BUSINESS ..-
INFORMATION
URITY MANUAL
'<*
-------�
FORWARD
The procedures in this manual provide Federal, Contractor, and Subcontractor employees
with the information necessary to utilize Confidential Business Information (CBI) in the
performance of their assigned duties without violating applicable Federal regulations
protecting the rights of its owners in accordance with the Clean Air Act of 1990 (CAA) as
amended.
This manual will be subject to annual review to ensure it is in compliance with EPA policies and
Federal regulations. Any recommendations for changes, additions or deletions should be
forwarded through the OAQPS Document Control Officer to the Director, OAQPS/PRRMS,
MD-C404-02, 109 T.W. Alexander Drive, RTP, NC 27711
U S. Environmental Protection Agenqr
Rejiw 5, Library (PL-12J)
77 West Jacks«n Boulevard,
Chicago, It 60604-3590
-------�
TABLE OF CONTENTS
SECTION I. PURPOSE, SCOPE, POLICY, AUTHORITY &
RESPONSIBILITIES 1
1. PURPOSE 1
2. SCOPE 1
3. POLICY 1
4. AUTHORITY 2
5. RESPONSIBLE OFFICIALS 2
a. Director, Office of Air Quality Planning and Standards (OAQPS) 2
b. Director, Program Planning, Resources and Regional Management Staff (PRRMS) .... 2
c. OAQPS Document Control Officer (DCO) 3
d. OAQPS Document Control Assistant (DCA) 4
e. OAQPS Division Directors 4
f. OAQPS Program Project Officers 5
g. Group Leaders 5
h. OAQPS Work Assignment Managers/Task Order Project Officers
(WAM/TOPO) 6
i. Contractor Document Control Officers (CDCO) 7
j. Employees 9
SECTION II. CAA CBI CERTIFICATION PROCEDURES 10
1. OVERVIEW 10
2. GENERAL ACCESS REQUIREMENTS 10
3. OBTAINING ACCESS TO CAA CBI 10
a. Federal Employee Access Procedures 10
b. Establishing Access for Contractor Facilities 12
c. Contractor Employee Access 16
4. ACCESS CONTROL 16
a. Access Lists 18
b. Subcontractor/Consultant Access 20
-------�
5. TERMINATION OF CAA CBI ACCESS 20
SECTION III. RECORDS MANAGEMENT FOR CAA CBI 22
1. OVERVIEW 22
2. INTENT 22
a. Original CBI 22
b.Derivitive CBI 22
3. OAQPS CAA CBI RECORDS MANAGEMENT SYSTEM 22
a. OAQPS CAA CBI Automated Tracking System 23
b. CAA CBI Control Record 23
c. Cover Sheets 23
d. Custody Receipts 24
e. New Materials 24
f. Inventory 24
4. OAQPS CAA CBI DOCUMENT CONTROL NUMBERS 24
5. CBI MARKINGS 25
a. CBI Stamps 25
b. Computer Outputs 25
c. Charts, Maps and Drawings 25
d. Photographs, Films and Recordings 25
6. CBI DOCUMENTS 25
a. Working Papers 25
b. Typing /Word Processing Requirements 26
7. NON-CBI DOCUMENTS 26
a. Deleting or Replacing CBI 26
b. Masking or Aggregating CBI 26
c. Dropping CBI Claim (Declassification) 26
8. DISPOSITION OF CAA CBI DOCUMENTS 27
a. Original CAA CBI Materials 27
b. CBI Created by OAQPS 27
9. RECORDS OF DESTRUCTION 28
10. METHODS OF DESTRUCTION 28
11
-------�
11. CDCO RECORD MANAGEMENT RESPONSIBILITIES 29
a. CAA CBI Control Numbers 29
b. CAA CBI Inventories 29
c. Reproducing Documents 29
12. COMPLETION OF CONTRACTS, WORK ASSIGNMENTS OR TASK ORDERS 29
a. Originals 29
b. Duplicates 29
SECTION IV. CAA CBI WORKPLACE PROCEDURES 30
1. OVERVIEW 30
2. OBTAINING CBI DOCUMENTS 30
3. DOCUMENT CONTROL 30
a. Telephone Calls 30
b. Work Spaces 31
c. Computers 31
d. Meetings 31
e. Document Reproduction 32
f. CBI Waste 32
g. Use of FAX machines 32
h. Site Visits 33
4. SPECIAL CIRCUMSTANCES 33
SECTION V. TRANSFERRING CAA CBI 34
1. OVERVIEW 34
2. TRANSFERRING CAA CBI TO OTHER FEDERAL, STATE OR LOCAL
AGENCIES 34
a. CBI Security Agreement 35
b. Notice to Affected Businesses 35
c. Before Approval 36
d. Before Transfer 36
3. TRANSFERRING CAA CBI TO EPA CONTRACTORS OR PROVIDING
FACILITIES 36
111
-------�
4. TRANSFERRING CAA CBI FROM CONTRACTORS TO OAQPS 36
5. TRANSFER TO SUBCONTRACTORS 37
6. PREPARATION AND PACKING 37
a. Inner and Outer Covers 37
b. Addressing 37
c. Packing 38
7. CUSTODY RECEIPT 38
8. TRANSFER METHODS 38
a. Hand Carrying 38
b. Registered Mail 39
c. Couriers,and Express Mail 39
d. FAX Transmittal 39
SECTION VI. STORAGE OF OAQPS CAA CBI 41
1. OVERVIEW 41
2. INTENT 41
3. STORAGE SPECIFICATIONS 41
a. Minimum storage area reqirements 41
b. Minimum storage equipment 42
4. PROCEDURES FOR COMBINATION LOCKS AND KEYS 42
a. Combination Locks 42
b. Changing Combinations 43
c. Keyed Locks 43
5. SAFEGUARDING CAA CBI IN THE EVENT OF A DISASTER 43
a. Prevention 44
b. Preparedness 44
c. Response 44
SECTION VII. CAA CBI COMPUTER SYSTEM SECURITY 45
1. OVERVIEW 45
2. DIRECTIVES 45
iv
-------�
3. BASIC SECURITY EQUIPMENT 45
a. Security Mode 45
b. Authenticity and Verification 45
c. Remote Operation (Dial-up or Wireless) 45
d. User Requirements 45
4. COMPUTER EQUIPMENT ROOM 46
5. SAFEGUARDING CBI DURING PERSONAL COMPUTER USE 46
a. Computer Storage Media 46
b. Termination of a CBI Computer Session 46
c. Computer Printouts 47
6. SYSTEM SECURITY SOFTWARE FOR MULTI-USER SYSTEMS 47
a. User Permissions 47
b. Event Record 47
7. GENERAL PROCEDURES 48
a. Checkout 48
b. User Privileges (Multi-User Systems Only) 48
c. Back-up Files 48
d. Transmission 48
8. DESTRUCTION AND RELEASE OF MEDIA 48
a. Magnetic Storage 48
SECTION VIII. CAA CBI SECURITY VIOLATIONS 49
1. OVERVIEW 49
2. RESPONSIBILITY OF DISCOVERER 49
3. INVESTIGATING VIOLATIONS 49
a. Preliminary Inquiry 49
b. Investigation 49
4. REPORTS AND FINDINGS 49
a. Finding of No Damage 49
b. Lost Documents 49
c. Evidence of Compromise 50
d. Finding of Damage 50
v
-------�
5. RESULTING ACTIONS 50
a. Violations Subject to Punitive Measures 50
b. Punitive Measures 50
CAA CBI DEFINITION OF TERMS 51
GLOSSARY OF ACRONYMS 53
INDEX OF APPENDICES 55
VI
-------�
SECTION I.
PURPOSE, SCOPE, POLICY, AUTHORITY &
RESPONSIBILITIES
1. PURPOSE. The purpose of this manual is to set forth policies and procedures for
the handling of information claimed as Confidential Business Information (CBI), whether
submitted voluntarily or obtained under Section 114 of the Clean Air Act (CAA), and governed
by U.S. Environmental Protection Agency (EPA) regulations in 40 Code of Federal Regulations
(CFR), Part 2, Subpart B, and other EPA regulations and policies.
The need to safeguard CBI cannot be overstated. Valid and secure CBI procedures are
essential to the EPA's rulemaking mandate and therefore are required to be effectively
safeguarded. Any compromise to CBI threatens not only the businesses providing the
information, but also EPA's ability to make, implement and enforce environmental policy, and
ultimately, the communities that benefit from that policy. Therefore, the Office of Air Quality
Planning and Standards (OAQPS) has designed and implemented a four-pronged security system
to ensure protection of CAA CBI and at the same time permit effective operations of the OAQPS
CBI Office (CBIO). The CAA CBI security system consists of controlled access, document
tracking, training, and monitoring of CAA CBI operations.
2. SCOPE. This manual sets forth policies and procedures to manage and safeguard CAA
CBI. Unless otherwise noted, the phrase CAA CBI refers to information which has been either
submitted voluntarily to the Environmental Protection Agency or under section 114 of the Clean
Air Act and is claimed as "Confidential Business Information", "Proprietary Information" or
"Trade Secret" by the submitting organization.
3. POLICY. It is the policy of OAQPS to protect all information collected by EPA
personnel, its authorized contractors and subcontractors. The information may be either
documentary information (e.g., written responses to questions, photographs, records or charts) or
non-documentary (e.g., records of oral communications, or visual observations). The providing
organization must assert a claim of confidentiality under the procedures established in 40 CFR
Part 2 by noting such claim on documentary and non-documentary materials provided to
OAQPS.
Any material or information claimed as confidential or trade secret will be treated as confidential
by OAQPS and its contractors in accordance with the provisions of 40 CFR Part 2. Any
material or information for which a claim of confidentiality is NOT made may be made
available to the public by OAQPS without notice to the providing organization.
Documents generated by OAQPS or its contractors using information that has been claimed as
Confidential Business Information (CBI) will be treated as CAA CBI until a determination is
-------�
made regarding its status by the providing organization, OAQPS, or the Office of General
Counsel (OGC).
4. AUTHORITY. The policies and procedures established by this manual provide
guidance for compliance with the following Federal statutes and regulations:
Clean Air Act as amended
40 CFR, Part 2, Subpart B
Freedom of Information Act
Privacy Act
EPA IRM Policy Manual, Chapter 8, Information Security
OAQPS Security Plan
Any deviations from the procedures outlined in this manual must be approved in writing
I by the Director, OAQPS/PRRMS. '
5. RESPONSIBLE OFFICIALS. The responsibilities of OAQPS officials and personnel
concerning CAA CBI are outlined below.
a. Director, Office of Air Quality Planning and Standards (OAQPS). The
OAQPS Director or his/her designee has overall responsibility for controlling CAA CBI within
the Office. The Director or Acting Director may delegate authority to perform security control
functions.
b. Director, Planning, Resources & Regional Management Staff (PRRMS). The
Director, Planning, Resources & Regional Management Staff (PRRMS), has been delegated
authority to direct and administer the CAA CBI program for OAQPS. The Director has authority
for setting policies, standards, and procedures that ensure compliance with the current laws and
regulations. The Director provides oversight, a security education program, and a security
assurance program for effective implementation of the OAQPS CAA CBI program. Specific
responsibilities are to:
Advise the OAQPS Director on the OAQPS CBI CAA program, as requested.
Approve initial contract access for OAQPS contractors to access CAA CBI.
Review and approve all outside requests and transfers of OAQPS CAA CBI.
-------�
Approval of contractor employee access to specific CAA CBI documents is
delegated to the OAQPS Group Leaders.
c. OAQPS Document Control Officer. The OAQPS Document Control Officer (DCO) is
directly responsible to the PRRMS Director for implementing the CAA CBI program. The
OAQPS DCO implements and monitors the activities of the Confidential Information Office
(CBIO) and provides guidance and technical direction as needed. The following are
responsibilities of the OAQPS DCO:
Ensures that the Operations Team Leader is informed of all issues pertaining to CAA
CBI.
Assumes custody of all CAA CBI materials received at the OAQPS Confidential
Business Information Office (CBIO).
Ensures that OAQPS security procedures for handling CAA CBI are continually
reviewed, updated, and enforced.
Conducts briefings and testing in support of the OAQPS CAA CBI security program..
Ensures compliance with the CAA CBI security program.
Reviews security plans, procedures, and inspects facilities of EPA contractors
handling and storing CAA CBI files.
Reviews contractor employee CAA CBI security, education and training programs.
Reviews and Approves CAA CBI access requests for contractors and other
Federal/State and Local agencies.
Evaluates proposed system improvements.
Conducts preliminary inquiries and investigations of alleged procedural violations and
reports findings to the PRRMS Director.
Advises the PRRMS Director concerning appropriate actions for CAA CBI security
violations.
Signs receipts for incoming CAA CBI documents.
Reviews documentation of all CAA CBI being transferred outside of OAQPS; and
ensure that release is in accordance with Section 2.209 of 40 CFR, Part 2.
-------�
Prepares CAA CBI documents for transmittal outside of OAQPS.
Declassifies or destroys CAA CBI materials when authorized by Work Assignment
Manager/Task Order Project Officer (WAM/TOPO), OGC or Submitter.
Briefs and debriefs all persons designated by Group Leaders that require access to
CAA CBI.
Keeps an Authorized Access List of all persons cleared for CAA CBI access and a
record of each person's briefing status.
Assigns OAQPS CBI control numbers.
Generates Control Record and applies markings to all new CAA CBI documents and
reproduce documents as required.
Establishes, maintains, and controls an automated OAQPS CAA CBI file system.
Logs in and out all CAA CBI documents. Conduct periodic inventories of all CBI
documents stored at the OAQPS CBIO or contractor facilities.
Maintains a tracking system to ensure that CBI transmitted to other organizations is
received.
Locks CBI in appropriate containers whenever the information is not in use or under
the supervision of cleared personnel.
Ensures that at the end of each business day, all classified material has been returned
to the CBIO and is properly stored.
Monitors support staff providing clerical assistance to the CBIO.
d. OAQPS Document Control Assistant. Document Control Assistants (DCA) are
employees of OAQPS, who are charged with assisting in the implementation of the OAQPS CBI
program. The OAQPS Document Control Assistant (DCA) will perform the aforementioned
CDCO responsibilities in the absence of the DCO and assist in administrative functions as
necessary.
e. OAQPS Division Directors. Division Directors' responsibilities are to:
Ensure that their employees comply with the procedures listed in this manual.
Approve all authorizations for their Division employees to access CAA CBI; and
Sign as requesting official for contractor employee access to CAA CBI.
-------�
f. OAQPS Program Project Officers. The respective program project officers' (PPO)
responsibilities are as follows:
To notify the OAQPS DCO when a contract will require CAA CBI access and to
serve as an interface between the OAQPS DCO, contractors, WAM/TOPO and the
EPA Contracting Officer.
To issue notification to the affected businesses via Federal Register notice at the start
of a contract by identifying the contractor or subcontractor who will have access to
CAA CBI submitted to OAQPS in performing their assigned duties.
Assist WAM/TOPO in preparing individual notification to affected businesses or
industries on an as-needed-basis.
Ensure compliance with all CBI procedures set forth in the applicable contract.
