Sorn-037

DHS-ALL-037_E-AuthenticationRecords_08112014.pdf

USCIS Online Account Access

SORN-037

OMB: 1615-0122

Document [pdf]
Download: pdf | pdf
Federal Register / Vol. 79, No. 154 / Monday, August 11, 2014 / Notices
records in this system is limited to those
individuals who have a need to know
the information for the performance of
their official duties and who have
appropriate clearances or permissions.
RETENTION AND DISPOSAL:

NARA approved the retention and
disposal schedule, N1–566–08–007,
which covers E-Verify records. E-Verify
stores and retains records collected in
the process of enrolling in E-Verify and
in verifying employment eligibility for
ten (10) years from the date of the
completion of the last transaction,
unless the records are part of an ongoing
investigation in which case they may be
retained until completion of the
investigation. This period is based on
the statute of limitations for most types
of misuse or fraud possible using
E-Verify (under 18 U.S.C. § 3291, the
statute of limitations for false statements
or misuse regarding passports,
citizenship, or naturalization
documents).

RECORD ACCESS PROCEDURES:

See ‘‘Notification procedure’’ above.

SYSTEM MANAGER AND ADDRESS:

mstockstill on DSK4VPTVN1PROD with NOTICES

http://www.dhs.gov or 1–866–431–0486.
In addition you should:
• Explain why you believe the
Department would have information on
you;
• Identify which component(s) of the
Department you believe may have the
information about you;
• Specify when you believe the
records would have been created; and
• Provide any other information that
will help the FOIA staff determine
which DHS component agency may
have responsive records.
If your request is seeking records
pertaining to another living individual,
you must include a statement from that
individual certifying his/her agreement
for you to access his/her records.
Without the above information the
component(s) may not be able to
conduct an effective search, and your
request may be denied due to lack of
specificity or lack of compliance with
applicable regulations.

Chief, Verification Division, USCIS,
Washington, DC 20528.

CONTESTING RECORD PROCEDURES:

NOTIFICATION PROCEDURE:

RECORD SOURCE CATEGORIES:

Individuals seeking notification of
and access to any record contained in
this system of records, or seeking to
contest its content, may submit a
request in writing to the USCIS,
Freedom of Information Act (FOIA)
Officer, whose contact information can
be found at http://www.dhs.gov/foia
under ‘‘FOIA Contact Information.’’ If
an individual believes more than one
component maintains Privacy Act
records concerning himself or herself,
the individual may submit the request
to the Chief Privacy Officer and Chief
Freedom of Information Act Officer,
Department of Homeland Security, 245
Murray Drive SW., Building 410, STOP–
0655, Washington, DC 20528.
When seeking records about yourself
from this system of records or any other
Departmental system of records, your
request must conform with the Privacy
Act regulations set forth in 6 CFR Part
5, Subpart B. You must first verify your
identity, meaning that you must provide
your full name, current address, and
date and place of birth. You must sign
your request, and your signature must
either be notarized or submitted under
28 U.S.C. § 1746, a law that permits
statements to be made under penalty of
perjury as a substitute for notarization.
While no specific form is required, you
may obtain forms for this purpose from
the Chief Privacy Officer and Chief
Freedom of Information Act Officer,

Records are obtained from several
sources including:
(A) Information collected from
employers about their employees
relating to employment eligibility
verification;
(B) Information collected from EVerify users used to provide account
access and monitoring;
(C) Information collected from Federal
and state databases listed below:
• SSA Numident System,
• Customs and Border Protection
(CBP) Arrival and Departure
Information System (ADIS),
• CBP Nonimmigrant Information
System (NIIS) and Border Crossing
Information (BCI),
• Immigration Customs and
Enforcement (ICE) Student and
Exchange Visitor Identification System
(SEVIS),
• ICE ENFORCE Integrated Database
(EID) Enforcement Alien Removal,
Module (EARM) Alien Number,
• USCIS Aliens Change of Address
System (AR–11),
• USCIS Central Index System (CIS),
• USCIS Customer Profile
Management System (CPMS),
• USCIS Computer-Linked
Application Information Management
System Version 3 (CLAIMS 3),
• USCIS Computer-Linked
Application Information Management
System Version 4 (CLAIMS 4),

VerDate Mar<15>2010

17:35 Aug 08, 2014

Jkt 232001

See ‘‘Notification procedure’’ above.

