United States
Environmental Protection
Agency
Office of Air Quality
Planning and Standards
Planning, Resources & Regional
Management Planning Staff (MD-11)
Research Triangle Park, NC 27711
EPA 450/B-98-001 *
August 1998 Edition
CLEAN AIR ACT
CONFIDENTIAL BUSINESS
INFORMATION
SECURITY MANUAL
-------�
EPA 450/B-98-001
CLEAN AIR ACT
CONFIDENTIAL
BUSINESS
INFORMATION
SECURITY MANUAL
U.S. Environmental Protection Agency
Region ii.libi-ary (PL-12J)
77 West Jackson Boulevard, 12th Floor
Chicago, II 60604-3590
U.S. Environmental Protection Agency
Office of Air Quality Planning and Standards (MD-11)
Research Triangle Park, NC 27711
August 1998 (Revised Version)
-------�
TABLE OF CONTENTS
I. PURPOSE, SCOPE, AUTHORITY, & RESPONSIBILITY 1
A. Purpose 1
B. Scope 2
C. Policy 2
D. Authority 2
E. Responsible Officials 3
1. Director, OAQPS 3
2. Director, Planning, Resources and Regional
Management Staff (PRRMS) 3
3. OAQPS Document Control Officer 4
4. OAQPS Documents Control Assistants 6
5. OAQPS Division Directors 6
6. OAQPS Program Project Officers 6
7. OAQPS Group Leaders 7
8. OAQPS Work Assignment Manager/Task Order
Project Officer (WAM/TOPO) 8
9. Employees 9
10. Contractor Document Control Officers 10
//. EDUCATION AND TRAINING 13
A. Overview 13
B. Initial Briefing 13
C. Annual Briefing 13
D. Terminal Briefing 14
///. ACCESS TO SPECIFIC CAA CBI 15
A. Overview 15
B. General Access Requirements 15
C. Employee Access 15
1. Procedures 15
2. Authorized Access Lists 17
D. Withdrawal Of Clearance 20
1. Periodic Review 20
2. Removal From Access Lists 20
E. Contractor Employee Access 21
1. Prerequisite 21
2. Conditions 21
3. Obtaining Approval 22
-------�
4. Security Plan 22
5. Contractor DCO/DCA Requirement 26
6. Completion of Contracts, Work Assignments or
Task Orders 26
7. Authorized Access Lists 26
8. Withdrawal of Access 27
F. Subcontractor/Consultant Access 27
IV. RECORDS MANAGEMENT FOR CAA CBI 30
A. Overview 30
B. Intent 30
C. OAOPS CAA CBI Records Management System 30
1. OAQPS CAA CBI Automated Tracking System 31
2. CAA CBI Control Record 32
3. Cover Sheets 32
4. Custody Receipts 32
5. Pending Log 32
6. Inventory 33
D. Obtaining CBI Documents 33
E. OAOPS CAA CBI Document Control Numbers 34
F. Creating CBI Documents 34
1. Working Papers 34
2. Typing/Word Processing Requirements 35
3. Use in Meetings 35
G. Creating Non CBI Documents 36
1. Deleting or Replacing CBI 36
2. Masking or Aggregating CBI 36
3. Dropping CBI Claim 36
H. Relinquishing Of CAA CBI Status 37
1. Original CAA CBI 37
2. CBI Created by OAQPS 37
I. Determining Claim To Validity 38
J. Reproduction 38
1. CBI Material 38
2. Equipment 38
3. Broken Equipment 39
K. CDCO Record Management Responsibilities 39
1. CAA Control Numbers 39
2. CAA CBI Inventories 39
3. Reproduction 40
V. DISCLOSURE OF CAA CBI 41
A. Overview 41
ii
-------�
B. Disclosure To Other Federal. State Or Local
Agencies 41
1. Non-disclosure Agreement 42
2. Notice to Affected Businesses 43
3. Before Approval 43
4. Before Disclosure 43
C, Disclosure To EPA Contractors And Subcontractors 44
D. Discussing CBI On The Telephone 44
1. Telephone Memorandum 44
2. Telephone Calls with Providing Organizations 44
E. CAA CBI Disclosed At Meetings 45
1. Access 45
2. Chairperson's Duties 46
3. Chairperson's Limitations 46
4. Notes or Recordings 46
5. Safeguarding 46
6. Controls 47
VI. CATEGORIES OF CAA CBI 48
A. Overview 48
B. Original CBI 48
C, Derivative CBI 48
VIL CAA CBI MARKINGS 49
A. Overview 49
B. CBI Stamps 49
C. Computer Output 49
D. Special Categories Of Materials 49
1. Charts, Maps, and Drawings 49
2. Photographs, Films, and Recordings 50
3. CAA CBI Waste 50
VIIL TRANSFERRING CUSTODY OF CAA CBI 51
A. Overview 51
B. Transferring CAA CBI To EPA Contractors and
Providing Plants/Facilities 51
C Transferring CAA CBI from Contractors to OAQPS 52
D. Transferring CAA CBI to Government and State Agencies
Outside OfOAOPS 52
E. Confidential Business Information Security Agreement 53
F. Preparation And Packaging 53
1. Inner and Outer Covers 53
2. Addressing 54
iii
-------�
3. Packaging 54
G. Custody Receipt 54
H. Transfer Methods 54
1. Hand Carrying 55
2. Registered Mail 56
3. Couriers and Express Mail 56
IX. STORAGE OF OAQPS CAA CBI 57
A. Overview 57
B. Intent 57
C. Storage Equipment Specifications 57
D. Procedures For Lock Combinations 57
1. Changing Combinations 58
2. Granting Access to Combinations 58
E. Evacuation Procedures 58
F. Safeguarding CAA CBI in the Event of a Disaster 58
1. Prevention 59
2. Preparedness 59
3. Response 60
X. CAA CBI COMPUTER SECURITY 61
A. Overview 61
B. Directives 61
C. Basic Security Requirement 62
1. Security Mode 62
2. Authenticity and Verification 62
3. Remote Operation 62
4. Users Requirements 62
5. Visitors 63
D. CBI Computer Room 63
E. Safeguarding CBI During Personal Computer Use 64
1. Computer Storage Media 64
2. Terminating a CBI Computer Session 64
3. Use of aPrinter 65
F. System Security Software For Multi-User System 65
1. User Authority 65
2. Event Record 66
G. General Procedures 66
1. Checkout 66
2. User Privileges (Multi-year system only) 66
3. CBI Computer Room DCA 67
4. Back-up Files 67
5. Transmission 67
iv
-------�
H. Destruction and Release Of Data Media 67
1. Magnetic Storage 67
2. Rigid Magnetic Storage Media 68
/. Security Plan 68
J. Risk Analyses 68
XI. DISPOSAL AND DESTRUCTION 69
A. Overview 69
B. Intent 69
C. Notice of Intent to Destroy 69
D. Original CBI 69
E. Derivative CBI 70
F. CBI Waste 70
G. Records of Destruction 70
H. Methods of Destruction 70
XIL CAA CBI SECURITY VIOLATIONS 71
A. Overview 71
B. Responsibility Of Discoverer 71
C. Violations of This Manual 71
D. Preliminary Inquiry 71
E. Investigation 71
F. Reports And Findings 72
1. Finding of No Damage 72
2. Lost Documents 72
3. Compromise 72
4. Finding of Damage 72
G. Resulting Actions 73
1. Violations Subject to Punitive Measures 73
2. Punitive Measures 73
XIII. CAA CBI DEFINITIONS 74
XIV. GLOSSARY OF ACRONYMS 77
XV. APPENDICES 79
v
-------�
LIST OF FIGURES
Figure Page
1. Steps for Obtaining Access to CAA CBI 16
2. Sample Specific Access Letter (Single Projects) 18
3. Sample Specific Access Letter (Multiple Projects) 19
4. Contractor Steps for Obtaining Access to CAA CBI 23
5. Contractor Request for Access to Specific CAA CBI 24
6. Sample Letter for Subcontractor or Consultant Designation
(Notice to Industry) 28
VI
-------�
SECTION I.
PURPOSE, SCOPE, POLICY, AUTHORITY &
RESPONSIBILITY
A. PURPOSE
The procedures in this manual provide Federal,
contractor, and subcontractor employees with the information
necessary to utilize Confidential Business Information to
perform their assigned duties without violating applicable
Federal regulations protecting the rights of its owners.
The purpose of this manual is to set forth policies and
procedures for Federal, contractor, and subcontractor employees
to follow in the handling of information claimed as Confidential
Business Information (CBI), obtained under Section 114 of the
Clean Air Act (CAA), and governed by U.S. Environmental
Protection Agency (EPA) regulations at 40 Code of Federal
Regulations (CFR), Part 2, Subpart B, and other EPA regulations
and policies. CBI collected under the authority of other
environmental legislation is managed according to similar
applicable procedures.
The need to safeguard CBI cannot be overstated. Valid and
secure CBI procedures are essential to EPA's decisionmaking and
therefore is required to effectively safeguard the environment.
Any compromise to CBI threatens not only the businesses providing
data, but also EPA's ability to make, implement and enforce
environmental policy, and ultimately, the communities that
benefit from that policy. Therefore, the Office of Air Quality
Planning and Standards (OAQPS) has designed and implemented a
four-pronged security system to ensure protection of CAA CBI and
at the same time permit effective operations of the OAQPS CBI
Office (CBIO). The CAA CBI security system consists of
controlled access, document tracking, training, and monitoring of
CAA CBI operations.
-------�
B. SCOPE
This manual sets forth policies and procedures to manage and
safeguard CAA CBI. Unless otherwise noted the phrase
"Confidential Business Information" or ("CBI" refers to Clean Air
Act Confidential Business Information only).
C. POLICY
As outlined in the provisions of Section 114 of the Clean
Air Act as amended, it is OAQPS' policy to protect any
information claimed as confidential collected from 114
information requests and site visits by OAQPS personnel and
authorized contractors. The information may be either
documentary information (e.g., written responses to questions,
photographs, records or charts) or non-documentary (e.g., oral
communications, taking of photographs, or visual observations).
The providing organization may assert a claim of confidentiality
under the procedures established in 40 CFR Part 2 by noting such
claim on documentary and nondocumentary materials provided to
OAQPS.
Any material or information claimed as confidential or trade
secret will be treated as confidential by OAQPS and its
contractors in accordance with its contract and provisions of 40
CFR Part 2. Any material or information for which a claim of
confidentiality is NOT made may be made available to the public
by OAQPS without notice to the providing organization.
Documents created by OAQPS or its contractors from
information collected from 114 responses or site visits will be
treated as pending CAA CBI until a determination is made
regarding the status by the providing organization, OAQPS, or the
Office of General Counsel (OGC).
D. AUTHORITY
The policies and procedures found in this manual provide
guidance for compliance with the following Federal statutes and
regulations:
• Clean Air Act as amended
-------�
• 40 CFR, Part 2, Subpart B
• Freedom of Information Act
• Privacy Act
• EPA IRM Policy Manual, Chapter 8, Information Security
E. RESPONSIBLE OFFICIALS
The responsibilities of OAQPS officials and personnel
concerning CAA CBI are outlined below.
1. Director, OAQPS
The OAQPS Director or his designee has overall
responsibility for controlling CAA CBI within the Office. The
Director or Acting Director may delegate his/her authority to
perform security control functions.
2. Director, Planning, Resources & Regional Management
Staff
The Director, Planning, Resources & Regional Management
(PRRMS), has been delegated authority to direct and administer
the CAA CBI program for OAQPS. In performing these duties, the
Director has authority for setting policies, standards, and
procedures that ensure compliance with the laws and regulations
described in EPA IRM Policy Manual, Chapter 8. The Director
provides oversight, a security education program, and a security
assurance program for effective implementation of the OAQPS CAA
CBI program. Specific responsibilities are to:
• Advise the OAQPS Director on the OAQPS CBI CAA program, as
requested;
• Approve initial contract access for OAQPS contractors to
access CAA CBI; and
• Review and approve all outside requests and transfers of
OAQPS CAA CBI to other Federal and State agencies, special
circumstances.
Approval of contractor employee access to specific CAA CBI
documents is delegated to the OAQPS Group Leaders.
-------�
3. OAQPS Document Control Officer
The OAQPS Document Control Officer (DCO) is directly
responsible to the PRRMS Director for implementing the CAA CBI
program. The OAQPS DCO implements and monitors the activities of
the CBIO and provides guidance and technical direction as needed.
The following are responsibilities of the OAQPS DCO:
• Ensures that OAQPS security procedures for handling CAA CBI
are continually reviewed, updated, and enforced;
• Ensures compliance with the security education program and
security assurance program;
• Reviews security plans, procedures, and inspects facilities
of EPA contractors handling and storing CAA CBI files;
• Reviews contractor employee CAA CBI security, education and
training programs;
• Reviews CAA CBI access requests for contractors and other
Federal/State and Local agencies. (The PRRMS Director must
approve requests for all initial contractor access);
• Evaluates proposed system improvements;
• Promptly conducts preliminary inquiries and investigations
of alleged procedural violations and reports findings to the
PRRMS Director; and
• Advises the PRRMS Director concerning appropriate actions
for CAA CBI security violations.
• Signs receipts for CAA CBI arriving and departing OAQPS;
• Reviews documentation of all CAA CBI being transmitted from
OAQPS;
• Transmits CAA CBI to contractor upon the request of the work
assignment manager/task order project officer (WAM/TOPO) or
the responsible Group Leader;
-------�
Declassifies or destroys CAA CBI material after receipt of
authorization from OGC, the owner, WAM/TOPO, or after the
CBI has served its purposes;
Briefs and debriefs all persons designated by Group Leaders
as requiring access to CAA CBI.
Keeps an Authorized Access List of all persons cleared for
CAA CBI access and a record of each person's briefing
status;
Assigns OAQPS CBI control numbers, attach Control Records
and apply markings (when applicable) to all new CAA CBI
documents and reproduce documents as required;
Establishes, maintains, and controls an automated OAQPS CAA
CBI file system. Logs in and out all CAA CBI documents.
Conduct periodic inventories of all CBI documents stored at
the OAQPS CBIO or contractor facilities;
Maintains a tracking system to ensure that CBI transmitted
to other organizations is received;
Prepares CBI for mailing to other Federal agencies, plants
or facilities, and contractors when authorized and maintain
records of all such actions;
Locks CBI in appropriate containers whenever the information
is not in use or under the supervision of cleared personnel;
Ensures at the end of each day that all classified materials
used during the day have been returned to the CBIO and are
properly stored; and
Monitors support staff providing clerical assistance to the
CBIO.
The CBI Office maintains "custody" of CAA CBI at all times
even when being accessed by authorized individuals. Custody of
CAA CBI may only be transferred from one CBI Office to
another.
-------�
4. OAQPS Document Control Assistants
Document Control Assistants (DCA) are employees of
OAQPS in locations other than the Office of the Director, PRRMS
who are charged with implementing the OAQPS CBI program at their
location. The OAQPS DCO oversees their activities and provides
guidance and technical direction as needed.
5. OAQPS Division Directors
The responsible Division Director's responsibilities
are to:
• Ensure that their employees comply with the procedures
listed in this manual.
• Approve all authorizations for their Division employees to
access CAA CBI; and
• Sign as requesting official for contractor employee access
to CAA CBI.