Work with DCO to reslove security plan deficiencies.
g. OAQPS Group Leaders. Group Leaders are responsible for ensuring that their
employees and contractors comply with the procedures listed in this manual.
Group Leaders will:
Designate EPA and contractor employees who need access to specific CBI
associated with each project. This responsibility may not be delegated.
Authorize the additions and deletions to the CAA CBI Project Access list for
the specific project under his or her control.
Ensure that Group employees and other persons whom they designate are qualified
and authorized to access CBI utilizing procedures found in Section II.
Authorize transfer of CAA CBI to providing companies, facilities or contractors.
The authority to transfer CAA CBI to all other outside organizations is reserved for the
PRRMS Director.
Ensure that any CBI the Group receives directly is sent immediately to the OAQPS
CBIO.
Recommend to the PRRMS Director whether to release CBI to Congress, the
Comptroller General, or other Federal agencies.
-------�
Ensure that CBI is not used in publications or improperly released in any documents.
Authorize necessary creation of NON-CBI materials by summarization or masking.
Review and approve NON-CBI materials prior to their release.
Cooperate with the OAQPS DCO in establishing and improving CBI safeguards, and
implementing and maintaining CBI education and quality within their Groups.
Report cases of CBI disclosures or possible compromises to the OAQPS DCO and
cooperate with investigations conducted under the OAQPS CAA CBI security
program.
h. OAQPS Work Assignment Manager/Task Order Project Officer (WAM/TOPO).
Ensures that contractors and EPA employees working on his/her project comply with
procedures in this manual and CBI procedures set forth in the applicable contract for
CBI related to his/her project.
Analyzes technical aspects of all project work written or otherwise created and
determines whether CBI is involved and, if so, has it logged in the CBIO.
Ensures that necessary paperwork is submitted in accordance with 40 CFR, Part 2,
Subpart B, to enable Office of General Counsel (OGC) to make a final determination
as to whether information that has been received is entitled to confidential treatment.
Authorizes necessary reproduction of CBI and ensures that CBI is reproduced only
under the supervision of the OAQPS DCO as described in Section IV, e.
Ensures that memos, notes and reports from telephone conversations, visits,
inspections, or tests are protected as CBI and filed in the CBIO until a determination
is made regarding the status.
Ensures that CBI is not used in publications or improperly released in any document.
Initiates the process for declassification, destruction and disposal of CBI material.
Ensures that any CBI received associated with his/her project is logged by the
OAQPS CBIO.
Coordinates with contractor the return of CAA CBI files to the OAQPS CBIO at the
completion of a work assignment or when the information is no longer required to be
-------�
maintained at contractor facilities.
Provides assistance to the OAQPS DCO in determining the status of returned CBI
materials from the contractor.
Reports cases of wrongful disclosure or possible compromise of CAA CBI to the
responsible Group Leader and OAQPS DCO, and cooperates with investigations
conducted under the OAQPS CAA CBI security program.
i. Contractor Document Control Officers. Contractor's management must nominate a
Contractor Document Control Officer (CDCO) and a Contractor Document Control Assistant
(CDCA). Additionally, the contractor is also responsible for establishing a training and
certification program in accordance with the procedures outlined in this manual.
Before OAQPS recognizes them as CDCOs, they must be properly trained and required
paperwork must be on file at OAQPS. The CDCO controls the receipt, storage, and handling of
CAA CBI by employees at their facilities and manages a document tracking system.
1) CDCO responsibilities include:
Serving as the principal contact for OAQPS regarding the security and control of
CAA CBI;
Developing security plan for safeguarding CAA CBI;
Maintaining a secure CBI facility;
Conducting CAA CBI briefings (including testing) for all contractor employees
authorized to handle or access CAA CBI;
Obtaining signed Authorization for Access to CAA CBI for Contractor
Employees, CAA CBI Form 3 (Appendix A) from each contractor employee who
will have access to CAA CBI before the employee is granted access.
Conducting briefings and testing in support of the OAQPS CAA CBI education
and training program.
Inspecting subcontractor facilities, reviewing security procedures and obtaining
OAQPS' approval.
Maintaining a list of contractor employees who are authorized access to CAA
CBI including administrative or computer support, or as designated by the
OAQPS Group Leader as having a need-to-know specific CAA CBI to perform
-------�
their duties.
Releasing CAA CBI only to authorized persons.
Reviewing and updating access lists and notifying the OAQPS DCO immediately
of any changes.
Submitting updated access lists to the OAQPS DCO on a Semi-Annual basis.
Providing guidance, technical assistance and administrative support to contractor
employees on all matters concerning CAA CBI security.
Establishing, maintaining, and controlling a CAA CBI file system (including
disposition) in compliance with OAQPS' CAA CBI Records Management
procedures.
Logging in and out all CAA CBI documents, summaries, tabulations, and
materials to users.
Ensuring all CAA CBI is properly stored when not in use.
Ensuring CAA CBI is properly wrapped, marked and transferred.
Maintaining an inventory of all CAA CBI, conducting periodic audits, and
submitting annual inventory to the OAQPS DCO.
Destroying drafts, duplicates and working papers as authorized by the OAQPS
DCO or project lead.
Maintaining, in a secure location, a record of combinations of all locks, safes, and
cabinets that contain CAA CBI.
Reporting alleged violations of contractor security procedures immediately to
contractor management and the OAQPS DCO.
Monitoring and ensuring compliance with employee certification procedures.
Notifying OAQPS DCO, in writing, whenever an employee has relinquished
his/her access to CAA CBI.
2) Contractor Document Control Assistant. The Contractor Document Control
Assistant (CDCA) will perform the aforementioned CDCO responsibilities in the absence
of the CDCO and assist in administrative functions as necessary.
-------�
Whenever DCOs terminate their employment or relinquish their responsibilities, the
outgoing DCO will certify to the PRRMS Operations Team leader that an inventory of
CAA CBI materials has been performed, and that all materials are accounted for prior
to their departure. If personnel actions permit, the outgoing DCO will brief incoming
personnel as to the current status of records and any outstanding issues.
j. Employees. Contractor/subcontractor and Federal, State and Local Government
employees must:
Comply with all applicable procedures in this manual.
Comply with all CBI procedures set forth in the applicable contract.
Maintain positive control of CBI until returned to the CBIO.
Store CAA CBI in accordance with the policies set forth in this manual.
Discuss CBI only with authorized persons.
Ensure that any CBI received directly is sent immediately to the OAQPS CBIO for
storage and proper logging.
Ensure that CBI is not used in publications or improperly released in any document.
Report alleged violations of security procedures to the OAQPS DCO immediately.
Ensure that memos, notes, and reports containing CBI obtained from telephone
conversations, visits, inspections, inquiries, or tests are protected as CBI, logged and
stored in the CBIO.
-------�
SECTION II.
CAA CBI CERTIFICATION PROCEDURES
1. OVERVIEW. This section describes policies and procedures for allowing access to
Confidential Business Information (CBI) for OAQPS Federal employees and OAQPS
contractors.
Group Leaders and contractor management must arrange for employees to be available for
briefings in support of the OAQPS CAA CBI program. Designated employees must meet all
requirements of the program in order to obtain and maintain access to CAA CBI.
2. GENERAL ACCESS REQUIREMENTS. No person has a right of access to
CBI by virtue of organizational title or position. A person must have a need-to-know
specific CBI before access is granted. There is a responsibility to the organization providing
CAA CBI to protect its information and a parallel responsibility of OAQPS employees and
contractors to minimize their liability.
3. OBTAINING ACCESS TO CAA CBI. A secure CBI system requires continuous
updating of the employee Authorization Access List (AAL),and ensuring adherence to the
annual recertification policy. The steps outlined below have been developed to maintain system
integrity.
a. Federal Employee Access Procedures. Upon determining that an OAQPS employee
needs access to specific CAA CBI, Group Leaders refer those employees to the OAQPS
DCO. The employee attends an initial OAQPS CAA CBI security briefing. See Figure 1 for
steps in obtaining access to CAA CBI.
1) Initial Briefing. All access designees shall:
Become familiar with the policies and procedures outlined in the CAA CBI
Security Manual.
Receive training on the proper handling of CAA CBI, and pass a competency
test.
In the event that the nominated employee fails to pass the CAA CBI test. He or She may
retake the test after a 5 day waiting period.
10
-------�
Steps for Obtaining Access to CAA CBI
GROUP LEADER NOMINATES
Employee Needing Access
I
EMPLOYEE ATTENDS
CBI Briefing/Training
1
EMPLOYEE PASSES
Written Test
i
EMPLOYEE SIGNS
Confidentiality Agreement
I
DIVISION DIRECTOR
Approves Employee Access
i
GROUP LEADER DESIGNATES
Access to Specific CBI
i
CBI OFFICE MAINTAINS
Authorized Access Lists
Figure 1
11
-------�
After receiving the briefing and passing the competency test, each employee will complete and
sign an Authorization for Access to CAA CBI, CAA CBI Form 2 (Appendix A).
The Authorization for Access to CAA CBI form is divided into four sections. Sections I through
III cover the employee's authority to access CAA CBI. Section IV will document the
employee's continued requirement for access to CAA CBI and will ensure that the employee is
current with CAA CBI security procedures. Upon completion, the form should be forwarded to
the responsible Division Director for signature and final approval. Approved forms are returned
to the CBIO for filing.
Employees are responsible for ensuring that their respective Division Director signs the
authorization for access to CAA CBI. Prior to having their name placed on the authorized access
list, the employee's Group Leader must notify the CBI office, in writing, of the requirement to
access specific CBI. An example of the memo is provided in Figure 2.
2) Annual Recertification. Federal employees approved for CAA CBI access must re-
certify their access to CAA CBI on an annual basis. Re-certification may be
accomplished up to 90 days prior, but not exceeding the anniversary date of the issue
of their current certificate. To re-certify, an employee must:
Visit his or her local CBI office and receive a briefing on current procedural
changes, updates or CBI related issue from the DCO or DCA .
Initial Section IV of CAA CBI Form 2 (Annual Re-certification of CBI
Clearance), certifying that he or she continues to require CBI Clearance and is
current with the CAA CBI security procedures set forth in this manual.
Any employee that fails to annually re-certify will have their CAA CBI Form 2 stamped as "CAA
CBI Clearance Terminated" by the DCO/DCA. Their name will be removed from the OAQPS
CAA CBI Authorized Access List and they must relinquish access to CAA CBI materials
effective on the anniversary of their certification.
Every effort must be made to ensure that CAA CBI Form 2 is current. If unscheduled travel or
absence will prevent the employee from initialing CAA CBI Form 2, the employee must contact
their respective CBI office and obtain a wavier. The waiver will cover the period of unscheduled
travel or absence. Upon return to duty, the employee will have no more than 15 days to re-
certify. Failure to do so will require the employee to lose certification and he or she must
reinitiate the CAA CBI access procedure as specified in section (a). The OAQPS DCO will
notify the Group Leader of any suspension of certification.
b. Establishing Access for Contractor Facilities
1) Facilities. Project Officers shall notify the OAQPS DCO immediately upon
determining that a prospective project may require contractor access to CAA CBI.
12
-------�
EXAMPLE
MEMORANDUM
SUBJECT: Request for Confidential Business Information (CBI) Access
FROM: (Name of Group Leader)
(Name of Group)
TO: (CBI Manager)
OAQPS, (MD-C404-02)
This memorandum is to request that the following personnel name(s) be (added to
/removedfrom) the CAA CBI authorized access list for the (Name of Project), (BSD Project # or
CBI #).
(Name(s) of individuals including affiliation).
Also, please add (Name(s) of (Group) to the CBI authorized access list for the (Name of
Project, etc.). Description of Material: Any material received as a result of developing the
the NESHAP for (Name of industry or NESHAP)
(Name(s) of individuals including affiliation).
Figure 2
13
-------�
The following information must be furnished:
a) The name of the prospective contractor and the location of the contractor's
facility.
b) A copy of the Federal Register notification for contractor access to CAA CBI
collected under the specific contract, including the contract number.
c) A copy of the statement of work.
d) Whether the contractor's facility is to receive and store CBI under the contract.
2) Conditions. Contractors may not receive access to and provide storage for CAA CBI
until the contractor meets the following conditions:
a.) Obtains OAQPS approval for access to CAA CBI.
b) Nominates and trains a Contractor Document Control Officer (DCO), and a
Contractor Document Control Assistant (CDCA).
c) Prepares and has OAQPS approve a security plan.
d) Has site inspected and approved by OAQPS.
e) Obtains OAQPS approval from responsible Group Leader for access to specific
CAA CBI for each contractor employee required to work with CAA CBI.
3) Obtaining Approval. When access to CAA CBI is necessary, the contractor must
complete a Request for Approval of Contractor Access to CAA CBI, CAA CBI Form 11,
(Appendix G). The form must explain the reason CAA CBI access is necessary under the
contract. The OAQPS WAM/TOPO must forward the form and Contractor Information
Sheet, CAA CBI Form 1 la, (Appendix G) to his/her Division Director, who will sign the
form as the requesting official and forward it and the information sheet to the OAQPS
DCO for review. The OAQPS DCO will then forward the form and the information sheet
to the PRRMS Director for final approval.
4) Contractor DCO/DCA Requirement. Prior to the commencement of operations,
contractor management must nominate contractor employees who will serve as a
Contractor Document Control Officer (CDCO)and a Contractor Document Control
Assistant (CDCA) and notify OAQPS. The CDCO will be responsible for developing the
Security Plan and must be trained in proper CAA CBI handling procedures prior to
being assigned to their positions.
The CBI Security Manual will be provided in hardcopy and the CDCO/CDCA may
14
-------�
attend a CAA CBI briefing offered by the OAQPS DCO. The requirement that a CDCO
be assigned before actual access begins is required even if access to CAA CBI under the
contract is limited to the OAQPS headquarters facilities. The CDCO serves as the liaison
between OAQPS and the contractor on issues relating to CAA CBI and plays an
important role in requesting and maintaining access authorization for individual
contractor employees and in handling CBI. The CDCA is a back-up for the CDCO.
5) Security Plan. The contractor must prepare and OAQPS must approve a security plan
for access to CAA CBI at a location away from the OAQPS headquarters. Security plans
must describe physical security mechanisms at the contractor's site that are
commensurate with the assessed risk and those procedures put in place to allow
employees to safeguard materials when handling CAA CBI at the site.
The procedures described within this manual and the OAQPS forms in the appendices are
intended to serve as guidelines for the preparation of contractor security plans and need
not be incorporated verbatim in the plans. However, contractor security plans must equal
or surpass the security standards described in this manual.
The following is an outline of a Security Plan.
CDCO responsibilities.
Access procedures.
Accountability system.
CAA CBI storage (based on Security Risk Assessment).
CAA CBI transfers.
CAA CBI safeguards (including disaster prevention, preparedness, and recovery
plan).
Security violations.
Education and training.
Computer security (if applicable).
The OAQPS DCO is responsible for reviewing contractor security plans, discussing any
perceived deficiencies with the OAQPS Project Officer (PO) and the contractor, and
sending a memorandum through the PO to the contractor either approving or
disapproving the security plan.
