Prvacy mpact Assessment (PA) Name of Project: Access Control (Badgng and Access) System Project's Unque 10: D: B&A Project's Unque D:! Legal 144 j U.s.C U.S.C 2104 Authorty(es): Purpose of ths System/Applcaton: The Badgng and Access System provdes the approprate ndvduals access to NARA facltes. The Badgng Staton provdes a means n whch user nformaton s s entered onto the lamnated badge whch s assocated wth vvth access permssons and lnked to the buldng wde Access Control System. The Access Control System s the physcal system that reads the lamnated dentfcaton badge and allows/denes access dependng on access rghts. The Badgng and Access System s a stand-alone system connected to a dgtal camera and prnter. Sx workstatons are lnked wth dedcated connectons drectly to the system. Secton 1: nformaton to be Collected 1. Descrbe the nformaton (data clements elements and felds) avalable n the system n the followng categores: Employees, The Badgng System collects the name of the person seekng a NARA N.ARA badge. The system also assgns each user an dentfcaton number.!! The Access System collects the followng nformaton concernng NARA employees. employees, contractors and volunteers: name. name, date of brth. brth, heght. heght, weght w eght, har and eye color. color, and assgned card number. External! N/A Users Audt tral nformaton (ncludng employee log- n nformaton) ~~~~~be) 1 The Badgng & Access System allows authorzed personnel to track ndvduals usng name and or card number. Audt tools create. create, mantan. mantan, and protect a tral of actons of users and admnstrators that trace securtyrelevant events to an ndvdual. ndvdual, ensurng accountablty. Currently. Currently, audt logs are not checked to trace actons of users. Other none (descrbe) none Descrbe/dentfy whch data clements elements are obtaned from fles, databases, ndvduals, or any other sources? sources'? ' l\ KMOWl \ ()\. \1 \f((\ VRtHM* 1 -" \\.1) W O ({ R l ()f(d\ C ORDS -\D\\.\ -\D\\S 1f( R \T(j\. \T()\ PdlC 1 ol 1 \ A Torm 8012 (08-09)
NARA n/a operatonal records External users nla a/a Employees nla Other Federal nla agences (lst! agency) State and local nla a'a agences (lst agency) Other thrd The Badgng & Access System s populated wth pre-programmed dentfcaton part\' party source numbers that are assgned as badges ssued to ndvduals. Other nformaton n the system comes from personnel forms and state ssued dentfcaton cards that support the nformaton provded by the employee. employee, contractor. contractor, or volunteer seekng a NARA badsze. badl!e. Secton 2: Why the nformaton s Beng Collected 1. s each data element requred for the busness purpose of the system? Explan. Yes. each data element s necessary to postvely dentfy dentf~' the ndvdual and to provde a badge gvng Rvng the ndvdual access to the buldno. buldng.! 2. s there another source for the data? Explan how that source s or s not used? nla a/a,! Secton 3: ntended Use o~ of ths nformaton 1. Wll the system derve new data or create prevously unavalable data about an ndvdual through aggregaton from the nformaton collected, and how wll ths be mantaned and fled? No 2. Wll the new data be placed n the ndvdual's record? No 3. Can the system make determnatons about employees/the publc that would not be possble wthout the new data? No N,\lO"\L NATON \L ARrmvs '\RCH\ \,\'>;D AND RlcCORD\ RECORDS '\D\l1'\R,\O' ADMNSRAON Pag~ Paac 2 Clr of 1 '\'\ NA rclrnl8012 rorn (08-09)
