BUSINESS ..- INFORMATION URITY MANUAL '<* ------- FORWARD The procedures in this manual provide Federal, Contractor, and Subcontractor employees with the information necessary to utilize Confidential Business Information (CBI) in the performance of their assigned duties without violating applicable Federal regulations protecting the rights of its owners in accordance with the Clean Air Act of 1990 (CAA) as amended. This manual will be subject to annual review to ensure it is in compliance with EPA policies and Federal regulations. Any recommendations for changes, additions or deletions should be forwarded through the OAQPS Document Control Officer to the Director, OAQPS/PRRMS, MD-C404-02, 109 T.W. Alexander Drive, RTP, NC 27711 U S. Environmental Protection Agenqr Rejiw 5, Library (PL-12J) 77 West Jacks«n Boulevard, Chicago, It 60604-3590 ------- TABLE OF CONTENTS SECTION I. PURPOSE, SCOPE, POLICY, AUTHORITY & RESPONSIBILITIES 1 1. PURPOSE 1 2. SCOPE 1 3. POLICY 1 4. AUTHORITY 2 5. RESPONSIBLE OFFICIALS 2 a. Director, Office of Air Quality Planning and Standards (OAQPS) 2 b. Director, Program Planning, Resources and Regional Management Staff (PRRMS) .... 2 c. OAQPS Document Control Officer (DCO) 3 d. OAQPS Document Control Assistant (DCA) 4 e. OAQPS Division Directors 4 f. OAQPS Program Project Officers 5 g. Group Leaders 5 h. OAQPS Work Assignment Managers/Task Order Project Officers (WAM/TOPO) 6 i. Contractor Document Control Officers (CDCO) 7 j. Employees 9 SECTION II. CAA CBI CERTIFICATION PROCEDURES 10 1. OVERVIEW 10 2. GENERAL ACCESS REQUIREMENTS 10 3. OBTAINING ACCESS TO CAA CBI 10 a. Federal Employee Access Procedures 10 b. Establishing Access for Contractor Facilities 12 c. Contractor Employee Access 16 4. ACCESS CONTROL 16 a. Access Lists 18 b. Subcontractor/Consultant Access 20 ------- 5. TERMINATION OF CAA CBI ACCESS 20 SECTION III. RECORDS MANAGEMENT FOR CAA CBI 22 1. OVERVIEW 22 2. INTENT 22 a. Original CBI 22 b.Derivitive CBI 22 3. OAQPS CAA CBI RECORDS MANAGEMENT SYSTEM 22 a. OAQPS CAA CBI Automated Tracking System 23 b. CAA CBI Control Record 23 c. Cover Sheets 23 d. Custody Receipts 24 e. New Materials 24 f. Inventory 24 4. OAQPS CAA CBI DOCUMENT CONTROL NUMBERS 24 5. CBI MARKINGS 25 a. CBI Stamps 25 b. Computer Outputs 25 c. Charts, Maps and Drawings 25 d. Photographs, Films and Recordings 25 6. CBI DOCUMENTS 25 a. Working Papers 25 b. Typing /Word Processing Requirements 26 7. NON-CBI DOCUMENTS 26 a. Deleting or Replacing CBI 26 b. Masking or Aggregating CBI 26 c. Dropping CBI Claim (Declassification) 26 8. DISPOSITION OF CAA CBI DOCUMENTS 27 a. Original CAA CBI Materials 27 b. CBI Created by OAQPS 27 9. RECORDS OF DESTRUCTION 28 10. METHODS OF DESTRUCTION 28 11 ------- 11. CDCO RECORD MANAGEMENT RESPONSIBILITIES 29 a. CAA CBI Control Numbers 29 b. CAA CBI Inventories 29 c. Reproducing Documents 29 12. COMPLETION OF CONTRACTS, WORK ASSIGNMENTS OR TASK ORDERS 29 a. Originals 29 b. Duplicates 29 SECTION IV. CAA CBI WORKPLACE PROCEDURES 30 1. OVERVIEW 30 2. OBTAINING CBI DOCUMENTS 30 3. DOCUMENT CONTROL 30 a. Telephone Calls 30 b. Work Spaces 31 c. Computers 31 d. Meetings 31 e. Document Reproduction 32 f. CBI Waste 32 g. Use of FAX machines 32 h. Site Visits 33 4. SPECIAL CIRCUMSTANCES 33 SECTION V. TRANSFERRING CAA CBI 34 1. OVERVIEW 34 2. TRANSFERRING CAA CBI TO OTHER FEDERAL, STATE OR LOCAL AGENCIES 34 a. CBI Security Agreement 35 b. Notice to Affected Businesses 35 c. Before Approval 36 d. Before Transfer 36 3. TRANSFERRING CAA CBI TO EPA CONTRACTORS OR PROVIDING FACILITIES 36 111 ------- 4. TRANSFERRING CAA CBI FROM CONTRACTORS TO OAQPS 36 5. TRANSFER TO SUBCONTRACTORS 37 6. PREPARATION AND PACKING 37 a. Inner and Outer Covers 37 b. Addressing 37 c. Packing 38 7. CUSTODY RECEIPT 38 8. TRANSFER METHODS 38 a. Hand Carrying 38 b. Registered Mail 39 c. Couriers,and Express Mail 39 d. FAX Transmittal 39 SECTION VI. STORAGE OF OAQPS CAA CBI 41 1. OVERVIEW 41 2. INTENT 41 3. STORAGE SPECIFICATIONS 41 a. Minimum storage area reqirements 41 b. Minimum storage equipment 42 4. PROCEDURES FOR COMBINATION LOCKS AND KEYS 42 a. Combination Locks 42 b. Changing Combinations 43 c. Keyed Locks 43 5. SAFEGUARDING CAA CBI IN THE EVENT OF A DISASTER 43 a. Prevention 44 b. Preparedness 44 c. Response 44 SECTION VII. CAA CBI COMPUTER SYSTEM SECURITY 45 1. OVERVIEW 45 2. DIRECTIVES 45 iv ------- 3. BASIC SECURITY EQUIPMENT 45 a. Security Mode 45 b. Authenticity and Verification 45 c. Remote Operation (Dial-up or Wireless) 45 d. User Requirements 45 4. COMPUTER EQUIPMENT ROOM 46 5. SAFEGUARDING CBI DURING PERSONAL COMPUTER USE 46 a. Computer Storage Media 46 b. Termination of a CBI Computer Session 46 c. Computer Printouts 47 6. SYSTEM SECURITY SOFTWARE FOR MULTI-USER SYSTEMS 47 a. User Permissions 47 b. Event Record 47 7. GENERAL PROCEDURES 48 a. Checkout 48 b. User Privileges (Multi-User Systems Only) 48 c. Back-up Files 48 d. Transmission 48 8. DESTRUCTION AND RELEASE OF MEDIA 48 a. Magnetic Storage 48 SECTION VIII. CAA CBI SECURITY VIOLATIONS 49 1. OVERVIEW 49 2. RESPONSIBILITY OF DISCOVERER 49 3. INVESTIGATING VIOLATIONS 49 a. Preliminary Inquiry 49 b. Investigation 49 4. REPORTS AND FINDINGS 49 a. Finding of No Damage 49 b. Lost Documents 49 c. Evidence of Compromise 50 d. Finding of Damage 50 v ------- 5. RESULTING ACTIONS 50 a. Violations Subject to Punitive Measures 50 b. Punitive Measures 50 CAA CBI DEFINITION OF TERMS 51 GLOSSARY OF ACRONYMS 53 INDEX OF APPENDICES 55 VI ------- SECTION I. PURPOSE, SCOPE, POLICY, AUTHORITY & RESPONSIBILITIES 1. PURPOSE. The purpose of this manual is to set forth policies and procedures for the handling of information claimed as Confidential Business Information (CBI), whether submitted voluntarily or obtained under Section 114 of the Clean Air Act (CAA), and governed by U.S. Environmental Protection Agency (EPA) regulations in 40 Code of Federal Regulations (CFR), Part 2, Subpart B, and other EPA regulations and policies. The need to safeguard CBI cannot be overstated. Valid and secure CBI procedures are essential to the EPA's rulemaking mandate and therefore are required to be effectively safeguarded. Any compromise to CBI threatens not only the businesses providing the information, but also EPA's ability to make, implement and enforce environmental policy, and ultimately, the communities that benefit from that policy. Therefore, the Office of Air Quality Planning and Standards (OAQPS) has designed and implemented a four-pronged security system to ensure protection of CAA CBI and at the same time permit effective operations of the OAQPS CBI Office (CBIO). The CAA CBI security system consists of controlled access, document tracking, training, and monitoring of CAA CBI operations. 2. SCOPE. This manual sets forth policies and procedures to manage and safeguard CAA CBI. Unless otherwise noted, the phrase CAA CBI refers to information which has been either submitted voluntarily to the Environmental Protection Agency or under section 114 of the Clean Air Act and is claimed as "Confidential Business Information", "Proprietary Information" or "Trade Secret" by the submitting organization. 3. POLICY. It is the policy of OAQPS to protect all information collected by EPA personnel, its authorized contractors and subcontractors. The information may be either documentary information (e.g., written responses to questions, photographs, records or charts) or non-documentary (e.g., records of oral communications, or visual observations). The providing organization must assert a claim of confidentiality under the procedures established in 40 CFR Part 2 by noting such claim on documentary and non-documentary materials provided to OAQPS. Any material or information claimed as confidential or trade secret will be treated as confidential by OAQPS and its contractors in accordance with the provisions of 40 CFR Part 2. Any material or information for which a claim of confidentiality is NOT made may be made available to the public by OAQPS without notice to the providing organization. Documents generated by OAQPS or its contractors using information that has been claimed as Confidential Business Information (CBI) will be treated as CAA CBI until a determination is ------- made regarding its status by the providing organization, OAQPS, or the Office of General Counsel (OGC). 4. AUTHORITY. The policies and procedures established by this manual provide guidance for compliance with the following Federal statutes and regulations: Clean Air Act as amended 40 CFR, Part 2, Subpart B Freedom of Information Act Privacy Act EPA IRM Policy Manual, Chapter 8, Information Security OAQPS Security Plan Any deviations from the procedures outlined in this manual must be approved in writing I by the Director, OAQPS/PRRMS. ' 5. RESPONSIBLE OFFICIALS. The responsibilities of OAQPS officials and personnel concerning CAA CBI are outlined below. a. Director, Office of Air Quality Planning and Standards (OAQPS). The OAQPS Director or his/her designee has overall responsibility for controlling CAA CBI within the Office. The Director or Acting Director may delegate authority to perform security control functions. b. Director, Planning, Resources & Regional Management Staff (PRRMS). The Director, Planning, Resources & Regional Management Staff (PRRMS), has been delegated authority to direct and administer the CAA CBI program for OAQPS. The Director has authority for setting policies, standards, and procedures that ensure compliance with the current laws and regulations. The Director provides oversight, a security education program, and a security assurance program for effective implementation of the OAQPS CAA CBI program. Specific responsibilities are to: Advise the OAQPS Director on the OAQPS CBI CAA program, as requested. Approve initial contract access for OAQPS contractors to access CAA CBI. Review and approve all outside requests and transfers of OAQPS CAA CBI. ------- Approval of contractor employee access to specific CAA CBI documents is delegated to the OAQPS Group Leaders. c. OAQPS Document Control Officer. The OAQPS Document Control Officer (DCO) is directly responsible to the PRRMS Director for implementing the CAA CBI program. The OAQPS DCO implements and monitors the activities of the Confidential Information Office (CBIO) and provides guidance and technical direction as needed. The following are responsibilities of the OAQPS DCO: Ensures that the Operations Team Leader is informed of all issues pertaining to CAA CBI. Assumes custody of all CAA CBI materials received at the OAQPS Confidential Business Information Office (CBIO). Ensures that OAQPS security procedures for handling CAA CBI are continually reviewed, updated, and enforced. Conducts briefings and testing in support of the OAQPS CAA CBI security program.. Ensures compliance with the CAA CBI security program. Reviews security plans, procedures, and inspects facilities of EPA contractors handling and storing CAA CBI files. Reviews contractor employee CAA CBI security, education and training programs. Reviews and Approves CAA CBI access requests for contractors and other Federal/State and Local agencies. Evaluates proposed system improvements. Conducts preliminary inquiries and investigations of alleged procedural violations and reports findings to the PRRMS Director. Advises the PRRMS Director concerning appropriate actions for CAA CBI security violations. Signs receipts for incoming CAA CBI documents. Reviews documentation of all CAA CBI being transferred outside of OAQPS; and ensure that release is in accordance with Section 2.209 of 40 CFR, Part 2. ------- Prepares CAA CBI documents for transmittal outside of OAQPS. Declassifies or destroys CAA CBI materials when authorized by Work Assignment Manager/Task Order Project Officer (WAM/TOPO), OGC or Submitter. Briefs and debriefs all persons designated by Group Leaders that require access to CAA CBI. Keeps an Authorized Access List of all persons cleared for CAA CBI access and a record of each person's briefing status. Assigns OAQPS CBI control numbers. Generates Control Record and applies markings to all new CAA CBI documents and reproduce documents as required. Establishes, maintains, and controls an automated OAQPS CAA CBI file system. Logs in and out all CAA CBI documents. Conduct periodic inventories of all CBI documents stored at the OAQPS CBIO or contractor facilities. Maintains a tracking system to ensure that CBI transmitted to other organizations is received. Locks CBI in appropriate containers whenever the information is not in use or under the supervision of cleared personnel. Ensures that at the end of each business day, all classified material has been returned to the CBIO and is properly stored. Monitors support staff providing clerical assistance to the CBIO. d. OAQPS Document Control Assistant. Document Control Assistants (DCA) are employees of OAQPS, who are charged with assisting in the implementation of the OAQPS CBI program. The OAQPS Document Control Assistant (DCA) will perform the aforementioned CDCO responsibilities in the absence of the DCO and assist in administrative functions as necessary. e. OAQPS Division Directors. Division Directors' responsibilities are to: Ensure that their employees comply with the procedures listed in this manual. Approve all authorizations for their Division employees to access CAA CBI; and Sign as requesting official for contractor employee access to CAA CBI. ------- f. OAQPS Program Project Officers. The respective program project officers' (PPO) responsibilities are as follows: To notify the OAQPS DCO when a contract will require CAA CBI access and to serve as an interface between the OAQPS DCO, contractors, WAM/TOPO and the EPA Contracting Officer. To issue notification to the affected businesses via Federal Register notice at the start of a contract by identifying the contractor or subcontractor who will have access to CAA CBI submitted to OAQPS in performing their assigned duties. Assist WAM/TOPO in preparing individual notification to affected businesses or industries on an as-needed-basis. Ensure compliance with all CBI procedures set forth in the applicable contract. Work with DCO to reslove security plan deficiencies. g. OAQPS Group Leaders. Group Leaders are responsible for ensuring that their employees and contractors comply with the procedures listed in this manual. Group Leaders will: Designate EPA and contractor employees who need access to specific CBI associated with each project. This responsibility may not be delegated. Authorize the additions and deletions to the CAA CBI Project Access list for the specific project under his or her control. Ensure that Group employees and other persons whom they designate are qualified and authorized to access CBI utilizing procedures found in Section II. Authorize transfer of CAA CBI to providing companies, facilities or contractors. The authority to transfer CAA CBI to all other outside organizations is reserved for the PRRMS Director. Ensure that any CBI the Group receives directly is sent immediately to the OAQPS CBIO. Recommend to the PRRMS Director whether to release CBI to Congress, the Comptroller General, or other Federal agencies. ------- Ensure that CBI is not used in publications or improperly released in any documents. Authorize necessary creation of NON-CBI materials by summarization or masking. Review and approve NON-CBI materials prior to their release. Cooperate with the OAQPS DCO in establishing and improving CBI safeguards, and implementing and maintaining CBI education and quality within their Groups. Report cases of CBI disclosures or possible compromises to the OAQPS DCO and cooperate with investigations conducted under the OAQPS CAA CBI security program. h. OAQPS Work Assignment Manager/Task Order Project Officer (WAM/TOPO). Ensures that contractors and EPA employees working on his/her project comply with procedures in this manual and CBI procedures set forth in the applicable contract for CBI related to his/her project. Analyzes technical aspects of all project work written or otherwise created and determines whether CBI is involved and, if so, has it logged in the CBIO. Ensures that necessary paperwork is submitted in accordance with 40 CFR, Part 2, Subpart B, to enable Office of General Counsel (OGC) to make a final determination as to whether information that has been received is entitled to confidential treatment. Authorizes necessary reproduction of CBI and ensures that CBI is reproduced only under the supervision of the OAQPS DCO as described in Section IV, e. Ensures that memos, notes and reports from telephone conversations, visits, inspections, or tests are protected as CBI and filed in the CBIO until a determination is made regarding the status. Ensures that CBI is not used in publications or improperly released in any document. Initiates the process for declassification, destruction and disposal of CBI material. Ensures that any CBI received associated with his/her project is logged by the OAQPS CBIO. Coordinates with contractor the return of CAA CBI files to the OAQPS CBIO at the completion of a work assignment or when the information is no longer required to be ------- maintained at contractor facilities. Provides assistance to the OAQPS DCO in determining the status of returned CBI materials from the contractor. Reports cases of wrongful disclosure or possible compromise of CAA CBI to the responsible Group Leader and OAQPS DCO, and cooperates with investigations conducted under the OAQPS CAA CBI security program. i. Contractor Document Control Officers. Contractor's management must nominate a Contractor Document Control Officer (CDCO) and a Contractor Document Control Assistant (CDCA). Additionally, the contractor is also responsible for establishing a training and certification program in accordance with the procedures outlined in this manual. Before OAQPS recognizes them as CDCOs, they must be properly trained and required paperwork must be on file at OAQPS. The CDCO controls the receipt, storage, and handling of CAA CBI by employees at their facilities and manages a document tracking system. 