6. OAQPS Program Project Officers
The respective program project officers (POs)
responsibilities are as follows:
• To notify the OAQPS DCO when a contract will require CAA CBI
access and to serve as an interface between the OAQPS DCO,
contractors, WAM/TOPO and the EPA Contracting Officer;
• To issue notification to the affected businesses via Federal
Register notice at the start of a contract by identifying
the contractor or subcontractor who will have access to CAA
CBI submitted to OAQPS in performing their assigned duties;
• Assists WAM/TOPO in preparing individual notification to
affected businesses or industries on an as-needed-basis; and
• Ensures compliance with all CBI procedures set forth in the
applicable contract.
-------�
7. OAQPS Group Leaders
Group Leaders are responsible for ensuring that their
employees and contractors comply with the procedures listed in
this manual. Group Leaders are responsible for the following
functions:
• Designates EPA and contractor employees who need access to
specific CBI associated with each project. This
responsibility may not be delegated, and authorizations made
by formerly responsible Group Leaders will remain in effect
until access lists are reviewed and updated;
• Ensures that Group employees and other persons whom they
designate are qualified and authorized to access CBI
utilizing procedures found in Section II-C;
• Authorizes transfer of CAA CBI to providing companies,
facilities or contractors. The authority to transfer CAA
CBI to all other outside organizations is reserved for the
PRRMS Director;
• Ensures that any CBI the Group receives directly is sent
immediately to the OAQPS CBIO;
• Recommends to the PRRMS Director whether to release CBI to
Congress, the Comptroller General, or other Federal agencies
and ensure that releases are in accordance with Section
2.209 of 40 CFR, Part 2;
• Ensures that CBI is not used in publications or improperly
released in any documents;
• Authorizes necessary creation (by summarization and masking)
of nonCBI materials from CBI and review and approve those
nonCBI materials prior to their release;
• Cooperates with the OAQPS DCO in establishing and improving
CBI safeguards, and implementing and maintaining CBI
education and quality within their Groups; and
-------�
Reports cases of CBI disclosures or possible compromise to
the OAQPS DCO and cooperate with investigations conducted
under the OAQPS CAA CBI security program.
8. OAQPS Work Assignment Manager/Task Order Project
Officer (WAM/TOPO)
The OAQPS WAM/TOPO has primary responsibility for
ensuring that his/her contractors maintain control over
project related CAA CBI and adhere to prescribed procedures.
OAQPS WAM/TOPOs are responsible for the following:
Ensures that contractors and EPA employees working on
his/her project comply with procedures in this manual and
CBI procedures set forth in the applicable contract for CBI
related to his/her project;
Analyzes technical aspects of all project work written or
otherwise created and determine whether CBI is involved and,
if so, have it logged in the CBIO;
Ensures that necessary paperwork is submitted in accordance
with 40 CFR, Part 2, Subpart B, to enable Office of General
Counsel (OGC) to make a final determination as to whether
information that has been received is entitled to
confidential treatment;
Authorizes necessary reproduction of CBI and ensure that CBI
is reproduced only under the supervision of the OAQPS DCO as
described in Section IV-J;
Ensures that memos, notes and reports from telephone
conversations, visits, inspections, or tests are protected
as CBI and filed in the CBIO until a determination is made
regarding the status;
Ensures that CBI is not used in publications or improperly
released in any document;
-------�
• Initiates the process for destruction and disposal of CBI
material;
• Ensures that CBI to be transferred or mailed is processed by
the CBIO for proper wrapping and disposition;
• Ensures that any CBI received associated with his/her
project is logged by the OAQPS CBIO;
• Authorizes contractor to return CAA CBI files to the OAQPS
CBIO at the end of a work assignment or when the information
is no longer required to be maintained at contractor
facilities;
• Provides assistance to the OAQPS DCO in determining the
status of returned CBI materials from the contractor; and
• Reports cases of wrongful disclosure or possible compromise
of CAA CBI to the responsible Group Leader and OAQPS DCO,
and cooperate with investigations conducted under the OAQPS
CAA CBI security program.
9. Employees
Contractor/subcontractor and Federal, State and Local
employees are responsible for the following:
• Complies with all applicable procedures in this manual;
• Complies with all CBI procedures set forth in the applicable
contract;
• Maintains possession of CBI until returned to the CBIO;
• Stores CAA CBI in the CBIO only;
• Discusses CBI only with authorized persons;
• Ensures that any CBI received directly is sent immediately
to the OAQPS CBIO for storage and proper logging;
• Ensures that CBI is not used in publications or improperly
released in any document;
-------�
• Reports alleged violations of security procedures to the
OAQPS DCO immediately; and
• Ensures that memos, notes, and reports concerning CBI
obtained from telephone conversations, visits, inspections,
inquiries, or tests are protected as CBI, logged and stored
in the CBIO.
10. Contractor Document Control Officers
Contractor's management must nominate a Contractor
Document Control Officer (CDCO) and a Contractor Document Control
Assistant (CDCA). Before OAQPS recognizes them as CDCOs, they
must be properly trained and required paperwork on file at OAQPS.
The CDCO controls the receipt, storage, and handling of CAA C3I
by employees in their facilities and manages a document tracking
system.
a. CDCO responsibilities include:
• Serves as the principal contact for OAQPS regarding the
security and control of CAA CBI;
• Provides security plan for safeguarding CAA CBI;
• Maintains a secure CBI facility;
• Conducts CAA CBI briefings (including testing) for all
contractor employees authorized to handle or access CAA CTBI ;
• Obtains signed Authorization for Access to CAA CBI for
Contractor Employees, CAA CBI Form 3 (Appendix B) from each
contractor employee who will have access to CAA CBI before
the employee is granted access. The original of this
completed form shall be forwarded to the OAQPS DCO.
• Conducts annual briefings and testing in support of the
OAQPS CAA CBI education and training program.
• Inspects facilities and review CAA CBI procedures of
subcontractors and obtain OAQPS's approval. The OAQPS DCO
shall accompany the CDCO on inspections.
10
-------�
Maintains a list of contractor employees who are authorized
to access CAA CBI including administrative or computer
support, or as designated by the OAQPS Group Leader as
having a need-to-know specific CAA CBI to perform their
work.
Releases CAA CBI only to authorized persons;
Reviews and update access lists continuously of contractor
employees and notify the OAQPS DCO immediately of any
changes;
Submits updated access lists to the OAQPS DCO monthly;
Provides guidance, technical assistance and administrative
support to contractor employees on all matters concerning
CAA CBI security;
Establishes, maintains, and controls a CAA CBI file system
(including disposition) in compliance with OAQPS' CAA CBI
Records Management procedures;
Logs in and out all CAA CBI documents, summaries,
tabulations, and materials to users,-
Maintains a CAA CBI document retrieval system;
Ensures all CAA CBI is properly stored when not in use;
Ensures CAA CBI is properly wrapped, marked and transferred;
Maintains an inventory of all CAA CBI, conduct periodic
audits, and submit inventory annually to the OAQPS DCO;
Destroys drafts and working papers as authorized by the
OAQPS DCO or project lead;
Maintains in a secure location a record of combinations of
all locks, safes, and cabinets that contain CAA CBI, and
ensure combinations are changed annually, or whenever anyone
who knows the combination terminates or transfers
employment;
11
-------�
Reports alleged violations of contractor security procedures
immediately to contractor management and the OAQPS DCO; and
Obtains a signed Confidential Agreement for Contractor
Employees Upon Relinquishing CAA CBI Access Authority, CAA
CBI Form 5 (Appendix B) for any employee who terminates
employment or transfers to a position not requiring access
to CAA CBI. One copy of this completed form shall be
forwarded to the OAQPS DCO.
Whenever CDCOs terminate their employment or relinquish
their responsibilities, an inventory of CAA CBI materials must
be performed within 30 days of their departure.
Jb. Contractor Document Control Assistant
The Contractor Document Control Assistant (CDCA) will
perform the aforementioned CDCO responsibilities in the absence
of the CDCO.
12
-------�
SECTION II.
EDUCATION AND TRAINING
A. OVERVIEW
The OAQPS Confidential Business Information (CBI) education
and training program is implemented by the OAQPS DCO. Group
Leaders and contractor management must arrange for employees to
be available for briefings in support of the OAQPS CAA CBI
program. Designated employees must meet all requirements of the
program to obtain and maintain authorization to access CAA CBI.
B. INITIAL BRIEFING
All access designees shall:
1. read this manual;
2. receive a briefing on the responsibilities and
procedures for proper handling of CAA CBI; and
3. pass a competency test at the end of the briefing.
After receiving the briefing and passing the competency test,
each employee will sign an Authorization for Access to CAA CBI
for Federal Employees, CAA CBI Form 2 or CAA CBI Form 3 for
contractors (Appendix A). Employees may then be nominated and
approved for access to specific CAA CBI and their name placed on
the authorized project access list.
C. ANNUAL BRIEFING
Federal and contractor employees approved for CAA CBI access
must maintain their access authority by attending an annual
security briefing and passing a written test. Annual briefings
will be given in the month of employee's initial access.
Employees who fail to attend their last annual briefing will be
given an opportunity to attend other scheduled briefings. If
they fail to attend a makeup session, within 3 months of expired
13
-------�
access, their names will be removed from the OAQPS CAA CBI
Authorized Access List.
The OAQPS DCO will notify the Group Leader of the
suspension. If the employee fails to attend the next scheduled
briefing within 30 days of the suspension notice, the employee
must relinquish authorized access to CAA CBI. The employee must
return all CBI materials which they may have in their possession
to the CBIO and sign a Confidential Agreement for U.S. Employees
Upon Relinquishing CAA CBI Access Authority, CAA CBI Form 4
(Appendix C) or CAA CBI Form 5 for contractors (Appendix B). If
access to CAA CBI is relinquished, the Group Leader must
renominate the employee to access CAA CBI, direct the employee to
attend a briefing, and obtain authorization to access CAA CBI by
completing CAA Form 2.
D. TERMINAL BRIEFING
All employees who have been granted access to CAA CBI shall
receive a terminal briefing and sign a Confidential Agreement for
U.S. Employees Upon Relinquishing CAA CBI Access Authorized, CAA
CBI Form 4 or CAA CBI Form 5 (contractors) when they terminate
their employment or transfer to a position in which CAA CBI
access is not required.
14
-------�
SECTION III.
ACCESS TO SPECIFIC CAA CBI
A. OVERVIEW
This section describes policies and procedures for allowing
access to Confidential Business Information (CBI) and for
dissemination of CAA CBI to OAQPS contractors.
B. GENERAL ACCESS REQUIREMENTS
No person has a right of access to CBI by virtue of
organizational title or position alone. A person must also have
a need-to-know specific CBI before access is granted. There is a
responsibility to the organization providing CAA CBI to protect
its information and a parallel responsibility of OAQPS employees
and contractors to minimize their liability.
C. FEDERAL EMPLOYEE ACCESS
Care in granting access to CBI is important in ensuring a
secure CBI system. A secure CBI system requires the continuous
updating of the employee Authorization Access List (AAL) ensuring
attendance of yearly briefings, and the continuous updating the
specific Project AAL to reflect current employee work
assignments.
1. Procedures
Upon determining that an OAQPS employee needs access to
CAA CBI, Group Leaders refer those employees to the OAQPS DCO.
The employee attends an initial OAQPS CAA CBI security briefing.
After passing the written test (as explained in Section II,
Education and Training), the employee and OAQPS DCO sign an
Authorization for Access to CAA CBI for Federal Employees, CAA
CBI Form 2 (Appendix A). The form is then forwarded to the
responsible Division Director for signature and final approval.
Approved forms are returned to the CBIO for filing. See Figure 1
for steps in obtaining access to CAA CBI.
15
-------�
Steps for Obtaining Access to CAA CBI
GROUP LEADER NOMINATES
Employee Needing Access
EMPLOYEE ATTENDS
CBI Briefings
EMPLOYEE PASSES
Written Test
EMPLOYEE SIGNS
Confidentiality Agreement
DIVISION DIRECTOR
Approves Employee Access
GROUP LEADER DESIGNATES
Access to Specific CBI
CBI OFFICE MAINTAINS
Authorized Access Lists
Figure 1
16
-------�
In addition, the responsible Group Leaders must
designate and approve employees who have a need-to-know for
specific CAA CBI in order to access individual projects by
submitting an authorization (memo) to the OAQPS DCO (Figures 2
and 3). The authorization may include OAQPS and contractor
personnel who require access to specific projects containing CAA
CBI .
** NOTE: Approval of CAA Form 2 does not automatically allow
access to all individual projects. **
Administrative support personnel, DCOs, and DCAs,
CDCOs, CDCAs etc. may obtain administrative access to CAA CBI to
provide typing, word processing, supervised reproduction,
courier, and document handling support of CAA CBI. This access
may be granted upon nomination, attendance of briefing and
passing written test and does not require designation by Group
Leaders to access specific CBI.
Federal or contractor employees who require on-line
access to a computer system or database containing CAA CBI must
complete a Computer Request, Approval, and Registration for CAA
CBI Computer Access, CAA CBI Form 10 (Appendix G), and notify the
DCO. See Section X, CAA CBI Computer Security.
Other EPA employees (outside of OAQPS), who have a
need-to-know specific CAA CBI may request OAQPS CAA CBI access
authority. An Authorization for Access to CAA CBI for Federal
Employees, CAA CBI Form 2 (Appendix A) must be requested from the
OAQPS CBIO, completed and returned. In addition to completion of
this form, the requested CAA CBI and the OAQPS WAM/TOPO
responsible for that CBI must be identified. Upon approval by the
responsible OAQPS Group Leader and the requestors management
(equivalent to the Director or higher), the employee may access
the material as outlined in Section VIII. The WAM/TOPO verifies
CAA CBI to be transferred, and the OAQPS DCO will properly
package and transfer materials.
2. Authorized Access Lists
Upon receiving approval to access CAA CBI, the employee
name(s) is placed on the OAQPS CAA CBI Authorized Access List.
17
-------�
EXAMPLE
MEMORANDUM
SUBJECT: Confidential Business Information (CBI) Access
FROM: (Name of Group Leader)
(Name of Group)
TO: Melva Toomer, OAQPS Document Control Officer
This memorandum is to request that the following personnel name(s) be removed from
the CAA CBI authorized access list for the (name of the project), (ESD Project # or CBI #).
(Name(s) of individuals including affiliation)
Also, please add (name(s) of to the CBI authorized access list for the (name of project,
etc.). Description of material: Any material received as a result of developing the NESHAP for
(name ofindustiy or NESHAP).
(List name(s) and affiliation)
Figure 2
18
-------�
Example
MEMORANDUM
SUBJECT: Authorization for Access to CAA CBI Files
FROM: (Name of Group Leader)
(Group Name, Mail Drop)
TO: Melva Toomer, OAQPS DCO
PRRMS, CBIO, MD-11
ESD Project No & Title: 97/06 - Cellulose Production MACT
97/14 - Leather Tanning & Finishing MACT
This memorandum is to request that the following individual(s) name(s) be added to the
access list for CAA CBI information collected for the (name of project and project #}.
97/06: (List names including OAQPS and contractor personnel)
97/14: (List names including OAQPS and contractor personnel)
Figure 3
19
-------�
When the Group Leader designates an employee for access to
specific CBI, the name is placed on the OAQPS Authorized Project
Access List. These access lists are used as a reference to
determine whether an individual is currently authorized to access
CAA CBI and what specific CBI they are authorized to access on a
need-to-know basis.
The OAQPS DCO provides Group Leaders with both access
lists on a regular basis to determine whether any names of
employees within their jurisdiction should be added or deleted.
Group Leaders confirm the names listed or make appropriate
changes, if assignments are shifted or employment terminated, and
return the list to the OAQPS DCO to use in updating the
"official" OAQPS CAA CBI access lists.
