United States
 Environmental Protection
 Agency
Office of Air Quality
Planning and Standards
Planning, Resources & Regional
Management Planning Staff (MD-11)
Research Triangle Park, NC 27711
                                EPA 450/B-98-001 *
                                August 1998 Edition
        CLEAN  AIR ACT
CONFIDENTIAL  BUSINESS
          INFORMATION
      SECURITY  MANUAL

-------
                              EPA 450/B-98-001
    CLEAN AIR ACT
    CONFIDENTIAL
    BUSINESS
    INFORMATION
    SECURITY MANUAL
                     U.S. Environmental Protection Agency
                     Region ii.libi-ary (PL-12J)
                     77 West Jackson Boulevard, 12th Floor
                     Chicago, II 60604-3590
U.S. Environmental Protection Agency
Office of Air Quality Planning and Standards (MD-11)
Research Triangle Park, NC 27711
August 1998 (Revised Version)

-------
                       TABLE  OF CONTENTS
I.     PURPOSE, SCOPE, AUTHORITY, & RESPONSIBILITY	   1
      A.    Purpose	   1
      B.    Scope	   2
      C.    Policy	   2
      D.    Authority	   2
      E.    Responsible Officials	   3
            1.    Director, OAQPS	   3
            2.    Director, Planning, Resources and Regional
                  Management Staff (PRRMS)	   3
            3.    OAQPS Document Control Officer	   4
            4.    OAQPS Documents Control Assistants	   6
            5.    OAQPS Division Directors	   6
            6.    OAQPS Program Project Officers	   6
            7.    OAQPS Group Leaders	   7
            8.    OAQPS Work Assignment Manager/Task Order
                  Project Officer (WAM/TOPO)	   8
            9.    Employees	   9
            10.   Contractor Document Control Officers	  10

//.    EDUCATION AND TRAINING	  13
      A.    Overview	  13
      B.    Initial Briefing	  13
      C.    Annual Briefing	  13
      D.    Terminal Briefing	  14

///.   ACCESS TO SPECIFIC CAA CBI	  15
      A.    Overview	  15
      B.    General Access Requirements	  15
      C.    Employee Access	  15
            1.    Procedures	  15
            2.    Authorized Access Lists	  17
      D.    Withdrawal Of Clearance	  20
            1.    Periodic Review	  20
            2.    Removal From Access Lists	  20
      E.    Contractor Employee Access	  21
            1.    Prerequisite	  21
            2.    Conditions	  21
            3.    Obtaining Approval	  22

-------
            4.     Security Plan	  22
            5.     Contractor DCO/DCA Requirement	  26
            6.     Completion of Contracts, Work Assignments or
                  Task Orders	  26
            7.     Authorized Access Lists	  26
            8.     Withdrawal of Access	  27
      F.    Subcontractor/Consultant Access	  27

IV.   RECORDS MANAGEMENT FOR CAA CBI	  30
      A.    Overview	  30
      B.    Intent	  30
      C.    OAOPS CAA CBI Records Management System	  30
            1.     OAQPS CAA CBI Automated Tracking System	  31
            2.     CAA CBI Control Record	  32
            3.     Cover Sheets	  32
            4.     Custody Receipts	  32
            5.     Pending Log	  32
            6.     Inventory	  33
      D.    Obtaining CBI Documents	  33
      E.    OAOPS CAA CBI Document Control Numbers	  34
      F.    Creating CBI Documents	  34
            1.     Working Papers	  34
            2.     Typing/Word Processing Requirements	  35
            3.     Use in Meetings	  35
      G.    Creating Non CBI Documents	  36
            1.     Deleting or Replacing CBI	  36
            2.     Masking or Aggregating CBI	  36
            3.     Dropping CBI Claim	  36
      H.    Relinquishing Of CAA CBI Status	  37
            1.     Original CAA CBI	  37
            2.     CBI Created by OAQPS	   37
      I.     Determining Claim To Validity	   38
      J.     Reproduction	  38
            1.     CBI Material	   38
            2.     Equipment	  38
            3.     Broken Equipment	   39
      K.    CDCO Record Management Responsibilities	  39
            1.     CAA Control Numbers	   39
            2.     CAA CBI Inventories	  39
            3.     Reproduction	  40

V.    DISCLOSURE OF CAA CBI  	  41
      A.    Overview	  41

                                      ii

-------
      B.    Disclosure To Other Federal. State Or Local
             Agencies	  41
             1.     Non-disclosure Agreement	  42
            2.     Notice to Affected Businesses	  43
             3.     Before Approval	  43
            4.     Before Disclosure	  43
      C,    Disclosure To EPA Contractors And Subcontractors	  44
      D.    Discussing CBI On The Telephone	  44
             1.     Telephone Memorandum	  44
            2.     Telephone Calls with Providing Organizations	  44
      E.     CAA CBI Disclosed At Meetings	  45
             1.     Access	  45
            2.     Chairperson's Duties	  46
             3.     Chairperson's Limitations	  46
            4.     Notes or Recordings	  46
             5.     Safeguarding	  46
             6.     Controls	  47

VI.   CATEGORIES OF CAA CBI	  48
      A.     Overview	  48
      B.     Original CBI	  48
      C,    Derivative CBI	  48

VIL   CAA CBI MARKINGS	  49
      A.     Overview	  49
      B.     CBI Stamps	  49
      C.     Computer Output	  49
      D.    Special Categories Of Materials	  49
             1.     Charts, Maps, and Drawings	  49
             2.     Photographs, Films, and Recordings	  50
             3.     CAA CBI Waste	  50

VIIL  TRANSFERRING CUSTODY OF CAA  CBI	  51
      A.     Overview	 51
      B.     Transferring CAA CBI To EPA Contractors and
            Providing Plants/Facilities	  51
      C     Transferring CAA CBI from Contractors to OAQPS	  52
      D.     Transferring CAA CBI to Government and State Agencies
             Outside OfOAOPS	  52
      E.     Confidential Business Information Security Agreement	  53
      F.     Preparation And Packaging	 53
             1.     Inner and Outer Covers	 53
             2.     Addressing	 54

                                       iii

-------
             3.     Packaging	  54
      G.     Custody Receipt	  54
      H.     Transfer Methods	  54
             1.     Hand Carrying	  55
             2.     Registered Mail	  56
             3.     Couriers and Express Mail	  56

IX.   STORAGE OF OAQPS CAA CBI	  57
      A.     Overview	  57
      B.     Intent	  57
      C.     Storage Equipment Specifications	  57
      D.     Procedures For Lock Combinations	  57
             1.     Changing Combinations	  58
             2.     Granting Access to Combinations	  58
      E.     Evacuation Procedures	  58
      F.     Safeguarding CAA CBI in the Event of a Disaster	  58
             1.     Prevention	  59
             2.     Preparedness	  59
             3.     Response	  60

X.    CAA CBI COMPUTER SECURITY	  61
      A.     Overview	  61
      B.     Directives	  61
      C.     Basic Security Requirement	  62
             1.     Security Mode	  62
             2.     Authenticity and Verification	  62
             3.     Remote Operation	  62
             4.     Users Requirements	  62
             5.     Visitors	  63
      D.     CBI Computer Room	  63
      E.     Safeguarding CBI During Personal Computer Use	  64
             1.     Computer Storage Media	  64
             2.     Terminating a CBI Computer Session	  64
             3.     Use of aPrinter	  65
      F.     System Security Software For Multi-User System	  65
             1.     User Authority	  65
             2.     Event Record	  66
      G.     General Procedures	  66
             1.     Checkout	  66
             2.     User Privileges  (Multi-year system only)	  66
             3.     CBI Computer Room DCA	  67
             4.     Back-up Files	  67
             5.     Transmission	  67

                                        iv

-------
      H.     Destruction and Release Of Data Media	  67
             1.     Magnetic Storage	  67
             2.     Rigid Magnetic Storage Media	  68
      /.      Security Plan	  68
      J.      Risk Analyses	  68

XI.   DISPOSAL AND DESTRUCTION	  69
      A.     Overview	  69
      B.     Intent	  69
      C.     Notice of Intent to Destroy	  69
      D.     Original CBI	  69
      E.     Derivative CBI	  70
      F.     CBI Waste	  70
      G.     Records of Destruction	  70
      H.     Methods of Destruction	  70

 XIL  CAA CBI SECURITY VIOLATIONS	  71
      A.     Overview	  71
      B.     Responsibility Of Discoverer	  71
      C.     Violations of This Manual	 71
      D.     Preliminary Inquiry	  71
      E.     Investigation	  71
      F.     Reports And Findings	 72
             1.     Finding of No Damage	  72
             2.     Lost Documents	 72
             3.     Compromise	  72
             4.     Finding of Damage	  72
      G.     Resulting Actions	 73
             1.     Violations Subject to Punitive Measures	 73
             2.     Punitive Measures	 73

XIII.  CAA CBI DEFINITIONS	 74
XIV.  GLOSSARY OF ACRONYMS	 77
XV.  APPENDICES	 79
                                        v

-------
                           LIST OF FIGURES

Figure                                                                      Page

1.     Steps for Obtaining Access to CAA CBI	 16
2.     Sample Specific Access Letter (Single Projects)	 18
3.     Sample Specific Access Letter (Multiple Projects)	 19
4.     Contractor Steps for Obtaining Access to CAA CBI	 23
5.     Contractor Request for Access to Specific CAA CBI	 24
6.     Sample Letter for Subcontractor or Consultant Designation
        (Notice to Industry)	 28
                                       VI

-------
                         SECTION  I.
      PURPOSE,  SCOPE,  POLICY,  AUTHORITY  &
                      RESPONSIBILITY
A.   PURPOSE
      The procedures in this manual provide Federal,
 contractor, and subcontractor employees with the information
 necessary to utilize Confidential Business Information to
 perform their assigned duties without violating applicable
 Federal regulations protecting the rights of its owners.
     The purpose of this manual  is to set  forth policies and
procedures for Federal,  contractor,  and subcontractor employees
to follow in the handling of information claimed  as Confidential
Business Information (CBI),  obtained under Section 114 of the
Clean Air Act (CAA),  and governed by U.S.  Environmental
Protection Agency (EPA)  regulations at 40  Code of Federal
Regulations  (CFR),  Part  2,  Subpart B,  and  other EPA regulations
and policies.  CBI  collected under the authority  of other
environmental legislation is managed according to similar
applicable procedures.