1) CDCO responsibilities include: Serving as the principal contact for OAQPS regarding the security and control of CAA CBI; Developing security plan for safeguarding CAA CBI; Maintaining a secure CBI facility; Conducting CAA CBI briefings (including testing) for all contractor employees authorized to handle or access CAA CBI; Obtaining signed Authorization for Access to CAA CBI for Contractor Employees, CAA CBI Form 3 (Appendix A) from each contractor employee who will have access to CAA CBI before the employee is granted access. Conducting briefings and testing in support of the OAQPS CAA CBI education and training program. Inspecting subcontractor facilities, reviewing security procedures and obtaining OAQPS' approval. Maintaining a list of contractor employees who are authorized access to CAA CBI including administrative or computer support, or as designated by the OAQPS Group Leader as having a need-to-know specific CAA CBI to perform ------- their duties. Releasing CAA CBI only to authorized persons. Reviewing and updating access lists and notifying the OAQPS DCO immediately of any changes. Submitting updated access lists to the OAQPS DCO on a Semi-Annual basis. Providing guidance, technical assistance and administrative support to contractor employees on all matters concerning CAA CBI security. Establishing, maintaining, and controlling a CAA CBI file system (including disposition) in compliance with OAQPS' CAA CBI Records Management procedures. Logging in and out all CAA CBI documents, summaries, tabulations, and materials to users. Ensuring all CAA CBI is properly stored when not in use. Ensuring CAA CBI is properly wrapped, marked and transferred. Maintaining an inventory of all CAA CBI, conducting periodic audits, and submitting annual inventory to the OAQPS DCO. Destroying drafts, duplicates and working papers as authorized by the OAQPS DCO or project lead. Maintaining, in a secure location, a record of combinations of all locks, safes, and cabinets that contain CAA CBI. Reporting alleged violations of contractor security procedures immediately to contractor management and the OAQPS DCO. Monitoring and ensuring compliance with employee certification procedures. Notifying OAQPS DCO, in writing, whenever an employee has relinquished his/her access to CAA CBI. 2) Contractor Document Control Assistant. The Contractor Document Control Assistant (CDCA) will perform the aforementioned CDCO responsibilities in the absence of the CDCO and assist in administrative functions as necessary. ------- Whenever DCOs terminate their employment or relinquish their responsibilities, the outgoing DCO will certify to the PRRMS Operations Team leader that an inventory of CAA CBI materials has been performed, and that all materials are accounted for prior to their departure. If personnel actions permit, the outgoing DCO will brief incoming personnel as to the current status of records and any outstanding issues. j. Employees. Contractor/subcontractor and Federal, State and Local Government employees must: Comply with all applicable procedures in this manual. Comply with all CBI procedures set forth in the applicable contract. Maintain positive control of CBI until returned to the CBIO. Store CAA CBI in accordance with the policies set forth in this manual. Discuss CBI only with authorized persons. Ensure that any CBI received directly is sent immediately to the OAQPS CBIO for storage and proper logging. Ensure that CBI is not used in publications or improperly released in any document. Report alleged violations of security procedures to the OAQPS DCO immediately. Ensure that memos, notes, and reports containing CBI obtained from telephone conversations, visits, inspections, inquiries, or tests are protected as CBI, logged and stored in the CBIO. ------- SECTION II. CAA CBI CERTIFICATION PROCEDURES 1. OVERVIEW. This section describes policies and procedures for allowing access to Confidential Business Information (CBI) for OAQPS Federal employees and OAQPS contractors. Group Leaders and contractor management must arrange for employees to be available for briefings in support of the OAQPS CAA CBI program. Designated employees must meet all requirements of the program in order to obtain and maintain access to CAA CBI. 2. GENERAL ACCESS REQUIREMENTS. No person has a right of access to CBI by virtue of organizational title or position. A person must have a need-to-know specific CBI before access is granted. There is a responsibility to the organization providing CAA CBI to protect its information and a parallel responsibility of OAQPS employees and contractors to minimize their liability. 3. OBTAINING ACCESS TO CAA CBI. A secure CBI system requires continuous updating of the employee Authorization Access List (AAL),and ensuring adherence to the annual recertification policy. The steps outlined below have been developed to maintain system integrity. a. Federal Employee Access Procedures. Upon determining that an OAQPS employee needs access to specific CAA CBI, Group Leaders refer those employees to the OAQPS DCO. The employee attends an initial OAQPS CAA CBI security briefing. See Figure 1 for steps in obtaining access to CAA CBI. 1) Initial Briefing. All access designees shall: Become familiar with the policies and procedures outlined in the CAA CBI Security Manual. Receive training on the proper handling of CAA CBI, and pass a competency test. In the event that the nominated employee fails to pass the CAA CBI test. He or She may retake the test after a 5 day waiting period. 10 ------- Steps for Obtaining Access to CAA CBI GROUP LEADER NOMINATES Employee Needing Access I EMPLOYEE ATTENDS CBI Briefing/Training 1 EMPLOYEE PASSES Written Test i EMPLOYEE SIGNS Confidentiality Agreement I DIVISION DIRECTOR Approves Employee Access i GROUP LEADER DESIGNATES Access to Specific CBI i CBI OFFICE MAINTAINS Authorized Access Lists Figure 1 11 ------- After receiving the briefing and passing the competency test, each employee will complete and sign an Authorization for Access to CAA CBI, CAA CBI Form 2 (Appendix A). The Authorization for Access to CAA CBI form is divided into four sections. Sections I through III cover the employee's authority to access CAA CBI. Section IV will document the employee's continued requirement for access to CAA CBI and will ensure that the employee is current with CAA CBI security procedures. Upon completion, the form should be forwarded to the responsible Division Director for signature and final approval. Approved forms are returned to the CBIO for filing. Employees are responsible for ensuring that their respective Division Director signs the authorization for access to CAA CBI. Prior to having their name placed on the authorized access list, the employee's Group Leader must notify the CBI office, in writing, of the requirement to access specific CBI. An example of the memo is provided in Figure 2. 2) Annual Recertification. Federal employees approved for CAA CBI access must re- certify their access to CAA CBI on an annual basis. Re-certification may be accomplished up to 90 days prior, but not exceeding the anniversary date of the issue of their current certificate. To re-certify, an employee must: Visit his or her local CBI office and receive a briefing on current procedural changes, updates or CBI related issue from the DCO or DCA . Initial Section IV of CAA CBI Form 2 (Annual Re-certification of CBI Clearance), certifying that he or she continues to require CBI Clearance and is current with the CAA CBI security procedures set forth in this manual. Any employee that fails to annually re-certify will have their CAA CBI Form 2 stamped as "CAA CBI Clearance Terminated" by the DCO/DCA. Their name will be removed from the OAQPS CAA CBI Authorized Access List and they must relinquish access to CAA CBI materials effective on the anniversary of their certification. Every effort must be made to ensure that CAA CBI Form 2 is current. If unscheduled travel or absence will prevent the employee from initialing CAA CBI Form 2, the employee must contact their respective CBI office and obtain a wavier. The waiver will cover the period of unscheduled travel or absence. Upon return to duty, the employee will have no more than 15 days to re- certify. Failure to do so will require the employee to lose certification and he or she must reinitiate the CAA CBI access procedure as specified in section (a). The OAQPS DCO will notify the Group Leader of any suspension of certification. b. Establishing Access for Contractor Facilities 1) Facilities. Project Officers shall notify the OAQPS DCO immediately upon determining that a prospective project may require contractor access to CAA CBI. 12 ------- EXAMPLE MEMORANDUM SUBJECT: Request for Confidential Business Information (CBI) Access FROM: (Name of Group Leader) (Name of Group) TO: (CBI Manager) OAQPS, (MD-C404-02) This memorandum is to request that the following personnel name(s) be (added to /removedfrom) the CAA CBI authorized access list for the (Name of Project), (BSD Project # or CBI #). (Name(s) of individuals including affiliation). Also, please add (Name(s) of (Group) to the CBI authorized access list for the (Name of Project, etc.). Description of Material: Any material received as a result of developing the the NESHAP for (Name of industry or NESHAP) (Name(s) of individuals including affiliation). Figure 2 13 ------- The following information must be furnished: a) The name of the prospective contractor and the location of the contractor's facility. b) A copy of the Federal Register notification for contractor access to CAA CBI collected under the specific contract, including the contract number. c) A copy of the statement of work. d) Whether the contractor's facility is to receive and store CBI under the contract. 2) Conditions. Contractors may not receive access to and provide storage for CAA CBI until the contractor meets the following conditions: a.) Obtains OAQPS approval for access to CAA CBI. b) Nominates and trains a Contractor Document Control Officer (DCO), and a Contractor Document Control Assistant (CDCA). c) Prepares and has OAQPS approve a security plan. d) Has site inspected and approved by OAQPS. e) Obtains OAQPS approval from responsible Group Leader for access to specific CAA CBI for each contractor employee required to work with CAA CBI. 3) Obtaining Approval. When access to CAA CBI is necessary, the contractor must complete a Request for Approval of Contractor Access to CAA CBI, CAA CBI Form 11, (Appendix G). The form must explain the reason CAA CBI access is necessary under the contract. The OAQPS WAM/TOPO must forward the form and Contractor Information Sheet, CAA CBI Form 1 la, (Appendix G) to his/her Division Director, who will sign the form as the requesting official and forward it and the information sheet to the OAQPS DCO for review. The OAQPS DCO will then forward the form and the information sheet to the PRRMS Director for final approval. 4) Contractor DCO/DCA Requirement. Prior to the commencement of operations, contractor management must nominate contractor employees who will serve as a Contractor Document Control Officer (CDCO)and a Contractor Document Control Assistant (CDCA) and notify OAQPS. The CDCO will be responsible for developing the Security Plan and must be trained in proper CAA CBI handling procedures prior to being assigned to their positions. The CBI Security Manual will be provided in hardcopy and the CDCO/CDCA may 14 ------- attend a CAA CBI briefing offered by the OAQPS DCO. The requirement that a CDCO be assigned before actual access begins is required even if access to CAA CBI under the contract is limited to the OAQPS headquarters facilities. The CDCO serves as the liaison between OAQPS and the contractor on issues relating to CAA CBI and plays an important role in requesting and maintaining access authorization for individual contractor employees and in handling CBI. The CDCA is a back-up for the CDCO. 5) Security Plan. The contractor must prepare and OAQPS must approve a security plan for access to CAA CBI at a location away from the OAQPS headquarters. Security plans must describe physical security mechanisms at the contractor's site that are commensurate with the assessed risk and those procedures put in place to allow employees to safeguard materials when handling CAA CBI at the site. The procedures described within this manual and the OAQPS forms in the appendices are intended to serve as guidelines for the preparation of contractor security plans and need not be incorporated verbatim in the plans. However, contractor security plans must equal or surpass the security standards described in this manual. The following is an outline of a Security Plan. CDCO responsibilities. Access procedures. Accountability system. CAA CBI storage (based on Security Risk Assessment). CAA CBI transfers. CAA CBI safeguards (including disaster prevention, preparedness, and recovery plan). Security violations. Education and training. Computer security (if applicable). The OAQPS DCO is responsible for reviewing contractor security plans, discussing any perceived deficiencies with the OAQPS Project Officer (PO) and the contractor, and sending a memorandum through the PO to the contractor either approving or disapproving the security plan. 15 ------- 6) Site Inspection. In addition to the security plan, the OAQPS DCO must inspect and approve contractor facilities before CAA CBI can be received or stored. OAQPS will perform site inspections upon initial setup and whenever the physical location of an approved storage area has been changed or modified. In addition, a security inspection shall be preformed whenever changes have been made to the security plan that may impact on the contractor's ability to provide an adequate level of security as dictated by this manual. The OAQPS DCO must be notified, in writing, prior to any change or modification to existing facilities or procedures. If minor problems are noted during an on-site inspection or review of the security plan, the OAQPS DCO will work with the contractor to correct them. Contractors will be given 30 days to correct any major deficiencies encountered during the inspection. The contractor will conduct periodic internal audits of their facilities, employee certification programs, and the CAA CBI security system to ensure compliance with the security plan. Records of such audits will be available upon request. See Figure 3, Contractor Steps for Obtaining Contractor Access to CAA CBI. c. Contractor Employee Access. In general, procedures for contractor employee access to CAA CBI are the same as those for EPA federal employees. See Section II for clearance procedures. Contractor specific procedures are detailed below. 1) Contractor Employee Access to Specific CBI. The OAQPS WAM/TOPO will confer with contractor officials to determine which work assignments or task orders, and which employees will require access to CAA CBI. Upon receiving the requirements for contractor employee access to CAA CBI, the CDCO will have the designated employee(s) attend an initial briefing, pass a written test, obtain signatures on the Authorization for Access to CAA CBI for Contractor Employees, CAA CBI Form 3 (Appendix A). 2) Federal or contractor employees who require on-line access to a computer system or database containing CAA CBI must complete a Computer Request, Approval, and Registration for CAA CBI Computer Access, CAA CBI Form 10 (Appendix F), and notify the DCO. See Section VII, CAA CBI Computer Security. The originals of these forms are also forwarded to the OAQPS DCO for the record. It is not necessary to complete a new CAA Form 2 or CAA Form 3 for every new project or contract. DCO/CDCO will control access to specific CBI through the use of an Authorized Access List as prescribed by this section. 