D. WITHDRAWAL OF CLEARANCE
CAA CBI clearances are withdrawn as a result of a Federal or
contractor employee no longer having a need to access CAA CBI .
1. Periodic Review
All CAA CBI accesses will be reviewed periodically to
minimize the number of people authorized access. A Group Leader
may determine that a currently cleared Federal or contractor
employee no longer requires access to specific CAA CBI for the
performance of official duties and obligations. Should that
happen, access is withdrawn.
2. Removal From Access Lists
The name of employees who no longer need access to CAA
CBI is removed from the OAQPS CAA CBI access lists. Access is
terminated under the following circumstances:
• termination of employment;
• termination of duties requiring access to CBI; and
• failure to attend the yearly briefing and pass the written
test explained in Section II, Education and Training.
20
-------�
E. CONTRACTOR EMPLOYEE ACCESS
1. Prerequisite
The respective program Project Officers shall notify the
OAQPS DCO immediately upon determining that a prospective
contract may require that contractors be granted access to CAA
CBI. The following information must be furnished:
• The name of the prospective contractors and the location of
the contractor's facility.
• A copy of the Federal Register notification for contractor
access to CAA CBI collected under the specific contract,
including the contract number.
• A copy of the statement of work.
• Whether the contractor's facility is to receive and store
CBI under the contract.
2. Conditions
Contractors may not receive access to CAA CBI until the
contractor meets the following conditions:
• Obtain OAQPS approval for access to CAA CBI;
• Prepare and have OAQPS approve a security plan;
• Have the contractor site inspected and approved by OAQPS;
• Nominate and train a Contractor Document Control Officer
(CDO), and a Contractor Document Control Assistant (CDCA)
acceptable to OAQPS; and
• Obtain OAQPS approval from responsible Group Leader for
access to specific CAA CBI for each contractor employee
required to work with CAA CBI.
21
-------�
3. Obtaining Approval
When access to CAA CBI is necessary, the contractor
must complete a Request for Approval of Contractor Access to CAA
CBI, CAA CBI From 11, (Appendix H). The form must explain the
reasons CAA CBI access is necessary under the contract. The
OAQPS WAM/TOPO must forward the form and Contractor Information
Sheet, CAA CBI Form lla, (Appendix H) to his/her Division
Director, who will sign the form as the requesting official arid
forward it and the information sheet to the OAQPS DCO for revi.ew.
The OAQPS DCO will then forward the form and the information
sheet to the PRRMS Director for final approval.
After the above prerequisites and conditions for
contractor access have been met, the OAQPS WAM/TOPO confers with
contractor officials to determine which work assignments or task
orders, and which employees will require access to CAA CBI. Upon
receiving the requirements for contractor employee access to CAA
CBI, the CDCO will have the designated employee(s) attend an
initial briefing, pass a written test, obtain signatures on the
Authorization for Access to CAA CBI for Contractor Employees, CAA
CBI Form 3, (Appendix A). The contractor employee names are then
submitted to the OAQPS DCO to be included on the OAQPS authorized
access list. Employees requiring access to computerized CAA CBI
must also complete a .Request, Approval and Registration for CAA
CBI Computer Access, CAA CBI Form 10, (Appendix G). The
originals of these forms are also forwarded to the OAQPS DCO for
the record. See Figures 4 and 5, Contractor Steps for Obtaining
Contractor Access to CAA CBI, and Contractor Request for Specific
CAA CBI Access.
4. Security Plan
The contractor must prepare and OAQPS must approve a
security plan for access to CAA CBI at a location away from trie
OAQPS headquarters facilities. Security plans must describe
physical security mechanisms at the contractor's site and
procedures to be followed by employees when handling CAA CBI at
the site.
22
-------�
Contractor
Steps for Obtaining Access to CAA CBI
Obtain Approval from Director
PRRMS to Access CAA CBI
Prepare & Submit an Adequate
Security Plan
Pass OAQPS Inspection of Site
Nominate & Obtain Approval
of Contractor Employees to
Serve as CDCO and CDCA
CDCO Brief & Test Employees
on Security Procedures
Submit Name(s) & Obtain
Approval for Individual(s) to
Access Specific CBI
Figure 4
23
-------�
EXAMPLE
CONTRACTOR REQUEST FOR ACCESS TO SPECIFIC
CAA CBI
Date: June 23, 1998
Subject: Access Request to Clean Air Act Confidential Business Information
Contract No:
Work Assignment No: (or Title of Project)
BSD Project No:
From: (Name of Requestor)
Contract Document Control Officer
(Name of company)
To: Melva Toomer, OAQPS DCO
OAQPS, PRRMS/CBIO, MD-11
(Name of individual(s)) have been assigned to work on the referenced project, and their
work will require them to access confidential business information (CBI) that has been collected
under the Clean Air Act (CAA). The mentioned (name of company) personnel have been trained
and are authorized to access CAA CBI.
Approved by:
(WAM/TOPO) Date (Group Leader) Date
Figure 5
24
-------�
The procedures described within this manual and the
OAQPS forms in the appendices are intended to serve as guidelines
for the preparation of contractor security plans and need not be
incorporated verbatim in the plans. However, contractor security
plans must equal or surpass the security standards described in
this manual.
The following is an outline of a Security Plan.
• CDCO responsibilities
• Access procedures
• Accountability system
• Pending file system
• CAA CBI storage
• CAA CBI transfers
• CAA CBI safeguards (including disaster prevention,
preparedness, and recovery plan)
• Security violations
• Education and training
• Computer security (if applicable)
The OAQPS DCO is responsible for reviewing contractor
security plans, discussing any perceived deficiencies with the
OAQPS PO and the contractor, and sending a memorandum through the
PO to the contractor either approving or disapproving the
security plan. In addition, the OAQPS DCO must inspect and
approve contractor facilities before CAA CBI can be received or
stored. All facilities authorized for CAA CBI access are
inspected by OAQPS on an annual basis. If during an inspection
or review of the security plan, only minor problems are noted,
the OAQPS DCO will work with the contractor to correct them. If
there are major deficiencies, the contractor may be given 30 days
to correct the deficiencies. The contractor shall conduct
periodic internal audits of its facilities, employees, and the
25
-------�
CAA CBI security system to ensure compliance with its security
plan. Records of such audits will be available upon request.
5. Contractor DCO/DCA Requirement
Prior to the commencement of access to CAA CBI,
contractor management must nominate contractor employees who will
serve as CDCO/CDCA and obtain approval by OAQPS. The CDCO/CDCA
must be trained in proper CAA CBI handling procedures prior to
being assigned to their positions. The OAQPS CAA CBI Security
Manual is provided, and the CDCO/CDCA may attend a CAA CBI
briefing offered by the OAQPS DCO. The requirement that a CDCO
be assigned before actual access may begin applies even if access
to CAA CBI under the contract is limited to the OAQPS
headquarters facilities. The CDCO serves as the liaison betwsen
OAQPS and the contractor on issues relating to CAA CBI and plays
important roles in requesting and maintaining access
authorization for individual contractor employees and in handling
CBI. The CDCA is a back-up for the CDCO.
6. Completion of Contracts, Work Assignments, or Task
Orders
Upon completion of the contract, work assignment, or
task order, the CDCO must inventory all CBI materials and report
the results to the OAQPS DCO. Within 30 days of completion, the
contractor must collect all CBI materials and document control
materials, including logs and control records (see Section VIII)
and transfer them to the OAQPS DCO. The OAQPS DCO will inventory
the materials, the WAM/TOPO will review the materials, determine
status, and initiate process for proper disposition of returned
CAA CBI materials.
7. Authorized Access Lists
The contractor must maintain CAA CBI Authorized Access
Lists: names of individuals with CAA CBI access including test
date and specific project access authorization, and submit an
updated list to the OAQPS DCO monthly. The list is used to
ensure that only individuals with current CAA CBI access
authority obtain materials from the CDCO.
26
-------�
8. Withdrawal of Access
When a contractor employee no longer requires access to
CAA CBI, the CDCO will have the employee sign a Confidential
Agreement for Contractor Employees Upon Relinquishing CAA CBI
Access, CAA CBI Form 5, (Appendix B). Remove their name from the
authorized access lists, notify the OAQPS DCO of the deletion,
and forward a copy of CAA CBI Form 5 to the OAQPS DCO.
F. SUBCONTRACTOR/CONSULTANT ACCESS
The program PO is responsible for notifying the public and
affected business of all subcontractors who require access to CAA
CBI collected under the respective contracts. If this
information is known at the beginning of the contract, a Federal
Register notice must be published according to the guidelines as
specified in the Clean Air Act.
The prime contractor is responsible for notifying OAQPS of
all subcontractors or consultants being used prior to releasing
any CAA CBI to them. This also includes subcontractors or
consultants accompanying the prime contractor or EPA staff on
site visits. Figure 6, is a sample letter that must be prepared
and sent to affected businesses notifying them of who will have
access to their information submitted to OAQPS. A ten day
waiting period must be allowed before CAA CBI is disclosed to the
subcontractor/consultant.
27
-------�
SAMPLE
Name of Recipient
Title of Recipient
Recipient's Address
Dear Mr./Ms. (Recipient's Last Name):
The United States Environmental Protection Agency has authorized the following
subcontractor to access information that has been, or will be, submitted to the EPA under section
114 of the Clean Air Act (CAA) as amended: list name and address of subcontractor/consultant.
Some of this information may be claimed to be confidential business information (CBI) by the
submitter. This subcontractor will be providing support to the EPA under contract (list contract
number). The prime contractor on this contract is (list name and address of the prime
contractor). Under the direction of the prime contractor, this subcontractor will provide
technical support to the Office of Air Quality Planning and Standards (OAQPS) in developing
Federal Air Pollution Control Regulations.
The EPA is issuing this notice to inform all submitters of information under section 114
of the CAA that the EPA may provide the above mentioned subcontractor access to these
materials on a need-to-know basis. Notification of the prime contractor's potential access to CBI
was done through a previous Federal Register notice.
In accordance with 40 CFR 2.30l(h), the EPA has determined that the above
subcontractor requires access to CBI submitted to the EPA under sections 112 and 114 of the
CAA in order to perform work satisfactorily under the above noted contract. The subcontractor's
personnel will be given access to information submitted under section 114 of the CAA. The
subcontractor's personnel will be required to sign nondisclosure agreements and will receive
training on appropriate security procedures before they are permitted access to CBI. The above
subcontractor's clearance for access to CAA CBI is scheduled to expire on September 30, 2001.
Figure 6
28
-------�
Please provide any comments regarding the above subcontractor's access to CBI
submitted by your company within ten working days of your receipt of this letter. Comments
should be submitted to Melva Toomer, Document Control Officer, Office of Air Quality
Planning and Standards (MD-11), U.S. Environmental Protection Agency, Research Triangle
Park, North Carolina 27711, (919) 541-0880.
Sincerely,
Name ofTOPO/WAM
Emission Standards Division
cc: Melva Toomer (MD-11)
leva Spons (MD-11)
Tim Watkins I Carolyn Wigington, Project Officer (MD-13)
Figure 6 (continued)
29
-------�
SECTION IV.
RECORDS MANAGEMENT FOR CAA CBI
A. OVERVIEW
This section describes how Confidential Business Information
(CBI) either originated by OAQPS or its contractors as derivative
CBI or received as original CBI is identified, protected, logged,
controlled, and managed.
When any OAQPS employee or contractor employee receives or
otherwise obtains material containing or suspected of
containing CBI, they shall deliver those materials immediately
to the CBI office for proper logging and storage.
B. INTENT
The OAQPS CAA CBI Records Management System must be able to
trace the movement of CBI, identify the persons with authorized
access to it, detect its misplacement and make prompt retrieval
possible. The OAQPS CAA CBI Records Management System ensures
these objectives are accomplished by the maintaining of
authorized access lists, assigning unique numerical identifiers
(CBI control numbers) to each document, maintaining an automated
inventory of all documents submitted/logged into the system, and
by monitoring the movement of CBI through manual or automated
logs, records of receipt, usage, and transmission. All material
submitted to OAQPS and all material generated at OAQPS containing
information claimed to be CBI are controlled through the OAQPS
CAA CBI Records Management System.
C. OAQPS CAA CBI RECORDS MANAGEMENT SYSTEM
The foundation of the OAQPS CAA CBI Records Management
System includes the following basic items:
• Automated database (all CBI re: TSCA, CWA, RCRA, FIFRA,
etc. )
• Control Records (for each item in the system)
• Custody Receipts (for transfer of material)
30
-------�
• Cover Sheets (for document protection/identification)
• Destruction and Declassification Logs
• Pending Log (for new material)
• Inventory (by project, WAM/TOPO, disposition, etc.)
• Employee Authorized Access List
• Project Authorized Access List
1. OAOPS CAA CBI Automated Tracking System
An automated database is used to record pertinent
information about CAA CBI materials filed in the CBIO, persons
authorized to access specific CAA CBI, and contains the following
information.
• Date received
• Date of document
• Number of copies
• CBI control number
• Project name
• Document description
• Provider identification
• Transfer information
• Destruction record
• Authorized access clearances
Various reports may be generated on a routine basis or
when requested by management. They are:
• Complete inventory of all CBI documents including
disposition (pending, permanent inventory, destruction,
declassification, etc.);
• Listing by specific regulating Acts;
• Listing by specific CBI projects;
• Listing of documents assigned to individual WAMs ,• and
• Listings of authorized personnel (EPA and contractors).
The CAA CBI database is continuously updated and allows
the OAQPS DCO to determine the disposition of documents, retrieve
documents in a timely manner, and to generate an accurate up-to-
date inventory on a monthly basis or when requested.
31
-------�
2. CAA CBI Control Record
CAA CBI Control Record, CAA Form 1 (Appendix J) is
placed in each CAA CBI file as a permanent record of authorized
personnel access. It also contains reproduction, transfer,
declassification, destruction, and any other pertinent
information about the document. The Control Record facilitates
timely and accurate accounting for CAA CBI material during the
work day. Each user of CAA CBI must sign and date the Control
Record each time access is granted to a CBI document.
The Control Record is extracted from the file and
retained by the OAQPS CBIO or contractor CBIO as a receipt for
the material while it is checked out. It is signed and dated by
the OAQPS DCO or CDCO upon the return of the CBI material and
filed in the appropriate folder.
When a CAA CBI document is declassified or destroyed,
the CAA CBI Control Record or register must be retained for a
period of two-years after the completion of a project or until
the specific CAA CBI project file has been reconciled.
3. Cover Sheets
A CAA CBI Cover Sheet, CAA Forms 8 and 9 (Appendix F)
is a yellow sheet of paper inscribed with a claim of
confidentiality and handling instructions. The Cover Sheet
conceals the front of each document and should not be removed.
4. Custody Receipts
CBI Custody Receipts are discussed in Section VIII,
Transferring Custody of CAA CBI.
5. Pending Log
The CAA CBI Pending Log, CAA CBI Form 13 (Appendix I)
is used to account for all CBI materials upon initial receipt
pending a decision by the appropriate personnel. The WAM/TOPO
will review submitted materials and remove any nonCBI (as
appropriate) and, verify the accuracy of information contained
within. After review of the materials and the confidentiality
is determined, the documents are logged into the OAQPS CAA CBI
32
-------�
Inventory. WAMs/TOPOs are contacted every 30 days to determine
the status of materials stored as pending and to solicit further
instructions concerning the disposition of these materials.
CDCO shall contacr their employees to determine the status
of materials with a pending disposition and solicit further
instructions concerning materials if there has been no action
within the preceding 30 days.
