[Federal Register Volume 88, Number 55 (Wednesday, March 22, 2023)]
[Notices]
[Pages 17219-17222]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2023-05806]


-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-10616-01-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support (OMS), Environmental Protection 
Agency (EPA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The U.S. Environmental Protection Agency's (EPA) Office of 
Mission Support (OMS) is giving notice that it proposes to modify a 
system of records pursuant to the provisions of the Privacy Act of 
1974. The Office of Administrative Services Information System (OASIS) 
is being modified to update safeguard infrastructure and security 
measures, and add Routine Uses.

DATES: Persons wishing to comment on this system of records notice must 
do so by April 21, 2023. New routine uses for this modified system of 
records will be effective April 21, 2023.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OEI-2006-0633, by one of the following methods:
    Federal eRulemaking Portal: https://www.regulations.gov. Follow the 
online instructions for submitting comments.
    Email: [email protected]. Include the Docket ID number in the 
subject line of the message.
    Fax: (202) 566-1752.
    Mail: OMS Docket, Environmental Protection Agency, Mail Code: 
2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
    Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 
1301 Constitution Ave. NW, Washington, DC 20460. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-
2006-0633. The EPA's policy is that all comments received will be 
included in the public docket without change and may be made available 
online at https://www.regulations.gov, including any personal 
information provided, unless the comment includes information claimed 
to be Controlled Unclassified Information (CUI) or other information 
for which disclosure is restricted by statute. Do not submit 
information that you consider to be CUI or otherwise protected through 
https://www.regulations.gov. The https://www.regulations.gov website is 
an ``anonymous access'' system for the EPA, which means the EPA will 
not know your identity or contact information. If you submit an 
electronic comment, the EPA recommends that you include your name and 
other contact information in the body of your comment. If the EPA 
cannot read your comment due to technical difficulties and cannot 
contact you for clarification, the EPA may not be able to consider your 
comment. If you send an email comment directly to the EPA without going 
through https://www.regulations.gov, your email address will be 
automatically captured and included as part of the comment that is 
placed in the public docket and made available on the internet. 
Electronic files should avoid the use of special characters, any form 
of encryption, and be free of any defects or viruses. For additional 
information about the EPA public docket, visit the EPA Docket Center 
homepage at https://www.epa.gov/dockets.
    Docket: All documents in the docket are listed in the https://www.regulations.gov index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket

[[Page 17220]]

materials are available either electronically in https://www.regulations.gov or in hard copy at the OMS Docket, EPA/DC, WJC West 
Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC 20460. 
The Public Reading Room is normally open from 8:30 a.m. to 4:30 p.m., 
Monday through Friday excluding legal holidays. The telephone number 
for the Public Reading Room is (202) 566-1744, and the telephone number 
for the OMS Docket is (202) 566-1752. Further information about EPA 
Docket Center services and current operating status is available 
athttps://www.epa.gov/dockets.

FOR FURTHER INFORMATION CONTACT: James Cunningham, 
[email protected], 202-564-7212; Jackie Brown, 
[email protected], 202-564-0313; or [email protected].

SUPPLEMENTARY INFORMATION: EPA uses OASIS as a secure platform to 
provide software services to EPA employees using EPA's intranet, 
including a secure database for the software modules the system 
supports. EPA is updating this SORN to reflect how OASIS has modernized 
its operating system platform, implemented a more secure method for 
user authentication, and completed a review and update to the software 
modules the system supports. EPA is removing the following OASIS 
software modules that are no longer in use: Physical Security; 
Warehouse Management; Fitness Center Management; Combo Locks, 
Incidents, Keys and Safe System; and Personnel Security System. EPA is 
updating the following OASIS software modules with no impact to 
personally identifiable information (PII): Building Service Desk, 
Credential Badging, Driver Tracking, Mail Center, National Security 
Information, and Parking System (previously Parking and Transit 
System). EPA is adding the following OASIS software modules with no 
addition of new PII data elements: Environmental Health and Safety, HQ 
Project Management, Incident Reporting, Print Request Form, Print 
Request Tracking, PSS1 Archive, Transit Management, Transit Subsidy 
Program Enrollment, USA Performance (USAP), and User Management. All 
OASIS modules were updated to incorporate Multi-Factor Authentication 
(MFA). Additionally, EPA is updating this SORN to add Routine Uses L 
and M per updated OMB requirements.

SYSTEM NAME AND NUMBER:
    Office of Administrative Services Information System (OASIS), EPA-
41.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The system is managed by the Office of Mission Support, EPA, 1301 
Constitution Ave. NW, Washington, DC 20460. Electronically stored 
information is hosted at the EPA National Computer Center (NCC), 109 TW 
Alexander Drive, Research Triangle Park, Durham, NC 27711.