4. ACCESS CONTROL. In addition to the procedures listed in Section II, the responsible Group Leaders / Contractor must designate and approve employees who have a need-to- know for specific CAA CBI in order to access individual projects by submitting an 16 ------- Contractor Steps in Obtaining Access to CAA CBI Obtain Approval from Director PRRMS to Access CAA CBI i Nominate & Obtain Approval of Contractor Employees to Serve as CDCO and CDCA 1 Prepare & Submit an Adequate Security Plan Pass OAQPS DCQ Site Inspection 1 CDCO Brief & Test Employees on Security Procedures 1 Submit Name(s) & Obtain Approval for Individual(s) to Access Specific CBI Figure 3 17 ------- authorization memo to the OAQPS DCO (Figure 4). Administrative support personnel may obtain access to CAA CBI to provide typing, word processing, and document handling support of CAA CBI. This Administrative access may be granted upon nomination, attendance of the security briefing and passing the written CBI certification test. Administrative access does not require designation by Group Leaders to access specific CBI. a. Access Lists. 1) Authorized Access List: Upon receiving approval to access CAA CBI, the employee name(s) is placed on the OAQPS CAA CBI Authorized Access List (AAL). This list denotes those individuals authorized to access CAA CBI. 2) Authorized Project Access List: When the Group Leader designates an employee for access to specific CBI, the name is placed on the OAQPS Authorized Project Access List. These access lists are used as a reference to determine whether an individual is currently authorized to access CAA CBI and what specific CBI they are authorized to access on a need-to-know basis. I It is the responsibility of the WAM/TOPO to notify the DCO of any changes to Access lists 3) The contractor must maintain a CAA CBI Authorized Access List. The Access Lists must identify: a) Name of personnel authorized access to specific CBI. b) Contract number. c) CAA Project Number/Name. d) Project Lead. The CDCO/CDCA must submit an updated list to the OAQPS DCO Semi-Annually. The list is used to ensure that only individuals with current CAA CBI access authority obtain materials from the CDCO. The Access lists may be automated or hard copy. When a contractor employee no longer requires access to CAA CBI, he must notify the CDCO. The CDCO will remove their name from the authorized access lists and notify the OAQPS DCO of the deletion. 18 ------- EXAMPLE CONTRACTOR REQUEST FOR ACCESS TO SPECIFIC CAACBI DATE: (Date) Subject: Access request to Clean Air Act Confidential Business Information Contract No: Work Assignment No: (or Title of Person) BSD Project No: From: (Name of Requestor) Contract Document Control Officer (Name of Company) TO: (Current OAQPSDCO), CBI Manager OAQPS, PRRMS/CBIO, (MD-C404-02) (Name of Individual (s)) have been assigned to work on the referenced project and their work will require them to access confidential business information (CBI) that has been collected under the Clean Air Act (CAA). The mentioned (name of Company) personnel have been trained and are authorized to access CAA CBI. Approved by: (WAM/TOPO) Date (Group Leader) Date Figure 4 19 ------- b. Subcontractor/Consultant Access. The program PO is responsible for notifying the public and affected business of all subcontractors who require access to CAA CBI collected under the respective contracts. If this information is known at the beginning of the contract, a Federal Register notice must be published according to the guidelines specified in the Clean Air Act. Figure 5, is a sample letter that must be prepared and sent to affected businesses notifying them of who will have access to their information submitted to OAQPS. A ten day waiting period is required prior to access by a subcontractor/consultant to allow for comment by affected organizations. The Prime Contractor is responsible for notifying OAQPS of all subcontractors or consultants being used prior to releasing any CAA CBI to them. Additionally, the prime contractor is responsible for ensuring that all subcontractors comply with the provisions of this manual. 5. TERMINATION OF CAA CBI CLEARANCE. CBI clearances will be terminated when a Federal or Contractor employee no longer has a requirement to access CBI in the performance of their duties. Individuals no longer requiring access to CBI will be removed from the CBI access lists. CAA CBI clearance is terminated under the following circumstances: Termination of employment. Termination of duties requiring access to CBI. Failure to maintain annual certification as explained in Section II, CAA CBI Certification Procedures. Security Violations. Upon relinquishing their clearance, FOR ANY REASON, employees who have been granted access to CAA CBI must receive a terminal briefing. The DCO/CDCO will delete their name from the Authorized Access List (AAL) and remove their CAA CBI Form 2/CAA CBI Form 3 from the active file. CAA CBI Form 2/CAA CBI Form 3 will be stamped or annotated to reflect the date of termination of clearance. CDCOs will forward their copy of CAA CBI Form 3 to the OAQPS DCO. Confidentiality agreements will be retained as prescribed by EPA records management schedule SECU 624, 2 years for Federal employees and 7 years for Contractor employees. 20 ------- EXAMPLE Name of Recipient Title of Recipient Recipient's Address Dear Mr ./Ms. (Recipient's Last Name): The United States Environmental Protection Agency has authorized the following subcontractor to access information that has been, or will be submitted to the EPA under section 114 of the Clean Air Act (CAA) as amended (or applicable statute): list name and address of subcontractor/consultant. Some of this information may be claimed to be confidential business information (CBI) by the Submitter. This subcontractor will be providing support to the EPA under contract (list contract number). The prime contractor on this contract is (list name and address of the prime contractor). Under the direction of the prime contractor, this subcontractor will provide technical support to the Office of Air Quality Planning and Standards (OAQPS) in developing Federal Air Pollution Control Regulations. The EPA is issuing this notice to inform all submitters of information under section 114 of the CAA (or other applicable statute) that the EPA may provide the above mentioned subcontractor access to these materials on a need to know basis. Notification of the prime contractor's potential access to CBI was done through a previous Federal Register notice. In accordance with 40 CFR 2.301(h), the EPA has determined that the above subcontractor requires access to CBI submitted to the EPA under sections 112 and 114 of the CAA (or other statute) in order to satisfactorily perform work for the EPA under the above noted contract. The subcontractor's personnel will be required to sign non-disclosure agreements and will receive training on appropriate security procedures before they are permitted access to CBI. The above subcontractor's clearance for access to CBI is scheduled to expire on (date). Please provide any comments regarding the above subcontractor's access to CBI submitted by your company within ten working days of your receipt of this letter. Comments should be submitted to (Name of Current OAQPS DCO), Document Control Officer, Office of Air Quality Planning and Standards, (MD-C404-02), Research Triangle Park, NC 27711, (919)541-0880. Sincerely, (name of WAM/TOPO) (Division) cc: Project Officer OAQPS DCO Director, OAQPS/PRRMS Figure 5 21 ------- SECTION III. RECORDS MANAGEMENT FOR CAA CBI 1. OVERVIEW. This section describes how Confidential Business Information (CBI) whether originated by OAQPS or its contractors as derivative CBI or received as original CBI is identified, protected, logged, controlled, and managed. When any OAQPS employee or contractor employee receives any materials containing or suspected of containing CBI, they shall immediately deliver those materials to their respective CBI office for proper logging and storage. 2. INTENT. The OAQPS CAA CBI Records Management System must be able to track the movement of CBI, identify the persons with authorized access to it, detect its misplacement and make prompt retrieval possible. The OAQPS CAA CBI Records Management System ensures these objectives are accomplished by maintaining authorized access lists, assigning unique numerical identifiers (CBI control numbers) to each document, maintaining an automated inventory of all documents submitted/logged into the system, and by monitoring the movement of CBI through manual or automated logs, records of receipt, usage, and transmission. All material submitted to OAQPS and all material generated at OAQPS containing information claimed to be CBI are controlled through the OAQPS CAA CBI Records Management System. CBI materials usually form two distinct groups: a. Original CBI. Original CAA CBI is generally submitted voluntarily to the Environmental Protection Agency or obtained under Section 114 of the Clean Air Act. It is usually received in the form of a requested response from a solicited business or a site visit conducted by an OAQPS or contractor employee. b. Derivative CBI. Derivative CBI is the result of incorporation, paraphrasing, restating, or generating information from original CBI. Along with the file or record copy of a newly created CBI document, the OAQPS CBIO must keep a copy of the source document or sufficient identifying information from the source document. This information includes the originator's name and title and the date received. The OAQPS WAM/TOPO's name, title, and office must also be shown on the new document. 3. OAOPS CAA CBI RECORDS MANAGEMENT SYSTEM. The foundation of the OAQPS CAA CBI Records Management System includes the following basic items: Automated database (all CBI re: TSCA, CWA, RCRA, FIFRA, etc.). Control Records (for each item in the system). Custody Receipts (for transfer of material). Cover Sheets (for document protection/identification). Destruction and Declassification Logs. Document Inventory (by project, WAM/TOPO, disposition, etc.). Authorized Access List. 22 ------- a. OAQPS CAA CBI Automated Tracking System. An automated database is used to record pertinent information about CAA CBI materials filed in the CBIO and persons authorized to access specific CAA CBI. The database contains the following information: Date received. Date of document. Number of copies. CBI control number. Project name. Document description. Provider identification. Transfer information. Destruction record. Authorized access clearances. Various reports may be generated on a routine basis or when requested by management. They are: Complete inventory of all CBI documents including disposition (permanent inventory, destruction, declassification, etc.). Listing by specific regulating Acts. Listing by specific CBI projects. Listing of documents assigned to individual WAMs. Listings of authorized personnel (EPA and contractors). The CAA CBI database is continuously updated and allows the OAQPS DCO to determine the disposition of documents, retrieve documents in a timely manner, and to generate an accurate up- to-date inventory on a monthly basis or when requested. b. CAA CBI Control Record. CAA CBI Control Record, CAA Form 1 (Appendix H) is placed in each CAA CBI file as a permanent record of authorized personnel access. It also contains reproduction, transfer, declassification, destruction, and other pertinent information about the document. The Control Record facilitates timely and accurate accounting for CAA CBI material during the work day. Each user of CAA CBI must sign and date the Control Record each time access is granted to a CBI document. The Control Record is extracted from the file and retained by the OAQPS CBIO or contractor CBIO as a receipt for the material while it is checked out. It is signed and dated by the OAQPS DCO or CDCO upon the return of the CBI material and filed in the appropriate folder. When a CAA CBI document is declassified or destroyed, the CAA CBI Control Record will be retained for 2 years after the completion of the project as a record of the dispositon of these documents. c. Cover Sheets. Cover sheets are used to identify CAA CBI documents and provide a measure of security when the documents may be exposed to casual viewing. The Cover Sheet 23 ------- conceals the front of each document and must NEVER be removed. There are two types of cover sheets used by the OAQPS CBI Office. 1) CAA Confidential Business Information, CAA CBI Cover Sheet, CAA Forms 8 , (Appendix E) is a YELLOW sheet of paper inscribed with a claim of confidentiality and handling instructions. This cover sheet is placed over original CBI documents. 2) CAA Confidential Business Information, Duplicate Copy, CAA CBI Cover Sheet, CAA Form 8a (Appendix E) is a BLUE sheet of paper inscribed with a claim of confidentiality and handling instructions. This Cover Sheet is placed over all duplicate copies made from original CBI. The BLUE cover also serves as a certification of destruction of duplicate copies. See Item 12 of this section. d. Custody Receipts. CBI Custody Receipts are used to maintain a Chain of Custody when CAA CBI documents are transferred and is discussed in Section V, Transferring Custody of CAA CBI. e. New Materials. All project documents received by the OAQPS CBIO must be reviewed by the Project leader. When the status of a document is in question, it will be considered CBI until it is cleared by the originator or the project lead. After review of the materials, the documents are logged into the OAQPS CAA CBI Inventory. WAMs/TOPOs are responsible for coordinating with the DCO and their respective CDCO for the disposition of these materials. f. Inventory. The OAQPS CAA CBI Inventory Log, CAA CBI Form 12 (Appendix H), will be used in the absence of a automated document tracking system and will be maintained by the OAQPS DCO/DCA. This inventory must have an accurate description of each document. The inventory log includes the following information: Date received CBI control number (OAQPS & contractor) Provider's name /Description of materials (number of copies, pages, etc.) Recipient Disposition Disposed Date Inventory Date The inventory identifies all CBI material for which OAQPS is accountable; An inventory of CBI material is conducted on a recurring basis, during which time each CBI file is reviewed and purged of unneeded materials with the assistance of the WAM/TOPO. 4. QAOPS CAA CBI DOCUMENT CONTROL NUMBERS. The OAQPS DCO assigns an individual Document Control Number (DCN) to each CAA CBI document. The DCN consists of an alphanumeric code (e.g., 94111-C02-09). The first group denotes the fiscal year the document was received and the project sequence number (e.g., 94111); the next grouping identifies the responsible WAM/TOPO (e.g., COS); and the last group refers to the number of documents received for that specific project, during that fiscal year. The OAQPS CBI control number is placed on 24 ------- the cover sheet and the first page of the document. The control number is also placed on the custody receipt and folder. 5. CBI MARKINGS. Markings are conspicuously stamped, printed, written or affixed on classified materials to include other than paper documents. If this is not practicable, the containers of such material shall be marked. The means by which material is marked varies according to the physical characteristics of the material or organizational and operational requirements. CBI material shall be marked in such a way as to readily identify them for special handling. a. CBI Stamps. Both original and derivative CAA CBI documents are stamped "Subject to Confidentiality Claim." See Appendix D for additional CAA CBI stamps or markings. b. Computer Output. Documents that are generated as computer output may be marked automatically by systems software. If automatic marking is not practicable, these documents must be marked manually. Removable storage media and devices used with ADP systems, typewriters, or word processing equipment shall bear both external (affixed) and internal (software generated) CBI markings. Documents produced by ADP equipment shall have at a minimum their first page and their last page marked. c. Charts, Maps, and Drawings. The markings on charts, maps, and drawings are inscribed both at the top and the bottom of each document. When the document is unfolded, the classification marking shall be clearly visible on each folded portion. The marking must also be visible when the document is rolled or folded for storage. d. Photographs, Films, and Recordings. Photographs, including negative envelopes, must be marked as confidential. Their containers must also be marked. The markings on each transparency or slide must be on the image and on the holder or frame. Classified motion picture films and videotapes are marked at the beginning and end with a clear statement of classification. The containers or reels on which they are kept must also be marked. 