult the chief of the IMD Records
and Dockets Management Branch (RDMB), or equivalent.
Chapter 3: TSCA CBI Responsibilities
-32-
October 20,2003
�TSCA CBI PROTECTION
3.1.8
MANUAL
Receipt of Possible CBI
If an employee receives materials (labeled or unlabeled CBI) via mail or other means which
appear to be TSCA CBI, he/she must immediately take those materials to the DC0 for
assessment and, if warranted, entry into the Document Tracking System (DTS). [See Section
4.1.11.
32.
MANAGER
RESPONSIBILITIES
Program and office managers must continually ensure the following:
0
Adequate personnel are available to carry out the DC0
responsibilities under the manager’s supervision
and ADCO
0
Proper physical control measures are implemented in areas where TSCA CBI
is maintained and tracked
.
Subordinate POs, DOPOs, and WAMs follow TSCA CBI security procedures
while administering contracts
l
Quarterly meetings are held with contractor POs to ensure that contractor
employees are following TSCA CBI security procedures
0
Employees under their supervision who require TSCA CBI access maintain
current certification.
3.2.1
Assigning a DC0 and ADCO
The EPA manager (or Project Officer for the contractor DC0 - see 2.2.5), is responsible for
nominating two employees to act as the DC0 and alternate DCO, respectively. The manager
(or Project Officer) must submit this nomination to the OPPT DCO. The nomination,
submitted in writing, must include each nominee’s name, telephone number, e-mail address,
fax number, and mailing address. The contractor DC0 must be in place before the contractor
is allowed access to TSCA CBI.
Chapter 3: TSCA CBI Responsibilities
-33-
October 20,2003
�TSCA CBI PROTECTION
33.
MANUAL
DC0 RESPONSIBILITIES
DCOs manage their facilities’ Document Tracking Systems (DTS) and oversee the receipt,
storage, transfer, and use of TSCA CBI by employees in their facilities.
3.3.1
DCOs and Alternate
DCOs
All facilities authorized for TSCA CBI access must have at least one DC0 and an ADCO;
other ADCOs may be assigned.
DCOs and Alternate DCOs must be approved by the OPPT DC0 before transfer of CBI to
any facility. In addition, the OPPT DC0 is responsible for providing guidance to all DCOs
and ADCOs on appropriate document handling procedures.
3.3.2
Maintaining
mm
a Document
Tracking
System
The DC0 is responsible for implementing and maintaining a Document Tracking System
for his/her respective facility, to track the receipt, use, and transfer of TSCA CBI. All TSCA
CBI submitted to EPA, and any produced by federal and contractor employees (except as
described in Section 4.4), are monitored through a facility DTS (See Section 4.2 on the
requirements for a DTS).
3.3.3
Transfer
of TSCA CBI
A DC0 must approve the transfer of TSCA CBI to a federal or contractor facility according
to procedures in CHAPTER 4. In order to transfer a copy of a TSCA CBI submission to a
requesting submitter, the submitter must provide to EPA a letter on corporate stationery
which is signed by a designated corporate official indicating the person authorized to receive
the copy (unless a designated representative is already on file). This letter should be
submitted to the OPPT DCO.
The DC0 may send TSCA CBI by courier or certified mail (with return receipt) in
accordance with procedures in CHAPTER 4 of this manual. The DC0 must notify the
receiving DC0 before sending the TSCA CBI.
Chapter 3: TSCA CBI Responsibilities
-34-
October 20,2003
�TSCA Cl31 PROTECTION
3.3.4
MANUAL
Receiving TSCA CBI
The receiving DC0 must review incoming TSCA CBI for completeness. If the documents
appear incomplete, the DC0 must immediately contact the submitter to determine if there
was an omission. If the materials appear to be complete, the DC0 will do the following:
1.
Stamp the document as TSCA CBI (see APPENDIX T). The stamp is applied
to the front page, and the blank back page (if not blank, the blank back cover).
2.
Assign a DCN, if one has not already been assigned.
3.
Attach a TSCA CBI cover sheet (see APPENDIX
U) to the front of the
document. The DC0 must write the DCN on the cover sheet and first page of
the document unless the document is transferred to the CBIC.
3.3.5
Proper Storage of TSCA CBI
DCOs are responsible for ensuring that employees at their facilities are storing documents
properly. [Procedures on storing TSCA CBI can be found in Section a.
If an employee who works in an SSA will be out of the office for more than 7 calendar days,
all TSCA CBI in his/her possession must be locked away in an approved TSCA CBI storage
container. If the employee is unable to do this due to illness or other reason, the employee’s
supervisor or DC0 will ensure the materials are stored in accordance with procedure. [See,
specifically, Section 4.3.4, Employee Absence and Storage of TSCA CBZand Section 4.3.1.8,
Using TSCA CBZ outside an SSA].
The DC0 supervises the storage of TSCA CBI in secure storage containers or in a
centralized secure TSCA CBI storage area (Section 4.3). The responsibilities of the DC0
and employee apply to CBI stored on paper or in digital form on magnetic disks, optical
disks, or other medium. One exception to this requirement is when an employee’s duties
require that he/she be assigned individual responsibility for a specific secure storage
container within an office (such as a Mosler safe or bar lock cabinet).
3.3.6
Records of Lock-Combinations
DCOs and other designated persons have the following responsibilities in maintaining
records of lock combinations for rooms and containers in which TSCA CBI is stored:
.
DCOs must maintain a list of combinations for TSCA CBI storage containers
and rooms controlled by a particular division, facility, program, or office
Chapter 3: TSCA CBI Responsibilities
-35
October 20,2003
�TSCA CBI PROTECTION
MANUAL
.
The OPPT DC0 must maintain a list of combinations for containers and rooms
assigned to IMD, and for all containers and rooms in OPPT not under any
specific division’s control
.
Facilities Management Services Division must maintain a master list of
combinations for all TSCA CBI locks at EPA Headquarters.
Conditions
3.3.7
For Changing
Lock Combinations
The DC0 is required to change lock combinations annually or if any of the following occurs:
.
Each time a person who knows a combination relinquishes his/her TSCA CBI
access authority
.
When
.
If there is a known or possible compromise of TSCA CBI data in the storage
container.
a storage container is put into, or taken out of operation
If any of the above three events occur, DCOs at EPA Headquarters must notify FMSD, which
is responsible for changing the lock combinations.
3.3.8
Updating The TSCA CBI Authorized
Access List
Each DC0 bears responsibility for keeping the TSCA CBI Authorized Access List current.
By the 15th of each month DCOs must notify the OPPT DC0 of any for whom they are
responsible who should be added to or deleted from the list.
3.3.9
Monitoring
And Controlling
TSCA CBI
Release of
DC0 steps for providing TSCA CBI are described below:
.
The DC0 receives a request from an employee for a specific TSCA CBI
document.
.
The DC0 locates the document and notifies the requesting employee.
Chapter 3: TSCA CBI Responsibilities
-36-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
.
When the employee is ready to receive the document, the DC0 verifies the
requesting employee’s TSCA CBI certification by checking the TSCA CBI
Authorized Access List.
.
The DC0 logs the document out to the employee using an automated or
manual document Inventory Log. See APPENDIX V.
3.3.10
Overdue Materials:
Notification
Monitoring
And
The DC0 monitors TSCA CBI, and notifies employees and supervisors when it becomes
overdue. DCOs must monitor the Inventory Log for TSCA CBI materials which have not
been returned within the required one-year period. The DC0 will notify employees and
their supervisors of overdue materials by distributing to each a list of all TSCA CBI
documents logged out to the employee before the annual security briefing and TSCA CBI recertification are accomplished. Any material kept longer than a year is considered overdue;
the DC0 will notify the employee responsible. Materials that are not returned to the DC0
within 5 days of notification are presumed unaccounted for. The DC0 must notify his/her
division director of unaccounted-for materials pursuant to the procedures in CJ3APTER 5.
If the employee does not return overdue materials to the DC0 within 14 days of notification,
the employee’s access to TSCA CBI may be suspended. Once the documents at issue are
returned or accounted for, CBI access will be restored. [See also sections 3.1.6 Return 7’SCA
CBI Documents, and 2.1.3 Suspension of Log-out Privileges].
In general, TSCA CBI may not be logged out from a centralized TSCA CBI storage facility
for more than one year without renewal. Exceptions to this rule include the following:
.
Regional DCOs may receive documents as permanent log-outs
.
Contractor DCOs may receive documents as permanent logouts through the
end of their contract
.
The OPPT DC0 in certain circumstances may grant permanent log-out status
to other DC0 collections on an as-needed basis.
Chapter 3: TSCA CBI Responsibilities
-37-
October 20,2003
�TSCA CBI PROTECTION
3.3.11
MANUAL
DC0 Guidance In Identifying
Sanitizing CBI Documents
And
The DC0 assists employees in determining whether documents contain TSCA CBI and in
sanitizing documents for public disclosure.
The responsibility for determining whether documents contain TSCA CBI rests with the
document’s originator (see Section 4.1). Employees who are unable to determine if
something is confidential should consult with their supervisor or DCO. If the issue remains
unresolved, the employee should consult the chief of IMD RDMB. The DC0 also instructs
document originators on how to sanitize a TSCA CBI document if the document is going to
be released to the public.
The DC0 controls and documents the reproduction and destruction of TSCA CBI. TSCA
CBI (except for working papers as discussed in CHAPTER 4) are reproduced or destroyed
only by a DC0 or ADCO. Specific procedures for reproduction and destruction are set forth
in CHAPTER 4.
3.3.12
TSCA CBI Audits
The following section describes the requirements to audit TSCA CBI for federal and
contractor entities:
3.3.12.1
Federal DCOs And The Cortfidential
&formation Center (CBIC,
Business
[NOTE: This section applies to all Federal TSCA CBI collections and the CBIC, which is managed
under contract by the OPPT DCO.]
3.3.12.1(a)
Comprehensive Audits of Entire
Collection
By April 1,2004, each DC0 must conduct an audit of all TSCA CBI in the
DCO’s collection as of December 3 1, 2003. This step must be performed
every fourth year subsequent to the completion of the first comprehensive
audit. For the intervening years, an annual transaction audit shall be conducted
as outlined in Section 3.3.12.1(b). As an example, the next comprehensive
audit would be conducted by April 1, 2007 for all TSCA CBI in the DCO’s
Chapter 3: TSCA CBI Responsibilities
-38-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
collection as of December 31,2006.
Each DC0 must take the following
CBI audit:
steps in performing the comprehensive
1)
Audit all CBI documents in the Receipt Log or equivalent automated
tracking system, comparing the physical document collection with the
information in the log or tracking system.
2)
Reconcile the TSCA CBI documents in the Receipt Log with the
transactions listed in the Inventory Log (e.g., shred, transferred, logged
out, declassified) .
3)
Locate any documents logged out for more than 1 year.
4)
Verify the status of documents indicated in the Inventory Log or
tracking system as having been shredded. The TSCA CBI cover sheet
must be used to verify that CBI documents have been destroyed.
[NOTE: TSCA CBI cover sheets must be retained until the next
comprehensive audit cycle is complete.]
5)
Certify that the tracking system has been updated to reflect the results
of the audit.
Prior to April 1,2004, and for every fourth year thereafter, the DC0 must
submit a final report to his/her supervisor or contract manager. This report
must contain, at a minimum:
.
Description of the audit methodology
.
Total number of documents audited
.
Description of any documents not located
.