15
-------�
6) Site Inspection. In addition to the security plan, the OAQPS DCO must inspect and
approve contractor facilities before CAA CBI can be received or stored. OAQPS will
perform site inspections upon initial setup and whenever the physical location of an
approved storage area has been changed or modified. In addition, a security inspection
shall be preformed whenever changes have been made to the security plan that may
impact on the contractor's ability to provide an adequate level of security as dictated by
this manual. The OAQPS DCO must be notified, in writing, prior to any change or
modification to existing facilities or procedures.
If minor problems are noted during an on-site inspection or review of the security plan,
the OAQPS DCO will work with the contractor to correct them. Contractors will be given
30 days to correct any major deficiencies encountered during the inspection. The
contractor will conduct periodic internal audits of their facilities, employee certification
programs, and the CAA CBI security system to ensure compliance with the security plan.
Records of such audits will be available upon request.
See Figure 3, Contractor Steps for Obtaining Contractor Access to CAA CBI.
c. Contractor Employee Access. In general, procedures for contractor employee access to
CAA CBI are the same as those for EPA federal employees. See Section II for clearance
procedures. Contractor specific procedures are detailed below.
1) Contractor Employee Access to Specific CBI. The OAQPS WAM/TOPO will confer
with contractor officials to determine which work assignments or task orders, and which
employees will require access to CAA CBI. Upon receiving the requirements for
contractor employee access to CAA CBI, the CDCO will have the designated
employee(s) attend an initial briefing, pass a written test, obtain signatures on the
Authorization for Access to CAA CBI for Contractor Employees, CAA CBI Form 3
(Appendix A).
2) Federal or contractor employees who require on-line access to a computer system or
database containing CAA CBI must complete a Computer Request, Approval, and
Registration for CAA CBI Computer Access, CAA CBI Form 10 (Appendix F), and
notify the DCO. See Section VII, CAA CBI Computer Security. The originals of these
forms are also forwarded to the OAQPS DCO for the record.
It is not necessary to complete a new CAA Form 2 or CAA Form 3 for every new project or
contract. DCO/CDCO will control access to specific CBI through the use of an Authorized
Access List as prescribed by this section.
4. ACCESS CONTROL. In addition to the procedures listed in Section II, the responsible
Group Leaders / Contractor must designate and approve employees who have a need-to-
know for specific CAA CBI in order to access individual projects by submitting an
16
-------�
Contractor
Steps in Obtaining Access to CAA CBI
Obtain Approval from Director PRRMS to Access CAA
CBI
i
Nominate & Obtain Approval of Contractor Employees
to Serve as CDCO and CDCA
1
Prepare & Submit an Adequate Security Plan
Pass OAQPS DCQ Site Inspection
1
CDCO Brief & Test Employees
on Security Procedures
1
Submit Name(s) & Obtain Approval for
Individual(s) to Access Specific CBI
Figure 3
17
-------�
authorization memo to the OAQPS DCO (Figure 4).
Administrative support personnel may obtain access to CAA CBI to provide typing, word
processing, and document handling support of CAA CBI. This Administrative access may be
granted upon nomination, attendance of the security briefing and passing the written CBI
certification test. Administrative access does not require designation by Group Leaders to
access specific CBI.
a. Access Lists.
1) Authorized Access List: Upon receiving approval to access CAA CBI, the employee
name(s) is placed on the OAQPS CAA CBI Authorized Access List (AAL). This list
denotes those individuals authorized to access CAA CBI.
2) Authorized Project Access List: When the Group Leader designates an employee for
access to specific CBI, the name is placed on the OAQPS Authorized Project Access
List. These access lists are used as a reference to determine whether an individual is
currently authorized to access CAA CBI and what specific CBI they are authorized to
access on a need-to-know basis.
I It is the responsibility of the WAM/TOPO to notify the DCO of any changes to Access lists
3) The contractor must maintain a CAA CBI Authorized Access List. The Access Lists
must identify:
a) Name of personnel authorized access to specific CBI.
b) Contract number.
c) CAA Project Number/Name.
d) Project Lead.
The CDCO/CDCA must submit an updated list to the OAQPS DCO Semi-Annually. The list is
used to ensure that only individuals with current CAA CBI access authority obtain materials
from the CDCO.
The Access lists may be automated or hard copy.
When a contractor employee no longer requires access to CAA CBI, he must notify the CDCO.
The CDCO will remove their name from the authorized access lists and notify the OAQPS DCO
of the deletion.
18
-------�
EXAMPLE
CONTRACTOR REQUEST FOR ACCESS TO SPECIFIC
CAACBI
DATE: (Date)
Subject: Access request to Clean Air Act Confidential Business Information
Contract No:
Work Assignment No: (or Title of Person)
BSD Project No:
From: (Name of Requestor)
Contract Document Control Officer
(Name of Company)
TO: (Current OAQPSDCO), CBI Manager
OAQPS, PRRMS/CBIO, (MD-C404-02)
(Name of Individual (s)) have been assigned to work on the referenced project and their
work will require them to access confidential business information (CBI) that has been collected
under the Clean Air Act (CAA). The mentioned (name of Company) personnel have been
trained and are authorized to access CAA CBI.
Approved by:
(WAM/TOPO) Date (Group Leader) Date
Figure 4
19
-------�
b. Subcontractor/Consultant Access. The program PO is responsible for notifying the
public and affected business of all subcontractors who require access to CAA CBI collected
under the respective contracts. If this information is known at the beginning of the contract, a
Federal Register notice must be published according to the guidelines specified in the Clean Air
Act. Figure 5, is a sample letter that must be prepared and sent to affected businesses notifying
them of who will have access to their information submitted to OAQPS. A ten day waiting
period is required prior to access by a subcontractor/consultant to allow for comment by affected
organizations.
The Prime Contractor is responsible for notifying OAQPS of all subcontractors or consultants
being used prior to releasing any CAA CBI to them. Additionally, the prime contractor is
responsible for ensuring that all subcontractors comply with the provisions of this manual.
5. TERMINATION OF CAA CBI CLEARANCE. CBI clearances will be
terminated when a Federal or Contractor employee no longer has a requirement to access CBI in
the performance of their duties. Individuals no longer requiring access to CBI will be removed
from the CBI access lists.
CAA CBI clearance is terminated under the following circumstances:
Termination of employment.
Termination of duties requiring access to CBI.
Failure to maintain annual certification as explained in Section II, CAA CBI Certification
Procedures.
Security Violations.
Upon relinquishing their clearance, FOR ANY REASON, employees who have been granted
access to CAA CBI must receive a terminal briefing. The DCO/CDCO will delete their name
from the Authorized Access List (AAL) and remove their CAA CBI Form 2/CAA CBI Form 3
from the active file. CAA CBI Form 2/CAA CBI Form 3 will be stamped or annotated to reflect
the date of termination of clearance. CDCOs will forward their copy of CAA CBI Form 3 to the
OAQPS DCO.
Confidentiality agreements will be retained as prescribed by EPA records management schedule
SECU 624, 2 years for Federal employees and 7 years for Contractor employees.
20
-------�
EXAMPLE
Name of Recipient
Title of Recipient
Recipient's Address
Dear Mr ./Ms. (Recipient's Last Name):
The United States Environmental Protection Agency has authorized the following
subcontractor to access information that has been, or will be submitted to the EPA under section
114 of the Clean Air Act (CAA) as amended (or applicable statute): list name and address of
subcontractor/consultant. Some of this information may be claimed to be confidential business
information (CBI) by the Submitter. This subcontractor will be providing support to the EPA
under contract (list contract number). The prime contractor on this contract is (list name and
address of the prime contractor). Under the direction of the prime contractor, this subcontractor
will provide technical support to the Office of Air Quality Planning and Standards (OAQPS) in
developing Federal Air Pollution Control Regulations.
The EPA is issuing this notice to inform all submitters of information under section 114
of the CAA (or other applicable statute) that the EPA may provide the above mentioned
subcontractor access to these materials on a need to know basis. Notification of the prime
contractor's potential access to CBI was done through a previous Federal Register notice.
In accordance with 40 CFR 2.301(h), the EPA has determined that the above
subcontractor requires access to CBI submitted to the EPA under sections 112 and 114 of the
CAA (or other statute) in order to satisfactorily perform work for the EPA under the above noted
contract. The subcontractor's personnel will be required to sign non-disclosure agreements and
will receive training on appropriate security procedures before they are permitted access to CBI.
The above subcontractor's clearance for access to CBI is scheduled to expire on (date).
Please provide any comments regarding the above subcontractor's access to CBI
submitted by your company within ten working days of your receipt of this letter. Comments
should be submitted to (Name of Current OAQPS DCO), Document Control Officer, Office of
Air Quality Planning and Standards, (MD-C404-02), Research Triangle Park, NC 27711,
(919)541-0880.
Sincerely,
(name of WAM/TOPO)
(Division)
cc: Project Officer
OAQPS DCO
Director, OAQPS/PRRMS
Figure 5
21
-------�
SECTION III.
RECORDS MANAGEMENT FOR CAA CBI
1. OVERVIEW. This section describes how Confidential Business Information (CBI) whether
originated by OAQPS or its contractors as derivative CBI or received as original CBI is
identified, protected, logged, controlled, and managed.
When any OAQPS employee or contractor employee receives any materials containing
or suspected of containing CBI, they shall immediately deliver those materials to their
respective CBI office for proper logging and storage.
2. INTENT. The OAQPS CAA CBI Records Management System must be able to track
the movement of CBI, identify the persons with authorized access to it, detect its misplacement
and make prompt retrieval possible. The OAQPS CAA CBI Records Management System
ensures these objectives are accomplished by maintaining authorized access lists, assigning
unique numerical identifiers (CBI control numbers) to each document, maintaining an
automated inventory of all documents submitted/logged into the system, and by monitoring
the movement of CBI through manual or automated logs, records of receipt, usage, and
transmission. All material submitted to OAQPS and all material generated at OAQPS containing
information claimed to be CBI are controlled through the OAQPS CAA CBI Records
Management System.
CBI materials usually form two distinct groups:
a. Original CBI. Original CAA CBI is generally submitted voluntarily to the
Environmental Protection Agency or obtained under Section 114 of the Clean Air Act. It is
usually received in the form of a requested response from a solicited business or a site visit
conducted by an OAQPS or contractor employee.
b. Derivative CBI. Derivative CBI is the result of incorporation, paraphrasing, restating,
or generating information from original CBI. Along with the file or record copy of a newly
created CBI document, the OAQPS CBIO must keep a copy of the source document or sufficient
identifying information from the source document. This information includes the originator's
name and title and the date received. The OAQPS WAM/TOPO's name, title, and office must
also be shown on the new document.
3. OAOPS CAA CBI RECORDS MANAGEMENT SYSTEM. The foundation of the
OAQPS CAA CBI Records Management System includes the following basic items:
Automated database (all CBI re: TSCA, CWA, RCRA, FIFRA, etc.).
Control Records (for each item in the system).
Custody Receipts (for transfer of material).
Cover Sheets (for document protection/identification).
Destruction and Declassification Logs.
Document Inventory (by project, WAM/TOPO, disposition, etc.).
Authorized Access List.
22
-------�
a. OAQPS CAA CBI Automated Tracking System. An automated database is used to
record pertinent information about CAA CBI materials filed in the CBIO and persons
authorized to access specific CAA CBI. The database contains the following information:
Date received.
Date of document.
Number of copies.
CBI control number.
Project name.
Document description.
Provider identification.
Transfer information.
Destruction record.
Authorized access clearances.
Various reports may be generated on a routine basis or when requested by management. They
are:
Complete inventory of all CBI documents including disposition (permanent
inventory, destruction, declassification, etc.).
Listing by specific regulating Acts.
Listing by specific CBI projects.
Listing of documents assigned to individual WAMs.
Listings of authorized personnel (EPA and contractors).
The CAA CBI database is continuously updated and allows the OAQPS DCO to determine the
disposition of documents, retrieve documents in a timely manner, and to generate an accurate up-
to-date inventory on a monthly basis or when requested.
b. CAA CBI Control Record. CAA CBI Control Record, CAA Form 1 (Appendix H) is
placed in each CAA CBI file as a permanent record of authorized personnel access. It also
contains reproduction, transfer, declassification, destruction, and other pertinent information
about the document. The Control Record facilitates timely and accurate accounting for CAA
CBI material during the work day. Each user of CAA CBI must sign and date the Control
Record each time access is granted to a CBI document.
The Control Record is extracted from the file and retained by the OAQPS CBIO or contractor
CBIO as a receipt for the material while it is checked out. It is signed and dated by the OAQPS
DCO or CDCO upon the return of the CBI material and filed in the appropriate folder.
When a CAA CBI document is declassified or destroyed, the CAA CBI Control Record will be
retained for 2 years after the completion of the project as a record of the dispositon of these
documents.
c. Cover Sheets. Cover sheets are used to identify CAA CBI documents and provide a
measure of security when the documents may be exposed to casual viewing. The Cover Sheet
23
-------�
conceals the front of each document and must NEVER be removed. There are two types of
cover sheets used by the OAQPS CBI Office.
1) CAA Confidential Business Information, CAA CBI Cover Sheet, CAA Forms 8 ,
(Appendix E) is a YELLOW sheet of paper inscribed with a claim of confidentiality and
handling instructions. This cover sheet is placed over original CBI documents.
2) CAA Confidential Business Information, Duplicate Copy, CAA CBI Cover Sheet,
CAA Form 8a (Appendix E) is a BLUE sheet of paper inscribed with a claim of
confidentiality and handling instructions. This Cover Sheet is placed over all duplicate
copies made from original CBI. The BLUE cover also serves as a certification of
destruction of duplicate copies. See Item 12 of this section.
d. Custody Receipts. CBI Custody Receipts are used to maintain a Chain of Custody
when CAA CBI documents are transferred and is discussed in Section V, Transferring Custody
of CAA CBI.
e. New Materials. All project documents received by the OAQPS CBIO must be reviewed
by the Project leader. When the status of a document is in question, it will be considered CBI
until it is cleared by the originator or the project lead. After review of the materials, the
documents are logged into the OAQPS CAA CBI Inventory. WAMs/TOPOs are responsible
for coordinating with the DCO and their respective CDCO for the disposition of these materials.
f. Inventory. The OAQPS CAA CBI Inventory Log, CAA CBI Form 12
(Appendix H), will be used in the absence of a automated document tracking system and will be
maintained by the OAQPS DCO/DCA. This inventory must have an accurate description of
each document. The inventory log includes the following information:
Date received
CBI control number (OAQPS & contractor)
Provider's name /Description of materials (number of copies, pages, etc.)
Recipient
Disposition
Disposed Date
Inventory Date
The inventory identifies all CBI material for which OAQPS is accountable; An inventory of
CBI material is conducted on a recurring basis, during which time each CBI file is reviewed
and purged of unneeded materials with the assistance of the WAM/TOPO.