6. CBI DOCUMENTS. Care must be taken not to compromise proprietary information when working with CAA CBI. Documents, generated by OAQPS or its contractors, that contain information derived from CBI documents should be treated as CBI until cleared by the Group Leader, providing organization or OGC, if required. a. Working Papers. Newly created CBI is, at first, in the form of working papers. The category of CAA CBI working papers includes materials such as notes and outlines; initial drafts of documents; computations, drawings, and diagrams; and other documents. It is the employee's responsibility to ensure that no information, which has been previously declared as CBI by the originator, is entered into working papers which are intended for public dissemination. If in doubt, working papers should be secured in the CAA CBI office. If the document is later deemed to be non-confidential, it will be returned and retained by the appropriate Project Leader. 25 ------- b. Typing/Word Processing Requirements. The author of a CAA CBI document may provide the document to a typist who has authorized access. The typist must return to the author the newly typed materials and the original draft when typing is completed. All materials used in typing documents containing CBI, including word processing disks, ribbons, and waste paper must be treated as CBI and submitted to the CBIO for storage or destruction. The typist may use the Local Area Network (LAN) for the preparation of CAA CBI documents but must never store CAA CBI on Share drives or any device other than removable storage media. Data, reports, etc., must be stored on a floppy diskette or other removable media and submitted to the CBIO, with a hard copy, for proper logging and storage. 7. NON-CBI DOCUMENTS. Materials produced from CAA CBI need not be confidential. Non-confidential documents may be produced by deleting CBI from an existing document or by masking or aggregating the CBI so that it cannot be linked to its source. a. Deleting or Replacing CBI. CAA CBI can be replaced in a document with NON-CBI data, generic descriptive words or terms derived from CBI data that are not themselves CBI. b. Masking or Aggregating CBI. Group Leaders must be consulted in advance by authors who wish to produce non-confidential documents by masking or aggregating CBI. Group Leaders shall review all submissions of masked or aggregate material to ensure that no CBI is exposed and approve the final non-CBI version. c. Dropping CBI Claim (Declassification). Non-CBI documents can also be created from information submitted by a providing organization which drops its claim of confidentiality, or for which a claim is determined not valid by the OGC. If a providing organization relinquishes its claim of confidentiality for original CBI, the WAM/TOPO must obtain a written statement from the submitter and provide a copy to the DCO before the information can be released to the public in accordance with the procedures established under 40 CFR 2 Subpart B. EPA and Contractor employees will comply with the following procedures when declassifying CBI documents. CAA CBI may be declassified under two conditions: 1) When written authorization has been received from the submitting organization. a) DCO/CDCO will verify that the proper declassification authority has been received. A declassification notice must accompany all requests and will denote the organization authorizing declassification, description of specific item(s) being declassified, project number and document control number. b) Declassified documents need not be kept in the CBI inventory and may be returned to the respective OAQPS Project Lead or Contractor Team Leader. 26 ------- The DCO/CDCO will inventory the documents prior to transfer to ensure that only declassified documents are being transferred. c) The receiving DCO/CDCO will inventory declassified materials and verify that they are in accordance with the declassification notice. Any discrepancies will be reported IMMEDIATELY. d) If declassified materials are received and cannot be immediately inventoried, they must be stored and treated as CBI until an inventory has been completed. 2) When the originator has not responded within a prescribed time period to a notice of intent of disclosure submitted to them by the Project Lead as required by 40 CFR 2 subpart B. At no time will a Contractor or Subcontractor declassify any CBI in their possession without the expressed, written authorization of the Project Lead and notification of the OAQPS DCO. In all instances, the WAM/TOPO is responsible for ensuring that documents contain no CBI. Materials produced using CBI must be treated as CBI until a determination is made by the Group Leader or providing organization. 8. DISPOSITION OF CAA CBI DOCUMENTS. WAM/TOPOs or the responsible Group Leaders shall initiate the process for destruction or disposal of original CBI material not used or referenced in the rulemaking process. The OAQPS DCO will destroy specified documents and maintain a record of all destroyed documents. The destruction of CAA CBI material shall only take place with the proper authorization from the WAM/TOPO and when in accordance with applicable records management schedules. Submitter notification is not required. a. Original CAA CBI Materials. CBI material used for technical reference only and not used in the formulation of a rule, policy or decision may be retained until no longer needed at which time, and with the prior approval of the WAM, may be routinely and consistently destroyed in accordance with EPA/NARA Records Retention Schedule TECH 008. CBI documents that are referenced in rulemaking dockets and / or have been used to formulate policy or in the development of a rule, will be treated in accordance with EPA/NARA Records Retention Schedule REGS 149. Project leads will provide the DCO with docket index numbers as soon as available. b. CBI Created by OAQPS. Authors of derivative CBI (CBI created from original CBI) may authorize the CBI Office to destroy these materials. Documents such as site surveys, test reports, telephone conversations, and meeting minutes which are compiled into a draft trip report, are forwarded to the affected business (providing 27 ------- organization) for review of accuracy and confidentiality by the responsible Group Leader. The responsible industry official is requested by cover letter to review the report, clearly mark any information considered to be confidential, and return the marked-up report within the specified time frame. The original is kept in the CBIO. When the marked-up copy of the report is returned, OAQPS will have the option of: Protecting the whole document as CBI. Creating a nonCBI version with all CBI removed by aggregating or masking, and maintaining a complete CBI version. Creating a CBI addendum when indicated CBI is at a minimum. Challenging the validity of the business' claim through OGC. All revised final documents must be submitted to the providing organization for review before release to the public. If the report is determined to be accurate and nonconfidential, the business firm will so note, or not-respond by the requested date. If the document has CBI status, it is placed in the OAQPS CBIO and logged into the OAQPS CAA CBI inventory. In the event that the firm does not respond by the requested date, the WAM/TOPO shall contact the providing organization and verify the claim and provide a written response to the OAQPS CBIO for declassification or release purposes. 9. RECORDS OF DESTRUCTION. Records of destruction are required for CAA CBI materials. When a document is destroyed, the OAQPS DCO or the CDCO must indicate on the CAA CBI Control Record, CAA CBI Form 1 (Appendix H) the destruction date, person destroying document, and attach documentation authorizing the destruction to the CAA CBI Control Record. The control records of destroyed documents must be retained for audit purposes in accordance with EPA records management schedules. The destruction of CBI materials shall be documented in the CAA CBI automated database. 10. METHODS OF DESTRUCTION. CAA CBI documents and materials shall be destroyed in a manner that precludes recognition or reconstruction. In general, CAA CBI materials are destroyed by SHREDDING (including any type of paper substance microfiche, typewriter ribbons, diskettes, and data tapes). 28 ------- 11. CDCO RECORDS MANAGEMENT RESPONSIBILITIES. Contractor DCOs must comply with the aforementioned requirements of this manual to ensure adequate safeguarding and handling of CAA CBI documents. CDCO may use sample CAA CBI Forms or design own in-house forms as long as required OAQPS information is available. a. CAA CBI Control Numbers. CDCOs may implement an internal CAA CBI control numbering system, but must cross-reference OAQPS CAA CBI Control numbers on custody receipts, inventories, derivative CBI, correspondence, etc. regarding specific CAA CBI. b. CAA CBI Inventories. CDCO must maintain an accurate inventory log consisting of a NON-CBI description of each document in the CBI inventory (Appendix H). The CDCO shall conduct an inventory of all CAA CBI materials stored at their facility at least once a year. A copy of the inventory shall be submitted to the OAQPS DCO. Any original CAA CBI no longer needed at their facility must be returned to OAQPS. c. Reproducing Documents. Copying of CAA CBI by contractors is limited to working papers, drafts of technical reports, drafts of trip reports, meeting handouts, and similar temporary documents. Copying must be done under the direction and guidance of the CDCO. Procedures in Section IV, e. should be followed during all document reproduction. 12. COMPLETION OF CONTRACTS, WORK ASSIGNMENTS OR TASK ORDERS. All documents generated, or received during the execution of a project or contract are the property of the EPA and must be submitted to the agency upon completion of the project or contract. CDCOs will return all to the OAQPS CBIO. The CDCO will ensure that all project CBI materials are inventoried prior to their return. a. Originals. Originals, documents or materials generated by the contractor in support of the assigned project, must be returned to the OAQPS DCO at closeout. b. Duplicates. All duplicate copies, sent to the CDCO for reference during a project, may be destroyed in conjunction with the closeout inventory. Duplicates transferred by OAQPS will be identified by their distinctive (BLUE) document cover (Appendix E). CDCOs will acknowledge destruction of duplicates by signing the appropriate section of CAA Form 8a and returning it to the OAQPS DCO along with CBI materials. In the event that cover sheets are not available, the CDCO will submit a memorandum accounting for the destroyed duplicates. 29 ------- SECTION IV. CAA CBI WORKPLACE PROCEDURES 1. OVERVIEW. Many modern office buildings incorporate contemporary office design which present a unique challenge to DCOs, CDCOs and employees alike. Glass walled conference rooms, open area office space and common areas increase the likelihood of inadvertent disclosure of CBI information through overheard telephone conversations or casual viewing of CBI documents by others. This work environment requires that certain procedures be followed to ensure strict CAA CBI document control measures during the conduct of daily business. 2. OBTAINING CBI DOCUMENTS. Employees and contractors who are authorized access to specific CAA CBI may obtain CBI materials from the OAQPS CBIO. The OAQPS DCO verifies that the employee is authorized access to the requested CBI. Employees must sign the OAQPS CBI Control Record upon receipt of the document and safeguard CBI materials while in their possession. Any time an employee relinquishes physical custody of the CAA CBI (lunch or at the end of the day), he/she must return the document to the CBI office for storage. The DCO/DCA will sign and date the Control Record upon return. (Other than as provided in Section III, 6 (b); Direct transfer of CAA CBI materials between employees is not permitted). In the event the CBI Office is closed, employees must retain control of the documents or they may take the documents to an approved CBI storage site for temporary storage. It is the custodian's responsibility to ensure that the documents are logged and secured until they can be retrieved by the DCO or DCA. CDCOs should develop their own policies to address this contingency. CBI materials are transferred ONLY through CBI offices or DCOs 3. DOCUMENT CONTROL. In order to minimize the exposure of CAA CBI materials to inadvertent disclosure, the following document control steps should be taken: a. Telephone Calls. Federal and contractor employees with CAA CBI access may discuss CAA CBI on the telephone with other individuals who are authorized access to the specific CBI or authorized individuals of providing organizations. However, caution must be used because interception of telephone communications is an easy means by which unauthorized persons may obtain CBI. When making or receiving telephone calls in which CBI will be discussed, the following safeguards should be abided by: Verify the identity and CBI access status of the person with whom they are speaking. 30 ------- Inform the person that the telephone lines are not secure. Assure the person that a telephone discussion of CAA CBI with a federal or contractor employee does not constitute a waiver of any claim of confidentiality. Inform the person that any information provided in the telephone conversation claimed as confidential will be properly safeguarded. I Interoffice communication systems (i.e., speaker phones) will not be used to discuss CAA CBI. || Federal and contractor employees shall complete the Memorandum of CAA CBI Telephone Conversation, CAA CBI Form 6 (Appendix B) for all telephone calls in which CAA CBI is discussed. Telephone memorandum must be submitted to the CBIO upon completion of the call so it can be added to the record. b. Work Spaces(Cubicle). Whenever possible, try to arrange your work area so that casual passers-by can not read the contents of CBI documents. c. Computers. When working with word processing applications always turn computer screens away from view or minimize screens when unauthorized individuals come into your work area. In order to remove "Temp" files which may have been created during a computer session, close applications after use. If in doubt, locate the application's Temp Storage folder and verify deletion. Printers should also by turned off to remove any documents in the printer's memory buffer. Additional guidance is provided in Section VII. I It is the responsibility of the user to ensure that all appropriate measures have been taken to protect CAA CBI from disclosure to unauthorized individuals. || d. Meetings. OAQPS offices or Contractors that host or convene any meeting (conference, symposium, seminar, exhibit, convention, scientific, or technical gathering) at which CAA CBI will be disclosed shall take appropriate security measures. The DCO shall be notified whenever CAA CBI materials must be reproduced for use at a meeting. The chairperson must verify that all attendees are cleared for CAA CBI and have a need to know specific CBI to be discussed. Whenever CAA CBI documents are circulated for discussion you must: 1) Have any required documents reproduced by the OAQPS DCO/DCA. The DCO will number the copies i.e. lof 6, 2 of 6 to ensure that all pages are returned to the CBI Office. 31 ------- 2) Provide a CAA CBI Meeting Sign-In Sheet, CAA CBI Form 7 (Appendix C) as a meeting record. The following information shall be recorded: date, time, place, chairperson, and subject. All persons attending the meeting must sign this sheet. The chairperson will control access in and out of the meeting. All sign-in sheets shall be delivered to the CBIO by the close of business or the next business day after the meeting. 3) The meeting chairperson must remind those in attendance of their duty to treat all notes or recordings taken at the meeting as confidential. These materials will be submitted to the CBIO for storage until CBI status is determined. Notes, minutes, summaries, recordings, proceedings, and reports on the CAA CBI classified portions of the meeting must be safeguarded and controlled throughout the meeting. 