The tracking number (document control number) of any documents not
located
The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DC0 and TSS. If any TSCA CBI documents cannot be located
during the audit, the DC0 must follow the procedures outlined in CHAPTER
3 for reporting potential violations.
Chapter 3: TSCA CBI Responsibilities
-39-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
3.3.12. I(b)
Transaction Audits
Before April 1 of each year for which a comprehensive audit (as described in
m
is not required, each DC0 must conduct an annual audit of TSCA
CBI in the DCO’s collection that consists of:
1)
All documents initially received by the DC0 between January 1 and
December 31 of the previous calendar year.
2)
All documents that were logged out and then returned to the DC0
between January 1 and December 31 of the previous calendar year.
Each DC0 must also:
3)
Locate any documents logged out for more than 1 year
4)
Verify the status of documents indicated in the tracking system or
Inventory Log as shredded. The TSCA CBI cover sheet must be used
to verify that CBI documents have been destroyed. [NOTE: TSCA CBI
cover sheets must be retained until the next comprehensive audit cycle
is complete.]
5)
Certify that the tracking system has been updated to reflect the results
of the audit.
Prior to April 1, the DC0 must submit a final report to his/her supervisor or
contract manager. This report must contain, at minimum:
.
Description of the audit methodology
.
Total number of documents audited
.
Description of any documents not located
.
The tracking number (document control number) of any documents not
located
The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DC0 and TSS. If any TSCA CBI documents cannot be located
during the audit, the DC0 must follow the procedures outlined in CHAPTER
5 for reporting potential violations.
Chapter 3: TSCA CBI Responsibilities
-4o-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
3.3.12.1 (c)
DC0 Transition Audits
This procedure must be followed when DCOs terminate their employment or
relinquish DC0 responsibilities.
The outgoing DC0 must perform the
following steps prior to transferring any TSCA CBI to a new DCO:
1)
Audit all CBI documents in the Receipt Log or equivalent automated
tracking system, comparing the physical document collection with the
information in the log or tracking system.
2)
Reconcile the TSCA CBI documents in the Receipt Log with the
transactions listed in the Inventory Log (e.g., shredded, transferred,
logged out, declassified).
3)
Locate any documents logged out for more than 1 year.
4)
Verify the status of documents indicated in the Inventory Log or
tracking system as shredded. The TSCA CBI cover sheet must be used
to verify that CBI records have been destroyed. [NOTE: TSCA CBI
cover sheets must be retained until the next comprehensive audit cycle
is complete.]
5)
Certify that the tracking system has been updated to reflect the results
of the audit.
Prior to transferring the collection to the incoming DCO, the outgoing
DC0 must submit a final report to his/her supervisor or contract manager.
This report must contain, at a minimum:
.
Description of the audit methodology
.
Total number of documents audited
.
Description of any documents not located
.
The tracking number (document control number) of any documents not
located
The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DC0 and TSS. If any TSCA CBI documents cannot be located
during the audit, the incoming DC0 must follow the procedures outlined in
CHAPTER 5 for reporting potential violations.
Chapter 3: TSCA CBI Responsibilities
-41-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
3.3.12.2 Contractor DCOs
[NOTE: This section applies to all contractor TSCA CBI collections.]
3.3.12.2(a)
Comprehensive Audits of Entire
Collection
By April 1,2004, each contractor DC0 must conduct an audit of all TSCA
CBI in the DCO’s collection a’s of December 31,2003. This comprehensive
audit shall be conducted for each year thereafter for all TSCA CBI in the
DCO’s collection as of December 31 of the previous year.
The DC0 must take the following
steps in performing the CBI audit:
1)
Audit all CBI documents in the Receipt Log or equivalent tracking
system, comparing the physical document collection with the
information in the log or tracking system.
2)
Reconcile the TSCA CBI documents in the Receipt Log with the
transactions listed in the Inventory Log (e.g., shredded, transferred,
logged out, declassified).
3)
Locate any documents logged out for more than 1 year.
4)
Verify the status of documents indicated in the Inventory Log or
tracking system as shred. The TSCA CBI cover sheet must be used to
verify that CBI documents have been destroyed. [NOTE: TSCA CBI
cover sheets must be retained until the next comprehensive audit cycle
is complete.]
5)
Certify that the tracking system has been updated to reflect the results
of the audit.
Prior to April 1, the DC0 must submit a final report to his/her supervisor or
contract manager. This report must contain, at a minimum:
.
Description of the audit methodology
.
Total number of documents audited
.
Description of any documents not located
Chapter 3: TSCA CBI Responsibilities
-42-
October 20,2003
�TSCA CBI PROTECTION
.
MANUAL
The tracking number (document control number) of any documents not
located
The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DC0 and TSS. If any TSCA CBI documents cannot be located
during the audit, the incoming DC0 must follow the procedures outlined in
CHAPTER 5 for reporting potential violations.
3.3.12.2(b)
Contract closeout Audits
Prior to contract closeout, the contractor DC0 must perform a comprehensive
audit of all TSCA CBI in the DCO’s collection. The contractor DC0 must
take the following steps in performing the CBI Audit:
1)
Audit all CBI documents in the Receipt Log or equivalent tracking
system, comparing the physical document collection with the
information in the log or tracking system.
2.
Reconcile the TSCA CBI documents in the Receipt Log with the
transactions listed in the Inventory Log (e.g., shredded, transferred,
logged out, declassified).
3)
Locate any documents logged out for more than 1 year.
4)
Verify the status of documents indicated in the Inventory Log or
tracking system as ‘shredded’. The TSCA CBI cover sheet must be
used to verify that CBI documents have been destroyed.
[NOTE: TSCA CBI cover sheets must be retained until the next
comprehensive audit cycle is complete.]
5)
Certify that the tracking system has been updated to reflect the results
of the audit.
Two weeks prior to contract closeout, the DC0 must submit a final report
to his/her supervisor or contract manager. This report must contain, at a
minimum:
Chapter 3: TSCA CBI Responsibilities
-43-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
.
Description of the audit methodology
.
Total number of documents audited
.
Description of any documents not located
.
The tracking number (document control number) of any documents not
located
The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DC0 and TSS. If any TSCA CBI documents cannot be located
during the audit, the DC0 must follow the procedures outlined in CHAPTER
5 for reporting potential violations.
3.3.13
Termination
DC0
Of Employment
Or Status For
The following procedures must be followed when a DC0 terminates his/her employment, or
relinquishes DC0 responsibilities. They are the same for those of a DC0 at EPA
Headquarters, regional offices, other federal agencies, and contractor facilities.
At termination of employment or DC0 status, TSCA CBI under a DCO’s authority must be
inventoried. The outgoing DC0 and the incoming DC0 must jointly perform an inventory
of TSCA CBI in the outgoing DCO’s collection of records. Both parties must confirm the
inventory before the outgoing DC0 departs. The incoming DC0 should retain a copy of the
inventory for audit purposes and forward a copy to the OPPT DCO.
NOTE:
34.
The CBIC DC0 is not required to perform a collection audit if the
contractor operating the Center does not change.
EAD AND IMD ANNUAL
REVIEW
On an annual basis, the Office of Pollution Prevention and Toxics Information Management
Division (IMD) and the Environmental Assistance Division (EAD) will report on state of the
security of TSCA CBI.
The report will summarize security activities, training, and issues that may have arisen over
the preceding twelve months, including violations and vulnerabilities.
Consistent with EAD’s TSCA Security Staff (TSS) charge, the EAD portion will summarize
Chapter 3: TSCA CBI Responsibilities
-44
October 20,2003
�TSCA CBI PROTECTION
MANUAL
violations, the overall state of security procedures and practices, vulnerabilities, and security
activities. IMD will describe policy issues, training, future needs and other related matters.
This report will be sent to the director of OPPT by January 31st of each calendar year. To
create this report, in addition to reviewing reports and other generated materials, IMD and
EAD will interview representatives of the major users of TSCA CBI for information on the
state of TSCA security, policy and procedural issues (including opportunities for security
improvements).
Chapter 3: TSCA CBI Responsibilities
-45
October 20,2003
�TSCA CBI PROTECTION
MANUAL
This page intentionally
Chapter 3: TSCA CBI Responsibilities
-46-
left blank
October 20,2003
�TSCA CBI PROTECTION
MANUAL
CHAPTER 4
TSCA CBI Document Management
INTRODUCTION
40.
DCOs are vital to the effective management of TSCA CBI documents. DCOs manage their
facilities’ DTSs (Document Tracking Systems) and oversee the receipt, storage, transfer, and
use of TSCA CBI by employees in their facilities.
RECEIPT
41.
OF TSCA CBI
TSCA CBI submitters should be directed to send incoming TSCA CBI to a DC0 only.
TSCA CBI sent between organizations must be sent from one DC0 to another DCO.
4.1.1
Incoming
TSCA CBI
While TSCA CBI sent to OPPT (e.g., by U.S. mail, courier, or fax transmission) may be
addressed to either an EPA or contractor DCO, preferably it would be addressed to the
Confidential Business Information Center (CBIC). In either case, TSCA CBI must be
received in accordance with the requirements of this Manual. TSCA CBI sent or otherwise
misdirected to other Agency personnel should be taken immediately, to the extent
practicable, to a DC0 for tracking. Practical reasons may extend the time for delivering the
misdirected item to the CBIC for up to 3 business days. However, the documents must be
provided to the CBIC as soon as possible for incorporation into the Agency’s official file.
In the case of TSCA CBI mailed from one DC0 to another, a receipt must be sent back to
the sending DC0 identifying the contents of the package. The recipient DC0 must sign the
receipt of contents and return the original to the sender within 5 business days and maintain
a copy of the receipt for his/her files. The receipt of contents must include the following
information:
.
DCN
Description of the CBI
.
Name and signature of the sending DC0 and the date sent.
.
Name and signature of the receiving DC0 and the date received.
l
Chapter 4: TSCA CBI Document Management
-47-
October 20,2003
�TSCA CBI PROTECTION
4.1.2
MANUAL
Personal File Copies - New Chemicals
Program (OPPT-CCD)
New Chemicals Program (NCP) staff in the OPPT Chemical Control Division (CCD) may
make and keep personal file copies of documents sent by submitters to the CCD DC0 before
the documents go to the CBIC. The CCD DC0 will maintain a log which will track all
copies made and distributed with an assigned number for each copy. When each copy is no
longer needed, the document will be shred under the supervision of the CCD DCO, who will
ensure proper logging of the shredded data.
4.1.3
Supplemental Filings - New Chemicals
Program (OPPT-CCD)
NCP staff in OPPT CCD may scan supplemental documents sent by submitters to the CCD
DCO, and place them on the TSCA CBI LAN for distribution in ‘read-only’ format before
the documents go to the CBIC within the timeframe specified in section 4.1.1 above. When
review is complete, the CCD DC0 will ensure the scanned documents are deleted from the
TSCA CBI LAN.
(NOTE: As indicated, the paragraph above refers only to supplemental information
submissions. Initial filings are not to be directed to the CCD DCO, but rather processed
through the CBIC. }
4.1.4
Processing Newly Received TSCA CBI
(applies to all DCOs and the CBIC)
The procedure below must be followed when receiving TSCA CBI [see also, generally,
Section 4.6.1on transferring TSCA CBI]:
.
The receiving DC0 should be notified in advance of what CBI is being sent.
.
Review and Acceptance:
Upon receipt of a document, the receiving DC0 must complete the following
steps:
(9
(ii)
Review any Transfer Slip to ensure that all listed information is
included.
Log the document into the Receipt Log. See APPENDIX
W.