PO 00000

Frm 00089

Fmt 4703

Sfmt 4703

46857

• USCIS Citizenship and Immigration
Services Centralized Operational
Repository (CISCOR),
• USCIS National File Tracking
System (NFTS),
• USCIS Microfilm Digitization
Application System (MiDAS),
• USCIS Marriage Fraud Amendment
System (MFAS),
• USCIS Enterprise Document
Management System (EDMS),
• USCIS Refugees, Asylum, and
Parole System (RAPS),
• Department of State Consular
Consolidated Database (CCD),
• DOJ EOIR Case Access System,
• State Motor Vehicle
Administrations, if participating in the
E-Verify RIDE initiative,
(D) Information created by E-Verify,
and
(E) Information from individuals
seeking to check employment eligibility
and access to features concerning the
use of their information in E-Verify and
Self Check.
EXEMPTIONS CLAIMED FOR THE SYSTEM:

None.
Dated: July 31, 2014.
Karen L. Neuman,
Chief Privacy Officer, Department of
Homeland Security.
[FR Doc. 2014–18701 Filed 8–8–14; 8:45 am]
BILLING CODE 9111–97–P

DEPARTMENT OF HOMELAND
SECURITY
Office of the Secretary
[Docket No. DHS–2014–0039]

Privacy Act of 1974; Department of
Homeland Security/ALL–037 EAuthentication Records System of
Records
Privacy Office, Department of
Homeland Security.
ACTION: Notice of Privacy Act System of
Records.
AGENCY:

In accordance with the
Privacy Act of 1974, the Department of
Homeland Security proposes to
establish a new system of records titled,
Department of Homeland Security/ALL–
037 E-Authentication Records System of
Records. This system of records allows
the Department of Homeland Security to
collect, maintain, and retrieve records
about individuals, including members
of the public, who electronically
authenticate their identities. The
information in this system of records
includes data collected by programs and
applications for use when the
Department of Homeland Security or a

SUMMARY:

E:\FR\FM\11AUN1.SGM

11AUN1

46858

Federal Register / Vol. 79, No. 154 / Monday, August 11, 2014 / Notices

trusted third-party performs some or all
of the functions required to enroll,
issue, and maintain a credential on
DHS’s behalf that can be used by an
individual to electronically authenticate
his or her identity to DHS systems.
These programs and applications
include: The Department of Homeland
Security’s Homeland Security
Information Network, which is a trusted
network for homeland security mission
operations to share sensitive but
unclassified information used by
federal, state, local, tribal, territorial,
international, and private sector
homeland security partners to manage
operations, analyze data, and send alerts
and notices; the U.S. Citizenship and
Immigration Services E-Verify Self
Check, which is a free service that
allows individuals to learn about their
work authorization status information;
and the U.S. Citizenship and
Immigration Services myE-Verify,
which is a free service that allows
individuals to create an account and
access additional features beyond Self
Check concerning the use of their
personally identifiable information in EVerify and Self Check such as the ability
to lock a Social Security number to
prevent its use in E-Verify and Self
Check. Additional Department programs
or applications may also use third-party
authentication.
In addition, the Department of
Homeland Security also proposes to
consolidate the E-Verify Self Check
System of Records (DHS/USCIS–013),
last published in the Federal Register
on February 16, 2011 (76 FR 9604), into
this newly established E-Authentication
Records System of Records. As a result
of this consolidation, by this notice,
DHS intends to remove DHS/USCIS–013
from its inventory of systems of records.
The newly established system will be
included in the Department of
Homeland Security’s inventory of
record systems.
DATES: Written comments must be
submitted on or before September 10,
2014.
You may submit comments,
identified by Docket Number DHS–
2014–0039 by one of the following
methods:
• Federal e-Rulemaking Portal:
http://www.regulations.gov. Follow the
instructions for submitting comments.
• Fax: (202) 343–4010.
• Mail: Karen L. Neuman, Chief
Privacy Officer, Privacy Office, U.S.
Department of Homeland Security, 245
Murray Drive SW., Building 410, STOP–
0655, Washington, DC 20528.
Instructions: All submissions received
must include the agency name and

mstockstill on DSK4VPTVN1PROD with NOTICES

ADDRESSES:

VerDate Mar<15>2010

17:35 Aug 08, 2014

Jkt 232001

docket number for this rulemaking. All
comments received will be posted
without change to http://
www.regulations.gov, including any
personal information provided.
Docket: For access to the docket to
read background documents or
comments received go to http://
www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: For
general and privacy related questions
please contact: Karen L. Neuman (202–
343–1717), Chief Privacy Officer,
Privacy Office, U.S. Department of
Homeland Security, 245 Murray Drive
SW., Building 410, STOP–0655,
Washington, DC 20528.
SUPPLEMENTARY INFORMATION:
I. Background
In accordance with the Privacy Act of
1974, 5 U.S.C. 552a, the Department of
Homeland Security (DHS) proposes to
establish a new DHS system of records
titled, ‘‘DHS/ALL–037 E-Authentication
Records System of Records.’’ The
collection and maintenance of
information within this system of
records assists DHS in enrolling,
issuing, and maintaining credentials
(e.g., online accounts) for individuals
seeking electronic access to DHS
programs, services, and applications,
including when DHS uses a trusted
third-party identity service provider for
these activities. DHS may perform some
or all credential management functions
(e.g., identity proofing, manage
authentication tokens, authenticate
users) on its own, choose a single thirdparty to perform all functions, or use
multiple providers for each discrete
function. This system of records notice
is agnostic as to how DHS applications
or systems using electronic
authentication wish to engage with
third-parties.
DHS has many public-facing programs
that provide online access to its services
at various levels of assurance, as
described in the Office of Management
and Budget (OMB) E-Authentication
Guidance for Federal Agencies (M–04–
04). OMB defines four levels of
assurance (LOA), Levels 1 to 4, in terms
of the consequences resultant from
authentication errors or misuse of
credentials. Level 1 is the lowest
assurance level, and Level 4 is the
highest. For example, an authentication
error may occur if an individual gains
access to sensitive information he or she
is not entitled to access. Depending on
the context and the sensitivity of the
information accessed, the consequences
of such an authentication error could
pose significant harm to other
individuals and/or to the affected

PO 00000

Frm 00090

Fmt 4703

Sfmt 4703

agency. As the consequences of an
authentication error become more
serious, the required LOA increases.
In order to facilitate access,
information must be collected to
authenticate an individual’s identity at
the requisite level of assurance for the
purpose of obtaining a credential or
electronically authorizing access to a
DHS program or application. These
programs and applications include:
DHS’s Homeland Security Information
Network (HSIN), which is a trusted
network for homeland security mission
operations to share sensitive but
unclassified information used by
federal, state, local, tribal, territorial,
international, and private sector
homeland security partners to manage
operations, analyze data, and send alerts
and notices; the U.S. Citizenship and
Immigration Services (USCIS) E-Verify
Self Check, which is a free service that
allows individuals to learn about their
work authorization status information;
and USCIS myE-Verify, which is a free
service that allows individuals to create
an account and exercise limited control
about the use of their information in EVerify Self Check. HSIN, E-Verify Self
Check, and myE-Verify use trusted
third-party identity service providers to
perform credential management
functions.
Identity proofing is the process by
which an identity service provider
collects and verifies information (e.g.,
name, date of birth, Social Security
number (SSN), address of residence)
about a person for the purpose of
issuing credentials to that person.
Third-party identity service providers
use a variety of verification techniques,
including knowledge-based
authentication, to generate a quiz
containing questions that only the
individual should be able to answer.
When using the knowledge-based
authentication process the third-party
identity provider generates a quiz based
on commercial identity verification
information collected by the thirdparties from financial institutions,
public records, and other service
providers. The information accessed by
the third-parties includes information
such as the individual’s commercial
transaction history, mortgage payments,
addresses, or past addresses. DHS does
not have access to the commercial
identity verification information, the
quiz questions asked of the individual,
or the responses provided thereto;
therefore this commercial information is
not included in this system of records.
Rather, DHS receives assertions (e.g.,
pass/fail) and assertion references (e.g.,
transaction ID, date/time of the
transaction, and error codes) from the

E:\FR\FM\11AUN1.SGM

11AUN1

mstockstill on DSK4VPTVN1PROD with NOTICES

Federal Register / Vol. 79, No. 154 / Monday, August 11, 2014 / Notices
identity service provider to facilitate
troubleshooting and system
management. DHS maintains attributes
(e.g., clearances, location, biometrics,
and group memberships) collected for
identity proofing only when necessary
for the DHS program to manage the
credential.
DHS may request verified attributes
about an individual from the third-party
depending on the program or
application’s requirements. For any
attribute DHS requests from the thirdparty, DHS will ask the user if he or she
wishes to share the requested
information with DHS prior to gaining
access to the DHS online system or
application. The user can select to optin, meaning he or she will allow DHS
access to his or her attribute information
from the third-party in order for him or
her to gain access to the DHS system. If
the third-party cannot generate a quiz,
or if the individual cannot answer the
questions provided, the individual may
not be able to access program or
application.
DHS may share attribute information
with trusted third-party identity service
providers under contract with DHS or
certified by the Federal Identity
Management Credential and Access
Management (FICAM) initiative for the
purpose of authenticating an individual
seeking a credential with DHS. More
information about FICAM is available at
www.idmanagment.gov. Attributes
provided to the relying party are limited
to: (1) Making authorization decisions;
(2) dynamically provisioning accounts;
and (3) performing audit logging. The
transaction may be included in the
individual’s credit record as a ‘‘soft
inquiry’’ that does not impact the
individual’s credit score when the
identity service provider is a credit
bureau or uses a credit bureau to
conduct identity proofing. The ‘‘soft
inquiry’’ is not viewable by third
parties. DHS may also share attribute
information with ‘‘relying parties’’
approved by the National Information
Exchange Federation (NIEF) Trust
Framework Provider who provide
federated access to systems. More
information about NIEF is available at
https://nief.gfipm.net/.
In accordance with the Privacy Act of
1974, DHS is giving notice that it
proposes to issue a new DHS system of
records notice titled, DHS/ALL–037
E-Authentication Records System of
Records. In addition DHS proposes to
consolidate the E-Verify Self Check
System of Records (DHS/USCIS–013)
into this newly-established system of
records. As a result of this
consolidation, by this notice, DHS
intends to remove DHS/USCIS–013