4) Physical and technical security controls shall be established to control access. The meeting room shall be cleared of all CAA CBI materials after the meeting. This includes cleaning all chalkboards, returning any unneeded CAA CBI materials to the CBIO for destruction, and ensuring that nothing is left in the room that could lead to the unauthorized disclosure of CAA CBI. e. Document Reproduction. This subsection details the procedures for controlling and safeguarding CAA CBI reproduction or other copying. 1) Group Leaders or WAM/TOPOs authorize the reproduction of CAA CBI materials. Only the DCO/DCA is authorized to make reproductions. The DCO will log additional copies into the OAQPS Records Tracking System and record the distribution of copies. 2) Copy machines should be dedicated solely to CBI document reproduction. Only persons authorized access to the specific CAA CBI being copied may be present during copying. After reproduction, the operator must pass three blank copies through the machine to ensure that any impressions on the image surfaces of the machine have been erased. 3) If the equipment used for reproducing CAA CBI materials has a malfunction, the DCO must inspect the machine's paper path and image surface to retrieve any materials that may be jammed in the equipment before the repair person is called. f. CBI Waste. Documents and materials such as typewriter ribbons, carbons and draft copies used in preparing confidential information shall be handled in such a way that the information is adequately protected until destroyed. Section III, gives instructions for the disposal and destruction of CAA CBI. g. Use of FAX Machines. The use of FAX machines to transmit CAA CBI documents is authorized. As with any CBI document, care must be taken not to leave documents uncovered or unattended during transmission. Specific procedures for the use of FAX machines is covered under Section V,8,d of this manual. 32 ------- h. Site Visits. Because data-gathering visits, plant inspections, and source testing may involve inadvertent receipt of CBI, it is the policy of OAQPS to protect all parties involved. Prior to or at the inception of a plant inspection, data-gathering visit, or source testing, OAQPS representatives should discuss with plant representatives the information that will be sought, how it is to be used, and how it is to be protected. OAQPS representatives should solicit the assistance of plant representatives in determining if any materials being removed from the site are claimed as CBI. Only materials claimed and marked as CBI are secured in the CBI office. 4. SPECIAL CIRCUMSTANCES . In the event of a fire or other emergency requiring evacuation of office spaces, persons who are unable to return the material in their possession to the CBIO will ensure that such material is safeguarded by covering it from view and taking it with them. The employee must keep it under their personal control at all times until it can be secured. 33 ------- SECTION V. TRANSFERRING CAA CBI 1. OVERVIEW. This section discusses minimum procedures required to ensure the security of CBI during authorized transfer. 2. TRANSFERRING CAA CBI TO OTHER FEDERAL. STATE OR LOCAL AGENCIES. EPA regulations allows disclosure of CBI to another Federal or State agency in either of two circumstances. Specific guidelines for transfer of CBI documents can be found in 40 CFR Part 2, Subpart B, Sec. 2.209: When the official purpose for which the information is needed by the other agency is in connection with its duties under any law for protection of health or the environment or for specific law enforcement purposes; or When disclosure is necessary to enable the other agency to perform a function on behalf of EPA. In either circumstance, the PRRMS Director must be notified immediately upon receipt of a request for documents or information requiring access to CAA CBI. In addition, the procedures described below must be followed before CAA CBI may be disclosed to other agencies. These procedures do not apply to disclosure of CAA CBI to individual employees of other agencies performing functions on behalf of OAQPS where access is confined to OAQPS premises. EPA may disclose CAA CBI to other Federal, State or Local agencies upon the written request from the requestor. Because of the time needed for processing, the written request should be directed to the PRRMS Director at least 30 days prior to the time access is needed. The request must be signed by an official of the other agency who is at least equivalent in authority to a Division Director. It should state specifically the information to which access is requested. The official purpose for which the CAA CBI is needed should be set forth in detail as well as any other pertinent information, such as previous efforts to obtain the information. The need must be in connection with the agency's duties under a law for the protection of public health or the environment or for a specific law enforcement purpose. When the signed agreement is returned, it shall be forwarded to the OAQPS CBIO along with a Letter to Accompany CAA CBI Transferred Outside OAQPS (Appendix I). This letter will constitute direction to the OAQPS DCO to transmit the CAA CBI materials to the requestor. The OAQPS DCO will send the materials, the letter and the CAA CBI Custody Receipt to the requestor. 34 ------- NOTE: TSCA and FIFRA CBI maintained by OAQPS may not be disclosed to States. a. CBI Security Agreement. In addition, as part of its written request, a Confidential Business Information Security Agreement, CAA CBI Form 15 (Appendix I) must be signed by an official of a government entity requesting transfer of CAA CBI prior to transfer of custody. This form requires the official of the receiving agency to verify that the information will be safeguarded utilizing procedures comparable to EPA's procedures for handling CBI found in this manual and 40 CFR, Part 2, Subpart B. Additionally, each person having access to CAA CBI documents will be required to sign a Confidentiality Agreement CAA CBI Form 2a (Appendix I). Further disclosure of information claimed as confidential, by the gaining agency, is authorized only if it meets the following conditions: The gaining agency has statutory authority both to request and receive the information, and to make the proposed disclosure and, prior to the disclosure, it has furnished the affected business with at least the same notice that EPA would provide under its regulations. The gaining agency has obtained the consent of each affected business to the proposed disclosure. The gaining agency has obtained a written statement from the EPA OGC or an EPA Regional Counsel that disclosure would be proper under EPA's regulations. b. Notice to Affected Businesses. OAQPS CAA CBI may be released to State or Local agencies with the written permission from the submitter. Also, it may be possible to aggregate data or sanitize documents containing CAA CBI without disclosing information claimed as CBI. When disclosure is requested by another agency, OAQPS must give the affected businesses at least 10 calendar days notice before granting access to the other agency. Notice to the affected businesses may be given by Federal Register, letter sent by registered mail (return receipt requested), or telegram and must include: The identity of the agency/contractor to which CBI is to be disclosed. The official purpose for the access. Whether access is authorized only on EPA premises or also at the other agency or contractor's facilities. A non-confidential description of the specific information to be disclosed. The period of time for which access to the CBI is authorized. 35 ------- However, no notice shall be required when EPA furnishes business information to another I Federal agency to perform a function on behalf of EPA. c. Before Approval. The PRRMS Director will notify the requesting official acknowledging receipt of the written request and will direct issuance of a notice to affected businesses if required. The PRRMS Director will also notify the requesting official if approval is not granted. d. Before Transfer. Before CAA CBI may be disclosed, the PRRMS Director must notify the other agency that the information being disclosed is classified as CAA CBI, that it was acquired under authority of the CAA, and that any unauthorized disclosure of the information may subject employees of the other agency to criminal penalties (18 U.S.C. 1905, et.al.). 3. TRANSFERRING CAA CBI TO EPA CONTRACTORS OR PROVIDING PLANTS/FACILITIES. CAA CBI documents are transferred to authorized individuals by the OAQPS DCO. To initiate the process of transferring CAA CBI, a Letter of Transfer (Appendix J) shall be prepared by the responsible Group Leader. The WAM/TOPO or employee delivers the letter of transfer to the CBIO. The letter of transfer, a custody receipt (and one copy) are enclosed with the transferred CAA CBI. CAA CBI documents (draft reports, revisions, telephone contact reports, etc.) are transferred between DCOs/CDCOs via a Custody Receipt. A Letter of Transfer signed by the Group Leader is not required for this type of transfer. The process for transferring CBI to a contractor or facility is as follows: WAM/TOPO submits letter of transfer to Group Leader for signature (Facility Only). WAM/TOPO gives verbal or written authorization for document transfer to contractors. Letter of transfer and Project or CAA CBI control number, if known, is submitted to the CBIO (Facility Only). The DCO prepares the custody receipt, properly packages CAA CBI including letter of transfer. The DCO releases package to authorized contractor employee or mails package via registered mail or Federal Express. 4. TRANSFERRING CAA CBI FROM CONTRACTORS TO OAQPS. The contractor Project Lead or EPA Work Assignment Manager must authorize the transfer of CAA CBI, related to their projects, to OAQPS. Records should be identified and instructions given to 36 ------- the CDCO to return the material to the OAQPS CBIO. The material being transferred must be listed on the CAA CBI Custody Receipt, CAA CBI Form 14 , Appendix H (including the OAQPS CAA CBI control number if available). The process for transferring CBI from EPA Contractors to OAQPS is as follows: WAM/TOPO gives verbal or written authorization for document transfer to OAQPS. The CDCO prepares the custody receipt, properly packages CAA CBI for transfer. The DCO releases package to authorized contractor employee or mails package via registered mail or Federal Express. Direct transfer of CAA CBI materials between contractor employees is not permitted. CAA CBI materials must be transferred through the CDCQ only. 5. TRANSFER TO SUBCONTRACTORS. EPA's regulations (40 CFR, Part 2) allow disclosure of CAA CBI to contractors and their subcontractors when disclosure is necessary to enable the contractor to perform work on a contract. Unless previously given, the affected businesses must be given notice before CAA CBI is transferred to the subcontractor with the same requirements as indicated above. The initial notice is usually prepared by the OAQPS Project Officer and is published in the Federal Register notifying the public and affected businesses of OAQPS contractors and subcontractors who will have access to CBI collected under the Clean Air Act. As in all cases the procedures listed in this section apply to transfers of CAA CBI to subcontractors. The Prime Contractor is responsible for the transfer of CAA CBI to their designated Subcontractors or Consultants. 6. PREPARATION AND PACKAGING. CAA CBI materials to be transferred will be processed by the DCO. The following guidelines set forth the procedures for preparing and packaging CBI materials. a. Inner and Outer Covers. Before CAA CBI may be transferred or hand carried out of the OAQPS facility, the materials to be transferred must be double wrapped with opaque paper. The inner cover must bear markings that indicate the classification and instructions, "Subject to Confidentiality Claim," and "To Be Opened by Addressee Only." The person to whom the material is intended is included in the address as an "Attention" line on the inner envelope. Markings on the inner cover shall not show through the outer cover. b. Addressing. CAA CBI being transferred from the OAQPS CBIO to another facility or being returned from a facility to the CBI Office shall bear the name of the receiving DCO and 37 ------- shall not bear any classification markings or other indication that CAA CBI information is enclosed. c. Packaging. Materials used in packaging CAA CBI must be strong and durable enough to provide protection in transit and prevent items from protruding through the covers. Upon receipt, packages must be inspected to ensure that the seals have not been broken. 7. CUSTODY RECEIPT. A CAA CBI Custody Receipt, CAA CBI Form 14 (Appendix H) is included with all transfers of CAA CBI materials and prepared in triplicate. This form provides the previous holder of CAA CBI with proof of accountability that the material was transferred and received. The Custody Receipt is prepared in three copies. After verifying all materials were received, the recipient signs and dates Copy 1 and returns it to the sender. Copy 2 may be retained by the recipient for his/her records. Copy 3 is retained by the CBIO as a suspense copy until the signed original Copy 1 is returned by the recipient, or the Domestic Return Receipt is received acknowledging delivery of the document(s). See Section III. Records Management for CAA CBI for more information on accountability, control records, and the CAA CBI control numbers. 8. TRANSFER METHODS. OAQPS CAA CBI may be transferred or transported by the following methods: Hand carried to another facility by an employee or contractor employee who is authorized access to the CAA CBI. U.S. Postal Service registered mail (return receipt requested), Express Mail. Private courier (Federal Express). a. Hand Carrying. Appropriately cleared OAQPS employees may be authorized to hand carry CAA CBI material between facilities (when traveling) if the conditions outlined below are met. 1) Individuals authorized to carry CBI must contact the CBIO to be fully briefed on the provisions of this Section before departing. 2) While traveling by plane or other public conveyance, employees must keep CAA CBI materials in their possession, and will not check them with their luggage. 3) When employees travel with CAA CBI materials and are unable to deliver or ship the CAA CBI materials to a facility authorized to store CAA CBI, they may store the 38 ------- materials for short periods inside the locked trunk of a motor vehicle while enroute. At no time will CBI materials by stored in the trunk of a car overnight. CAA CBI materials may be stored overnight in hotel safes, if a receipt is obtained from the hotel management. Otherwise, CAA CBI materials must be kept in the possession of the traveler. 4) The storage provisions for CAA CBI are detailed in Section VIII. Storage of CAA CBI, shall apply to all stops enroute to a destination. CAA CBI materials shall not be unwrapped until the traveler's destination is reached. If the materials are to be transferred to someone at that location, they must immediately be taken to the local DCO and logged into the local Document Tracking System or given to the designated plant recipient. 5) The CBI Office shall log out CAA CBI carried or escorted by traveling personnel. CAA CBI must be inventoried upon return by count and inspection of materials or by inspection of receipts for materials, if delivered. b. Registered Mail. CAA CBI material must be mailed by registered mail (return receipt requested). Regular first class mail must never be used to transfer CAA CBI. c. Couriers and Express Mail. EPA and contractor employee couriers, commercial couriers, and U.S. Postal Service Express Mail may be used in the transmission of CAA CBI. d. FAX Transmittal. During the conduct of daily business it may become necessary to transmit CAA CBI documents to and from originating facilities or EPA and Contractors in order to expedite processes. The DCO or DCA must be informed of all FAX transmissions of CAA CBI. The guidelines listed below have been established to provide security of documents transferred via this medium and apply to both EPA and Contractor employees: Prior to any FAX transmittal of CAA CBI, all parties must be made aware that transmission lines are not secure and that NO encryption equipment will be used to scramble the message. 1) Only a FAX machine located in the CBI Office is authorized to receive a FAX containing CAA CBI. 2) Before sending a FAX containing CAA CBI, the sender must verify the recipient's access authority. 3) During transmission, the sender must have sole access to the FAX machine. The sender must also ensure that no uncleared person(s) view the CAA CBI documents. 