6. Inventory
The OAQPS CAA CBI Inventory Log, CAA CBI Form 12
(Appendix I), is also maintained by the OAQPS DCO. This
inventory must have an accurate nonCBI description of each
document. The inventory log includes the following information:
• Date received
• CBI control number (OAQPS & contractor)
• Provider's name and address
• Name of project or work assignment
• Description of materials (number of copies, pages, etc.)
• Date of document
• Disposition status
• Inventory date
It identifies all CBI material for which OAQPS is
accountable; An inventory of CBI material is conducted at least
once a year, during which time each CBI file is reviewed and
purged of unneeded materials with the assistance of the WAM/TOPO.
D. OBTAINING CBI DOCUMENTS
Employees and contractors who are authorized access to
specific CAA CBI may obtain CBI materials from the OAQPS CBIO
from 7:30 a.m. to 5:00 p.m., Monday through Thursday, and Fridays
from 7:30 a.m. to 3:30 p.m. The OAQPS DCO verifies that the
employee is authorized access to the requested CBI. Employees
must sign the OAQPS CBI Control Record upon receipt of the
document and safeguard CBI materials while in their possession.
Any time an employee relinquishes physical custody of the CAA CBI
(lunch or at the end of the day), he/she must obtain a release of
responsibility for the document by having the DCO sign and date
the Control Record. (Direct transfer of CAA CBI materials
33
-------�
between employees is not permitted). CBI materials are
transferred only through CBI offices or DCOs.
E. OAOPS CAA CBI DOCUMENT CONTROL NUMBERS
The OAQPS DCO assigns an individual control number to each
CAA CBI document. The number consists of a least ten digits
(e.g., 94111-C02-09). The first five digits are the fiscal year
and project identification numbers; first two numbers are the
fiscal year the document was initially received and next three
numbers are assigned for each specific project (e.g., 94111); the
next three digits identify the responsible and WAM/TOPO (e.g.,
C03); and the last digit refers to the number of documents
received by CBIO for a specific project. The OAQPS CBI control
number is placed on the cover sheet, the first page, and on the
back of the last sheet or back cover of the document. The number
is also placed on the custody receipts and folders for
identification purposes.
F. CREATING CBI DOCUMENTS
All CBI and pending CBI documents generated by OAQPS will
be treated and protected as such until a CBI determination has
been made by the responsible Group Leader, providing
organization (affected business) or OGC.
Documents and other materials generated by OAQPS or its
contractors that contain information from CBI documents are
usually CBI themselves.
1. Working Papers
Newly created CBI is at first in the form of working
papers pending the creation of new CBI documents. The category
of CAA CBI working papers includes materials such as notes and
outlines; initial drafts of documents; computations, drawings,
and diagrams; and pending documents. Working papers are labeled
as PENDING CBI, provided a OAQPS CAA CBI Control Record and Cover
Sheet, secured in the CBIO, and otherwise used and handled like
any other CBI document except they are labeled pending until the
disposition is determined. After the document has been deemed as
confidential, the status is changed to permanent and maintained
34
-------�
according to OAQPS records management policies governing CAA CBI.
2. Typing/Word Processing Requirements
The author of a CAA CBI document may provide the
document to a typist who is authorized access CAA CBI. The
typist must return to the author the newly typed materials and
the original draft when typing is completed. All materials used
in typing documents containing CAA CBI, including word processing
disks, ribbons, carbons, and waste paper must be treated as CBI
and submitted to the CBIO for storage or destruction.
The typist should not use the Local Area Network (LAN)
for preparation or storage of CAA CBI documents. Documents are
to be prepared using the local version of the word processing
program on the hard drive of the personal computer vs. the LAN
version. Data, reports, etc., must be stored on a floppy
diskette and submitted to the CBIO for proper logging and
storage. Turn off the printer after printing the newly created
CBI document to ensure that all CBI is removed from the buffer of
the printer.
3 . Use in Meetings
The author of a CAA CBI document may circulate copies
of the document at a meeting for discussion, if the author:
• Notifies the OAQPS DCO, and has the document reproduced by
the OAQPS DCO;
• Attends the meeting and is present when the document is
discussed;
• Collects all copies of the document at the end of the
meeting; and
• Submits all copies of the document for destruction to the
OAQPS CBIO after the meeting.
The OAQPS DCO must number the copies i.e., 1 of 6, 2 of
6 and number the pages and ensure that every page of each copy is
returned at the end of the meeting. All other procedures for
general access and meetings (Section V.E, CBI Disclosed at
35
-------�
Meetings General Requirements) must be followed when CAA CBI
materials are circulated at meetings.
G. CREATING NONCBI DOCUMENTS
Materials produced from CAA CBI need not be confidential.
Nonconfidential documents may be produced by deleting CBI from an
existing document or by masking or aggregating the CBI so that it
cannot be linked to its source.
1. Deleting or Replacing CBI
CAA CBI can be replaced in a document with nonCBI data
or generic descriptive terms data or terms derived from CBI data
but that are not themselves CBI.
2. Masking or Aggregating CBI
Group Leaders must be consulted in advance by authors
who wish to produce nonconfidential documents by masking or
aggregating CBI. Group Leaders shall also review all submissions
of masked and aggregate material to ensure that no CBI is exposed
and approve the final nonCBI version.
3. Dropping CBI Claim
NonCBI documents can also be created from information
submitted by a providing organization which drops its claim of
confidentiality, or for which EPA determines that the claim is
not valid.
In all instances, the WAM/TOPO is responsible for ensuring
that documents contain no CBI. Materials produced using CBI must
be treated as CBI until a determination is made by the Group
Leader or providing organization.
36
-------�
H. RELINQUISHING OF CAA CBI STATUS
1. Original CAA CBI
If a providing organization relinquishes its claim of
confidentiality for original CBI, the WAM/TOPO must obtain a
written statement from the provider before the information can be
released to the public. Any original CAA CBI no longer needed by
OAQPS is destroyed or returned to the business firm.
2. CBI Created by OAOPS
Documents created by OAQPS such as: site surveys, test
reports, telephone conversations, and meeting minutes are
forwarded to the affected business (providing organization) for
review of accuracy and confidentiality by the responsible Group
Leader. The responsible industry official is requested by cover
letter to review the report, clearly mark any information
considered to be confidential, and return the marked-up report
within the specified timeframe. The original is kept in the CBIO
with a "pending" disposition until the marked copy is returned by
the business firm. When the reviewed, marked-up copy of the
report is returned, OAQPS will have the option of:
• protecting the whole document as CBI;
• creating a nonCBI version with all CBI removed by
aggregating or masking, and maintaining a complete CBI
version;
• creating a CBI addendum when indicated CBI is at a minimum;
or
• challenging the validity of the business' claim through OGC.
All revised final CBI documents must be submitted to the
providing organization for review before release to the public
If the report is determined to be accurate and
nonconfidential, the business firm will so note, or not
respond by the requested date.
37
-------�
• If the firm does not respond by the requested date, the
WAM/TOPO shall contact the providing organization and verify
the claim; and provide a written response to the OAQPS CBIO
for declassification or release purposes.
• If the document has CBI status, it is placed in the OAQPS
CBIO and logged into the OAQPS CAA CBI inventory.
I. DETERMINING CLAIM TO VALIDITY
To determine that a claim of confidentiality is valid,
EPA's Office of General Counsel (OGC) or an EPA Regional Counsel,
where appropriate, must render a final determination pursuant to
40 CFR, Part 2, Subpart B. That determination is made based on a
review of the submitter's responses to substantiation questions.
If a claim is denied, the information may not be released for 30
days, during which time the providing organization may challenge
EPA's determination in a Federal District Court.
J. REPRODUCTION
This subsection details the procedures for controlling and
safeguarding CAA CBI reproduction or other copying.
There is a risk of losing control over CBI whenever it is
reproduced in hard copy and disseminated. Copying of CAA CBI
material is limited to the minimum extent possible.
1. CBI Material
Group Leaders or WAM/TOPOs authorize the reproduction
of CAA CBI materials. Only the DCO is authorized to make
reproductions. The DCO enters additional copies of documents
into the OAQPS Records Management System and records the
distribution of reproduced copies.
2. Equipment
Copy machines must be dedicated solely to CBI document
reproduction while CBI documents are being copied, and the OAQPS
DCO must directly supervise the machine while the CBI materials
38
-------�
are being duplicated. Only persons authorized access to the
specific CAA CBI being copied may be present while CBI materials
are being reproduced. After copying is finished, the operator
must pass three blank copies through the machine to ensure that
any impressions on the image surfaces of the machine have been
erased.
3. Broken Equipment
If the equipment used for reproducing CAA CBI materials
has a malfunction while in use, the DCO must inspect the
machine's paper path and image surface to retrieve any materials
containing CBI that are caught in the equipment before the repair
person is called.
K. CDCO RECORD MANAGEMENT RESPONSIBILITIES
Contractor DCOs must comply with the aforementioned
requirements of this manual to ensure adequate safeguarding and
handling of CAA CBI documents. CDCO may use sample CAA CBI Forms
or design own in-house forms as long as required OAQPS
information is available.
1. CAA CBI Control Numbers
CDCOs may implement an internal CAA CBI control
numbering system, but must cross-reference OAQPS CAA CBI Control
numbers on custody receipts, inventories, derivative CBI,
correspondence, etc. regarding specific CAA CBI.
2. CAA CBI Inventories
CDCO must maintain an accurate nonCBI description of
each document and in a CAA CBI inventory (see CAA CBI Form 12).
The CDCO shall conduct an inventory of all CAA CBI materials
stored at their facility at least once a year during which time
each CAA CBI file is reviewed. A copy of the inventory files
shall be submitted to the OAQPS DCO. Any CAA CBI no longer
needed at their facility must be returned to OAQPS.
39
-------�
3. Reproduction
Copying of CAA CBI by contractors is limited to working
papers, drafts of technical reports, drafts of trip reports,
meeting handouts, and similar temporary documents. Copying must
be done under the direction and guidance of the CDCO.
40
-------�
SECTION V.
DISCLOSURE OF CAACBI
A. OVERVIEW
This section discusses minimum procedures required to ensure
the security of Confidential Business Information (CBI) during
authorized disclosures.
The holder of CAA CBI (the person in possession of
specific CBI) is responsible for protecting it from persons
not authorized access to it. CAA CBI shall not be left
unattended; and when work with CBI materials is completed or
suspended, all materials containing CAA CBI (originals,
drafts, memos, and notes) shall be taken to the CBIO for
storage. Holders of CAA CBI shall not allow unauthorized
persons to view CAA CBI materials nor shall holders discuss
CAA CBI with persons not authorized access to it.
B. DISCLOSURE TO OTHER FEDERAL, STATE OR LOCAL
AGENCIES
EPA regulations at 40 CFR Part 2 allow disclosure of CBI to
another Federal or State agency in either of two circumstances:
• When the official purpose for which the information is
needed by the other agency is in connection with its duties
under any law for protection of health or the environment or
for specific law enforcement purposes; or
• When disclosure is necessary to enable the other agency to
perform a function on behalf of EPA.
In either circumstance, the PRRMS Director must be notified
immediately via the OAQPS DCO upon receipt of a request for
documents or information requiring access to CAA CBI. In
addition, the procedures described below must be followed before
CAA CBI may be disclosed to other agencies. These procedures do
41
-------�
not apply to disclosure of CAA CBI to individual employees of
other agencies performing functions on behalf of OAQPS where
access is confined to OAQPS premises.
EPA may disclose CAA CBI to other Federal, State or Local
agencies upon the written request from the requestor. Because of
the time needed for processing, the written request should be
directed to the PRRMS Director at least 30 days prior to the time
access is needed. The request must be signed by an official of
the other agency who is at least equivalent in authority to a
Division Director. It should state specifically the information
to which access is requested. The official purpose for which the
CAA. CBI is needed should be set forth in detail as well as any
other pertinent information, such as previous efforts to obtain
the information. The need must be in connection with the
agency's duties under a law for the protection of public health
or the environment or for a specific law enforcement purpose.
OAQPS CAA CBI may be released to States or Local agencies
with the written permission from the submitter. Also, it may be
possible to aggregate data or sanitize documents containing CAA
CBI without disclosing information claimed as CBI.
NOTE: TSCA and FIFRA CBI maintained in OAQPS (by OAQPS) may
not be disclosed to States.
1. Non-disclosure Agreement
In addition, as part of its written request, the other
agency must agree in writing (Appendix L) not to disclose further
any information designated as confidential unless it meets the
following conditions:
• It has statutory authority both to compel production of the
information and to make the proposed disclosure and, prior
to the disclosure, it has furnished affected business with
at least the same notice that EPA would provide under its
regulations;
• It has obtained the consent of each affected business to the
proposed disclosure; and
42
-------�
• It has obtained a written statement from the EPA Office of
General Counsel or an EPA Regional Counsel that disclosure
of the information would be proper under EPA's regulations.
2. Notice to Affected Businesses
When disclosure is requested by another agency, OAQPS
must give the affected businesses at least 10 calendar days
notice before granting access to the other agency. Notice to the
affected businesses may be given by Federal Register, letter sent
by registered mail (return receipt requested), or telegram and
must include.
• The identity of the agency/contractor to which CBI is to be
disclosed;
• The official purpose for the access;
• Whether access is authorized only on EPA premises or also at
the other agency or contractor's facilities;
• A non-confidential description of the specific information
to be disclosed; and
• The period of time for which access to the CBI is
authorized.
3. Before Approval
The PRRMS Director will notify the requesting official
of the other agency acknowledging receipt of the written request
and will direct issue of required notice to affected businesses.
The PRRMS Director will also notify the requesting official from
the other agency if approval is not granted.
4. Before Disclosure
Before CAA CBI may be disclosed, the PRRMS Director
must notify the other agency that the information being disclosed
is classified as CAA CBI, that it was acquired under authority of
the CAA, and that any unauthorized disclosure of the information
may subject employees of the other agency to criminal penalties
(Chapter 8, Information Security. IRM Policy Manual 2100).
43
-------�
C. DISCLOSURE TO EPA CONTRACTORS AND SUBCONTRACTORS
EPA's regulations (40 CFR, Part 2) allow disclosure of CAA
CBI to contractors and subcontractors when disclosure is
necessary to enable the contractor to perform work on a contract.
Notice to affected businesses must be given before CAA CBI is
disclosed to the contractor with the same requirements as
indicated above. The initial notice is usually prepared by the
OAQPS PO and is published in the Federal Register notifying the
public and affected businesses of OAQPS contractors and
subcontractors who will have access to CBI collected under the
Clean Air Act.
D. DISCUSSING CBI ON THE TELEPHONE
Federal and contractor employees with CAA CBI access may
discuss CAA CBI on the telephone with other individuals who are
authorized access to the specific CBI. However, caution must be
used because interception of telephone communications is an easy
means by which unauthorized persons may obtain CBI.
The person initiating the discussion of CBI during a
telephone call is responsible for verifying that the other has
authorized access to the specific CAA CBI. Access authority can
be confirmed by referring to the OAQPS CAA CBI Authorized Project
Access List. Interoffice communication systems (i.e., speaker
phones) should not be used to discuss CAA CBI if conversations
may be overheard by unauthorized persons.
1. Telephone Memorandum
Federal and contractor employees shall complete a
telephone memorandum, Memorandum of CAA CBI Telephone
Conversation, CAA CBI Form 6 (Appendix C) for all telephone calls
in which CAA CBI is discussed. Telephone memorandums must be
submitted to the CBIO for filing on the day of the call or the
following workday if the call was made after 4:00 p.m.
