Privacy Impact Assessment (PIA) Summary
Date of this submission: 04/03/2008
NASA Center: Headquarters (HQ), NASA
Application Name: Common Badging and Access Control System (CBACS)
Is this application or information collection new or is an existing one being modified? EXISTING
Does this application collect, maintain, and/or disseminate information in identifiable form (IIF)? YES
Mission Program/Project Supported: NASA Office of Security and Program Protection/NASA Office of the Chief Information Officer
Identifying Numbers (Use N/A, where appropriate)
Privacy Act System of Records Number: "Security Records System" (NASA 1OSECR)
OMB Information Collection Approval Number and Expiration Date: SF 85 -OMB No. 3206-0005, SF 86 -OMB No. 3206-0007
Other Identifying Number(s): N/A
- Provide an overview of the application or collection and indicate the legislation authorizing this activity.
CBACS is a system of records to document, track, manage, analyze, produce a NASA badge that is verifiable, identifiable, durable and can be used to access NASA resources (Physical and Logical) Routine uses of this system of records will be to determine eligibility to access classified national security information; to maintain a record of identification documentation provided to NASA as proof of an individual's identity; to provide personal identifying data to Federal, State, local or foreign law enforcement representatives seeking confirmation of identity of persons under investigation.
Authority for CBACS activity is derived from: 42 U.S.C. 2451, et seq., the National Aeronautics and Space Act of 1958, as amended; Espionage and Information Control Statutes, 18 U.S.C. 793-799; Sabotage Statutes, 18 U.S.C. 2151-2157; Conspiracy Statute, 18 U.S.C. 371; 18 U.S.C. 202-208, 3056; Internal Security Act of 1950; Atomic Energy Act of 1954, as amended; Executive Order 12958, as amended, Classified National Security Information; Executive Order 12968, as amended, Access to Classified Information: Executive Order 10865, Safeguarding Classified Information Within Industry; Executive Order 10450, Security Requirements for Government Employees; Pub. L. 81•733;5 U.S.C. 552a, Privacy Act of 1974; E-Government Act of 2002;Federal Information Security Management Act 2002 41 CFR Chapter 101; 14 CFR parts 1203-1203b; 44 U.S.C. 3101; and Homeland Security Presidential Directive 12; Federal Information Processing Standard 201: Policy for a Common Identification Standard for Federal Employees and Contractors.
- Describe the information the agency will collect, maintain, or disseminate and how the agency will use the information. In this description, indicate whether the information contains IIF and whether submission is voluntary or mandatory.
- The IIF in this system pertains to applicants seeking access to NASA resources (physical and logical) The IIF contains but not limited to: name, home address, citizenship, date of birth, social security numbers, description of the applicant (height, weight, hair color etc...) Submission of IIF is voluntary.
- The IIF in this system is intended for the sole use of the U.S. Government and its contractors who support U.S. Government operations, policies, laws and regulations, as well as State, local and foreign law enforcement representatives seeking confirmation of identity of persons under investigation.
The Agency will use the IIF to conduct, document and complete the NASA identity proofing and registration process; create data records in the Personal Identity Verification (PIV) Identity Management System (IDMS); issue PIV cards to insure individuals entering federal facilities, using federal information resources, or accessing classified information are authorized to do so; track and control issued PIV cards.
Fingerprints are collected then immediately transmitted (electronically) to the Federal Bureau of Investigation (FBI) as part of a background investigative package in accordance with 42USC14616. Further, as required by FIPS-201 (Personal Identity Verification (PIV) of Federal Employees and Contractors), the fingerprints are encoded on the PIV card and held in an encrypted container.
Immediately upon fulfilling these two requirements (mentioned in 2.b above), the Agency purges the collected fingerprints from the system.
NASA does not maintain any fingerprints in any database, or any other system. Should a PIV card become lost, or damaged, biometrics must be recaptured because they are not stored in any NASA system.
- Explain how the IIF collected, maintained, and/or disseminated is the minimum necessary to accomplish the purpose for this effort.
- Only the required IIF collected to prove the Identity and employment eligibility of the applicant, process background investigations and maintain a history of the applicant for future use in reporting to other entities as required by law.
- The IIF may be shared with Federal, State, local and foreign government agencies as authorized by applicable laws and regulations.
- Explain why the IIF is being collected, maintained, or disseminated.