39 ------- 4) FAX machines may contain internal memory. After transmission is complete the sender must turn off the FAX machine in order to clear the memory buffer. 5) Central FAX receiving centers are not authorized to receive CAA CBI. 6) Individuals requesting the transmission of CAA CBI must ensure that the recipient's FAX number is correct. 7) FAX machines should be configured to print a Transmission Receipt when FAXing is complete. This receipt will be placed in the document's official file. In addition, the DCO will contact the recipient after transmission to verify the FAXed copies have arrived. When FAX transmittal of CBI is requested by an originating facility, the WAM/TOPO must verify that the recipient is authorized to receive a company's CAA CBI documents prior to transmission. Facilities must submit a notarized letter on corporate letterhead signed by a corporate officer indicating the person(s) authorized to receive CBI documents. The notarized letter will be maintained in the official document file. 40 ------- SECTION VI. STORAGE OF OAQPS CAA CBI 1. OVERVIEW. This section describes the minimum standards for the physical safeguarding and storage of CAA CBI. 2. INTENT. Offices established for the storage and security of CAA CBI material are responsible for ensuring that all reasonable means have been taken to prevent the unauthorized disclosure of information. A complete evaluation of security risks will identify the safeguards required to address potential threats. 3. STORAGE SPECIFICATIONS. I The type of container and storage area approved for CAA CBI storage must be adequate to the level of security identified by the Risk Assessment and detailed in the Security Plan. EPA's Information Security policy provides for a methodology for a risk analysis to adequately determine the appropriate security level to address the risk. The risk assessment and security plan are subject to approval by the PRRMS Director and shall be available to representatives of EPA's OIG. The risk analysis will provide an evaluation of the relative vulnerabilities at an installation in order to maximize the effectiveness of security measures within the constraints of available resources. As a minimum, security of CAA CBI materials maintained in manual record form will conform to those measures prescribed by the EPA Information Security Manual, Section 14.3. a. Minimum storage area requirements The preferred CBI storage area is an interior office or room which will be designated soley for the storage of CAA CBI. Items to consider when choosing a storage area are: Windows - When visual access is a factor, windows should be kept closed and locked at all times. Windows should be made translucent or opaque by any practical method such as painting or covering the inside of the glass to prevent viewing from the outside. Ceilings - Ceilings should be constructed of plaster, gypsum wallboard material, panels, hardboard, wood, plywood, ceiling tile or other material offering similar resistance to and detection of unauthorized entry. When a false ceiling is used, this false ceiling should, within a reasonable manner, provide resistance to unauthorized 41 ------- entry and be alarmed or otherwise secured. In those instances where barrier walls extend to a solid ceiling, there is no need to reinforce a false ceiling. Walls - Construction should be plaster, gypsum wallboard material, metal panels, hardboard, wood, plywood, or other material offering similar resistance to and detection of unauthorized entry. If insert-type panels are used, a method must be devised to prevent the removal of such panels without leaving visual evidence of tampering. Barrier walls should be opaque or translucent where visibility is a factor. If visual access is not a factor, barrier walls may be wire mesh or other non-opaque material. Barrier walls should extend to a solid ceiling. If, however, walls extend only to the level of a false ceiling, the open area between ceilings must be secured. Access Door - Whenever possible, the storage area should have only one access door. Doors will be solid wood or metal and secured by a Combination, Cipher Lock or Electronic Card Reader. b. Minimum storage equipment: Containers - Lockable File Cabinets (Keyed or Combination Lock). Storage cabinets must be secured by a combination lock or require a key for access. "OPEN/CLOSED" magnetic signs or equivalent, shall be posted on each CAA CBI storage container to readily identify containers that are open or locked, and to provide a visual spot check at the end of the work day to ensure containers are properly secured. All CBI storage containers and the entry door shall be locked whenever CBI personnel are not present, i.e. lunch hour, and at the end of each business day. 4. PROCEDURES FOR COMBINATION LOCKS AND CABINET KEYS Procedures must be developed for the use and accountability of locking devices used on CAA CBI storage containers. The security of lock combinations and key control is paramount to the OAQPS security program. Locks are not required to resist forced entry with tools but shall be so designed and constructed to resist the effects of normal everyday use and abuse. a. Combination Locks. Combination locks used to secure CAA CBI must conform to the following minimum specifications: 1) The locking mechanism shall preclude the changing of the combination without knowledge of the existing combination. 2) The locking mechanism shall not permit the shackle to be locked out in the open position. 3) The locking bolt shall be guarded by not less that three combination wheels. 42 ------- 4) The shackle shall not spring to the open position when unlocked. b. Changing Combinations. Combinations shall be changed only by cleared personnel having that responsibility under these circumstances: Whenever someone who knows the combination no longer requires access. In the event of suspected compromise of CAA CBI. When deemed necessary by the custodian. Knowledge of combinations is limited to CBI Office personnel and DCOs. Records of combinations must be protected as though CAA CBI. c. Keyed Locks. Keys require strict controls since they can be more easily lost or stolen. Key Control measures: All keys will be locked in the CBIO key box under the direct control of the DCO/CDCO. A record of all key ID numbers will be maintained by the DCO/CDCO. A key control roster will be maintained by the CBIO to annotate when keys are removed from and returned to the Key Box by CBIO staff. At no time will keys be removed for the CBI office. Each key will remain in the cabinet locking device when the cabinet is opened. Each key will have a tag with the appropriate key ID number affixed. The tag will serve a dual purpose. It will make keys easy to identify and it may serve as an "OPEN/CLOSED" indicator. 5. SAFEGUARDING CAA CBI IN THE EVENT OF A DISASTER. Security of CAA CBI should be an integral part of any Disaster Plan. A disaster plan is required by the Federal Emergency Management Agency (FEMA) to ensure the safety of personnel and to protect vital records. OAQPS and its contractors are required to protect any records/documents affecting the legal and financial rights of the Government and of the people affected by its actions. Steps take in safeguarding CBI in the event of an emergency form part of the overall OAQPS Contingency Of Operations Plan (COOP)which has three main components: prevention, preparedness, and response. 43 ------- a. Prevention. Procedural prevention relates to activities performed on a day-to-day, month-to-month, or annual basis, relating to security and recovery. The objective of procedural prevention is to define activities necessary to prevent various types of hazards and ensure that these activities are performed regularly. Physical prevention begins when a CAA CBI storage site is identified or constructed. It includes special requirements for room construction, as well as fire protection for various equipment. Special considerations include: computers, fire detection and extinguishing systems, record(s) protection, air conditioning, heating and ventilation, electrical supply and emergency egress. The OAQPS DCO will conduct an inspection of the OAQPS CBIO to identify problem areas and foster awareness of disaster prevention issues among the staff. The OAQPS DCO will train the CBIO staff in records management, protection, and how to respond to a disaster. b. Preparedness. OAQPS DCO will ensure that there are appropriate supplies on hand to deal with immediate needs, conduct CAA CBI database backups on a. routine basis and identify local suppliers of materials that are needed in the event of a disaster. The OAQPS DCO will also keep up-to-date on current technology, procedures, and services available for disaster planning and recovery, and ensure the staff is informed about these issues. Additionally, the DCO will ensure appropriate security measures are taken to prevent damage or destruction of CAA CBI, at approve off-site storage facilities. c. Response. The OAQPS DCO is responsible for directing all disaster operations affecting damage or destruction CAA CBI records. All OAQPS staff (Directors, Group Leaders, POs, WAM/TOPOs and employees) must be involved in order for the disaster plan to be effective. Preventing, preparing for, and responding to disasters has to be a team effort. The OAQPS DCO will evaluate the damage, plan and execute recovery operations, and perform a post-disaster assessment. 44 ------- SECTION VII. OAQPS CAA CBI COMPUTER SYSTEM SECURITY 1. OVERVIEW. This policy applies to all information systems processing and/or storing CAA CBI. It shall apply equally when the systems are owned and operated by EPA or by its contractors or consultants. 2. DIRECTIVES. The computer processing of CAA CBI must be in compliance with the security guidelines as outlined in EPA Directive 2100, Information Resources Management Policy Manual, EPA Directive 2195A1, EPA Information Security Manual; and Office of Management and Budget OMB Circular A-130 ( directives issued to all Federal agencies processing sensitive data by computer). These directives require Federal agencies processing sensitive information by computer to establish and maintain a formal security system. 3. BASIC SECURITY REQUIREMENT. In accordance with the OAQPS Information Security Plan, all OAQPS LAN and application users must ensure that system resources are protected. Employees are held accountable for their actions and are responsible for information security. When CAA CBI access is permitted over an information system. The system must provide a level of security adequate to protect any CBI being processed from alteration, loss, or unauthorized access. The system will conform to the following specifications: a. Security Mode. OAQPS CAA CBI must be entered into an isolated system with access control safeguards as well as additional safeguards within the system. In addition, file and data separation is required since all users are not authorized to access all data. b. Authenticity and Verification. The system will authenticate the password of each project, verify each user's identity, and validate each user's file access authority and privileges. The DCO will maintain a list of all CBI user Passwords. System output must have special markings that identify particular data sets or programs to provide audit trails. These audit trails will produce an activity log and, when possible, an event record to permit analysis of system operation by the CBI Office. c. Remote Operation (Dial-up or Wireless). There will be no communication system to interface with remote systems, Personal Digital Assistants (PDA's) or Laptops. d. User Requirements. All system users and persons authorized access to the information system shall meet the following criteria: Receive authorization to access CAA CBI data system by completing a Request, 45 ------- Approval, and Registration for CAA CBI Computer Access, CAA CBI Form 10. Obtain and understand the proper security procedures for operation of the system. Report any incidence of system malfunction. Receive training in the use of the system. Sign an acknowledgment of having been provided the above information. OAQPS and contractor employees authorized access to specific CBI may view a computer screen that contains the specific CBI to which they have been authorized access. 4. COMPUTER EQUIPMENT ROOM. Servers and other peripheral equipment forming part of a CBI information system must be located in a room with a keyed or combination, lock. CBI information systems may be located in CBI Office or LAN Server room. Regardless of location, any room used to house the CBI information system equipment must meet the following minimum requirements: a) Shall be on a floor not accessible from the exterior of the building. b) Shall be in an area not adjacent to, above, or below an area that would constitute a high-risk area from the standpoint of fire or explosion. c) Shall maintain only one entrance for personnel access. Other doors, if any, shall be secured. d) Shall be secured with a Simplex combination lock, mounted on a solid wooden or metal door. 5. SAFEGUARDING CBI DURING PERSONAL COMPUTER USE. While accessing CAA CBI from a computer in an unsecured area, the operator must retain exclusive control over the operation of the computer and printer and must ensure that only individuals authorized for access to the CAA CBI can view the terminal screen. If the operator must leave the terminal for any reason, the computer session shall be terminated. ** DO NOT store CAA CBI data on the LAN or Non- Removable storage device** a. Computer Storage Media. CBI data generated or processed on a personal computer must be stored on either floppy, compact diskettes, or detachable hard disks. Floppy or compact disks are preferable and shall be secured in the CBIO. After each session storage media will be removed for the computer and returned to the CBIO. b. Termination of a CBI Computer Session. Proper termination of a computer session 46 ------- involving CBI consists of the following steps: Transferring and verifying the transfer of the CBI data to the storage medium (floppy disk, detachable hard disk, or printout). Removing the storage medium from the computer. Erasing any storage media no longer required for this purpose, with a authorized utility program conforming to the DOD 5220.22-M standard. Close out applications properly to erase TEMP files and data that may by temporarily stored in Random Access Memory. Returning the disks and generated printouts to the CBIO. c. Computer Printouts. If CAA CBI is printed out, the printed material must be secured in the CBIO. Employees who generate or obtain a printout from the computer must first determine whether the printout contains CBI. All printouts and any information obtained from a computer screen containing CBI must be logged in and out through the CBI office. Turn off the printer to ensure removal of any CBI information stored in the printer buffer. 6. SYSTEM SECURITY SOFTWARE FOR MULTI-USER SYSTEM. The operating system will protect itself and provide an authorization function to permit only approved sets of individuals and programs to be combined for a project. One class of machine instructions will be reserved for exclusive use of the operating system, and one class will be usable by the operating system and user applications. a. User Permissions. The system will enforce user privileges as authorized for any given file and will include execute Read Only access and prohibit copying or renaming of CBI files. Authentication of project passwords, verification of user identity, and validation of user file authority are performed by the system. b. Event Record. Except for password maintenance activities, unique identifiers (passwords) may not be printed or displayed on any output or terminal. Within the limits of system capability, an access and event journal will be maintained by the system in a secure manner to record system activity, log-on attempts, and program execution. This audit function should permit event attribution to the individual user. An exception audit will be produced by the system of all unauthorized activity, including log-on and file access attempts for review by the DCO/DCA. The system will include a time clock for recording events. The system activity log will have a write-only mode. 47 ------- 7. GENERAL PROCEDURES. Changes to the operating system will be made off-line, reviewed, and approved before being installed on the active system. Changes in the application programs will be made off-line using non-sensitive data and implemented after review. a. Checkout. Portable storage disks must be checked out from the CBI Office using the same procedures described in Section IV. b. User Privileges (Multi-User System Only). Unique identifiers (passwords) shall be used for project identification in the log-on procedure and for data file access. These identifiers shall be treated as confidential. Two passwords are required to begin a program. The DCO/DCA shall provide a data file access password. System access password and user permissions will be assigned by the Information Security Officer. c. Back-up Files. CAA CBI files will be scheduled for periodic backups. Backups will be conducted to removable media (i.e. removable Hard Drive) ONLY. Back-up files will be secured in the CBIO. d. Transmission. Input and output media shall be transmitted only between the CBI Office and the users who are authorized access to specific data contained on the media. In no case will input media be accepted from or delivered to a third party. Any system processing and/or storing CBI must be a system that maintains CBI controls. 