VerDate Mar<15>2010

17:35 Aug 08, 2014

Jkt 232001

from its inventory of systems of records.
This newly established system will be
included in DHS’s inventory of record
systems.
II. Privacy Act
The Privacy Act embodies fair
information principles in a statutory
framework governing the means by
which the federal government agencies
collect, maintain, use, and disseminate
individuals’ records. The Privacy Act
applies to information that is
maintained in a ‘‘system of records.’’ A
‘‘system of records’’ is a group of any
records under the control of an agency
from which information is retrieved by
the name of an individual or by some
identifying number, symbol, or other
identifying particular assigned to the
individual. In the Privacy Act, an
individual is defined to encompass
United States citizens and lawful
permanent residents. As a matter of
policy, DHS extends administrative
Privacy Act protections to all
individuals when systems of records
maintain information on U.S. citizens,
lawful permanent residents, and
visitors. Individuals may request access
to their own records that are maintained
in a system of records in the possession
or under the control of DHS by
complying with DHS Privacy Act
regulations, 6 CFR part 5.
The Privacy Act requires each agency
to publish in the Federal Register a
description denoting the type and
character of each system of records that
the agency maintains, and the routine
uses that are contained in each system
in order to make agency record keeping
practices transparent, to notify
individuals regarding the uses to which
their records are put, and to assist
individuals to more easily find such
files within the agency. Below is the
description of DHS/ALL–037
E-Authentication Records System of
Records.
In accordance with 5 U.S.C. 552a(r),
DHS has provided a report of this
system of records to the Office of
Management and Budget and to
Congress.
System of Records:

Department of Homeland Security
(DHS)/ALL–037.
SYSTEM NAME:

DHS/ALL–037 E-Authentication
Records System of Records.
SECURITY CLASSIFICATION:

Sensitive but unclassified.
SYSTEM LOCATION:

Records are maintained at several
Headquarters locations and in

PO 00000

Frm 00091

Fmt 4703

Sfmt 4703

46859

component offices of DHS, in both
Washington, DC, and field locations or
by a third-party identity service
provider. Records related to identity
proofing required for levels of assurance
(LOA) 2 and above are also maintained
by the third-party identity service
provider in accordance with retention
requirements identified in the National
Institute of Standards and Technology
(NIST) Special Publication 800–63
Electronic Authentication Guideline for
the applicable LOA.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:

Categories of individuals in this
system of records include members of
the public, external stakeholders, and
federal employees or contractors seeking
electronic access to DHS programs and
applications. This includes anyone
attempting to authenticate his or her
identity for the purpose of obtaining a
credential to access a DHS program or
application electronically, including
when the program or application uses a
third-party identity service provider to
perform some or all credential
management functions (e.g., prove
identity, manage authentication tokens,
authenticate users).
CATEGORIES OF RECORDS IN THE SYSTEM:

• Attributes DHS or a third-party
identity service provider collects
necessary to perform identity proofing
at the required level of assurance.
Attributes are only retained in this
system of records if it is necessary for
the program to manage the credential.
Examples of attributes collected for
identity proofing information include:
Æ Name (last, first, middle, and
maiden);
Æ Date of birth;
Æ Place of birth;
Æ Financial or utility account
number;
Æ Address of residence;
Æ Social Security number (SSN)—full
or partial (may be optional depending
on the application);
Æ Telephone number—(may be
optional depending on the application);
and
Æ Country of Citizenship.
• Assertions and assertion references
from a third-party identity service
provider such as:
Æ Transaction ID;
Æ Pass/fail indicator;
Æ Date/time of the transaction;
Æ Codes associated with the
transaction;
• Information DHS or third-parties
collect necessary to register, issue, and
maintain the credential (e.g., to
administer multi-factor authentication)