4. QAOPS CAA CBI DOCUMENT CONTROL NUMBERS. The OAQPS DCO
assigns an individual Document Control Number (DCN) to each CAA CBI document. The DCN
consists of an alphanumeric code (e.g., 94111-C02-09). The first group denotes the fiscal year the
document was received and the project sequence number (e.g., 94111); the next grouping identifies the
responsible WAM/TOPO (e.g., COS); and the last group refers to the number of documents received
for that specific project, during that fiscal year. The OAQPS CBI control number is placed on
24
-------�
the cover sheet and the first page of the document. The control number is also placed on the custody
receipt and folder.
5. CBI MARKINGS. Markings are conspicuously stamped, printed, written or affixed on
classified materials to include other than paper documents. If this is not practicable, the
containers of such material shall be marked. The means by which material is marked varies
according to the physical characteristics of the material or organizational and operational
requirements.
CBI material shall be marked in such a way as to readily identify them for special handling.
a. CBI Stamps. Both original and derivative CAA CBI documents are stamped
"Subject to Confidentiality Claim." See Appendix D for additional CAA CBI stamps or
markings.
b. Computer Output. Documents that are generated as computer output may be marked
automatically by systems software. If automatic marking is not practicable, these documents
must be marked manually. Removable storage media and devices used with ADP systems,
typewriters, or word processing equipment shall bear both external (affixed) and internal
(software generated) CBI markings. Documents produced by ADP equipment shall have at a
minimum their first page and their last page marked.
c. Charts, Maps, and Drawings. The markings on charts, maps, and drawings are
inscribed both at the top and the bottom of each document. When the document is unfolded, the
classification marking shall be clearly visible on each folded portion. The marking must also be
visible when the document is rolled or folded for storage.
d. Photographs, Films, and Recordings. Photographs, including negative envelopes,
must be marked as confidential. Their containers must also be marked. The markings on each
transparency or slide must be on the image and on the holder or frame. Classified motion picture
films and videotapes are marked at the beginning and end with a clear statement of classification.
The containers or reels on which they are kept must also be marked.
6. CBI DOCUMENTS. Care must be taken not to compromise proprietary information
when working with CAA CBI. Documents, generated by OAQPS or its contractors, that contain
information derived from CBI documents should be treated as CBI until cleared by the Group
Leader, providing organization or OGC, if required.
a. Working Papers. Newly created CBI is, at first, in the form of working papers. The
category of CAA CBI working papers includes materials such as notes and outlines; initial drafts
of documents; computations, drawings, and diagrams; and other documents. It is the employee's
responsibility to ensure that no information, which has been previously declared as CBI by the
originator, is entered into working papers which are intended for public dissemination. If in
doubt, working papers should be secured in the CAA CBI office. If the document is later deemed
to be non-confidential, it will be returned and retained by the appropriate Project Leader.
25
-------�
b. Typing/Word Processing Requirements. The author of a CAA CBI document may
provide the document to a typist who has authorized access. The typist must return to the
author the newly typed materials and the original draft when typing is completed. All
materials used in typing documents containing CBI, including word processing disks, ribbons,
and waste paper must be treated as CBI and submitted to the CBIO for storage or destruction.
The typist may use the Local Area Network (LAN) for the preparation of CAA CBI documents
but must never store CAA CBI on Share drives or any device other than removable storage
media. Data, reports, etc., must be stored on a floppy diskette or other removable media and
submitted to the CBIO, with a hard copy, for proper logging and storage.
7. NON-CBI DOCUMENTS. Materials produced from CAA CBI need not be
confidential. Non-confidential documents may be produced by deleting CBI from an
existing document or by masking or aggregating the CBI so that it cannot be linked to its
source.
a. Deleting or Replacing CBI. CAA CBI can be replaced in a document with NON-CBI
data, generic descriptive words or terms derived from CBI data that are not themselves CBI.
b. Masking or Aggregating CBI. Group Leaders must be consulted in advance by authors
who wish to produce non-confidential documents by masking or aggregating CBI. Group
Leaders shall review all submissions of masked or aggregate material to ensure that no CBI is
exposed and approve the final non-CBI version.
c. Dropping CBI Claim (Declassification). Non-CBI documents can also be created
from information submitted by a providing organization which drops its claim of confidentiality,
or for which a claim is determined not valid by the OGC.
If a providing organization relinquishes its claim of confidentiality for original CBI, the
WAM/TOPO must obtain a written statement from the submitter and provide a copy to the
DCO before the information can be released to the public in accordance with the procedures
established under 40 CFR 2 Subpart B.
EPA and Contractor employees will comply with the following procedures when declassifying
CBI documents. CAA CBI may be declassified under two conditions:
1) When written authorization has been received from the submitting organization.
a) DCO/CDCO will verify that the proper declassification authority has been
received. A declassification notice must accompany all requests and will denote
the organization authorizing declassification, description of specific item(s) being
declassified, project number and document control number.
b) Declassified documents need not be kept in the CBI inventory and may be
returned to the respective OAQPS Project Lead or Contractor Team Leader.
26
-------�
The DCO/CDCO will inventory the documents prior to transfer to ensure that only
declassified documents are being transferred.
c) The receiving DCO/CDCO will inventory declassified materials and verify that
they are in accordance with the declassification notice. Any discrepancies will be
reported IMMEDIATELY.
d) If declassified materials are received and cannot be immediately inventoried, they
must be stored and treated as CBI until an inventory has been completed.
2) When the originator has not responded within a prescribed time period to a notice of
intent of disclosure submitted to them by the Project Lead as required by 40 CFR 2
subpart B.
At no time will a Contractor or Subcontractor declassify any CBI in their possession
without the expressed, written authorization of the Project Lead and notification of the
OAQPS DCO.
In all instances, the WAM/TOPO is responsible for ensuring that documents contain no CBI.
Materials produced using CBI must be treated as CBI until a determination is made by the
Group Leader or providing organization.
8. DISPOSITION OF CAA CBI DOCUMENTS. WAM/TOPOs or the responsible
Group Leaders shall initiate the process for destruction or disposal of original CBI material not
used or referenced in the rulemaking process. The OAQPS DCO will destroy specified
documents and maintain a record of all destroyed documents. The destruction of CAA CBI
material shall only take place with the proper authorization from the WAM/TOPO and when in
accordance with applicable records management schedules. Submitter notification is not required.
a. Original CAA CBI Materials. CBI material used for technical reference only and not
used in the formulation of a rule, policy or decision may be retained until no longer needed at
which time, and with the prior approval of the WAM, may be routinely and consistently
destroyed in accordance with EPA/NARA Records Retention Schedule TECH 008.
CBI documents that are referenced in rulemaking dockets and / or have been used to formulate
policy or in the development of a rule, will be treated in accordance with EPA/NARA Records
Retention Schedule REGS 149. Project leads will provide the DCO with docket index numbers
as soon as available.
b. CBI Created by OAQPS. Authors of derivative CBI (CBI created from original CBI)
may authorize the CBI Office to destroy these materials.
Documents such as site surveys, test reports, telephone conversations, and meeting minutes
which are compiled into a draft trip report, are forwarded to the affected business (providing
27
-------�
organization) for review of accuracy and confidentiality by the responsible Group Leader. The
responsible industry official is requested by cover letter to review the report, clearly mark any
information considered to be confidential, and return the marked-up report within the specified
time frame. The original is kept in the CBIO. When the marked-up copy of the report is
returned, OAQPS will have the option of:
Protecting the whole document as CBI.
Creating a nonCBI version with all CBI removed by aggregating or masking, and
maintaining a complete CBI version.
Creating a CBI addendum when indicated CBI is at a minimum.
Challenging the validity of the business' claim through OGC.
All revised final documents must be submitted to the providing organization for review
before release to the public.
If the report is determined to be accurate and nonconfidential, the business firm will so note, or
not-respond by the requested date. If the document has CBI status, it is placed in the OAQPS
CBIO and logged into the OAQPS CAA CBI inventory.
In the event that the firm does not respond by the requested date, the WAM/TOPO shall contact
the providing organization and verify the claim and provide a written response to the OAQPS
CBIO for declassification or release purposes.
9. RECORDS OF DESTRUCTION. Records of destruction are required for CAA
CBI materials. When a document is destroyed, the OAQPS DCO or the CDCO must indicate on
the CAA CBI Control Record, CAA CBI Form 1 (Appendix H) the destruction date, person
destroying document, and attach documentation authorizing the destruction to the CAA CBI
Control Record.
The control records of destroyed documents must be retained for audit purposes in accordance
with EPA records management schedules. The destruction of CBI materials shall be
documented in the CAA CBI automated database.
10. METHODS OF DESTRUCTION. CAA CBI documents and materials shall be
destroyed in a manner that precludes recognition or reconstruction. In general, CAA CBI
materials are destroyed by SHREDDING (including any type of paper substance microfiche,
typewriter ribbons, diskettes, and data tapes).
28
-------�
11. CDCO RECORDS MANAGEMENT RESPONSIBILITIES. Contractor
DCOs must comply with the aforementioned requirements of this manual to ensure adequate
safeguarding and handling of CAA CBI documents. CDCO may use sample CAA CBI Forms or
design own in-house forms as long as required OAQPS information is available.
a. CAA CBI Control Numbers. CDCOs may implement an internal CAA CBI control
numbering system, but must cross-reference OAQPS CAA CBI Control numbers on custody
receipts, inventories, derivative CBI, correspondence, etc. regarding specific CAA CBI.
b. CAA CBI Inventories. CDCO must maintain an accurate inventory log consisting of
a NON-CBI description of each document in the CBI inventory (Appendix H). The CDCO shall
conduct an inventory of all CAA CBI materials stored at their facility at least once a year. A
copy of the inventory shall be submitted to the OAQPS DCO. Any original CAA CBI no longer
needed at their facility must be returned to OAQPS.
c. Reproducing Documents. Copying of CAA CBI by contractors is limited to working
papers, drafts of technical reports, drafts of trip reports, meeting handouts, and similar temporary
documents. Copying must be done under the direction and guidance of the CDCO. Procedures
in Section IV, e. should be followed during all document reproduction.
12. COMPLETION OF CONTRACTS, WORK ASSIGNMENTS OR TASK
ORDERS. All documents generated, or received during the execution of a project or contract
are the property of the EPA and must be submitted to the agency upon completion of the project
or contract. CDCOs will return all to the OAQPS CBIO. The CDCO will ensure that all project
CBI materials are inventoried prior to their return.
a. Originals. Originals, documents or materials generated by the contractor in support of the
assigned project, must be returned to the OAQPS DCO at closeout.
b. Duplicates. All duplicate copies, sent to the CDCO for reference during a project, may be
destroyed in conjunction with the closeout inventory. Duplicates transferred by OAQPS will be
identified by their distinctive (BLUE) document cover (Appendix E). CDCOs will acknowledge
destruction of duplicates by signing the appropriate section of CAA Form 8a and returning it to
the OAQPS DCO along with CBI materials. In the event that cover sheets are not available, the
CDCO will submit a memorandum accounting for the destroyed duplicates.
29
-------�
SECTION IV.
CAA CBI WORKPLACE PROCEDURES
1. OVERVIEW. Many modern office buildings incorporate contemporary office design
which present a unique challenge to DCOs, CDCOs and employees alike. Glass walled
conference rooms, open area office space and common areas increase the likelihood of
inadvertent disclosure of CBI information through overheard telephone conversations or casual
viewing of CBI documents by others. This work environment requires that certain procedures be
followed to ensure strict CAA CBI document control measures during the conduct of daily
business.
2. OBTAINING CBI DOCUMENTS. Employees and contractors who are authorized
access to specific CAA CBI may obtain CBI materials from the OAQPS CBIO. The OAQPS
DCO verifies that the employee is authorized access to the requested CBI. Employees must
sign the OAQPS CBI Control Record upon receipt of the document and safeguard CBI
materials while in their possession. Any time an employee relinquishes physical custody of the
CAA CBI (lunch or at the end of the day), he/she must return the document to the CBI office for
storage. The DCO/DCA will sign and date the Control Record upon return. (Other than as
provided in Section III, 6 (b); Direct transfer of CAA CBI materials between employees is
not permitted).
In the event the CBI Office is closed, employees must retain control of the documents or they
may take the documents to an approved CBI storage site for temporary storage. It is the custodian's
responsibility to ensure that the documents are logged and secured until they can be retrieved by
the DCO or DCA. CDCOs should develop their own policies to address this contingency.
CBI materials are transferred ONLY through CBI offices or DCOs
3. DOCUMENT CONTROL. In order to minimize the exposure of CAA CBI
materials to inadvertent disclosure, the following document control steps should be taken:
a. Telephone Calls. Federal and contractor employees with CAA CBI access may
discuss CAA CBI on the telephone with other individuals who are authorized access to the
specific CBI or authorized individuals of providing organizations. However, caution must be
used because interception of telephone communications is an easy means by which unauthorized
persons may obtain CBI.
When making or receiving telephone calls in which CBI will be discussed, the following
safeguards should be abided by:
Verify the identity and CBI access status of the person with whom they are speaking.
30
-------�
Inform the person that the telephone lines are not secure.
Assure the person that a telephone discussion of CAA CBI with a federal or
contractor employee does not constitute a waiver of any claim of confidentiality.
Inform the person that any information provided in the telephone conversation
claimed as confidential will be properly safeguarded.
I Interoffice communication systems (i.e., speaker phones) will not be used to discuss CAA
CBI. ||
Federal and contractor employees shall complete the Memorandum of CAA CBI Telephone
Conversation, CAA CBI Form 6 (Appendix B) for all telephone calls in which CAA CBI is
discussed. Telephone memorandum must be submitted to the CBIO upon completion of the
call so it can be added to the record.
b. Work Spaces(Cubicle). Whenever possible, try to arrange your work area so that
casual passers-by can not read the contents of CBI documents.
c. Computers. When working with word processing applications always turn computer
screens away from view or minimize screens when unauthorized individuals come into your
work area. In order to remove "Temp" files which may have been created during a computer
session, close applications after use. If in doubt, locate the application's Temp Storage folder
and verify deletion. Printers should also by turned off to remove any documents in the printer's
memory buffer.
Additional guidance is provided in Section VII.
I It is the responsibility of the user to ensure that all appropriate measures have been taken
to protect CAA CBI from disclosure to unauthorized individuals. ||
d. Meetings. OAQPS offices or Contractors that host or convene any meeting
(conference, symposium, seminar, exhibit, convention, scientific, or technical gathering) at
which CAA CBI will be disclosed shall take appropriate security measures. The DCO shall
be notified whenever CAA CBI materials must be reproduced for use at a meeting.
The chairperson must verify that all attendees are cleared for CAA CBI and have a need to know
specific CBI to be discussed. Whenever CAA CBI documents are circulated for discussion you must:
1) Have any required documents reproduced by the OAQPS DCO/DCA. The DCO will
number the copies i.e. lof 6, 2 of 6 to ensure that all pages are returned to the CBI Office.
31
-------�
2) Provide a CAA CBI Meeting Sign-In Sheet, CAA CBI Form 7 (Appendix C) as a
meeting record. The following information shall be recorded: date, time, place,
chairperson, and subject. All persons attending the meeting must sign this sheet. The
chairperson will control access in and out of the meeting. All sign-in sheets shall be
delivered to the CBIO by the close of business or the next business day after the meeting.