8. DESTRUCTION AND RELEASE OF MEDIA. When no longer needed, all paper products, program listings and printouts, will be destroyed in accordance with current procedures for disposal of CBI documents as covered in Section III. a. Magnetic Storage. Any magnetic storage media previously used to process or store CAA CBI may be released from control after it has been erased using an approved software utility. Software used to sanitize media will conform with DOD 5220.22-M. All identifying markings must be removed prior to release. 48 ------- SECTION VIII. CAA CBI SECURITY VIOLATIONS 1. OVERVIEW. This section sets forth the procedures to be followed whenever CAA CBI security procedures may have been violated. 2. RESPONSIBILITY OF DISCOVERER. Any OAQPS employee who is either aware of actual or possible violations regarding loss of CBI materials or unauthorized disclosures must immediately report this information to the DCO. 3. INVESTIGATING VIOLATIONS. All alleged violations of this manual's procedures shall be investigated, even if there is no evidence of a lost document or unauthorized disclosure. a. Preliminary Inquiry. The PRRMS Director will instruct the OAQPS DCO to conduct a preliminary inquiry into the circumstances surrounding an actual or possible compromise. The findings of this inquiry will be presented to the PRRMS Director for evaluation. b. Investigation. Based on a review of the Preliminary inquiry, the PRRMS Director may direct the OAQPS DCO to conduct a full investigation of the incident. The investigation shall include the following components: A complete identification of each item of classified information involved. A thorough search for the CBI. Identification of any persons or procedures responsible for the compromise. A statement that a compromise did occur, may have occurred, or did not occur, and an estimate of the risk of damage to the affected business. A thorough discussion of all facts uncovered. 4. REPORTS AND FINDINGS. Investigative reports shall include, if possible, the document date, subject, name and address of the originator, and a description of the material. a. Finding of No Damage. If it is determined that compromise could not reasonably be expected to cause identifiable damage to the affected business, the report of the preliminary inquiry will be sufficient to resolve the incident. b. Lost Documents. The report should include the time and date of the loss and the steps 49 ------- taken to locate the material. If possible, the person responsible for the loss should be identified. c. Evidence of Compromise. Where a compromise is believed to have occurred, a narrative statement by the WAM/TOPO should detail the circumstances, the identity of the unauthorized person(s) who had or may have had access to the material, the steps taken to determine whether a compromise did in fact occur, and the WAM's evaluation of the importance of the material. d. Finding of Damage. If it is determined that the probability of identifiable damage to the affected company cannot be ruled out, the PRRMS Director shall notify the affected business that the materials claimed as CBI are not in account and that there is reason to believe the information may have been disclosed to individuals not authorized to access it. Written notice to the affected business must contain a description of the CBI in question and the date of the disclosure. 5. RESULTING ACTIONS. After receiving an inquiry and/or investigation report, the PRRMS Director will notify appropriate Division Directors of the report findings and recommend actions in keeping with the EPA Conduct and Discipline Order. Division Directors are responsible for imposing punitive measures as deemed necessary. a. Violations Subject to Punitive Measures. Employees may be subject to punitive measures if they do any of the following: Compromise CBI through negligence. Knowingly and willfully violate any provisions of this manual or without authorization, disclose properly classified CBI. b. Punitive Measures. Punitive measures for security violations are specified in 18 U.S.C 1905 and 18 U.S.C 1924 and include, but are not limited to, warning notice, admonition, reprimand, termination of authorization for access to CBI, removal, discharge, or legal charges. These measures will be imposed in accordance with applicable law and EPA regulations. 50 ------- CAA CBI DEFINITIONS Access: The ability and opportunity to gain knowledge of CAA CBI in any manner whatsoever. Affected Business: Any providing organization that could be affected adversely by the unauthorized disclosure of its CAA CBI. Authorized Person: Any person duly authorized pursuant to OAQPS procedures to have access to CAA CBI. CAA CBI Control Number: Unique number assigned by the OAQPS DCO to any document received or generated that contains CAA CBI. Confidential Business Information: Any documentary or non-documentary information, in any form, received by OAQPS from a person, firm, partnership, corporation, association, or local, State or Federal agency that relates to trade secrets, commercial or financial information and claimed as confidential by the person submitting it under the procedures in 40 CFR, Part 2, Subpart B. Contractor: Any person, association, partnership, corporation, business, educational, institution, governmental body or other entity that performs work under a contract with the United States Government. Contracting Officer (CO): EPA delegated official with the authority to enter into contracts on behalf of the EPA. The CO has sole authority to sign contracts, obligate funds for a contract, issue work assignments, modify contract terms or conditions, and terminate a contract. Custody: Formal responsibility for controlling access to CAA CBI according to the procedures found in this manual. Derivative CBI: Confidential Business Information created by incorporating, paraphrasing, restating, or generating a new form of the information. Document: Any recorded information regardless of its physical form or characteristics, including, without limitation, written or printed materials; data processing cards, disks, and tapes; maps; charts; photographs; paintings; drawings; engravings; sketches; working notes and papers; reproductions of such items by any means or processes; and sound, voice, or electronic recordings in any form. CBI Office: Secured interior room at OAQPS headquarters where all CAA CBI is stored. 51 ------- Document Control Officer: A Government employee designated by the PRRMS Director to oversee the OAQPS CAA CBI program. Document Tracking System: A system to account for the location or disposition of CAA CBI materials. Materials in a Document Tracking System are assigned unique numerical identifiers, or CBI control numbers, and their locations are tracked through manual or automated logs or records of receipt, usage, and transfer. Employee: Any person employed by EPA on a full-time or part-time basis in accordance with the procedures of the Office of Personnel Management. (This definition does not include contractors, grantees, or their employees). Federal Agency: Any organization or entity composed of United States officers or employees except for Federal courts and Congress. Holder: A Federal employee or OAQPS contractor employee who is authorized access to specific CAA CBI, and is currently in possession of the CAA CBI. Original CBI: Confidential business information in its original form as submitted by a providing organization or as recorded during a visit to the providing organization. Project Officer (PO): EPA's primary technical representative of the CO for a contract. Responsibilities include: evaluating contractor proposals; assisting in writing statement of work; reviewing contractor progress reports; reviewing contractor requests and recommending approval or disapproval to the CO; and assisting the CO in the resolution of problems associated with contractor performance. Specific CAA CBI: Confidential business information collected for an individual project or work assignment/task order under a contract. Subcontractor: A contractor that provides a portion of the level of effort on an OAQPS contract through a contractual agreement with the OAQPS prime contractor. The EPA's contractual agreement is with the prime contractor, not the subcontractor. Violation: The failure to comply with any provision of these procedures, whether or not such failure leads to actual unauthorized disclosure of CAA CBI. Work Assignment Manager/Task Order Project Officer (WAM/TOPO): An EPA program official who monitors a specific work assignment written under a contract. The WAM/TOPO develops the statement of work for specific work assignments or task orders and monitors the technical performance of the contractor. 52 ------- GLOSSARY OF ACRONYMS ACRONYMS AAL ADP CAA CBI CBIO CDCA CDCO CFR CWA DCA DCO EPA FEMA FIFRA GAO OAQPS LAN OIG OGC osw Authorized Access List Automatic Data Processing Clean Air Act Confidential Business Information Confidential Business Information Office Contractor Document Control Assistant Contractor Document Control Officer Code of Federal Regulations Clean Water Act Document Control Assistant Document Control Officer United States Environmental Protection Agency Federal Emergency Management Agency Federal Insecticide, Fungicide and Rodenticide Act General Accounting Office Office of Air Quality Planning and Standards Local Area Network Office of the Inspector General Office of General Counsel Office of Solid Waste 53 ------- PC PRRMS RCRA TSCA WAM/TOPO Personal Computer Planning, Resources & Regional Management Staff Resource Conservation and Recovery Act Toxic Substances Control Act Work Assignment Manager/Task Order Project Officer 54 ------- INDEX OF APPENDICES APPENDIX P& TITLE A-l Authorization for Access to CAA CBI for Federal Employees, CAA CBI Form 2 A-2 Authorization for Access to CAA CBI for Contractor Employees, CAA CBI Form 3 B B-1 Memorandum of CAA CBI Telephone Conversation, CAA CBI Form 6 C C-l CAA CBI Meeting Sign-In Sheet, CAA CBI Form 7 D D-l CAA CBI Markings E E-1 CAA CBI Cover Sheet, CAA CBI Form 8 E-2 CAA Confidential Business Information "Duplicate Copy" Cover Sheet, CAA CBI Form 8a F F-l Request, Approval, and Registration for CAA CBI Computer Access, CAA CBI Form 10 G G-l Request for Approval of Contractor Access to CAA CBI, CAA CBI Form 11 G-2 Contractor Information Sheet-Contractor CAA CBI Access/Transfer, CAA CBI Form 1 la H H-1 CAA CBI Inventory Log, CAA CBI Form 12 H-2 CAA Confidential Business Information Control Record, CAA CBI Form 1 H-3 CAA CBI Custody Receipt, CAA CBI Form 14 55 ------- 1-1 Confidential Business Information Security Agreement, CAA CBI Form 15 1-2 Letter to CAA CBI Requesters Outside of OAQPS 1-3 Letter to Accompany CAA CBI Transferred Outside of OAQPS 1-4 Confidentiality Agreement for Federal Employees, CAA CBI Form2a J-l Letter of Transfer (Trip Report Review Letter to Providing Facilities) J-3 Trip Report Response Letter to Providing Facility 56 ------- THIS PAGE INTENTIONALLY LEFT BLANK 57 ------- CAA CBI Security Manual (Appendix A) FULL NAME SSN POSITION OFFICE SIGNATURE OF AUTHORIZING OFFICIAL* TITLE TELEPHONE NO. DATE LOCATION I. AUTHORIZATION FOR ACCESS TO CAA CBI FOR FEDERAL EMPLOYEES It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision who require access to CAA CBI: 1. Sign the Confidentiality Agreement for Federal Employees 2. Are fully informed regarding their security responsibilities for CAA CBI. 3. Obtain access only to that CAA CBI required to perform their official duties II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES I understand that, in accordance with my official duties, I will have access to certain Confidential Business Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401 et seq.) I understand that, under 18 U.S.C. 1905 and 18 U.S.C. 1924,1 am liable for a possible fine of up to $1,000 and/or imprisonment for up to one year, if I willfully disclose CAA Confidential Business Information to any person not authorized to receive it. Additionally, I understand that, I may be subject to disciplinary action for violation of this agreement with penalties ranging up to and including dismissal. I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made any statement of material facts knowing that such statement is false or if I willfully conceal any material fact. I agree that, upon the termination of my duties, transfer or departure from the Environmental Protection Agency, I will return all materials in my possession containing CAA Confidential Business Information to the OAQPS CBI Office. I certify that I have read and understand these procedures and those outlined in the CAA CBI Security Manual. SIGNATURE TELEPHONE NO. DATE III. THE UNDERSIGNED CERTIFIES THE ALL TRAINING AND TEST REQUIREMENTS HAVE BEEN MET BY THE EMPLOYEE. SIGNATURE CBI MANAGER/DCO TELEPHONE NO. DATE IV. ANNUAL RE-CERTIFICATION: I certify that, in conjunction with my duties, I require access to CAA CBI. I am current with all CBI handling procedures and security guidelines as outlined in the CCA CBI Security Manual. Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial CAA CBI From 2 (Rev. 01/02) * Must be Division Director (or equivalment) or above. A-l ------- CAA CBI Security Manual (Appendix A) FULL NAME SSN POSITION CONTRACTOR SIGNATURE OF AUTHORIZING OFFICIAL* TITLE TELEPHONE NO. DATE LOCATION I. AUTHORIZATION FOR ACCESS TO CAA CBI FOR CONTACTOR EMPLOYEES It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision who require access to CAA CBI: 1. Sign the Confidentiality Agreement for Contractor Employees 2. Are fully informed regarding their security responsibilities for CAA CBI. 3. Obtain access only to that CAA CBI required to perform their official duties II. CONFIDENTIALITY AGREEMENT FOR CONTRACTOR EMPLOYEES I understand that, in accordance with my official duties, I will have access to certain Confidential Business Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401 et seq.) I understand that, under 18 U.S.C. 1905 and 18 U.S.C. 1924,1 am liable for a possible fine of up to $1,000 and/or imprisonment for up to one year, if I willfully disclose CAA Confidential Business Information to any person not authorized to receive it. Additionally, I understand that, I may be subject to disciplinary action for violation of this agreement with penalties ranging up to and including dismissal. I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made any statement of material facts knowing that such statement is false or if I willfully conceal any material fact. I agree that, upon the termination of my duties, transfer or departure from my duites with the Environmental Protection Agency, I will return all materials in my possession containing CAA Confidential Business Information to the OAQPS CBI Office. I certify that I have read and understand these procedures and those outlined in the CAA CBI Security Manual. SIGNATURE TELEPHONE NO. DATE III. THE UNDERSIGNED CERTIFIES THE ALL TRAINING AND TEST REQUIREMENTS HAVE BEEN MET BY THE EMPLOYEE. SIGNATURE CBI MANAGER/CDCO TELEPHONE NO. DATE IV. ANNUAL RE-CERTIFICATION: I certify that, in conjunction with my duties, I require access to CAA CBI. I am current with all CBI handling procedures and security guidelines as outlined in the CCA CBI Security Manual. Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial Date Initial CAA CBI From 3 (Rev. 01/02) * Must be Contractor Management. A-2 ------- CAA CBI Security Manual (Appendix B) US Environmental Protection Agency Washington, DC 20460 MEMORANDUM OF CAA CBI TELEPHONE CONVERSATION I. EMPLOYEE IDENTIFICATION Name of Employee Date Organization Time II. SECOND PARTY IDENTIFICATION Call is: To From Name Number Organization III. Concerning What CAA CBI? IV. Content of Conversation: (CONTINUE ON SEPARATE SHEET) CAA CBI Form 6 (Rev. 01/02) B-l ------- CAA CBI Security Manual (Appendix C) ^£D sr^f U.S. Environmental Protection Agency ^ ^^ **. Washington, DC 20460 | S^R? $ CAA CBI MEETING SIGN-IN SHEET %> <^ ^ PRO^° CHAIRPERSON MEETING PLACE (ROOM, BUILDING, CITY, STATE) DATE TIME SUBJECT OF MEETING NAME (Print) Signature ORGANIZATION THIS SIGN-IN SHEET MUST BE GIVEN TO THE CBI MANAGER CAA CBI Form 7 (Rev. 6/95) C-l ------- CAA CBI Security Manual (Appendix D) CAA CBI MARKINGS "SUBJECT TO CONFIDENTIALITY CLAIM" "TO BE OPENED BY ADDRESSEE ONLY" "DESTROYED BY / DATE "DECLASSIFIED BY / DATE "CAA CBI CLEARANCE TERMINATED BY / DATE D-l ------- CAA CBI Security Manual (Appendix E) Contractor Control No.: EPA Control No.: Copy No.: CAA CONFIDENTIAL BUSINESS INFORMATION contain! data! ir Acti(CAA imed to be c amended (4 another p y person not g up to and i 3Ject youfio a idential busi .S.C. 7401, y excerpt orized to ding disniis of upll $1 inform 1,7412, summarie ive it, you In additi .00 an n(C ,74 st beli disclosv impriso heCle osed or c Ifully disci action w iof security au notb If you discipl violati one CAA1CBI to penalties .ran ceduresjnay DO NOT DETACH CAA CBI Form 8 (Rev. 01/02) E-l ------- CAA CBI Security Manual (Appendix E) Contractor Control No.: EPA Control No.:_ Copy No.: CAA CONFIDENTIAL BUSINESS INFORMATION LICAW COIY m : contains $&t& claimed to be confid^pl business information (CBJ|$iiider ffie ^jf , "' The attached authority of the Act (CfUV) as amended (42 U.^g/401, 7411, 74lf 7414, 741^,^601). CB%iay not be disclosed or for release to another party. An|||j|cerpts or surrimalfes must als^fie treated as CBI. If you willfully disclf||f3AA CBI to any person no| autho|||jd to receive it, |ju may be Ij^jle for a disciplinary action ^^|penaltie|^igmg up to an^includi^^smissal. In action, discl^ittfe of CAA CBI or i a fine o: .$1,000. or impri^»ient for up tdl REFERENCE COPY DESTROY WHEN NO LONGER NEEDED DO NOT DETACH Duplicate Destroyed by Date (CDCO Signature Required) CAA CBI Form 8a (Rev. 01/02) E-2 ------- CAA CBI Security Manual (Appendix F) U.S. Environmental Protection Agency Washington, DC 20460 Request, Approval, and Registration for CAA CBI Computer Access I. Request for CAA CBI Computer Access 1. Name (Last,First,MI) 2. Requestor (Office/Division/Branch) 3. System and Data Base to Be Accessed 4. Describe fully the duties that require access to each system 5. Signature of Requesting Official (Division Director or above) 6. Date II. Computer Room DCA Approval 1. Date Received 2. Signature of Computer Room DC A III. DCO Approval 1. Date Received 2. Holds Current CAA CBI Access D Yes D No 3. Approved D Yes DNo (Explain On back) 4. Signature DCO CAA CBI Form 10 (Rev. 01/02) F-l ------- CAA CBI Security Manual (Appendix G) 73 VvX \ (3 U.S. Environmental Protection Agency Washington, DC 20460 REQUEST FOR APPROVAL OF CONTRACTOR ACCESS TO CAA CBI Requesting Official Signature Date Title and Office Contractor and contract number EPA Project Officer EPA Contracting Officer i on feetoe offal feitf if oec^sary). Approved (Signature) Date CAA CBI Form 11 (Rev. 01/02) G-l ------- CAA CBI Security Manual (Appendix G) CONTRACTOR INFORMATION SHEET CAA CBI ACCESS/TRANSFER 1. Contractor 2. Address : 3. Contract #: 4. Is this a renewal of a previous contract? Yes D NoD 5. Previous contact number: 6. EPA Project Officer 7. EPA Contracting Officer 8. EPA Work Assignment Manager: Phone: Room: Mail Code:_ 9. Contractor Project Officer: 10. Description of duties to be performed by contractor that require CAA CBI access: 11. Type(s) of data to be transferred/disclosed: 12. Will CBI be transferred offsite under this contract? Yes D No D 13. If so, to where? 14. Have contractor security plan and facilities been approved by the OAQPS DCO? Yes D No D 15. If so, date of test site inspection: 16. Date access scheduled to commence: 17. Contract expiration date:_ 18. Is computer CBI access needed under this contract? Yes D No D 19. Has computer access been approved? Yes D No D CAA CBI Form 1 la (Rev. 01/02) G-2 ------- q ti is (U W> 11 Q O o s 00 «: o O IS 5 SSH en oj 1 Rec u u U a o a p, ffi T3 C 0) a- c^ <; £> u oo s U < < U Numbe CB rol C8 '5 CN O O o « U U H-l ------- CAA CBI Security Manual (Appendix H) CAA CONFIDENTIAL BUSINESS INFORMATION CONTROL RECORD DATE RECEIVED: DATE OF DOCUMENT: RESPONSIBLE GROUP: CONTROL NUMBER: DOCUMENT AUTHOR: DESCRIPTION (PROVIDING ORGANIZATION, TITLE, SUBJECT, NUMBER OF COPIES, NUMBER OF PAGES) RETURN DATE: DESTRUCTION DATE: INITIALS: EACH PERSON WHO IS GIVEN ACCESS TO THIS DOCUMENT MUST FILL IN THE INFORMATION BELOW. CHECK-OUT SIGNATURE DATE TIME CHECK-IN SIGNATURE DATE TIME CAA Form 1 (Rev. 01/02) H-2 ------- CAA CBI Security Manual (Appendix H) CAA CBI CUSTODY RECEIPT US Environmental Protection Agency Office of Air Quality Planning and Standards CBI Office (MD-C404-02) Research Triangle Park, NC 27711 Date: Receipt: Project: Contact: Sent Via: Project No: TO: FROM: Document Control Officer (Name), DCO Environmental Protection Agency OAQPS/PRRMS MD-XXX-XX Research Triangle Park, NC 27711 INSTRUCTIONS: 1. Original of this receipt to be signed by recipient and returned to sender. 2. Duplicate of this receipt to be retained by recipient. CBI CONTROL NO. COPY NO. DESCRIPTION OF MATERIAL I have personally received material, enclosures, and attachments as identified above. I assume full responsibility for the safe handling, storage, and transmittal of this material in accordance with existing Confidential Business Information regulations. DATE RECEIVED: SIGNATURE OF RECIPIENT: CAA FORM 14 (Rev. 01/02) H-3 ------- CAA CBI Security Manual (Appendix I) CONFIDENTIAL BUSINESS INFORMATION SECURITY AGREEMENT [n requesting information claimed to be business confidential from the Office of Air Quality Planning and Standards (OAQPS), I agree to safeguard this information according to ( Name of Agency )'s procedures comparable to EPA's procedures for handling Confidential Business Information as found in 40 CFR, Part 2, Subpart B, Confidentiality of Business Information. I further agree that access will be limited to only those persons in our organization having a "need to know," that the information will be kept in a secure storage container (e.g., a lockable file cabinet) while it is in our custody, that a record of persons accessing the information be maintained, and that it will be returned to OAQPS at the conclusion of our project. Name, Title (Please Type or Print) Signature Date CAA CBI Form 15 (Rev. 01 /02) I-1 ------- CAA CBI Security Manual ( Appendix I) LETTER TO CAA CBI REQUESTERS OUTSIDE OAOPS Agency Official Government Agency Dear (Agency Official): (Cite the name of local contact or letter of request) indicates that you have requested a copy of certain Confidential Business Information (CBI) files which are held by our office. Please be advised that our long-standing policy is to release CBI only to those persons authorized by 40 CFR Part 2, Subpart B. Since we have not previously granted clearance for access to Clean Air Act (CAA) information to you or anyone in your organization, we request assurance that this information will be handled according to applicable federal regulations. To provide a record of your agreement to safeguard the information, we require that you sign and return the accompanying CBI Security Agreement. We will release the requested information to you upon receipt of this agreement. Sincerely, leva G. Spons, Director Planning, Resources and Regional Management Staff Enclosures 1-2 ------- CAA CBI Security Manual (Appendix I) LETTER TO ACCOMPANY CAA CBI TRANSFERRED OUTSIDE OF OAOPS Agency Official Government Agency Dear Agency Official: Your security agreement associated with the request for access to (Detailed information Description) has been received. We are therefore releasing the enclosed Confidential Business Information to your custody. Please sign the attached Custody Receipt and return it to: Name, OAQPS Document Control Officer U.S. Environmental Protection Agency Office of Air Quality Planning & Standards Planning, Resources & Regional Management Staff (MD-C404-02) Research Triangle Park, NC 27711 Sincerely, leva G. Spons, Director Planning, Resources and Regional Management Staff Enclosures 1-3 ------- CAA CBI Security Manual (Appendix I) FULL NAME SSN POSITION OFFICE SIGNATURE OF AUTHORIZING OFFICIAL* TITLE TELEPHONE NO. DATE LOCATION I. AUTHORIZATION FOR ACCESS TO OAQPS CAA CBI It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision who require access to CAA CBI: 1. Sign the Confidentiality Agreement CAA CBI Form 2a 2. Are fully informed regarding their security responsibilities for CAA CBI. 3. Obtain access only to that CAA CBI required to perform their official duties II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES I understand that, in accordance with my official duties, I will have access to certain Confidential Business Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401 et.seq.) I understand that, under 18 U.S.C. 1905, and 18 U.S.C. 1924, I am liable for a possible fine of up to $1,000 and/or imprisonment for up to one year, if I willfully disclose CAA Confidential Business Information to any person not authorized to receive it. Additionally, I understand that, I may be subject to disciplinary action for violation of this agreement with penalties ranging up to and including dismissal. I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001, if I have made any statement of material facts knowing that such statement is false or if I willfully conceal any material fact. I understand that I can not transfer CAA CBI materials to any other agency or office unless specifically authorized by 40 CFR Part 2, Subpart B, and without prior notification of the OAQPS CBI Office. I agree that I, when no longer required by this office, I will return any and all materials transfered to me to the OAQPS CBI office. SIGNATURE TELEPHONE NO. DATE CAA CBI From 2a (Rev. 01/01) * Must be Division Director (or equivalent) or above. 1-4 ------- CAA CBI Security Manual (Appendix J) SAMPLE LETTER OF TRANSFER TRIP REPORT REVIEW LETTER TO PROVIDING FACILITIES Name of recipient Title of Recipient Recipient's Address Dear (Name): Thank you for your efforts in coordinating a visit to the Name of the facility, address, and date. The U. S. Environmental Protection agency (EPA) appreciates the time you spent discussing the manufacturing process at your facility. Enclosed is a draft of the trip report that has been prepared based on the information obtained during our site visit. We would appreciate your reviewing the report for any errors or omissions. You may return the enclosed copy of the report with your written comments. Since this report will eventually become a part of the public record, we want to portray your operations as accurately as possible. A copy of the final version of the report incorporating your comments will be sent to you for your records. The custody receipt for the trip report is also enclosed. Please sign and date the form to acknowledge receipt of the report and return a copy of the form to the Document Control Officer, Planning, Resources, and Regional Management Staff (MD-C404-02), U. S. Environmental Protection Agency, Research Triangle Park, North Carolina 27711. If you believe the disclosure of any specific information contained in the trip report would reveal trade secrets or other confidential information, you should clearly identify the specific information. Please do not label the entire report" confidential" if only certain portions consist of trade secret information. If the EPA determines that there is a need to disclose such information, we will need, at that time, the following to support your claim.: 1. Measures taken by Name of facility to guard against undesired disclosure of the specific information to others; 2. The extent to which the specific information has been disclosed to others and the precautions taken in connection therewith; J-l ------- CAA CBI Security Manual (Appendix J) 3. Pertinent confidentiality determinations, if any, by other Federal agencies (furnish a copy of any such determination, or references to it, if available); and 4. Whether Name of facility asserts that disclosure of the specific information would likely result in substantial harmful effects on facility Name's competitive position, and if so, what those harmful effects would be, why they should be viewed as substantial, and an explanation of the causal relationship between disclosure and such harmful effects. Any specific information subsequently determined to constitute a trade secret will be protected under 18 U.S.C. 1905. If no claim of confidentiality accompanies the information when it is received by EPA, it may be made available to the public by EPA without further notice (40 CFR Part 2.203, September 1, 1976). Any specific information subsequently determined to constitute a trade secret will be protected under 18 U.S.C. 1905. However, all emission data will be available to the public. A clarification of what EPA considers to be emission data is contained in Enclosure 2. We respectfully request that you submit your review comments on the trip report by date. If you concur with the information contained in the report, we would appreciate a letter to that effect. In addition, please indicate in your letter the specific parts of the report, if any, that Facility Name considers to be confidential. If we do not receive a response by date, the report will be considered non-confidential and accurate. Thank you for your cooperation. The information supplied by Facility Name will be most helpful in our study. If you have any questions, please call name of WAM/TOPO, telephone number; Contractor's name, company name and telephone number. Sincerely, Group Leader Division Enclosure J-2 ------- CAA CBI Security Manual (Appendix J) TRIP REPORT RESPONSE TO PROVIDING FACILITY Name ofReceipient Title ofReceipient Address Dear (Name): Thank you for reviewing the trip report for the (Date) visit to the (Name and Address of Facility) by representatives from the U.S. Environmental Protection Agency and (Name of Contractor if required). Your comments have been incorporated in the enclosed final trip report. The trip report includes a nonconfidential version plus a confidential addendum. The confidential addendum consist of those items you identified as confidential business information (CBI) in your (Date) letter. Unless we hear from you by (Date) with further comments or corrections, we will treat the nonconfidential trip report and the confidential addendum as final. In its final form, the nonconfidential trip report may be accessed by the general public following proposal of the national emission standards for hazardous air pollutants for combustion sources in the (Name Industry). The confidential addendum can only be accessed by those authorized to view CAA CBI pertaining to the (Name Industry). If you have any questions or additional comments, please contact (Name of Project Lead) of my staff at (919) 541 -XXXX. Thank you for your cooperation. Sincerely, Group Leader (Name) Specific Group Enclosures J-3 ------- INTENTIONALLY LEFT BLANK ------- TECHNICAL REPORT DATA (Please read Instructions on reverse before completing) 1 REPORT NO. EPA-450/B-02-001 3 RECIPIENT'S ACCESSION NO. 4 TITLE AND SUBTITLE Clean Air Act Confidential Business Information Security Manual 5. REPORT DATE January 2002 6. PERFORMING ORGANIZATION CODE 7 AUTHOR(S) Roberto Morales 8. PERFORMING ORGANIZATION REPORT NO. 9 PERFORMING ORGANIZATION NAME AND ADDRESS U.S. Environmental Protection Agency Office of Air Quality Planning and Standards Research Triangle Park, NC 27711 10. PROGRAM ELEMENT NO 11. CONTRACT/GRANT NO 12 SPONSORING AGENCY NAME AND ADDRESS Director Office of Air Quality Planning and Standards Office of Air and Radiation U.S. Environmental Protection Agency Research Triangle Park, NC 27711 13. TYPE OF REPORT AND PERIOD COVERED Procedures Manual 14. SPONSORING AGENCY CODE EPA/200/04 15 SUPPLEMENTARY NOTES 16 ABSTRACT The procedures in this manual provide Federal, Contractor, and Subcontractor employees with the information necessary to utilize Confidential Business Information (CBI) in the performance of their assigned duties without violating applicable Federal regulations protecting the rights of its owners in accordance with the Clean Air Act of 1990 (CAA) as amended. 17 KEY WORDS AND DOCUMENT ANALYSIS a DESCRIPTORS ii ^-' % 18 DISTRIBUTION STATEMENT Release Unlimited b. IDENTIFIERS/OPEN ENDED TERMS 19. SECURITY CLASS (Report) Unclassified 20. SECURITY CLASS (Page) Unclassified c. COSATI Field/Group 21 NO. OF PAGES 85 22. PRICE 1PA Form 2220-1 (Rev. 4-77) PREVIOUS EDITION IS OBSOLETE ------- U.S. Environmental Protection Agency teflon 5, Library (PL-12J) 77 West Jackson Boulevard, 12tfi Ftoar Chicago, II 60604-3590 ------- |