E:\FR\FM\11AUN1.SGM

11AUN1

mstockstill on DSK4VPTVN1PROD with NOTICES

46860

Federal Register / Vol. 79, No. 154 / Monday, August 11, 2014 / Notices

including verified attributes the identity
service provider maintains or passes to
DHS after a user successfully passes
identity proofing such as:
Æ Name;
Æ Email addresses;
Æ User ID;
Æ Passwords;
Æ Phone numbers (primary, alternate,
mobile, home, work, landline);
Æ Two-factor authentication
preference (SMS text message, email,
phone number for interactive voice
response);
Æ Self-generated security questions
and answers;
Æ Level of access;
• Credential registration information
DHS collects manually that is necessary
to perform manual identity verification
in cases in which an individual cannot
electronically prove his or her identity.
Note that some identity proofing
information (e.g., copies of governmentissued photo identification) is retained
in this system of records only if it is
necessary for DHS to manage the
credential.
• Other program-specific attribute
information DHS or the identity service
provider collects directly on behalf of
DHS may include:
Æ Citizenship;
Æ Accepted Terms of Service (Y/N);
Æ Employment information such as
job title, job role, organization;
Æ Business and affiliations;
Æ Faculty positions held;
Æ Home addresses;
Æ Business addresses;
Æ Justification/nomination for access
to DHS computers, networks, or
systems;
Æ Supervisor/nominator’s name, job
title, organization, phone numbers,
email address;
Æ Verification of training
requirements or other prerequisite
requirements for access to DHS
computers, networks, or systems;
Æ Government-issued identity
document type and expiration date;
• Records on access to DHS
computers, networks, online programs,
and applications including user ID and
passwords;
Æ Registration numbers or IDs
associated with DHS Information
Technology (IT) resources;
Æ Date and time of access;
Æ Logs of activity interacting with
DHS IT resources;
Æ Internet Protocol (IP) address of
access;
Æ Logs of internet activity; and
Æ Records on the authentication of
the access request, names, phone
numbers of other contacts, and positions
or business/organizational affiliations

VerDate Mar<15>2010

17:35 Aug 08, 2014

Jkt 232001

and titles of individuals who can verify
that the individual seeking access has a
need to access the system, as well as
other contact information provided to
the Department or that is derived from
other sources to facilitate authorized
access to DHS IT resources.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

44 U.S.C. 3101; EO 9397 (SSN), as
amended by EO 13487; 44 U.S.C. 3534;
Illegal Immigration Reform and
Immigrant Responsibility Act of 1996
(IIRIRA), Public Law (Pub. L.) 104–208,
September 30, 1996, Note Section 404.
Additional programmatic authorities
may apply to maintenance of the
credential.
PURPOSE(S):

This system collects information in
order to authenticate an individual’s
identity for the purpose of obtaining a
credential to electronically access a DHS
program or application. This system
includes DHS programs or applications
that use a third-party identity service
provider to provide any of the following
credential services: Registration,
including identity proofing, issuance,
authentication, authorization, and
maintenance. This system collects
information that allows DHS to track the
use of programs and applications for
system maintenance and
troubleshooting. The system also
enables DHS to allow an individual to
reuse a credential received when
applicable and available.
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES:

In addition to those disclosures
generally permitted under 5 U.S.C.
§ 552a(b) of the Privacy Act, all or a
portion of the records or information
contained in this system may be
disclosed outside DHS as a routine use
pursuant to 5 U.S.C. § 552a(b)(3), as
follows:
A. To the Department of Justice (DOJ),
including Offices of the U.S. Attorneys,
or other federal agency conducting
litigation or in proceedings before any
court, adjudicative, or administrative
body, when it is relevant or necessary to
the litigation and one of the following
is a party to the litigation or has an
interest in such litigation:
1. DHS or any component thereof;
2. Any employee or former employee
of DHS in his/her official capacity;
3. Any employee or former employee
of DHS in his/her individual capacity
when DOJ or DHS has agreed to
represent the employee; or
4. The U.S. or any agency thereof.
B. To a congressional office from the
record of an individual in response to