Chapter 4: TSCA CBI Document Management
-48-
October 20,2003
�TSCA CBI PROTECTION
.
MANUAL
stamp:
A federal or contractor employee who creates a documen&s responsible for
stamping the document as TSCA CBI (when the document contains
information claimed as TSCA CBI)!&
non-CBI (as appropriate)${(see
APPENDIX
T for examples of each type of stamp). The stamp is applied to
the front page and the blank back page (if there is no blank page, then a blank
back cover). If a document appears as though it may contain CBI, treat it as
CBI until its status can be verified with the author.
.
Cover Sheets:
All TSCA CBI documents must have a cover sheet, Form 7740-9 (see
APPENDIX
U), that adheres to the following guidelines:
0)
The cover sheet must be green, clearly signifying that the
attached document contains TSCA CBI, and be attached to the
front of the document.
(ii)
The DCN (written or bar code) and the date must appear on both
the cover sheet and the first page of the document.
(iii)
.
The originator’s DC0 must complete the cover sheet.
DCN Assignment:
The Headquarters DCN should be used (or cross-referenced to any regional
DCN assigned).
.
Notification:
Notify the OPPT DCO, or other TSCA CBI cleared addressee(s), of the TSCA
CBI submission’s availability for review and/or pickup.
4.1.4.1
CBI Fax Transmission From Industry
When an external submitter wants to send TSCA CBI via fax transmission, he/she
must be notified that EPA cannot guarantee the confidentiality of the transmission.
The recipient of the transmission must:
.
Notify the sender that EPA’s transmission lines are not secure and that no
encryption equipment will be used to scramble the transmission.
Chapter 4: TSCA CBI Document Management
-49-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
.
Remain by the fax machine until the transmission is complete, if the receiving
fax machine is outside an SSA.
.
Notify the sender of a successful fax transmission.
.
Provide the fax to the DC0 for entry into the tracking system immediately
upon receipt.
4.1.5
TSCA CBI Claims:iThat Appear
Unwarranted
Any employee who discovers a TSCA CBI claim which appears@mwarranted~ may exercise
independent discretion in choosing whether to refer the matter to IMD, or take any action at
all (including contacting the submitter directly). Employees should follow the guidance in
Appendix EE.
42.
DOCUMENT
TRACKING
(DTS) REQUIREMENTS
DCOs must ensure the following
SYSTEM
regarding use of a Document Tracking System (DTS):
.
All manual or automated document logs are properly maintained, updated, and
stored securely
.
DCNs or unique alphanumeric identifiers are assigned to documents
.
Proper procedures are followed when accessing TSCA CBI.
4.2.1
Use of an Automated
System (DTS)
Document Tracking
Use of a DTS is mandatory. The IMD Director has approved several automated DTSs.
Contact the OPPT DC0 for additional information about these DTSs.
EPA strongly recommends an automated DTS for a DC0 who oversees a high volume of
documents and transactions. An automated DTS allows the DC0 to track a document’s
movement from the time it is assigned a DCN, or is received at EPA, until the time it is
destroyed or transferred to another TSCA CBI-cleared facility.
Chapter 4: TSCA CBI Document Management
-5O-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
At EPA Headquarters, the OPPT DC0 uses CBITS, an automated DTS, to track TSCA CBI
documents. An automated DTS has the following required and optional characteristics:
.
.
.
.
4.2.2
Required:
Backup of automated DTSs: When an automated DTS is used, the DC0 must
back up the TSCA CBI on the DTS at the end of each day, if data are added
or deleted. The backup media contain TSCA CBI data and must be protected
as such.
Record maintenance: Any manual document logs that are converted by an
automated DTS must be retained until an audit by TSS verifies the accuracy
of the conversion.
Optional:
Machine-readable bar codes: CBITS uses machine-readable barcodes to track
TSCA CBI documents. The bar code is affixed to each TSCA CBI document
controlled through the CBIC. Bar codes are also affixed to the electronic entry
ID cards of employees using TSCA CBI. The OPPT DC0 uses these bar
codes to verify, through CBITS, that employees are on the TSCA CBI
Authorized Access List. The OPPT DC0 also uses these bar codes to produce
Annual Audit Certification Reports for employees’ completion.
Secure off-site duplicate records: EPA also recommends securing a duplicate
set of media DTS off-site to allow for recovery of documents logged out, in
the event that a natural disaster such as a flood or fire occurs. Contact the
OPPT DC0 and TSS for assistance in establishing a disaster recovery program
for your records.
Use of a Manual
System (DTS)
Document
Tracking
Manual systems may be used to record CBI transactions for small CBI collections. However,
automated databases allow a greater degree of flexibility and search capabilities. The
following forms establish the tracking and control requirements for TSCA CBI:
.
EPA Form
Information.
.
EPA Form 7740-l 1: Inventory
Information.
7740-10:
Chapter 4: TSCA CBI Document Management
Receipt Log for TSCA
-51-
Log for TSCA
Confidential
Business
Confidential
Business
October 20,2003
�TSCA CBI PROTECTION
.
MANUAL
EPA Form 7740.24: Federal Agency, Congress, and Federal Court Sign-Out
Log.
[See APPENDIX
4.2.2.1
W, V, and S, respectively for copies of these forms.]
Receipt Log
A Receipt Log is used to record the receipt of all incoming CBI documents into the
DCO’s domain.
Each document received by a DC0 must be recorded in an automated or manual
receipt log (APPENDIX
W). The DC0 must record the following information in the
Receipt Log:
.
DCN; if a DCN has not been assigned, the copy number assigned by the
DC0 should be recorded.
.
Date on which the document was received by the DCO.
.
Submitter’s name (if the document was received directly from the
submitter), the author’s name (if the document was generated by a
federal or contractor employee), or the facility DCO’s name (if the
document was received from another facility authorized for TSCA CBI
access).
.
Number of pages contained in the document.
.
Brief description of the document. For example, “an engineering report
on PMN-Y,” or “letter from company X on PMN-W”).
4.2.2.2
Inventory Log
An Inventory Log is used to log documents in or out to employees or contractors of
EPA. It is the official record of all in/out transactions of CBI documents in the
DCO’s jurisdiction and is used to record the final disposition of these documents (e.g.,
permanent transfer, shredding).
DCOs may develop their own tracking and logging forms as long as they contain, at
a minimum, the information outlined in Section 4.2.2 above.
Each DC0 must maintain an inventory log, Form 7740- 11 (see APPENDIX
Chapter 4: TSCA CBI Document Management
-52-
V), for
October 20,2003
�TSCA CBI PROTECTION
MANUAL
TSCA CBI transactions at his/her facility.
following information:
43.
The inventory log must contain the
.
DCN.
.
Dates on which a document is logged out from, and returned to, the
DCO.
.
Identity of the individual logging out the document.
.
If the document is to be destroyed, the entry in the disposition block of
the log must include the date of destruction and the identity of the
person who will destroy it.
.
If the requesting employee plans to transfer the document outside the
DCO’s jurisdiction, the disposition block of the log must include the
date and destination of the transfer.
STORING TSCA CBI
4.3.1
Secure Storage Areas (SSAs)
Secure Storage Areas (SSAs) are spaces that meet the security requirements identified below
and are used as TSCA CBI work and storage areas. Division directors can request that SSAs
be designated; the SSAs must be approved by the IMD Director. After approval, the IMD
Director will request that TSS inspect the SSAs for adherence to the following security
requirements:
.
Pin-tumbler door lock or equivalent
.
A monitored intrusion alarm, OR
.
Either an electronic entry ID card system or a changeable push-button door
lock.
Chapter 4: TSCA CBI Document Management
-53-
October 20,2003
�TSCA CBI PROTECTION
4.3.1.1
MANUAL
Entering An SSA With An Electronic Access
Card (EAC)
Electronic ID card holders are required to present their cards to the reader the first
time they enter a specific SSA each day, even if entering with a group of card holders.
Thereafter, they would not need to use their card (for example, when leaving and reentering the SSA to use the restroom, go to lunch, etc.) if they should re-enter the SSA
with another person who opens the door.
Employees are not permitted to loan their entry cards to other employees.
4.3.1.2
Entering an SSA Without An Electronic
Access Card
Federal and contractor employees entering an SSA who do not have their entry cards
are required to sign a Visitor’s Log, Form 7740-13(see APPENDIX
X), upon initial
entry. Employees may obtain a temporary card from their DCO. If the card has been
lost, the loss must be reported to the OPPT DC0 who will provide paperwork for the
re-issuance of a new card and the deactivation of the lost card.
4.3.1.3
Entering An SSA With Suspended or
Terminated Cert@cation
A federal employee whose certification has been suspended, yet who still has an
official need for access to TSCA CBI, may continue to enter SSAs and view TSCA
CBI but will be prohibited from logging out documents until certification has been
renewed. A federal employee whose certification has been terminated may not enter
an SSA, and must again pass initial certification, not recertification, in order to again
enter an SSA and view TSCA CBI. [See X1.2.11
4.3.1.4
Grantees And Interns In SSAs
At EPA Headquarters, certain persons, such as grantees (e.g., NOWCC employees)
and some interns, may work within SSAs but are prohibited from having access to
TSCA CBI. They must, nevertheless, complete the certification process.
Grantees and approved interns must be “supervised’ or “monitored” within an SSA
by following these guidelines:
Chapter 4: TSCA CBI Document Management
-54-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
A grantee or intern:
.
Cannot deliver, locate, file, copy, type or otherwise handle or view TSCA CBI.
.
Cannot be the first employee to arrive or the last employee to leave an SSA
and must never be the only person in an SSA.
.
Cannot have any conversations with company representatives
information that has been claimed, or may be claimed, TSCA CBI.
about
Visitors In SSAs
Visitors to SSAs who do not have TSCA CBI certification must sign the Visitor’s Log
the first time each day they enter and re-enter the SSA and must be escorted while
they are within the area.
Custodian, Maintenance
Persons in SSAs
and Delivery
Custodial, maintenance, mail, and other delivery personnel who routinely and
frequently enter an SSA, and who are known generally to EPA staff, may be
supervised while conducting their regular business. Such persons who are not known
to EPA staff, however, must be escorted.
4.3.1.7
DCOs And SSAs
In general, DCOs are responsible for monitoring activities within SSAs and ensuring
adherence of requirements set forth in this manual. DCOs have the following
responsibilities:
.
Maintain Visitor’s Log entries for one year
.
Safeguard lock combinations and disclose combinations only to authorized
individuals
.
Ensure that lock combinations are changed annually, or whenever anyone
possessing a combination terminates her/his access, or the combination is
otherwise compromised. At EPA Headquarters, DCOs should request a
combination change from the FMSD in the Office of Administration and
Resources Management (OARM).
Chapter 4: TSCA CBI Document Management
-55-
October 20,2003
�TSCA CBI PROTECTION
4.3.1.8
MANUAL
Using TSCA CBI outside an SSA
Employees who are using TSCA CBI documents outside SSAs must retain possession
of them, and never leave the documents anywhere that unauthorized persons may gain
access to them. When a TSCA CBI document is not in use it must be locked up by
the employee in an approved storage container.
4.3.2
The following
Required
Storage Containers
are approved storage containers for TSCA CBI:
.
Metal file cabinets with locking bars and three-way changeable combination
locks
.
GSA-approved Class 6 security containers (safes), or
.
Other secure storage containers, as approved by the IMD
consultation with TSS, on a case-by-case basis.
Director in
A storage container may be used by more than one person to store TSCA CBI, provided each
person is certified for access to TSCA CBI and has separately labeled his/her respective
space within the container. The employee must affix a magnetic “Open”/“Close” sign to
each container so that the status of the security container is visible at all times.