     The need to safeguard CBI cannot be overstated.  Valid and
secure CBI procedures are essential to EPA's  decisionmaking and
therefore is required to effectively safeguard the environment.
Any compromise to CBI threatens  not only the  businesses providing
data, but also EPA's ability to  make,  implement and enforce
environmental policy, and ultimately,  the  communities that
benefit from that policy.  Therefore,  the  Office  of Air Quality
Planning and Standards (OAQPS)  has designed and implemented a
four-pronged security system to  ensure protection of CAA CBI and
at the same time permit  effective operations  of the OAQPS CBI
Office  (CBIO).   The CAA CBI security system consists of
controlled access,  document tracking,  training, and monitoring of
CAA CBI operations.

-------
B.    SCOPE

     This manual sets forth policies and procedures to manage and
safeguard CAA CBI.  Unless otherwise noted the phrase
"Confidential Business Information" or ("CBI" refers to Clean Air
Act Confidential Business Information only).

C.   POLICY

     As outlined in the provisions of Section 114 of the Clean
Air Act as amended, it is OAQPS'  policy to protect any
information claimed as confidential collected from 114
information requests and site visits by OAQPS personnel and
authorized contractors.  The information may be either
documentary information  (e.g.,  written responses to questions,
photographs, records or charts) or non-documentary (e.g.,  oral
communications,  taking of photographs,  or visual observations).
The providing organization may assert a claim of confidentiality
under the procedures established in 40 CFR Part 2 by noting such
claim on documentary and nondocumentary materials provided to
OAQPS.

     Any material or information claimed as confidential or trade
secret will be treated as confidential by OAQPS and its
contractors in accordance with its contract and provisions of 40
CFR Part 2.   Any material or information for which a claim of
confidentiality is NOT made may be made available to the public
by OAQPS without notice to the providing organization.

     Documents created by OAQPS or its contractors from
information collected from 114 responses or site visits will be
treated as pending CAA CBI until a determination is made
regarding the status by the providing organization, OAQPS, or the
Office of General Counsel  (OGC).

D.    AUTHORITY

     The policies and procedures found in this manual provide
guidance for compliance with the following Federal statutes and
regulations:

•    Clean Air Act as amended

-------
•    40 CFR,  Part 2, Subpart B
•    Freedom of Information Act
•    Privacy Act
•    EPA IRM Policy Manual, Chapter 8,  Information Security

E.    RESPONSIBLE OFFICIALS

     The responsibilities of OAQPS officials and personnel
concerning CAA CBI are outlined below.

     1.   Director, OAQPS

          The OAQPS Director or his designee has overall
responsibility for controlling CAA CBI  within the Office.  The
Director or Acting Director may delegate his/her authority to
perform security control functions.

     2.   Director, Planning, Resources & Regional Management
          Staff

          The Director, Planning, Resources & Regional Management
(PRRMS), has been delegated authority to direct and administer
the CAA CBI program for OAQPS.  In performing these duties, the
Director has authority for setting policies, standards,  and
procedures that ensure compliance with the laws and regulations
described in EPA IRM Policy Manual, Chapter 8. The Director
provides oversight, a security education program, and a security
assurance program for effective implementation of the OAQPS CAA
CBI program.   Specific responsibilities are to:

•    Advise the OAQPS Director on the OAQPS CBI CAA program,  as
     requested;

•    Approve initial contract access for OAQPS contractors to
     access CAA CBI; and

•    Review and approve all outside requests and transfers of
     OAQPS CAA CBI to other Federal and State agencies,  special
     circumstances.

Approval of contractor employee access to specific CAA CBI
documents is delegated to the OAQPS Group Leaders.

-------
     3.    OAQPS Document Control Officer

          The OAQPS Document Control Officer (DCO)  is directly
responsible to the PRRMS Director for implementing the CAA CBI
program.  The OAQPS DCO implements and monitors the activities of
the CBIO and provides guidance and technical direction as needed.
The following are responsibilities of the OAQPS DCO:

•    Ensures that OAQPS security procedures for handling CAA CBI
     are continually reviewed, updated,  and enforced;

•    Ensures compliance with the security education program and
     security assurance program;

•    Reviews security plans, procedures,  and inspects facilities
     of  EPA contractors handling and storing CAA CBI  files;

•    Reviews contractor employee CAA CBI security,  education and
     training programs;

•    Reviews CAA CBI access requests for contractors  and other
     Federal/State and Local agencies. (The PRRMS Director must
     approve requests for all initial contractor access);

•    Evaluates proposed system improvements;

•    Promptly conducts preliminary inquiries and investigations
     of  alleged procedural violations and reports findings to the
     PRRMS Director; and

•    Advises the PRRMS Director concerning appropriate actions
     for CAA CBI security violations.

•    Signs receipts for CAA CBI arriving and departing OAQPS;

•    Reviews documentation of all CAA CBI being transmitted from
     OAQPS;

•    Transmits CAA CBI to contractor upon the request of the work
     assignment manager/task order project officer (WAM/TOPO) or
     the responsible Group Leader;

-------
    Declassifies  or destroys  CAA CBI  material  after receipt of
    authorization from OGC, the owner,  WAM/TOPO,  or after the
    CBI  has  served its purposes;

    Briefs and debriefs all persons designated by Group Leaders
    as  requiring  access to CAA CBI.

    Keeps an Authorized Access List of  all  persons cleared for
    CAA CBI  access and a record of each person's  briefing
    status;

    Assigns  OAQPS CBI  control numbers,  attach  Control  Records
    and apply markings (when  applicable)  to all new CAA CBI
    documents and reproduce documents as required;

    Establishes,  maintains, and controls an automated  OAQPS CAA
    CBI  file system.   Logs in and out all CAA  CBI documents.
    Conduct  periodic inventories of all CBI documents  stored at
    the OAQPS CBIO or  contractor facilities;

    Maintains a tracking system to ensure that CBI transmitted
    to  other organizations is received;

    Prepares CBI  for mailing  to other Federal  agencies,  plants
    or  facilities,  and contractors when authorized and maintain
    records  of all such actions;

    Locks CBI in  appropriate  containers whenever  the information
    is  not in use or under the supervision of  cleared  personnel;

    Ensures  at the end of each day that all classified materials
    used during the day have  been returned to  the CBIO and are
    properly stored; and

    Monitors support staff providing  clerical  assistance to the
    CBIO.
    The CBI Office maintains "custody" of CAA CBI at all times
even when being accessed by authorized individuals.  Custody of
CAA CBI may only be transferred from one CBI Office to
another.

-------
     4.    OAQPS Document Control Assistants

          Document Control Assistants (DCA) are employees of
OAQPS in locations other than the Office of the Director, PRRMS
who are charged with implementing the OAQPS CBI program at their
location.  The OAQPS DCO oversees their activities and provides
guidance and technical direction as needed.

     5.    OAQPS Division Directors

          The responsible Division Director's responsibilities
are to:

•    Ensure that their employees comply with the procedures
     listed in this manual.

•    Approve all authorizations for their Division employees to
     access CAA CBI; and

•    Sign as requesting official for contractor employee access
     to CAA CBI.

     6.    OAQPS Program Project Officers

          The respective program project officers (POs)
responsibilities are as follows:

•    To notify the OAQPS DCO when a contract will require CAA CBI
     access and to serve as an interface between the OAQPS DCO,
     contractors,  WAM/TOPO and the EPA Contracting Officer;

•    To issue notification to the affected businesses via Federal
     Register notice at the start of a contract by identifying
     the contractor or subcontractor who will have access to CAA
     CBI submitted to OAQPS in performing their assigned duties;

•    Assists WAM/TOPO in preparing individual notification to
     affected businesses or industries on an as-needed-basis; and

•    Ensures compliance with all CBI procedures set forth in the
     applicable contract.

-------
     7.    OAQPS Group Leaders

          Group Leaders are responsible for ensuring that their
employees and contractors comply with the procedures listed in
this manual.   Group Leaders are responsible for the following
functions:

•    Designates EPA and contractor employees who need access to
     specific CBI associated with each project.  This
     responsibility may not be delegated, and authorizations made
     by formerly responsible Group Leaders will remain in effect
     until  access lists are reviewed and updated;

•    Ensures that Group employees and other persons whom they
     designate are qualified and authorized to access CBI
     utilizing procedures found in Section II-C;

•    Authorizes transfer of CAA CBI to providing companies,
     facilities or contractors.  The authority to transfer CAA
     CBI to all other outside organizations is reserved for the
     PRRMS  Director;

•    Ensures that any CBI the Group receives directly is sent
     immediately to the OAQPS CBIO;

•    Recommends to the PRRMS Director whether to release CBI to
     Congress, the Comptroller General, or other Federal agencies
     and ensure that releases are in accordance with Section
     2.209  of 40 CFR, Part 2;

•    Ensures that CBI is not used in publications or improperly
     released in any documents;

•    Authorizes necessary creation  (by summarization and masking)
     of nonCBI materials from CBI and review and approve those
     nonCBI materials prior to their release;

•    Cooperates with the OAQPS DCO in establishing and improving
     CBI safeguards, and implementing and maintaining CBI
     education and quality within their Groups; and

-------
    Reports cases of CBI  disclosures  or possible compromise to
    the OAQPS DCO and cooperate with  investigations conducted
    under the OAQPS CAA CBI  security  program.

    8.    OAQPS Work Assignment  Manager/Task Order Project
         Officer (WAM/TOPO)
     The OAQPS WAM/TOPO has primary responsibility for
ensuring that his/her contractors maintain control over
project related CAA CBI and adhere to prescribed procedures.
         OAQPS WAM/TOPOs are responsible for the following:

    Ensures that contractors and EPA employees working on
    his/her project comply with procedures in this manual and
    CBI procedures set forth in the applicable contract for  CBI
    related to his/her project;

    Analyzes technical aspects of all project work written or
    otherwise created and determine whether CBI is involved  and,
    if so,  have it logged in the CBIO;

    Ensures that necessary paperwork is submitted in accordance
    with 40 CFR, Part 2, Subpart B, to enable Office of General
    Counsel (OGC)  to make a final determination as to whether
    information that has been received is entitled to
    confidential treatment;

    Authorizes necessary reproduction of CBI and ensure that CBI
    is reproduced only under the supervision of the OAQPS DCO as
    described in Section IV-J;

    Ensures that memos, notes and reports from telephone
    conversations, visits, inspections, or tests are protected
    as CBI and filed in the CBIO until a determination is made
    regarding the status;

    Ensures that CBI is not used in publications or improperly
    released in any document;

-------
•    Initiates the process for destruction and disposal of CBI
     material;

•    Ensures that CBI to be transferred or mailed is processed by
     the CBIO for proper wrapping and disposition;

•    Ensures that any CBI received associated with his/her
     project is logged by the OAQPS CBIO;

•    Authorizes contractor to return CAA CBI files to the OAQPS
     CBIO at the end of a work assignment  or when the information
     is no longer required to be maintained at contractor
     facilities;

•    Provides assistance to the OAQPS DCO  in determining the
     status of returned CBI materials from the contractor; and

•    Reports cases of wrongful disclosure  or possible compromise
     of CAA CBI to the responsible Group Leader and OAQPS DCO,
     and cooperate with investigations conducted under the OAQPS
     CAA CBI security program.