SYSTEM MANAGER(S):
    James Cunningham, Information Technology Project Manager, 1301 
Constitution Ave. NW, Washington, DC 20460, [email protected]. 
Jackie Brown, Information System Security Officer, 1301 Constitution 
Ave. NW, Washington, DC 20460, [email protected].

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    E-Government Act of 2002 (Pub. L. 104-347); the Paperwork Reduction 
Act of 1995, as amended (44 U.S.C. 3501, et seq.); Executive Order 
13571--Streamlining Service Delivery and Improving Customer Service 
(April 2011).

PURPOSE(S) OF THE SYSTEM:
    The purpose of OASIS is to administer and manage administrative 
resources for the EPA. There are nineteen OASIS software modules. Each 
module's business purpose is described in the following table:

------------------------------------------------------------------------
       OASIS software module                  Business purpose
------------------------------------------------------------------------
Building Service Desk.............  Manage Headquarters building
                                     maintenance and service calls.
Credential Badging................  Generate and manage issuance and
                                     expiration of Credential badges
                                     used to access restricted EPA labs.
Driver Tracking...................  Manage EPA Headquarters executive
                                     motor pool fleet of vehicles and
                                     track and report on EPA vehicle
                                     usage trends.
Environmental, Health and Safety..  Track and report environmental,
                                     health and safety regulatory
                                     compliance.
EPA Automotive Statistical Tool     Manage EPA's fleet life-cycle data
 (AST).                              such as acquisition costs, vehicle
                                     identification, operating costs,
                                     fuel consumption, and disposal
                                     proceeds.
Federal Real Property Profile       Facilitate yearly submission of the
 (FRPP).                             Federal Real Property Profile
                                     (FRPP) data to the General Services
                                     Administration (GSA).
HQ Project Management.............  Provide Facility Management Services
                                     Division with the capability to
                                     manage EPA Headquarters facility
                                     projects.
Incident Reporting................  Provide security incident reporting
                                     system for EPA Headquarters.
Mail Center.......................  Record and track postal transaction
                                     costs associated with the Agency's
                                     incoming and outgoing mail and
                                     reconcile the costs with the Office
                                     of the Chief Financial Officer
                                     (OCFO) financial system.
National Security Information.....  Support EPA Security Management
                                     Division (SMD) in implementing the
                                     agency's national security
                                     information program.
Parking System....................  Manage EPA Headquarters parking
                                     spaces.
Print Request Form................  Provide EPA Headquarters employees
                                     with the capability to submit
                                     document print requests.
Print Request Tracking............  Track and maintain information for
                                     Headquarters Print Job Orders and
                                     manage Print Shop costs associated
                                     with these orders.
PSS1 Archive......................  Provide SMD Physical Security Branch
                                     (PSB) the capability to read legacy
                                     Personnel Security System data.
Real Estate Management............  Manage EPA real property assets.
Transit Management................  Provide Facility Management Services
                                     Divison (FMSD) with the capability
                                     to manage EPA Headquarters employee
                                     Transit Subsidy accounts.
Transit Subsidy Program Enrollment  Provide Headquarters employees with
                                     the capability to register and
                                     update their Transit Subsidy
                                     accounts.
USA Performance...................  Provide application programming
                                     interface (API) access to the
                                     Office of Personnel Management
                                     (OPM) USA Performance (USAP) System
                                     to maintain performance related
                                     data for EPA employees.
User Management...................  Manage user access and roles for
                                     OASIS software modules.
------------------------------------------------------------------------


[[Page 17221]]

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals covered by this system include current 
and former Agency federal employee, contractors, grantees, interns, and 
volunteers.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Categories of records include: personal information such as name, 
home address, telephone number, workforce ID, work location, position, 
date of birth, city of birth, and Social Security Number (SSN); work-
related information such as work address, work telephone number, 
organization/office assignment, application role(s), email address, and 
company name; personnel security records such as the results of a 
background investigation, and information derived from documents used 
to verify applicant's identity; security incident related information 
such as names, incident date, type, description, contact information, 
employment type; physical security information such as building 
vulnerabilities, mitigations, costs associated with mitigation, and 
risk designation levels at various EPA locations; driver tracking 
information such as EPA vehicle license plate numbers, service records, 
driver name, trip type, pickup date, and number of passengers utilizing 
Agency buses; parking and transit information such as carpool members' 
names, addresses, work addresses, license plate numbers, and type of 
cars as well as transit subsidy information such as subsidy amount, 
possession of a registered Smart Trip card, and serial number of Smart 
Trip card if registered; Mail Center Management information used to 
track registered mail, including mailing address of the recipient and 
sender, name of individual who signed for the piece of mail, date and 
time mail was signed for, and costs of postage for each office; 
printing information such as name and telephone number of the office 
requesting print jobs, the budget associated with the print job, and 
completion and delivery of the print job; physical asset information 
such as asset name, ID, type, location, address, legal interest, 
primary use and disposition; and print request information such as 
originator name, work phone number, mail code, title, statistics, data 
requested, date submitted, and estimated cost.