4.3.3
Storing TSCA CBI At Other Locations
TSCA CBI may be stored at locations other than an SSA with certain restrictions:
.
Contractor sites must be inspected and approved by TSS before TSCA CBI
may be transferred to the site (see Section 2.2.1).
.
If traveling with TSCA CBI, it must be kept in the employee’s possession, in
a hotel safe, or with the host DCO. TSCA CBI may be stored at home, if TSS
has approved the employee’s plan for using TSCA CBI at his/her personal
residence.
Chapter 4: TSCA CBI Document Management
-56-
October 20,2003
�TSCA CBI PROTECTION
4.3.3.1
MANUAL
Storing TSCA CBI While Traveling
It is sometimes necessary for a federal or contractor employee authorized for TSCA
CBI access to carry TSCA CBI while traveling on official business. If it is
impractical to return to work to pick up the materials before departure or to drop them
off after returning, the employee may obtain permission from his/her supervisor to
take the materials home for a defined, limited period and protect them in a reasonable
manner under the circumstances. This permission is related only to the storage of CBI
at home when traveling - not for permission to use CBI at home under such
circumstances as flexiplace, etc.
While traveling by plane or other public conveyance, employees must keep TSCA
CBI in their possession and may not check it with their luggage. The following
security measures apply:
.
Car trunk storage. If the employee is traveling by car, he/she should store
TSCA CBI locked in the trunk while en route. TSCA CBI must never be left
in a car overnight.
.
Hotel safe storage. TSCA CBI may be stored overnight in hotel safes, if a
receipt is obtained from the hotel management. If no receipt is available, the
employee must keep the TSCA CBI in his/her possession.
.
Host DC0 storage. Even if the traveler does not intend to transfer possession
of the TSCA CBI, he/she may temporarily store the materials with the DC0
at the location he/she is visiting.
4.3.3.2
Storing and Working with TSCA CBI in a
Personal Residence
Normally, employees are not permitted to take TSCA CBI to their homes. Under
special circumstances, such as recuperation from a long-term illness or under an
approved flexiplace work arrangement, the IMD Director may grant permission for
an EPA employee to use TSCA CBI at home.
Excentional Circumstances: Home use of TSCA CBI is an exception and should be
permitted only on a case-by-case basis when circumstances warrant, and when doing
so serves the best interests of the Agency and promotes its mission. These criteria are
developed as interim requirements to be adhered to in those exceptional situations
when TSCA CBI may be brought to, worked on and kept at the private residence of
an EPA employee.
Chapter 4: TSCA CBI Document Management
-57-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
IMD Director Approval: In every case where home use is requested, the IMD
Director or designee must first review the circumstances and the employee’s plan for
home use of TSCA CBI before approving the arrangement.
Adherence to all Requirements: The procedures and requirements listed in this TSCA
CBI Protection Manual must be followed prior to the transfer of any TSCA@BI to
an employee’s residence.
These procedures and requirements include:
a. Review and approval of a plan for keeping and protecting TSCA CBI;
b. Provision of an approved TSCA CBI container (see below); and
c. Completion of a satisfactory site inspection by the TSCA Security Staff
(TSS).
Use Of TSCA CBI at Home Only When Necessarv: An employee being granted
permission to use and maintain TSCA CBI at home may only do so when it is
absolutely necessary for the satisfactory performance of his/her job. Stay at home or
flexiplace employees granted this permission are strongly encouraged to the greatest
extent feasible to make maximum use of sanitized, or non-TSCA CBI, documents.
In addition, employees should refrain from unnecessary long term home storage of
large volumes of TSCA CBI documents; and instead should work with smaller
manageable amounts of TSCA CBI on a revolving basis where possible.
TSCA CBI Protection Manual: Any employee with permission to use and maintain
TSCA CBI at home must continue to adhere to all applicable portions of the TSCA
CBI Protection Manual.
Ouestions Regarding Home Use: Any question relating to home use and maintenance
of TSCA CBI should be addressed to the OPPT DCO.
MANDATORY
CRITERIA
FOR HOME USE:
The following are criteria for assessing the adequacy of any plan for home use of
TSCA CBI. In addition, the TSS site inspection will use these criteria in evaluating
the adequacy of the employee’s home for the use and maintenance of TSCA CBI.
1.
Employees who are using TSCA CBI in a personal residence must
never leave the documents where unauthorized persons might gain
access to or view TSCA CBI. When a TSCA CBI document in a
personal residence is not in use, the employee must place the document
in an approved storage container.
Chapter 4: TSCA CBI Document Management
-58-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
a. The following
storage containers are approved for TSCA CBI storage:
.
Metal file cabinets with locking
combination locks
.
GSA-approved Class 6 security containers (safes), or
.
Other secure storage containers, as approved by the IMD Director in
consultation with TSS, on a case by case basis.
bars and three-way changeable
b. Home use employees must affix a magnetic open/close sign to each container
so the status of the security container is visible at all times.
If the container has multiple drawers with separate combinations, each drawer
must have an open/close sign affixed to it to show the individual condition of
each drawer.
c. For each type of approved container which may be used at an employee’s
residence the combination or a spare key must be kept by each of the
employees’s Document Control Officers (DCOs).
d. The approved container used for storing TSCA CBI must be kept in a room in
the house or apartment which has a locking door and locking windows.
2. TSCA CBI may never be processed, created, or stored on computers connected to
- or capable of being connected to - the Internet, nor to any LAN not cleared for
CBI, nor on portable computers of any kind except as approved by the IMD
Director.
3. If persons not authorized for access to TSCA CBI must enter the approved room
in an employee’s house for any reason while TSCA CBI is out while being worked
on, they must be accompanied at all times by the TSCA CBI approved employee.
OPTIONAL
CRITERIA:
1. Maintaining
workroom.
an alarm system in the house and/or designated TSCA CBI
2. Keeping the approved container in a locked closet within the locked room
designated for use and storage of TSCA CBI.
3. All work on TSCA CBI performed in a room in the house or apartment which has
a locked door and locking windows.
Chapter 4: TSCA CBI Document Management
-59-
October 20,2003
�TSCA CBI PROTECTION
4.3.4
MANUAL
Employee
Absence and Storage of TSCA CBI
If an employee who works in a Secure Storage Area will be out of the workplace for more
than one week (seven calendar days), all TSCA CBI materials in his/her possession must be
locked away in an approved TSCA CBI storage container. If the employee is unable to do
this due to illness or other reason, the employee’s supervisor or DC0 will ensure the
materials are stored according to procedure. Division Directors may waive this requirement
in exceptional circumstances where not practical.
4.4
TSCA CBI DOCUMENTS
Federal employees using TSCA CBI documents and other materials frequently produce new
TSCA CBI from these sources (in the form of such documents as notes, outlines, and drafts)
or from documents printed from the TSCA CBI LAN. These works-in-progress are internal
documents that exist in paper or electronic form.
4.4.1
New CBI Documents
Except as provided in Section 4.4.2 below, newly created hardcopy CBI must be logged and
tracked by the originator, by following these steps:
l
l
l
Stamp the document as “TSCA CBI”.
(See APPENDIX
T)
Cover the document with a TSCA CBI Green Cover Sheet, and include the
originator’s name, phone number, and the date. (See APPENDIX
U)
Submit the document to the DC0 for tracking.
4.4.2
Working
Papers
New TSCA CBI documents which are “working papers” are exempt from logging procedures
as long as they remain in the possession and/or control of the originator, or in the possession
of a TSCA CBI-certified federal or contractor employee who works in an SSA or has an
approved storage container for storing the TSCA CBI when not in use.
Federal and contractor employees may make multiple copies of a working paper (the copies
themselves then being “working papers”) to distribute simultaneously to the members of a
review group, who will then comment and return the copies to the issuer. Staff must track
any transfers of these multiple copies of working papers using their own personal tracking
system.
Chapter 4: TSCA CBI Document Management
-6O-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Working papers or other such works-in-progress must be protected from unauthorized
disclosure and handled like any other TSCA CBI document. Though working papers
generated by federal employees and contractors are exempt from logging, an employee who
generates them is responsible and accountable for safeguarding those copies, and is subject
to the administrative and civil penalties described in CHAPTER 5. A green cover sheet
must be applied to every working paper if the working paper is one sheet or multiple sheets
that are clipped or stapled. (Green cover sheets may be obtained from the DC0 or
photocopied or printed on blank green paper.)
When Working Papers Become Subject to
Tracking
4.4.2.1
When a working paper becomes a final document (i.e. work on the document has been
completed or stopped) it must be taken to the DCO. The DC0 must log it into the DTS
and assign it a DCN. At Headquarters, this final document must be taken to the CBIC
for incorporation into the official record.
When a working paper is sent to another facility, it must be tracked, assigned a DCN, and
transferred in accordance with the procedures for transferring TSCA CBI.
4.4.2.2
Destroying Workina Pa7uers
The originator of a working paper or the individual who prints the document from the
CBI LAN may destroy that working paper and any copies made, preferably by
shredding. (See also Section 4.9 on DESTRUCTION OF TSCA CBI).
4.4.3
When TSCAECBI
TSCA CBI
Documents
Are No Longer
TSCA CBI documents are no longer TSCA CBI under any of the following
TSCA$BI
is not included in a new document
l
TSCACBI
is deleted (sanitized) from an existing document
l
The TSCACBI
.
The data are derived from TSCACBI
l
The TSCAFCBI claim is dropped by the submitter
l
l
circumstances:
that is used is masked or aggregated
data but are not themselves TSCA’CBI
EPA formally determines that the claim is not valid in accordance with procedures in
40 CFR part 2 subpart B.
Chapter 4: TSCA CBI Document Management
-61-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.4.4 Aggregating
72
TSCAXBI
IMD must be consulted in advance by any program office or enforc
staff who wish to
produce a non-confidential document by aggregating CBI in a new manner. IMD must
review and approve all new applications of aggregating techniques to ensure that appropriate
TSCA CBI protection has been maintained.
4.4.5 Declassifying CBI Documents
Employees may determine that materials are no longer confidential, but the declassification
may only be performed by a DCO. To declassify a TSCA CBI document:
l
l
l
l
l
The employee must take the document to a DCO. If the document has been assigned
a DCN by CBITS, it must be taken to the OPPT DCO. Documents tracked using
other systems may be taken to the Facility DC0 for declassification.
Evidence must be presented to the DC0 proving that the material no longer contains
any CBI. (See Section 4.1)
The DC0 must cross out all CBI markings on the document and remove the cover
sheet.
The DC0 must inscribe both the document and cover sheet with the statement
“Contains no TSCA CBI,” and sign and date both the document and cover sheet.
The OPPT DC0 must change the document’s status in the tracking system.
NOTE:
A DOCUMENT
MAY ONLY BE DECLASSIFIED
IF ALL TSCA CBI
CLAIMS
ASSOCIATED
WITH
THE RECORD
ARE EITHER
WITHDRAWN BY THE SUBMITTER OR FINALLYDETERMINED
BY
THE OFFICE OF GENERAL COUNSEL TO NOT CONSTITUTE TSCA
CBI. ;*k
ml
Chapter 4: TSCA CBI Document Management
-62-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.4.6 TSCA CBI Document Submitters:
Claim
Dropping
a
A submitter can drop one or more claims of confidentiality for a document. To do so, an
authorized representative of the submitter must send a letter on company letterhead to the
OPPT DC0 to drop the CBI claim. There may be other means of securing clear notice of a
submitter’s withdrawal of a CBI claim as well. For further information contact the branch
chief of the TSCA Records and Dockets Management Branch, IMD. The steps outlined
above for declassification must then be followed.