     9.    Employees

          Contractor/subcontractor and Federal, State and Local
employees are responsible for the following:

•    Complies with all applicable procedures in this manual;

•    Complies with all CBI procedures set  forth in the applicable
     contract;

•    Maintains possession of CBI until returned to the CBIO;

•    Stores CAA CBI in the CBIO only;

•    Discusses CBI only with authorized persons;

•    Ensures that any CBI received directly is sent immediately
     to the OAQPS CBIO for storage and proper logging;

•    Ensures that CBI is not used in publications or improperly
     released in any document;

-------
•    Reports alleged violations of security procedures to the
     OAQPS DCO immediately; and

•    Ensures that memos, notes, and reports concerning CBI
     obtained from telephone conversations, visits, inspections,
     inquiries,  or tests are protected as CBI, logged and stored
     in the CBIO.

     10.  Contractor Document Control Officers

          Contractor's management must nominate a Contractor
Document Control Officer (CDCO) and a Contractor Document Control
Assistant (CDCA).  Before OAQPS recognizes them as CDCOs, they
must be properly trained and required paperwork on file at OAQPS.
The CDCO controls the receipt,  storage, and handling of CAA C3I
by employees in their facilities and manages a document tracking
system.

          a.   CDCO responsibilities include:

•    Serves as the principal contact for OAQPS regarding the
     security and control of CAA CBI;

•    Provides security plan for safeguarding CAA CBI;

•    Maintains a secure CBI facility;

•    Conducts CAA CBI briefings (including testing) for all
     contractor employees authorized to handle or access CAA CTBI ;

•    Obtains signed Authorization for Access  to CAA CBI for
     Contractor Employees,  CAA CBI Form 3  (Appendix B) from each
     contractor employee who will have access to CAA CBI before
     the employee is granted access.  The original of this
     completed form shall be forwarded to the OAQPS DCO.

•    Conducts annual briefings and testing in support of the
     OAQPS CAA CBI education and training program.

•    Inspects facilities and review CAA CBI procedures of
     subcontractors and obtain OAQPS's approval.  The OAQPS DCO
     shall accompany the CDCO on inspections.
                                10

-------
Maintains a list of contractor employees who are authorized
to access CAA CBI including administrative or computer
support,  or as designated by the OAQPS Group Leader as
having a need-to-know specific CAA CBI to perform their
work.

Releases CAA CBI only to authorized persons;

Reviews and update access lists continuously of contractor
employees and notify the OAQPS DCO immediately of any
changes;

Submits updated access lists to the OAQPS DCO monthly;

Provides guidance, technical assistance and administrative
support to contractor employees on all matters concerning
CAA CBI security;

Establishes, maintains, and controls a CAA CBI file system
(including disposition) in compliance with OAQPS' CAA CBI
Records Management procedures;

Logs in and out all CAA CBI documents, summaries,
tabulations, and materials to users,-

Maintains a CAA CBI document retrieval system;

Ensures all CAA CBI is properly stored when not in use;

Ensures CAA CBI is properly wrapped, marked and transferred;

Maintains an inventory of all CAA CBI, conduct periodic
audits, and submit inventory annually to the OAQPS DCO;

Destroys drafts and working papers as authorized by the
OAQPS DCO or project lead;

Maintains in a secure location a record of combinations of
all locks, safes, and cabinets that contain CAA CBI, and
ensure combinations are changed annually, or whenever anyone
who knows the combination terminates or transfers
employment;
                           11

-------
     Reports alleged violations of contractor security procedures
     immediately to contractor management and the OAQPS DCO; and

     Obtains a signed Confidential Agreement for Contractor
     Employees Upon Relinquishing CAA CBI Access Authority, CAA
     CBI Form 5 (Appendix B)  for any employee who terminates
     employment or transfers to a position not requiring access
     to CAA CBI.   One copy of this completed form shall be
     forwarded to the OAQPS DCO.
      Whenever CDCOs terminate their employment or relinquish
 their responsibilities, an inventory of CAA CBI materials must
 be performed within 30 days of their departure.
          Jb.   Contractor Document Control Assistant

          The Contractor Document Control Assistant (CDCA) will
perform the aforementioned CDCO responsibilities in the absence
of the CDCO.
                                12

-------
                        SECTION II.
                EDUCATION  AND  TRAINING
A.   OVERVIEW

     The OAQPS Confidential Business Information (CBI)  education
and training program is implemented by the OAQPS DCO.   Group
Leaders and contractor management must arrange for  employees to
be available for briefings in support of the OAQPS  CAA CBI
program.  Designated employees must meet all requirements of the
program to obtain and maintain authorization to access CAA  CBI.

B.   INITIAL BRIEFING

     All access designees shall:

     1.   read this manual;

     2.   receive a briefing on the responsibilities and
          procedures for proper handling of CAA CBI; and

     3.   pass a competency test  at the end of the  briefing.

After receiving the briefing and passing the competency test,
each employee will sign an Authorization for Access to CAA  CBI
for Federal Employees, CAA CBI Form 2 or CAA CBI Form 3 for
contractors  (Appendix A).   Employees may then be nominated  and
approved for access to specific CAA CBI and their name placed on
the authorized project access list.

C.   ANNUAL BRIEFING

     Federal and contractor employees approved for  CAA CBI  access
must maintain their access authority by attending an annual
security briefing and passing a written test.  Annual  briefings
will be given in the month of employee's initial access.
Employees who fail to attend their last annual briefing will be
given an opportunity to attend other scheduled briefings.   If
they fail to attend a makeup session, within 3 months  of expired
                                13

-------
access, their names will be removed from the OAQPS CAA CBI
Authorized Access List.

     The OAQPS DCO will notify the Group Leader of the
suspension.  If the employee fails to attend the next scheduled
briefing within 30 days of the suspension notice,  the employee
must relinquish authorized access to CAA CBI.  The employee must
return all CBI materials which they may have in their possession
to the CBIO and sign a Confidential Agreement for U.S. Employees
Upon Relinquishing CAA CBI Access Authority, CAA CBI Form 4
(Appendix C)  or CAA CBI Form 5 for contractors (Appendix B).  If
access to CAA CBI is relinquished, the Group Leader must
renominate the employee to access CAA CBI, direct the employee to
attend a briefing, and obtain authorization to access CAA CBI by
completing CAA Form 2.

D.   TERMINAL BRIEFING

      All employees who have been granted access to CAA CBI shall
receive a terminal briefing and sign a Confidential Agreement for
U.S. Employees Upon Relinquishing CAA CBI Access Authorized, CAA
CBI Form 4 or CAA CBI Form 5  (contractors) when they terminate
their employment or transfer to a position in which CAA CBI
access is not required.
                                14

-------
                       SECTION III.

             ACCESS TO  SPECIFIC CAA CBI

A.   OVERVIEW

     This section describes policies  and procedures for allowing
access to Confidential Business Information (CBI)  and for
dissemination of CAA CBI to OAQPS contractors.

B.   GENERAL ACCESS REQUIREMENTS

     No person has a right of access  to CBI by virtue of
organizational title or position alone.  A person must also have
a need-to-know specific CBI before access is granted.  There is a
responsibility to the organization providing CAA CBI to protect
its information and a parallel responsibility of OAQPS employees
and contractors to minimize their liability.

C.   FEDERAL EMPLOYEE  ACCESS

     Care in granting access to CBI is important in ensuring a
secure CBI system.  A secure CBI system requires the continuous
updating of the employee Authorization Access List (AAL)  ensuring
attendance of yearly briefings,  and the continuous updating the
specific Project AAL to reflect current employee work
assignments.

     1.    Procedures

          Upon determining that an OAQPS employee needs access to
CAA CBI, Group Leaders refer those employees to the OAQPS DCO.
The employee attends an initial OAQPS CAA CBI security briefing.
After passing the written test  (as explained in Section II,
Education and Training),  the employee and OAQPS DCO sign an
Authorization for Access to CAA CBI for Federal Employees,  CAA
CBI Form 2 (Appendix A).   The form is then forwarded to the
responsible Division Director for signature and final approval.
Approved forms are returned to the CBIO for filing.   See Figure 1
for steps in obtaining access to CAA  CBI.
                               15

-------
Steps for Obtaining Access to CAA CBI
         GROUP LEADER NOMINATES
              Employee Needing Access
            EMPLOYEE ATTENDS
                 CBI Briefings
             EMPLOYEE PASSES
                  Written Test
             EMPLOYEE SIGNS
              Confidentiality Agreement
            DIVISION DIRECTOR
             Approves Employee Access
        GROUP LEADER DESIGNATES
               Access to Specific CBI
           CBI OFFICE MAINTAINS
              Authorized Access Lists
                 Figure 1
                     16

-------
          In addition, the responsible Group Leaders must
designate and approve employees who have a need-to-know for
specific CAA CBI in order to access individual projects by
submitting an authorization (memo) to the OAQPS DCO  (Figures 2
and 3).   The authorization may include OAQPS and contractor
personnel who require access to specific projects containing CAA
CBI .

** NOTE:  Approval of CAA Form 2 does not automatically allow
          access to all individual projects. **

          Administrative support personnel, DCOs, and DCAs,
CDCOs,  CDCAs etc. may obtain administrative access to CAA CBI to
provide typing,  word processing, supervised reproduction,
courier, and document handling support of CAA CBI.   This access
may be granted upon nomination, attendance of briefing and
passing written test and does not require designation by Group
Leaders to access specific CBI.

          Federal or contractor employees who require on-line
access to a computer system or database containing CAA CBI must
complete a Computer Request, Approval, and Registration for CAA
CBI Computer Access, CAA CBI Form 10  (Appendix G),  and notify the
DCO.   See Section X, CAA CBI Computer Security.