3) The meeting chairperson must remind those in attendance of their duty to treat all
notes or recordings taken at the meeting as confidential. These materials will be
submitted to the CBIO for storage until CBI status is determined. Notes, minutes,
summaries, recordings, proceedings, and reports on the CAA CBI classified portions of
the meeting must be safeguarded and controlled throughout the meeting.
4) Physical and technical security controls shall be established to control access. The
meeting room shall be cleared of all CAA CBI materials after the meeting. This
includes cleaning all chalkboards, returning any unneeded CAA CBI materials to the
CBIO for destruction, and ensuring that nothing is left in the room that could lead to the
unauthorized disclosure of CAA CBI.
e. Document Reproduction. This subsection details the procedures for controlling and
safeguarding CAA CBI reproduction or other copying.
1) Group Leaders or WAM/TOPOs authorize the reproduction of CAA CBI materials.
Only the DCO/DCA is authorized to make reproductions. The DCO will log additional
copies into the OAQPS Records Tracking System and record the distribution of copies.
2) Copy machines should be dedicated solely to CBI document reproduction. Only
persons authorized access to the specific CAA CBI being copied may be present during
copying. After reproduction, the operator must pass three blank copies through the
machine to ensure that any impressions on the image surfaces of the machine have been
erased.
3) If the equipment used for reproducing CAA CBI materials has a malfunction, the DCO
must inspect the machine's paper path and image surface to retrieve any materials that
may be jammed in the equipment before the repair person is called.
f. CBI Waste. Documents and materials such as typewriter ribbons, carbons and draft
copies used in preparing confidential information shall be handled in such a way that the
information is adequately protected until destroyed. Section III, gives instructions for the
disposal and destruction of CAA CBI.
g. Use of FAX Machines. The use of FAX machines to transmit CAA CBI documents is
authorized. As with any CBI document, care must be taken not to leave documents uncovered or
unattended during transmission. Specific procedures for the use of FAX machines is covered
under Section V,8,d of this manual.
32
-------�
h. Site Visits. Because data-gathering visits, plant inspections, and source testing may
involve inadvertent receipt of CBI, it is the policy of OAQPS to protect all parties involved.
Prior to or at the inception of a plant inspection, data-gathering visit, or source testing,
OAQPS representatives should discuss with plant representatives the information that will
be sought, how it is to be used, and how it is to be protected. OAQPS representatives should
solicit the assistance of plant representatives in determining if any materials being removed
from the site are claimed as CBI. Only materials claimed and marked as CBI are secured in the
CBI office.
4. SPECIAL CIRCUMSTANCES . In the event of a fire or other emergency
requiring evacuation of office spaces, persons who are unable to return the material in their
possession to the CBIO will ensure that such material is safeguarded by covering it from view
and taking it with them. The employee must keep it under their personal control at all times
until it can be secured.
33
-------�
SECTION V.
TRANSFERRING CAA CBI
1. OVERVIEW. This section discusses minimum procedures required to ensure the
security of CBI during authorized transfer.
2. TRANSFERRING CAA CBI TO OTHER FEDERAL. STATE OR
LOCAL AGENCIES. EPA regulations allows disclosure of CBI to another Federal or
State agency in either of two circumstances. Specific guidelines for transfer of CBI documents
can be found in 40 CFR Part 2, Subpart B, Sec. 2.209:
When the official purpose for which the information is needed by the other agency is in
connection with its duties under any law for protection of health or the environment or
for specific law enforcement purposes; or
When disclosure is necessary to enable the other agency to perform a function on behalf
of EPA.
In either circumstance, the PRRMS Director must be notified immediately upon receipt of a
request for documents or information requiring access to CAA CBI. In addition, the procedures
described below must be followed before CAA CBI may be disclosed to other agencies.
These procedures do not apply to disclosure of CAA CBI to individual employees of other
agencies performing functions on behalf of OAQPS where access is confined to OAQPS
premises.
EPA may disclose CAA CBI to other Federal, State or Local agencies upon the written request
from the requestor. Because of the time needed for processing, the written request should be
directed to the PRRMS Director at least 30 days prior to the time access is needed. The request
must be signed by an official of the other agency who is at least equivalent in authority to a
Division Director. It should state specifically the information to which access is requested.
The official purpose for which the CAA CBI is needed should be set forth in detail as well as
any other pertinent information, such as previous efforts to obtain the information. The need
must be in connection with the agency's duties under a law for the protection of public
health or the environment or for a specific law enforcement purpose.
When the signed agreement is returned, it shall be forwarded to the OAQPS CBIO along with a
Letter to Accompany CAA CBI Transferred Outside OAQPS (Appendix I). This letter will
constitute direction to the OAQPS DCO to transmit the CAA CBI materials to the requestor.
The OAQPS DCO will send the materials, the letter and the CAA CBI Custody Receipt to the
requestor.
34
-------�
NOTE: TSCA and FIFRA CBI maintained by OAQPS may not be disclosed to States.
a. CBI Security Agreement. In addition, as part of its written request, a Confidential
Business Information Security Agreement, CAA CBI Form 15 (Appendix I) must be signed by
an official of a government entity requesting transfer of CAA CBI prior to transfer of custody.
This form requires the official of the receiving agency to verify that the information will be
safeguarded utilizing procedures comparable to EPA's procedures for handling CBI found in this
manual and 40 CFR, Part 2, Subpart B. Additionally, each person having access to CAA CBI
documents will be required to sign a Confidentiality Agreement CAA CBI Form 2a (Appendix
I).
Further disclosure of information claimed as confidential, by the gaining agency, is authorized
only if it meets the following conditions:
The gaining agency has statutory authority both to request and receive the information,
and to make the proposed disclosure and, prior to the disclosure, it has furnished the
affected business with at least the same notice that EPA would provide under its
regulations.
The gaining agency has obtained the consent of each affected business to the
proposed disclosure.
The gaining agency has obtained a written statement from the EPA OGC or an EPA
Regional Counsel that disclosure would be proper under EPA's regulations.
b. Notice to Affected Businesses. OAQPS CAA CBI may be released to State or Local
agencies with the written permission from the submitter. Also, it may be possible to aggregate
data or sanitize documents containing CAA CBI without disclosing information claimed as CBI.
When disclosure is requested by another agency, OAQPS must give the affected businesses at
least 10 calendar days notice before granting access to the other agency. Notice to the
affected businesses may be given by Federal Register, letter sent by registered mail (return
receipt requested), or telegram and must include:
The identity of the agency/contractor to which CBI is to be disclosed.
The official purpose for the access.
Whether access is authorized only on EPA premises or also at the other agency or
contractor's facilities.
A non-confidential description of the specific information to be disclosed.
The period of time for which access to the CBI is authorized.
35
-------�
However, no notice shall be required when EPA furnishes business information to another
I Federal agency to perform a function on behalf of EPA.
c. Before Approval. The PRRMS Director will notify the requesting official
acknowledging receipt of the written request and will direct issuance of a notice to affected
businesses if required. The PRRMS Director will also notify the requesting official if
approval is not granted.
d. Before Transfer. Before CAA CBI may be disclosed, the PRRMS Director must notify
the other agency that the information being disclosed is classified as CAA CBI, that it was
acquired under authority of the CAA, and that any unauthorized disclosure of the information
may subject employees of the other agency to criminal penalties (18 U.S.C. 1905, et.al.).
3. TRANSFERRING CAA CBI TO EPA CONTRACTORS OR
PROVIDING PLANTS/FACILITIES. CAA CBI documents are transferred to
authorized individuals by the OAQPS DCO. To initiate the process of transferring CAA CBI,
a Letter of Transfer (Appendix J) shall be prepared by the responsible Group Leader. The
WAM/TOPO or employee delivers the letter of transfer to the CBIO. The letter of transfer, a
custody receipt (and one copy) are enclosed with the transferred CAA CBI.
CAA CBI documents (draft reports, revisions, telephone contact reports, etc.) are
transferred between DCOs/CDCOs via a Custody Receipt. A Letter of Transfer signed
by the Group Leader is not required for this type of transfer.
The process for transferring CBI to a contractor or facility is as follows:
WAM/TOPO submits letter of transfer to Group Leader for signature (Facility Only).
WAM/TOPO gives verbal or written authorization for document transfer to contractors.
Letter of transfer and Project or CAA CBI control number, if known, is submitted to the
CBIO (Facility Only).
The DCO prepares the custody receipt, properly packages CAA CBI including letter of
transfer.
The DCO releases package to authorized contractor employee or mails package via
registered mail or Federal Express.
4. TRANSFERRING CAA CBI FROM CONTRACTORS TO OAQPS. The
contractor Project Lead or EPA Work Assignment Manager must authorize the transfer of CAA
CBI, related to their projects, to OAQPS. Records should be identified and instructions given to
36
-------�
the CDCO to return the material to the OAQPS CBIO. The material being transferred must be
listed on the CAA CBI Custody Receipt, CAA CBI Form 14 , Appendix H (including the
OAQPS CAA CBI control number if available).
The process for transferring CBI from EPA Contractors to OAQPS is as follows:
WAM/TOPO gives verbal or written authorization for document transfer to OAQPS.
The CDCO prepares the custody receipt, properly packages CAA CBI for transfer.
The DCO releases package to authorized contractor employee or mails package via
registered mail or Federal Express.
Direct transfer of CAA CBI materials between contractor employees is not permitted.
CAA CBI materials must be transferred through the CDCQ only.
5. TRANSFER TO SUBCONTRACTORS. EPA's regulations (40 CFR, Part 2)
allow disclosure of CAA CBI to contractors and their subcontractors when disclosure is
necessary to enable the contractor to perform work on a contract. Unless previously given, the
affected businesses must be given notice before CAA CBI is transferred to the subcontractor
with the same requirements as indicated above. The initial notice is usually prepared by the
OAQPS Project Officer and is published in the Federal Register notifying the public and
affected businesses of OAQPS contractors and subcontractors who will have access to CBI
collected under the Clean Air Act. As in all cases the procedures listed in this section apply to
transfers of CAA CBI to subcontractors.
The Prime Contractor is responsible for the transfer of CAA CBI to their designated
Subcontractors or Consultants.
6. PREPARATION AND PACKAGING. CAA CBI materials to be transferred will
be processed by the DCO. The following guidelines set forth the procedures for preparing and
packaging CBI materials.
a. Inner and Outer Covers. Before CAA CBI may be transferred or hand carried out of
the OAQPS facility, the materials to be transferred must be double wrapped with opaque
paper. The inner cover must bear markings that indicate the classification and instructions,
"Subject to Confidentiality Claim," and "To Be Opened by Addressee Only." The person
to whom the material is intended is included in the address as an "Attention" line on the inner
envelope. Markings on the inner cover shall not show through the outer cover.
b. Addressing. CAA CBI being transferred from the OAQPS CBIO to another facility or
being returned from a facility to the CBI Office shall bear the name of the receiving DCO and
37
-------�
shall not bear any classification markings or other indication that CAA CBI information is
enclosed.
c. Packaging. Materials used in packaging CAA CBI must be strong and durable enough
to provide protection in transit and prevent items from protruding through the covers. Upon
receipt, packages must be inspected to ensure that the seals have not been broken.
7. CUSTODY RECEIPT. A CAA CBI Custody Receipt, CAA CBI Form 14 (Appendix
H) is included with all transfers of CAA CBI materials and prepared in triplicate. This form
provides the previous holder of CAA CBI with proof of accountability that the material was
transferred and received.
The Custody Receipt is prepared in three copies. After verifying all materials were received,
the recipient signs and dates Copy 1 and returns it to the sender. Copy 2 may be retained by the
recipient for his/her records. Copy 3 is retained by the CBIO as a suspense copy until the
signed original Copy 1 is returned by the recipient, or the Domestic Return Receipt is received
acknowledging delivery of the document(s). See Section III. Records Management for CAA
CBI for more information on accountability, control records, and the CAA CBI control
numbers.
8. TRANSFER METHODS. OAQPS CAA CBI may be transferred or transported by
the following methods:
Hand carried to another facility by an employee or contractor employee who is
authorized access to the CAA CBI.
U.S. Postal Service registered mail (return receipt requested), Express Mail.
Private courier (Federal Express).
a. Hand Carrying. Appropriately cleared OAQPS employees may be authorized to hand
carry CAA CBI material between facilities (when traveling) if the conditions outlined below are
met.
1) Individuals authorized to carry CBI must contact the CBIO to be fully briefed on the
provisions of this Section before departing.
2) While traveling by plane or other public conveyance, employees must keep CAA
CBI materials in their possession, and will not check them with their luggage.
3) When employees travel with CAA CBI materials and are unable to deliver or ship
the CAA CBI materials to a facility authorized to store CAA CBI, they may store the
38
-------�
materials for short periods inside the locked trunk of a motor vehicle while enroute. At
no time will CBI materials by stored in the trunk of a car overnight. CAA CBI
materials may be stored overnight in hotel safes, if a receipt is obtained from the hotel
management. Otherwise, CAA CBI materials must be kept in the possession of the
traveler.
4) The storage provisions for CAA CBI are detailed in Section VIII. Storage of CAA
CBI, shall apply to all stops enroute to a destination. CAA CBI materials shall not be
unwrapped until the traveler's destination is reached. If the materials are to be
transferred to someone at that location, they must immediately be taken to the local
DCO and logged into the local Document Tracking System or given to the designated
plant recipient.
5) The CBI Office shall log out CAA CBI carried or escorted by traveling personnel.
CAA CBI must be inventoried upon return by count and inspection of materials or by
inspection of receipts for materials, if delivered.
b. Registered Mail. CAA CBI material must be mailed by registered mail (return receipt
requested). Regular first class mail must never be used to transfer CAA CBI.
c. Couriers and Express Mail. EPA and contractor employee couriers, commercial
couriers, and U.S. Postal Service Express Mail may be used in the transmission of CAA CBI.
d. FAX Transmittal. During the conduct of daily business it may become necessary to
transmit CAA CBI documents to and from originating facilities or EPA and Contractors in
order to expedite processes. The DCO or DCA must be informed of all FAX transmissions of
CAA CBI.
The guidelines listed below have been established to provide security of documents transferred
via this medium and apply to both EPA and Contractor employees:
Prior to any FAX transmittal of CAA CBI, all parties must be made aware that
transmission lines are not secure and that NO encryption equipment will be used to
scramble the message.
1) Only a FAX machine located in the CBI Office is authorized to receive a FAX
containing CAA CBI.
2) Before sending a FAX containing CAA CBI, the sender must verify the recipient's
access authority.
3) During transmission, the sender must have sole access to the FAX machine. The
sender must also ensure that no uncleared person(s) view the CAA CBI documents.
39
-------�
4) FAX machines may contain internal memory. After transmission is complete the
sender must turn off the FAX machine in order to clear the memory buffer.
5) Central FAX receiving centers are not authorized to receive CAA CBI.
6) Individuals requesting the transmission of CAA CBI must ensure that the recipient's
FAX number is correct.
7) FAX machines should be configured to print a Transmission Receipt when FAXing
is complete. This receipt will be placed in the document's official file. In addition, the
DCO will contact the recipient after transmission to verify the FAXed copies have
arrived.