.t. 4. How wll the new data be verfed nrfed for relevance and accuracy? nla n/a 5. f the data s beng consoldated, what controls are n place to protect the data from unauthorzed access or use? nla n/a 6. f processes are beng consoldated, are the proper controls remanng n place to protect the data and prevent unauthorzed access? Explan. nla n/a 7. Generally, how wll the data be retreved by the user? Authentcaton to the Access System s controlled by the user loggng onto the specfc workstaton that s hard-wred to the Access System. Ths access s va ndvdual username/pass\\ord username/password pars..authentcaton to the Badgng Badunu System Svstem nvolves lossne loggng nto the ndvdual workstaton from a stand-alone Pc. PC. 8. s the data retrevable by a personal dentfer such as a name, SSN or other unque dentfer? f yes, explan and lst the dentfers that wll be used to retreve nformaton on an ndvdual. Yes. nformaton n the Badgng & Access System can be retreved by an ndvdual's name and/or unque dentfcaton card number. The dentfcaton number s generated by the system. 9. \Vhat What knds of reports can be produced on ndvduals? \Vhat What wll be the use of these reports? \Vho Who wll have access to them? The system allows for the creaton of~trackng reports on ndvduals who have been assgned a NARA access badge. That report provdes nformaton concernng the movement of~the badge holder wthn the buldng. t provdes nformaton concernng the areas the ndvdual entered and the tme of~such entry. Ths nformaton s usually used by securty personnel or the nspector General for nvestgatve purposes. Lsts of~ ndvduals havng access are extracted for use by program oh"ces offces to valdate NATOW AR(H\r'. WDRKORDS \D\MSRAT()\ Pa;c ol \ A 1 orn 8012 ()8-09 l\uo"\ \1 \R( \r, \"\1) R (OR)' \)\'.!'>RUO"\
ndvduals" ndvduals' access to specfc tc areas, areas. partcularly stacks, stacks. records holdng and processng areas. areas, to valdate access authorty or dentfy those no longer needng access. Lsts are returned, returned. wth changes, changes. to the Securty Management unt to be purged. Audt tools create, create. mantan, mantan. and protect a tral of actons of users and admnstrators that trace securty relevant events to an ndvdual, ndvdual. ensurng accountablty. Currently, Currently. audt logs are not checked to trace actons of users. 10. Can the use of the system allow NARA to treat the publc, employees or other persons dfferently? f yes, explan. Yes. The Badgng and Access System can be used to allow NARA to treat the publc, publc. employees, employees. or others dfferently. By grantng a badge, badge. w we e allow employees varyng degrees ofaccess to locatons wthn the buldng. That access s determned based on the ndvduals' Job job related dutes and the approvals granted by management and the physcal securty staff By denyng a badge. badge, the system restrcts publc access to restrcted or employee only areas.. 11. Wll ths system be used to dentfy, locate, and montor ndvduals? f yes, descrbe the busness purpose for the capabltj' capablty and the controls establshed explan. Yes. the system tracks ndvdual badge holders when they enter a locaton va access control card. The system contans the ablty to tral the actons of users and admnstrators that trace securty-relevant events to an ndvdual, ndvdual. ensurng accountablty. 12. What knds of nformaton are collected as a functon of the montorng of ndvduals? Name, Name. card number, number. locaton(s) entered, entered. and tme ofsuch entry. 13. What controls wll be used to prevent unauthorzed montorng? Access to the Badgng and Access System s restrcted to Securty Personnel. All servers and clent work statons are mantaned n lmted access, access. hgh securty areas or under 24/7 armed securty presence. Montors are equpped vvth wth prvacy screens. Authentcaton to the Access System s controlled at two layers. The user must log onto the specfc workstaton that s hard-wred to the Access System. Ths access NATON A ARCHVES AND REC ORDS ADMNSTRATON Rage 4 ol 11 N N-'. A Form FortH 8012 (08-09)