          Other EPA employees  (outside of OAQPS), who have a
need-to-know specific CAA CBI may request OAQPS CAA CBI access
authority.  An Authorization for Access to CAA CBI for Federal
Employees, CAA CBI Form 2 (Appendix A) must be requested from the
OAQPS CBIO, completed and returned.  In addition to completion of
this  form, the requested CAA CBI and the OAQPS WAM/TOPO
responsible for that CBI must be identified. Upon approval by the
responsible OAQPS Group Leader and the requestors management
(equivalent to the Director or higher),  the employee may access
the material as outlined in Section VIII. The WAM/TOPO verifies
CAA CBI to be transferred, and the OAQPS DCO will properly
package and transfer materials.
     2.    Authorized Access Lists

          Upon receiving approval to access CAA CBI, the employee
name(s)  is placed on the OAQPS CAA CBI Authorized Access List.

                                17

-------
                                EXAMPLE
MEMORANDUM

SUBJECT:   Confidential Business Information (CBI) Access

FROM:      (Name of Group Leader)
            (Name of Group)

TO:         Melva Toomer, OAQPS Document Control Officer

      This memorandum is to request that the following personnel name(s) be removed from
the CAA CBI authorized access list for the (name of the project), (ESD Project # or CBI #).

      (Name(s) of individuals including affiliation)

      Also, please add (name(s) of to the CBI authorized access list for the (name of project,
etc.). Description of material: Any material received as a result of developing the NESHAP for
(name ofindustiy or NESHAP).

      (List name(s) and affiliation)
                                  Figure 2
                                        18

-------
                                 Example
MEMORANDUM

SUBJECT:   Authorization for Access to CAA CBI Files

FROM:      (Name of Group Leader)
            (Group Name, Mail Drop)

TO:         Melva Toomer, OAQPS DCO
            PRRMS, CBIO, MD-11

ESD Project No & Title:    97/06 - Cellulose Production MACT
                        97/14 - Leather Tanning & Finishing MACT

      This memorandum is to request that the following individual(s) name(s) be added to the
access list for CAA CBI information collected for the (name of project and project #}.

97/06:       (List names including OAQPS and contractor personnel)

97/14:       (List names including OAQPS and contractor personnel)
                                 Figure 3
                                      19

-------
When the Group Leader designates an employee for access to
specific CBI, the name is placed on the OAQPS Authorized Project
Access List.  These access lists are used as a reference to
determine whether an individual is currently authorized to access
CAA CBI and what specific CBI they are authorized to access on a
need-to-know basis.

          The OAQPS DCO provides Group Leaders with both access
lists on a regular basis to determine whether any names of
employees within their jurisdiction should be added or deleted.
Group Leaders confirm the names listed or make appropriate
changes, if assignments are shifted or employment terminated, and
return the list to the OAQPS DCO to use in updating the
"official" OAQPS CAA CBI access lists.

D.   WITHDRAWAL OF CLEARANCE

     CAA CBI clearances are withdrawn as a result of a Federal or
contractor employee no longer having a need to access CAA CBI .

     1.    Periodic Review

          All CAA CBI accesses will be reviewed periodically to
minimize the number of people authorized access.  A Group Leader
may determine that a currently cleared Federal or contractor
employee no longer requires access to specific CAA CBI for the
performance of official duties and obligations.  Should that
happen,  access is withdrawn.

     2.    Removal From Access Lists

          The name of employees who no longer need access to CAA
CBI is removed from the OAQPS CAA CBI access lists.  Access is
terminated under the following circumstances:

•    termination of employment;

•    termination of duties requiring access to CBI; and

•    failure to attend the yearly briefing and pass the written
     test explained in Section II, Education and Training.
                                20

-------
E.   CONTRACTOR  EMPLOYEE ACCESS

     1.    Prerequisite

     The respective program Project Officers shall notify the
OAQPS DCO immediately upon determining that a prospective
contract may require that contractors be granted access to CAA
CBI.   The following information must be furnished:

•    The name of the prospective contractors and the location of
     the contractor's facility.

•    A copy of the Federal Register notification for contractor
     access to CAA CBI collected under the specific contract,
     including the contract number.

•    A copy of the statement of work.

•    Whether the contractor's facility is to receive and store
     CBI under the contract.

     2.    Conditions

          Contractors may not receive access to CAA CBI until the
contractor meets the following conditions:

•    Obtain OAQPS approval for access to CAA CBI;

•    Prepare and have OAQPS approve a security plan;

•    Have the contractor site inspected and approved by OAQPS;

•    Nominate and train a Contractor Document Control Officer
      (CDO),  and a Contractor Document Control Assistant (CDCA)
     acceptable to OAQPS; and

•    Obtain OAQPS approval from responsible Group Leader for
     access to specific CAA CBI for each contractor employee
     required to work with CAA CBI.
                                21

-------
     3.    Obtaining Approval

          When access to CAA CBI is necessary, the contractor
must complete a Request for Approval of Contractor Access  to CAA
CBI, CAA CBI From 11, (Appendix H).   The form must explain the
reasons CAA CBI access is necessary under the contract.  The
OAQPS WAM/TOPO must forward the form and Contractor Information
Sheet, CAA CBI Form lla, (Appendix H)  to his/her Division
Director,  who will sign the form as the requesting official arid
forward it and the information sheet to the OAQPS DCO  for revi.ew.
The OAQPS DCO will then forward the form and the information
sheet to the PRRMS Director for final approval.

          After the above prerequisites and conditions for
contractor access have been met, the OAQPS WAM/TOPO confers with
contractor officials to determine which work assignments or task
orders,  and which employees will require access to CAA CBI.  Upon
receiving the requirements for contractor employee access to CAA
CBI, the CDCO will have the designated employee(s) attend an
initial briefing, pass a written test, obtain signatures on the
Authorization for Access to CAA CBI for Contractor Employees, CAA
CBI Form 3,  (Appendix A).   The contractor employee names are then
submitted to the OAQPS DCO to be included on the OAQPS authorized
access list.  Employees requiring access to computerized CAA CBI
must also complete a .Request, Approval and Registration for CAA
CBI Computer Access, CAA CBI Form 10,  (Appendix G).   The
originals of these forms are also forwarded to the OAQPS DCO for
the record.  See Figures 4 and 5, Contractor Steps for Obtaining
Contractor Access to CAA CBI, and Contractor Request for Specific
CAA CBI Access.

     4.    Security Plan

          The contractor must prepare and OAQPS must approve a
security plan for access to CAA CBI at a location away from trie
OAQPS headquarters facilities.  Security plans must describe
physical security mechanisms at the contractor's site  and
procedures to be followed by employees when handling CAA CBI at
the site.
                                22

-------
                  Contractor
Steps for Obtaining Access to CAA CBI
              Obtain Approval from Director
              PRRMS to Access CAA CBI
              Prepare & Submit an Adequate
                    Security Plan
              Pass OAQPS Inspection of Site
              Nominate & Obtain Approval
               of Contractor Employees to
               Serve as CDCO and CDCA
              CDCO Brief & Test Employees
                 on Security Procedures
                Submit Name(s) & Obtain
               Approval for Individual(s) to
                  Access Specific CBI
                     Figure 4
                        23

-------
                              EXAMPLE
   CONTRACTOR REQUEST FOR ACCESS TO SPECIFIC
                                CAA CBI


Date:        June 23, 1998

Subject:      Access Request to Clean Air Act Confidential Business Information
            Contract No:	
            Work Assignment No:	 (or Title of Project)
            BSD Project No:

From:       (Name of Requestor)
            Contract Document Control Officer
            (Name of company)

To:         Melva Toomer, OAQPS DCO
            OAQPS, PRRMS/CBIO, MD-11

      (Name of individual(s)) have been assigned to work on the referenced project, and their
work will require them to access confidential business information (CBI) that has been collected
under the Clean Air Act (CAA). The mentioned (name of company) personnel have been trained
and are authorized to access CAA CBI.
Approved by:
    (WAM/TOPO)        Date                       (Group Leader)     Date
                                Figure 5
                                     24

-------
          The procedures described within this manual and the
OAQPS forms in the appendices are intended to serve as guidelines
for the preparation of contractor security plans and need not be
incorporated verbatim in the plans.   However, contractor security
plans must equal or surpass the security standards described in
this manual.

          The following is an outline of a Security Plan.

•    CDCO responsibilities

•    Access procedures

•    Accountability system

•    Pending file system

•    CAA CBI storage

•    CAA CBI transfers

•    CAA CBI safeguards (including disaster prevention,
     preparedness, and recovery plan)

•    Security violations

•    Education and training

•    Computer security  (if applicable)

     The OAQPS DCO is responsible for reviewing contractor
security plans,  discussing any perceived deficiencies with the
OAQPS PO and the contractor, and sending a memorandum through the
PO to the contractor either approving or disapproving the
security plan.  In addition, the OAQPS DCO must inspect and
approve contractor facilities before CAA CBI can be received or
stored.  All facilities authorized for CAA CBI access are
inspected by OAQPS on an annual basis.  If during an inspection
or review of the security plan, only minor problems are noted,
the OAQPS DCO will work with the contractor to correct them.  If
there are major deficiencies, the contractor may be given 30 days
to correct the deficiencies.  The contractor shall conduct
periodic internal audits of its facilities, employees, and the

                                25

-------
CAA CBI security system to ensure compliance with its security
plan.   Records of such audits will be available upon request.

     5.   Contractor DCO/DCA Requirement

          Prior to the commencement of access to CAA CBI,
contractor management must nominate contractor employees who will
serve as CDCO/CDCA and obtain approval by OAQPS.   The CDCO/CDCA
must be trained in proper CAA CBI handling procedures prior to
being assigned to their positions.  The OAQPS CAA CBI Security
Manual is provided,  and the CDCO/CDCA may attend a CAA CBI
briefing offered by the OAQPS DCO.  The requirement that a CDCO
be assigned before actual access may begin applies even if access
to CAA CBI under the contract is limited to the OAQPS
headquarters facilities.  The CDCO serves as the liaison betwsen
OAQPS and the contractor on issues relating to CAA CBI and plays
important roles in requesting and maintaining access
authorization for individual contractor employees and in handling
CBI.  The CDCA is a back-up for the CDCO.

     6.   Completion of Contracts, Work Assignments, or Task
          Orders

          Upon completion of the contract, work assignment, or
task order, the CDCO must inventory all CBI materials and report
the results to the OAQPS DCO.  Within 30 days of completion, the
contractor must collect all CBI materials and document control
materials, including logs and control records  (see Section VIII)
and transfer them to the OAQPS DCO.  The OAQPS DCO will inventory
the materials, the WAM/TOPO will review the materials, determine
status, and initiate process for proper disposition of returned
CAA CBI materials.