When FAX transmittal of CBI is requested by an originating facility, the WAM/TOPO must
verify that the recipient is authorized to receive a company's CAA CBI documents prior to
transmission. Facilities must submit a notarized letter on corporate letterhead signed by a
corporate officer indicating the person(s) authorized to receive CBI documents. The notarized
letter will be maintained in the official document file.
40
-------�
SECTION VI.
STORAGE OF OAQPS CAA CBI
1. OVERVIEW. This section describes the minimum standards for the physical
safeguarding and storage of CAA CBI.
2. INTENT. Offices established for the storage and security of CAA CBI material are
responsible for ensuring that all reasonable means have been taken to prevent the unauthorized
disclosure of information. A complete evaluation of security risks will identify the safeguards
required to address potential threats.
3. STORAGE SPECIFICATIONS.
I The type of container and storage area approved for CAA CBI storage must be adequate
to the level of security identified by the Risk Assessment and detailed in the Security Plan.
EPA's Information Security policy provides for a methodology for a risk analysis to adequately
determine the appropriate security level to address the risk. The risk assessment and security
plan are subject to approval by the PRRMS Director and shall be available to representatives of
EPA's OIG.
The risk analysis will provide an evaluation of the relative vulnerabilities at an installation in
order to maximize the effectiveness of security measures within the constraints of available
resources.
As a minimum, security of CAA CBI materials maintained in manual record form will conform
to those measures prescribed by the EPA Information Security Manual, Section 14.3.
a. Minimum storage area requirements
The preferred CBI storage area is an interior office or room which will be designated soley
for the storage of CAA CBI. Items to consider when choosing a storage area are:
Windows - When visual access is a factor, windows should be kept closed and
locked at all times. Windows should be made translucent or opaque by any practical
method such as painting or covering the inside of the glass to prevent viewing from
the outside.
Ceilings - Ceilings should be constructed of plaster, gypsum wallboard material,
panels, hardboard, wood, plywood, ceiling tile or other material offering similar
resistance to and detection of unauthorized entry. When a false ceiling is used, this
false ceiling should, within a reasonable manner, provide resistance to unauthorized
41
-------�
entry and be alarmed or otherwise secured. In those instances where barrier walls
extend to a solid ceiling, there is no need to reinforce a false ceiling.
Walls - Construction should be plaster, gypsum wallboard material, metal panels,
hardboard, wood, plywood, or other material offering similar resistance to and
detection of unauthorized entry. If insert-type panels are used, a method must be
devised to prevent the removal of such panels without leaving visual evidence of
tampering. Barrier walls should be opaque or translucent where visibility is a
factor. If visual access is not a factor, barrier walls may be wire mesh or other
non-opaque material. Barrier walls should extend to a solid ceiling. If, however,
walls extend only to the level of a false ceiling, the open area between ceilings
must be secured.
Access Door - Whenever possible, the storage area should have only one access
door. Doors will be solid wood or metal and secured by a Combination, Cipher
Lock or Electronic Card Reader.
b. Minimum storage equipment:
Containers - Lockable File Cabinets (Keyed or Combination Lock). Storage cabinets
must be secured by a combination lock or require a key for access.
"OPEN/CLOSED" magnetic signs or equivalent, shall be posted on each CAA CBI
storage container to readily identify containers that are open or locked, and to provide
a visual spot check at the end of the work day to ensure containers are properly
secured.
All CBI storage containers and the entry door shall be locked whenever CBI personnel are not
present, i.e. lunch hour, and at the end of each business day.
4. PROCEDURES FOR COMBINATION LOCKS AND CABINET KEYS
Procedures must be developed for the use and accountability of locking devices used on CAA
CBI storage containers. The security of lock combinations and key control is paramount to the
OAQPS security program. Locks are not required to resist forced entry with tools but shall be so
designed and constructed to resist the effects of normal everyday use and abuse.
a. Combination Locks. Combination locks used to secure CAA CBI must conform to the
following minimum specifications:
1) The locking mechanism shall preclude the changing of the combination without
knowledge of the existing combination.
2) The locking mechanism shall not permit the shackle to be locked out in the open
position.
3) The locking bolt shall be guarded by not less that three combination wheels.
42
-------�
4) The shackle shall not spring to the open position when unlocked.
b. Changing Combinations. Combinations shall be changed only by cleared personnel
having that responsibility under these circumstances:
Whenever someone who knows the combination no longer requires access.
In the event of suspected compromise of CAA CBI.
When deemed necessary by the custodian.
Knowledge of combinations is limited to CBI Office personnel and DCOs. Records of
combinations must be protected as though CAA CBI.
c. Keyed Locks. Keys require strict controls since they can be more easily lost or stolen.
Key Control measures:
All keys will be locked in the CBIO key box under the direct control of the
DCO/CDCO.
A record of all key ID numbers will be maintained by the DCO/CDCO.
A key control roster will be maintained by the CBIO to annotate when keys are
removed from and returned to the Key Box by CBIO staff.
At no time will keys be removed for the CBI office.
Each key will remain in the cabinet locking device when the cabinet is opened.
Each key will have a tag with the appropriate key ID number affixed. The tag will
serve a dual purpose. It will make keys easy to identify and it may serve as an
"OPEN/CLOSED" indicator.
5. SAFEGUARDING CAA CBI IN THE EVENT OF A DISASTER.
Security of CAA CBI should be an integral part of any Disaster Plan.
A disaster plan is required by the Federal Emergency Management Agency (FEMA) to ensure
the safety of personnel and to protect vital records. OAQPS and its contractors are required to
protect any records/documents affecting the legal and financial rights of the Government and of
the people affected by its actions. Steps take in safeguarding CBI in the event of an emergency
form part of the overall OAQPS Contingency Of Operations Plan (COOP)which has three main
components: prevention, preparedness, and response.
43
-------�
a. Prevention. Procedural prevention relates to activities performed on a day-to-day,
month-to-month, or annual basis, relating to security and recovery. The objective of procedural
prevention is to define activities necessary to prevent various types of hazards and ensure that
these activities are performed regularly.
Physical prevention begins when a CAA CBI storage site is identified or constructed. It
includes special requirements for room construction, as well as fire protection for various
equipment. Special considerations include: computers, fire detection and extinguishing
systems, record(s) protection, air conditioning, heating and ventilation, electrical supply and
emergency egress.
The OAQPS DCO will conduct an inspection of the OAQPS CBIO to identify problem
areas and foster awareness of disaster prevention issues among the staff.
The OAQPS DCO will train the CBIO staff in records management, protection, and how
to respond to a disaster.
b. Preparedness. OAQPS DCO will ensure that there are appropriate supplies on hand
to deal with immediate needs, conduct CAA CBI database backups on a. routine basis and
identify local suppliers of materials that are needed in the event of a disaster. The OAQPS
DCO will also keep up-to-date on current technology, procedures, and services available for
disaster planning and recovery, and ensure the staff is informed about these issues.
Additionally, the DCO will ensure appropriate security measures are taken to prevent damage or
destruction of CAA CBI, at approve off-site storage facilities.
c. Response. The OAQPS DCO is responsible for directing all disaster operations
affecting damage or destruction CAA CBI records. All OAQPS staff (Directors, Group
Leaders, POs, WAM/TOPOs and employees) must be involved in order for the disaster plan to
be effective. Preventing, preparing for, and responding to disasters has to be a team effort. The
OAQPS DCO will evaluate the damage, plan and execute recovery operations, and perform a
post-disaster assessment.
44
-------�
SECTION VII.
OAQPS CAA CBI COMPUTER SYSTEM SECURITY
1. OVERVIEW. This policy applies to all information systems processing and/or storing
CAA CBI. It shall apply equally when the systems are owned and operated by EPA or by its
contractors or consultants.
2. DIRECTIVES. The computer processing of CAA CBI must be in compliance with the
security guidelines as outlined in EPA Directive 2100, Information Resources Management
Policy Manual, EPA Directive 2195A1, EPA Information Security Manual; and Office of
Management and Budget OMB Circular A-130 ( directives issued to all Federal agencies
processing sensitive data by computer).
These directives require Federal agencies processing sensitive information by computer to
establish and maintain a formal security system.
3. BASIC SECURITY REQUIREMENT. In accordance with the OAQPS
Information Security Plan, all OAQPS LAN and application users must ensure that system
resources are protected. Employees are held accountable for their actions and are responsible
for information security.
When CAA CBI access is permitted over an information system. The system must provide a
level of security adequate to protect any CBI being processed from alteration, loss, or
unauthorized access. The system will conform to the following specifications:
a. Security Mode. OAQPS CAA CBI must be entered into an isolated system with access
control safeguards as well as additional safeguards within the system. In addition, file and data
separation is required since all users are not authorized to access all data.
b. Authenticity and Verification. The system will authenticate the password of each
project, verify each user's identity, and validate each user's file access authority and privileges.
The DCO will maintain a list of all CBI user Passwords. System output must have special
markings that identify particular data sets or programs to provide audit trails. These audit trails
will produce an activity log and, when possible, an event record to permit analysis of system
operation by the CBI Office.
c. Remote Operation (Dial-up or Wireless). There will be no communication system to
interface with remote systems, Personal Digital Assistants (PDA's) or Laptops.
d. User Requirements. All system users and persons authorized access to the
information system shall meet the following criteria:
Receive authorization to access CAA CBI data system by completing a Request,
45
-------�
Approval, and Registration for CAA CBI Computer Access, CAA CBI Form 10.
Obtain and understand the proper security procedures for operation of the system.
Report any incidence of system malfunction.
Receive training in the use of the system.
Sign an acknowledgment of having been provided the above information.
OAQPS and contractor employees authorized access to specific CBI may view a computer
screen that contains the specific CBI to which they have been authorized access.
4. COMPUTER EQUIPMENT ROOM. Servers and other peripheral equipment
forming part of a CBI information system must be located in a room with a keyed or
combination, lock. CBI information systems may be located in CBI Office or LAN Server
room. Regardless of location, any room used to house the CBI information system equipment
must meet the following minimum requirements:
a) Shall be on a floor not accessible from the exterior of the building.
b) Shall be in an area not adjacent to, above, or below an area that would constitute a
high-risk area from the standpoint of fire or explosion.
c) Shall maintain only one entrance for personnel access. Other doors, if any, shall be
secured.
d) Shall be secured with a Simplex combination lock, mounted on a solid wooden or
metal door.
5. SAFEGUARDING CBI DURING PERSONAL COMPUTER USE. While
accessing CAA CBI from a computer in an unsecured area, the operator must retain exclusive
control over the operation of the computer and printer and must ensure that only individuals
authorized for access to the CAA CBI can view the terminal screen. If the operator must leave
the terminal for any reason, the computer session shall be terminated.
**
DO NOT store CAA CBI data on the LAN or Non- Removable storage device**
a. Computer Storage Media. CBI data generated or processed on a personal computer
must be stored on either floppy, compact diskettes, or detachable hard disks. Floppy or
compact disks are preferable and shall be secured in the CBIO. After each session storage
media will be removed for the computer and returned to the CBIO.
b. Termination of a CBI Computer Session. Proper termination of a computer session
46
-------�
involving CBI consists of the following steps:
Transferring and verifying the transfer of the CBI data to the storage medium
(floppy disk, detachable hard disk, or printout).
Removing the storage medium from the computer.
Erasing any storage media no longer required for this purpose, with a authorized
utility program conforming to the DOD 5220.22-M standard.
Close out applications properly to erase TEMP files and data that may by
temporarily stored in Random Access Memory.
Returning the disks and generated printouts to the CBIO.
c. Computer Printouts. If CAA CBI is printed out, the printed material must be secured
in the CBIO. Employees who generate or obtain a printout from the computer must first
determine whether the printout contains CBI. All printouts and any information obtained from
a computer screen containing CBI must be logged in and out through the CBI office.
Turn off the printer to ensure removal of any CBI information stored in the printer
buffer.
6. SYSTEM SECURITY SOFTWARE FOR MULTI-USER SYSTEM. The
operating system will protect itself and provide an authorization function to permit only
approved sets of individuals and programs to be combined for a project. One class of machine
instructions will be reserved for exclusive use of the operating system, and one class will be
usable by the operating system and user applications.
a. User Permissions. The system will enforce user privileges as authorized for any given
file and will include execute Read Only access and prohibit copying or renaming of CBI files.
Authentication of project passwords, verification of user identity, and validation of user file
authority are performed by the system.
b. Event Record. Except for password maintenance activities, unique identifiers
(passwords) may not be printed or displayed on any output or terminal. Within the limits of
system capability, an access and event journal will be maintained by the system in a secure
manner to record system activity, log-on attempts, and program execution. This audit function
should permit event attribution to the individual user. An exception audit will be produced by
the system of all unauthorized activity, including log-on and file access attempts for review by
the DCO/DCA. The system will include a time clock for recording events. The system activity
log will have a write-only mode.
47
-------�
7. GENERAL PROCEDURES. Changes to the operating system will be made
off-line, reviewed, and approved before being installed on the active system. Changes in the
application programs will be made off-line using non-sensitive data and implemented after
review.
a. Checkout. Portable storage disks must be checked out from the CBI Office using the
same procedures described in Section IV.
b. User Privileges (Multi-User System Only). Unique identifiers (passwords) shall be
used for project identification in the log-on procedure and for data file access. These identifiers
shall be treated as confidential. Two passwords are required to begin a program. The
DCO/DCA shall provide a data file access password. System access password and user
permissions will be assigned by the Information Security Officer.
c. Back-up Files. CAA CBI files will be scheduled for periodic backups. Backups
will be conducted to removable media (i.e. removable Hard Drive) ONLY. Back-up files will
be secured in the CBIO.
d. Transmission. Input and output media shall be transmitted only between the CBI
Office and the users who are authorized access to specific data contained on the media. In no
case will input media be accepted from or delivered to a third party. Any system processing
and/or storing CBI must be a system that maintains CBI controls.
8. DESTRUCTION AND RELEASE OF MEDIA. When no longer needed, all
paper products, program listings and printouts, will be destroyed in accordance with current
procedures for disposal of CBI documents as covered in Section III.
a. Magnetic Storage. Any magnetic storage media previously used to process or store
CAA CBI may be released from control after it has been erased using an approved software
utility. Software used to sanitize media will conform with DOD 5220.22-M. All identifying
markings must be removed prior to release.
48
-------�
SECTION VIII.
CAA CBI SECURITY VIOLATIONS
1. OVERVIEW. This section sets forth the procedures to be followed whenever CAA
CBI security procedures may have been violated.
2. RESPONSIBILITY OF DISCOVERER. Any OAQPS employee who is either
aware of actual or possible violations regarding loss of CBI materials or unauthorized
disclosures must immediately report this information to the DCO.
3. INVESTIGATING VIOLATIONS. All alleged violations of this manual's
procedures shall be investigated, even if there is no evidence of a lost document or unauthorized
disclosure.
a. Preliminary Inquiry. The PRRMS Director will instruct the OAQPS DCO to conduct
a preliminary inquiry into the circumstances surrounding an actual or possible compromise. The
findings of this inquiry will be presented to the PRRMS Director for evaluation.
b. Investigation. Based on a review of the Preliminary inquiry, the PRRMS Director may
direct the OAQPS DCO to conduct a full investigation of the incident. The investigation shall
include the following components:
A complete identification of each item of classified information involved.