s va ndvdual user name/password name!pass\\ord pars..moreover, Moreover. authorzed users of~the Badgng and Access System! are subject to the NARA wde \\ personnel securty controls. NARA personnel securty controls are descrbed n secton ofnara of~nara T Securty Handbook. Please refer to NARA N.ARA T Securty Handbook. Operatons Controls for more nformaton. U. 14. fthe system s neb-based, web-based, does t use persstent cookes or other trackng devces to dentfy! web vstors? vstors'? N!A N/A Secton 4; 4: Sharng o~ of Collected nformaton 1. \Vho Who wll w have access to the data n the system (e.g., contractors, users, managers, system admnstrators, developers, other)? other),? The system admnstrator and authorzed users have access to the Badgng and Access System. Please reference queston 7 (Attrbutes of~ Data secton) and queston 8 (Mantenance and Admnstratve Controls secton) on safeguards. 2. How s access to the data by a user determned and by whom'? w hom? Are crtera, procedures, controls, and responsbltes regardng access documented'? documented? f so, where are they documented (e.g., concept of operatons document, etc.). Are safeguards n place to termnate access to the data by the user? user'? The system admnstrator determnes the user's access to the system based on the user'sjob and ther need for access to the system n order to perform that job. ob. Responsbltes are outlned n the Concept of~ Operatons document for the Badgng and Access System as \\ell well as the System Securty Plan. 3. \V Wll users have access to all data on the system or wll w the user's access be restrcted? restrcted'? Explan. Access to nformaton n the system s restrcted by the system admnstrator based on job dutes and need to know. kno\\. ~. 4. \Vhat What controls are n place to prevent the msuse (e.g., unauthorzed browsng) of data by those who w have been granted access (please lst processes and tranng materals),? materals)? Hon How n wll these controls be montored and verfed? verfed'?. Authorzed users of~the Badgng and Access System are subject to the '\ARA NARA \\ wde personnel securty 1\ N TO' NTONAL ~l ARC H\, s \ W'D D RJ R l ( ORD, ORDS ADMNSTRATON AD\l'" HO' Page'' Pa2c. 5 of Ol \ \ orm 8012 (08-09)
controls. NARA personnel securty controls are descrbed n secton 1 ofnara T Securty Handbook. Operatons Controls. Ths protocol remnds users to only use the system for the purpose for whch t \\as was created and consstent wth ther authorzed dutes. Ths message s renforced n annual.securty tranng and s renforced wth ssuance ofnara polcy gudance on ths topc. 5. Are contractors nvolved wth w the desgn and development of the system and wll they be nvolved wth the mantenance of the system? fyes, were Prvacy Act contract clauses nserted n ther contracts and other regulatory measures addressed? addressed'? No. Contractors nstalled the system. system, however, howe\'er. nput and mantenance s performed by NARA staff wth physcal securty dutes. 6. Do other N.ARA NARA systems provde, receve or share data n the system'? system? fyes, lst the system and descrbe whch data s shared. f no, contnue to queston 7. The Access Control System s connected to fre alarm. f the fre alarm s trggered n a certan area the doors leadng out are unlocked. Besdes the fre alarm system. system, the Access Control System does not connect to any other system. All connectng workstatons/sensors are drectly connected. The Fre Alarm panel and the access control system share no data: data; t s a smple dry contact from the fre panel drectly to the doors n the emergency ext passages to ensure they are unlocked n the e\'ent event of an emergency. 7. Have the NARA systems descrbed n tem 6 receved an approved Securty Securt> Certfcaton and Prvacy mpact Assessment? Assessment'? N/A N!A - The fre alarm does not requre a PA. The connecton between the fre alarm and the Access System s e\'aluated evaluated n the Badgng and Access System Svstem Securty Plan of.luly July 31.2003. ~--------------------------------------------------------------------------------~ 8. Who wll be responsble for protectng the prvacy rghts of the publc and employees affected by the nterface? nterface'? The System Admnstrator for the Badgng and Access System s responsble for protectng the pr\'acy prvacy rghts ofthe publc and employees affected by the nterface. NARA's Senor Agency Offcal for Pr\'acy Prvacy s responsble for ensurng complance wth the prvacy pr\'acy rghts of the publc and NARA employees. 