PO 00000

Frm 00092

Fmt 4703

Sfmt 4703

an inquiry from that congressional office
made at the request of the individual to
whom the record pertains.
C. To the National Archives and
Records Administration (NARA) or
General Services Administration
pursuant to records management
inspections being conducted under the
authority of 44 U.S.C. 2904 and 2906.
D. To an agency or organization for
the purpose of performing audit or
oversight operations as authorized by
law, but only such information as is
necessary and relevant to such audit or
oversight function.
E. To appropriate agencies, entities,
and persons when:
1. DHS suspects or has confirmed that
the security or confidentiality of
information in the system of records has
been compromised;
2. DHS has determined that as a result
of the suspected or confirmed
compromise, there is a risk of identity
theft or fraud, harm to economic or
property interests, harm to an
individual, or harm to the security or
integrity of this system or other systems
or programs (whether maintained by
DHS or another agency or entity) that
rely upon the compromised
information; and
3. The disclosure made to such
agencies, entities, and persons is
reasonably necessary to assist in
connection with DHS’s efforts to
respond to the suspected or confirmed
compromise and prevent, minimize, or
remedy such harm.
F. To contractors and their agents,
grantees, experts, consultants, and
others performing or working on a
contract, service, grant, cooperative
agreement, or other assignment for DHS,
when necessary to accomplish an
agency function related to this system of
records. Individuals provided
information under this routine use, are
subject to the same Privacy Act
requirements and limitations on
disclosure as are applicable to DHS
officers and employees.
G. To an appropriate federal, state,
tribal, local, international, or foreign law
enforcement agency or other appropriate
authority charged with investigating or
prosecuting a violation or enforcing or
implementing a law, rule, regulation, or
order, when a record, either on its face
or in conjunction with other
information, indicates a violation or
potential violation of law, which
includes criminal, civil, or regulatory
violations and such disclosure is proper
and consistent with the official duties of
the person making the disclosure.
H. To sponsors, employers,
contractors, facility operators, grantees,
experts, and consultants in connection

E:\FR\FM\11AUN1.SGM

11AUN1

Federal Register / Vol. 79, No. 154 / Monday, August 11, 2014 / Notices

Information is retrieved, sorted, or
searched by an identification number
assigned by computer, by SSN (if
maintained by the program), by facility,
by business affiliation, by email address,
or by the name of the individual, or
other data fields previously identified in
this SORN. Note that when DHS uses a
third-party identity service provider for
identity proofing, data elements
collected by the third party on DHS’s
behalf are not retained by DHS unless
specifically required by the program or
application.

are destroyed or deleted six years after
the user account is terminated or
password is altered, or when no longer
needed for investigative or security
purposes, whichever is later.
In addition, in accordance with NIST
SP–800–63–2, a record of the
registration, history, and status of each
token and credential (including
revocation) is maintained by the
credential service provider (CSP) or its
representative. The record retention
period of data for Level 2 and 3
credentials is seven years and six
months beyond the expiration or
revocation (whichever is later). The
minimum record retention period for
Level 4 credential data is ten years and
six months beyond the expiration or
revocations of the credential.

SAFEGUARDS:

SYSTEM MANAGER AND ADDRESS:

The System Manager is the Chief
Information Officer (CIO), Department
of Homeland Security, Washington, DC
20528.

POLICIES AND PRACTICES FOR STORING,
RETRIEVING, ACCESSING, RETAINING, AND
DISPOSING OF RECORDS IN THE SYSTEM:

Information in this system is
safeguarded in accordance with
applicable laws, rules and policies,
including the DHS IT Security Program
Handbook and DHS Information
Security Program Policy and Handbook.
DHS uses trusted identity service
providers including those certified
through the Trust Framework Adoption
Process by Federal Identity Credential
and Access Management (FICAM). The
DHS/ALL–037 E-Authentication
Records system of records security
protocols also meet multiple NIST
Security Standards from Authentication
to Certification and Accreditation.
Records in the DHS/ALL–037 EAuthentication Records system of
records will be maintained in a secure,
password-protected, electronic system
that uses security hardware and
software including: Multiple firewalls,
active intruder detection, and role-based
access controls. Additional safeguards
vary by component and program. All
records are protected from unauthorized
access through appropriate
administrative, physical, and technical
safeguards. These safeguards include
restricting access to authorized
personnel who have a ‘‘need to know,’’
using locks and password protection
identification features. Classified
information is appropriately stored in
accordance with applicable
requirements. DHS file areas are locked
after normal duty hours and the
facilities are protected from the outside
by security personnel.

STORAGE:

RETENTION AND DISPOSAL:

Records in this system are on paper or
in digital or other electronic form.
Digital and other electronic images are
stored on a storage area network in a
secured environment. Records, whether
paper or electronic, are stored at the