A thorough search for the CBI.
Identification of any persons or procedures responsible for the compromise.
A statement that a compromise did occur, may have occurred, or did not occur, and
an estimate of the risk of damage to the affected business.
A thorough discussion of all facts uncovered.
4. REPORTS AND FINDINGS. Investigative reports shall include, if possible, the
document date, subject, name and address of the originator, and a description of the material.
a. Finding of No Damage. If it is determined that compromise could not reasonably be
expected to cause identifiable damage to the affected business, the report of the preliminary
inquiry will be sufficient to resolve the incident.
b. Lost Documents. The report should include the time and date of the loss and the steps
49
-------�
taken to locate the material. If possible, the person responsible for the loss should be identified.
c. Evidence of Compromise. Where a compromise is believed to have occurred, a
narrative statement by the WAM/TOPO should detail the circumstances, the identity of the
unauthorized person(s) who had or may have had access to the material, the steps taken to
determine whether a compromise did in fact occur, and the WAM's evaluation of the
importance of the material.
d. Finding of Damage. If it is determined that the probability of identifiable damage to
the affected company cannot be ruled out, the PRRMS Director shall notify the affected
business that the materials claimed as CBI are not in account and that there is reason to believe
the information may have been disclosed to individuals not authorized to access it. Written
notice to the affected business must contain a description of the CBI in question and the date of
the disclosure.
5. RESULTING ACTIONS. After receiving an inquiry and/or investigation report, the
PRRMS Director will notify appropriate Division Directors of the report findings and
recommend actions in keeping with the EPA Conduct and Discipline Order. Division Directors
are responsible for imposing punitive measures as deemed necessary.
a. Violations Subject to Punitive Measures. Employees may be subject to punitive
measures if they do any of the following:
Compromise CBI through negligence.
Knowingly and willfully violate any provisions of this manual or without
authorization, disclose properly classified CBI.
b. Punitive Measures. Punitive measures for security violations are specified in 18
U.S.C 1905 and 18 U.S.C 1924 and include, but are not limited to, warning notice, admonition,
reprimand, termination of authorization for access to CBI, removal, discharge, or legal charges.
These measures will be imposed in accordance with applicable law and EPA regulations.
50
-------�
CAA CBI DEFINITIONS
Access: The ability and opportunity to gain knowledge of CAA CBI in any manner
whatsoever.
Affected Business: Any providing organization that could be affected adversely by the
unauthorized disclosure of its CAA CBI.
Authorized Person: Any person duly authorized pursuant to OAQPS procedures to have
access to CAA CBI.
CAA CBI Control Number: Unique number assigned by the OAQPS DCO to any document
received or generated that contains CAA CBI.
Confidential Business Information: Any documentary or non-documentary information, in
any form, received by OAQPS from a person, firm, partnership, corporation, association, or
local, State or Federal agency that relates to trade secrets, commercial or financial information
and claimed as confidential by the person submitting it under the procedures in 40 CFR, Part 2,
Subpart B.
Contractor: Any person, association, partnership, corporation, business, educational,
institution, governmental body or other entity that performs work under a contract with the
United States Government.
Contracting Officer (CO): EPA delegated official with the authority to enter into contracts
on behalf of the EPA. The CO has sole authority to sign contracts, obligate funds for a contract,
issue work assignments, modify contract terms or conditions, and terminate a contract.
Custody: Formal responsibility for controlling access to CAA CBI according to the
procedures found in this manual.
Derivative CBI: Confidential Business Information created by incorporating, paraphrasing,
restating, or generating a new form of the information.
Document: Any recorded information regardless of its physical form or characteristics,
including, without limitation, written or printed materials; data processing cards, disks, and
tapes; maps; charts; photographs; paintings; drawings; engravings; sketches; working notes and
papers; reproductions of such items by any means or processes; and sound, voice, or electronic
recordings in any form.
CBI Office: Secured interior room at OAQPS headquarters where all CAA CBI is stored.
51
-------�
Document Control Officer: A Government employee designated by the PRRMS Director to
oversee the OAQPS CAA CBI program.
Document Tracking System: A system to account for the location or disposition of CAA CBI
materials. Materials in a Document Tracking System are assigned unique numerical identifiers,
or CBI control numbers, and their locations are tracked through manual or automated logs or
records of receipt, usage, and transfer.
Employee: Any person employed by EPA on a full-time or part-time basis in accordance with
the procedures of the Office of Personnel Management. (This definition does not include
contractors, grantees, or their employees).
Federal Agency: Any organization or entity composed of United States officers or employees
except for Federal courts and Congress.
Holder: A Federal employee or OAQPS contractor employee who is authorized access to
specific CAA CBI, and is currently in possession of the CAA CBI.
Original CBI: Confidential business information in its original form as submitted by a
providing organization or as recorded during a visit to the providing organization.
Project Officer (PO): EPA's primary technical representative of the CO for a contract.
Responsibilities include: evaluating contractor proposals; assisting in writing statement of
work; reviewing contractor progress reports; reviewing contractor requests and recommending
approval or disapproval to the CO; and assisting the CO in the resolution of problems
associated with contractor performance.
Specific CAA CBI: Confidential business information collected for an individual project or
work assignment/task order under a contract.
Subcontractor: A contractor that provides a portion of the level of effort on an OAQPS
contract through a contractual agreement with the OAQPS prime contractor. The EPA's
contractual agreement is with the prime contractor, not the subcontractor.
Violation: The failure to comply with any provision of these procedures, whether or not such
failure leads to actual unauthorized disclosure of CAA CBI.
Work Assignment Manager/Task Order Project Officer (WAM/TOPO): An EPA
program official who monitors a specific work assignment written under a contract. The
WAM/TOPO develops the statement of work for specific work assignments or task orders and
monitors the technical performance of the contractor.
52
-------�
GLOSSARY OF ACRONYMS
ACRONYMS
AAL
ADP
CAA
CBI
CBIO
CDCA
CDCO
CFR
CWA
DCA
DCO
EPA
FEMA
FIFRA
GAO
OAQPS
LAN
OIG
OGC
osw
Authorized Access List
Automatic Data Processing
Clean Air Act
Confidential Business Information
Confidential Business Information Office
Contractor Document Control Assistant
Contractor Document Control Officer
Code of Federal Regulations
Clean Water Act
Document Control Assistant
Document Control Officer
United States Environmental Protection Agency
Federal Emergency Management Agency
Federal Insecticide, Fungicide and Rodenticide Act
General Accounting Office
Office of Air Quality Planning and Standards
Local Area Network
Office of the Inspector General
Office of General Counsel
Office of Solid Waste
53
-------�
PC
PRRMS
RCRA
TSCA
WAM/TOPO
Personal Computer
Planning, Resources & Regional Management Staff
Resource Conservation and Recovery Act
Toxic Substances Control Act
Work Assignment Manager/Task Order Project Officer
54
-------�
INDEX OF APPENDICES
APPENDIX P& TITLE
A-l Authorization for Access to CAA CBI for Federal Employees,
CAA CBI Form 2
A-2 Authorization for Access to CAA CBI for Contractor Employees,
CAA CBI Form 3
B B-1 Memorandum of CAA CBI Telephone Conversation, CAA CBI
Form 6
C C-l CAA CBI Meeting Sign-In Sheet, CAA CBI Form 7
D D-l CAA CBI Markings
E E-1 CAA CBI Cover Sheet, CAA CBI Form 8
E-2 CAA Confidential Business Information "Duplicate Copy" Cover
Sheet, CAA CBI Form 8a
F F-l Request, Approval, and Registration for CAA CBI Computer
Access, CAA CBI Form 10
G G-l Request for Approval of Contractor Access to CAA CBI, CAA
CBI Form 11
G-2 Contractor Information Sheet-Contractor CAA CBI
Access/Transfer, CAA CBI Form 1 la
H H-1 CAA CBI Inventory Log, CAA CBI Form 12
H-2 CAA Confidential Business Information Control Record,
CAA CBI Form 1
H-3 CAA CBI Custody Receipt, CAA CBI Form 14
55
-------�
1-1 Confidential Business Information Security Agreement,
CAA CBI Form 15
1-2 Letter to CAA CBI Requesters Outside of OAQPS
1-3 Letter to Accompany CAA CBI Transferred Outside of OAQPS
1-4 Confidentiality Agreement for Federal Employees, CAA CBI
Form2a
J-l Letter of Transfer (Trip Report Review Letter to Providing
Facilities)
J-3 Trip Report Response Letter to Providing Facility
56
-------�
THIS PAGE INTENTIONALLY LEFT BLANK
57
-------�
CAA CBI Security Manual (Appendix A)
FULL NAME
SSN
POSITION
OFFICE
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
I. AUTHORIZATION FOR ACCESS TO CAA CBI FOR FEDERAL EMPLOYEES
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision who
require access to CAA CBI:
1. Sign the Confidentiality Agreement for Federal Employees
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES
I understand that, in accordance with my official duties, I will have access to certain Confidential Business
Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401 et seq.)
I understand that, under 18 U.S.C. 1905 and 18 U.S.C. 1924,1 am liable for a possible fine of up to $1,000 and/or
imprisonment for up to one year, if I willfully disclose CAA Confidential Business Information to any person not
authorized to receive it. Additionally, I understand that, I may be subject to disciplinary action for violation of this
agreement with penalties ranging up to and including dismissal.
I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made any statement of
material facts knowing that such statement is false or if I willfully conceal any material fact.
I agree that, upon the termination of my duties, transfer or departure from the Environmental Protection Agency, I
will return all materials in my possession containing CAA Confidential Business Information to the OAQPS CBI
Office.
I certify that I have read and understand these procedures and those outlined in the CAA CBI Security Manual.
SIGNATURE
TELEPHONE NO.
DATE
III. THE UNDERSIGNED CERTIFIES THE ALL TRAINING AND TEST
REQUIREMENTS HAVE BEEN MET BY THE EMPLOYEE.
SIGNATURE CBI MANAGER/DCO
TELEPHONE NO.
DATE
IV. ANNUAL RE-CERTIFICATION: I certify that, in conjunction with my duties, I require access to
CAA CBI. I am current with all CBI handling procedures and security guidelines as outlined in the CCA CBI
Security Manual.
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
CAA CBI From 2 (Rev. 01/02) * Must be Division Director (or equivalment) or above.
A-l
-------�
CAA CBI Security Manual (Appendix A)
FULL NAME
SSN
POSITION
CONTRACTOR
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
I. AUTHORIZATION FOR ACCESS TO CAA CBI FOR CONTACTOR EMPLOYEES
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision who
require access to CAA CBI:
1. Sign the Confidentiality Agreement for Contractor Employees
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
II. CONFIDENTIALITY AGREEMENT FOR CONTRACTOR EMPLOYEES
I understand that, in accordance with my official duties, I will have access to certain Confidential Business
Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401 et seq.)
I understand that, under 18 U.S.C. 1905 and 18 U.S.C. 1924,1 am liable for a possible fine of up to $1,000 and/or
imprisonment for up to one year, if I willfully disclose CAA Confidential Business Information to any person not
authorized to receive it. Additionally, I understand that, I may be subject to disciplinary action for violation of this
agreement with penalties ranging up to and including dismissal.
I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made any statement of
material facts knowing that such statement is false or if I willfully conceal any material fact.
I agree that, upon the termination of my duties, transfer or departure from my duites with the Environmental
Protection Agency, I will return all materials in my possession containing CAA Confidential Business Information
to the OAQPS CBI Office.
I certify that I have read and understand these procedures and those outlined in the CAA CBI Security Manual.
SIGNATURE
TELEPHONE NO.
DATE
III. THE UNDERSIGNED CERTIFIES THE ALL TRAINING AND TEST
REQUIREMENTS HAVE BEEN MET BY THE EMPLOYEE.
SIGNATURE CBI MANAGER/CDCO
TELEPHONE NO.
DATE
IV. ANNUAL RE-CERTIFICATION: I certify that, in conjunction with my duties, I require access to
CAA CBI. I am current with all CBI handling procedures and security guidelines as outlined in the CCA CBI
Security Manual.
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
Date
Initial
CAA CBI From 3 (Rev. 01/02) * Must be Contractor Management.
A-2
-------�
CAA CBI Security Manual (Appendix B)
US Environmental Protection Agency
Washington, DC 20460
MEMORANDUM OF CAA CBI
TELEPHONE CONVERSATION
I. EMPLOYEE IDENTIFICATION
Name of Employee
Date
Organization
Time
II. SECOND PARTY IDENTIFICATION
Call is:
To
From
Name
Number
Organization
III. Concerning What CAA CBI?
IV. Content of Conversation: (CONTINUE ON SEPARATE SHEET)
CAA CBI Form 6 (Rev. 01/02)
B-l
-------�
CAA CBI Security Manual (Appendix C)
^£D sr^f U.S. Environmental Protection Agency
^ ^^ **. Washington, DC 20460
| S^R? $ CAA CBI MEETING SIGN-IN SHEET
%> <^
^ PRO^°
CHAIRPERSON
MEETING PLACE (ROOM, BUILDING, CITY, STATE)
DATE
TIME
SUBJECT OF MEETING
NAME (Print)
Signature
ORGANIZATION
THIS SIGN-IN SHEET MUST BE GIVEN TO THE CBI MANAGER
CAA CBI Form 7 (Rev. 6/95)
C-l
-------�
CAA CBI Security Manual (Appendix D)
CAA CBI MARKINGS
"SUBJECT TO CONFIDENTIALITY CLAIM"
"TO BE OPENED BY ADDRESSEE ONLY"
"DESTROYED BY / DATE
"DECLASSIFIED BY / DATE
"CAA CBI CLEARANCE TERMINATED BY / DATE
D-l
-------�
CAA CBI Security Manual (Appendix E)
Contractor Control No.:
EPA Control No.:
Copy No.:
CAA
CONFIDENTIAL
BUSINESS INFORMATION
contain! data!
ir Acti(CAA
imed to be c
amended (4
another p
y person not
g up to and i
3Ject youfio a
idential busi
.S.C. 7401,
y excerpt
orized to
ding disniis
of upll $1
inform
1,7412,
summarie
ive it, you
In additi
.00 an
n(C
,74
st
beli
disclosv
impriso
heCle
osed or c
Ifully disci
action w
iof security
au
notb
If you
discipl
violati
one
CAA1CBI to
penalties .ran
ceduresjnay
DO NOT DETACH
CAA CBI Form 8 (Rev. 01/02)
E-l
-------�
CAA CBI Security Manual (Appendix E)
Contractor Control No.:
EPA Control No.:_
Copy No.:
CAA
CONFIDENTIAL
BUSINESS INFORMATION
LICAW COIY
m
: contains $&t& claimed to be confid^pl business information (CBJ|$iiider ffie ^jf
, "'
The attached
authority of the Act (CfUV) as amended (42 U.^g/401, 7411, 74lf 7414, 741^,^601). CB%iay
not be disclosed or for release to another party. An|||j|cerpts or surrimalfes must als^fie treated as CBI.