2. Telephone Calls With Providing Organizations
OAQPS employees, contractors and subcontractors may
discuss CAA CBI from a. providing organization with an employee of
44
-------�
that organization. Before discussion begins, the employees must:
• Verify the identity of the providing organization's employee
with whom they are speaking;
• Inform the providing organization's employee that the
telephone lines are not secured;
• Assure the providing organization's employee that a
telephone discussion of CAA CBI with a Federal or contractor
employee does not constitute a waiver of any claim of
confidentiality; and
• Inform the providing organization's employee that any
further information provided in the telephone conversation
claimed as confidential will be properly safeguarded.
E. CAA CBI DISCLOSED AT MEETINGS
OAQPS offices or its contractors that host or convene any
meeting (conference, symposium, seminar, exhibit, convention,
scientific, or technical gathering) of two or more people, at
which CAA CBI is disclosed shall take appropriate security
measures. The OAQPS DCO shall be informed that a meeting is
scheduled when CAA CBI materials must be reproduced for use at
the meeting. Requirements include, but are not limited to, those
listed below.
1. Access
All persons attending the meeting must be cleared for
access to the specific CBI being presented and be positively
identified before CBI is revealed. If non-OAQPS personnel are
present, the meeting chairperson must provide a CAA CBI Meeting
Sign-In Sheet, CAA CBI Form 7 (Appendix D) as a meeting record.
The following information shall be recorded: date, time, place,
chairperson, and subject. All persons attending the meeting must
sign this sheet. All sign-in sheets shall be delivered to the
CBIO by the close of business or the next business day after the
meeting.
45
-------�
2. Chairperson's Duties
The meeting chairperson is usually the person who
schedules and organizes the meeting. The chairperson is
responsible for ensuring (by referring to the OAQPS CAA CBI
Authorized Access Lists) that only persons authorized access to
the specific CBI to be discussed at the meeting are in attendance
when the discussion involves CBI. Non-cleared attendees must be
excused from the meeting by the chairperson before CAA CBI is
discussed. The chairperson must also ensure that the meeting
room is cleared of all CAA CBI materials after the meeting.
3. Chairperson's Limitations
WAM/TOPOs shall inform the chairperson of any
restrictions that must be imposed on a presentation because of
the CAA CBI or of need-to-know restrictions on certain members of
the audience. The chairperson is responsible for seeking that;
information, and for keeping disclosures within the limits
prescribed.
4. Notes or Recordings
The meeting chairperson must remind those in attendance
of their duty to treat any notes or recordings taken at the
meeting as confidential. These materials are submitted to the
CBIO for storage or proper disposition until the CBI status is
determined.
5. Safeguarding
Notes, minutes, summaries, recordings, proceedings, and
reports on the CAA CBI classified portions of the meeting must be
safeguarded and controlled throughout the meeting. Any CAA CBI
material generated or received as a result of the meeting, as
appropriate, shall be forwarded to attendees by an approved means
of transfer when the meeting ends rather than being hand-carried
by attendees from the meeting site.
46
-------�
6. Controls
Physical and technical security controls shall be
established to control access. The meeting room shall be cleared
of all CAA CBI materials after the meeting. This includes
cleaning all chalkboards, returning any unneeded CAA CBI
materials to the CBIO for destruction, and ensuring that nothing
is left in the room that could lead to the unauthorized
disclosure of CAA CBI.
47
-------�
SECTION VI.
CATEGORIES OF CAA CBI
A. OVERVIEW
This section provides instructions on how Confidential
Business Information (CBI) is categorized.
B. ORIGINAL CBI
Original CAA CBI is generally obtained under Section 114 of
the Clean Air Act in two basic forms. It is usually received in
the form of a request response from a solicited business or from
a site visit conducted by an OAQPS employee or contractor
employee after visiting a solicited business.
Because data-gathering visits, plant inspections, and source
testing can involve inadvertent receipt of CBI, it is the policy
of OAQPS to protect all parties involved. Prior to or at the
inception of a plant inspection, data-gathering visit, or source
test, OAQPS representatives discuss with the responsible industry
official the information sought, how it is to be used, and how it
is to be protected.
C. DERIVATIVE CBI
Derivative CBI is the result of incorporation, paraphrasing,
restating, or generating information from original CBI. Along
with the file or record copy of a newly created CBI document, the
OAQPS CBIO must keep a copy of the source document or sufficient
identifying information from the source document. This
information includes the originator's name and title and the date
received. The OAQPS WAM/TOPO's name, title, and office must also
be shown on the new document.
48
-------�
SECTION VII.
CAACBI MARKINGS
A. OVERVIEW
This chapter explains how materials that have been claimed
as CAA CBI materials must be marked.
B. CBI STAMPS
Both original and derivative CAA CBI documents are stamped
on the first and last page "Subject to Confidentiality Claim."
See Appendix E for additional CAA CBI stamps or markings.
C. COMPUTER OUTPUT
Documents that are generated as computer output may be
marked automatically by systems software. If automatic marking
is not practicable, these documents must be marked manually.
Removable storage media and devices used with ADP systems,
typewriters, or word processing equipment shall bear both
external (affixed) and internal (software generated) CBI
markings. Documents produced by ADP equipment shall have at a
minimum their first page and their last page marked.
D. SPECIAL CATEGORIES OF MATERIALS
Markings are conspicuously stamped, printed, written or
affixed on classified material other than paper documents. If
this is not practicable, the containers of such material shall be
marked. The means by which material is marked varies according
to the physical characteristics of the material and
organizational and operational requirements.
1. Charts, Maps, and Drawings
The markings on charts, maps, and drawings are
inscribed both at the top and the bottom of each document. When
the document is unfolded, the classification marking shall be
clearly visible on each folded portion. The marking must also be
visible when the document is rolled or folded for storage.
49
-------�
2. Photographs, Films, and Recordings
Photographs must be marked as confidential. Their
containers are also marked. The markings on each transparency or
slide must be on the image and on the holder or frame.
Classified motion picture films and videotapes are marked at the
beginning and end with a clear statement of classification. The
containers or reels on which they are kept are also marked.
3. CAA CBI Waste
Such documents and materials as rejected copy, typewriter
ribbons, and carbons used in working with confidential
information shall be handled in such a way that the information
is adequately protected. Unless these documents and materials
are destroyed immediately, they must be marked. Section XI,
gives instructions for disposal and destruction of CAA CBI.
50
-------�
SECTION VIII.
TRANSFERRING CUSTODY Of CAA CBI
A. OVERVIEW
This section describes how custody of Confidential Business
Information (CBI) is transferred. Before a transfer is
initiated, the OAQPS DCO or CDCO must verify the intended
recipient is authorized to access the specific CAA CBI to be
transferred.
B. TRANSFERRING CAA CBI TO EPA CONTRACTORS AND
PROVIDING PLANTS/FACILITIES
CAA CBI documents are transferred by the OAQPS DCO to
contractor DCOs or authorized persons at the providing plant or
facility. A CAA CBI letter of transfer (Appendix S) shall be
prepared for the responsible Group Leader's signature to initiate
the process of transferring CAA CBI to the providing
organization. The WAM/TOPO or employee delivers the letter of
transfer along with the OAQPS CAA CBI control number or
sufficient information identifying the specific CAA CBI to be
transferred to the CBIO. Upon review and approval, the document
will be properly transferred. The letter of transfer, custody
receipt (and one copy) are enclosed with the transferred CAA CBI.
A checklist for transferring CBI to a facility is as
follows:
• WAM/TOPO submits letter of transfer to Group Leader for
signature;
« Letter of transfer and CAA CBI control number is submitted
to the CBIO;
• The DCO prepares the custody receipt, properly packages CAA
CBI including letter of transfer; and
• Releases package to authorized contractor employee or mails
package via registered mail or Federal Express.
51
-------�
Pending CAA CBI documents (draft reports, revisions,
telephone contact reports, etc.) are transferred to the
contractor at the WAM/TOPO's request via Custody Receipt. A
Letter of Transfer signed by the Group Leader is not required.
CAA CBI is transferred from OAQPS to the contractor and
from the contractor to OAQPS. The Prime Contractor is
responsible for the transfer of CAA CBI to their designated
subcontractors or consultants. NOTE: The OAQPS CBI Office
administratively handles all transfers for OAQPS.
C. TRANSFERRING CAA CBI FROM CONTRACTORS TO OAOPS
CAA CBI to be transferred to OAQPS should be identified and
instructions given to the CDCO to return the material to the
OAQPS CBIO. The material being transferred must be listed on the
CAA CBI Custody Receipt, CAA CBI Form 14 (including the OAQPS CAA
CBI control number). Under no circumstances will contractors
dispose of original CAA CBI materials that have been logged into
the OAQPS Records Management System in any way other than
returning them to the OAQPS CBIO.
Direct transfer of CAA CBI materials between contractor
employees is not permitted. CAA CBI materials must be
transferred through the CDCO only.
D. TRANSFERRING CAA CBI TO GOVERNMENT AND STATE
AGENCIES OUTSIDE OF OAOPS
Upon receipt of a request for CAA CBI from a Government or
State entity outside OAQPS and after it is determined that
disclosure of the CAA CBI is allowed (Section V.B), a letter 30
the requesting agency is prepared for signature of PRRMS Director
to explain the procedures that must be followed prior to release
of the information requested. A sample Letter to CAA CBI
Requestors Outside of OAQPS is illustrated in Appendix O, and
included along with the letter shall be a Confidential Business
Information Security Agreement, CAA CBI Form 15 (Appendix L).
The agreement must be signed by the requesting agency official
equivalent or superior to the PRRMS Director. By signing this
52
-------�
agreement, the agency official agrees to safeguard CAA CBI in a
manner comparable with EPA's procedures as found in 40 CFR, part
2, Subpart B.
When the signed agreement is returned, it shall be forwarded
to the OAQPS CBIO along with a Letter to Accompany CAA CBI
Transferred Outside OAQPS (Appendix 0). This letter will
constitute direction to the OAQPS DCO to transmit the CAA CBI
materials to the requestor. The OAQPS DCO will send the
materials, the letter and the original and one copy of a CAA CBI
Custody .Receipt to the requestor.
E. CONFIDENTIAL BUSINESS INFORMATION SECURITY
AGREEMENT
A Confidential Business Information Security Agreement, CAA
CBI Form 15 (Appendix L) must be signed by an official of a
government entity requesting transfer of CAA CBI prior to
transfer of custody. This form requires the official of the
receiving agency to verify that the information will be
safeguarded utilizing procedures comparable to EPA's procedures
for handling CBI found in 40 CFR, Part 2, Subpart B.
F. PREPARATION AND PACKAGING
CAA CBI materials to be transferred will be processed by the
DCO. The following guidelines set forth the procedures for
preparing and packaging CBI materials.
1. Inner and Outer Covers
Before CAA CBI may be transferred or hand carried out
of the OAQPS facility, the materials to be transferred must be
double wrapped with opaque paper. The inner cover must bear
markings that indicate the classification and instructions, "CBI
Confidential Business Information," and "To Be Opened by
Addressee Only." The person to whom the material is intended is
included in the address as an "Attention" line on the inner
envelope. Markings on the inner cover shall not show through the
outer cover.
53
-------�
2. Addressing
CAA CBI being transferred from the OAQPS CBIO to
another facility or being returned from a facility to the CBI
Office shall bear the name of the sending and receiving DCO only
in the address on the outer label. The outer cover shall not
bear any classification markings or other indication that CAA CBI
information is enclosed. The return address of the transferror
is required on both the inner and outer covers.
3. Packaging'
Materials used in packaging CAA CBI must be strong e.nd
durable enough to provide protection in transit and prevent items
from protruding through the covers. Upon receipt, packages must
be inspected to ensure that the seals have not been broken.
G. CUSTODY RECEIPT
A CAA CBI Custody Receipt, CAA CBI Form 14 (Appendix K) is
included with all transfers of CAA CBI materials and prepared in
triplicate. This form provides the previous holder of CAA CB]
with proof of accountability that the material was transferred
and received. The recipient signs and dates custody receipt,
after verifying all materials were received, forwards the
original copy to sender and retains the second copy for his/her
records. The previous holder retains the original copy as a
record of the transfer. The third copy is retained by the
previous holder as a suspense copy until the signed original is
returned by the recipient, or the Domestic Return Receipt from
the U.S. Postal Service acknowledging receipt of the document ,s) .
(See Section IV. CAA CBI Records Management for more information
on accountability, control records, and the CAA CBI control
numbers.)
H. TRANSFER METHODS
OAQPS CAA CBI may be transferred or transported by the
following methods:
• Hand carried to another facility by an employee or
contractor employee who is authorized access to the CAA CBI;
54
-------�
• U.S. Postal Service registered mail (return receipt
requested), Express Mail; or
• Private courier (Federal Express).
1. Hand Carrying
Appropriately cleared OAQPS employees may be authorized
to hand carry CAA CBI material between facilities (when
traveling) if the conditions outlined below are met.
• Individuals authorized to carry CBI must contact the CBIO to
be fully briefed on the provisions of this Section before
departing.
• While traveling by plane or other public conveyance,
employees must keep CAA CBI materials in their possession,
and should not check them with their luggage.
• When employees travel with CAA CBI materials and are unable
to deliver or ship the CAA CBI materials to a facility
authorized to store CAA CBI, they may store the materials
for short periods inside the locked trunk of a motor
vehicle. CAA CBI materials may also be stored overnight in
hotel safes, if a receipt is obtained from the hotel
management. Otherwise, CAA CBI materials must be kept in
the possession of the traveler.
• The storage provisions for CAA CBI are detailed in Section
IX. Storage of CAA CBI, shall apply to all stops en route to
a destination. CAA CBI materials shall not be unwrapped
until the traveler's destination is reached. If the
materials are to be transferred to someone at that location,
they must immediately be taken to the local DCO and logged
into the local Document Tracking System.
• The CBI Office shall log out CAA CBI carried or escorted by
traveling personnel. CAA CBI must be accounted for upon
return by count and inspection of materials or by inspection
of receipts for materials, if delivered.
55
-------�
2. Registered Mail
If CAA CBI material is to be mailed, it must be
prepared by the OAQPS DCO for registered mail (return receipt
requested). Regular first class mail must never be used to
transfer CAA CBI.
3. Couriers and Express Mail
EPA and contractor employee couriers, commercial
couriers, and U.S. Postal Service Express Mail may be used in the
transmission of CAA CBI.
56
-------�
SECTION IX.
STORAGE OF OAOPS CAA CBI
A. OVERVIEW
This section describes the minimum standards for the
physical safeguarding and storage of CAA Confidential Business
Information (CBI).
B. INTENT
Employees using CAA CBI material are responsible for
ensuring that no unauthorized disclosures of that information
occur. This means that employees must either maintain constant
control over the CAA CBI material in their possession or return
it to the CBIO.
C. STORAGE EQUIPMENT SPECIFICATIONS
When not in use, CBI materials must be secured in approved
CAA CBI storage containers. The type of container approved for
CAA CBI storage is a metal file cabinet with bar hasp and three-
way, changeable combination lock.
"OPEN/CLOSED" magnetic signs shall be posted on each CAA CBI
storage container to readily identify containers that are open or
locked, and to provide a visual spot checked and at the end of
the work day to ensure containers are properly secured. Storage
containers must be located within a room dedicated to CBI
security. The room must have a lockable entrance secured by a
GSA approved, changeable combination Simplex lock. All CBI
storage containers and the entry door shall be locked during the
lunch hour and at the end of each business day.