9. Wll other agences share data or have access to the data n ths system (Federal, State, Local, or Other),? Other)? fso lst the agency agency and the offcal responsble for proper use of the data, and NAONA ARCHVES AND REC ORDS ADMNSTR\TON Page 6 O'11,\A \ A f,lfll18012 rorn (08-0<) (08-09)
explan exrlan how the data wll be used. No. Secton 5; 5: Opportuntes Op~ortuntes for ndvduals to Declne Provdng nformaton 1. What opportuntes do ndvduals have to declne to provde nformaton (Le., (.e., where provdng nformaton s voluntary) ) or to consent to partcular uses of the nformaton (other than requred or authorzed uses), and how can ndvduals grant consent? Submsson ofthe requested nformaton s voluntary: however. ever, refusal to provde such nformaton \\ wll result n the nablty to obtan an access control card. Refusal to provde ths nformaton may also result n the nablty to perform certan job related tasks because an ndvdual \\ w ll ll be unable to to gan access to to certan areas of the buldng where entry requres an access card. certan areas ot~the buldng \\here entry requres an access card. 2. Does the system s~'stem ensure "due process" b~' by allowng affected partes to respond to an~' any negatve determnaton, pror tofnalacton? acton? n!a n/a Secton 6: Securty o~ of Collected nformaton 1. How wll w data be verfed for accurac~', accuracy, tmelness, and completeness? "!hat W'hat steps or or procedures are taken to ensure the data s current? Name the document that outlnes these procedures (e.g., data models, etc.). nformaton nfonnaton n the system s provded by the ndvdual seekng a NARA access badge (employee. (employee, contractor or volunteer). The ndvdual provdes documentaton (drvers lcense. lcense, employment form. SF-50. etc) that s needed to verfy ther dentty. We assume the ndvduals are provdng accurate. accurate, tmely and complete nformaton regardng them-selves. Secondary documents are assumed correct f they have not expred. 2. f the s~'stem system s operated n more than one ste, how wll w consstent use of the s~'stem system and data be mantaned n all stes? N/A 3. What are the retenton perods of data n ths s~'stem? system? Credentals and passes are temporarv temporary. records and are destroved destroyed. n accordance wth vvth the dsposton nstructons n the NARA records schedule contaned n FLES 203. the NARA N\llo'\\1 N\l()N\ '\RC\L-, ARCHMS -\'\J) AND RLCORJ), RECORDS \J)\""R-\()'\ ADMNSRAON Raae 7 ol' 1 N\ N A lfll 1 orn S(J~ 80121 (JS-(J<) (08-09),
; Fles Mantenance and Records Dsposton Manual. ; dentfcaton credentals. credentals, ncludng cards. cards, badges and aad photographs are destroyed 3 months moaths after return to the ssung ssuag offce. Recepts. Recepts, ndces. ndces, lstngs. lstngs, and accountable records are destroy after all lsted credentals are accounted for. Vstor control tles fles are destroyed 5 years after date of document. document, as approprate. Regsters or logs used to record names of outsde contractors. contractors, servce personnel, personnel. vstors, vstors. and employees admtted to areas, areas. and reports on automobles and passengers are destroyed 5 years after date of document as approprate. For areas under maxmum ma.xmum securty. securty, records are destroyed 2 years after tnal fnal entry. eatry. For other areas. areas, records are destroyed 2 years after date of document. document, as approprate. Badges are renewed every 5 years for employees and every 2 years for volunteers. Badges ssued to contractors expre at end of contract. 