If you willfully disclf||f3AA CBI to any person no| autho|||jd to receive it, |ju may be Ij^jle for a
disciplinary action ^^|penaltie|^igmg up to an^includi^^smissal. In action, discl^ittfe of CAA CBI or
i a fine o:
.$1,000.
or
impri^»ient for up tdl
REFERENCE COPY
DESTROY WHEN NO LONGER NEEDED
DO NOT DETACH
Duplicate Destroyed by
Date
(CDCO Signature Required)
CAA CBI Form 8a (Rev. 01/02)
E-2
-------�
CAA CBI Security Manual (Appendix F)
U.S. Environmental Protection Agency
Washington, DC 20460
Request, Approval, and Registration
for CAA CBI Computer Access
I. Request for CAA CBI Computer Access
1. Name (Last,First,MI)
2. Requestor (Office/Division/Branch)
3. System and Data Base to Be Accessed
4. Describe fully the duties that require access to each system
5. Signature of Requesting Official (Division Director or above)
6. Date
II. Computer Room DCA Approval
1. Date Received
2. Signature of Computer Room DC A
III. DCO Approval
1. Date Received
2. Holds Current CAA CBI Access
D Yes D No
3. Approved
D Yes DNo (Explain
On back)
4. Signature DCO
CAA CBI Form 10 (Rev. 01/02)
F-l
-------�
CAA CBI Security Manual (Appendix G)
73
VvX
\
(3
U.S. Environmental Protection Agency
Washington, DC 20460
REQUEST FOR APPROVAL OF
CONTRACTOR ACCESS TO CAA CBI
Requesting Official
Signature
Date
Title and Office
Contractor and contract number
EPA Project Officer
EPA Contracting Officer
i on feetoe offal feitf if oec^sary).
Approved (Signature)
Date
CAA CBI Form 11 (Rev. 01/02)
G-l
-------�
CAA CBI Security Manual (Appendix G)
CONTRACTOR INFORMATION SHEET
CAA CBI ACCESS/TRANSFER
1. Contractor
2. Address :
3. Contract #:
4. Is this a renewal of a previous contract? Yes D NoD
5. Previous contact number:
6. EPA Project Officer
7. EPA Contracting Officer
8. EPA Work Assignment Manager:
Phone: Room: Mail Code:_
9. Contractor Project Officer:
10. Description of duties to be performed by contractor that require CAA CBI access:
11. Type(s) of data to be transferred/disclosed:
12. Will CBI be transferred offsite under this contract? Yes D No D
13. If so, to where?
14. Have contractor security plan and facilities been approved by the OAQPS DCO? Yes D No D
15. If so, date of test site inspection:
16. Date access scheduled to commence:
17. Contract expiration date:_
18. Is computer CBI access needed under this contract? Yes D No D
19. Has computer access been approved? Yes D No D
CAA CBI Form 1 la (Rev. 01/02)
G-2
-------�
q
ti
is
(U
W>
11
Q
O
o
s
00
«:
o
O
IS 5
SSH
en
oj
1
Rec
u
u
U
a
o
a p,
ffi
T3
C
0)
a-
c^
<;
£>
u
oo
s
U
<
<
U
Numbe
CB
rol
C8 '5
CN
O
O
o
«
U
U
H-l
-------�
CAA CBI Security Manual (Appendix H)
CAA CONFIDENTIAL BUSINESS INFORMATION
CONTROL RECORD
DATE RECEIVED:
DATE OF DOCUMENT:
RESPONSIBLE GROUP:
CONTROL NUMBER:
DOCUMENT AUTHOR:
DESCRIPTION (PROVIDING ORGANIZATION, TITLE, SUBJECT, NUMBER OF COPIES, NUMBER OF PAGES)
RETURN DATE:
DESTRUCTION DATE:
INITIALS:
EACH PERSON WHO IS GIVEN ACCESS TO THIS DOCUMENT MUST FILL IN THE INFORMATION BELOW.
CHECK-OUT
SIGNATURE
DATE
TIME
CHECK-IN
SIGNATURE
DATE
TIME
CAA Form 1 (Rev. 01/02)
H-2
-------�
CAA CBI Security Manual (Appendix H)
CAA CBI CUSTODY RECEIPT
US Environmental Protection Agency
Office of Air Quality Planning and Standards
CBI Office (MD-C404-02)
Research Triangle Park, NC 27711
Date:
Receipt:
Project:
Contact:
Sent Via:
Project No:
TO:
FROM: Document Control Officer
(Name), DCO
Environmental Protection Agency
OAQPS/PRRMS
MD-XXX-XX
Research Triangle Park, NC 27711
INSTRUCTIONS:
1. Original of this receipt to be signed by recipient and returned to sender.
2. Duplicate of this receipt to be retained by recipient.
CBI CONTROL NO. COPY NO. DESCRIPTION OF MATERIAL
I have personally received material, enclosures, and attachments as identified above. I assume full
responsibility for the safe handling, storage, and transmittal of this material in accordance with existing
Confidential Business Information regulations.
DATE RECEIVED:
SIGNATURE OF RECIPIENT:
CAA FORM 14 (Rev. 01/02)
H-3
-------�
CAA CBI Security Manual (Appendix I)
CONFIDENTIAL BUSINESS INFORMATION
SECURITY AGREEMENT
[n requesting information claimed to be business confidential from the Office of Air Quality
Planning and Standards (OAQPS), I agree to safeguard this information according to (
Name of Agency )'s procedures comparable to EPA's procedures for handling Confidential
Business Information as found in 40 CFR, Part 2, Subpart B, Confidentiality of Business
Information. I further agree that access will be limited to only those persons in our organization
having a "need to know," that the information will be kept in a secure storage container (e.g., a
lockable file cabinet) while it is in our custody, that a record of persons accessing the
information be maintained, and that it will be returned to OAQPS at the conclusion of our
project.
Name, Title (Please Type or Print)
Signature Date
CAA CBI Form 15 (Rev. 01 /02) I-1
-------�
CAA CBI Security Manual ( Appendix I)
LETTER TO CAA CBI REQUESTERS OUTSIDE OAOPS
Agency Official
Government Agency
Dear (Agency Official):
(Cite the name of local contact or letter of request) indicates that you have requested a
copy of certain Confidential Business Information (CBI) files which are held by our office.
Please be advised that our long-standing policy is to release CBI only to those persons
authorized by 40 CFR Part 2, Subpart B. Since we have not previously granted clearance for
access to Clean Air Act (CAA) information to you or anyone in your organization, we request
assurance that this information will be handled according to applicable federal regulations. To
provide a record of your agreement to safeguard the information, we require that you sign and
return the accompanying CBI Security Agreement. We will release the requested information to
you upon receipt of this agreement.
Sincerely,
leva G. Spons, Director
Planning, Resources and
Regional Management Staff
Enclosures
1-2
-------�
CAA CBI Security Manual (Appendix I)
LETTER TO ACCOMPANY CAA CBI TRANSFERRED
OUTSIDE OF OAOPS
Agency Official
Government Agency
Dear Agency Official:
Your security agreement associated with the request for access to (Detailed information
Description) has been received. We are therefore releasing the enclosed Confidential Business
Information to your custody. Please sign the attached Custody Receipt and return it to:
Name, OAQPS Document Control Officer
U.S. Environmental Protection Agency
Office of Air Quality Planning & Standards
Planning, Resources & Regional Management Staff (MD-C404-02)
Research Triangle Park, NC 27711
Sincerely,
leva G. Spons, Director
Planning, Resources and
Regional Management Staff
Enclosures
1-3
-------�
CAA CBI Security Manual (Appendix I)
FULL NAME
SSN
POSITION
OFFICE
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
I. AUTHORIZATION FOR ACCESS TO OAQPS CAA CBI
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her
supervision who require access to CAA CBI:
1. Sign the Confidentiality Agreement CAA CBI Form 2a
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES
I understand that, in accordance with my official duties, I will have access to certain
Confidential Business Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401
et.seq.)
I understand that, under 18 U.S.C. 1905, and 18 U.S.C. 1924, I am liable for a possible fine of
up to $1,000 and/or imprisonment for up to one year, if I willfully disclose CAA Confidential
Business Information to any person not authorized to receive it. Additionally, I understand that,
I may be subject to disciplinary action for violation of this agreement with penalties ranging
up to and including dismissal.
I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001, if I have made
any statement of material facts knowing that such statement is false or if I willfully conceal
any material fact.
I understand that I can not transfer CAA CBI materials to any other agency or office unless
specifically authorized by 40 CFR Part 2, Subpart B, and without prior notification of the
OAQPS CBI Office.
I agree that I, when no longer required by this office, I will return any and all materials
transfered to me to the OAQPS CBI office.
SIGNATURE
TELEPHONE NO.
DATE
CAA CBI From 2a (Rev. 01/01) * Must be Division Director (or equivalent) or above.
1-4
-------�
CAA CBI Security Manual (Appendix J)
SAMPLE LETTER OF TRANSFER
TRIP REPORT REVIEW LETTER TO PROVIDING
FACILITIES
Name of recipient
Title of Recipient
Recipient's Address
Dear (Name):
Thank you for your efforts in coordinating a visit to the Name of the facility, address,
and date. The U. S. Environmental Protection agency (EPA) appreciates the time you spent
discussing the manufacturing process at your facility.
Enclosed is a draft of the trip report that has been prepared based on the information
obtained during our site visit. We would appreciate your reviewing the report for any errors or
omissions. You may return the enclosed copy of the report with your written comments. Since
this report will eventually become a part of the public record, we want to portray your operations
as accurately as possible. A copy of the final version of the report incorporating your comments
will be sent to you for your records.
The custody receipt for the trip report is also enclosed. Please sign and date the form to
acknowledge receipt of the report and return a copy of the form to the Document Control
Officer, Planning, Resources, and Regional Management Staff (MD-C404-02), U. S.
Environmental Protection Agency, Research Triangle Park, North Carolina 27711.
If you believe the disclosure of any specific information contained in the trip report
would reveal trade secrets or other confidential information, you should clearly identify the
specific information. Please do not label the entire report" confidential" if only certain portions
consist of trade secret information. If the EPA determines that there is a need to disclose such
information, we will need, at that time, the following to support your claim.:
1. Measures taken by Name of facility to guard against undesired disclosure of the
specific information to others;
2. The extent to which the specific information has been disclosed to others and the
precautions taken in connection therewith;
J-l
-------�
CAA CBI Security Manual (Appendix J)
3. Pertinent confidentiality determinations, if any, by other Federal agencies (furnish a copy of
any such determination, or references to it, if available); and
4. Whether Name of facility asserts that disclosure of the specific information would likely
result in substantial harmful effects on facility Name's competitive position, and if so, what
those harmful effects would be, why they should be viewed as substantial, and an explanation of
the causal relationship between disclosure and such harmful effects.
Any specific information subsequently determined to constitute a trade secret will be protected
under 18 U.S.C. 1905. If no claim of confidentiality accompanies the information when it is
received by EPA, it may be made available to the public by EPA without further notice (40 CFR
Part 2.203, September 1, 1976). Any specific information subsequently determined to constitute
a trade secret will be protected under 18 U.S.C. 1905. However, all emission data will be
available to the public. A clarification of what EPA considers to be emission data is contained in
Enclosure 2.
We respectfully request that you submit your review comments on the trip report by date. If
you concur with the information contained in the report, we would appreciate a letter to that
effect. In addition, please indicate in your letter the specific parts of the report, if any, that
Facility Name considers to be confidential. If we do not receive a response by date, the report
will be considered non-confidential and accurate.
Thank you for your cooperation. The information supplied by Facility Name will be most
helpful in our study. If you have any questions, please call name of WAM/TOPO, telephone
number; Contractor's name, company name and telephone number.
Sincerely,
Group Leader
Division
Enclosure
J-2
-------�
CAA CBI Security Manual (Appendix J)
TRIP REPORT RESPONSE TO PROVIDING FACILITY
Name ofReceipient
Title ofReceipient
Address
Dear (Name):
Thank you for reviewing the trip report for the (Date) visit to the (Name and Address of
Facility) by representatives from the U.S. Environmental Protection Agency and (Name of
Contractor if required). Your comments have been incorporated in the enclosed final trip report.
The trip report includes a nonconfidential version plus a confidential addendum. The
confidential addendum consist of those items you identified as confidential business information
(CBI) in your (Date) letter. Unless we hear from you by (Date) with further comments or
corrections, we will treat the nonconfidential trip report and the confidential addendum as final.
In its final form, the nonconfidential trip report may be accessed by the general public following
proposal of the national emission standards for hazardous air pollutants for combustion sources
in the (Name Industry). The confidential addendum can only be accessed by those authorized to
view CAA CBI pertaining to the (Name Industry).
If you have any questions or additional comments, please contact (Name of Project Lead)
of my staff at (919) 541 -XXXX. Thank you for your cooperation.
Sincerely,
Group Leader
(Name) Specific Group
Enclosures
J-3
-------�
INTENTIONALLY LEFT BLANK
-------�
TECHNICAL REPORT DATA
(Please read Instructions on reverse before completing)
1 REPORT NO.
EPA-450/B-02-001
3 RECIPIENT'S ACCESSION NO.
4 TITLE AND SUBTITLE
Clean Air Act Confidential Business Information Security Manual
5. REPORT DATE January 2002
6. PERFORMING ORGANIZATION CODE
7 AUTHOR(S)
Roberto Morales
8. PERFORMING ORGANIZATION REPORT NO.
9 PERFORMING ORGANIZATION NAME AND ADDRESS
U.S. Environmental Protection Agency
Office of Air Quality Planning and Standards
Research Triangle Park, NC 27711
10. PROGRAM ELEMENT NO
11. CONTRACT/GRANT NO
12 SPONSORING AGENCY NAME AND ADDRESS
Director
Office of Air Quality Planning and Standards
Office of Air and Radiation
U.S. Environmental Protection Agency
Research Triangle Park, NC 27711
13. TYPE OF REPORT AND PERIOD COVERED
Procedures Manual
14. SPONSORING AGENCY CODE
EPA/200/04
15 SUPPLEMENTARY NOTES
16 ABSTRACT
The procedures in this manual provide Federal, Contractor, and Subcontractor employees with the
information necessary to utilize Confidential Business Information (CBI) in the performance of their assigned
duties without violating applicable Federal regulations protecting the rights of its owners in accordance with
the Clean Air Act of 1990 (CAA) as amended.
17 KEY WORDS AND DOCUMENT ANALYSIS
a DESCRIPTORS
ii
^-'
%
18 DISTRIBUTION STATEMENT
Release Unlimited
b. IDENTIFIERS/OPEN ENDED TERMS
19. SECURITY CLASS (Report)
Unclassified
20. SECURITY CLASS (Page)
Unclassified
c. COSATI Field/Group
21 NO. OF PAGES
85
22. PRICE
1PA Form 2220-1 (Rev. 4-77) PREVIOUS EDITION IS OBSOLETE
-------�
U.S. Environmental Protection Agency
teflon 5, Library (PL-12J)
77 West Jackson Boulevard, 12tfi Ftoar
Chicago, II 60604-3590
-------� |