D. PROCEDURES FOR LOCK COMBINATIONS
Since all storage containers are secured by combination
locks, the matter of combinations is important.
57
-------�
1. Changing Combinations
Combinations to security equipment shall be changed
only by cleared personnel having that responsibility.
Combinations shall be changed only under these circumstances:
• Whenever someone who knows the combination no longer
requires access;
• In the event of suspected compromise of CAA CBI;
• When deemed necessary by the custodians; or
• At least once each year.
2. Granting Access to Combinations
Knowledge of combinations is limited to CBI Office
personnel and DCOs. Records of combinations must be protected as
though CAA CBI.
E. EVACUATION PROCEDURES
In the event of a fire or other emergency (e.g., natural
disaster or civil disturbance) requiring evacuation of office
spaces, CAA CBI shall be returned immediately to the OAQPS CBIO
where it will be stored properly. Persons who are unable to
return CAA CBI material in their possession to the CBIO shall
ensure that such material is safeguarded by covering it from view
and taking it with them. The employee must keep it under
personal observation at all times until it can be secured in a
facility approved for CBI storage.
F. SAFEGUARDING CAA CBI IN THE EVENT OF A DISASTER
A disaster plan is a little like insurance; we know we
should have it, it costs money, and we hope we never have to
use it!
A disaster plan is required by the Federal Emergency
Management Agency (FEMA) to ensure the safety of personnel and to
58
-------�
protect vital records. OAQPS and its contractors are required to
protect any records/documents affecting the legal and financial
rights of the Government and of the people affected by its
actions. The OAQPS CAA CBI Disaster plan has three components:
prevention, preparedness, and response.
1. Prevention
Procedural prevention relates to activities performed on a
day-to-day, month-to-month, or annual basis, relating to security
and recovery. It begins with assigning responsibility for
overall security of the organization to an individual with
adequate competence and authority to meet the challenges. The
objective of procedural prevention is to define activities
necessary to prevent various types of disasters and ensure that
these activities are performed regularly.
Physical prevention begins when a CAA CBI storage site is
identified or constructed. It includes special requirements for
room construction, as well as fire protection for various
equipment. Special considerations include: computers, fire
detection and extinguishing systems, record(s) protection, air
conditioning, heating and ventilation, electrical supply,
emergency procedures, and storage specifications to protect CAA
CBI records.
• OAQPS DCO will conduct an annual site inspection of the
OAQPS CBIO to identify problem areas and foster awareness of
disaster prevention issues among the staff.
• Provide training for the CBIO staff in records management,
protection, and how to respond to a disaster.
2. Preparedness
OAQPS DCO will ensure that there are appropriate
supplies on hand to deal with immediate needs, and keep a current
list of suppliers of materials that are needed to handle
disasters. The OAQPS DCO will also keep up-to-date on current
technology, procedures, and services available for disaster
planning and recovery, and ensure the staff is informed about
these issues. Ensure appropriate security measures are taken to
prevent damage or destruction of CAA CBI, approve off-site
59
-------�
storage of CAA CBI, arranging for security guards when needed,
establish and maintain an emergency recall list (including EPA
designated personnel, police and fire departments, hospitals,
utility companies, selected resources, etc.), and whatever else
might be required in the circumstances.
3. Response
The OAQPS DCO is responsible for directing all disaster
operations affecting damage or destruction CAA CBI records. All
of OAQPS staff (Directors, Group Leaders, POs, WAM/TOPOs and
employees) must be involved in order for the disaster plan to be
an effective one. Preventing, preparing for, and responding to
disasters has to be a team effort. We all have to be aware of
the issues, and integrate prevention and preparedness into our
daily routines and consciousness. In the event of a disaster, we
have to be able to pull together as a team and respond quickly
and effectively to protect OAQPS's CAA Confidential Business
Information. The OAQPS DCO will also evaluate the damage, plan
and execute recovery operations, and do post-disaster
assessments.
60
-------�
SECTION X.
CAA CBI COMPUTER SECURITY
NOTE: Computer security is difficult and expensive to
maintain. OAQPS personnel and its contractors should not use
CAA CBI in an identifiable form in computer programs, if at
all possible.
A. OVERVIEW
This policy applies to all automated data processing (ADP)
systems processing and/or storing CAA Confidential Business
Information (CBI). It shall apply equally when the ADP systems
are owned and operated by EPA or by its contractors or
consultants.
B. DIRECTIVES
The computer processing of CAA CBI must be in compliance
with the following directives issued to all Federal agencies
processing sensitive data by computer:
• Office of Management and Budget OMB Circular A-130, TM
No . 1 ;
• Office of Personnel Management FPM 732-7;
• National Bureau of Standards FTPS PUBS; and
• General Services Administration 41 CFR Ch. 101.
These directives require all Federal agencies processing
sensitive information by computer to establish and maintain a
formal security system.
61
-------�
C. BASIC SECURITY REQUIREMENT
OAQPS must provide a system with a level of security
adequate to protect any CBI being processed from alteration,
loss, or from unauthorized access.
1. Security Mode
OAQPS CAA CBI must be entered into an isolated system
with access control safeguards as well as additional safeguards
within the system. In addition, file and data separation are
required since all users are not authorized to access all data.
2. Authenticity and Verification
The system will authenticate the password for each
project, verify each user's identity, and validate each user's
file access authority and privileges. System output must have
special markings that identify particular data sets or programs
to provide audit trails. These audit trails will produce an
activity and, when possible, an event record to permit analysis
of system operation by the CBI Office.
3. Remote Operation
There shall be no communication system to interface
with remote terminals.
4. Users Requirements
All system users and persons allowed unescorted access
to the ADP system shall meet the following criteria:
• They are authorized access to CAA CBI;
• They have completed a Request, Approval, and Registration
for CAA CBI Computer Access, CAA CBI Form 3;
• They have been informed of the proper security procedures
for operation of the system;
62
-------�
• They have been informed of the proper action to be taken in
the event of system malfunction (spillage, etc.);
• They have been trained in the use of the system;
• They have been authorized access to specific 'data in the
system and have been given the password to that data; and
• They have signed an acknowledgment of having been provided
the above information.
OAQPS and contractor employees who are authorized access to
specific CBI may view a computer screen that contains the CBI to
which they are authorized access.
5. Visitors
Administrative approval may be given to permit
unauthorized persons to visit the computer facility, but they
shall be escorted and shall sign a log indicating the date and
time of their visit.
D. CBI COMPUTER ROOM
All ADP central processing and ancillary equipment, shall be
located in a specific room. This room in its totality is herein
referred to as the CBI Computer Room.
The CBI Computer Room:
» Shall be located in an interior part of the building;
• Shall be on a floor not accessible from the exterior of the
building;
• Shall be in an area not adjacent to, above, or below an area
that would constitute a high-risk area from the standpoint
of fire or explosion;
• Shall maintain only one entrance for personnel access. Other
doors, if any, shall be secured;
63
-------�
• Shall, when unoccupied, be secured with a Simplex
combination lock, mounted on a solid wooden or metal door;
and
• Shall, during hours of operation, have access controlled by
means of an access control lock.
E. SAFEGUARDING CBI DURING PERSONAL COMPUTER USE
While using CAA CBI at a computer in an unsecured area, the
operator must retain exclusive control over the operation of the
computer and printer and must ensure that only individuals
authorized for access to the CAA CBI can view the terminal
screen. If the operator must leave the terminal for any reason,
the computer session shall be terminated.
1. Computer Storage Media
** DO NOT store CAA CBI data on the LAN **
CBI data generated or processed on a personal computer
must be stored on either floppy, compact diskettes, or detachable
hard disks. Floppy or compact disks are preferable and shall be
secured in the CBIO. Floppy disks containing CAA CBI must also
be removed from the computer after each session and returned to
the CBIO.
Obsolete or damaged disks shall be provided to the
WAM/TOPO for review who will authorize the DCO to return the
disks to the providing organization or to destroy them.
2. Termination of a CBI Computer Session
Proper termination of a computer session involving CBI
consists of the following steps:
• Transferring and verifying the transfer of the CBI data to
the storage medium (floppy disk, detachable hard disk, or
printout);
64
-------�
• Removing the storage medium from the computer;
• Erasing the computer's internal memory with a utility
program disk;
• Turning off the computer to erase data from the Random
Access Memory; and
• Returning the disks and generated printouts to the CBIO.
3. Use of a Printer
If CAA CBI is printed out, the printed material must be
secured in the CBIO. All data printed may not contain CBI,
therefore the employee who generates or obtains a printout from
the computer must first determine whether the printout contains
CBI. All printouts and any information obtained from a computer
screen containing CBI and written down must be logged in and out
through the CBI office.
Since most printers contain buffers, turn off the printer to
ensure removal of any CBI information stored in the printer
buffer.
F. SYSTEM SECURITY SOFTWARE FOR MULTI-USER SYSTEM
Only the operating system shall execute instructions to
control and perform all input/output operations and changes to
memory boundaries, data elements, tables, execution state
variables, and files of the system. The operating system will
protect itself and provide an authorization function to permit
only approved sets of individuals and programs to be combined for
a project. One class of machine instructions will be reserved
for exclusive use of the operating system, and one class will be
usable by the operating system and user applications.
1. C7ser Authority
Where possible, a memory bounds mechanism will be
included so that memory allocated to any particular user can be
restricted to prohibit the user from reading or writing in the
65
-------�
operating system memory or the memory of another user. The
system will enforce the user privileges as authorized for
given file and will include execute only, read only, read/write,
and prohibit scratching or renaming files. Authentication of
project passwords, verification of user identity, and validation
of user file authority are performed by the system.
2. Event Record
Except for password maintenance activities, unique
identifiers (passwords) may not be printed or displayed on any
output or terminal. Within the limits of system capability, an
access and event journal will be maintained by the system in a
secure manner to record system activity, log-on attempts, and
program execution. This audit function should permit event
attribution to the individual user. An exception audit will be
produced by the system of all unauthorized activity, including
log-on and file access attempts for daily review by the CBI
Computer Room Document Control Assistant (DCA). The system will
include a time clock for recording events. The system activity
log will have a write-only mode. The system will maintain user
and file isolation on time share and concurrent processing.
G. GENERAL PROCEDURES
Changes to the operating system will be made off-line,
reviewed, and approved before being installed on the active
system. Changes in the application programs will be made
off-line using non-sensitive data and implemented after review.
1. Checkout
Portable storage disks must be checked out from the CBI
Office using procedures described in Section III, Document
Control, and Office when the processing is terminated.
2. User Privileges (Multi-year system only)
User privileges will be limited to those necessary.
The user will log-out the appropriate floppy disk from the CBI
Office before logging into the CBI Computer Room with the CBI
Computer Room DCA.
66
-------�
Uni-que identifiers (passwords) shall be used for
project identification in the log-on procedure and for data file
access. These identifiers shall be treated as confidential and
shall be changed at frequent intervals of at least every 3
months. Two passwords are required to begin a program. The CBI
Computer Room DCA shall provide a system access password and the
user shall provide a data file access password.
3. CBI Computer Room DCA
When termination of processing is ended and the system
is to be shut down, the user will log-out with the CBI Computer
Room DCA. The CBI computer room DCA shall also be responsible for
opening and closing the CBI computer room and starting and
shutting-down the computer.
4. Back-up Files
Back-up files will be maintained in the CBIO.
Periodically, the backup files will be updated and tested to
ensure operational condition.
5. Transmission
Input and output media shall be transmitted only
between the CBI Office and the users who are authorized access to
specific data contained on the media. In no case will input
media be accepted from or delivered to a third party. Any system
processing and/or storing CBI must be a system that maintain CBI
controls.
H. DESTRUCTION AND RELEASE OF DATA MEDIA
All paper products, program listings and cards, when no
longer needed, are to be destroyed in accordance with current
procedures for disposal of CBI documents listed in Section XI,
Disposal and Destruction.
1. Magnetic Storage
Any magnetic storage media used to process or store CAA
CBI may be released from control after they have been degaussed
in an approved manner on an approved degausser. Prior to
67
-------�
release, all identifying markings must be removed from the media
and the erasure of the data must be verified.
2. Rigid Magnetic Storage Media
Rigid magnetic storage media, used for processing or
storing CAA CBI, when no longer needed, may be released from
control after it has been overwritten alternately by ones and
zeros at least three times. In the case of malfunctioning or
damaged data storage media, when overwriting is not possible, the
data storage media must be degaussed. Overwriting or degaussing
must be verified prior to release of the media.
J. SECURITY PLAN
In addition to computer security procedures, EPA's
Information Security policy calls for a methodology for a risk
analysis, security plan, and the requirement for confidentiality
agreements from all contractor personnel. This security plan is
subject to approval by the PRRMS Director and shall be available
to representatives of EPA's Office of the Inspector General
(OIG).
J. RISK ANALYSIS
A risk analyses must be conducted for each computer
installation operated by or on behalf of EPA is required under
the provision of OMB Circular A-130, TM No. 1. These analyses
are specified as needed, before approving design specifications
for new systems; whenever there is a significant change to the
physical facility, hardware, and/or software; or at periodic
intervals not to exceed 5 years. These risk analyses are tc
provide an evaluation of the relative vulnerabilities at the
installation in order to maximize the effectiveness of security
measures within the constraints of available resources.
68
-------�
SECTION XI.
DISPOSAL AND DESTRUCTION
A. OVERVIEW
The purpose of this section is to explain how Confidential
Business Information (CBI) must be disposed of or destroyed.
B. INTENT
CAA CBI that is of no use to OAQPS and not wanted by the
providing organization, will be destroyed only under the
supervision of the DCO. CBI borrowed from TSCA or RCRA may not
be destroyed but must be returned.
C. NOTICE OF INTENT TO DESTROY
The providing organization or owner of original CAA CBI that
is no longer needed by OAQPS must be informed of the intent to
destroy the material. This notice is given to allow the owner an
option to reclaim the materials or have OAQPS destroy them.
D. ORIGINAL CBI
Under no circumstances will contractors dispose of
original CAA CBI materials that have been logged into the
OAQPS Records Management System in any way other than
returning them to the OAQPS CBI Office.
WAM/TOPOs or the responsible Group Leaders shall initiate
the process for destruction or disposal (return to the providing
organization) of original CBI material. The materials must be
identified for destruction. The OAQPS DCO will destroy specified
documents and maintain a record of all destroyed documents. At
no time shall destruction of CAA CBI material take place without
proper authorization from the WAM/TOPO or providing organization.
69
-------�
E. DERIVATIVE CBI
Authors of derivative CBI (CBI created from original CBI)
may authorize the CBI Office to destroy their work that contains
CAA CBI.
F. CBI WASTE
Waste material including handwritten notes, sheets of carbon
paper, diskettes, and working papers that contain CAA CBI must be
returned to the CBI Office daily for destruction. No record of
destroying this type of material need be kept.
G. RECORDS OF DESTRUCTION
Records of destruction are required for CAA CBI materials.
When a document is destroyed, the OAQPS DCO or the CDCO must
indicate on the CAA CBI Control Record, CAA CBI Form 1 (Appendix
J) the destruction date, person destroying document, and attach
documentation authorizing the destruction to the CAA CBI Control
Record.
The control records of destroyed documents must be retained
for audit purposes in accordance with OAQPS records management
requirements, and the CDCO shall submit the list of destroyed
documents with the annual inventory and upon completion of the
contract. The destruction of CBI materials logged into the OAQPS
CAA CBI Records Management System shall documented in the CAA CBI
automated database and purged annually.