RECORD SOURCE CATEGORIES:
    Personnel information is obtained from EPA's Office of Human 
Resources (OHR). Remaining information is obtained from users and 
managers for each OASIS module.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The routine uses below are both related to and compatible with the 
original purpose for which the information was collected. The following 
general routine uses apply to this system (86 FR 62527): A, B, C, D, E, 
F, G, H, I, J, K, L, and M.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Records are maintained electronically on computer storage devices, 
located at U.S. EPA National Computer Center, 109 T.W. Alexander Drive, 
Research Triangle Park, NC 27711. Paper records are not collected nor 
maintained for OASIS.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Only users authorized to use the National Security Information 
(NSI) module can retrieve information by SSN. Other modules require one 
or more of the following fields to retrieve records: Name, Work Force 
ID, LAN ID, Personnel ID, Email Address, Smart Trip Number, Incident 
Number, Business Service Desk (BSD) Ticket Number, Asset ID, or Project 
Number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are retained and disposed of in accordance with EPA's 
records control schedule approved by the National Archives and Records 
Administration (NARA): EPA Record Schedules 0740 and 0063.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Security controls used to protect personal sensitive data in OASIS 
are commensurate with those required for an information system rated 
MODERATE for confidentiality, integrity, and availability, as 
prescribed in National Institute of Standards and Technology (NIST) 
Special Publication, 800-53, ``Security and Privacy Controls for 
Information Systems and Organizations,'' Revision 5.
    1. Administrative Safeguards: All EPA system users are expected to 
follow the Agency Rules of Behavior. All employees, contractors, 
volunteers, and grantees are required to complete EPA's annual 
Information Security and Privacy Awareness Training and Controlled 
Unclassified Information (CUI) Awareness Training.
    2. Technical Safeguards: Access to OASIS is role-based using the 
principle of least privilege. Role-based access ensures that 
individuals only have the roles granted to them that are necessary to 
complete their job function. These roles could include the ability to 
view, create, or modify records. A PIV Credential is used for MFA user 
authentication. OASIS data elements are stored in an ORACLE Enterprise 
Edition database and uses AES256 bit encryption algorithms to protect 
PII data as it resides in the database and when the data is in use by 
authenticated users.
    3. Physical Safeguards: All OASIS records are maintained on 
computer servers that are located in secure, access-controlled 
buildings.

RECORD ACCESS PROCEDURES:
    All requests for access to personal records should cite the Privacy 
Act of 1974 and reference the type of request being made (i.e., 
access). Requests must include: (1) the name and signature of the 
individual making the request; (2) the name of the Privacy Act system 
of records to which the request relates; (3) a statement whether a 
personal inspection of the records or a copy of them by mail is 
desired; and (4) proof of identity. A full description of EPA's Privacy 
Act procedures for requesting access to records is included in EPA's 
Privacy Act regulations at 40 CFR part 16.

CONTESTING RECORD PROCEDURES:
    Requests for correction or amendment must include: (1) the name and 
signature of the individual making the request; (2) the name of the 
Privacy Act system of records to which the request relates; (3) a 
description of the information sought to be corrected or amended and 
the specific reasons for the correction or amendment; and (4) proof of 
identity. A full description of EPA's Privacy Act procedures for the 
correction or amendment of a record is included in EPA's Privacy Act 
regulations at 40 CFR part 16.

NOTIFICATION PROCEDURES:
    Individuals who wish to be informed whether a Privacy Act system of 
records maintained by EPA contains any record pertaining to them, 
should make a written request to the EPA, Attn: Agency Privacy Officer, 
MC 2831T, 1200 Pennsylvania Ave. NW, Washington, DC 20460, or by email 
at: [email protected]. A full description of EPA's Privacy Act procedures 
is included in EPA's Privacy Act regulations at 40 CFR part 16.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

[[Page 17222]]

HISTORY:
    71 FR 51814 (August 31, 2006).

Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2023-05806 Filed 3-21-23; 8:45 am]
BILLING CODE 6560-50-P