4.5
REPRODUCING
TSCA CBI
This section applies to all TSCA CBI except working papers.
Reproducing TSCA CBI should be limited to as few copies as possible. TSCA CBI must
be reproduced only at copying machines located in SSAs unless otherwise approved by the
OPPT DCO. With the exception of working papers, only DCOs and ADCOs are permitted
to photocopy TSCA CBI documents or print multiple copies from the CBI LAN.
4.5.1 Managing
The following
l
l
l
TSCA CBI Copies
rules apply to management of TSCA CBI copies:
The cover sheet on the original document must not be copied. A new cover sheet
must be used for each document copy.
Copies must be logged into the DTS and must be assigned unique DCNs/copy
numbers by the DCO.
The originator may loan the copies to other employees and obtain signed transfer
receipts indicating that the transfers were completed. These transfer receipts must be
retained until the documents are returned. If a document is transferred and no transfer
receipt is obtained, the originator of the document will be held accountable for the
document.
Chapter 4: TSCA CBI Document Management
-63-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Copying
4.5.2
CBI Outside SSAs
Copying machines outside SSAs may be used if all other machines in locations approved for
copying CBI are inoperable or unavailable, and as long as alternate machines or their use are
approved by the OPPT DCO. A non-secured machine must be dedicated to the task and
located in a manner that makes copying activity secure from observation to the extent
practicable. After copying is finished, at least three blank copies must be passed through the
machine to ensure that any impressions on the image surfaces of the machine have been
erased.
In case of equipment failure, the operator must ensure that all CBI is removed from the
photocopy equipment before leaving the area.
TRANSFER RECORDTRANSFERRING,
KEEPING,
AND TRANSMITTING
TSCA
CBI
4.6
4.6.1
Transferring
Hard Copy TSCA CBI
Except for working papers (Section 4.4.2), TSCA CBI can only be transferred from one
employee to another through their respective DCOs (as long as the receiving employee has
been approved for TSCA CBI access). Transfers of TSCA CBI must be conducted through
DCOs in accordance with the procedures set forth in this manual. [See 3.3.3 and 3.3.41
[In addition,
see Section
4.6.1. I
4.1.4 on processing
newly
received
TSCA CBI]
Procedures For Sending Or Receiving
TSCA CBI
An employee who requires TSCA CBI material to be mailed to a federal employee, a
contractor cleared for CBI access, or to a TSCA submitter must provide the material to
his/her DCO. All TSCA CBI which is being sent by OPPT to locations outside the
building must be mailed or shipped by the OPPT DCO, who has the option to
delegate mailouts to the CCD and EETD DCOs.
Chapter 4: TSCA CBI Document Management
-64-
October 20,2003
�TSCA CBI PROTECTION
4.6.1.2
MANUAL
PreDarina CBI For Mailing
The DC0 must double wrap TSCA CBI. The DC0 must label the inner wrapping with
the recipient DCO’s name and the statement,“TSCA Confidential Business Information
-- To Be Opened by Addressee Only.”
The DC0 must label the outer wrapper with the name and address of the recipient and a
return address. The outer wrapper must be free of any indications that the package
contains TSCA CBI. (The materials may be prepared for mailing by the originator, but
the package must be left open for the DCOs review.)
Transferring
Facili@
TSCA CBI to Another
Before any TSCA CBI may be transferred to another facility, the sending DC0 should notify
the receiving DC0 by email and by telephone that the materials will be sent. (See also Section
4.6.2 below relating to CBI Transfer Record-keeping, and Section 4.1.4 on processing newly
received TSCA CBI.)
TSCA CBI may be transferred to an individual
the following ways:
l
at another federal or contractor facility in one of
DC0 can send the materials certified mail through the U.S. Postal Service - “return
receipt requested”, or by Federal Express or other commercial and approved overnight
delivery services which maintain routine tracking and receipt signature services. The
DC0 may also use a private messenger or courier service provided they are pre-approved
by the IMD Director. Regular first class mail must never be used to transfer TSCA CBI.
DC0 can appoint a cleared employee to deliver the materials directly to another DCO.
l
l
DC0 can transfer the materials via fax. (See Section 4.6.3.2)
1) When sending TSCA CBI to another facility, the DC0 must include a receipt identifying
the contents of the package inside the inner envelope. (See APPENDIX Y, Form 7740-26
“Permanent Transfer Receiptfor TSCA CM.“) When used properly, the transfer receipt
will not contain TSCA CBI information; therefore, the DC0 has the option of either
placing the form on the outside of the inner envelope or in it. (This form can also be
used as a temporary transfer receipt for multiple documents; line out the word
“permanent” and write “temporary” in its place.) The receiving DC0 must sign the
receipt of contents and return it to the sender within 5 business days. This form is not
used when sending CBI to a TSCA submitter (see Section 4.6.1.4).
Chapter 4: TSCA CBI Document Management
-65-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Tramferrina
4.6.1.4
TSCA CBI to Industry
There may be occasions when a submitter will request a copy of its submission to the
Agency that contains TSCA CBI. Such a request must be in writing. However, in order
to receive a copy, the company”. must provide a letter on corporate stationery which is
signed by a designated corporate official indicating the person is authorized to receive the
copy (unless a designated representative is already on file). This letter should be
submitted to the OPPT DC0 or in the case of a Region to the Regional DCO.
The TSCA ‘CBI must be double-wrapped as described above and sent certified mail via
the U.S. Postal Service, (indicating the person to receive the information) return receipt
required. Couriers and private mail delivery systems may also be used. The tracking
numbers used by these private mail delivery system must be recorded in the appropriate
log.
The Agency may also initiate correspondence with industry which includes TSCA CBI.
In this case the same procedures are followed except for the requirement of a notarized
letter.
4.6.2
Hard Copy TSCA CBI Transfer
Keeping
All permanent transfers must be made through a DCO.
4.6.2. I
The following
For Permanent
rules also apply:
Traqfer
Keep records on transfer. If the transfer was made through a DCO, the DC0 will
record the transfer in the Document Tracking System (DTS)
l
l
l
Record-Keeping
Record-
Document Transfers. Transfers between DCOs can be documented on a TSCA CBI
Transfer Receipt, Form7740-26 (see APPENDIX Y). Both the sending and receiving
DC0 should retain receipts for audit purposes. Contractor DCOs should maintain
transfer receipts until the contract ends and all TSCA CBI is accounted for.
Obtain a receiptfor returned documents. When returning TSCA CBI documents, an
employee should prepare a receipt for the DC0 to sign and return to the employee or
the employee’s designee.
Chapter 4: TSCA CBI Document Management
-66-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Record-Keeping For Temporary Transfers
Within A Facility
The following
l
l
l
l
l
l
standards apply:
Transferring Custody - Custody of CBI may be transferred from one employee
approved for TSCA CBI access to another within the same facility.
Recording; the Transaction - There must be a record indicating that the transfer
was completed.
Obtaining Record Of Transfer - Transferors may use the Temporary Loan Receipt
for TSCA CBI, Form 7740-14 (see APPENDIX AA), or any other form that
records the transfer.
Using Receint Form - Hand delivery with a TSCA CBI Receipt form may be used
only for short-term TSCA CBI transfers.
Delivering Bv Hand - If hand delivery is used, the TSCA CBI must be given
directly to the recipient or a TSCA CBI cleared employee.
Monitoring Overdue TSCA CBI - TSCA CBI may not be logged out from a
centralized TSCA CBI storage facility for more than one year. DCOs must
monitor the DTS for TSCA CBI that have not been returned within one-year. The
DC0 is responsible for notifying employees and their supervisor of overdue
materials.
If a transfer is made by hand delivery to another person within the same facility,
owner or originator of the transferred document may choose to obtain a signed
receipt indicating that the document has been loaned. If a document is transferred
no loan receipt is obtained, the owner or originator of the document will be
responsible for any loss or unauthorized disclosure of the document.
Chapter 4: TSCA CBI Document Management
-67-
the
loan
and
held
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.6.3 Transmitting
4.6.3.1
TSCA CBI Electronically
Transmitting
TSCA CBI Bv Telephone
CBI may be transmitted orally during telephone conversations.
NOTE:
VOICEMAIL
IS NOT SECURE.
IN A PERSON’S VOICEMAIL.
TSCA CBI MUST NEVER BE LEFT
[However, Case Numbers and PMN
numbers may be left on a submitter’s voicemail if they have not first raised an
objection to EPA following receipt of an acknowledgment letter informing
them of this practice and their right to object.]
Authorized employees are allowed to discuss TSCA CBI on the telephone with other
authorized federal or contractor employees with TSCA CBI access. Both parties to a
telephone call are responsible for verifying that the other is authorized for TSCA CBI
access. To do so, the employees should consult the TSCA CBI Approved Access List
upon initial contact.
The individual who initiates a discussion that includes TSCA CBI must indicate that the
conversation involves TSCA CBI.
Authorized employees are allowed to discuss TSCA CBI on the telephone with an
authorized representative of the submitter when all of the following conditions are met:
l
l
l
The employee must verify that the person to whom he/she is speaking has been
previously identified by the company as an authorized contact to discuss TSCA
CBI. The authorized individual is normally the technical contact for the subject
submission. (In cases where the technical contact or other authorized
representative cannot be obtained from the document submitted to the Agency, the
employee should consult the OPPT DCO.)
The employee must verify that all federal and contractor employees on the line are
cleared for TSCA CBI access and relay that information to the submitter.
The employee must inform the submitter that any further information provided in
the telephone conversation can be claimed as confidential.
Authorized contractors may also discuss TSCA CBI on thel$elephone; with submitters.
The contractor must begin the conversation by identifying that they are an EPA
contractor. The same procedures identified above for employees must be followed. EPA
Chapter 4: TSCA CBI Document Management
-68-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
recommends that employees keep telephone logs of all calls with individuals located
outside their organization during which TSCA CBI is discussed.
A telephone log should contain the following:
l
Date and time of the call.
l
Employee name and office.
l
Name, number, and organization of the other party.
l
Who initiated the call.
l
Content of the conversation.
Telephone logs of conversations with TSCA CBI submitters should be kept when the call
results in changing the status of information in an industry submission: for example,
when information is requested from the submitter, when clarifications are provided to the
submitter of a substantive nature, etc. Telephone logs must be provided to the DC0 for
incorporation into the DTS and to the CBIC if relevant to a TSCA submission, Form
7740-12 (See APPENDIX
Z.)
4.6.3.2
Transmitting
TSCA CBI by Fax
EPA and contractor DCOs may transfer and receive TSCA CBI materials via facsimile.
Faxing of TSCA CBI should be limited to situations where timely delivery would be
compromised by using other means (e.g., mail delivery, courier service).
The following
by fax:
l
security provisions must be followed when transmitting any TSCA CBI
Verify receiver. Before sending a fax containing TSCA CBI to an authorized
government or contractor recipient, the sender must verify that the recipient has
been certified for access to TSCA CBI by consulting the TSCA CBI Authorized
Access List. In addition, prior to sending a fax containing TSCA CBI to a
submitter of the information, the sender must verify that the recipient has been
identified as the company’s authorized representative on the original submission
to EPA. Alternatively, the Agency must be in possession of a letter on corporate
stationery signed by a designated company official authorizing the transmission
to this recipient. Similarly, when a submitter requests that EPA fax its TSCA CBI
to a third party (e.g., lab director or attorney), the Agency must be in possession
of a letter on corporate stationery signed by a designated company official
authorizing the transmission to the specified third party.