H. METHODS OF DESTRUCTION
CAA CBI documents and material shall be destroyed in a
manner that precludes recognition or reconstruction. In general,
CAA CBI materials are destroyed by one of two methods: shredding
(including any type of paper substance) or burning (including
microfiche, typewriter ribbons, diskettes, and data tapes).
70
-------�
SECTION XII.
CAA CBI SECURITY VIOLATIONS
A. OVERVIEW
This section sets forth the procedures to be followed
whenever CAA Confidential Business Information (CBI) security
procedures may have been violated.
B. RESPONSIBILITY OF DISCOVERER
Any OAQPS employee who is either aware of actual or possible
violations regarding loss of CBI materials or unauthorized
disclosures must report immediately this information to the DCO.
C. VIOLATIONS OF THIS MANUAL
All alleged violations of this manual's procedures shall be
investigated, even if there is no evidence of a lost document or
unauthorized disclosure.
D. PRELIMINARY INQUIRY
The PRRMS Director will have the OAQPS DCO conduct a
preliminary inquiry into the circumstances surrounding an actual
or possible compromise. The findings of this inquiry, undertaken
to determine if a compromise did occur, are to be given to the
PRRMS Director for evaluation.
E. INVESTIGATION
The PRRMS Director may direct the OAQPS DCO to conduct a
full investigation based on the results of the preliminary
inquiry. An investigation shall include the following:
• A complete identification of each item of classified
information involved.
• A thorough search for the CBI.
71
-------�
• Identification of any persons or procedures responsible for
the compromise.
• A statement that a compromise did occur, may have occurred,
or did not occur, and an estimate of the risk of damage to
the affected business.
• A thorough discussion of all facts uncovered.
F. REPORTS AND FINDINGS
Investigative reports shall include, if possible, the
document date, subject, name and address of the originator, and a
description of the material.
1 . Finding of No Damage
If it is determined that compromise could not
reasonably be expected to cause identifiable damage to the
affected business the report of the preliminary inquiry will be
sufficient to resolve the incident and, if appropriate, support
the administration of disciplinary action.
2 . Lost
If a document is lost or missing, the report should
include the time, date, surrounding the loss; and the steps taken
to locate the material. If possible, the person responsible for
the loss should be identified.
3 . Compromise
Where a compromise is believed to have occurred, a
narrative statement by the WAM/TOPO should detail the
circumstances, the identity of the unauthorized person (s) who had
or may have had access to the material, the steps taken to
determine whether a compromise did in fact occur, and the WAM ' s
evaluation of the importance of the material.
4. Finding of Damage
If it is determined that the probability of
identifiable damage to the affected company cannot be ruled out,
72
-------�
the PRRMS Director shall notify the affected business that the
materials claimed as CBI are not in account and that there is
reason to believe the information may have been disclosed to
individuals not authorized for access to it. Written notice to
the affected business must contain a description of the CBI in
question and the date of the disclosure.
G. RESULTING ACTIONS
After receiving an inquiry and/or investigation report, the
PRRMS Director will notify appropriate Division Directors of the
report findings and recommend actions in keeping with the EPA
Conduct and Discipline Order. Division Directors are responsible
for imposing punitive measures as deemed necessary.
1. Violations Subject to Punitive Measures
Employees may be subject to punitive measures if they
do any of the following:
• Compromise CBI through negligence;
• Knowingly and willfully violate any provisions of this
manual; or
• Knowingly and willfully, and without authorization, disclose
properly classified CBI.
2. Punitive Measures
Punitive measures for security violations include, but
are not limited to, warning notice, admonition, reprimand,
termination of authorization for access to CBI, suspension
without pay, forfeiture of pay, removal, discharge, or legal
charges. These measures will be imposed in accordance with
applicable law and EPA regulations.
73
-------�
SECTION XIII.
CAA CBI DEFINITIONS
Access: The ability and opportunity to gain knowledge of CAA
CBI in any manner whatsoever. Access to CAA CBI by individuals
not authorized according to procedures in Section VI must be
reported as a security violation.
Affected Business: Any providing organization that could be
affected adversely by the unauthorized disclosure of its CAA CBI.
Authorized Person-. Any person duly authorized pursuant to
OAQPS procedures to have access to CAA CBI.
CAA CBI Control Number: Unique number assigned by the OAQPS
DCO to any document received or generated that contains CAA CBI.
The number consists of a least ten digits (e.g., 98111-C02-09).
The first five digits are the fiscal year and project
identification number; first two numbers are the fiscal year and
next the three numbers are assigned for each specific project
(e.g., 98111); the next three digits identify the responsible
group and WAM/TOPO (e.g., C03); and the last digit refers to the
number of documents submitted to the CBIO from the employee on
the specific project.
Confidential Business Information: Any documentary or
nondocumentary information, in any form, received by OAQPS from a
person, firm, partnership, corporation, association, or local,
State or Federal agency that relates to trade secrets or
commercial or financial information and that has been claimed as
confidential by the person submitting it under the procedures in
40 CFR, Part 2, Subpart B.
Contractor: Any person, association, partnership,
corporation, business, educational, institution, governmental
body or other entity that performs work under a contract with the
United States Government.
74
-------�
Contracting Officer (CO): EPA delegated official with the
authority to enter into contracts on behalf of the EPA. The CO
has sole authority to sign contracts, obligate funds for a
contract, issue work assignments, modify contract terms or
conditions, and terminate a contract.
Custody: Formal responsibility for controlling access to CAA
CBI according to the procedures found in this manual.
Derivative CBI: Confidential Business Information created by
incorporating, paraphrasing, restating, or generating a new form
of the information.
Document: Any recorded information regardless of its physical
form or characteristics, including, without limitation, written
or printed materials; data processing cards, disks, and tapes;
maps; charts; photographs; paintings; drawings; engravings;
sketches; working notes and papers; reproductions of such items
by any means or processes; and sound, voice, or electronic
recordings in any form.
OAQPS CBI Office: Secured interior room at OAQPS headquarters
where all CAA CBI is stored.
OAQPS Document Control Officer: A Government employee
designated by the PRRMS Director to oversee the OAQPS CAA CBI
program.
Document Tracking System: A system to account for the
location or disposition of CAA CBI materials. Materials in a
Document Tracking System are assigned unique numerical
identifiers, or CBI control numbers, and their locations are
tracked through manual or automated logs or records of receipt,
usage, and transfer.
Employee: Any person employed by EPA on a full-time or part-
time basis in accordance with the procedures of the Office of
Personnel Management. (This definition does not include
contractors, grantees, or their employees.)
75
-------�
Federal Agency: Any organization or entity composed of United
States officers or employees except for Federal courts and
Congress.
Holder: A Federal employee or OAQPS contractor employee who is
authorized access to specific CAA CBI, and is currently in
possession of the CAA CBI.
Original CBI: Confidential business information in its
original form as submitted by a providing organization or as
recorded during a visit to the providing organization.
Project Officer (PO): EPA's primary technical representative
of the CO for a contract. Responsibilities include: evaluating
contractor proposals; assisting in writing statement of work;
reviewing contractor progress reports; reviewing contractor
requests and recommending approval or disapproval to the CO; and
assisting the CO in the resolution of problems associated with
contractor performance.
Specific CAA CBI: Confidential business information
collected for an individual project or work assignment/task order
under a contract.
Subcontractor: A contractor that provides a portion of the
level of effort on an OAQPS contract through a contractual
agreement with the OAQPS prime contractor. The EPA's contractual
agreement is with the prime contractor, not the subcontractor.
Violation: The failure to comply with any provision of these
procedures, whether or not such failure leads to actual
unauthorized disclosure of CAA CBI.
Work Assignment Manager/Task Order Project Officer
(WAM/TOPO) : An EPA program official who monitors a specific
work assignment written under a contract. The WAM/TOPO develops
the statement of work for specific work assignments or task
orders and monitors the technical performance of the contractor.
76
-------�
SECTION XIV.
GLOSSARY OF ACRONYMS
ACRONYMS
AAL
ADP
CAA
CBI
CBIO
CDCA
CDCO
CFR
CWA
DCA
DCO
EPA
FEMA
FIFRA
GAO
OAQPS
LAN
OIG
Authorized Access List
Automatic Data Processing
Clean Air Act
Confidential Business Information
Confidential Business Information Office
Contractor Document Control Assistant
Contractor Document Control Officer
Code of Federal Register
Clean Water Act
Document Control Assistant
Document Control Officer
United States Environmental Protection Agency
Federal Emergency Management Agency
Federal Insecticide, Fungicide and
Rodenticide Act
General Accounting Office
Office of Air Quality Planning and Standards
Local Area Network
Office of the Inspector General
77
-------�
OGC
OSW
PC
PRRMS
RCRA
TSCA
WAM/TOPO
Office of General Counsel
Office of Solid Waste
Personal Computer
Planning, Resources & Regional Management
Staff
Resource Conservation and Recovery Act
Toxic Substances Control Act
Work Assignment Manager/Task Order Project
Officer
78
-------�
SECTION XIV.
APPENDICES
APPENDIX TITLE
A Authorization for Access to CAA CBI for
Federal Employees, CAA CBI Form 2
Authorization for Access to CAA CBI for
Contractor Employees, CAA CBI Form 3
B Confidentiality Agreement for United States
Employees Upon Relinquishing CAA CBI Access
Authority, CAA CBI Form 4
Confidentiality Agreement for Contractor
Employees Upon Relinquishing CAA CBI Access
Authority, CAA CBI Form 5
C Memorandum of CAA CBI Telephone Conversation,
CAA CBI Form 6
D CAA CBI Meeting Sign-In Sheet, CAA CBI Form 7
E CAA CBI Markings
F CAA Confidential Business Information Cover
Sheet, CAA CBI Form 8
Pending CAA Confidential Business Information
Cover Sheet, CAA CBI Form 9
G Request, Approval, and Registration for CAA
CBI Computer Access, CAA CBI Form 10
H Request for Approval of Contractor Access to
CAA CBI, CAA CBI Form 11
Contractor Information Sheet-Contractor CAA
CBI Access/Transfer, CAA CBI Form lla
79
-------�
I CAA CBI Inventory Log, CAA CBI Form 12
CAA CBI Pending Log, CAA CBI Form 13
J CAA Confidential Business Information Control
Record, CAA CBI Form 1
K CAA CBI Custody Receipt, CAA CBI Form 14
L Confidential Business Information Security
Agreement, CAA CBI Form 15
M Sample CAA CBI Transfer Letters
80
-------�
APPENDIX A
1. AUTHORIZATION FOR ACCESS TO CAA CBI FOR FEDERAL EMPLOYEES
FULL NAME
POSITION
SSN
OFFICE
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her
supervision who require access to CAA CBI:
1. Sign the Confidentiality Agreement for EPA Employees
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
SIGNATURE OF AUTHORIZING OFFICIAL*
TELEPHONE NO.
DATE
TITLE
LOCATION
II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES
I understand that I will have access to certain Confidential Business Information submitted to EPA or
its authorized representatives under the Clean Air Act (CAA). This access is granted in accordance
with my official duties as an employee of the Environmental Protection Agency.
I understand that CAA CBI may not be disclosed except as authorized by CAA and Agency
regulations. I understand that I am liable for a possible fine of up to $1,000 and/or imprisonment for
up to 1 year if I willfully disclose CAA CBI to any person not authorized to receive it. In addition I
understand that I may be subject to disciplinary action for violation of this agreement with penalties
ranging up to and including dismissal.
I agree that I will treat any CAA CBI furnished to me as confidential and that I will follow the
procedures set forth in the CAA Confidential Business Information Security Manual.
I have read and understand these procedures.
SIGNATURE
TELEPHONE NO.
DATE
III. HAVING COMPLETE REQUIRED TRAINING AND PASSED REQUIRED
TEST, THE ABOVE-NAMED EMPLOYEE IS HEREBY AUTHORIZED TO HAVE
ACCESS TO CAA CBI.
SIGNATURE DCO
TELEPHONE NO.
DATE
* Must be Division Director (or equivalent) or above.
CAA CBI Form 2 (Rev. 9/98)
81
-------�
APPENDIX A
FULL NAME
SSN
POSITION
CONTRACTOR
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
1. AUTHORIZATION FOR ACCESS TO CAA CBI FOR CONTRACTOR EMPLOYEES
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her
supervision who require access to CAA CBI:
1. Sign the Confidentiality Agreement for EPA Employees
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
II. CONFIDENTIALITY AGREEMENT FOR CONTRACTOR EMPLOYEES
I understand that I will have access to certain Confidential Business Information submitted to EPA or
its authorized representatives under the Clean Air Act (CAA). This access is granted in accordance
with my official duties as an employee of the Environmental Protection Agency contractor.
I understand that CAA CBI may not be disclosed except as authorized by CAA and Agency
regulations. I understand that I am liable for a possible fine of up to SI ,000 and/or imprisonment for
up to 1 year if I willfully disclose CAA CBI to any person not authorized to receive it. In addition I
understand that I may be subject to disciplinary action for violation of this agreement with penalties
ranging up to and including dismissal.
I agree that I will treat any CAA CBI furnished to me as confidential and that I will follow the
procedures set forth in the CAA Confidential Business Information Security Manual.
I have read and understand these procedures.
SIGNATURE
TELEPHONE NO.
DATE
III. HAVING COMPLETE REQUIRED TRAINING AND PASSED REQUIRED
TEST, THE ABOVE-NAMED EMPLOYEE IS HEREBY AUTHORIZED TO HAVE
ACCESS TO CAA CBI.
SIGNATURE CONTRACTOR DCO
TELEPHONE NO.
DATE
* Must be Contractor Management
CAA CBI Form 3 (Rev. 9/98)
82
-------�
APPENDIX B
US Environmental Protection Agency
Washington, DC 20460
\ \W^ £ Confidentiality Agreement for Federal Employees
%. PROT^ Upon Relinquishing CAA CBI Access Authority
In accordance with my official duties as an employee of the United States, I have had access
to. Confidential Business Information under the Clean Air Act (CAA) (42 U.S.C. 1857 et
seq.). I understand that CAA Confidential Business Information may not be disclosed except
as authorized by CAA or Agency regulations.
I certify that I have returned all copies of any materials containing CAA Confidential Business
Information in my possession to the OAQPS CBI Office.
I agree that I will not remove any copies of materials containing CAA Confidential Business
Information from the premises of the Agency upon my termination or transfer. I further agree
that I will not disclose any CAA Confidential Business Information to any person after my
termination or transfer.
I understand that as an employee of the United States who has had access to CAA Confidential
Business Information, under 18U.S.C. 1905,1am liable for a possible fine of up to $1,000
and/or imprisonment for up to one year if I willfully disclose CAA Confidential Business
Information to any person.
If I am still employed by the United States, I also understand that I may be subject to
disciplinary action for violation of this agreement.
I am aware that I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made
any statement of material facts knowing that such statement is false or if I willfully conceal
any material fact.
Name (Please type or print)
SSN
Signature
Date
CAA CBI Form 4 (Rev. 6/95)
83
-------�
APPENDIX B
\
O
Environmental Protection Agency
Washington, DC 20460
CONFIDENTIALITY AGREEMENT FOR
CONTRACTOR EMPLOYEES UPON
RELINQUISHING CAA CBI ACCESS AUTHORITY
Name of Employer
Contract Number
As an employee of the contractor/subcontractor named above performing work for the United
States Government, I have been authorized access to Confidential Business Information (CBI)
submitted under the Clean Air Act (CAA) (42 U.S.C. 1857 et.seq.). This access authority was
granted to me in order to perform my work under the contract number cited above.