     7.   Authorized Access Lists

          The contractor must maintain CAA CBI Authorized Access
Lists:  names of individuals with CAA CBI access including test
date and specific project access authorization, and submit an
updated list to the OAQPS DCO monthly.  The list is used to
ensure that only individuals with current CAA CBI access
authority obtain materials from the CDCO.
                                26

-------
     8.    Withdrawal of Access

          When a contractor employee no longer requires access to
CAA CBI,  the CDCO will have the employee sign a Confidential
Agreement for Contractor Employees Upon Relinquishing CAA CBI
Access,  CAA CBI Form 5, (Appendix B).   Remove their name from the
authorized access lists, notify the OAQPS DCO of the deletion,
and forward a copy of CAA CBI Form 5 to the OAQPS DCO.

F.   SUBCONTRACTOR/CONSULTANT ACCESS

     The program PO is responsible for notifying the public and
affected business of all subcontractors who require access to CAA
CBI collected under the respective contracts.  If this
information is known at the beginning of the contract,  a Federal
Register notice must be published according to the guidelines as
specified in the Clean Air Act.

     The prime contractor is responsible for notifying  OAQPS of
all subcontractors or consultants being used prior to releasing
any CAA CBI to them.  This also includes subcontractors or
consultants accompanying the prime contractor or EPA staff on
site visits.  Figure 6, is a sample letter that must be prepared
and sent to affected businesses notifying them of who will have
access to their information submitted to OAQPS.  A ten  day
waiting period must be allowed before CAA CBI is disclosed to the
subcontractor/consultant.
                                27

-------
                                     SAMPLE
Name of Recipient
Title of Recipient
Recipient's Address

Dear Mr./Ms. (Recipient's Last Name):

       The United States Environmental Protection Agency has authorized the following
subcontractor to access information that has been, or will be, submitted to the EPA under section
114 of the Clean Air Act (CAA) as amended: list name and address of subcontractor/consultant.
Some of this information may be claimed to be confidential business information (CBI) by the
submitter. This subcontractor will be providing support to the EPA under contract (list contract
number).  The prime contractor on this contract is (list name and address of the prime
contractor).  Under the direction of the prime contractor, this subcontractor will provide
technical support to the Office  of Air Quality Planning and Standards (OAQPS) in developing
Federal Air Pollution Control Regulations.

       The EPA is issuing this notice to inform all submitters of information under section 114
of the CAA that the EPA may provide the above mentioned subcontractor access to these
materials on a need-to-know basis.  Notification of the prime contractor's potential access to CBI
was done through a previous Federal Register notice.

       In accordance with 40 CFR 2.30l(h), the EPA has determined that the above
subcontractor requires access to CBI submitted to the EPA under sections 112 and 114 of the
CAA in order to perform work satisfactorily under the above noted contract. The subcontractor's
personnel will be given access  to information submitted under section 114 of the CAA. The
subcontractor's personnel will  be required to sign nondisclosure agreements and will receive
training on appropriate security procedures  before they are permitted access to CBI. The above
subcontractor's clearance for access to CAA CBI is scheduled to expire on September 30, 2001.
                                      Figure 6
                                          28

-------
      Please provide any comments regarding the above subcontractor's access to CBI
submitted by your company within ten working days of your receipt of this letter.  Comments
should be submitted to Melva Toomer, Document Control Officer, Office of Air Quality
Planning and Standards (MD-11), U.S. Environmental Protection Agency, Research Triangle
Park, North Carolina 27711, (919) 541-0880.

                                      Sincerely,
                                      Name ofTOPO/WAM
                                      Emission Standards Division

cc:    Melva Toomer (MD-11)
      leva Spons (MD-11)
      Tim Watkins I Carolyn Wigington, Project Officer (MD-13)
                             Figure 6 (continued)
                                        29

-------
                        SECTION IV.
          RECORDS  MANAGEMENT FOR CAA CBI

A.   OVERVIEW

     This section describes how Confidential Business Information
 (CBI) either originated by OAQPS or its contractors  as derivative
CBI or received as original CBI is identified,  protected,  logged,
controlled,  and managed.
     When any OAQPS employee or contractor employee receives or
 otherwise obtains material containing or suspected of
 containing CBI, they shall deliver those materials immediately
 to the CBI office for proper logging and storage.
B.   INTENT

     The OAQPS CAA CBI Records Management System must be able to
trace the movement of CBI,  identify the persons with authorized
access to it,  detect its misplacement and make prompt retrieval
possible.  The OAQPS CAA CBI Records Management System ensures
these objectives are accomplished by the maintaining of
authorized access lists, assigning unique numerical identifiers
(CBI control numbers) to each document,  maintaining an automated
inventory of all documents  submitted/logged into the system,  and
by monitoring the movement  of CBI through manual or automated
logs, records of receipt,  usage,  and transmission.   All material
submitted to OAQPS and all  material generated at OAQPS containing
information claimed to be CBI are controlled through the OAQPS
CAA CBI Records Management  System.

C.   OAQPS CAA  CBI RECORDS MANAGEMENT SYSTEM

     The foundation of the  OAQPS  CAA CBI Records Management
System includes the following basic items:

•    Automated database (all CBI  re: TSCA,  CWA,  RCRA,  FIFRA,
     etc. )
•    Control Records (for each item in the system)
•    Custody Receipts (for  transfer of material)
                               30

-------
•    Cover Sheets (for document protection/identification)
•    Destruction and Declassification Logs
•    Pending Log (for new material)
•    Inventory (by project,  WAM/TOPO,  disposition, etc.)
•    Employee Authorized Access List
•    Project Authorized Access List

     1.    OAOPS CAA CBI Automated Tracking System

          An automated database is used to record pertinent
information about CAA CBI materials filed in the CBIO, persons
authorized to access specific CAA CBI,  and contains the following
information.

•    Date received
•    Date of document
•    Number of copies
•    CBI control number
•    Project name
•    Document description
•    Provider identification
•    Transfer information
•    Destruction record
•    Authorized access clearances

          Various reports may be generated on a routine basis or
when requested by management.   They are:

•    Complete inventory of all CBI documents including
     disposition (pending, permanent inventory, destruction,
     declassification, etc.);
•    Listing by specific regulating Acts;
•    Listing by specific CBI projects;
•    Listing of documents assigned to individual WAMs ,• and
•    Listings of authorized personnel (EPA and contractors).

          The CAA CBI database is continuously updated and  allows
the OAQPS DCO to determine the disposition of documents, retrieve
documents in a timely manner,  and to generate an accurate up-to-
date inventory on a monthly basis or when requested.
                                31

-------
     2.   CAA CBI Control Record

          CAA CBI Control Record, CAA Form 1  (Appendix J) is
placed in each CAA CBI file as a permanent record of authorized
personnel access.  It also contains reproduction, transfer,
declassification, destruction, and any other pertinent
information about the document.  The Control Record facilitates
timely and accurate accounting for CAA CBI material during the
work day.  Each user of CAA CBI must sign and date the Control
Record each time access is granted to a CBI document.

          The Control Record is extracted from the file and
retained by the OAQPS CBIO or contractor CBIO as a receipt for
the material while it is checked out.  It is signed and dated by
the OAQPS DCO or CDCO upon the return of the CBI material and
filed in the appropriate folder.

          When a CAA CBI document is declassified or destroyed,
the CAA CBI Control Record or register must be retained for a
period of two-years after the completion of a project or until
the specific CAA CBI project file has been reconciled.

     3.   Cover Sheets

          A CAA CBI Cover Sheet, CAA Forms 8 and 9 (Appendix F)
is a yellow sheet of paper inscribed with a claim of
confidentiality and handling instructions.  The Cover Sheet
conceals the front of each document and should not be removed.

     4.   Custody Receipts

          CBI Custody Receipts are discussed in Section VIII,
Transferring Custody of CAA CBI.

     5.   Pending Log

          The CAA CBI Pending Log, CAA CBI Form 13 (Appendix I)
is used to account for all CBI materials upon initial receipt
pending a decision by the appropriate personnel.  The WAM/TOPO
will review submitted materials and remove any nonCBI (as
appropriate)  and, verify the accuracy of information contained
within.   After review of the materials and the confidentiality
is determined,  the documents are logged into the OAQPS CAA CBI

                                32

-------
Inventory.  WAMs/TOPOs are contacted every 30 days to determine
the status of materials stored as pending and to solicit further
instructions concerning the disposition of these materials.

     CDCO shall contacr their employees to determine the status
of materials with a pending disposition and solicit further
instructions concerning materials if there has been no action
within the preceding 30 days.

     6.    Inventory

          The OAQPS CAA CBI Inventory Log, CAA CBI Form 12
(Appendix I),  is also maintained by the OAQPS DCO.   This
inventory must have an accurate nonCBI description of each
document.  The inventory log includes the following information:

•    Date received
•    CBI control number (OAQPS & contractor)
•    Provider's name and address
•    Name of project or work assignment
•    Description of materials (number of copies, pages, etc.)
•    Date of document
•    Disposition status
•    Inventory date

          It identifies all CBI material for which OAQPS is
accountable; An inventory of CBI material is conducted at least
once a year, during which time each CBI file is reviewed and
purged of unneeded materials with the assistance of the WAM/TOPO.

D.   OBTAINING  CBI DOCUMENTS

     Employees and contractors who are authorized access to
specific CAA CBI may obtain CBI materials from the OAQPS CBIO
from 7:30 a.m. to 5:00 p.m., Monday through Thursday, and Fridays
from 7:30 a.m. to 3:30 p.m.  The OAQPS DCO verifies that the
employee is authorized access to the requested CBI.  Employees
must sign the OAQPS CBI Control Record upon receipt of the
document and safeguard CBI materials while in their possession.
Any time an employee relinquishes physical custody of the CAA CBI
(lunch or at the end of the day), he/she must obtain a release of
responsibility for the document by having the DCO sign and date
the Control Record.  (Direct transfer of CAA CBI materials

                                33

-------
between employees is not permitted).   CBI materials are
transferred only through CBI offices or DCOs.

E.   OAOPS CAA  CBI DOCUMENT CONTROL NUMBERS

     The OAQPS DCO assigns an individual control number to each
CAA CBI document.  The number consists of a least ten digits
(e.g., 94111-C02-09).   The first five digits are the fiscal year
and project identification numbers;  first two numbers are the
fiscal year the document was initially received and next three
numbers are assigned for each specific project  (e.g., 94111); the
next three digits identify the responsible and WAM/TOPO (e.g.,
C03); and the last digit refers to the number of documents
received by CBIO for a specific project.  The OAQPS CBI control
number is placed on the cover sheet,  the first page, and on the
back of the last sheet or back cover of the document.  The number
is also placed on the custody receipts and folders  for
identification purposes.