- Records are being collected and maintained pursuant to Homeland Security
Presidential Directive-12 (HSPD-12). To achieve these objectives the system must document, track, manage, analyze, and/or report on individuals accessing NASA resources. Routine uses of CBACS system will be to determine eligibility to access classified national security information; to maintain a record of identification documentation provided to NASA as proof of an individual's identity.
- The IIF information is only disseminated to other government agencies as authorized by applicable laws and regulations
- Records are being collected and maintained pursuant to Homeland Security
- Identify with whom the agency will share the IIF.
To the Department of Justice when: (a) the agency or any component thereof; or (b) any employee of the agency in his or her official capacity; (c) any employee of the agency in his or her individual capacity where agency or the Department of Justice has agreed to represent the employee; or (d) the United States Government, is a party to litigation or has an interest in such litigation, and by careful review, the agency determines that the records are both relevant and necessary to the litigation and the use of such records by DOJ is therefore deemed by the agency to be for a purpose compatible with the purpose for which the agency collected the records.
To agency contractors, grantees, or volunteers who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement, or other activity related to this system of records and who need to have access to the records in order to perform their activity. Recipients shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. § 552a.
To other Federal agencies and relevant contractor facilities to determine eligibility of individuals to access classified National Security information.
To any source or potential source from which information is requested in the course of an investigation concerning the retention of an employee or other personnel action (other than hiring), or the retention of a security clearance, contract, grant, license, or other benefit, to the extent necessary to identify the individual, inform the source of the nature and purpose of the investigation, and to identify the type of information requested.
To any official investigative or judicial source from which information is requested in the course of an investigation, to the extent necessary to identify the individual, inform the source of the nature and purpose of the investigation, and to identify the type of information requested.
To notify another federal agency when, or verify whether a PIV card is longer valid.
- Describe how the IIF will be obtained, from whom it will be collected, what the suppliers of information and will be told about the information collection, and how this message will be conveyed to them (e.g., written notice, electronic notice if a Web-based collection, etc.). Describe any opportunities for consent provided to individuals regarding what information is collected and how the information will be shared.
- The IIF will be solicited directly from the individual. The individual will be advised of the authority and purposes for collecting this information as stated in 1-5 above. The information may be provided in written form, usually by the use of an approved OMB Standard Form (e.g., SF-85, SF-85P or SF-86). Individuals grant consent to the collection by providing the requested information.
- Employers' and former employers' records; FBI criminal history records. Security violation information is obtained from a variety of sources, such as guard reports, security inspections, supervisor's reports, audit reports.
- State whether personal information will be collected from children under age 13 on the Internet and, if so, how parental or guardian approval will be obtained. (Reference: Children's Online Privacy Protection Act of 1998)
- Information will not be collected from children.
- Describe how the IIF will be secured.
- Access to IIF is strictly controlled by either Government personnel or selected personnel of NASA contractor personnel. Only after presenting proper identification and requesting a file or record, a person with an official need to know and, if appropriate, a proper clearance may have access to a file or records only after it has been retrieved and approved for release by a NASA security representative. These records are stored in security storage equipment, and/or information technology systems employing strong security countermeasures. Additionally, the IIF is contained inside of a federally owned and operated building with video surveillance, card readers on external doors and roving security personnel.
- Describe plans for retention and destruction of IIF.
- GRS/24, Item 5; Destroy/delete 1 year after the system is superseded and or replaced.
- NRRS/1 item 103; Destroy/delete inactive file 5 years after user account is terminated or password is altered, or when no longer needed for investigative or security purposes, whichever is later.
- NRRS/2 item 4B2; Destroy/delete inactive files 8 years or when no longer needed for investigative or security purposes, whichever is later.
- Identify whether a system of records is being created under section 552a of Title 5, United States Code (the Privacy Act), or identify the existing Privacy Act system of records notice under which the records will be maintained.
- NASA 10 SECR is being updated.
Identify a point of contact to whom a member of the public can address questions concerning this information system and the privacy concerns associated with it: Teresa Fryer, NASA Privacy Program Manager
Signature on File
Tim Baldridge, CBACS Project Manager
NASA Cognizant Official/Title
Signature on File
William H. Morrison
CBACS Program Manager
Signature on File Signature on File
Teresa Fryer Jonathan Q. Pettus
NASA Privacy Program Manager NASA Chief Information Officer
Date: 09/15/08 Date: 09/29/08