I understand that CAA CBI to which I have had access under the contract may not be used for
any purposes other than for performing the contract. I also understand that CAA CBI may not
be disclosed except as authorized by CAA or EPA regulations.
I certify that I have returned all copies of CAA CBI materials in my possession to my
company Document Control Officer.
I agree that I will not remove any copies of materials containing CAA CBI from the premises
of my company or from EPA premises upon my relinquishment of CAA CBI to any person
after my relinquishment of CAA CBI access authority.
I understand that as a contractor employee who has been authorized access to CAA CBI, I may
face criminal prosecution if I willfully disclose CAA CBI to any person.
If I am still employed by the contractor, I also understand that I may be subject to disciplinary
action for violation of this agreement.
I am aware that I may be subject to criminal penalties under 18 USC Section 1001 if I have
made any statement of material facts knowing that such statement is false or I willfully
conceal any material fact.
NAME (Please type of print)
Social Security Number
Signature
Date
CAA Form 5 (Rev. 6/95)
-------�
APPENDIX C
US Environmental Protection Agency
Washington, DC 20460
MEMORANDUM OF CAA CBI
TELEPHONE CONVERSATION
I. EMPLOYEE IDENTIFICATION
Name of Employee
Date
Organization
Time
II. SECOND PARTY IDENTIFICATION
Call is:
D To
D From
Name
Number
Organization
III. Concerning What CAA CBI?
IV. Content of Conversation: (CONTINUE ON SEPARATE SHEET)
CAA CBI Form 6 (Rev. 6/95)
85
-------�
APPENDIX D
v^fcD sr/,^ U.S. Environmental Protection Agency
>> ^. Washington, DC 20460
1" ^J^ ^
*S£*i ^
\ X5EZ ® CAA CBI MEETING SIGN-IN SHEEET
^ ^^••1^^^ >
%> ^
^ PRO^-0
CHAIRPERSON
MEETING PLACE (ROOM, BUILDING, CITY, STATE)
DATE
TIME
SUBJECT OF MEETING
NAME (Print)
Signature
ORGANIZATION
-
THIS SIGN-IN SHEET MUST BE GIVEN TO THE CBI MANAGER
CAA CBI Form 7 (Rev. 6/95)
86
-------�
APPENDIX E
CAA CBI MARKINGS
"SUBJECT TO CONFIDENTIALITY CLAIM"
"TO BE OPENED BY ADDRESSEE ONLY"
"CBI -- CONFIDENTIAL BUSINESS INFORMATION"
"DETERMINED CONFIDENTIAL BY OAQPS"
"DESTROYED BY / DATE
87
-------�
APPENDIX F
Contractor Control No.:
EPA Control No.:
Copy No.:
CAA
CONFIDENTIAL
BUSINESS INFORMATION
The attached document contains data claimed to be confidential business information (CBI)
under the authority of the Clean Air Act (CAA) as amended (42 U.S.C. 7401,7411, 7412,
7414, 7416, 7601). CBI may not be disclosed or copied for release to another party. Any
excerpts or summaries must also be treated as CBI. If you willfully disclose CAA CBI to any
person not authorized to receive it, you may be liable for a disciplinary action with penalties
ranging up to and including dismissal. In addition, disclosure of CAA CBI or violation of
security procedures may subject you to a fine of up to $1,000.00 and/or imprisonment for up
to one year.
DO NOT DETACH
CAA CBI Form 8 (Rev. 6/95)
-------�
APPENDIX F
Contractor Control No.
EPA Control No.:
Copy No.:
CAA
CONFIDENTIAL
BUSINESS INFORMATION
PENDING
The attached document contains data claimed to be confidential business information (CBI)
under the authority of the Clean Air Act (CAA) as amended (42 U.S.C. 7401, 7411, 7412,
7414, 7416, 7601). CBI may not be disclosed or copied for release to another party. Any
excerpts or summaries must also be treated as CBI. If you willfully disclose CAA CBI to any
person not authorized to receive it, you may be liable for a disciplinary action with penalties
ranging up to and including dismissal. In addition, disclosure of CAA CBI or violation of
security procedures may subject you to a fine of up to $1,000.00 and/or imprisonment for up
to one year.
DO NOT DETACH
CAA CBI Form 9 (Rev. 6/95)
89
-------�
APPENDIX G
\
U.S. Environmental Protection Agency
Washington, DC 20460
Request, Approval, and Registration
for CAA CBI Computer Access
I. Request for CAA CBI Computer Access
Name (Last.Firsl,MI)
2 Requestor (Oflice/Division/Branch)
3 System and Data Base to Be Accessed
4. Describe fully the duties that require access to each system
5 Signature of Requesting Official (Division Director or above)
6 Date
II. Computer Room DC A Approval
1 Date Received
2. Signature of Computer Room DC A
III. DCO Approval
1 Date Received
2. Holds Current CAA CBI Access
D Yes D No
3 Approved
n Yes DNo (Explain
On back)
4 Signature DCO
CAA CBI Form 10 (Rev 6/95)
90
-------�
APPENDIX H
\v/
U.S. Environmental Protection Agency
Washington, DC 20460
REQUEST FOR APPROVAL OF
CONTRACTOR ACCESS TO CAA CBI
Requesting Official
Signature
Date
Title and Office
Contractor and contract number
EPA Project Officer
EPA Contracting Officer
; L Brief DescripttoB:0f «H3fr£ct, ::jncludmg purpose, scope,:.lengJh, and other jjnportarii details^
.. •-.....':.. : (Cpntajuadon
What CAA CBI Will tjereqaifeiJ, And Why?
(Contiauedoa bade if necessary)
Approved (Signature)
Date
CAA CBI Form 11 (Rev. 6/95)
91
-------�
APPENDIX H
CONTRACTOR INFORMATION SHEET
CAA CBI ACCESS/TRANSFER
1. Contractor
2. Address :
3. Contract #:
4. Is this a renewal of a previous contract? Yes D No D
5. Previous contact number:
6. EPA Project Officer
7. EPA Contracting Officer
8. EPA Work Assignment Manager:
Phone: Room: Mail Code:.
9. Contractor Project Officer:
10. Description of duties to be performed by contractor that require CAA CBI access:
11. Type(s) of data to be transferred/disclosed:
12. Will CBI be transferred offsite under this contract? Yes D No D
13. If so, to where?
14. Have contractor security plan and facilities been approved by the OAQPS DCO? Yes D No D
15. If so, date of test site inspection:
16. Date access scheduled to commence:
17. Contract expiration date:
18. Is computer CBI access needed under this contract? Yes D No D
19. Has computer access been approved? Yes D No D
CAA CBI Form 1 la (Rev. 6/95)
92
-------�
APPENDIX I
O
O
bO
.2
"S
110 I
g
o
Qi
P
C
U,
5
u
<
<
u
93
-------�
APPENDIX I
o
o
U
U
S B
C c3
§ D
T3
U
D
o
o.
e
.2
'D.
o
pi
o
>
p
CBI
Control Numbe
0
o
tJ-
00
U
U
94
-------�
APPENDIX J
CAA CONFIDENTIAL BUSINESS INFORMATION
CONTROL RECORD
DATE RECEIVED:
DATE OF DOCUMENT:
RESPONSIBLE GROUP:
CONTROL NUMBER:
DOCUMENT AUTHOR:
DESCRIPTION (PROVIDING ORGANIZATION, TITLE, SUBJECT, NUMBER OF COPIES, NUMBER OF PAGES)
RETURN DATE:
EACH PERSON WHO IS GIVtN ACCESS
DESTRUCTION DATE:
INITIALS:
TO THIS DOCUMENT MUST FILL IN THE INFORMATION BELOW.
CHECK-OUT
SIGNATURE
DATE
TIME
CHECK-IN
SIGNATURE
DATE
TIME
CAA Form 1
95
-------�
APPENDIX K
US Environmental Protection Agency
Office of Air Quality Planning and Standards
CBI Office (MD-11)
Research Triangle Park, NC 27711
DATE:
SENT VIA:
RECEIPT NO:
PROJECT:
CONTACT:
CAA CBI CUSTODY RECEIPT
TO:
FROM: Document Control Officer
Ms Melva W Toomer
U.S. EPA/OAQPS/PRRMS/CBIO
MD-11
Research Triangle Park, NC 27711
INSTRUCTIONS:
1. Original of this receipt to be signed by recipient and returned to sender.
2. Duplicate of this receipt to be retained by recipient.
CBI CONTROL NO.
COPY NO.
DESCRIPTION OF MATERIAL
I have personally received material, enclosures, and attachments as identified above I assume full
responsibility for the safe handling, storage, and transmittal of this material in accordance with existing
Confidential Business Information regulations.
DATE RECEIVED:
SIGNATURE OF RECIPIENT:
CBI Form 14 (Rev. 9/98)
96
-------�
-------�
APPENDIX L
CONFIDENTIAL BUSINESS INFORMATION
SECURITY AGREEMENT
In requesting information claimed to be business confidential
from the Office of Air Quality Planning and Standards, I agree
to safeguard this information according to [ Name of
Agency ]'s procedures comparable to EPA's procedures for
handling Confidential Business Information as found in 40 CFR,
Part 2, Subpart B, Confidentiality of Business Information. I
further agree that access will be limited to only those persons
in our organization having a "need to know, " that the
information will be kept in a secure storage contained (e.g., a
lockable file cabinet) while it is in our custody, that a
record of persons accessing the information be maintained, and
that it will be returned to OAQPS at the conclusion of our
project.
Name, Title (Please Type or Print)
Signature Date
CAA CBI Form 15 (Rev. 6/95)
97
-------�
APPENDIX M
LETTER TO CAA CBI REQUESTERS OUTSIDE OAQPS
Mr. Agency Official
Director, Planning Division
Some Government Agency
1168 14th Street
Washington, D.C.
Dear Mr. Agency Official:
(Cite the name of local contact or letter of request) indicates that you want a copy of
certain information in our Confidential Business Information (CBI) files. Please be advised that
our long-standing policy is to release CBI to only those persons duly authorized to have access.
Since we have not previously granted clearance for access to Clean Air Act (CAA) information
to you or anyone in your organization, we request assurance that this information will be handled
according to applicable federal regulations. To provide a record of your agreement to safeguard
the information, we require that you sign and return the accompanying CBI Security Agreement.
We will release the requested information to you upon receipt of this agreement.
Sincerely,
leva G. Spons, Director
Planning, Resources and
Regional Management Staff
Enclosures
98
-------�
APPENDIX M
LETTER TO ACCOMPANY CAA CBI TRANSFERRED
OUTSIDE OAOPS
Mr. Agency Official
Director, Planning Division
Some Government Agency
1108 14th Street
Washington, D.C. 20460
Dear Mr. Agency Official:
Your security agreement associated with the request for access to (describe information)
has been received. We are therefore releasing the enclosed Confidential Business Information to
your custody. Please sign the attached Custody Receipt and return it to:
Melva W. Toomer, OAQPS Document Control Officer
U.S. Environmental Protection Agency
Office of Air Quality Planning & Standards
Planning, Resources & Regional Management Staff (MD-11)
Research Triangle Park, NC 27711
Sincerely,
leva G. Spons, Director
Planning, Resources and
Regional Management Staff
Enclosures
99
-------�
APPENDIX M
SAMPLE
TRANSFER LETTER TO PROVIDING FACILITIES
Name of recipient
Title of Recipient
Recipient's Address
Dear Mr. Noel:
Thank you for your efforts in coordinating a visit to the Name of the facility, address,
and date. The U.S. Environmental Protection Agency (EPA) appreciates the time you spent
discussing the manufacturing process at your facility.
Enclosed is a draft of the trip report that has been prepared based on the information
obtained during our site visit. We would appreciate irour reviewing the report for any errors or
omissions. You may return the enclosed copy of the report with your written comments. Since
this report will eventually become a part of the public record, we want to portray your operations
as accurately as possible. A copy of the final version of the report incorporating your comments
will be sent to you for your records.
The custody receipt for the trip report is also enclosed. Please sign and date the form to
acknowledge receipt of the report and return a copy of the form to the Document Control Officer,
Planning, Resources and Regional Management Staff (MD-11), U. S. Environmental Protection
Agency, Research Triangle Park, North Carolina 27711.
If you believe the disclosure of any specific information contained in the trip report
would reveal trade secrets or other confidential information, you should clearly identify-the
specific information. Please do not label the entire report "confidential" if only certain portions
consist of trade secret information. If the EPA determines that there is a need to disclose such
information, we will need, at that time, the following to support your claim:
1. Measures taken by Name of facility to guard against undesired disclosure of the
specific information to others;
2. The extent to which the specific information has been disclosed to others and the
precautions taken in connection therewith;
3. Pertinent confidentiality determinations, if any, by other Federal agencies (furnish a
copy of any such determination, or references to it, if available); and
100
-------�
4. Whether Name of facility asserts that disclosure of the specific information would be
likely to result in substantial harmful effects on facility Name's competitive position, and if so,
what those harmful effects would be, why they should be viewed as substantial, and an
explanation of the causal relationship between disclosure and such harmful effects.
Any specific information subsequently determined to constitute a trade secret will be protected
under 18 U.S.C. 1905. If no claim of confidentially accompanies the information when it is
received by EPA, it may be made available to the public by EPA without further notice (40 CFR
part 2.203, September 1, 1976). Any specific information subsequently determined to constitute
a trade secret will be protected under 18 U.S.C. 1905. However, all emission data will be
available to the public. A clarification of what EPA considers to be emission data is contained in
Enclosure 2.
We respectfully request that you submit your review comments on the trip report by date.
If you concur with the information contained in the report, we would appreciate a letter to that
effect. In addition. Please indicate in your letter the specific parts of the report, if any, that
Facility Name considers to be confidential. If we do not receive a response by date, the report
will be considered nonconfidential and accurate.
Thank you for your cooperation. The information supplied by Facility Name will be
most helpful in our study. If you have any questions, please call name of WAM/TOPO,
telephone number, or Contractor's name, company name and telephone number.
Sincerely,
Group Leader
Division
Enclosure
101
-------�
APPENDIX M
SAMPLE
TRANSFER LETTER TO PROVIDING FACILITY
Mr. Gordon Brown
Environmental Manager
State Paper Board
Post Office Box 9999
Whitehouse, Georgia 3 0913
Dear Mr. Brown:
Thank you for reviewing the trip report for the September 14, 1994 visit to the State
Paper Board Mill in Whitehouse, GA, by representatives from the U.S. Environmental Protection
Agency and Northwestern Research Institute (NRI). Your comments have been incorporated in
the enclosed final trip report.
The trip report includes a nonconfidential version plus a confidential addendum. The
confidential addendum consist of those items you identified as confidential business information
(CBI) in your February 7, 1998 letter. Unless we hear from you by April 19, 1998 with further
comments or corrections, we will treat the nonconfidential trip report and the confidential
addendum as final. In its final form, the nonconfidential trip report may be accessed by the
general public following proposal of the national emission standards for hazardous air pollutants
for combustion sources in the sand and paper industry. The confidential addendum can only be
accessed by those authorized to view C AA CBI pertaining to the sand and paper industry.
If you have any questions or additional comments, please contact Mr. John Smith of my
staff at (919) 541-9999 or Ms. Sally Sue of NRI at (919) 685-1234 (ext. 349). Thank you for your
cooperation.
Sincerely,
Group Leader
(Name) Specific Group
Enclosures
102
-------�
U S Environmental Protection Agency
Region 5, Library (PI.-12J)
77 West Jackson Boulevard, 12tn floor
Chicago, !L 60604-3590
-------� |