4. \Yhat What are the procedures for dsposton of the data at the end of the retenton perod? How long wll the reports produced be kept? \Yhere W'here are the procedures documented? Cte the dsposton nstructons for records that have an approved records dsposton n accordance wth, FLES 203. f the records are unscheduled that cannot be destroyed or purged untl the schedule s approved. See records dsposton schedule above. Obsolete nformaton s deleted at the end of the dsposton perod. For renewals. renewals, outdated nformaton s replaced wth w current nformaton. 5. s the system usng technologes n w ways that the Agency has not prevously employed (e.g., montorng software, software. Smart Cards, Caller-D)? f yes, descrbe. n!a n/a 6. How does the use of ths technology' affect publc/employee prvacy? n/a! 7. Does the system meet both NARA's T securty requrements as well as the procedures requred by federal law and polcy? Yes l" NAONA ~\ 110'\ ~\l '\R( AR(H\S 111\, \'\1) \ND RL( REC Olz!), ORDS -\1)\11'\1', ADMNS ln RA 110'\ ON l'as;c 8 ol NA horn 80!2 (08-09)
8. Has a rsk assessment been performed for ths system? system'? f so, and rsks were dentfed, what controls or procedures were enacted to safeguard the nformaton'? nformaton? Yes. A rsk assessment was conducted on August 27. 2007. No rsks were dentfed. 9. Descrbe any montorng, testng, or eyaluatng evaluatng done on ths system to ensure contnued securf)' securty' of nformaton. Securty Control testng was completed on September 2.2008. 2008. usng crtera outlned n FPS 200 and \ST NST 800-53 to. 10. dentfy a pont of contact for any addtonal questons from users regardng the securty securt>' of the system. Leo Scanlon. T. A-. A-ll. 301-837-0752 Secton 7: s ths a system of records covered by the Prvacy Act? 1. Under whch w Pryacy Prvacy Act systems of of records notce does the the system operate'? operate? Proyde Provde number and name. Ths system operates under NARA 11. Credentals and Passes Ths system operates under NARA 11. Credentals and Passes 2. f the system s beng modfed, wll w ll the Pryacy Prvacy Act system of of records notce requre amendment or reyson'? revson? Explan. The Prvacy Pr\"acy Act system of records notce referenced abo\"e above accurately accurateh co\"ers covers the acth"tes actvtes of the 8adgng Badans and Access System. Svstem. Conclusons anda~;:t!ys s ~ Analyss 1. Dd any pertnent ssues arse durng the draftng of ths Assessment'? Assessment? No 2. f so, what w changes were w ere made to to the the system/applcaton to to compensate'? compensate? nla n/a N\llON\ ARlllMS AND RECORDS ADMNslRMlON Raye 9 ol '\.\ \ A orn onn gol::! 8012 (1\8-09) (l8-09)
See Attached.Approval Page Once the Prvacy mpact Assessment (PA) s completed and aad the sgaature sgnature approval page s sgned. sgned, please provde copes of the PA to the followng: T Securty Manager Prvac: Prvacv Act Oftcer Offcer 1'\110\,\[ N \!()N \ \R(\l.\\\,lRt(OW\ AR( ES AND Rl ^ ORDS \l\\,\r,\o\, ADMNS RA ON 'dgc Pa;c O"tll 10 ol '\.\ \ A ["rll rorm 8012 (08 Ol)1 (08-09)
The Follo\'rng Followng Offcals Have Approved ths PA P.A SYstem System Manager (Project Manager) J t~l~' /0.9, 2c12-. ~~ (Sgnature) : (Date) : Name: Wll Fletcher Ttle: 8adgng Badsne & Access System Svstem O\vner/Manager Owner/Manaaer Contact nformaton: 8601 Adelph Road. Room 2310 College Park. MD 20740-6001 301-837-1491 Senor Agency Offcal for Prvacy (or desgnee) '-W' 9/J-6/ L 0(?:^^^-~-^L/\N -~K~ (Sgnature) ' ' (Date) ~ Name: Gary M. M. ~tern Stern ^ Ttle: General Counsel Contact nformaton: 8601 Adelph Road. Room 3110 College Park. MD M D 20740-6001 301-837-1750 Chef nformaton Offcer (or desgnee) y^y^'^r^ ~./tl-;~j (Sgnature) lv- / O 0/"/2- o/ / z (Date) Name: Mchael Wash Ttle: CO Contact nformaton: 8601 Adelph Road. Room 4400 College Park. Park, MD M D 20740-6001 301-837-1992 NATOW ARCHVES AND REC ORDS ADMNMRATON Pane 11 ol 11 NA N \ llrlll 1 orm XOl2 8012 (OX-091 (08-09)