F.   CREATING CBI DOCUMENTS
      All CBI and pending CBI documents generated by OAQPS will
 be treated and protected as such until a CBI determination has
 been made by the responsible Group Leader,  providing
 organization (affected business)  or OGC.
     Documents and other materials generated by OAQPS or its
contractors that contain information from CBI documents are
usually CBI themselves.

     1.    Working Papers

          Newly created CBI is at first in the form of working
papers pending the creation of new CBI documents.   The category
of CAA CBI working papers includes materials such as notes and
outlines; initial drafts of documents; computations, drawings,
and diagrams; and pending documents.  Working papers are labeled
as PENDING CBI, provided a OAQPS CAA CBI Control Record and Cover
Sheet, secured in the CBIO, and otherwise used and handled like
any other CBI document except they are labeled pending until the
disposition is determined.  After the document has been deemed as
confidential, the status is changed to permanent and maintained

                                34

-------
according to OAQPS records management policies governing CAA CBI.

     2.    Typing/Word Processing Requirements

          The author of a CAA CBI document may provide the
document to a typist who is authorized access CAA CBI.   The
typist must return to the author the newly typed materials and
the original draft when typing is completed.  All materials used
in typing documents containing CAA CBI,  including word processing
disks, ribbons,  carbons, and waste paper must be treated as CBI
and submitted to the CBIO for storage or destruction.

          The typist should not use the Local Area Network (LAN)
for preparation or storage of CAA CBI documents.  Documents are
to be prepared using the local version of the word processing
program on the hard drive of the personal computer vs.  the LAN
version.  Data,  reports, etc., must be stored on a floppy
diskette and submitted to the CBIO for proper logging and
storage.  Turn off the printer after printing the newly created
CBI document to ensure that all CBI is removed from the buffer of
the printer.

     3 .    Use in Meetings

          The author of a CAA CBI document may circulate copies
of the document at a meeting for discussion, if the author:

•    Notifies the OAQPS DCO, and has the document reproduced by
     the OAQPS DCO;

•    Attends the meeting and is present when the document is
     discussed;

•    Collects all copies of the document at the end of the
     meeting; and

•    Submits all copies of the document for destruction to the
     OAQPS CBIO after the meeting.

          The OAQPS DCO must number the copies i.e., 1 of 6,  2 of
6 and number the pages and ensure that every page of each copy is
returned at the end of the meeting.  All other procedures for
general access and meetings  (Section V.E, CBI Disclosed at

                                35

-------
Meetings General Requirements)  must be followed when CAA CBI
materials are circulated at meetings.

G.   CREATING NONCBI  DOCUMENTS

     Materials produced from CAA CBI need not be confidential.
Nonconfidential documents may be produced by deleting CBI from an
existing document or by masking or aggregating the CBI so that it
cannot be linked to its source.

     1.    Deleting or Replacing CBI

          CAA CBI can be replaced in a document with nonCBI data
or generic descriptive terms data or terms derived from CBI data
but that are not themselves CBI.

     2.    Masking or Aggregating CBI

          Group Leaders must be consulted in advance by authors
who wish to produce nonconfidential documents by masking or
aggregating CBI.   Group Leaders shall also review all submissions
of masked and aggregate material to ensure that no CBI is exposed
and approve the final nonCBI version.

     3.    Dropping CBI Claim

          NonCBI documents can also be created from information
submitted by a providing organization which drops its claim of
confidentiality,  or for which EPA determines that the claim is
not valid.

     In all instances, the WAM/TOPO is responsible for ensuring
that documents contain no CBI.   Materials produced using CBI must
be treated as CBI until a determination is made by the Group
Leader or providing organization.
                                36

-------
H.   RELINQUISHING OF CAA CBI STATUS

     1.   Original CAA CBI

          If a providing organization relinquishes its claim of
confidentiality for original CBI, the WAM/TOPO must obtain a
written statement from the provider before the information can be
released to the public. Any original CAA CBI no longer needed by
OAQPS is destroyed or returned to the business firm.

     2.   CBI Created by OAOPS

          Documents created by OAQPS such as: site surveys,  test
reports, telephone conversations, and meeting minutes are
forwarded to the affected business (providing organization)  for
review of accuracy and confidentiality by the responsible Group
Leader.  The responsible industry official is requested by cover
letter to review the report, clearly mark any information
considered to be confidential,  and return the marked-up report
within the specified timeframe.   The original is kept in the CBIO
with a "pending" disposition until the marked copy is returned by
the business firm.  When the reviewed, marked-up copy of the
report is returned, OAQPS will have the option of:

•    protecting the whole document as CBI;
•    creating a nonCBI version with all CBI removed by
     aggregating or masking, and maintaining a complete CBI
     version;
•    creating a CBI addendum when indicated CBI is at a minimum;
     or
•    challenging the validity of the business'  claim through OGC.
      All revised final CBI documents must be submitted to the
 providing organization for review before release to the public
     If the report is determined to be accurate and
     nonconfidential,  the business firm will so note,  or not
     respond  by the requested date.
                                37

-------
•    If the firm does not respond by the requested date,  the
     WAM/TOPO shall contact the providing organization and verify
     the claim; and provide a written response to the OAQPS CBIO
     for declassification or release purposes.

•    If the document has CBI status, it is placed in the OAQPS
     CBIO and logged into the OAQPS CAA CBI inventory.

I.   DETERMINING CLAIM TO VALIDITY

          To determine that a claim of confidentiality is valid,
EPA's Office of General Counsel (OGC) or an EPA Regional Counsel,
where appropriate, must render a final determination pursuant to
40 CFR, Part 2, Subpart B.  That determination is made based on a
review of the submitter's responses to substantiation questions.
If a claim is denied, the information may not be released for 30
days, during which time the providing organization may challenge
EPA's determination in a Federal District Court.

J.   REPRODUCTION

     This subsection details the procedures for controlling and
safeguarding CAA CBI reproduction or other copying.
      There is a risk of losing control over CBI whenever it is
 reproduced in hard copy and disseminated.  Copying of CAA CBI
 material is limited to the minimum extent possible.
     1.    CBI Material

          Group Leaders or WAM/TOPOs authorize the reproduction
of CAA CBI materials.  Only the DCO is authorized to make
reproductions.  The DCO enters additional copies of documents
into the OAQPS Records Management System and records the
distribution of reproduced copies.

     2.    Equipment

          Copy machines must be dedicated solely to CBI document
reproduction while CBI documents are being copied, and the OAQPS
DCO must directly supervise the machine while the CBI materials
                                38

-------
are being duplicated.  Only persons authorized access to the
specific CAA CBI being copied may be present while CBI materials
are being reproduced.  After copying is finished,  the operator
must pass three blank copies through the machine to ensure that
any impressions on the image surfaces of the machine have been
erased.

     3.   Broken Equipment

          If the equipment used for reproducing CAA CBI materials
has a malfunction while in use, the DCO must inspect the
machine's paper path and image surface to retrieve any materials
containing CBI that are caught in the equipment before the repair
person is called.

K.   CDCO RECORD MANAGEMENT RESPONSIBILITIES

     Contractor DCOs must comply with the aforementioned
requirements of this manual to ensure adequate safeguarding and
handling of CAA CBI documents.  CDCO may use sample CAA CBI Forms
or design own in-house forms as long as required OAQPS
information is available.

     1.   CAA CBI Control Numbers

          CDCOs may implement an internal CAA CBI  control
numbering system, but must cross-reference OAQPS CAA CBI Control
numbers on custody receipts, inventories, derivative CBI,
correspondence, etc. regarding specific CAA CBI.

     2.   CAA CBI Inventories

          CDCO must maintain an accurate nonCBI description of
each document and in a CAA CBI inventory  (see CAA CBI Form 12).
The CDCO shall conduct an inventory of all CAA CBI materials
stored at their facility at least once a year during which time
each CAA CBI file is reviewed.  A copy of the inventory files
shall be submitted to the OAQPS DCO.  Any CAA CBI  no longer
needed at their facility must be returned to OAQPS.
                                39

-------
     3.    Reproduction

          Copying of CAA CBI by contractors is limited to working
papers,  drafts of technical reports, drafts of trip reports,
meeting handouts, and similar temporary documents.  Copying must
be done under the direction and guidance of the CDCO.
                                40

-------
                         SECTION  V.
                 DISCLOSURE OF  CAACBI
A.   OVERVIEW

     This section discusses minimum procedures  required to  ensure
the security of Confidential Business Information (CBI)  during
authorized disclosures.
      The holder of CAA CBI (the person in possession of
 specific CBI) is responsible for protecting it from persons
 not authorized access to it.  CAA CBI shall not be left
 unattended; and when work with CBI materials is completed or
 suspended, all materials containing CAA CBI (originals,
 drafts, memos, and notes) shall be taken to the CBIO for
 storage.  Holders of CAA CBI shall not allow unauthorized
 persons to view CAA CBI materials nor shall holders discuss
 CAA CBI with persons not authorized access to it.
B.   DISCLOSURE TO OTHER FEDERAL,  STATE  OR LOCAL
     AGENCIES

     EPA regulations at 40 CFR Part 2 allow disclosure  of  CBI  to
another Federal or State agency in either of two circumstances:

•    When the official purpose for which the information is
     needed by the other agency is in connection with its  duties
     under any law for protection of health or the environment or
     for specific law enforcement purposes;  or

•    When disclosure is necessary to enable the other agency to
     perform a function on behalf of EPA.

In either circumstance, the PRRMS Director must be notified
immediately via the OAQPS DCO upon receipt of  a request for
documents or information requiring access to CAA CBI.   In
addition, the procedures described below must  be followed  before
CAA CBI may be disclosed to other agencies.   These procedures  do
                               41

-------
not apply to disclosure of CAA CBI to individual employees of
other agencies performing functions on behalf of OAQPS where
access is confined to OAQPS premises.

     EPA may disclose CAA CBI to other Federal,  State or Local
agencies upon the written request from the requestor.  Because of
the time needed for processing,  the written request should be
directed to the PRRMS Director at least 30 days prior to the time
access is needed.  The request must be signed by an official of
the other agency who is at least equivalent in authority to a
Division Director.  It should state specifically the information
to which access is requested.  The official purpose for which the
CAA. CBI is needed should be set forth in detail as well as any
other pertinent information,  such as previous efforts to obtain
the information.  The need must be in connection with the
agency's duties under a law for the protection of public health
or the environment or for a specific law enforcement purpose.

     OAQPS CAA CBI may be released to States or Local agencies
with the written permission from the submitter.   Also, it may be
possible to aggregate data or sanitize documents containing CAA
CBI without disclosing information claimed as CBI.