Chapter 4: TSCA CBI Document Management
-69-
October 20,2003
�TSCA CBI PROTECTION
l
l
l
l
MANUAL
Control the fax equipment. During transmission of TSCA CBI by employees and
Agency contractors, the DCOs sending and receiving the document must
completely control the fax machines. They must ensure that anyone not cleared
for TSCA CBI does not view the document being sent.
Select the fax machine. Fax machines located inside SSAs are recommended.
Fax machines used outside SSAs may be used, but only with the utmost care.
Verifv the phone number. The employee sending the fax is responsible for
ensuring that the number dialed is correct by verifying the number on the fax
transmission confirmation receipt. Use extreme caution when dialing the number
to ensure that the correct number is entered. (If TSCA CBI is accidentally
transferred to a wrong number, TSS must be immediately notified.)
Retain the receipt. The DC0 must attach the fax transmission confirmation
receipt to the document that was faxed and place the document in the official
document file if applicable.
Authorization from the submitter to fax documents to third parties (e.g., lab directors)
must be obtained in writing and maintained in the DCO’s files.
4.6.3.3
Transmitting
TSCA CBI By E-mail
TSCA CBI cannot be transmitted via e-mail except on approved Local Area Networks
(LANs). (See Section 4.8 on using computers to work with TSCA CBI.) In the event
TSCA CBI is released on any other LAN or the internet, you must imrnediately report this
to your Office Information Security Officer (ISO) and immediate supervisor. For further
information, contact your ISO.
4.6.3.4
Transmitting
Coqference
TSCA CBI By Tele-Video
TSCA CBI may be displayed and discussed during tele-video conferences conducted
between EPA Headquarters and EPA regional offices. Employees who arrange or
schedule a tele-video conference are responsible for ensuring that all TSCA CBI security
procedures are followed. These procedures include the following:
l
Verify that everyone who attends the tele-video conference is cleared for TSCA
CBI.
Chapter 4: TSCA CBI Document Management
-7o-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
Ensure that both conference rooms are secured to prevent unauthorized persons
from entering the conference rooms during the tele-video conference.
l
Arrange for use of compressed video encryption during transmission, if available.
For information about tele-video encryption, contact the EPA Security Officer in
Research Triangle Park, at (919) 541-4013.
l
4.7
USING AND HANDLING
Use TSCA CBI according to the following
TSCA CBI
guidelines:
1) Employee Responsibilities
Employees using TSCA CBI are responsible for ensuring that no unauthorized disclosure
of that information occurs. If employees take TSCA CBI outside the SSAs, they must do
one or more of the following:
l
Maintain constant control over the TSCA CBI documents in their possession
l
Return the TSCA CBI documents to the DCO.
l
Store the documents in a TSCA CBI-approved storage container.
2) Obtaining
TSCA CBI
Except as provided in Section 4.4.2 (Working papers) and in Section 4.6.2.2 (RecordKeeping For Temporary Transfers Within a Facility), to obtain TSCA CBI documents
follow the steps below:
l
The employee requests a specific TSCA CBI document from his or her DCO.
The DC0 verifies that the employee is approved for access to the document.
l
l
The DC0 logs the document out to the employee.
3) Using or discussing TSCA CBI in meetings
To discuss TSCA CBI at meetings (scheduled gatherings), follow the steps below:
a. An employee may circulate personal working papers or other materials logged
out to that employee at a meeting if the following conditions are met:
Chapter 4: TSCA CBI Document Management
-71-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
The employee to whom the document belongs attends the meeting and is
present when the document is discussed.
l
The owner employee collects all copies of the document at the end of the
meeting.
l
The owner employee numbers the copies (“1 of 6”, “2 of 6”, and so forth)
before distributing them and checks to make sure that all copies are returned
at the end of the meeting.
l
The owner employee destroys all copies of the document after the meeting.
l
b. To discuss TSCA CBI during meetings, a chairperson
beforehand.
1. The chairperson is responsible for
TSCA CBI access are in the room
The chairperson must also secure
cleaning all chalkboards, removing
must be identijed
ensuring that only people approved for
during discussion involving TSCA CBI.
the room at the end of the meeting (by
all TSCA CBI, etc.).
c. The chairperson must remind meeting attendees that they must treat as
con$idential any notes taken at the meeting.
l
Notes taken at the meeting
at contain TSCA CBI!$re considered to be
personal working papers. To tape record a meeting, permission from the
chairperson must be obtained. Such recordings may contain TSCA CBI and
must be treated as TSCA CBI.
4) Developing
TSCA CBI photographic
materials
When photographs are claimed as TSCA CBI material, the Facility DC0 must ship the
film to the Regional or OPPT DC0 (as appropriate) for processing and development.
Processing or development by a private or commercial laboratory is prohibited unless
expressly approved by the IMD Director in consultation with TSS.
5) Claiming a videotape as TSCA CBI
If an EPA employee utilizes video equipment during an inspection or plant visit, and the
company wishes to claim the tape as TSCA CBI, the tape must be handled and controlled
like any other TSCA CBI material.
Chapter 4: TSCA CBI Document Management
-72-
October 20,2003
�TSCA CBI PROTECTION
4.8
MANUAL
USING COMPUTERS
TSCA CBI
4.8.1
TO WORK
WITH
Prohibition
TSCA CR1 may stut be processed, created, or stored on computers comected to the
lizternet or to any LAN not ~ppruved.for
CBI, mr on portable computers of any
kilzd, except as approved by IMD afier consultation with the TSCA Security Staff (TSS).
In the event TSCA CBI is released onany other!LAN or#heInternet, you must immediately
report this to your Office Information Security Officer (ISO) and immediate supervisor. For
further information, contact your ISO.
4.8.2
TSCA CBI Computers
Public Networks
Must Be Separate From
TSCA CBI may be created, processed, and stored ONLY:
l
on computers which are permanently connected to a self-contained Local Area
Network (LAN) approved for TSCA CBIiand not connected to the Internet
OR,
.
on computers which are permanently disconnected from any network, Internet access,
or other technology which can pass data to another computer.
4.8.3
Registration
Systems
is Required
to Use CBI Computer
Employees who require access to TSCA CBI computer systems must complete the “TSCA
CBI ADP User Registration Form” and submit it to the OPPT DCO. IMD will provide the
employee with a user ID and password to access the TSCA CBI network. (See APPENDIX
B, EPA Form Number 7740-25).
Chapter 4: TSCA CBI Document Management
-73-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.8.4 Using Portable Computers (Laptops and
Handheld Devices)
Laptop computers may not be used to process TSCA CBI data unless they are approved by
IMD in consultation with TSS. To obtain approval, the DC0 must prepare a security plan.
TSCA CBI use of laptops will be approved on a case-by-case basis by IMD to ensure that
proper procedures will be followed regarding their use. (See APPENDIX BB for an
example of the Laptop Computer User Agreement for the CBIC form.)
Handheld
devices (such as Personal Digital Assistants) may not be used to process, create,
or store TSCA CBI.
Once a portable computer has been approved for TSCA CBI use,
It must be conspicuously labeled as a TSCA CBI computer with distinctive
markings that are not visible when the computer is not in use. This can include
operating system and application software backgrounds, login screens, and other
reminders that the user is using a TSCA CBI-cleared computer.
l
l
l
Any modem, network card, wireless port, or other computer-to-computer
comtnunications device must be removed.
The user is responsible for preventing the data from being disclosed to any
unauthorized person while traveling outside the Secure Storage Area in which the
portable computer is normally stored while not in use.
4.8.5 Disposing of Computers Formerly
TSCA CBI
Used for
If a computer which has been used to store or process TSCA CBI data is to be connected
to the administrative LAN and/or the Internet, or is to be discarded, its hard drive must be
destroyed or thoroughly erased by appropriate software. IMD must certify a computer as
having been cleaned of TSCA CBI immediately after the computer has been disconnected
from the TSCA CBI LAN or after its retirement from use as a TSCA CBI standalone
computer.
Chapter 4: TSCA CBI Document Management
-74-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.8.6 Modems
OPPT prohibits both internal and external modems on all computers used for TSCA CBI.
Any exception to this general prohibition must be approved by IMD.
4.8.7 TSCA CBI Data Processed Only Within SSAs
TSCA CBI may be processed only on computers located within TSCA CBI approved Secure
Storage Areas, unless other arrangements are approved by TSS in consultation with the
OPPT ISO.
4.8.8 Printing
TSCA CBI Information
Authorized employees are permitted to print out one copy of their working papers from the
TSCA CBI LAN for individual use. Multiple copies may be made only by the DCO/DCA.
[See Section 4.42 of this Manual for special requirements concerning personal working
papers].
All printouts from the TSCA CBI LAN are assumed to contain TSCA CBI unless the user
indicates otherwise in writing on the first page of the printout, with signature and date.
Printouts from the TSCA CBI LAN must be treated like any other TSCA CBI document and
protected accordingly.
The employee should promptly remove copies from the printer to reduce the likelihood that
the TSCA CBI information will be viewed by visitors. Once a session ends, the computer
must be re-booted or turned off.
4.8.9 Storing TSCA CBI on Magnetic Media
The procedures for storing TSCA CBI hard-copy materials apply equally to magnetic media
(diskettes, hard disks, magnetic tapes and data cartridges), optical disks, memory cards, and
to any other storage devices.
4.8.10 Disposing of TSCA CBI Computer Disks
When disks are no longer needed or are damaged, they should be destroyed in a manner
approved by IMD, in consultation with TSS, or sent to IMD for destruction. At EPA
headquarters they may be given to IMD for destruction.
Chapter 4: TSCA CBI Document Management
-75-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.8.11 Security for TSCA CBI Data Stored on
Contractor’s
Off-site Computers
A contractor’s site must be inspected and approved before any TSCA CBI may be
transferred, processed, or stored there (See Section 2.2.2). EPA contractors may not place
TSCA CBI on any computer system without written authorization from EPA.
Authorized EPA contractors who use TSCA CBI must follow all computer security
requirements established for EPA Contractors. Contractors are permitted to use
standalone PCs and laptops for processing TSCA CBI by adhering to the procedures
contained in this manual.
4.9
DESTRUCTION
OF TSCA CBI
Only DCOs are permitted to destroy TSCA CBI (except working papers, as discussed in
Section 4.4.2.2). Federal employees wishing to have TSCA CBI destroyed must take
these materials to their DCO. Contractor DCOs must obtain written permission from the
OPPT DC0 before destroying TSCA CBI. CBITS-tracked documents may only be
destroyed with the approval of the OPPT DCO; however permanently logged-out
documents may be destroyed by a DCO.
Contractor DCOs may not destroy CBITS-tracked documents. These documents must be
returned to the Project Officer at the end of the contract. The PO must ensure the return
of the documents to the CBIC for proper destruction.
4.9.1
Procedures
for Destroying
TSCA CBI
The procedures for destroying TSCA CBI apply to all media containing TSCA CBI
except working papers. (See Section 4.4.2 on working papers.)
[NOTE: This section, as written,
because of its unique function.]
Chapter 4: TSCA CBI Document Management
does not apply in the special case of the CBIC
-76-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
4.9.2 Destruction Methods
TSCA CBI such as papers, documents, or printouts must be shredded. Materials such as
microfiche, typewriter ribbons, and magnetic media must be burned, degaussed, or
chemically destroyed.