Records are securely retained and
disposed of in accordance with the
NARA’s General Records Schedule
(GRS) 24, section 6, ‘‘User
Identification, Profiles, Authorizations,
and Password Files.’’ Inactive records

with establishing, maintaining, or
managing an access account for an
individual or maintaining appropriate
points of contact.
I. To relying parties approved by the
National Information Exchange
Federation (NIEF) Trust Framework
Provider for the purpose of providing
federated access to systems when the
user has been provided with appropriate
notice and the opportunity to consent.
Attributes provided to the relying party
are limited to: (1) making authorization
decisions; (2) dynamically provisioning
accounts; and (3) performing audit
logging.
J. To international, federal, state and
local, tribal, private and/or corporate
entities for the purpose of the regular
exchange of business contact
information in order to facilitate
collaboration for official business.
K. To a trusted third-party identity
service provider under contract with
DHS or certified by the Federal Identity
Management Credential and Access
Management initiative for the purpose
of authenticating an individual seeking
a credential with DHS. The information
may be included in the individual’s
credit record as a ‘‘soft inquiry’’ that
does not impact the individual’s credit
score when the identity service provider
is a credit bureau or uses a credit bureau
to conduct identity proofing. The ‘‘soft
inquiry’’ is not viewable by third
parties.
L. To the news media and the public,
with the approval of the Chief Privacy
Officer in consultation with counsel,
when there exists a legitimate public
interest in the disclosure of the
information, when disclosure is
necessary to preserve confidence in the
integrity of DHS, or when disclosure is
necessary to demonstrate the
accountability of DHS’s officers,
employees, or individuals covered by
the system, except to the extent the
Chief Privacy Officer determines that
release of the specific information in the
context of a particular case would
constitute an unwarranted invasion of
personal privacy.
DISCLOSURE TO CONSUMER REPORTING
AGENCIES:

mstockstill on DSK4VPTVN1PROD with NOTICES

None.

VerDate Mar<15>2010

17:35 Aug 08, 2014

Jkt 232001

DHS Headquarters, at the component
level, or at the third-party identity
service provider’s physical or cloud
location.

46861

RETRIEVABILITY:

PO 00000

Frm 00093

Fmt 4703

Sfmt 4703

NOTIFICATION PROCEDURE:

Individuals seeking notification of
and access to any record contained in
this system of records, or seeking to
contest its content, may submit a
request in writing to the Headquarters or
component’s FOIA Officer, whose
contact information can be found at
http://www.dhs.gov/foia under
‘‘contacts.’’ If an individual believes
more than one component maintains
Privacy Act records concerning him or
her, the individual may submit the
request to the Chief Privacy Officer and
Chief Freedom of Information Act
Officer, Privacy Office, Department of
Homeland Security, 245 Murray Drive
SW., Building 410, STOP–0655,
Washington, DC 20528.
When seeking records about yourself
from this system of records or any other
Departmental system of records, your
request must conform with the Privacy
Act regulations set forth in 6 CFR Part
5. You must first verify your identity,
meaning that you must provide your full
name, current address and date and
place of birth. You must sign your
request, and your signature must either
be notarized or submitted under 28
U.S.C. 1746, a law that permits
statements to be made under penalty of
perjury as a substitute for notarization.
While no specific form is required, you
may obtain forms for this purpose from
the Chief Privacy Officer and Chief
Freedom of Information Act Officer,
http://www.dhs.gov or 1–866–431–0486.
In addition you should:
• Explain why you believe the
Department would have information on
you;

E:\FR\FM\11AUN1.SGM

11AUN1

46862

Federal Register / Vol. 79, No. 154 / Monday, August 11, 2014 / Notices

• Identify which component(s) of the
Department you believe may have the
information about you;
• Specify when you believe the
records would have been created; and
• Provide any other information that
will help the FOIA staff determine
which DHS component agency may
have responsive records.
If your request is seeking records
pertaining to another living individual,
you must include a statement from that
individual certifying his/her agreement
for you to access his/her records.
Without the above information the
component(s) may not be able to
conduct an effective search, and your
request may be denied due to lack of
specificity or lack of compliance with
applicable regulations.
RECORD ACCESS PROCEDURES:

See ‘‘Notification procedure’’ above.
CONTESTING RECORD PROCEDURES:

See ‘‘Notification procedure’’ above.
RECORD SOURCE CATEGORIES:

Information contained in this system
is obtained from affected individuals,
organizations, facilities, trusted thirdparty identity service providers (which
may use commercial identity
verification information not accessed or
maintained by DHS to perform
knowledge-based authentication),
public source data, other government
agencies, or information already in other
DHS records systems.
EXEMPTIONS CLAIMED FOR THE SYSTEM:

None.
Dated: July 31, 2014.
Karen L. Neuman,
Chief Privacy Officer, Department of
Homeland Security.
[FR Doc. 2014–18703 Filed 8–8–14; 8:45 am]
BILLING CODE 9110–9B–P

DEPARTMENT OF HOMELAND
SECURITY
Office of the Secretary

mstockstill on DSK4VPTVN1PROD with NOTICES

[Docket No. DHS–2014–0038]