     NOTE:  TSCA and FIFRA CBI maintained in OAQPS (by OAQPS) may
not be disclosed to States.

     1.   Non-disclosure Agreement

          In addition, as part of its written request, the other
agency must agree in writing  (Appendix L) not to disclose further
any information designated as confidential unless it meets the
following conditions:

•    It has statutory authority both to compel production of the
     information and to make the proposed disclosure and, prior
     to the disclosure, it has furnished affected business with
     at least the same notice that EPA would provide under its
     regulations;

•    It has obtained the consent of each affected business to the
     proposed disclosure; and
                                42

-------
•    It has obtained a written statement from the EPA Office of
     General Counsel or an EPA Regional Counsel that disclosure
     of the information would be proper under EPA's regulations.

     2.   Notice to Affected Businesses

          When disclosure is requested by another agency, OAQPS
must give the affected businesses at least 10 calendar days
notice before granting access to the other agency.  Notice to the
affected businesses may be given by Federal Register,  letter sent
by registered mail  (return receipt requested),  or telegram and
must include.

•    The identity of the agency/contractor to which CBI is to be
     disclosed;

•    The official purpose for the access;

•    Whether access is authorized only on EPA premises or also at
     the other agency or contractor's facilities;

•    A non-confidential description of the specific information
     to be disclosed; and

•    The period of time for which access to the CBI is
     authorized.

     3.   Before Approval

          The PRRMS Director will notify the requesting official
of the other agency acknowledging receipt of the written request
and will direct issue of required notice to affected businesses.
The PRRMS Director will also notify the requesting official from
the other agency if approval is not granted.

     4.   Before Disclosure

          Before CAA CBI may be disclosed, the PRRMS Director
must notify the other agency that the information being disclosed
is classified as CAA CBI, that it was acquired under authority of
the CAA, and that any unauthorized disclosure of the information
may subject employees of the other agency to criminal  penalties
(Chapter 8, Information Security. IRM Policy Manual 2100).

                                43

-------
C.   DISCLOSURE TO EPA CONTRACTORS AND SUBCONTRACTORS

     EPA's regulations (40 CFR,  Part 2) allow disclosure of CAA
CBI to contractors and subcontractors when disclosure is
necessary to enable the contractor to perform work on a contract.
Notice to affected businesses must be given before CAA CBI is
disclosed to the contractor with the same requirements as
indicated above.  The initial notice is usually prepared by the
OAQPS PO and is published in the Federal Register notifying the
public and affected businesses of OAQPS contractors and
subcontractors who will have access to CBI collected under the
Clean Air Act.

D.   DISCUSSING CBI  ON THE TELEPHONE

     Federal and contractor employees with CAA CBI access may
discuss CAA CBI on the telephone with other individuals who are
authorized access to the specific CBI.  However,  caution must be
used because interception of telephone communications is an easy
means by which unauthorized persons may obtain CBI.

     The person initiating the discussion of CBI during a
telephone call is responsible for verifying that the other has
authorized access to the specific CAA CBI.  Access authority can
be confirmed by referring to the OAQPS CAA CBI Authorized Project
Access List.  Interoffice communication systems (i.e., speaker
phones) should not be used to discuss CAA CBI  if conversations
may be overheard by unauthorized persons.

     1.   Telephone Memorandum

          Federal and contractor employees shall complete a
telephone memorandum, Memorandum of CAA CBI Telephone
Conversation, CAA CBI Form 6 (Appendix C) for all telephone calls
in which CAA CBI is discussed.   Telephone memorandums must be
submitted to the CBIO for filing on the day of the call or the
following workday if the call was made after 4:00 p.m.

     2.   Telephone Calls With Providing Organizations

          OAQPS employees, contractors and subcontractors may
discuss CAA CBI from a. providing organization with an employee of
                                44

-------
that organization.  Before discussion begins, the employees must:

•    Verify the identity of the providing organization's employee
     with whom they are speaking;

•    Inform the providing organization's employee that the
     telephone lines are not secured;

•    Assure the providing organization's employee that a
     telephone discussion of CAA CBI with a Federal or contractor
     employee does not constitute a waiver of any claim of
     confidentiality; and

•    Inform the providing organization's employee that any
     further information provided in the telephone conversation
     claimed as confidential will be properly safeguarded.

E.   CAA  CBI DISCLOSED AT MEETINGS

     OAQPS offices or its contractors that host or convene any
meeting (conference, symposium, seminar, exhibit, convention,
scientific, or technical gathering) of two or more people, at
which CAA CBI is disclosed shall take appropriate security
measures.   The OAQPS DCO shall be informed that a meeting is
scheduled when CAA CBI materials must be reproduced for use at
the meeting.  Requirements include, but are not limited to, those
listed below.

     1.    Access

          All persons attending the meeting must be cleared for
access to the specific CBI being presented and be positively
identified before CBI is revealed.   If non-OAQPS personnel are
present, the meeting chairperson must provide a CAA CBI Meeting
Sign-In Sheet, CAA CBI Form 7  (Appendix D) as a meeting record.
The following information shall be recorded:  date, time, place,
chairperson, and subject.  All persons attending the meeting must
sign this sheet.  All sign-in sheets shall be delivered to the
CBIO by the close of business or the next business day after the
meeting.
                                45

-------
     2.   Chairperson's Duties

          The meeting chairperson is usually the person who
schedules and organizes the meeting.  The chairperson is
responsible for ensuring (by referring to the OAQPS CAA CBI
Authorized Access Lists) that only persons authorized access to
the specific CBI to be discussed at the meeting are in attendance
when the discussion involves CBI.  Non-cleared attendees must be
excused from the meeting by the chairperson before CAA CBI is
discussed.  The chairperson must also ensure that the meeting
room is cleared of all CAA CBI materials after the meeting.

     3.   Chairperson's Limitations

          WAM/TOPOs shall inform the chairperson of any
restrictions that must be imposed on a presentation because of
the CAA CBI or of need-to-know restrictions on certain members of
the audience.  The chairperson is responsible for seeking that;
information, and for keeping disclosures within the limits
prescribed.

     4.   Notes or Recordings

          The meeting chairperson must remind those in attendance
of their duty to treat any notes or recordings taken at the
meeting as confidential.  These materials are submitted to the
CBIO for storage or proper disposition until the CBI status is
determined.

     5.   Safeguarding

          Notes, minutes, summaries, recordings, proceedings, and
reports on the CAA CBI classified portions of the meeting must be
safeguarded and controlled throughout the meeting.  Any CAA CBI
material generated or received as a result of the meeting, as
appropriate, shall be forwarded to attendees by an approved means
of transfer when the meeting ends rather than being hand-carried
by attendees from the meeting site.
                                46

-------
     6.    Controls

          Physical and technical security controls shall be
established to control access.  The meeting room shall be cleared
of all CAA CBI materials after the meeting.  This includes
cleaning all chalkboards, returning any unneeded CAA CBI
materials to the CBIO for destruction, and ensuring that nothing
is left in the room that could lead to the unauthorized
disclosure of CAA CBI.
                                47

-------
                        SECTION VI.
                 CATEGORIES  OF  CAA  CBI
A.   OVERVIEW

     This section provides instructions on how Confidential
Business Information (CBI) is categorized.

B.   ORIGINAL  CBI

     Original CAA CBI is generally obtained under Section 114  of
the Clean Air Act in two basic forms.   It is usually received  in
the form of a request response from a solicited business or  from
a site visit conducted by an OAQPS employee or contractor
employee after visiting a solicited business.

     Because data-gathering visits,  plant inspections,  and source
testing can involve inadvertent receipt of CBI,  it is the policy
of OAQPS to protect all parties involved.  Prior to or at the
inception of a plant inspection,  data-gathering visit,  or source
test, OAQPS representatives discuss with the responsible industry
official the information sought,  how it is to be used,  and how it
is to be protected.

C.   DERIVATIVE CBI

     Derivative CBI is the result of incorporation,  paraphrasing,
restating,  or generating information from original CBI.   Along
with the file or record copy of a newly created CBI document,  the
OAQPS CBIO must keep a copy of the source document or sufficient
identifying information from the source document.   This
information includes the originator's name and title and the date
received.  The OAQPS WAM/TOPO's name,  title, and office must also
be shown on the new document.
                               48

-------
                       SECTION VII.
                    CAACBI MARKINGS
A.   OVERVIEW
     This chapter explains how materials  that  have  been  claimed
as CAA CBI materials must be marked.

B.   CBI STAMPS

     Both original and derivative CAA CBI documents are  stamped
on the first and last page "Subject to Confidentiality Claim."
See Appendix E for additional CAA CBI stamps or  markings.

C.   COMPUTER OUTPUT

     Documents that are generated as computer  output may be
marked automatically by systems software.  If  automatic  marking
is not practicable, these documents must  be marked  manually.
Removable storage media and devices used  with  ADP systems,
typewriters, or word processing equipment shall  bear both
external  (affixed) and internal (software generated)  CBI
markings.  Documents produced by ADP equipment shall have at  a
minimum their first page and their last page marked.

D.   SPECIAL CATEGORIES OF  MATERIALS

     Markings are conspicuously stamped,  printed, written or
affixed on classified material other than paper  documents.  If
this is not practicable, the containers of such  material shall be
marked.  The means by which material is marked varies according
to the physical characteristics of the material  and
organizational and operational requirements.

     1.   Charts, Maps,  and Drawings

          The markings on charts,  maps, and drawings are
inscribed both at the top and the bottom  of each document.  When
the document is unfolded, the classification marking shall be
clearly visible on each folded portion.   The marking must also be
visible when the document is rolled or folded  for storage.

                               49

-------
     2.    Photographs,  Films,  and Recordings

          Photographs must be  marked as confidential.   Their
containers are also marked.   The markings on each transparency or
slide must be on the image and on the holder or frame.
Classified motion picture films and videotapes are marked at the
beginning and end with a clear statement of classification.   The
containers or reels on which they are kept are also marked.

     3.    CAA CBI Waste

     Such documents and materials as rejected copy,  typewriter
ribbons,  and carbons used in working with confidential
information shall be handled in such a way that the information
is adequately protected.  Unless these documents and materials
are destroyed immediately, they must be marked.  Section XI,
gives instructions for disposal and destruction of CAA CBI.
                                50

-------
                      SECTION VIII.

         TRANSFERRING CUSTODY Of CAA CBI

A.   OVERVIEW

     This section describes how  custody of Confidential Business
Information (CBI)  is transferred.  Before a transfer is
initiated,  the OAQPS DCO or CDCO must verify the intended
recipient is authorized  to  access the specific CAA CBI to be
transferred.