4.9.3 Destruction Record-Keeping
The destruction of a TSCA CBI document that has been entered into the DTS must be
recorded. The DC0 must enter information about the destruction of the document into
both the Receipt Log, Form 7740-10 (see APPENDIX
W), and the Inventory Log, Form
7740- 11 (see APPENDIX
V).
4.9.4 Disposition of CBI Cover Sheets
CBI cover sheets (see APPENDIX
U) must be completed by the DC0 with destruction
date, location where the document was destroyed, and DCO’s name.
The TSCA CBI cover sheets must then be placed in the appropriate file for storage (e.g.,
at EPA Headquarters, a cover sheet would be placed in the CBIC file for that document).
Green cover sheets must be maintained for at least one complete audit cycle (see
Section 3.3.12.1(a)).
4.9.5
Contracts Involving
TSCA CBI
The PO and DC0 for the contract are responsible for ensuring that all TSCA CBI is
properly disposed of and accounted for at contract close-out. All logs and records used to
track and dispose of TSCA CBI must be submitted as part of the contract close-out. Any
unaccounted-for documents must be reported as required in CHAPTER 5.
Chapter 4: TSCA CBI Document Management
-77-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
This page intentionally left blank
Chapter 4: TSCA CBI Document Management
-78-
October 20,2003
�TSCA Cl31 PROTECTION
MANUAL
CHAPTER 5
Procedures Violations, Unaccounted For Documents,
And Unauthorized Disclosures
5.0
INTRODUCTION
This Chapter details the reporting and investigative actions to be followed by TSCA CBI
authorized persons in the event of any possible violation of the requirements outlined in
this manual. Examples of such violations include cases of unaccounted for TSCA CBI
documents, as well as any disclosure of TSCA CBI to a person not authorized to receive it
under Section 14 of TSCA.
The protection procedures detailed in this Manual are enforceable by both the
administrative penalties and corrective actions set forth below. On policy issues, the IMD
Director should be consulted.
5.1
EMPLOYEE
5.1.1
REPORTING
PROCEDURES
Oral Report
Any TSCA CBI-cleared employee of EPA or another Federal agency must provide oral
notice to his or her immediate supervisor within one working day if he or she thinks it is
possible that
l
A TSCA CBI protection procedure has been violated.
l
TSCA CBI is unaccounted for.
l
TSCA CBI may have been disclosed to a person not authorized to receive it under
Section 14 of TSCA.
Contractor employees on the TSCA CBI Authorized Access List must provide oral notice
to their EPA Project Officer or PO designee within 1 business day if any of the above
situations occur. The EPA PO or PO designee must then report to the Division Director
(or equivalent manager in their organization).
Chapter 5: Procedures Violations
-79-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
5.1.2 Written Report
Federal and contractor employees must file a written report within 2 business days in any
of the same situations identified in Section 51.1 above (unless otherwise relieved of the
requirement by their management representative who is authorized to receive the report).
EPA and other federal employees must provide this written report to their Division
Director (or equivalent manager in their organization). Contractor employees must
provide the written report to their PO or PO designee.
The written report must include any relevant circumstances or facts known by the
employee, and describe any of the following:
l
Possible violation of procedures.
l
Possible unauthorized disclosure of TSCA CBI.
l
Materials possibly unaccounted for.
To investigate what occurred, the employee and/or the employee’s supervisor should
examine files and discuss the matter with other individuals who may have first-hand
knowledge of the facts.
The employee’s division director (or equivalent) must review the employee’s report and
provide any additional comments or information. Within 2 business days of receiving the
report, the Division Director must refer the report to TSS. If the Division Director
reviews the employee’s report and determines there was no violation of procedures, loss
of TSCA CBI, or unauthorized disclosure, the report need not be referred.
5.2
REPORT OF VIOLATIONS
TO TSS
This section applies in the case of a report referred to TSS by an employee’s supervisor
alleging a possible violation of the procedures contained in this manual, possible
unaccounted for TSCA CBI documents, or possible disclosure of TSCA CBI to a person
not authorized to receive it under Section 14 of TSCA.
5.2.1 TSS Investigation
Following review of the written report referred to TSS in the situations identified above,
TSS will conduct an investigation if it determines one is necessary. If, after reviewing the
written report, TSS determines that the facts do not warrant an investigation, TSS will
notify the employee’s Division Director in writing of this finding.
Chapter 5: Procedures Violations
-8O-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
5.2.2 Oral Notice to Submitter
If TSS conducts an investigation and determines the likelihood of either an improper
disclosure of TSCA CBI under Section 14 of TSCA or the loss of a submitter’s TSCA
CBI, with the approval of the EAD Director TSS will notify the submitter by telephone
within 2 working days.
5.2.3 Report of Investigation
(ROI)
Once the investigation is complete, TSS will provide the EAD Director with an ROI,
which will contain the following:
l
A recitation of the factual circumstances of the violation.
l
Conclusions, including :
-
Probability that an improper violation occurred.
-
Nature and degree of any violation.
-
Recommendations for remedial action or mitigation, including a report
forwarded to the affected employee and supervisor identifying procedures for
handling, using, and storing TSCA CBI.
The length and detail of this report is determined by the nature, degree and circumstances
of the alleged violation.
5.2.4 Company Notification
EAD Director
of Improper
Disclosure:
After receiving an ROI, the EAD Director will authorize issuance of a written notice to
the affected company within 4 business daysunless the EAD Director believes that the
reported disclosure did not occur. If it is determined that an improper disclosure probably
did occur, the written notice must identify the improperly disclosed document and the
date upon which such disclosure was deemed to have occurred.;i’ The EAD Director will
ensure that the submitter is contacted in writing and advised of the fact that it is unlikely
that the reported disclosure occurred, and take no further action.
Chapter 5: Procedures Violations
-81-
October 20,2003
�TSCA CBI PROTECTION
5.2.5
MANUAL
Company Notification
of Documents
Unaccounted for: EAD Director
Following receipt of an ROI notifying the EAD Director of an unaccounted for CBI
document, the EAD Director will issue a written notice to the affected company within 4
business days if the document is not accounted for in that time. The written notice must
identify the lost or misplaced document and state the date on which it was deemed lost or
misplaced. If the EAD Director believes that the document in question is not
unaccounted for, she/he will ensure that the submitter is contacted in writing and advised
of this fact and take no further action.
5.2.6
Referral
to the Inspector
General
Upon consideration of the ROI, if there is any substantial evidence of a knowing or
willful disclosure of TSCA CBI, the EAD Director will immediately refer the matter to
the EPA Office of Inspector General.
5.2.7
Annual
Security Report
On a fiscal year basis, TSS will provide a report to be distributed to the OPPT Director,
the EAD Director, the OPPT DCO, and others upon request, identifying the previous
year’s security violations by type and discussing trends, recognized vulnerabilities, and
other matters that may be of interest.
5.3
CORRECTIVE
GUIDELINES
ACTION
AND PENALTY
The corrective actions and penalties described in the Chapter are intended to prevent or
discourage violations of this manual, and thereby better protect TSCA CBI. Penalties
imposed or actions taken must be fair, consistent, and well-reasoned.
5.3.1
Responsibility
for Monitoring
Protection Manual
Compliance
With
The responsibility for monitoring compliance with the procedures in this manual belongs
to the EAD Director. The Director will review the facts in a given case and, where
appropriate, recommend specific action, including the imposition of corrective actions,
administrative penalties or referral for criminal charges. Responsibility for implementing
Chapter 5: Procedures Violations
-82-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
the EAD Director’s recommended action, or devising and implementing an alternative
action, rests with the Division Director (or equivalent) of the EPA or federal employee
involved.
Nothing in this section should be construed to limit the Agency’s ability to end an
individual’s access to TSCA CBI any time it is viewed as necessary to protect
confidential data entrusted to the Agency or TSCA CBI access is viewed as no longer
necessary for the satisfactory performance of the person’s assigned duties.
5.3.2
Violations
by Federal Employees
After a finding of a likely violation of the rules in this manual, the EAD Director will
notify the EPA or federal employee’s Division Director (or equivalent) and discuss the
structure of any administrative penalties and corrective actions. The EAD Director may
recommend that the employee’s Division Director select and impose an appropriate
penalty chosen from the ones identified in this section after weighing the totality of
circumstances in each case (see Firrure 5-l). In consultation with the EAD Director, the
employee’s Division Director must consider the following:
l
Seriousness of the violation.
l
Potential for unauthorized disclosure of TSCA CBI because of the violation.
l
Nature of the employee’s error (e.g., accidental, willful,
l
If the employee has previously committed any other TSCA CBI violation.
l
or grossly negligent).
How often the employee uses or handles TSCA CBI while performing his/her
official duties.
Corrective actions may be procedural,:lor instructional, and may include training, revision
of work procedures, removal of the individual’s name from the TSCA CBI Authorized
Access List, and other options.
The employee’s Division Director (or other appropriate authority in the employee’s
organization)‘should select, upon the EAD Director’s recommendation, an administrative
penalty when the employee was grossly negligent or previously incurred a prior violation,
even if the violation were not serious. A table of suggested administrative penalties
appears below.
Chapter 5: Procedures Violations
-83-
October 20,2003
�TSCA CBI PROTECTION
NOTE:
MANUAL
The Terms “SUSPENSION”
and “REMOVAL”
in the table below relate
only to TSCA CBI access, and not to federal employment.
Nothing in this Section prevents the employee’s supervisor from imposing
other penalties in addition to those discussed in the table below.
Figure 5-1. IADMINISTRATIVE
PENALTIES
l-day suspension to
Oral or written
7-day suspension to
Removal.
l
These penalties cover only deliberate procedural violations that do not result in the
unauthorized disclosure of TSCA CBI. If EAD’s investigation reveals any
evidence of the knowing and willful unauthorized disclosure of TSCA CBI, the
matter will be immediately referred to the EPA Office of Inspector General. The
suggested penalties in the above table do not replace or supersede the existing
authority of the IMD Director to suspend the TSCA CBI access of any employee
for the purpose of protecting TSCA CBI.
A federal employee who has been found to have willfully disclosed TSCA CBI to a
person not authorized under Section 14 of TSCA may be liable under Section 14(d) of the
Act, 15 U.S.C. 2613(d), for a fine of up to $5,000 and/or imprisonment for up to one year.
The EAD Director has the option of recommending that no action, or a different action,
Chapter 5: Procedures Violations
-84-
October 20,2003
�TSCA CBI PROTECTION
MANUAL
be taken if, for example,
l
l
fault cannot be ascribed to any individual or
a modification of TSCA CBI handling procedures would yield no greater level of
protection to TSCA CBI.
5.3.3 Violations by Contractor
Employees
contractor imposes corrective or disciplinary measures on its employees. &though the
particular~disciplinary action a contractor chooses to impose is a matter for the contractor
to decide, a failure on the part of a contractor employee to follow the procedures in this
manual may be considered a material breach of the contract if the contractor does not take
adequate and appropriate disciplinary and corrective actions.
A
The IMD Director may suspend the TSCA CBI access of a contractor employee to protect
against imminent threat to TSCA CBI security. The IMD Director maintains the right to
suspend the TSCA CBI access of any contractor employee without consultation with the
contractor or going through the contract administrative process if there is imminent cause
for doing so which relates directly to the government’s mandate of protecting TSCA CBI.