Privacy Act of 1974; Department of
Homeland Security Transportation
Security Administration—002
Transportation Security Threat
Assessment System System of
Records
Privacy Office, Department of
Homeland Security.
ACTION: Notice to update an existing
Privacy Act System of Records.
AGENCY:

In accordance with the
Privacy Act of 1974, the Department of

SUMMARY:

VerDate Mar<15>2010

17:35 Aug 08, 2014

Jkt 232001

Homeland Security proposes to update
and reissue a current Department of
Homeland Security system of records
titled, ‘‘Department of Homeland
Security/Transportation Security
Administration—002 Transportation
Security Threat Assessment System of
Records.’’ This system of records allows
the Department of Homeland Security/
Transportation Security Administration
to collect and maintain records related
to security threat assessments,
employment investigations, and
evaluations that the Transportation
Security Administration conducts on
certain individuals for security
purposes. For example, individuals who
apply for a Transportation Worker
Identification Credential or a Hazardous
Materials Endorsement must undergo a
security threat assessment, and records
associated with the assessment are
covered by this system.
TSA is making modifications to the
‘‘Purposes’’ section of the system of
records to reflect the Department of
Homeland Security’s use of information
to more readily and effectively carry out
the Department of Homeland Security’s
national security, law enforcement,
immigration, and benefits missions.
Also, two categories of records that were
previously listed in the ‘‘Categories of
individuals covered by the system’’
section are being moved to the
‘‘Categories of records’’ section. Finally,
this notice includes non-substantive
changes to simplify the formatting and
text of the previously published notice.
Portions of this system are exempt
under 5 U.S.C. 552a(k)(1) and (k)(2) as
reflected in the final rule published in
the Federal Register on June 25, 2004.
This updated system will continue to
be included in the Department of
Homeland Security’s inventory of
record systems.
DATES: Submit comments on or before
September 10, 2014. This updated
system will be effective September 10,
2014.
ADDRESSES: You may submit comments,
identified by docket number DHS–
2014–0038 by one of the following
methods:
• Federal e-Rulemaking Portal:
http://www.regulations.gov. Follow the
instructions for submitting comments.
• Fax: 202–343–4010.
• Mail: Karen L. Neuman, Chief
Privacy Officer, Privacy Office,
Department of Homeland Security,
Washington, DC 20528.
Instructions: All submissions received
must include the agency name and
docket number for this rulemaking. All
comments received will be posted
without change to http://

PO 00000

Frm 00094

Fmt 4703

Sfmt 4703

www.regulations.gov, including any
personal information provided.
Docket: For access to the docket to
read background documents or
comments received, please visit http://
www.regulations.gov.
FOR FURTHER INFORMATION CONTACT: For
general questions, please contact: Peter
Pietra, Privacy Officer, Transportation
Security Administration, TSA–36, 601
South 12th Street, Arlington, VA,
20598–6036, or [email protected].
For privacy issues please contact: Karen
L. Neuman, (202) 343–1717, Chief
Privacy Officer, Privacy Office,
Department of Homeland Security,
Washington, DC 20528.
SUPPLEMENTARY INFORMATION:
I. Background
In accordance with the Privacy Act of
1974, 5 U.S.C. 552a, the Department of
Homeland Security (DHS)
Transportation Security Administration
(TSA) proposes to update and reissue a
current DHS system of records notice
titled, ‘‘DHS/TSA—002 Transportation
Security Threat Assessment System of
Records.’’
TSA’s mission is to protect the
nation’s transportation systems to
ensure freedom of movement for people
and commerce. To achieve this mission,
TSA is required to develop and adapt its
security programs to respond to
evolving threats to transportation
security. The Security Threat
Assessment System contains records
related to security threat assessments,
employment investigations, and
evaluations DHS/TSA conducts on
certain individuals for security
purposes. The information is collected
to conduct security threat assessments
on individuals to ensure they do not
pose, and are not suspected of posing,
a threat to transportation or national
security. For example, individuals who
apply for a Transportation Worker
Identification Credential or a Hazardous
Materials Endorsement must undergo a
security threat assessment and are
covered by this system.
TSA is making the following
modifications:
• TSA is updating the Purpose(s)
section to reflect the use of information
by DHS to more readily and effectively
carry out DHS’s national security, law
enforcement, immigration, and benefits
missions.
• TSA is updating the Categories of
Records section to include two
categories of records that were
previously listed in the ‘‘Categories of
individuals covered by the system’’
section. These categories are records
concerning the following individuals: (i)

E:\FR\FM\11AUN1.SGM

11AUN1


File Typeapplication/pdf
File Modified2015-12-22
File Created2015-12-22

© 2024 OMB.report | Privacy Policy