EPA 450/B-03-001
                                                        March 2003
Clean Air Act Confidential Business Information
Security Manual
                          U.S. Environmental Protection Agency
                          Region 5, Library (PL-12J)
                          77 West Jackson Boulevard, 12th
                          Chicago,  IL  60604-3590
                     U.S. Environmental Protection Agency
                   Office of Air Quality Planning and Standards
                Program Resources and Regional Management Staff
                     Research Triangle Park, North Carolina

-------
                                 FOREWORD
The procedures in this manual provide Federal, Contractor, and Subcontractor employees
with the information necessary to utilize Confidential Business Information (CBI) in the
performance of their assigned duties without violating applicable Federal regulations
protecting the rights of its owners in accordance with the Clean Air Act of 1990 (CAA) as
amended.

This manual will be subject to annual review to ensure it is in compliance with EPA policies and
Federal regulations. Any recommendations for changes, additions or deletions should be
forwarded through the OAQPS Document Control Officer to the Director, OAQPS/PRRMS,
MD-C404-02, Research Triangle Park, NC 27711.

-------
                        TABLE OF CONTENTS

SECTION I. PURPOSE, SCOPE, POLICY, AUTHORITY &
RESPONSIBILITIES	1

1.  PURPOSE	1

2.  SCOPE	1

3.  POLICY	1

4.  AUTHORITY	2

5.  RESPONSIBLE OFFICIALS	2
   a.  Director, Office of Air Quality Planning and Standards (OAQPS)	2
   b.  Director, Program Planning, Resources and Regional Management Staff (PRRMS)	2
   c.  OAQPS Document Control Officer (DCO)	3
   d.  OAQPS Document Control Assistant (DCA)	4
   e.  OAQPS Division Directors	4
   f.  OAQPS Program Project Officers	4
   g.  OAQPS Group Leaders	5
   h.  OAQPS Work Assignment Managers/Task Order Project Officers
      (WAM/TOPO)	6
   i.  Contractor Document Control Officers (CDCO)	6
   j.  Employees	8


SECTION II. CAA CBI CERTIFICATION PROCEDURES	10

1.  OVERVIEW	10

2.  GENERAL ACCESS REQUIREMENTS	10

3.  OBTAINING ACCESS TO CAA CBI	10
   a.  Federal Employee Access Procedures	10
   b.  Establishing Access for Contractor Facilities	12
   c.  Contractor Employee Access	16

4.  ACCESS CONTROL	16
   a.  Access Lists	18
   b.  Subcontractor/Consultant Access	20

5.  TERMINATION OF CAA CBI ACCESS	20

-------
SECTION III. RECORDS MANAGEMENT FOR CAA CBI	22

1.  OVERVIEW	22

2.  INTENT	22
   a. Original CBI	22
   b. Derivative CBI	22

3.  OAQPS CAA CBI RECORDS MANAGEMENT SYSTEM	22
   a.  OAQPS CAA CBI Automated Tracking System	23
   b.  CAA CBI Control Record	23
   c.  Cover Sheets	23
   d.  Custody Receipts	24
   e.  New Materials	24
   f.  Inventory	24

4.  OAQPS CAA CBI DOCUMENT CONTROL NUMBERS	24

5.  CBI MARKINGS	25
   a.  CBI Stamps	25
   b.  Computer Outputs	25
   c.  Charts, Maps and Drawings	25
   d.  Photographs, Films and Recordings	25

6.  CBI DOCUMENTS	25
   a.  Working Papers	25
   b.  Typing /Word Processing Requirements	25

7.  NON-CBI DOCUMENTS	26
   a.  Deleting or Replacing CBI	26
   b.  Masking or Aggregating CBI	26
   c.  Dropping CBI Claim (Declassification)	26

8.  DISPOSITION OF CAA CBI DOCUMENTS	27
   a.  Original CAA CBI Materials	27
   b.  CBI Created by OAQPS	27

9.  RECORDS OF DESTRUCTION	28

10.  METHODS OF DESTRUCTION	28

11. CDCO RECORD MANAGEMENT RESPONSIBILITIES	28
   a. CAA CBI Control Numbers	29


-------
   b.  CAA CBI Inventories	29
   c.  Reproducing Documents	29

12.  COMPLETION OF CONTRACTS, WORK ASSIGNMENTS OR TASK ORDERS	29
   a.  Originals	29
   b.  Duplicates	29

SECTION IV.  CAA CBI WORKPLACE PROCEDURES                30

1.  OVERVIEW	30

2.  OBTAINING CBI DOCUMENTS 	30

3.  DOCUMENTS CONTROL	30
   a.  Telephone Calls	30
   b.  Work Spaces	31
   c.  Computers	31
   d.  Meetings	31
   e.  Document Reproduction	32
   f.  CBI Waste	32
   g.  Use of FAX machines	32
   h.  Site Visits	32

4.  SPECIAL CIRCUMSTANCES	33


SECTION V.  TRANSFERRING CAA CBI                             34

1.  OVERVIEW	34

2.  TRANSFERRING CAA CBI TO OTHER FEDERAL, STATE OR LOCAL
   AGENCIES	34
   a.  CBI Security Agreement	35
   b.  Notice to Affected Businesses	35
   c.  Before Approval	36
   d.  Before Transfer	36

3.  TRANSFERRING CAA CBI TO EPA CONTRACTORS OR PROVIDING
   FACILITIES	36

4.  TRANSFERRING CAA CBI FROM CONTRACTORS TO OAQPS	36

-------
5.  TRANSFER TO SUBCONTRACTORS	37

6.  PREPARATION AND PACKING	37
   a.  Inner and Outer Covers	37
   b.  Addressing 	37
   c.  Packing	37

7.  CUSTODY RECEIPT 	38

8.  TRANSFER METHODS	38
   a.  Hand Carrying	38
   b.  Registered Mail	39
   c.  Couriers and Express Mail	39
   d.  FAX Transmittal	39

SECTION VI. STORAGE OF OAQPS CAA CBI                         40

1.  OVERVIEW	40

2.  INTENT	40

3.  STORAGE SPECIFICATIONS	40
   a. Minimum storage area requirements	40
   b. Minimum storage equipment	41

4.  PROCEDURES FOR COMBINATION LOCKS AND KEYS 	41
   a.  Combination Locks	41
   b.  Changing Combinations	41
   c.  Keyed Locks	42

5.  SAFEGUARDING CAA CBI IN THE EVENT OF A DISASTER 	42
   a.  Prevention	42
   b.  Preparedness	43
   c.  Response	43


SECTION VII. CBI COMPUTER SYSTEM SECURITY	44

1.  OVERVIEW	44

2.  DIRECTIVES	44

3.  BASIC SECURITY EQUIPMENT	44

-------
   a.  Security Mode	44
   b.  Authenticity and Verification	44
   c.  Remote Operation (Dial-up or Wireless)	44
   d.  User Requirements	44

4.  COMPUTER EQUIPMENT ROOM	45

5.  SAFEGUARDING CBI DURING PERSONAL COMPUTER USE	45
   a.  Computer Storage Media	45
   b.  Termination of a CBI Computer Session	46
   c.  Computer Printouts	46

6.  SYSTEM SECURITY SOFTWARE FOR MULTI-USER SYSTEMS	46
   a.  User Permissions	46
   b.  Event Record	46

7.  GENERAL PROCEDURES	47
   a.  Checkout	47
   b.  User Privileges (Multi-User Systems Only)	47
   c.  Back-up Files	47
   d.  Transmission	47

8.  DESTRUCTION AND  RELEASE OF MEDIA	47
   a.  Magnetic Storage	47

SECTION VIII. CAA CBI SECURITY VIOLATIONS                     48

1.  OVERVIEW	48

2.  RESPONSIBILITY OF DISCOVERER	48

3.  INVESTIGATING VIOLATIONS 	48
   a.  Preliminary Inquiry	48
   b.  Investigation	48

4.  REPORTS AND FINDINGS	48
   a.  Finding of No Damage	48
   b.  Lost Documents	48
   c.  Evidence of Compromise	48
   d.  Finding of Damage	49

5.  RESULTING ACTIONS	49
   a.  Violations Subject to Punitive Measures	49


-------
   b. Punitive Measures	49




CAA CBI DEFINITIONS	50




GLOSSARY OF ACRONYMS 	52




INDEX OF APPENDICES	54

-------
                                    SECTION I.
            PURPOSE, SCOPE, POLICY, AUTHORITY &
                              RESPONSIBILITIES
1. PURPOSE.  The purpose of this manual is to set forth policies and procedures for
the handling of information claimed as Confidential Business Information (CBI), whether
submitted voluntarily or obtained under Section 114 of the Clean Air Act (CAA), and governed by U.S.
Environmental Protection Agency (EPA) regulations in 40 Code of Federal Regulations (CFR), Part 2,
Subpart B, and other EPA regulations and policies.

The need to safeguard CBI cannot be overstated. Valid and secure CBI procedures are essential to
the EPA's rulemaking mandate and therefore are required to be effectively safeguarded. Any
compromise to CBI threatens not only the businesses providing the information, but also EPA's ability
to make, implement and enforce environmental policy, and ultimately, the communities that benefit
from that policy. Therefore, the Office of Air Quality  Planning and Standards (OAQPS) has designed
and implemented a four-pronged security system to ensure protection of CAA CBI and at the same time
permit effective operations of the OAQPS CBI Office  (CBIO).  The  CAA CBI security system
consists of controlled access, document tracking, training, and monitoring of CAA CBI
operations.

2.  SCOPE. This manual sets forth policies and procedures to manage and safeguard CAA
CBI. Unless otherwise noted, the phrase CAA CBI refers to information which has been either
submitted voluntarily to the Environmental Protection Agency or under section 114 of the Clean Air Act
and is claimed as "Confidential Business Information", "Proprietary Information" or "Trade Secret" by
the submitting organization.

3. POLICY.   It is the policy of OAQPS to protect all information collected by EPA
personnel, its authorized contractors and subcontractors. The information may be either documentary
information (e.g., written responses to questions, photographs, records or charts) or non-documentary
(e.g., records of oral communications, or visual observations). The providing organization must assert a
claim of confidentiality under the procedures established in 40 CFR Part 2 by noting such claim on
documentary and non-documentary materials provided to OAQPS.

Any material or information claimed as confidential or trade secret will be treated as confidential by
OAQPS and its contractors in accordance with the provisions  of 40 CFR Part 2. Any material or
information for which a claim of confidentiality is NOT made may be made available to the public
by OAQPS without notice to the providing organization.

Documents generated by OAQPS or its contractors using information that has been claimed as
Confidential Business Information (CBI) will be treated as CAA CBI until a determination is made
regarding its status by the providing organization, OAQPS, or the Office of General Counsel (OGC).

-------
 4.  AUTHORITY.   The policies and procedures established by this manual provide
 guidance for compliance with the following Federal statutes and regulations:

    •  Clean Air Act as amended

    •  40 CFR, Part 2, Subpart B

    •  Freedom of Information Act

    •  Privacy Act

    •  EPA IRM Policy Manual, Chapter 8, Information Security

    •  OAQPS Security Plan

Any deviations from the procedures outlined in this manual must be approved in writing by the
Director, OAQPS/PRRMS.

 5. RESPONSIBLE OFFICIALS.  The responsibilities of OAQPS officials and personnel
 concerning CAA CBI are outlined below.

    a.  Director, Office of Air Quality Planning and Standards (OAQPS).  The
 OAQPS Director or his/her designee has overall responsibility for controlling CAA CBI within the
 Office. The Director or Acting Director may delegate authority to perform security control functions.

    b.  Director, Planning, Resources & Regional Management Staff (PRRMS).  The Director,
       Planning, Resources & Regional Management (PRRMS), has been delegated authority to direct
       and administer the CAA CBI program for OAQPS. In performing these duties, the Director has
       authority for setting policies, standards, and procedures that ensure compliance with the current
       laws and regulations. The Director provides oversight, a security education program, and a
       security assurance program for effective implementation of the OAQPS CAA CBI program.
       Specific responsibilities are to:

       •  Advise the  OAQPS Director on the OAQPS CBI CAA program, as requested.

       •  Approve initial contract access for OAQPS contractors to access CAA CBI.

       •  Review and approve all outside requests and transfers of OAQPS CAA CBI.

       •  Approval of contractor employee access to specific CAA CBI documents is delegated to
          the OAQPS Group Leaders.

-------
   c. OAQPS Document Control Officer. The OAQPS Document Control Officer (DCO) is
directly responsible to the PRRMS Director for implementing the CAA CBI program. The OAQPS
DCO implements and monitors the activities of the Confidential Business Information Office (CBIO) and
provides guidance and technical direction as needed. The following are responsibilities of the
OAQPS DCO:

      •  Ensures that the PRRMS Operations Team Leader is informed of all issues pertaining to
          CAA CBI.

      •  Assumes custody of all CAA CBI materials received at the OAQPS Confidential Business
          Information Office (CBIO).

      •  Ensures that OAQPS  security procedures for handling CAA CBI are continually reviewed,
          updated, and enforced.

      •  Conducts briefings and testing in support of the OAQPS CAA CBI security program.

      •  Ensures compliance with the CAA CBI security program.

      •  Reviews security plans, procedures, and inspects facilities  of EPA  contractors handling and
          storing CAA CBI files.

      •  Reviews contractor employee CAA CBI security, education and training programs.

      •  Reviews CAA CBI access requests for contractors and other Federal/State and Local
          agencies.

      •  Evaluates proposed system improvements.

      •  Conducts preliminary inquiries and investigations of alleged procedural violations and
          reports findings to the PRRMS Director.

      •  Advises the PRRMS Director concerning appropriate actions for CAA CBI security
          violations.

      •  Signs receipts for incoming CAA CBI documents.

      •  Reviews documentation of all CAA CBI being transferred outside of OAQPS and ensures that
          release is in accordance with Section 2.209 of 40 CFR, Part 2.

      •  Prepares CAA CBI documents for transmittal outside of OAQPS.

      •   Declassifies or destroys CAA CBI materials when authorized by Work Assignment
          Manager/Task Order Project Officer (WAM/TOPO), OGC or Submitter.

-------
       •  Briefs and debriefs all persons designated by Group Leaders that require access to CAA CBI.

       •  Keeps an Authorized Access List of all persons cleared for CAA CBI access and a record of
          each person's briefing status.

       •  Assigns OAQPS CBI control numbers.

       •  Generates Control Record and applies markings to all new CAA CBI documents and
          reproduces documents as required.

       •  Establishes, maintains, and controls an automated OAQPS CAA CBI file system. Logs in
          and out all CAA CBI documents. Conducts periodic inventories of all CBI documents stored
          at the OAQPS CBIO or contractor facilities.

       •  Maintains a tracking system to ensure that CBI transmitted to other organizations is received.

       •  Ensures proper security of CBI documents used in the CBI office during the work day.

       •  Ensures that at the end of each business day, all classified material has been returned to the
          CBIO.

       •  Monitors support staff providing clerical assistance to the CBIO.

   d.  OAQPS Document Control Assistant.  Document Control Assistants (DCA) are
employees of OAQPS, who are charged with assisting in the implementation of the OAQPS CBI
program. The OAQPS Document Control Assistant (DCA) will perform the aforementioned DCO
responsibilities in the absence of the DCO and assist in administrative functions as necessary.

   e.  OAQPS Division Directors.  Division Directors' responsibilities are to:

       •  Ensure that their employees comply with the procedures listed in this manual.

       •  Approve all authorizations for their Division employees to access CAA CBI; and

       •  Sign as requesting official for contractor employee access to CAA CBI.

   f.  OAQPS Program Project Officers. The respective program project officers' (PPO)
responsibilities are as follows:

       •  To notify the OAQPS DCO when a contract will require CAA CBI access and to serve as an
          interface between the OAQPS DCO, contractors, WAM/TOPO and the Contracting Officer.

       •  To issue notification to the affected businesses via Federal Register notice at the start of a
          contract by identifying the contractor or subcontractor who will have access to CAA CBI
          submitted to OAQPS in performing their assigned duties.

-------

       •  Assist WAM/TOPO in preparing individual notification to affected businesses or industries
          on an as-needed-basis.

       •  Ensure compliance with all CBI procedures set forth in the applicable contract.

       •  Work with DCO to resolve security plan deficiencies.

   g.   OAQPS Group Leaders.  Group Leaders are responsible for ensuring that their
employees and contractors comply with the procedures listed in this manual.

       Group Leaders will:

       •  Designate EPA and contractor employees who need access to specific CBI associated
          with each project. This responsibility may not be delegated.

       •  Authorize the additions and deletions to the CAA CBI Project Access list for the specific
          project under his or her control.

       •  Ensure that Group employees and other persons whom they designate are qualified and
          authorized to access CBI utilizing procedures found in Section II.

       •  Authorize transfer of CAA CBI to providing companies, facilities or contractors.
          The authority to transfer CAA CBI to all other outside organizations is reserved for the
          PRRMS Director.

       •   Ensure that any CBI the Group receives directly is sent immediately to the OAQPS CBIO.

       •   Recommend to the PRRMS Director whether to release CBI to Congress, the Comptroller
          General, or other Federal agencies.

       •   Ensure that CBI  is not used in publications or improperly released in any documents.

       •   Authorize necessary creation of NON-CBI materials by summarization or masking.

       •   Review and approve NON-CBI materials prior to their release.

       •   Cooperate with the OAQPS DCO in establishing and improving CBI safeguards, and
          implementing and maintaining CBI education and quality within their Groups.

       •   Report cases of CBI disclosures or possible compromise to the OAQPS DCO and cooperate
          with investigations conducted under the OAQPS CAA CBI security program.

-------

   h.  OAQPS Work Assignment Manager/Task Order Project Officer (WAM/TOPO).

       •  Ensures that contractors and EPA employees working on his/her project comply with
          procedures in this manual and CBI procedures set forth in the applicable contract for CBI
          related to his/her project.

       •  Analyzes technical aspects of all project work written or otherwise created and determines
          whether CBI is involved and, if so, has it logged in the CBIO.

       •  Ensures that necessary paperwork is submitted in accordance with 40 CFR, Part 2,
          Subpart B, to enable Office of General Counsel (OGC) to make a final determination as to
          whether information that has been received is entitled to confidential treatment.

       •  Authorizes necessary reproduction of CBI  and ensures that CBI is reproduced only under the
          supervision of the OAQPS DCO as described in Section IV.

       •  Ensures that memos, notes and reports from telephone conversations, visits, inspections, or
          tests are protected as CBI and filed in the CBIO until a determination is made regarding the
          status.

       •  Ensures that CBI is not used in publications or improperly released in any document.

       •  Initiates the process for declassification, destruction and disposal of CBI material.

       •  Ensures that any CBI received associated with his/her project is logged by the OAQPS
          CBIO.

       •  Coordinates with contractor the return of CAA CBI files to the OAQPS CBIO at the
          completion of a work assignment or when the information is no longer required to be
          maintained at contractor facilities.

       •  Provides assistance to the OAQPS DCO in determining the status of returned CBI materials
          from the contractor.

       •  Reports cases of wrongful disclosure or possible compromise of CAA CBI to the responsible
          Group Leader and OAQPS DCO, and cooperates with investigations conducted under the
          OAQPS CAA CBI security program.

   i.   Contractor Document Control Officers. Contractor's management must nominate a
Contractor Document Control Officer (CDCO) and a Contractor Document Control Assistant (CDCA).
Additionally, the contractor is also responsible for establishing a training and certification program in
accordance with the procedures outlined in this manual.

-------

Before OAQPS recognizes them as CDCOs, they must be properly trained and required paperwork must
be on file at OAQPS.  The CDCO controls the receipt, storage, and handling of CAA CBI by employees
at their facilities and manages a document tracking system.

       1)  CDCO responsibilities include:

          •  Serving as the principal contact for OAQPS regarding the security and control of CAA
             CBI.

          •  Developing security plan for safeguarding CAA CBI.

          •  Maintaining a secure CBI facility.

          •  Conducting CAA CBI briefings (including testing) for all contractor employees
             authorized to handle or access CAA CBI.

          •  Obtaining signed Authorization for Access to CAA CBI for Contractor Employees, CAA
             CBI Form 3 (Appendix A) from each contractor employee who will have access to CAA
             CBI before the employee is granted access.

          •  Conducting briefings and testing in support of the OAQPS CAA CBI education and
             training program.

          •  Ensuring that subcontractor facilities provide adequate protection  to CAA CBI as
             prescribed by this manual.

          •  Maintaining a list of contractor employees who are authorized access to CAA CBI
             including administrative or computer support, or as designated by the OAQPS Group
             Leader as having a need-to-know specific CAA CBI to perform their duties.

          •  Releasing CAA CBI only to authorized persons.

          •  Reviewing and updating access lists and notifying the OAQPS DCO immediately of any
             changes.

          •  Submitting updated access lists to the OAQPS DCO on  a Semi-Annual basis.

          •  Providing guidance, technical assistance and administrative support to contractor
             employees on all matters concerning CAA CBI security.

          •  Establishing, maintaining, and controlling a CAA CBI file system (including disposition)
             in compliance with OAQPS' CAA CBI Records Management procedures.

-------

        •   Logging in and out all CAA CBI documents, summaries, tabulations, and materials to
            users.

        •   Ensuring all CAA CBI is properly stored when not in use.

        •   Ensuring CAA CBI is properly wrapped, marked and transferred.

        •   Maintaining an inventory of all CAA CBI, conducting periodic audits, and submitting
            annual inventory to the OAQPS DCO.

        •   Destroying drafts, duplicates and working papers as authorized by the OAQPS DCO or
            project lead.

        •   Maintaining, in a secure location, a record of combinations of all locks, safes, and
            cabinets that contain CAA CBI.

        •   Reporting alleged violations of contractor security procedures immediately to contractor
            management and the OAQPS DCO.

        •   Monitoring and ensuring compliance with employee certification procedures.

        •   Notifying OAQPS DCO, in writing,  whenever an employee has relinquished his/her
            access to CAA CBI.

     2) Contractor Document Control Assistant.   The Contractor Document Control Assistant
     (CDCA) will perform the aforementioned CDCO responsibilities in the absence of the CDCO
     and assist in administrative functions as necessary.

   Whenever DCOs terminate their employment or relinquish their responsibilities, the
outgoing DCO will certify to the PRRMS Operations Team leader that an inventory of CAA
CBI materials has been performed, and that all materials are accounted for prior to their
departure. If personnel actions permit, the outgoing DCO will brief incoming personnel as to
the current status of records and any outstanding issues.

  j.  Employees. Contractor/subcontractor and Federal, State and Local Government employees must:

     •  Comply with all applicable procedures in this manual.

     •  Comply with all CBI procedures set forth in the applicable contract.



-------
•  Maintain possession of CBI until returned to the CBIO.

•  Store CAA CBI in accordance with the policies set forth in this manual.

•  Discuss CBI only with authorized persons.

•  Ensure that any CBI received directly is sent immediately to the OAQPS CBIO for storage
   and proper logging.

•  Ensure that CBI is not used in publications or improperly released in any document.

•  Report alleged violations of security procedures to the OAQPS DCO immediately.

•  Ensure that memos, notes, and reports containing CBI obtained from telephone
   conversations, visits, inspections, inquiries, or tests are protected as CBI, logged and stored
   in the CBIO.

-------
                                  SECTION II.
             CAA CBI CERTIFICATION PROCEDURES
1.  OVERVIEW.  This section describes policies and procedures for allowing access to
Confidential Business Information (CBI) for OAQPS Federal employees and OAQPS contractors.

Group Leaders and contractor management must arrange for employees  to be available for briefings in
support of the OAQPS CAA CBI program.  Designated employees must meet all requirements of the
program in order to obtain and maintain access to CAA CBI.

2.  GENERAL ACCESS REQUIREMENTS. No person has a right of access to CBI by
virtue of organizational title or position. A person must have a need-to-know specific CBI before
access is granted.  There is a responsibility to the organization providing CAA CBI to protect its
information and a parallel responsibility of OAQPS employees and contractors to minimize their
liability.

 3.  OBTAINING ACCESS TO CAA CBI.  A secure CBI system requires continuous
updating of the employee Authorization Access List  (AAL), and ensuring adherence to the annual
recertification policy.  The steps outlined below have been developed to maintain system integrity.

   a.  Federal Employee Access Procedures.  Upon determining that an OAQPS employee
needs access to specific CAA CBI, Group Leaders refer those employees to the OAQPS DCO.  The
employee  attends an initial OAQPS CAA CBI security briefing. See Figure 1 for steps in obtaining
access to CAA CBI.

      1)  Initial Briefing. All access designees shall:

         •  Become familiar with the policies and procedures outlined in the CAA CBI Security
            Manual.

         •  Receive training on the proper handling  of CAA CBI, and pass a competency test.

 In the event that the nominated employee fails to pass the CAA CBI test, he or she may retake
 the test after a 5 working day waiting period.

-------
Steps for Obtaining Access to CAA CBI

      GROUP LEADER NOMINATES
        Employee Needing Access
                   ↓
         EMPLOYEE ATTENDS
          CBI Briefing/Training
                   ↓
          EMPLOYEE PASSES
              Written Test
                   ↓
           EMPLOYEE SIGNS
        Confidentiality Agreement
                   ↓
         DIVISION DIRECTOR
        Approves Employee Access
                   ↓
      GROUP LEADER DESIGNATES
          Access to Specific CBI
                   ↓
        CBI OFFICE MAINTAINS
         Authorized Access Lists
                 Figure 1

-------
After receiving the briefing and passing the competency test, each employee will complete and sign an
Authorization for Access to CAA CBI, CAA CBI Form 2 (Appendix A).

The Authorization for Access to CAA CBI form is divided into four sections. Sections I through III
cover the employee's authority to access CAA CBI.  Section IV will document the employee's continued
requirement for access to CAA CBI and will ensure that the employee is current with CAA CBI security
procedures. Upon completion, the form should be forwarded to the responsible Division Director for
signature and final approval. Approved forms are returned to the CBIO for filing.

Employees are responsible for ensuring that their respective Division Director signs the authorization
for access to CAA CBI. Prior to having their name placed on the authorized access list, the employee's
Group Leader must notify the CBI office, in writing, of the requirement to access specific CBI. An
example of the memo is provided in Figure 2.

       2)  Annual Recertification.   Federal employees approved for CAA CBI access must re-certify
       access to CAA CBI on an annual basis. Re-certification must be accomplished up to 90 days
       prior to the issue date of the current certificate. To re-certify, an employee must:

          •  Visit his or her local CBI office and receive a briefing on current procedural changes,
             updates or CBI-related issues from the DCO or DCA.

          •  Initial Section IV of CAA CBI Form 2 (Annual Re-certification of CBI Clearance),
             certifying that he or she continues  to require CBI Clearance and is current with the CAA
             CBI security procedures  set forth in this manual.

Any  employee that fails to annually re-certify will have their CAA CBI Form 2 stamped as CAA CBI
Clearance Terminated by the DCO/DCA. Their name will be removed from the OAQPS CAA CBI
Authorized Access List and they must relinquish access to CAA CBI materials effective on the
anniversary of their certification.

Every effort must be made to ensure that CAA CBI Form 2 is current. If unscheduled travel or absence
will prevent the employee from initialing CAA CBI Form 2, the employee must contact their respective
CBI office and obtain a waiver.  The waiver will cover the period of unscheduled travel or absence.
Upon return to duty, the employee will have no more than 15 business days to re-certify. Failure to
do so will result in the termination of the employee's certification. He or she must reinitiate the CAA
CBI access procedure as specified in section (a). The OAQPS DCO will notify the Group Leader of any
suspension of certification.

   b.  Establishing Access for Contractors

       1)  Facilities. Project Officers shall notify the OAQPS DCO immediately upon determining that
       a prospective project may require contractor access to CAA CBI.

-------
                                        EXAMPLE
MEMORANDUM
SUBJECT:   Request for Confidential Business Information (CBI) Access

FROM:      (Name of Group Leader)
             (Name of Group)

TO:         (CBI Manager)
             OAQPS, (MD-C404-02)

       This memorandum is to request that the following personnel name(s) be (added to /removed
from) the CAA CBI authorized access list for the (Name of Project), (BSD Project # or CBI #).

       (Name(s) of individuals including affiliation).

       Also, please add (Name(s) of (Group) to the CBI authorized access list for the (Name of Project,
etc.). Description of Material: Any material received as a result of developing the NESHAP for (Name
of industry or NESHAP)

       (Name(s) of individuals including affiliation).
                                         Figure 2

-------
    The following information must be furnished:

    a)  The name of the prospective contractors and the location of the contractor's facility.

    b)  A copy of the Federal Register notification for contractor access to CAA CBI collected
       under the specific contract, including the contract number.

    c)  A copy of the statement of work.

    d)  Whether the contractor's facility is to receive and store CBI under the contract.

2)  Conditions. Contractors may not receive access to and provide storage for CAA CBI until
the contractor meets the following conditions:

    a)  Obtains OAQPS approval for access to CAA CBI.

    b)  Nominates and trains a Contractor Document Control Officer (CDCO), and a Contractor
       Document Control Assistant (CDCA).

    c)  Prepares and has OAQPS approve a security plan.

    d)  Has site inspected and approved by OAQPS.

    e)  Obtains OAQPS approval from responsible Group Leader for access to specific CAA
       CBI for each contractor employee required to work with CAA CBI.

3)  Obtaining Approval. When access to CAA CBI is necessary, the contractor must complete a
Request for Approval of Contractor Access to CAA CBI, CAA CBI Form 11 (Appendix G).
The form must explain the reason CAA CBI access is necessary under the contract. The OAQPS
WAM/TOPO must forward the form and Contractor Information Sheet, CAA CBI Form 11a
(Appendix G), to his/her Division Director, who will sign the form as the requesting official and
forward it and the information sheet to the OAQPS DCO for review. The OAQPS DCO will
then forward the form and the information sheet to the PRRMS Director for final approval.

4)  Contractor DCO/DCA Requirement.  Prior to the commencement of operations,
contractor management must nominate contractor employees who will serve as a Contractor
Document Control Officer (CDCO) and a Contractor Document Control Assistant (CDCA) and
notify OAQPS. The CDCO will be responsible for developing the Security Plan and must be
trained in proper CAA CBI handling procedures prior to being assigned to their positions.

The OAQPS CAA CBI Security Manual will be provided in hardcopy, and the CDCO/CDCA
may attend a CAA CBI briefing offered by the OAQPS DCO. A CDCO must be assigned before
actual access begins, even if access to CAA CBI under the contract is limited to the OAQPS
headquarters facilities. The CDCO serves as the liaison between OAQPS and the contractor on
issues relating to CAA CBI and plays an important role in requesting and maintaining access
authorization for individual contractor employees and in handling CBI. The CDCA is a back-up
for the CDCO.

5) Security Plan. The contractor must prepare and OAQPS must approve a security plan for
access to CAA CBI at a location away from the OAQPS headquarters.  Security plans must
describe physical security mechanisms at the contractor's site that are commensurate with the
assessed risk and those procedures put in place to allow employees to safeguard materials when
handling CAA CBI at the site.

The procedures described within this manual and the OAQPS  forms in the appendices are
intended to serve as guidelines for the preparation of contractor security plans and need not be
incorporated verbatim in the plans.  However,  contractor security plans must equal or surpass the
security standards described in this manual.

The following is an outline of a Security Plan.

   •   CDCO responsibilities.

   •   Access procedures.

   •   Accountability system.

   •   CAA CBI storage (based on  Security Risk Assessment).

   •   CAA CBI transfers.

   •   CAA CBI safeguards (including disaster prevention, preparedness, and recovery plan).

   •   Security violations.

   •   Education and training.

   •   Computer security (if applicable).

The OAQPS DCO is responsible for reviewing contractor security plans, discussing any
perceived deficiencies with the OAQPS Project Officer (PO) and the contractor, and sending a
memorandum to the contractor, through the Project Officer, either approving or disapproving the
security plan.

6) Site Inspection. As part of the OAQPS CAA CBI Security program, contractors may request
that the DCO provide assistance in the determination of adequate storage areas. In addition, the
OAQPS DCO may inspect contractor facilities before, during and after CAA CBI has been
received or stored to ensure that contractor facilities provide the minimum storage requirements
outlined in this manual.  The OAQPS DCO must be notified, in writing, prior to any change or
modification to existing storage facilities or CAA CBI procedures.

If minor problems are noted during an on-site inspection or review of the security plan, the
OAQPS DCO will work with the contractor to correct them. Contractors will be given 30 days to
correct any major deficiencies encountered during the inspection. The contractor will conduct
periodic internal audits of their facilities, employee certification programs, and the CAA CBI
security system to ensure compliance with the security plan. Records of such audits will be
available upon request.

See Figure 3, Contractor Steps for Obtaining Contractor Access to CAA CBI.

   c.  Contractor Employee Access.  In general, procedures for contractor employee access to CAA
CBI are the same as those for EPA federal employees. See Section II for clearance procedures.
Contractor-specific procedures are detailed below.

       1)  Contractor Employee Access to Specific CBI. The OAQPS WAM/TOPO will confer with
       contractor officials to determine which work assignments or task orders, and which employees
       will require access to CAA CBI. Upon receiving the requirements for contractor employee
       access to CAA CBI, the CDCO will have the designated employee(s) attend an initial briefing,
       pass a written test, and obtain signatures on the Authorization for Access to CAA CBI for
       Contractor Employees, CAA CBI Form 3 (Appendix A).

       2)  Federal or contractor employees who require on-line access to a computer system or database
       containing CAA CBI must complete  a Computer Request, Approval, and Registration for CAA
       CBI Computer Access, CAA CBI Form 10 (Appendix F), and notify the DCO. See Section VII,
       CAA CBI Computer Security. The originals  of these forms are also forwarded to the OAQPS
       DCO for the record.

It is not necessary to complete a new CAA Form 2 or CAA Form 3 for every new project or
contract. DCO/CDCO will control access to specific CBI through the use of an Authorized Access
List as prescribed by this section.

4.  ACCESS CONTROL. In addition to the procedures listed in Section II, the responsible
Group Leaders / Contractor must designate and approve employees who have a need-to-know for
specific CAA CBI in order to access individual projects by submitting an authorization memo to the
OAQPS DCO (Figure 4).

-------
Figure 3. Contractor Steps in Obtaining Access to CAA CBI

   1.  Obtain Approval from Director PRRMS to Access CAA CBI
   2.  Nominate & Obtain Approval of Contractor Employees to Serve as CDCO and CDCA
   3.  Prepare & Submit an Adequate Security Plan
   4.  OAQPS DCO Site Inspection (As Required)
   5.  CDCO Brief & Test Employees on Security Procedures
   6.  Submit Name(s) & Obtain Approval for Individual(s) to Access Specific CBI

-------
Administrative support personnel may obtain access to CAA CBI to provide typing, word processing,
and document handling support of CAA CBI.  This Administrative access may be granted upon
nomination, attendance of the security briefing and passing the written CBI certification test.
Administrative access does not require designation by Group Leaders to access specific CBI.

   a.  Access Lists.

       1) Authorized Access List: Upon receiving approval to access CAA CBI, the employee name(s)
       is placed on the OAQPS CAA CBI Authorized Access List (AAL). This list denotes those
       individuals authorized to access CAA CBI.

       2) Authorized Project Access List: When the Group Leader designates an employee for access
       to specific CBI, the name is placed on the OAQPS Authorized Project Access List. These
       access lists are used as a reference to determine whether an individual is currently authorized to
       access CAA CBI and what specific CBI they are authorized to access on a need-to-know basis.

It is the responsibility of the WAM/TOPO to notify the DCO of any changes to Access Lists.

       3)  The contractor must maintain a CAA CBI Authorized Access List. The Access Lists must
       identify:

          a)  Name of personnel authorized access to specific CBI.

          b)  Contract number.

          c)  CAA Project Number/Name.

          d)  Project Lead.

The CDCO/CDCA must submit an updated list to the OAQPS DCO semi-annually. The list is used to
ensure that only individuals with current CAA CBI access authority obtain materials from the CDCO.

The Access lists may be automated or hard copy.

When a contractor employee no longer requires access to CAA CBI, he must notify the CDCO. The
CDCO will remove their name from the authorized access lists and notify the OAQPS DCO of the
deletion.

-------
                                      EXAMPLE

                 CONTRACTOR REQUEST FOR ACCESS TO SPECIFIC
                                       CAA CBI
DATE: (Date)

Subject:      Access request to Clean Air Act Confidential Business Information
            Contract No:	
            Work Assignment No:	(or Title of Person)
            BSD Project No:	

From:       (Name of Requestor)
            Contract Document Control Officer
            (Name of Company)

TO:         (Current OAQPS DCO), CBI Manager
            OAQPS, PRRMS/CBIO, (MD-C404-02)

      (Name of Individual (s)) have been assigned to work on the referenced project and their work will
require them to access confidential business information (CBI) that has been collected under the Clean
Air Act (CAA). The mentioned (name of Company) personnel have been trained and are authorized to
access CAA CBI.
Approved by:
(WAM/TOPO)                   Date     (Group Leader)               Date
                                       Figure 4


-------
     b.  Subcontractor/Consultant Access.  Under CFR 40, Sec. 2.301(h), EPA is authorized to
disclose to any authorized representative of the United States any information to a contractor or
subcontractor while performing work in support of EPA. The program PO is responsible for ensuring
that all notification requirements have been met prior to the contractor and/or subcontractor receiving
authorization to access CAA CBI submitted to OAQPS. A sample letter that may be sent to affected
businesses can be found in Figure 5.

The Prime Contractor is responsible for notifying OAQPS of all subcontractors or consultants being
used prior to releasing any CAA CBI to them. Additionally, the prime contractor is responsible for
ensuring that all subcontractors comply with the provisions of this manual.

5. TERMINATION OF CAA  CBI CLEARANCE.   CBI clearances will be terminated
when a Federal or Contractor employee no longer has a requirement to access CBI in the performance of
their duties.  Individuals no longer requiring access to CBI will be removed from the CBI access lists.

CAA CBI clearance is terminated under the following circumstances:

   •  Termination of employment.

   •  Termination of duties requiring access to CBI.

   •  Failure to maintain annual certification as explained in Section II, CAA CBI Certification
       Procedures.

   •  Security Violations.

When an employee relinquishes his/her clearance, FOR ANY REASON, the DCO/CDCO will delete the
employee's name from the Authorized Access List (AAL) and remove the employee's CAA CBI Form 2/
CAA CBI Form 3 from the active file. CAA CBI Form 2/CAA CBI Form 3 will be stamped or annotated to
reflect the date of termination of clearance. The CDCO will forward their copy of CAA CBI Form 3 to
the OAQPS DCO.

Confidentiality agreements will be retained by EPA as prescribed by records management schedule
SECU 624; 2 years for Federal employees or 7 years for Contractor employees.

-------
                                         EXAMPLE
Name of Recipient
Title of Recipient
Recipient's Address

Dear Mr. /Ms. (Recipient's Last Name):

       The United  States Environmental Protection Agency has authorized the following subcontractor
to access information that has been, or will be submitted to the EPA under section 114 of the Clean Air
Act (CAA) as amended (or applicable statute): list name and address of subcontractor/consultant.
Some of this information may be claimed to be confidential business information (CBI) by the
Submitter.  This subcontractor will be providing support to the EPA under contract (list contract
number). The prime contractor on this contract is (list name and address of the prime contractor).
Under the direction of the prime contractor, this subcontractor will provide technical support to the
Office of Air Quality Planning and Standards (OAQPS) in developing Federal Air Pollution Control
Regulations.

       The EPA is  issuing this notice to inform all submitters of information under Section 114 of the
CAA (or other applicable statute) that the EPA may provide the above mentioned subcontractor access
to these materials on a need to know basis. Notification of the prime contractor's potential access to
CBI was done through a previous Federal Register notice.

       In accordance with 40 CFR 2.301(h), the EPA has determined that the above subcontractor
requires access to CBI submitted to the EPA under sections 112 and 114 of the CAA (or other statute) in
order to perform work satisfactorily to the EPA under the above noted contract.  The subcontractor's
personnel will be required to sign non-disclosure agreements and will receive training on appropriate
security procedures before they are permitted access to CBI. The above subcontractor's clearance for
access to CBI is scheduled to expire on (date).

       Please provide any comments regarding the above subcontractor's access to CBI submitted by
your company within ten working days of your receipt of this letter. Comments should be submitted to
(Name of Current OAQPS DCO), Document Control Officer, Office of Air Quality Planning and
Standards, (MD-C404-02), 109 T.W. Alexander Drive, Research Triangle Park, NC 27711,
(919) 541-0880.

                                        Sincerely,
                                        (name of WAM/TOPO)
                                        (Division)
cc:    Project Officer
       OAQPS DCO
       Director, OAQPS/PRRMS
                                           Figure 5

-------
                                  SECTION III.
              RECORDS MANAGEMENT FOR CAA CBI
1. OVERVIEW.  This section describes how Confidential Business Information (CBI) either
originated by OAQPS or its contractors as derivative CBI or received as original CBI is identified,
protected, logged, controlled, and managed.

  When any OAQPS employee or contractor employee receives any materials containing
  or suspected of containing CBI, they shall immediately deliver those materials to their
  respective CBI office for proper logging and storage.

2. INTENT.  The OAQPS CAA CBI Records Management System must be able to track the
movement of CBI, identify the persons with authorized access to it, prevent its misplacement and ensure
prompt retrieval. The OAQPS CAA CBI Records Management System ensures these objectives are
accomplished by maintaining authorized access lists, assigning unique numerical identifiers
(CBI Control Numbers) to each document, maintaining an automated inventory of all documents
submitted/logged into the system, and by monitoring the movement of CBI through manual or
automated logs, records of receipt, usage, and transmission. All material submitted to OAQPS and all
material generated at OAQPS containing information claimed to be CBI are controlled through the
OAQPS CAA CBI Records Management System.

CBI materials usually form two distinct groups:

   a.   Original CBI. Original CAA CBI is generally submitted voluntarily to the
Environmental Protection Agency or obtained under Section 114 of the Clean Air Act. It is usually
received in the form of a requested response from a solicited business or a site visit conducted by an
OAQPS or contractor employee.

   b.  Derivative CBI.   Derivative CBI is the result of incorporation, paraphrasing, restating, or
generating information from original CBI. Along with the file or record copy of a newly created CBI
document, the OAQPS CBIO must keep a copy of the source document or sufficient identifying
information from the source document. This information includes the originator's name and title and the
date received.  The OAQPS WAM/TOPO's name, title, and office must also be shown on the new
document.

3. OAQPS CAA CBI RECORDS MANAGEMENT SYSTEM.  The foundation of the
OAQPS CAA CBI Records Management System includes the following basic items:
   •  Automated database (all CBI re: TSCA, CWA, RCRA, FIFRA, etc.).
   •  Control Records (for each item in the system).
   •  Custody Receipts (for transfer of material).
   •  Cover Sheets (for document protection/identification).
   •  Destruction and Declassification Logs.
   •  Document Inventory (by project, WAM/TOPO, disposition, etc.).
   •  Authorized Access List.

   a.  OAQPS CAA CBI Automated Tracking System.  An automated database is used to record
   pertinent information about CAA CBI materials filed in the CBIO and persons authorized to access
   specific CAA CBI. The database contains the following information:

       •  Date received.
       •  Date of document.
       •  Number of copies.
       •  CBI control number.
       •  Project name.
       •  Document description.
       •  Provider identification.
       •  Transfer information.
       •  Destruction record.
       •  Authorized access clearances.

Various reports may be generated on a routine basis or when requested by management. They are:

       •  Complete inventory of all CBI documents including disposition (permanent inventory,
          destruction, declassification, etc.).
       •  Listing by specific regulating Acts.
       •  Listing by specific CBI projects.
       •  Listing of documents assigned to individual WAMs.
       •  Listings of authorized personnel (EPA and contractors).

The CAA CBI database is continuously updated and allows the OAQPS DCO to determine the
disposition of documents, retrieve documents in a timely manner, and to generate an accurate up-to-date
inventory on a monthly basis or when requested.

   b. CAA CBI Control Record.  CAA CBI Control Record, CAA Form 1 (Appendix H) is placed
in each CAA CBI file as a permanent record of authorized personnel access. It also contains
reproduction, transfer, declassification, destruction, and other pertinent information about the document.
The Control Record facilitates timely and accurate accounting for CAA CBI material during the work
day.  Each user of CAA CBI must sign and date the Control Record each time access is granted to a CBI
document.

When documents are checked out, the Control Record is removed from the  file and retained by the DCO
as a receipt.  When the document is returned, it is signed and dated by the DCO and returned to the file.

When a CAA CBI document is declassified or destroyed, the CAA CBI Control Record will be retained
for 2 years upon completion of a project to certify the disposition of these documents.

   c. Cover Sheets.   Cover sheets are used to identify CAA CBI documents and provide a measure of
security when the documents may be exposed to casual viewing. The Cover Sheet conceals the front of
each document and must NEVER be removed.  There are two types of cover sheets used by the OAQPS
CBI Office.

       1)  CAA Confidential Business Information, CAA CBI Cover Sheet, CAA Form 8 (Appendix
       E) is a YELLOW sheet of paper inscribed with a claim of confidentiality and handling
       instructions. This cover sheet is placed over original CBI documents.

       2)  CAA Confidential Business Information, Duplicate Copy, CAA CBI Cover Sheet,
       CAA Form 8a (Appendix E) is a BLUE sheet of paper inscribed with a claim of confidentiality
       and handling instructions. This Cover Sheet is placed over all duplicate copies made from
       original CBI. The BLUE cover also serves as a certification of the destruction of duplicate
       copies. See Item 12 of this section.

    d. Custody Receipts.   CBI Custody Receipts are used to maintain a Chain of Custody when CAA
CBI documents are transferred and are discussed in Section V, Transferring Custody of CAA CBI.

    e. New Materials.  All project documents received by the OAQPS CBIO must be reviewed by the
Project leader. When the status of a document is in question, it will be considered CBI until it is cleared
by the originator or the project lead. After review of the materials, the documents are logged into the
OAQPS CAA CBI Inventory. WAMs/TOPOs are responsible for coordinating with the DCO and their
respective CDCO for the disposition of these materials.

    f.  Inventory.  The OAQPS CAA CBI Inventory Log, CAA CBI Form 12 (Appendix H), will be
used in the absence of an automated document tracking system and will be maintained by the OAQPS
DCO/DCA.  This inventory must describe each document accurately, and the description itself must
contain no CBI.  The inventory log includes the following information:

       •  Date received
       •  CBI control number (OAQPS & contractor)
       •  Provider's name /Description of materials (number of copies, pages, etc.)
       •  Recipient
       •  Disposition
       •  Disposed Date
       •  Inventory Date

The inventory identifies all CBI  material for which OAQPS is accountable; an inventory of CBI
material is conducted  at least once a year, during which time each CBI file is reviewed and purged
of unneeded materials with the assistance of the WAM/TOPO.

4.  OAQPS CAA CBI DOCUMENT CONTROL NUMBERS.   The OAQPS DCO
assigns an individual Document Control Number (DCN) to each CAA CBI document. The DCN
consists of an alphanumeric code (e.g., 94111-C02-09.a).  The first group of five numbers denotes the
fiscal year the document was received and the project sequence number (e.g., 94111); the next
alphanumeric group identifies the responsible WAM/TOPO (e.g., C03); and the last group (e.g., 09)
refers to the number of documents received for that specific project during that fiscal year. Each
individual document, under a particular DCN, will receive an alpha character (.a, .b, .c) for detailed
accountability. The OAQPS CBI control number is placed on the cover sheet and the first page of the
document. The control number is also placed on the custody receipt and folder.
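
The control-number layout described above, as an added example that is not part of the manual or of any OAQPS system: a Python parser and inventory check for DCNs. It assumes the five-digit group splits into a two-digit fiscal year and a three-digit project sequence, that the WAM/TOPO code is one letter plus two digits, and that item letters are assigned consecutively from .a; the sample inventory is constructed.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# Layout follows the manual's example "94111-C02-09.a":
#   <5 digits>-<WAM/TOPO code>-<document number>[.<item letter>]
# ASSUMPTIONS (not stated in the manual): the five digits are a 2-digit fiscal
# year plus a 3-digit project sequence, and the WAM/TOPO code is one capital
# letter followed by two digits.
DCN_RE = re.compile(r"(\d{2})(\d{3})-([A-Z]\d{2})-(\d{2})(?:\.([a-z]))?")


@dataclass(frozen=True)
class DCN:
    fiscal_year: str          # e.g. "94"
    project_seq: str          # e.g. "111"
    wam_topo: str             # e.g. "C02"
    doc_number: int           # e.g. 9
    item: Optional[str] = None  # e.g. "a"; None when no item letter is present

    @property
    def base(self) -> str:
        """The control number without the per-item letter."""
        return (f"{self.fiscal_year}{self.project_seq}-"
                f"{self.wam_topo}-{self.doc_number:02d}")

    def __str__(self) -> str:
        return self.base + (f".{self.item}" if self.item else "")


def parse_dcn(text: str) -> DCN:
    """Parse one control number; raise ValueError if it does not fit the layout."""
    m = DCN_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError(f"not a valid DCN: {text!r}")
    fy, seq, wam, doc, item = m.groups()
    return DCN(fy, seq, wam, int(doc), item)


def audit_inventory(entries):
    """Reconcile a list of control numbers taken from an inventory log.

    Reports three kinds of finding:
      malformed     - entries that do not parse (e.g. transcription errors)
      duplicates    - the same control number logged more than once
      missing_items - item letters skipped under one DCN (ASSUMES letters are
                      issued consecutively starting at 'a')
    """
    malformed, parsed = [], []
    for raw in entries:
        try:
            parsed.append(parse_dcn(raw))
        except ValueError:
            malformed.append(raw)

    counts = Counter(str(d) for d in parsed)
    duplicates = sorted(k for k, n in counts.items() if n > 1)

    letters = defaultdict(set)
    for d in parsed:
        if d.item:
            letters[d.base].add(d.item)

    missing_items = {}
    for base, seen in letters.items():
        expected = {chr(c) for c in range(ord("a"), ord(max(seen)) + 1)}
        missing = sorted(expected - seen)
        if missing:
            missing_items[base] = missing

    return {"malformed": malformed,
            "duplicates": duplicates,
            "missing_items": missing_items}


# Constructed sample inventory (not real control numbers from any log).
SAMPLE_INVENTORY = [
    "94111-C02-09.a",
    "94111-C02-09.b",
    "94111-C02-09.d",   # item .c was never logged
    "94111-C02-09.b",   # logged twice
    "94l11-C02-10.a",   # lowercase "l" typed in place of the digit "1"
    "95007-B14-01",     # single document, no item letter
]

if __name__ == "__main__":
    for kind, found in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{kind}: {found}")
```
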

5. CBI MARKINGS.   Markings are conspicuously stamped, printed, written or affixed on
classified materials, including materials other than paper documents.  If this is not practicable, the
containers of such material shall be marked. The means by which material is marked varies according
to the physical characteristics of the material or organizational and operational requirements.

CBI material shall be marked in such a way as to readily identify it for special handling.

   a.  CBI Stamps. Both original and derivative CAA CBI documents are stamped
"Subject to Confidentiality Claim."  See Appendix D for additional CAA CBI stamps or markings.

   b.  Computer Output.  Documents that are generated as computer output may be marked
automatically by systems software. If automatic marking is not practicable, these documents may be
marked manually.  Removable storage media and devices used with ADP systems, typewriters, or word
processing equipment shall bear both external (affixed) and internal (software generated) CBI markings.
Documents produced by ADP equipment shall have at a minimum their first page and their last page
marked.

   c.  Charts, Maps, and Drawings.  The markings on charts, maps, and drawings are inscribed both
at the top and the bottom of each document. When the document is unfolded, the classification marking
shall be clearly visible on each folded portion. The marking must also be visible when the document is
rolled or folded for storage.

   d. Photographs, Films, and Recordings.  Photographs, including negative envelopes, must be
marked as confidential. Their containers must also be marked. The markings on each transparency or
slide must be on the image and on  the holder or frame.  Classified motion picture films and videotapes
are marked at the beginning and end with a clear statement of classification. The containers or reels on
which they are kept must also be marked.

6. CBI DOCUMENTS.  Care must be taken not to compromise proprietary information when
working with CAA CBI. Documents generated by OAQPS or its contractors that contain information
derived from CBI documents should be treated as CBI until cleared by the Group Leader, providing
organization or OGC, if required.

   a. Working Papers.  Newly  created CBI is, at first, in the form of working papers. The category
of CAA CBI working papers includes materials such as notes and outlines; initial drafts of documents;
computations, drawings, and diagrams; and other documents. It is the employee's responsibility to
ensure that no information, which has been previously declared as CBI by the originator, is entered into
working papers which are intended for public dissemination. If in doubt, working papers should be
secured in the CAA CBI office. All non-confidential documents will be returned to the Project Leader.

   b. Typing / Word Processing Requirements. The author of a CAA CBI document may provide
the document to a typist who has authorized access. The typist must return to the author the newly
typed materials and the original draft when typing is completed.  All materials used in typing
documents containing CBI, including word processing disks, ribbons, and waste paper must be treated
as CBI and submitted to the CBIO for storage or destruction.

Typists may use applications that reside on a Local Area Network (LAN) for the preparation of CAA
CBI documents but must never store CAA CBI on Share drives or any device other than removable
storage media.  Data, reports, etc., must be stored on a floppy diskette or other removable media and
submitted to the CBIO, with a hard copy, for proper logging and storage.

7. NON-CBI DOCUMENTS.   Materials produced from CAA CBI need not be confidential.
Non-confidential documents may be produced by deleting CBI from an existing document or by
masking or aggregating the CBI so that it cannot be linked to its source.

   a.  Deleting or Replacing CBI.   CAA CBI can be replaced in a document with NON-CBI data,
generic descriptive words or terms derived from CBI data that are not themselves CBI.

   b.  Masking or Aggregating CBI.   Group Leaders must be consulted in advance by authors who
wish to produce non-confidential documents by masking or aggregating CBI.  Group Leaders shall
review all submissions of masked or aggregate material to ensure that no CBI is exposed and approve
the final NON-CBI version.

   c.  Dropping CBI Claim (Declassification).  Non-CBI documents can also be created from
information submitted by a providing organization which  drops its claim of confidentiality, or  for which
a claim is determined not valid by the OGC.

If a providing organization relinquishes its claim of confidentiality for original CBI, the WAM/TOPO
must obtain a written statement from the submitter and provide a copy to the DCO before the
information can be released to the public in accordance with the procedures established under 40 CFR 2
Subpart B.

EPA and Contractor employees will comply with the following procedures when declassifying CBI
documents. CAA CBI may be declassified under two conditions:

       1) When written authorization has been received from the submitting organization.

         a)  DCO/CDCO will verify that the  proper declassification authority has been received and
             stamp or mark the document to reflect its new status. A declassification notice must
             accompany all requests and will  denote the organization  authorizing declassification,
             description of specific item(s) being declassified, project number and document control
             number.

         b) Declassified documents need not be kept in the CBI inventory and may be returned to the
             respective OAQPS Project Lead or Contractor team Leader. DCO/CDCO will inventory
             the documents prior to transfer to ensure that only declassified documents are transferred.

          c) The receiving DCO/CDCO will inventory declassified materials and verify that they are
             in accordance with the declassification notice. Any discrepancies will be reported
             IMMEDIATELY.

          d) If declassified materials are received and cannot be immediately inventoried, they must
             be stored and treated as CBI until an inventory has been completed.

       2)  When the originator has not responded, within a prescribed time period, to a notice of intent
       of disclosure submitted to them by the Project Lead as required by 40 CFR 2 Subpart B.

At no time will a Contractor or Subcontractor declassify any CBI in their possession without the
expressed, written authorization of the Project Lead and notification of the OAQPS DCO.

In all instances, the WAM/TOPO is responsible for ensuring that documents contain no CBI.
Materials produced using CBI must be treated as CBI until a determination is made by the
Group Leader or providing  organization.

8. DISPOSITION OF CAA CBI DOCUMENTS.  WAM/TOPOs or the responsible
Group Leaders shall initiate the process for destruction or disposal of original CBI material not
used or referenced in the rule making process.  The OAQPS DCO will destroy specified
documents and maintain a record of all destroyed documents. The destruction of CAA CBI
material shall only take place  with the proper authorization from the WAM/TOPO and when in
accordance with applicable records management schedules. Submitter notification is not required.

   a. Original CAA CBI Materials.  CBI material used for technical reference only and not
used in the formulation of a rule, policy or decision may be retained until no longer needed, at
which time, and with the prior approval of the WAM, it may be routinely and consistently
destroyed in accordance with EPA/NARA Records Retention Schedule TECH 008.

CBI documents that are referenced in rulemaking dockets and/or have been used to formulate
policy or in the development of a rule, will be treated in accordance with EPA/NARA Records
Retention Schedule REGS 149. Project leads will provide the DCO with docket index numbers
as soon as available.

   b. CBI Created by OAQPS.  Authors of derivative CBI (CBI created from original CBI)
may authorize the CBI Office to destroy these materials.

Documents such as site surveys, test reports, telephone conversations, and meeting minutes
which are compiled into a draft trip report, are forwarded to the affected business  (providing
organization) for review of accuracy and confidentiality by the responsible Group Leader. The
responsible industry official is requested by cover letter to review the report, clearly mark any
information considered to be confidential, and return the marked-up report within the specified
time frame.  The original is kept in the CBIO. When the marked-up copy of the report is
 returned, OAQPS will have the option of:

      •   Protecting the whole document as CBI.

      •   Creating a NON-CBI version with all CBI removed by aggregating or masking, and
          maintaining a complete CBI version.

      •   Creating a CBI addendum when indicated CBI is at a minimum.

      •   Challenging the validity of the business' claim through OGC.

All revised final documents must be submitted to the providing organization for review
before release to the public.

 If the report is determined to be accurate and non-confidential, the business firm will so note, or
 not respond by the requested date. If the document has CBI status, it is placed in the OAQPS
 CBIO and logged into the OAQPS CAA CBI inventory.

 In the event that the firm does not respond by the requested date, the WAM/TOPO may contact
 the providing organization and verify the claim and provide a written response to the OAQPS
 CBIO for declassification or release purposes.

 9.  RECORDS OF DESTRUCTION.  Records of destruction are required for CAA
 CBI materials. When a document is destroyed, the OAQPS  DCO or the CDCO must indicate on
 the CAA CBI Control Record, CAA CBI Form 1 (Appendix H) the destruction date, person
 destroying document, and attach documentation authorizing the destruction to the CAA CBI
 Control Record.

 The control records of destroyed documents must be retained for audit purposes in accordance
 with EPA records management schedules.  The destruction of CBI materials shall be documented
 in the CAA CBI automated database.

 10.  METHODS OF DESTRUCTION. CAA CBI documents and materials shall be
 destroyed in a manner that precludes recognition or reconstruction. In general, CAA CBI
 materials are destroyed by SHREDDING (including any type of paper substance, microfiche,
 typewriter ribbons, diskettes, and data tapes).

 11.  CDCO RECORDS MANAGEMENT RESPONSIBILITIES.  Contractor
 DCOs must comply with the aforementioned requirements of this manual to ensure adequate
 safeguarding and handling of CAA CBI documents.  The CDCO may use the sample CAA CBI Forms or
 design its own in-house forms, as long as the required OAQPS information is available.

   a. CAA CBI Control Numbers.  CDCOs may implement an internal CAA CBI control
numbering system, but must cross-reference OAQPS CAA CBI Control numbers on custody
receipts, inventories, derivative CBI, correspondence, etc. regarding specific CAA CBI.

   b. CAA CBI Inventories.  CDCO must maintain an accurate inventory log consisting of a
NON-CBI description of each document in the CBI inventory (Appendix H).  The CDCO shall
conduct an inventory of all CAA CBI materials stored at their facility at least once a year.  A
copy of the inventory shall be submitted to the OAQPS DCO. Any original CAA CBI no longer
needed at their facility must be returned to OAQPS.

   c. Reproducing Documents.  Copying of CAA CBI by contractors is limited to working
papers, drafts of technical reports, drafts of trip reports, meeting handouts, and similar temporary
documents.  Copying must be done under the direction and guidance of the CDCO.  Procedures
in Section IV should be followed during all document reproduction.

12.  COMPLETION OF CONTRACTS, WORK ASSIGNMENTS OR TASK
ORDERS.  All documents generated or received during the execution of a project or contract
are the property of EPA and must be submitted to the agency upon completion of the project
or contract.  CDCOs will ensure that all pertinent project materials are returned to the OAQPS CBIO.
The CDCO will ensure that all materials are inventoried prior to their return.  Copies of reports, data
or other materials retained for use with related projects must be assigned new control numbers and
identified in the closeout inventory.

   a. Originals. Originals, documents or materials generated by the contractor in support of the
assigned project, must be returned to the OAQPS DCO at closeout.

   b. Duplicates. All duplicate copies, sent to the CDCO for reference during a project, may be
destroyed in conjunction with the closeout inventory. Duplicates transferred by OAQPS will be
identified by their distinctive (BLUE) document cover (Appendix E). CDCOs will acknowledge
destruction of duplicates by signing the appropriate section of CAA Form 8a and returning it to
the OAQPS DCO along with CBI materials.  In the event that cover sheets are not available, the
CDCO will submit a memorandum accounting for the destroyed duplicates.

-------
                                   SECTION IV.
                CAA CBI WORKPLACE PROCEDURES

 1. OVERVIEW. Many modern office buildings incorporate contemporary office designs
 which present a unique challenge to DCOs, CDCOs and employees alike. Glass walled
 conference rooms, open area office space and common areas increase the likelihood of
 inadvertent disclosure of CBI information through overheard telephone conversations or casual
 viewing of CBI documents by others. This work environment requires that certain procedures be
 followed to ensure strict CAA CBI document control measures during the conduct of daily
 business.

 2. OBTAINING CBI DOCUMENTS. Employees and contractors who are authorized
 access to specific CAA CBI may obtain CBI materials from the OAQPS CBIO. The OAQPS
 DCO verifies that the employee is authorized access to the requested CBI.  Employees must
 sign the OAQPS CBI Control Record upon receipt of the document and safeguard CBI
 materials while in their possession. Any time an employee relinquishes physical custody of the
 CAA CBI (lunch or at the end of the day), he/she must return the document to the CBI office for
 storage. The DCO/DCA will sign and date the Control Record upon return. (Other than as
 provided in Section III, 6 (b), direct transfer of CAA CBI materials between employees is
 not permitted.)

 In the event the CBI Office is closed, employees must retain custody of documents until they can be
 secured in an approved authorized storage area or designated document drop. CDCOs should develop
 their own policies to address this contingency.

 CBI materials are transferred ONLY through CBI offices or DCOs.

 3. DOCUMENT CONTROL.  In order to minimize the exposure of CAA CBI materials to
 inadvertent disclosure, the following document control steps should be taken:

    a. Telephone Calls.  Federal and contractor employees with CAA CBI access may discuss CAA
 CBI on the telephone ONLY with other individuals authorized to access the specific CBI or authorized
 individuals of providing organizations.

 The use of speaker phones is authorized ONLY where the likelihood of a conversation being overheard
 by unauthorized persons has been reduced, i.e. in a closed office or conference room.

 When using the telephone, caution must always be used because of the ease of interception of
 telephone communications by unauthorized individuals.

 When making or receiving telephone calls in which CBI will be discussed, the following safeguards
 must be adhered to:

   •  Verify the identity and CBI access status of the person with whom they are speaking.

   •  Inform the person that the telephone lines are not secure.

   •  Assure the person that a telephone discussion of CAA CBI with a Federal or contractor
      employee does not constitute a waiver of any claim of confidentiality.

   •  Inform the person that any information provided in the telephone conversation claimed as
      confidential will be properly safeguarded.

It is the responsibility of the user to ensure that all appropriate measures have been taken
to protect CAA CBI from disclosure to unauthorized individuals.

Federal and contractor employees shall complete a telephone memorandum, Memorandum of CAA CBI
Telephone Conversation, CAA CBI Form 6 (Appendix B), for all telephone calls in which CAA CBI is
discussed. Telephone memorandums must be submitted to the CBIO upon  completion of the call so
they can be  added to the record.

  b.  Work Spaces (Cubicle).  Whenever possible, try to arrange your work area so that casual
passers-by cannot read the contents of CBI documents.

  c.   Computers. When working with word processing applications always turn computer screens
away from view or minimize screens when unauthorized individuals come into your work area.  In order
to remove "Temp"  files, which may have been created during a computer session, always close
applications after use.  If in doubt, locate the application's Temp Storage folder and verify deletion.
Printers should also be turned off to remove any documents in the printer's  memory buffer.

Additional guidance is provided in Section VII.

  d.  Meetings.  OAQPS offices or Contractors that host or convene any meeting (conference,
symposium, seminar, exhibit, convention, scientific, or technical gathering) at which CAA CBI will be
disclosed shall take appropriate security measures.  The DCO shall be notified whenever CAA CBI
materials must be reproduced for use at a meeting.

The chairperson must verify that all attendees are cleared for CAA CBI and have a need to know
specific CBI to be  discussed. Whenever CBI documents are circulated for discussion you must:

      1)  Have any required documents reproduced by the OAQPS DCO/DCA. The DCO will number
      the copies, i.e. 1 of 6, 2 of 6, to ensure all pages are returned to the CBI office.

      2)  Provide a CAA CBI Meeting Sign-In Sheet, CAA CBI Form 7 (Appendix C) as a meeting
      record. The following information shall be recorded: date, time, place, chairperson, and subject.
      All persons attending the meeting must sign this sheet.  The chairperson will control access in
      and out of the meeting. All sign-in sheets shall be delivered to the CBIO by the close of business
      or the next business day after the meeting.

      3) The meeting chairperson must remind those in attendance of their duty to treat all notes or
      recordings taken at the meeting as confidential. These materials will be submitted to the CBIO for
      storage until CBI status is determined.  Notes, minutes, summaries, recordings, proceedings, and
      reports on the CAA CBI classified portions of the meeting must be safeguarded and controlled
      throughout the meeting.

      4) Physical and technical security controls shall be established to control access.  The meeting
      room shall be cleared of all CAA CBI materials after the meeting.  This includes cleaning all
      chalkboards, returning any unneeded CAA CBI materials to the CBIO  for destruction,  and
      ensuring that nothing is left in the room that could lead to the unauthorized disclosure of CAA
      CBI.

   e.  Document Reproduction.  This subsection details the procedures for controlling and
safeguarding CAA CBI reproduction or other copying.

      1) Group Leaders or WAM/TOPOs authorize the reproduction of CAA CBI materials. Only the
      DCO/DCA is authorized to make reproductions. The DCO will log  additional copies into the
      OAQPS Records Tracking System and record the distribution of copies.

      2) Copy machines should be dedicated solely to CBI document reproduction. Only persons
      authorized access to the specific CAA CBI being copied may be present during copying. After
      reproduction, the operator must pass three blank copies through the machine to ensure  that any
      impressions on the image surfaces of the machine have been erased.

      3) If the equipment used for reproducing CAA CBI materials has a malfunction, the DCO must
       inspect the machine's paper path and image surface to retrieve any  materials that may  be jammed
       in the equipment before the repair person is called.

   f.  CBI Waste.   Documents and materials such as typewriter ribbons, carbons and draft copies
used in preparing confidential information shall be handled in such a way that the information is
adequately protected until destroyed. Section III gives instructions for the disposal and destruction of
CAA CBI.

   g.  Use of FAX Machines.   The use of FAX machines to transmit  CAA CBI documents is
authorized. As with any CBI document, care must be taken not to leave documents uncovered or
unattended during transmission. Section V outlines specific procedures for the use of FAX machines.

   h.  Site Visits.  Because data-gathering visits, plant inspections, and  source testing may involve
inadvertent receipt of CBI, it is the policy of OAQPS to protect all parties involved. Prior  to or at the
inception of a plant inspection, data-gathering visit, or source testing, OAQPS representatives should
discuss with plant representatives the information that will be sought, how it is to be used, and
how it is to be protected. OAQPS representatives should solicit the assistance of plant representatives
in determining if any materials being removed from the site are claimed as CBI. Only materials claimed
and marked as CBI are secured in the CBI office.

4. SPECIAL CIRCUMSTANCES.  In the event of an emergency requiring evacuation of
office spaces, persons who are unable to return the material in their possession to the CBIO will ensure
that such material is safeguarded by covering it from view and taking it with them.  The employee must
keep it under their personal control at all times until it can be secured.

-------
                                    SECTION V.
                         TRANSFERRING CAA CBI
1.   OVERVIEW.  This section discusses minimum procedures required to ensure the
security of CBI during authorized transfer.

2. TRANSFERRING CAA CBI TO OTHER FEDERAL, STATE OR LOCAL
 AGENCIES.  EPA regulations allow disclosure of CBI to another Federal or State agency in either
of two circumstances. Specific guidelines for transfer of CBI documents can be found in 40 CFR Part 2,
Subpart B, Sec. 2.209:

   •  When the official purpose for which the information is needed by the other agency is in
       connection with its duties under any law for protection of health or the environment or for
       specific law enforcement purposes; or

   •  When disclosure is necessary to enable the other agency to perform a function on behalf of EPA.

In either circumstance, the PRRMS Director must be notified immediately, through the CBI Office,
upon receipt of a request for documents or information requiring access to CAA CBI. In addition, the
procedures described below must be followed before CAA CBI may be disclosed to other agencies.

These procedures do not apply to disclosure of CAA CBI to individual employees of other agencies
performing functions on behalf of OAQPS where access is confined to OAQPS premises.

EPA may disclose CAA CBI to other Federal, State or Local agencies upon the written request from the
requestor.  Because of the time needed for processing, the written request should be directed to the
PRRMS Director at least 30 days prior to the time access is needed. The request must be signed by an
official of the other agency who is at least equivalent in authority to a Division Director.  It should state
specifically the information to which access is requested. The official purpose for which the CAA
CBI  is needed should be set forth in detail as well as any other pertinent information, such as previous
efforts to obtain the information.  The need must be in  connection with the agency's duties under a
law for the protection of public health or the environment or for a specific law enforcement
purpose.

When the signed agreement is returned, it shall be forwarded to the OAQPS CBIO along with a letter to
accompany CAA CBI transferred outside OAQPS (Appendix I). This letter will constitute direction to
the OAQPS DCO to transmit the CAA CBI materials to the requestor. The OAQPS DCO will send the
materials, the letter and the CAA CBI Custody Receipt to the requestor.

NOTE: TSCA and FIFRA CBI maintained by OAQPS may not be disclosed to States.

    a. CBI Security Agreement.  In addition, as part of its written request, a Confidential
 Business Information Security Agreement, CAA CBI Form 15 (Appendix I) must be signed by an
 official of a government entity requesting transfer of CAA CBI prior to transfer of custody. This form
 requires the official of the receiving agency to verify that the information will be safeguarded utilizing
 procedures comparable to EPA's procedures for handling CBI found in this manual and 40 CFR, Part 2,
 Subpart B.  Additionally, each person having access to CAA CBI documents will be required to sign a
 Confidentiality Agreement CAA CBI Form 2a (Appendix I).

 Further disclosure by the gaining agency of information claimed as confidential is authorized only if the
 following conditions are met:

       •   The gaining agency has statutory authority both to receive the information, and to make the
           proposed disclosure and, prior to the disclosure, it has furnished the affected business with at
           least the same notice that EPA would provide under its regulations.

       •   The gaining agency has obtained the consent of each affected business to the proposed
           disclosure.

       •   The gaining agency has obtained a written statement from the EPA OGC or an EPA Regional
           Counsel that disclosure would be proper under EPA's regulations.

     b. Notice to Affected Businesses.  OAQPS CAA CBI may be released to State or Local
 agencies with the written permission from the submitter. Also, it may be possible to aggregate data or
 sanitize documents containing CAA CBI without disclosing information claimed as CBI. When
 disclosure is requested by another agency, OAQPS must give the affected businesses at least 10
 calendar days notice before granting access to the other agency. Notice to the affected businesses
 may be given by Federal Register, letter sent by registered mail (return receipt requested), or telegram
 and must include:

        •  The identity of the agency/contractor to which CBI is to be disclosed.

        •  The official purpose for the access.

        •  Whether access is authorized only on EPA premises or also at the other agency or
           contractor's facilities.

        •  A non-confidential description of the specific information to be disclosed.

        •  The period of time for which access to the CBI is authorized.

 NO notice shall be required when EPA furnishes business information to another Federal agency
 performing a function on behalf of EPA.

    c. Before Approval.  The PRRMS Director will notify the requesting official acknowledging
receipt of the written request and will direct issuance of a notice to affected businesses if required.  The
PRRMS Director will also notify the requesting official of the approval or disapproval of the request.

    d.  Before Transfer.  Before CAA CBI may be disclosed, the PRRMS Director must notify
the other agency that the information being disclosed is classified as CAA CBI, that it was acquired
under authority of the CAA, and that any unauthorized disclosure of the information may subject
employees of the other agency to criminal penalties (18 U.S.C. 1905, et al.).

3.  TRANSFERRING CAA CBI TO  EPA CONTRACTORS OR PROVIDING
PLANTS/FACILITIES.   CAA CBI documents are transferred to authorized individuals by
the OAQPS DCO. To initiate the process of transferring CAA CBI, a Letter of Transfer (Appendix J)
shall be prepared by the responsible Group Leader. The WAM/TOPO or employee delivers the
letter of transfer to the CBIO.  The letter of transfer and a custody receipt (and one copy) are enclosed with
the transferred CAA CBI.

 CAA CBI documents (draft reports, revisions, telephone contact reports, etc.) are transferred
 between DCOs/CDCOs via a Custody Receipt.  A Letter of Transfer signed by the Group Leader
 is not required for this type of transfer.

 The process for transferring CBI to a contractor or facility is as follows:

    •  WAM/TOPO submits letter of transfer to Group Leader for signature (Facility Only).

    •  WAM/TOPO gives verbal or written authorization for document transfer to contractors.

    •  Letter of transfer and Project or CAA CBI control number, if known, is submitted to the CBIO
       (Facility Only).

    •  The DCO prepares the custody receipt, properly packages CAA CBI including letter of transfer.

    •  The DCO releases package to authorized contractor employee or mails package via registered
       mail or Federal Express.

4. TRANSFERRING CAA CBI FROM CONTRACTORS TO OAQPS.   The
contractor Project Lead or EPA Work Assignment Manager must authorize the transfer of CAA CBI,
related to their projects, to OAQPS. Records should be identified and instructions given to the CDCO to
return the material to the OAQPS CBIO. The material being transferred must be listed on the CAA CBI
Custody Receipt, CAA CBI Form 14, Appendix H (including the OAQPS CAA CBI control number if
available).

   The process for transferring CBI from EPA Contractors to OAQPS is as follows:

    •   WAM/TOPO gives verbal or written authorization for document transfer to OAQPS.

    •   The CDCO prepares the custody receipt, properly packages CAA CBI for transfer.

    •   The CDCO releases package to authorized contractor employee or mails package via registered
       mail or Federal Express.

  Direct transfer of CAA CBI materials between contractor employees is not permitted. CAA
  CBI materials must be transferred through the CDCO only.

5. TRANSFER TO SUBCONTRACTORS.  Federal regulation 40 CFR, Part 2 allows
disclosure of CAA CBI to contractors and their subcontractors when disclosure is necessary to enable
the contractor to perform work on a contract. Unless previously given, the affected businesses must be
given notice before CAA CBI is transferred to the subcontractor with the same requirements as
indicated above. The initial notice is usually prepared by the OAQPS Project Officer and is published in
the Federal Register notifying the public and affected businesses of OAQPS contractors and
subcontractors who will have access to CBI collected under the Clean Air Act. As in all cases, the
procedures listed in this section apply to transfers of CAA CBI to subcontractors.

  The Prime Contractor is responsible for the transfer of CAA CBI to their designated
  Subcontractors or Consultants.

6. PREPARATION AND PACKAGING.  CAA CBI materials to be transferred will be
processed by the DCO.  The following guidelines set forth the procedures for preparing and packaging
CBI materials.

   a.  Inner and Outer Covers.   Before CAA CBI may be transferred or hand carried out of
the OAQPS facility, the materials must be double wrapped with opaque paper. The inner cover
must bear markings that indicate the classification and instructions, "Subject to Confidentiality
Claim," and "To Be Opened by Addressee Only." The person to whom the material is intended is
included in the address as an "Attention" line on the inner envelope. Markings on the inner cover shall
not show through the outer cover.

   b.  Addressing.  CAA CBI being transferred from the OAQPS CBIO to another facility or
being returned from a facility to the CBI Office shall bear the name of the receiving DCO and shall not
bear any classification markings or other indication that CAA CBI information is enclosed.

   c.  Packaging.   Materials used in packaging CAA CBI  must be strong and durable enough
to provide protection in transit and prevent items from protruding through the covers. Upon receipt,
packages must be inspected to ensure that the seals have not been broken.

7. CUSTODY RECEIPT.  A CAA CBI Custody Receipt, CAA CBI Form 14 (Appendix H) is
included with all transfers of CAA CBI materials. This form provides the previous holder of CAA CBI
with proof of accountability that the material was transferred and received.

The Custody Receipt is prepared in three copies. After verifying all materials were received, the
recipient signs and dates Copy 1 and returns it to the sender. Copy 2 may be retained by the recipient for
his/her records.   Copy 3 is retained by the CBIO as a suspense copy until the signed  original Copy 1 is
returned by the recipient, or the Domestic Return Receipt is received acknowledging delivery of the
document(s).  See Section III, Records Management for CAA CBI, for more information on
accountability, control records, and the CAA CBI control numbers.

8. TRANSFER METHODS.   OAQPS CAA CBI may be transferred or transported by the
following methods:

   •   Hand carried to another facility by an employee or contractor employee who is authorized access
       to the CAA CBI.

   •   U.S. Postal Service registered mail (return receipt requested), Express Mail.

   •   Private courier (Federal Express).

   a. Hand Carrying. Appropriately cleared OAQPS employees may be authorized to hand carry
CAA CBI material between facilities  (when traveling) if the conditions outlined below are met.

       1) Individuals authorized to carry CBI must contact the CBIO to be fully briefed on the
       provisions of this Section before departing.

       2) While traveling by plane or other public conveyance, employees must keep CAA CBI
       materials in their possession, and will not check them with their luggage.

       3) When employees travel with CAA CBI materials and are unable to deliver or ship the
       CAA CBI materials to a facility authorized to store  CAA CBI, they may store the materials
       for short periods inside the locked trunk of a motor vehicle while en route. At no time will
       CBI materials be stored in the trunk of a car overnight. CAA CBI materials may be
       stored in hotel safes, only if a receipt is obtained from the hotel management.  Otherwise,
       CAA CBI materials must be kept in the possession of the traveler.

       4) The storage provisions for  CAA CBI are detailed in Section VIII.  Storage of CAA CBI shall
       apply to all stops en route to / from a destination.  CAA CBI materials shall not be unwrapped
       until the traveler's destination is reached.  If the materials are to be transferred to someone at
       that location, they must immediately be taken to the local DCO and logged into the local
       Document Tracking System or given to the designated plant recipient.

       5) The CBI Office shall log out CAA CBI carried or escorted by traveling personnel. CAA CBI
       must be inventoried upon return by count and inspection of materials or by inspection of receipts
       for materials, if delivered.

   b. Registered Mail. CAA CBI material must be mailed by registered mail (return receipt
requested). Regular first class mail must never be used to transfer CAA CBI.

   c. Couriers and Express Mail.  EPA and contractor employee couriers, commercial couriers, and
U.S. Postal Service Express Mail may be used in the transmission of CAA CBI.

   d. FAX Transmittal.  During the conduct of daily business it may become necessary to transmit
CAA CBI documents to and from originating facilities or EPA and Contractors in order to expedite
processes. The DCO or DCA must be informed of all FAX transmissions of CAA CBI.

The guidelines listed below have been established to provide security of documents transferred via this
medium and apply to both EPA and Contractor employees:

 Prior to any FAX transmittal of CAA CBI, all parties must be made aware that transmission
lines are not secure and that NO encryption equipment will be used to scramble the message.

      1)  Only a FAX machine located in the CBI Office is authorized to receive a FAX containing
      CAA CBI.

      2)  Before sending a FAX containing CAA CBI, the sender must verify the recipient's access
      authority.

      3)  During transmission, the sender must have sole access to the FAX machine. The sender must
      also ensure that documents are not in plain view of unauthorized person(s) during transmission.

      4)  FAX machines may contain internal memory.  After transmission is complete the sender
          must turn off the FAX machine in order to clear the memory buffer.

      5)  Central FAX receiving centers are not authorized to receive CAA CBI.

      6)  Individuals requesting the transmission of CAA CBI must ensure that the recipient's FAX
      number is correct.

      7)  FAX machines should be configured to print a Transmission Receipt when Faxing
      is complete. This receipt will be placed in the document's official file.  The DCO will contact the
      recipient after transmission to verify the Faxed copies have arrived.

When FAX transmittal is requested, the WAM/TOPO must verify that the recipient is authorized to
receive CAA CBI documents prior to transmission.  Facilities must submit a notarized letter on
corporate letterhead signed by a corporate officer indicating the person(s) authorized to receive CBI.

-------
                                    SECTION VI.
                      STORAGE OF OAQPS CAA CBI
1. OVERVIEW.  This section describes the minimum standards for the physical safeguarding and
storage of CAA CBI.

2. INTENT.  Offices established for the storage and security of CAA CBI material are responsible
for ensuring that all reasonable means have been taken to prevent the unauthorized disclosure of
information. A complete evaluation of security risks will identify the safeguards required to address
potential threats.

3. STORAGE SPECIFICATIONS.

The type of container and storage area approved for CAA CBI storage must be adequate to the
level of security identified by the assessed risk and detailed in the Security Plan.

EPA's Information Security policy provides for a methodology for a risk analysis to adequately
determine the appropriate security level to address the risk. The risk assessment and security plan are
subject to approval by the PRRMS Director and shall be available to representatives of EPA's OIG.

The risk analysis will provide an evaluation of the relative vulnerabilities at an installation in order to
maximize the effectiveness of security measures within the constraints of available resources.

As a minimum, security of CAA CBI materials maintained in manual record form will conform to those
measures prescribed by the EPA Information Security Manual, Section 14.3.

   a.  Minimum storage area requirements

   The preferred CBI storage area is an interior office or room which will be designated solely for the
storage of CAA CBI. Items to consider when choosing a storage area are:

      •   Windows - When visual access is a factor, windows should be kept closed and locked at all
          times. Windows should be made translucent or opaque by any practical method such as
          painting or covering the inside of the glass to prevent viewing from the outside.

      •   Ceilings - Ceilings should be constructed of plaster, gypsum wallboard material, panels,
          hardboard, wood, plywood, ceiling tile or other material offering similar resistance to and
          detection of unauthorized entry. When a false ceiling is used, this false ceiling should,
          within a reasonable manner, provide resistance to unauthorized entry. In those instances
          where barrier walls extend to a solid ceiling, there is no need to reinforce a false ceiling.

-------
       •   Walls - Construction should be plaster, gypsum wallboard material, metal panels, hardboard,
          wood, plywood, or other material offering similar resistance to and detection of unauthorized
          entry.  If insert-type panels are used, a method must be devised to prevent the removal of
          such panels without leaving visual evidence of tampering. Barrier walls should be opaque or
          translucent where visibility is a factor.  If visual access is not a factor, barrier walls may be
          wire mesh or other non-opaque material. Barrier walls should extend to a solid ceiling. If,
          however, walls extend only to the level of a false ceiling, the open area between ceilings
          must be secured.

       •   Access  Door - Whenever possible, the storage area should have only one access door. Doors
          will be  solid wood or metal and secured by a Combination, Cipher Lock or Electronic Card
          Reader.

   b. Minimum storage equipment:

       •   Containers - Lockable File Cabinets (Keyed or Combination Lock). Storage cabinets must be
          secured by a combination lock or require a key for access. "OPEN/CLOSED" magnetic signs
          or equivalent, shall be  posted on each CAA CBI storage container to readily identify
          containers that are open or locked, and to provide a visual spot check at the end of the work
          day to ensure containers are properly secured.

When not in use CAA CBI must be secured in the CBI Office or approved alternate storage area.

4.  PROCEDURES FOR COMBINATION LOCKS AND CABINET KEYS.
Procedures must be developed for the use and accountability of locking devices used on CAA CBI
storage containers. The security of lock combinations and key control is paramount to the OAQPS
security program.  Locks are not required to resist forced entry with tools but shall be so designed and
constructed as to resist the effects of normal everyday use and abuse.

   a. Combination Locks.   Combination  locks used to secure CAA CBI must conform to the
following minimum specifications:

       1)  The locking mechanism shall preclude the changing of the combination without knowledge
       of the existing combination.

       2)  The locking mechanism shall not permit the shackle to be locked out in the open position.

       3)  The locking bolt shall be guarded by not less than three combination wheels.

       4)  The shackle shall not spring to the open position when unlocked.

   b.  Changing Combinations.  Combinations shall be changed only by  cleared personnel
having that responsibility under these circumstances:

-------
       •  Whenever someone who knows the combination no longer requires access.

       •  In the event of suspected compromise of CAA CBI.

       •  When deemed necessary by the custodian.

Knowledge of combinations is limited to CBI Office personnel and DCOs. Records of combinations
must be protected as though CAA CBI.

   c.  Keyed Locks.  Keys require strict controls since they can be more easily lost or stolen.

       1)   Key Control

          •  All keys will be locked in the CBIO key box under the direct control of the DCO/CDCO.

          •  A record of all key ID numbers will be maintained by the DCO/CDCO.

          •  A key control roster will be maintained by the CBIO to annotate when keys are removed
             from and returned to the Key Box by CBIO  staff.

          •  At no time will keys be removed from the CBI office.

          •  Each key will remain in the cabinet locking  device when the cabinet is opened.

          •  Each key will have a tag with the appropriate key ID number affixed. The tag will serve a
             dual purpose. It will make keys easy to  identify and it may serve as an "OPEN/CLOSED"
             indicator.

5. SAFEGUARDING CAA CBI IN THE EVENT OF A DISASTER.


           Security of CAA CBI should be an integral part of any Disaster Plan.

A disaster plan is required by the Federal Emergency Management Agency (FEMA) to ensure the safety
of personnel and to protect vital records. OAQPS and  its contractors are required to protect any
records/documents affecting the  legal and financial rights of the Government and of the people affected
by its actions. Steps taken for safeguarding CBI in the event of an emergency form part of the overall
OAQPS Contingency Of Operations Plan (COOP) which has three main components: prevention,
preparedness, and response.

   a.  Prevention.  Procedural prevention relates to activities performed on a day-to-day, month-to-
month, or annual basis, relating to security and recovery. The objective of procedural prevention is to
define activities necessary to prevent hazards and ensure that these activities are performed regularly.

-------
Physical prevention begins when a CAA CBI storage site is identified or constructed. It includes special
requirements for room construction, as well as fire protection for various equipment. Special
considerations include: computers, fire detection and extinguishing systems, record(s) protection, air
conditioning, heating and ventilation, electrical supply and emergency egress.

    •   The OAQPS DCO will conduct an inspection of the OAQPS CBIO to identify problem areas and
       foster awareness of disaster prevention issues among the staff.

    •   The OAQPS DCO will train the CBIO staff in records management, protection, and how to
       respond to a disaster.

    b.  Preparedness.  OAQPS DCO will ensure that there are appropriate supplies on hand to deal
with immediate needs, conduct CAA CBI database backups on a routine basis and identify local
suppliers of materials that are needed in the event of a disaster. The OAQPS DCO will also keep up-to-
date on current technology, procedures, and services available for disaster planning and recovery, and
ensure the staff is informed about these issues.  Additionally, the DCO will ensure appropriate security
measures are taken to prevent damage or destruction of CAA CBI at approved off-site storage facilities.

    c.  Response.   The OAQPS DCO is responsible for directing all disaster operations affecting
damage or destruction of CAA CBI records. All OAQPS staff (Directors, Group Leaders, POs,
WAM/TOPOs and employees) must be  involved in order for the disaster plan to be effective.
Preventing, preparing for, and responding to a disaster has to be a team effort. The OAQPS DCO will
evaluate the damage, plan and execute recovery operations, and perform a post-disaster assessment.

-------
                                   SECTION VII.
       OAQPS CAA CBI COMPUTER SYSTEM SECURITY
1. OVERVIEW.  This policy applies to all information systems processing and/or storing CAA
CBI. It shall apply equally when the systems are owned and operated by EPA or by its contractors or
consultants.

2. DIRECTIVES.   The computer processing of CAA CBI must be in compliance with the security
guidelines as outlined in EPA Directive 2100, Information Resources Management Policy Manual; EPA
Directive 2195A1, EPA Information Security Manual; and Office of Management and Budget (OMB)
Circular A-130 (directives issued to all Federal agencies processing sensitive data by computer).

These directives require Federal agencies processing sensitive information by computer to establish and
maintain a formal security system.

3. BASIC SECURITY REQUIREMENT.  In accordance with the OAQPS Information
Security Plan, all OAQPS LAN and application users must ensure that system resources are protected.
Employees are held accountable for their actions and are responsible for information security.

When CAA CBI access is permitted over an information system, the system must provide a level of
security adequate to protect any CBI being processed from alteration, loss, or unauthorized access. The
system will conform to the following specifications:

   a. Security Mode.  OAQPS CAA CBI must be entered into an isolated system with access
control safeguards as well as additional safeguards within the system. In addition, file and data
separation is required since not all users are authorized to access all data.

   b. Authenticity and Verification.   The system will authenticate the password of each project,
verify each user's identity, and validate each user's file access authority and privileges. The DCO will
maintain a list of all CBI user Passwords. System output must have special markings that identify
particular data sets or programs to provide audit trails. These audit trails will produce an activity log
and, when possible, an event record to permit analysis of system operation by the CBI Office.

   c.  Remote Operation (Dial-up or Wireless).  There will be no communication system to
interface with remote systems, Personal Digital Assistants (PDAs) or Laptops.

   d. User Requirements.  All system users and persons authorized access to the information system
shall meet the following criteria:

       •   Receive authorization to access CAA CBI data system by completing a Request, Approval,
          and Registration for CAA CBI Computer Access, CAA CBI Form 3.



-------
      •   Obtain and understand the proper security procedures for operation of the system.

      •   Report any incidence of system malfunction.

      •   Receive training in the use of the system.

      •   Sign an acknowledgment of having been provided the above information.

OAQPS and contractor employees authorized access to specific CBI may view a computer screen that
contains the specific CBI to which they have been authorized access.

4. COMPUTER EQUIPMENT ROOM.  Servers and other peripheral equipment forming part
of a CBI information system must be located in a room secured with a keyed or combination lock.  CBI
information systems may be located in the CBI Office or LAN Server room.  Regardless of location, any
room used to house the CBI information system equipment must meet the following minimum
requirements:

   a)  Shall be on a floor not accessible from the exterior of the building.

   b)  Shall be in an area not adjacent to, above, or below an area that would constitute a high-risk
   area from the standpoint of fire or explosion.

   c) Shall maintain only one entrance for personnel access. Other doors, if any,  shall be secured.

   d)  Shall be secured with a Simplex combination  lock, mounted on a solid wooden or metal door.

5. SAFEGUARDING CBI DURING PERSONAL COMPUTER USE.  While
accessing CAA CBI from a computer in an unsecured area, the operator must retain exclusive control
over the operation of the computer and printer and must ensure that only individuals authorized for
access to the CAA CBI can view the terminal screen. If the operator must leave the terminal for any
reason, the computer session shall be terminated.


     ** DO NOT store CAA CBI data on the LAN or Non-Removable storage devices **

   a. Computer Storage Media.  CBI data generated or processed on a personal computer must be
stored on floppy diskettes, compact disks, or detachable hard disks. Floppy or compact disks are
preferable and shall be secured in the CBIO. After each session, storage media will be removed from the
computer and returned to the CBIO.

-------
    b.  Termination of a CBI Computer Session.  Proper termination of a computer session
involving CBI consists of the following steps:

       •  Transferring and verifying the transfer of CBI data to the storage medium.

       •  Removing the storage medium from the computer.

       •  Erasing any storage media no longer required for this purpose, with an authorized utility
          program conforming to the DOD 5220.22-M standard.

       •  Closing out applications properly to erase TEMP files and data that may be temporarily stored
          in Random Access Memory.

       •  Returning the disks and generated printouts to the CBIO.

    c.  Computer Printouts.  If CAA CBI is printed out, the printed material must be secured in the
CBIO. Employees who generate or obtain a printout from the computer must first determine whether
the printout contains CBI. All printouts and any information obtained from a computer screen
containing CBI must be logged in and out through the CBI office.


  Turn off the printer to ensure removal of any CBI information stored in the printer buffer.


6.  SYSTEM SECURITY SOFTWARE  FOR MULTI-USER SYSTEM.   The operating
system will protect itself and provide an authorization function to permit only approved sets of
individuals and programs to be combined for a project. One class of machine instructions will be
reserved for exclusive use of the operating system, and one class will be usable by the operating system
and user applications.

    a. User Permissions.  The system will enforce user privileges as  authorized for any given file and
will include execute Read Only access and prohibit copying or renaming of CBI files.  Authentication
of project passwords, verification of user identity, and validation of user file authority are performed by
the system.

    b. Event Record.  Except for password maintenance activities, unique identifiers (passwords) may
not be printed or displayed on any output or terminal.  Within the limits of system capability, an access
and event journal will be maintained by the system in a secure manner to record system activity, log-on
attempts, and program execution. This audit function should permit event attribution to the individual
user. An exception audit will be produced by the system of all unauthorized activity, including log-on
and file access attempts for review by the DCO/DCA.  The system will include a time clock for
recording events. The system activity log will have a write-only mode.
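
The following is an added example, not part of the EPA manual or of any EPA system: one way the
exception audit described in 6.b could be derived from an event journal while keeping passwords off
all output. The journal line format, field names, list of prohibited operations and every sample
entry are constructed for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample journal, one event per line:
# timestamp|user|event|target|result[|free-text detail]
SAMPLE_JOURNAL = """\
2003-03-04T08:01:12|jdoe|LOGON|-|OK
2003-03-04T08:03:40|jdoe|FILE_READ|proj17/emissions.dat|OK
2003-03-04T08:05:02|asmith|LOGON|-|DENIED|password=hunter2
2003-03-04T08:05:09|asmith|LOGON|-|DENIED
2003-03-04T08:05:15|asmith|LOGON|-|OK
2003-03-04T08:09:51|asmith|FILE_READ|proj17/emissions.dat|DENIED
2003-03-04T08:12:30|jdoe|FILE_COPY|proj17/emissions.dat|OK
2003-03-04T08:15:00|jdoe|PROGRAM_EXEC|report.exe|OK
corrupted line without fields
"""

# Assumption: operations reported as exceptions even when they succeed,
# because 6.a prohibits copying or renaming of CBI files.
PROHIBITED_EVENTS = {"FILE_COPY", "FILE_RENAME"}

SECRET_FIELD = re.compile(r"(?i)\b(password|passwd|pwd)=\S+")


def redact(text):
    """Mask password values so identifiers never reach any output."""
    return SECRET_FIELD.sub(lambda m: m.group(1) + "=[REDACTED]", text)


def parse_journal(text):
    """Return (events, rejected); malformed lines are kept, redacted, for review."""
    events, rejected = [], []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            continue
        fields = raw.split("|")
        try:
            if len(fields) < 5:
                raise ValueError("too few fields")
            # Every event must carry a valid time-clock value.
            when = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%S")
        except ValueError:
            rejected.append((lineno, redact(raw)))
            continue
        events.append({
            "line": lineno,
            "time": when,
            "user": fields[1],
            "event": fields[2],
            "target": fields[3],
            "result": fields[4],
            "detail": redact("|".join(fields[5:])),
        })
    return events, rejected


def is_exception(event):
    """Unauthorized activity: anything refused, plus prohibited operations."""
    return event["result"] != "OK" or event["event"] in PROHIBITED_EVENTS


def exception_audit(events):
    """Group exception events by user so each one is attributable."""
    audit = defaultdict(list)
    for ev in events:
        if is_exception(ev):
            audit[ev["user"]].append(ev)
    return dict(audit)


def format_report(audit, rejected):
    """Render the exception audit as text for the reviewing DCO/DCA."""
    lines = []
    for user in sorted(audit):
        lines.append(f"{user}: {len(audit[user])} exception(s)")
        for ev in audit[user]:
            entry = (f"  {ev['time'].isoformat()} {ev['event']} "
                     f"{ev['target']} {ev['result']}")
            if ev["detail"]:
                entry += f" ({ev['detail']})"
            lines.append(entry)
    for lineno, raw in rejected:
        lines.append(f"unparsed journal line {lineno}: {raw}")
    return "\n".join(lines)


if __name__ == "__main__":
    parsed, bad = parse_journal(SAMPLE_JOURNAL)
    print(format_report(exception_audit(parsed), bad))
```

Unparsed journal lines are reported rather than dropped, so a damaged or tampered entry still reaches
the reviewer.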

-------
7. GENERAL PROCEDURES.  Changes to the operating system will be made off-line,
reviewed, and approved before being installed on the active system. Changes in the application
programs will be made off-line using non-sensitive data and implemented after review.

   a. Checkout. Portable storage disks must be checked out from the CBI Office using the same
procedures described in Section IV.

   b. User Privileges (Multi-User System Only).  Unique identifiers (passwords) shall be used for
project identification in the log-on procedure and for data file access. These identifiers shall be treated
as confidential.  Two passwords are required to begin a program. The DCO/DCA shall provide a
data file access password. System access password and user permissions will be assigned by the
Information Security Officer.

   c. Back-up Files.  CAA CBI files will be scheduled for periodic backups. Backups will be
conducted to removable media (i.e. removable Hard Drive) ONLY.  Back-up files will be secured in the
CBIO.

   d. Transmission.   Input and output media shall be transmitted only between the CBI
Office and the users who are authorized access to specific data contained on the media. In no case will
input media be accepted from or delivered to a third party.  Any system processing and/or storing CBI
must be a system that maintains CBI controls.

8. DESTRUCTION AND RELEASE OF MEDIA.  When no longer needed, all paper
products, program listings and printouts, will be destroyed in  accordance with current procedures for
disposal of CBI documents as listed in Section III.

   a.  Magnetic Storage.  Any magnetic storage media previously used to process or store CAA CBI
may be released from control after it has been erased using an approved software utility. Software used
to sanitize media will conform to DOD 5220.22-M. All identifying markings must be removed prior to
release.

-------
                                  SECTION VIII.
                   CAA CBI SECURITY VIOLATIONS
1. OVERVIEW.   This section sets forth the procedures to be followed whenever CAA
CBI security procedures may have been violated.

2. RESPONSIBILITY OF DISCOVERER.  Any OAQPS employee who is aware of either
actual or possible violations regarding loss of CBI materials or unauthorized disclosures must
immediately report this information to the DCO.

3. INVESTIGATING VIOLATIONS.  All alleged violations of this manual's procedures shall
be investigated, even if there is no evidence of a lost document or unauthorized disclosure.

   a. Preliminary Inquiry.   The PRRMS Director will instruct the OAQPS DCO to conduct
a preliminary inquiry into the circumstances surrounding an actual or possible compromise. The
findings of this inquiry will be presented to the PRRMS Director for evaluation.

   b. Investigation.   Based on a review of the preliminary inquiry, the PRRMS Director may
direct the OAQPS DCO to conduct a full investigation of the incident.  The investigation shall include
the following components:

      •  A complete identification of each item of classified information involved.

      •  A thorough search for the CBI.

      •  Identification of any persons or procedures responsible for the compromise.

      •  A statement that a compromise did occur, may have occurred, or did not occur and an
          estimate of the risk of damage to the affected business.

      •  A thorough discussion of all facts uncovered.

4. REPORTS AND FINDINGS.   Investigative reports shall include, if possible, the document
date, subject, name and address  of the originator, and a description of the material.

   a. Finding of No  Damage. If it is determined that compromise could not reasonably be
expected to cause identifiable damage to the affected business, the report of the preliminary inquiry will
be sufficient to resolve the incident.

   b. Lost Documents.  The report should include the time and date of the loss and the steps taken to
locate the material. If possible, the person responsible for the loss should be identified.



-------
   c.  Evidence of Compromise.  Where a compromise is believed to have occurred, a narrative
statement by the WAM/TOPO should detail the circumstances, the identity of the unauthorized
person(s) who had or may have had access to the material, the steps taken to determine whether a
compromise did in fact occur, and the WAM's evaluation of the importance of the material.

   d.  Finding of Damage.   If it is determined that the probability of identifiable damage to the
affected company cannot be ruled out, the PRRMS Director shall notify the affected business that the
materials claimed as CBI are  not in account and that there is reason to believe the information may have
been disclosed to individuals  not authorized to access it. Written notice to the affected business must
contain a description of the CBI in question and the date of the disclosure.

5. RESULTING ACTIONS.  After receiving an inquiry and/or investigation report, the
PRRMS Director will notify appropriate Division Directors of the report findings and recommend
actions in keeping with the EPA Conduct and Discipline Order. Division Directors are responsible for
imposing punitive measures as deemed necessary.

   a. Violations Subject to Punitive Measures.   Employees may be subject to punitive measures if
they do any of the following:

       •  Compromise CBI  through negligence.

       •  Knowingly and willfully violate any provisions of this manual or, without authorization,
          disclose properly classified CBI.

   b. Punitive Measures.   Punitive measures for security violations are specified in 18 U.S.C. 1905
and 18 U.S.C. 1924 and include, but are not limited to, warning notice, admonition, reprimand,
termination of authorization for access to CBI, removal, discharge, or legal charges. These measures
will be imposed in accordance with applicable law and EPA regulations.

-------
                            CAA CBI DEFINITIONS
Access:  The ability and opportunity to gain knowledge of CAA CBI in any manner whatsoever.

Affected Business:  Any providing organization that could be affected adversely by the unauthorized
disclosure of its CAA CBI.

Authorized Person:  Any person duly authorized pursuant to OAQPS procedures to have access to
CAA CBI.

CAA CBI Control Number:  Unique number assigned by the OAQPS DCO to any document
received or generated that contains CAA CBI.

Confidential Business Information:  Any documentary or non-documentary information, in any
form, received by OAQPS from a person, firm, partnership, corporation, association, or local, State or
Federal agency that relates to trade secrets, commercial or financial information and is claimed as
confidential by the person submitting it under the procedures in 40 CFR, Part 2, Subpart B.

Contractor:  Any person, association, partnership, corporation, business, educational institution,
governmental body or other entity that performs work under a contract with the United States
Government.

Contracting Officer (CO):   EPA delegated official with the authority to enter into contracts on behalf
of the EPA. The CO has sole authority to sign contracts, obligate funds for a contract, issue work
assignments, modify contract terms or conditions, and terminate a contract.

Custody:   Formal responsibility for controlling access  to CAA CBI according to the procedures found
in this manual.

Derivative  CBI:  Confidential Business Information created by incorporating, paraphrasing, restating,
or generating a new form of the information.

Document:   Any recorded information regardless of its physical form or characteristics, including,
without limitation, written or printed materials; data processing cards, disks, and tapes; maps; charts;
photographs; paintings; drawings; engravings; sketches; working notes and papers; reproductions of
such items by any means or processes;  and sound, voice, or electronic recordings in any form.

CBI Office:  Secured interior room at OAQPS headquarters where all CAA CBI is stored.

Document Control Officer:   A Government employee designated by the PRRMS Director to oversee
the OAQPS CAA CBI program.

-------
Document Tracking System: A system to account for the location or disposition of CAA CBI
materials. Materials in a Document Tracking System are assigned unique numerical identifiers, or CBI
control numbers, and their locations are tracked through manual or automated logs or records of receipt,
usage, and transfer.

Employee:  Any person employed by EPA on a full-time or part-time basis in accordance with the
procedures of the Office of Personnel Management. (This definition does not include contractors,
grantees, or their employees).

Federal Agency:   Any organization or entity composed of United States officers or employees except
for Federal courts and Congress.

Holder:   A Federal employee or OAQPS contractor employee who is authorized access to specific
CAA CBI, and is currently in possession of the CAA CBI.

Original CBI: Confidential business information in its original form as submitted by a providing
organization or as recorded during a visit to the providing organization.

Project Officer (PO):  EPA's primary technical representative of the CO for a contract.
Responsibilities include:  evaluating contractor proposals; assisting in writing statement of work;
reviewing contractor progress reports; reviewing contractor requests and recommending approval or
disapproval to the CO; and assisting the CO in the resolution of problems associated with contractor
performance.

Specific CAA CBI:  Confidential business information collected for an individual project or work
assignment/task order under a contract.

Subcontractor:  A contractor that provides a portion of the level of effort on an OAQPS contract
through a contractual agreement with the OAQPS prime contractor. The EPA's contractual agreement is
with the prime contractor, not the subcontractor.

Violation:  The failure to comply with any provision of these procedures, whether or not such failure
leads to actual unauthorized disclosure of CAA CBI.

Work Assignment Manager/Task Order Project Officer (WAM/TOPO):   An EPA program
official who monitors a specific work assignment written under a contract. The WAM/TOPO develops
the statement of work for specific work assignments or task orders and monitors the technical
performance of the contractor.

-------
                       GLOSSARY OF ACRONYMS
ACRONYMS

AAL               Authorized Access List
ADP               Automatic Data Processing
CAA               Clean Air Act
CBI               Confidential Business Information
CBIO              Confidential Business Information Office
CDCA              Contractor Document Control Assistant
CDCO              Contractor Document Control Officer
CFR               Code of Federal Regulations
CWA               Clean Water Act
DCA               Document Control Assistant
DCO               Document Control Officer
EPA               United States Environmental Protection Agency
FEMA              Federal Emergency Management Agency
FIFRA             Federal Insecticide, Fungicide and Rodenticide Act
GAO               General Accounting Office
OAQPS             Office of Air Quality Planning and Standards
LAN               Local Area Network
OIG               Office of the Inspector General
OGC               Office of General Counsel
OSW               Office of Solid Waste
PC                Personal Computer
PRRMS             Planning, Resources & Regional Management Staff
RCRA              Resource Conservation and Recovery Act
TSCA              Toxic Substances Control Act
WAM/TOPO          Work Assignment Manager/Task Order Project Officer

-------
                        INDEX OF APPENDICES
APPENDIX   Pg.      TITLE

   A       A-1      Authorization for Access to CAA CBI for Federal Employees, CAA CBI
                    Form 2
           A-2      Authorization for Access to CAA CBI for Contractor Employees, CAA
                    CBI Form 3

   B       B-1      Memorandum of CAA CBI Telephone Conversation, CAA CBI Form 6

   C       C-1      CAA CBI Meeting Sign-In Sheet, CAA CBI Form 7

   D       D-1      CAA CBI Markings

   E       E-1      CAA CBI Cover Sheet, CAA CBI Form 8
           E-2      CAA Confidential Business Information "Duplicate Copy" Cover Sheet,
                    CAA CBI Form 8a

   F       F-1      Request, Approval, and Registration for CAA CBI Computer Access,
                    CAA CBI Form 10

   G       G-1      Request for Approval of Contractor Access to CAA CBI, CAA CBI Form
                    11
           G-2      Contractor Information Sheet-Contractor CAA CBI Access/Transfer,
                    CAA CBI Form 11a

   H       H-1      CAA CBI Inventory Log, CAA CBI Form 12
           H-2      CAA Confidential Business Information Control Record,
                    CAA CBI Form 1
           H-3      CAA CBI Custody Receipt, CAA CBI Form 14

   I       I-1      Confidential Business Information Security Agreement,
                    CAA CBI Form 15
           I-2      Letter to CAA CBI Requesters Outside of OAQPS
           I-3      Letter to Accompany CAA CBI Transferred Outside of OAQPS
           I-4      Confidentiality Agreement for Federal Employees, CAA CBI Form 2a

   J       J-1      Letter of Transfer (Trip Report Review Letter to Providing Facilities)
           J-3      Trip Report Response Letter to Providing Facility

-------
CAA CBI Security Manual (Appendix A)
FULL NAME
SSN
POSITION
OFFICE
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
 I.  AUTHORIZATION FOR ACCESS TO CAA CBI FOR FEDERAL EMPLOYEES
 It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision who
 require access to CAA CBI:
    1.  Sign the Confidentiality Agreement for Federal Employees
    2.  Are fully informed regarding their security responsibilities for CAA CBI.
    3.  Obtain access only to that CAA CBI required to perform their official duties
 II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES
 I understand that, in accordance with my official duties, I will have access to certain Confidential Business
 Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401 et seq.)

 I understand that, under 18 U.S.C. 1905 and 18 U.S.C. 1924, I am liable for a possible fine of up to $1,000 and/or
 imprisonment for up to one year, if I willfully disclose CAA Confidential Business Information to any person not
 authorized to receive it. Additionally, I understand that, I may be subject to disciplinary action for violation of
 this agreement with penalties ranging up to and including dismissal.

 I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made any statement of
 material facts knowing that such statement is false or if I willfully conceal any material fact.

 I agree that, upon the termination of my duties, transfer or departure from the Environmental Protection Agency,
 I will return all materials containing CAA Confidential Business Information in my possession to the OAQPS
 CBI Office.

 I certify that I have read and understand these procedures and those outlined in the CAA CBI Security Manual.
SIGNATURE
TELEPHONE NO.
DATE
 III. THE UNDERSIGNED CERTIFIES THAT ALL TRAINING AND TEST
 REQUIREMENTS HAVE BEEN MET BY THE EMPLOYEE.
SIGNATURE CBI MANAGER/DCO
TELEPHONE NO.
DATE
 IV. ANNUAL RE-CERTIFICATION: I certify that, in conjunction with my duties, I require access to
 CAA CBI. I am current with all CBI handling procedures and security guidelines as outlined in the CAA CBI
 Security Manual.	  	       	
[Twelve blank Date / Initial entry blocks for recording annual re-certification]
CAA CBI Form 2 (Rev. 01/02) * Must be Division Director (or equivalent) or above.

-------
                            PRIVACY ACT STATEMENT


       Collection of the information on this form is authorized by Section 114 of the Clean Air Act (CAA)
42 U.S.C. 7414. EPA uses this information to maintain a record of those persons cleared for access to CAA
Confidential Business Information (CBI) and to maintain the security of CAA CBI.

       Disclosure of this information may be made to the Office of Air Quality Planning and Standards
(OAQPS) contractors in order to carry out functions for EPA compatible with purposes for which the
information is collected; to other Federal agencies when they process CAA CBI and need to verify clearance
of EPA and EPA contractor employees for access; to the Department of Justice when related to litigation or
anticipated litigation involving the records or the subject matter of the records; where necessary, to a State,
Federal or Local agency maintaining information pertaining to hiring, retention, clearance of an employee,
letting of a contract, or issuance of a grant or other magistrate or administrative tribunal; to opposing
counsel in the course of settlement negotiations; and to a member of Congress acting on behalf of an
individual to whom records in this system pertain.

       Furnishing the information on this form, including Social Security Number, is voluntary, but failure
to do so will prevent you from being given access to CAA CBI and will therefore make impossible the
performance of any task which  requires access to CAA CBI.	

-------
CAA CBI Security Manual (Appendix A)
FULL NAME
SSN
POSITION
CONTRACTOR
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
I.  AUTHORIZATION FOR ACCESS TO CAA CBI FOR CONTRACTOR EMPLOYEES
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision who
require access to CAA CBI:
   1.  Sign the Confidentiality Agreement for Contractor Employees
   2.  Are fully informed regarding their security responsibilities for CAA CBI.
   3.  Obtain access only to that CAA CBI required to perform their official duties
II. CONFIDENTIALITY AGREEMENT FOR CONTRACTOR EMPLOYEES
I understand that, in accordance with my official duties, I will have access to certain Confidential Business
Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401 et seq.)

I understand that, under 18 U.S.C. 1905 and 18 U.S.C. 1924, I am liable for a possible fine of up to $1,000 and/or
imprisonment for up to one year, if I willfully disclose CAA Confidential Business Information to any person not
authorized to receive it. Additionally, I understand that, I may be subject to disciplinary action for violation of this
agreement with penalties ranging up to and including dismissal.

I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made any statement of
material facts knowing that such statement is false or if I willfully conceal any material fact.

I agree that, upon the termination of my duties, transfer or departure from my duties with the Environmental
Protection Agency,  I will return all materials containing CAA Confidential Business Information in my possession
to the OAQPS CBI Office.

I certify that I have read and understand these procedures and those outlined in the CAA CBI Security Manual.
SIGNATURE
TELEPHONE NO.
DATE
III. THE UNDERSIGNED CERTIFIES THAT ALL TRAINING AND TEST
REQUIREMENTS HAVE BEEN MET BY THE EMPLOYEE.
SIGNATURE CBI MANAGER/DCO
TELEPHONE NO.
DATE
IV. ANNUAL RE-CERTIFICATION: I certify that, in conjunction with my duties, I require access to
CAA CBI. I am current with all CBI handling procedures and security guidelines as outlined in the CAA CBI
Security Manual.
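Date: ________  Initial: ________    Date: ________  Initial: ________
Date: ________  Initial: ________    Date: ________  Initial: ________
Date: ________  Initial: ________    Date: ________  Initial: ________
Date: ________  Initial: ________    Date: ________  Initial: ________
Date: ________  Initial: ________    Date: ________  Initial: ________
Date: ________  Initial: ________    Date: ________  Initial: ________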
CAA CBI Form 3 (Rev. 01/02)  * Must be Contractor Management.
                                           A-2

-------
                             PRIVACY ACT STATEMENT

       Collection of the information on this form is authorized by Section 114 of the Clean Air Act (CAA)
42 U.S.C. 7414. EPA uses this information to maintain a record of those persons cleared for access to CAA
Confidential Business Information (CBI) and to maintain the security of CAA CBI.

       Disclosure of this information may be made to the Office of Air Quality Planning and Standards
(OAQPS) contractors in order to carry out functions for EPA compatible with purposes for which the
information is collected; to other Federal agencies when they process CAA CBI and need to verify clearance
of EPA and EPA contractor employees for access; to the Department of Justice when related to litigation or
anticipated litigation involving the records or the subject matter of the records; where necessary, to a State,
Federal or Local agency maintaining information pertaining to hiring, retention, clearance of an employee,
letting of a contract, or issuance of a grant or other magistrate or administrative tribunal; to opposing
counsel in the course of settlement negotiations; and to a member of Congress acting on behalf of an
individual to whom records in this system pertain.

       Furnishing the information on this form, including Social Security Number, is voluntary, but failure
to do so will prevent you from being given  access to CAA CBI and will therefore make impossible the
performance of any task which requires access to CAA CBI.	

-------
CAA CBI Security Manual (Appendix B)
                               US Environmental Protection Agency

                                    Washington, DC 20460
                         MEMORANDUM OF CAA CBI

                        TELEPHONE CONVERSATION
                         I. EMPLOYEE IDENTIFICATION
 Name of Employee
                        Date
 Organization
                        Time
                      II. SECOND PARTY IDENTIFICATION
 Call is:  [ ] To   [ ] From
       Name
 Number
       Organization
 III. Concerning What CAA CBI?
 IV. Content of Conversation: (CONTINUE ON SEPARATE SHEET)
CAA CBI Form 6 (Rev. 01/02)
          B-1

-------
CAA CBI Security Manual (Appendix C)
U.S. Environmental Protection Agency
Washington, DC 20460
CAA CBI MEETING SIGN-IN SHEET
-------
CAA CBI Security Manual (Appendix D)
                 CAA CBI MARKINGS
    "SUBJECT TO CONFIDENTIALITY CLAIM"





    "TO BE OPENED BY ADDRESSEE ONLY"





    "DESTROYED BY         / DATE
    "NO CONFIDENTIALITY CLAIM ASSERTED"





    "CAA CBI CLEARANCE TERMINATED BY       / DATE
                           D-1

-------
CAA CBI Security Manual (Appendix E)
                                 Contractor Control No.:

                                 EPA Control No.:	
                                        Copy No.:	
                         CAA
            CONFIDENTIAL
  BUSINESS INFORMATION
 The attached document contains data claimed to be confidential business information (CBI)
 under the authority of the Clean Air Act (CAA) as amended (42 U.S.C. 7401, 7411, 7412,
 7414, 7416, 7601). CBI may not be disclosed or copied for release to another party. Any
 excerpts or summaries must also be treated as CBI. If you willfully disclose CAA CBI to any
 person not authorized to receive it, you may be liable for a disciplinary action with penalties
 ranging up to and including dismissal.  In addition, disclosure of CAA CBI or violation of
 security procedures may subject you to a fine of up to $1,000.00 and/or imprisonment for up
 to one year.
                DO NOT DETACH
CAA CBI Form 8 (Rev. 01/02)           E-1

-------
CAA CBI Security Manual (Appendix E)
                              Contractor Control No.:
                              EPA Control No.:
                                     Copy No.:_
                       CAA
           CONFIDENTIAL
  BUSINESS  INFORMATION

          DUPLICATE COPY
 The attached document contains data claimed to be confidential business information (CBI)
 under the authority of the Clean Air Act (CAA) as amended (42 U.S.C. 7401, 7411, 7412,
 7414, 7416, 7601). CBI may not be disclosed or copied for release to another party. Any
 excerpts or summaries must also be treated as CBI. If you willfully disclose CAA CBI to any
 person not authorized to receive it, you may be liable for a disciplinary action with penalties
 ranging up to and including dismissal. In addition, disclosure of CAA CBI or violation of
 security procedures may subject you to a fine of up to $1,000.00 and/or imprisonment for up
 to one year.


                  REFERENCE COPY
        DESTROY WHEN NO LONGER NEEDED
               DO NOT DETACH
 Duplicate Destroyed by_
    Date
              (CDCO Signature Required)
CAA CBI Form 8a (Rev. 01/01)
E-2

-------
CAA CBI Security Manual (Appendix F)
                                   U.S. Environmental Protection Agency
                                         Washington, DC  20460

                             Request, Approval, and Registration
                                for CAA CBI Computer Access
                           I.  Request for CAA CBI Computer Access
 1. Name (Last,First,MI)
2. Requestor (Office/Division/Branch)
 3. System and Data Base to Be Accessed
 4. Describe fully the duties that require access to each system
5. Signature of Requesting Official (Division Director or above)
6. Date
II. Computer Room DCA Approval
1. Date Received
2. Signature of Computer Room DCA
III. DCO Approval
1. Date Received
2. Holds Current CAA CBI Access
[ ] Yes  [ ] No
3. Approved
[ ] Yes  [ ] No (Explain on back)
4. Signature DCO
CAA CBI Form 10 (Rev. 01/02)
                                         F-1

-------
CAA CBI Security Manual (Appendix G)
                           U.S. Environmental Protection Agency
                                 Washington, DC  20460

                              REQUEST FOR APPROVAL OF
                          CONTRACTOR ACCESS  TO CAA CBI
 Requesting Official
Signature
Date
 Title and Office
  Contractor and contract number
  EPA Project Officer
EPA Contracting Officer
 I. Brief Description of contract, including purpose, scope, length, and other i[illegible]
    (Continue on back if necessary)
 II. What CAA CBI will be required, and why?
 III. Will computer access to CAA CBI be required by the contract?  [ ] YES  [ ] NO
    (Continue on back if necessary)
 Approved (Signature)
     DATE
CAA CBI Form 11 (Rev. 01/03)
                                            G-l

-------
CAA CBI Security Manual (Appendix G)
                 CONTRACTOR INFORMATION SHEET
                       CAA CBI ACCESS/TRANSFER
 1.  Contractor:
 2.  Address:
 3.  Contract #:
 4.  Is this a renewal of a previous contract?   Yes [ ]   No [ ]
 5.  Previous contract number:
 6.  EPA Project Officer:
 7.  EPA Contracting Officer:
 8.  EPA Work Assignment Manager:
     Phone:        Room:        Mail Code:
 9.  Contractor Project Officer:
 10. Description of duties to be performed by contractor that require CAA CBI access:
 11. Type(s) of data to be transferred/disclosed:
 12. Will CBI be transferred offsite under this contract?   Yes [ ]   No [ ]
 13. If so, to where?
 14. Have contractor security plan and facilities been approved by the OAQPS DCO?   Yes [ ]   No [ ]
 15. If so, date of test site inspection:
 16. Date access scheduled to commence:
 17. Contract expiration date:
 18. Is computer CBI access needed under this contract?   Yes [ ]   No [ ]
 19. Has computer access been approved?   Yes [ ]   No [ ]
CAA CBI Form 11a (Rev. 01/02)

                                        G-2

-------
CAA CBI Security Manual (Appendix H)
CAA CONFIDENTIAL BUSINESS INFORMATION
CONTROL RECORD
DATE RECEIVED:
DATE OF DOCUMENT:
RESPONSIBLE GROUP:
CONTROL NUMBER:
DOCUMENT AUTHOR:
DESCRIPTION (PROVIDING ORGANIZATION, TITLE, SUBJECT, NUMBER OF COPIES, NUMBER OF PAGES)
RETURN DATE:
DESTRUCTION DATE:
INITIALS:
EACH PERSON WHO IS GIVEN ACCESS TO THIS DOCUMENT MUST FILL IN THE INFORMATION BELOW.
CHECK-OUT: SIGNATURE | DATE | TIME
CHECK-IN:  SIGNATURE | DATE | TIME
CAA Form 1  (Rev. 01/02)
                                                H-2

-------
CAA CBI Security Manual (Appendix H)
CAA CBI CUSTODY RECEIPT
US Environmental Protection Agency
Office of Air Quality Planning and Standards
CBI Office (MD-11)
Research Triangle Park, NC 27711
TO:
Date:
Receipt:
Project:
Contact:
FROM:
Sent Via:
Project No:



Document Control Officer
                                                    (Name), DCO
                                                    Environmental Protection Agency
                                                    OAQPS/PRRMS
                                                    MD-XXX-XX
                                                    Research Triangle Park, NC  27711
  INSTRUCTIONS:
   1. Original of this receipt to be signed by recipient and returned to sender.
   2. Duplicate of this receipt to be retained by recipient.
 CBI CONTROL NO.   COPY NO.  DESCRIPTION OF MATERIAL	
  I have personally received material, enclosures, and attachments as identified above. I assume full
  responsibility for the safe handling, storage, and transmittal of this material in accordance with existing
  Confidential Business Information regulations.
 DATE RECEIVED:
SIGNATURE OF RECIPIENT:
CAA FORM 14 (Rev. 01/02)
                                             H-3

-------
 CAA CBI Security Manual (Appendix I)
                CONFIDENTIAL BUSINESS INFORMATION
                            SECURITY AGREEMENT

 In requesting information claimed to be business confidential from the Office of Air Quality
 Planning and Standards (OAQPS), I agree to safeguard this information according to
 (Name of Agency)'s procedures comparable to EPA's procedures for handling Confidential
 Business Information as found in 40 CFR, Part 2, Subpart B, Confidentiality of Business
 Information.  I further agree that access will be limited to only those persons in our organization
 having a "need to know," that the information will be kept in a secure storage container (e.g., a
 lockable file cabinet) while it is in our custody, that a record of persons accessing the
 information be maintained, and that it will be returned to OAQPS at the conclusion of our
 project.
                                            Name, Title  (Please Type or Print)
                                            Signature                 Date
CAA CBI Form 15 (Rev. 01/02)              I-1

-------
CAA CBI Security Manual (Appendix I)

LETTER TO CAA CBI REQUESTERS OUTSIDE OAQPS
Agency Official
Government Agency
Dear (Agency Official):

      (Cite the name of local contact or letter of request) indicates that you have requested a
copy of certain Confidential Business Information (CBI) files which are held by our office.
Please be advised that our long-standing policy is to release CBI only to those persons
authorized by 40 CFR Part 2, Subpart B. Since we have not previously granted clearance for
access to Clean Air Act (CAA) information to you or anyone in your organization, we request
assurance that this information will be handled according to applicable federal regulations. To
provide a record of your agreement to safeguard the information, we require that you sign and
return the accompanying CBI Security Agreement. We will release the requested information to
you upon receipt of this agreement.
                                            Sincerely,
                                            Ieva G. Spons, Director
                                            Planning, Resources and
                                            Regional Management Staff

Enclosures
                                       I-2

-------
CAA CBI Security Manual (Appendix I)

      LETTER TO ACCOMPANY CAA CBI TRANSFERRED
                           OUTSIDE OF OAQPS
Agency Official
Government Agency
Dear Agency Official:

      Your security agreement associated with the request for access to (Detailed information
Description) has been received. We are therefore releasing the enclosed Confidential Business
Information to your custody. Please sign the attached Custody Receipt and return it to:
                  Name, OAQPS Document Control Officer
                  U.S. Environmental Protection Agency
                  Office of Air Quality Planning & Standards
                  Planning, Resources & Regional Management Staff (MD-C404-02)
                  Research Triangle Park, NC  27711
                                           Sincerely,
                                           Ieva G. Spons, Director
                                           Planning, Resources and
                                           Regional Management Staff

Enclosures
                                       I-3

-------
CAA CBI Security Manual (Appendix I)
FULL NAME
SSN
POSITION
OFFICE
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
 I.  AUTHORIZATION FOR ACCESS TO OAQPS CAA CBI
 It is the responsibility of each Authorizing Official* to ensure that the employees under his/her
 supervision who require access to CAA CBI:
     1.  Sign the Confidentiality Agreement CAA CBI Form 2a
    2.  Are fully informed regarding their security responsibilities for CAA CBI.
    3.  Obtain access only to that CAA CBI required to perform their official duties
 II. CONFIDENTIALITY AGREEMENT FOR  FEDERAL EMPLOYEES
 I understand that, in accordance with my official duties, I will have access to certain
 Confidential Business Information submitted under the Clean Air Act (CAA) (42 U.S.C. 7401
 et seq.)

 I understand that, under 18 U.S.C. 1905, and 18 U.S.C. 1924, I am liable for a possible fine of
 up to $1,000 and/or imprisonment for up to one year, if I willfully disclose CAA Confidential
 Business Information to any person not authorized to receive it. Additionally, I understand that,
 I may be subject to disciplinary action for violation of this agreement with penalties ranging
 up to and including dismissal.

 I am aware that, I may be subject to criminal penalties under 18 U.S.C. 1001, if I have made
 any statement of material facts knowing that such statement is false or if I willfully conceal
 any material fact.

 I understand that I can not transfer CAA CBI materials to any other agency or office unless
 specifically authorized by 40 CFR Part 2, Subpart B, and without prior notification of the
 OAQPS CBI Office.

 I agree that, when no longer required by this office, I will return any and all materials
 transferred to me to the OAQPS CBI office.
SIGNATURE
TELEPHONE NO.
DATE
CAA CBI Form 2a (Rev. 01/01) * Must be Division Director (or equivalent) or above.
                                          I-4

-------
                            PRIVACY ACT STATEMENT

       Collection of the information on this form is authorized by Section 114 of the Clean Air Act (CAA)
42 U.S.C. 7414. EPA uses this information to maintain a record of those persons cleared for access to CAA
Confidential Business Information (CBI) and to maintain the security of CAA CBI.

       Disclosure of this information may be made to the Office of Air Quality Planning and Standards
(OAQPS) contractors in order to carry out functions for EPA compatible with purposes for which the
information is collected; to other Federal agencies when they process CAA CBI and need to verify clearance
of EPA and EPA contractor employees for access; to the Department of Justice when related to litigation or
anticipated litigation involving the records or the subject matter of the records; where necessary, to a State,
Federal or Local agency maintaining information pertaining to hiring, retention, clearance of an employee,
letting of a contract, or issuance of a grant or other magistrate or administrative tribunal; to opposing
counsel in the course of settlement negotiations; and to a member of Congress acting on behalf of an
individual to whom records in this system pertain.

       Furnishing the information on this form, including Social Security Number, is voluntary, but failure
to do so will prevent you from being given access to CAA CBI and will therefore make impossible the
performance of any task which  requires access to CAA CBI.	

-------
CAA CBI Security Manual (Appendix J)

                       SAMPLE LETTER OF TRANSFER

             TRIP REPORT REVIEW LETTER TO PROVIDING
                                    FACILITIES
Name of recipient
Title of Recipient
Recipient's Address

Dear (Name):

       Thank you for your efforts in coordinating a visit to the Name of the facility, address,
and date.  The U.S. Environmental Protection Agency (EPA) appreciates the time you spent
discussing the manufacturing process at your facility.

       Enclosed is a draft of the trip report that has been prepared based on the information
obtained during our site visit. We would appreciate your reviewing the report for any errors or
omissions.  You may return the enclosed copy of the report with your written comments. Since
this report will eventually become a part of the public record, we want to portray your operations
as accurately as possible.  A copy of the final version of the report incorporating your comments
will be sent to you for your records.

       The custody receipt for the trip report is also enclosed. Please sign and date the form to
acknowledge receipt of the report and return a copy of the form to the Document Control
Officer, Planning, Resources, and Regional Management Staff (MD-C404-02), U. S.
Environmental Protection Agency, Research Triangle Park, North Carolina 27711.

       If you believe the disclosure of any specific information contained in the trip report
would reveal trade secrets or other confidential information, you should clearly identify the
specific information. Please do not label the entire report "confidential" if only certain portions
consist of trade secret information. If the EPA determines that there is a need to disclose such
information, we will need, at that time, the following to support your claim:

       1. Measures taken by Name of facility to guard against undesired disclosure of the
specific information to others;

       2. The  extent to which  the specific information has been disclosed to others and the
precautions taken in connection therewith;
                                         J-l

-------
CAA CBI Security Manual (Appendix J)

3.  Pertinent confidentiality determinations, if any, by other Federal agencies (furnish a copy of
any such determination, or references to it, if available); and

4. Whether Name of facility asserts that disclosure of the specific information would be likely to
result in substantial harmful effects on facility Name's competitive position, and if so, what
those harmful effects would be, why they should be viewed as substantial, and an explanation of
the causal relationship between disclosure and such harmful effects.

If no claim of confidentiality accompanies the information when it is
received by EPA, it may be made available to the public by EPA without further notice (40 CFR
Part 2.203, September 1, 1976).  Any specific information subsequently determined to constitute
a trade secret will be protected under 18 U.S.C. 1905. However, all emission data will be
available to the public. A clarification of what EPA considers to be emission data is contained in
Enclosure 2.

   We respectfully request that you submit your review comments on the trip report by date. If
you concur with the information contained in the report, we would appreciate a letter to that
effect. In addition, please indicate in your letter the specific parts of the report, if any, that
Facility Name considers to be confidential. If we do not receive a response by date, the report
will be considered nonconfidential and accurate.

    Thank you for your cooperation. The information supplied by Facility Name will be most
helpful in our study. If you have any questions, please call name of WAM/TOPO, telephone
number; Contractor's name, company name and telephone number.
                                  Sincerely,
                                  Group Leader
                                  Division

Enclosure
                                          J-2

-------
CAA CBI Security Manual (Appendix J)

     TRIP REPORT RESPONSE TO PROVIDING FACILITY
Name of Recipient
Title of Recipient
Address

Dear (Name):

       Thank you for reviewing the trip report for the (Date) visit to the (Name and Address of
Facility) by representatives from the U.S. Environmental Protection Agency and (Name of
Contractor if required).  Your comments have been incorporated in the enclosed final trip report.

       The trip report includes a nonconfidential version plus a confidential addendum. The
confidential addendum consists of those items you identified as confidential business information
(CBI) in your (Date) letter. Unless we hear from you by (Date) with further comments or
corrections, we will treat the nonconfidential trip report and the confidential addendum as final.
In its final form, the nonconfidential trip report may be accessed by the general public following
proposal of the national emission standards for hazardous air pollutants for combustion sources
in the (Name Industry).  The confidential addendum can only be accessed by those authorized to
view CAA CBI pertaining to the (Name Industry).

       If you have any questions or additional comments, please contact (Name of Project Lead)
of my staff at (919) 541-XXXX. Thank you for your cooperation.

                                      Sincerely,
                                      Group Leader
                                      (Name) Specific Group
Enclosures
                                        J-3

-------
                                      TECHNICAL REPORT DATA
                                 (Please read Instructions on reverse before completing)
 1. REPORT NO.: EPA-450/B-03-001
 3. RECIPIENT'S ACCESSION NO.:
 4. TITLE AND SUBTITLE: Clean Air Act Confidential Business Information Security Manual
 REPORT DATE: March 2003
 6. PERFORMING ORGANIZATION CODE:
 7. AUTHOR(S): Roberto Morales
 8. PERFORMING ORGANIZATION REPORT NO.:
 9. PERFORMING ORGANIZATION NAME AND ADDRESS:
    U.S. Environmental Protection Agency
    Office of Air Quality Planning and Standards
    Research Triangle Park, NC 27711
 10. PROGRAM ELEMENT NO.:
 11. CONTRACT/GRANT NO.:
 12. SPONSORING AGENCY NAME AND ADDRESS:
    Director
    Office of Air Quality Planning and Standards
    Office of Air and Radiation
    U.S. Environmental Protection Agency
    Research Triangle Park, NC 27711
 13. TYPE OF REPORT AND PERIOD COVERED: Procedures Manual
 14. SPONSORING AGENCY CODE: EPA/200/04
 15. SUPPLEMENTARY NOTES:
 16. ABSTRACT:
 The procedures in this manual provide Federal, Contractor, and Subcontractor employees with the
 information necessary to utilize Confidential Business Information (CBI) in the performance of their
 assigned duties without violating applicable Federal regulations protecting the rights of its owners in
 accordance with the Clean Air Act of 1990 (CAA) as amended.
 17. KEY WORDS AND DOCUMENT ANALYSIS
    DESCRIPTORS:
    b. IDENTIFIERS/OPEN ENDED TERMS:
    c. COSATI Field/Group:
 18. DISTRIBUTION STATEMENT: Release Unlimited
 19. SECURITY CLASS (Report): Unclassified
 20. SECURITY CLASS (Page): Unclassified
 21. NO. OF PAGES: 90
 22. PRICE:
EPA Form 2220-1 (Rev. 4-77)    PREVIOUS EDITION IS OBSOLETE

-------