A contractor employee who is found to have willfully disclosed TSCA CBI to a person
not authorized under Section 14 of TSCA may be liable under Section 14(d) of the Act,
15 U.S.C. 2613(d), for a fine of up to $5,000 and/or imprisonment for up to one year.
5.4
OPPT DIRECTOR
AS ARBITER
Where disagreements arise between Headquarters divisions, or between Headquarters
divisions and Regional offices, regarding objective assessments of violations, the OPPT
Director will arbitrate all time-sensitive matters within 24 hours of referral. Other matters
not facing legal time limits will be arbitrated within a reasonable time.
Chapter 5: Procedures Violations
-85-
October 20,2003
�Appendix A
Please read Privacy Act Statement and instructions on reverse before completing this form.
United States Environmental Protection Agency
Washington, DC 20460
TSCA CBI Access Request, Agreement, and Approval
Section I. – Access Request
1. Name (Last, First, MI)
2. 9-Digit ID Number (e.g., SSN)
3. Telephone Number
4. Requestor (Agency/Office/Division/Branch)
5. Document Control Officer (DCO)
6. DCO Telephone Number
7.TSCA Sections for which access is
required. Check all that apply. Use blank
_____
ALL
4 ___ 5 ___ 6 ___ 8 ___ 12 ___ 13 ___ 21 ___ _________
- OR
space to request other sections not listed.
8. Justification for TSCA CBI access.
Other
Select appropriate code from instructions on
reverse side. (Check one for all that apply).
List Justification on reverse side
______
A
B
______
C
______
Section II. – Contract Information
9. Employer’s Name
10a. Employer’s Address
11. Contract Number
12. EPA Project Officer
D
-
______
Contractor Employees Only
10b. City
10c. ST
10d. Zipcode
13. EPA Project Officer Telephone
Section III. – OPPT Secure Storage Area Access – HQ Federal and HQ Contractor Employees Only
14. Check if EPA ID Badge. Badge is required.
Yes (New)
Need Replacement
No (List Present EPA ID Badge Number ___________________________)
15. List OPPT Restricted areas by Division to which physical access is required.
Home Division (24 hour access)
Other Divisions (6A.M. – 6P.M. only)
Access to CBIC Only
IMD (DCO and IMD Computer Rms.)
16. List OPPT areas by Division and Room Number for which Alarm Activation/Deactivation Authority is requested.
Section IV. – Confidentiality Agreement
I understand that I will have access to certain Confidential Business Information submitted under the Toxic Substances Control Act (TSCA, 15 USC 2601 et seq.). This access has been granted in accordance with
my official duties relating to Environmental Protection Agency programs.
I understand that TSCA CBI may be used only in connection with my official duties and may not be disclosed except as authorized by TSCA and Agency regulations. I have received a copy of, and understand the
procedures set forth in, the TSCA CBI Protection Manual. I agree that I will treat any TSCA CBI furnished to me as confidential and that I will follow these procedures.
I understand that under section 14(d) of TSCA (15 USC 2513(d)), I am liable for a possible fine of up to $5,000 and/or imprisonment for up to one year if I willfully disclose TSCA CBI to any person not authorized to
receive it. In addition, I understand that I may be subject to disciplinary action for violation of this agreement with penalties ranging up to and including dismissal.
I understand that my obligation to protect TSCA CBI, which has been disclosed to me as part of my official job duties, continues after either termination of my assignment or termination of my employment.
I certify that the statements I have made on this form and all attachments thereto are true, accurate, and complete. I acknowledge that any knowingly false or misleading statement may be punishable by fine or
imprisonment or both under applicable law.
17. Signature of Employee
18. Date
Section V. – Requesting Official Approval
19. TSCA CBI Security Briefing Date
20. Name and Signature of Requesting Official. (Immediate Supervisor – EPA Project Officer for Contractors) As the
immediate supervisor of (or the EPA Project Officer for) the above mentioned employee, I certify he/she has successfully
completed a TSCA CBI Security Briefing on the date shown.
Name
22. Date Received
DCO Code
Signature
23. Approved (TSCA Security Official Signature)
Barcode
Status Code
21. Date
24. Approval Date
Alarm Zones
Data Entry Date and Initials
1.
EPA Form 7740-6 (Rev. 10-03). Replaces previous version of 7740-6 and 7740-6A.
2.
�Paperwork Reduction Act Notice
The public reporting burden for the collection of information is estimated to average .84 hours per response. This estimate includes time for
reviewing instructions, gathering and maintaining the needed data, and completing and reviewing the collection of information. Send comments
regarding the burden estimate or any other aspect of this collection of information to the Director, Collection Strategies Division, US Environmental
Protection Agency (2822T), 1200 Pennsylvania Ave., NW, Washington DC 20460, and to the Office of Information and Regulatory Affairs, Office of
Management and Budget, Washington, DC 20503, marked ATTENTION: Desk Officer for EPA. Include the OMB No. identified on page 1 in any
correspondence. Do not send the completed form to this address. Submit the form in accordance with the instructions in the CBI Manual.
Privacy Act Statement
Furnishing your Social Security Number is voluntary, but encouraged. The information on this form is used by EPA to maintain a record of
those persons cleared for access to TSCA Confidential Business Information (CBI) and to maintain the security of TSCA CBI.
Disclosure of information from this form may be made to the Office of Pollution Prevention and Toxics (OPPT) contractors in order to carry out
functions for EPA compatible with the purpose for which this information is collected; to other Federal agencies when they possess TSCA CBI and
need to verify clearance to EPA and EPA contractor employees for access; to the Department of Justice when related to litigation or anticipated
litigation involving the records or the subject matter of the records; to the appropriate Federal, State or local agency charged with enforcing a statute or
regulation, violation of which is indicated by a record in this system; where necessary, to a State, Federal or local agency maintaining information
pertinent to hiring, retention, or clearance of an employee, letting of a contract, or issuance of a grant or other magistrate or administrative tribunal; in
the course of litigation under TSCA; and to a member of Congress acting on behalf of an individual to whom records in this system pertain.
Instructions for Form Completion
Section I – To be completed by all
Section III – To be completed by HQ Federal
and HQ Contractor employees only
1. List Full Name
2. List 9-Digit ID (e.g., SSN)
3. List Telephone number of person in item 1
4. List Full Acronym of Requesting Office (i.e. EPA Office in which the
individual works or for contractor employees, the EPA Office with whom
the contract is with)
5. List the immediate Document Control Officer for the office in which the
individual works
6. List the telephone number of the Document Control Officer
7. Check the TSCA Sections for which access is requested or check ALL
if applicable
8. Circle the appropriate Access Justification Code
A. Employee is an EPA employee or EPA contractor employee whose
work assignments involve the New and/or Existing Chemical Programs of
TSCA. Hence access to the TSCA sections listed in item 7 of this form is
required in performance of his/her duties .
B. Employee is an EPA employee or EPA contractor employee whose
work entails the administration of computer systems housing TSCA CBI.
Hence access to the TSCA sections listed in
item 7 of this form is required.
C. Employee is an EPA employee or EPA contractor employee whose
work entails physical security or maintenance for TSCA CBI secure
storage areas. Although employee will not actually
work with any TSCA CBI materials, access to the TSCA sections listed in
item 7 of this form is required.
D. List Justification here
NOTE: These procedures apply only to employees requiring access to
OPPT Secure Storage areas. All others follow standard Agency
procedures.
14. Check either box a, b, c or (c&d) f or EPA ID badge or Contractor
Building Pass. If box c is checked, write in badge number.
a. Yes - Check if new employee getting first EPA ID Badge. (New
programmed badge and barcode)
b. Need Replacement - Check if replacement ID Badge is needed
(replacement badge and barcode)
c. No - Existing badge needs programming. List ID Badge no.
15. Check and list OPPT secured areas for which access (via “RUSCO”
electronic door control system) is required. List Division acronyms for the
requested areas.
Home Division - List Division in which employee works
Other Divisions - List other OPPT Divisions for which unrestricted
daytime access is requested
CBIC Only - To be checked for those who only need to access the
Confidential Business Information Center.
IMD Areas - Employees who need to regularly access the IMD Document
Control Office Suite should circle DC0 in the fourth block. Only IMD staff
and contractors who work in IMD computer rooms should circle IMD
Computer Rooms.
16. List OPPT areas by Division and Room numbers for which Alarm
Activation/Deactivation authority is requested. Generally, this is
employees home Division only.
Section II – To be completed by Contractor
Employees only
Section IV – To be completed by all
9. List Employer’s name
10a-d. List Employer’s address
11. List Contract number
12. List EPA Project Officer’s name
13. List EPA Project Officer’s telephone number
17. Employee Signature (must be original)
18. Signature Date
Section V – To be completed by all
19. Enter date employee attended TSCA CBI Security Briefing
20. Immediate Supervisor/EPA Project Officers name and sign.
21. Date of signature
Section VI – To be completed by OPPT Security
�TSCA CBI Protection Manual
Appendix B
��TSCA CBI Protection Manual
Appendix C
�TSCA CBI Protecton Manual
Appendix D
�Appendix E
EPA Form 7740-28 (rev. 10-03)
TSCA CBI Protection Manual
�TSCA CBI Protection Manual
Appendix F
�TSCA CBI Protection Manual
Appendix G
��TSCA CBI Protection Manual
Appendix H
�TSCA CBI Protection Manual
Appendix I
��TSCA CBI Protection Manual
Appendix J
�TSCA CBI Protection Manual
Appendix K
�TSCA CBI Protection Manual
Appendix L
�������TSCA CBI Protection Manual
Appendix O
�������������TSCA CBI Protection Manual
Appendix P
��TSCA CBI Protection Manual
Appendix Q
�TSCA CBI Protection Manual
Appendix R
�TSCA CBI Protection Manual
Appendix S
�TSCA CBI Protection Manual
Appendix T
Stamp to Use when Material
contains TSCA CBI
Stamp to Use when Material
conains No TSCA CBI
�TSCA CBI Protection Manual
Appendix U
Enter Document Control Number or
Bar Code
United States Environmental Protection Agency
Washington, D.C. 20460
Document Description
Date
CONFIDENTIAL
TOXIC SUBSTANCES CONTROL ACT
CONFIDENTIAL BUSINESS INFORMATION
Does not contain National Security Information (E.O. 12065)
The attached document contains Confidential Business Information
obtained under the Toxic Substances Control Act (TSCA 15 U.S.C.
2601 et seq.) TSCA Confidential Business Information may not be
disclosed further or copied by you except as authorized in the
procedures set forth in the TSCA Confidential Business Information
Protection Manual.
If you willfully disclose TSCA Confidential Business Information to
any person not authorized to receive it, you may be liable under
section 14(d) of TSCA (15 U.S.C. 2613(d) for a possible fine up to
$5,000 and/or imprisonment for up to one year. In addition,
disclosure of TSCA Confidential Business Information or violation
of the procedures cited above may subject you to disciplinary action
with penalties ranging up to and including dismissal.
If you are not authorized for TSCA confidential business information
(CBI) access, do not look at this document. If you find this document,
place it in a sealed envelope or other secure container and immediately
give it to your supervisor or a TSCA CBI Document Control Officer
for safekeeping and safe return.
EPA Form 7740-9 (rev. 10-03) Previous edition is obsolete
�TSCA CBI Protection Manual
Appendix V
�TSCA CBI Protection Manual
Appendix W
�TSCA CBI Protection Manual
Appendix X
�TSCA CBI Protection Manual
Appendix Y
�TSCA CBI Protection Manual
Appendix Z
�TSCA CBI Protection Manual
Appendix AA
�TSCA CBI Protection Manual
Appendix BB
����| File Type | application/pdf |
| File Modified | 2018-08-14 |
| File Created | 2004-04-26 |