B.   TRANSFERRING CAA  CBI TO EPA CONTRACTORS AND
     PROVIDING PLANTS/FACILITIES

     CAA CBI documents are  transferred by the OAQPS DCO to
contractor DCOs or authorized persons at the providing plant or
facility.  A CAA CBI letter of transfer  (Appendix S)  shall be
prepared for the responsible Group Leader's signature to initiate
the process of transferring CAA  CBI  to the providing
organization.   The WAM/TOPO or employee delivers the letter of
transfer along with the  OAQPS CAA CBI control number or
sufficient information identifying the specific CAA CBI to be
transferred to the CBIO.  Upon review and approval,  the document
will be properly transferred. The letter of transfer, custody
receipt  (and one copy) are  enclosed  with the transferred CAA CBI.

     A checklist for transferring CBI to a facility is as
follows:

•    WAM/TOPO submits letter of  transfer to Group Leader for
     signature;

«    Letter of transfer  and CAA  CBI  control number is submitted
     to the CBIO;

•    The DCO prepares the custody receipt, properly packages CAA
     CBI including letter of transfer; and

•    Releases package to authorized  contractor employee or mails
     package via registered mail or  Federal Express.
                               51

-------
     Pending CAA CBI documents (draft reports,  revisions,
telephone contact reports,  etc.)  are transferred to the
contractor at the WAM/TOPO's request via Custody Receipt.    A
Letter of Transfer signed by the Group Leader is not required.
      CAA CBI is transferred from OAQPS to the contractor and
 from the contractor to OAQPS.  The Prime Contractor is
 responsible for the transfer of CAA CBI to their designated
 subcontractors or consultants.  NOTE:  The OAQPS CBI Office
 administratively handles all transfers for OAQPS.
C.   TRANSFERRING CAA  CBI FROM CONTRACTORS TO  OAOPS

     CAA CBI to be transferred to OAQPS should be identified and
instructions given to the CDCO to return the material to the
OAQPS CBIO.  The material being transferred must be listed on the
CAA CBI Custody Receipt,  CAA CBI Form 14 (including the OAQPS CAA
CBI control number).   Under no circumstances will contractors
dispose of original CAA CBI materials that  have been logged into
the OAQPS Records Management System in any  way other than
returning them to the OAQPS CBIO.
      Direct transfer of CAA CBI materials between contractor
 employees is not permitted.  CAA CBI materials must be
 transferred through the CDCO only.
D.   TRANSFERRING CAA  CBI TO GOVERNMENT AND STATE
     AGENCIES  OUTSIDE  OF OAOPS

     Upon receipt of a request for CAA CBI from a Government or
State entity outside OAQPS and after it is determined that
disclosure of the CAA CBI is allowed (Section V.B),  a letter 30
the requesting agency is prepared for signature of PRRMS Director
to explain the procedures that must be followed prior to release
of the information requested.   A sample Letter to CAA CBI
Requestors Outside of OAQPS is illustrated in Appendix O,  and
included along with the letter shall be a Confidential Business
Information Security Agreement, CAA CBI Form 15  (Appendix L).
The agreement must be signed by the requesting agency official
equivalent or superior to the PRRMS Director.   By signing this


                                52

-------
agreement,  the agency official agrees to safeguard CAA CBI in a
manner comparable with EPA's procedures as found in 40 CFR,  part
2,  Subpart B.

     When the signed agreement is returned,  it shall be forwarded
to the OAQPS CBIO along with a Letter to Accompany CAA CBI
Transferred Outside OAQPS (Appendix 0).   This letter will
constitute direction to the OAQPS DCO to transmit the CAA CBI
materials to the requestor.   The OAQPS DCO will send the
materials,  the letter and the original and one copy of a CAA CBI
Custody .Receipt to the requestor.

E.   CONFIDENTIAL BUSINESS  INFORMATION  SECURITY
     AGREEMENT

     A Confidential Business Information Security Agreement,  CAA
CBI Form 15 (Appendix L)  must be signed by an official of a
government entity requesting transfer of CAA CBI prior to
transfer of custody.  This form requires the official of the
receiving agency to verify that the information will be
safeguarded utilizing procedures comparable to EPA's procedures
for handling CBI found in 40 CFR, Part 2,  Subpart B.

F.   PREPARATION AND PACKAGING

     CAA CBI materials to be transferred will be processed by the
DCO.  The following guidelines set forth the procedures for
preparing and packaging CBI materials.

     1.    Inner and Outer Covers

          Before CAA CBI  may be transferred or hand carried out
of the OAQPS facility, the materials to be transferred must be
double wrapped with opaque paper.  The inner cover must bear
markings that indicate the classification and instructions,  "CBI
Confidential Business Information," and "To Be Opened by
Addressee Only."  The person to whom the material is intended is
included in the address as an "Attention"  line on the inner
envelope.  Markings on the inner cover shall not show through the
outer cover.
                                53

-------
     2.   Addressing

          CAA CBI being transferred from the OAQPS CBIO to
another facility or being returned from a facility to the CBI
Office shall bear the name of the sending and receiving DCO only
in the address on the outer label.  The outer cover shall not
bear any classification markings or other indication that CAA CBI
information is enclosed.  The return address of the transferror
is required on both the inner and outer covers.

     3.   Packaging'

          Materials used in packaging CAA CBI must be strong e.nd
durable enough to provide protection in transit and prevent items
from protruding through the covers.  Upon receipt, packages must
be inspected to ensure that the seals have not been broken.

G.   CUSTODY RECEIPT

     A CAA CBI Custody Receipt, CAA CBI Form 14 (Appendix K) is
included with all transfers of CAA CBI materials and prepared in
triplicate.   This form provides the previous holder of CAA CB]
with proof of accountability that the material was transferred
and received.  The recipient signs and dates custody receipt,
after verifying all materials were received, forwards the
original copy to sender and retains the second copy for his/her
records.   The previous holder retains the original copy as a
record of the transfer.   The third copy is retained by the
previous holder as a suspense copy until the signed original is
returned by the recipient, or the Domestic Return Receipt from
the U.S.  Postal Service acknowledging receipt of the document ,s) .
(See Section IV. CAA CBI Records Management for more information
on accountability, control records, and the CAA CBI control
numbers.)

H.   TRANSFER METHODS

     OAQPS CAA CBI may be transferred or transported by the
following methods:

•    Hand carried to another facility by an employee or
     contractor employee who is authorized access to the CAA CBI;
                                54

-------
•    U.S.  Postal Service registered mail (return receipt
     requested), Express Mail;  or

•    Private courier (Federal Express).

     1.    Hand Carrying

          Appropriately cleared OAQPS employees may be authorized
to hand carry CAA CBI material  between facilities (when
traveling)  if the conditions outlined below are met.

•    Individuals authorized to carry CBI must contact the CBIO to
     be fully briefed on the provisions  of this Section before
     departing.

•    While traveling by plane or other public conveyance,
     employees must keep CAA CBI materials in their possession,
     and should not check them with their luggage.

•    When employees travel with CAA CBI  materials and are unable
     to deliver or ship the CAA CBI materials to a facility
     authorized to store CAA CBI, they may store the materials
     for short periods inside the locked trunk of a motor
     vehicle.  CAA CBI materials may also be stored overnight in
     hotel safes, if a receipt  is obtained from the hotel
     management.  Otherwise, CAA CBI materials must be kept in
     the possession of the traveler.

•    The storage provisions for CAA CBI  are detailed in Section
     IX. Storage of CAA CBI, shall apply to all stops en route to
     a destination.  CAA CBI materials shall not be unwrapped
     until the traveler's destination is reached.  If the
     materials are to be transferred to  someone at that location,
     they must immediately be taken to the local DCO and logged
     into the local Document Tracking System.

•    The CBI Office shall log out CAA CBI carried or escorted by
     traveling personnel.   CAA CBI must  be accounted for upon
     return by count and inspection of materials or by inspection
     of receipts for materials, if delivered.
                               55

-------
     2.    Registered Mail

          If CAA CBI material is to be mailed, it must be
prepared by the OAQPS DCO for registered mail (return receipt
requested).   Regular first class mail must never be used to
transfer CAA CBI.

     3.    Couriers and Express Mail

          EPA and contractor employee couriers,  commercial
couriers, and U.S. Postal Service Express Mail may be used in the
transmission of CAA CBI.
                                56

-------
                        SECTION  IX.

              STORAGE OF  OAOPS CAA CBI

A.   OVERVIEW

     This section describes  the minimum standards  for the
physical safeguarding and storage  of  CAA Confidential Business
Information (CBI).

B.   INTENT

     Employees using CAA CBI material are responsible for
ensuring that no unauthorized disclosures of that  information
occur.  This means that employees  must either maintain constant
control over the CAA CBI material  in  their possession or return
it to the CBIO.

C.   STORAGE EQUIPMENT SPECIFICATIONS

     When not in use,  CBI materials must be  secured in approved
CAA CBI storage containers.   The type of container approved for
CAA CBI storage is a metal file cabinet with bar hasp and three-
way, changeable combination  lock.

     "OPEN/CLOSED"  magnetic  signs  shall be posted  on each CAA CBI
storage container to readily identify containers that are open or
locked, and to provide a visual spot  checked and at the end of
the work day to ensure containers  are properly secured.  Storage
containers must be located within  a room dedicated to CBI
security.  The room must have a lockable entrance  secured by a
GSA approved,  changeable combination  Simplex lock.  All CBI
storage containers and the entry door shall be locked during the
lunch hour and at the end of each  business day.

D.   PROCEDURES  FOR LOCK  COMBINATIONS

     Since all storage containers  are secured by combination
locks, the matter of combinations  is  important.
                               57

-------
     1.   Changing Combinations

          Combinations to security equipment shall be changed
only by cleared personnel having that responsibility.
Combinations shall be changed only under these circumstances:

•    Whenever someone who knows the combination no longer
     requires access;

•    In the event of suspected compromise of CAA CBI;

•    When deemed necessary by the custodians; or

•    At least once each year.

     2.   Granting Access to Combinations

          Knowledge of combinations is limited to CBI Office
personnel and DCOs.   Records of combinations must be protected as
though CAA CBI.

E.   EVACUATION PROCEDURES

     In the event of a fire or other emergency (e.g., natural
disaster or civil disturbance)  requiring evacuation of office
spaces, CAA CBI  shall be returned immediately to the OAQPS CBIO
where it will be stored properly.  Persons who are unable to
return CAA CBI material in their possession to the CBIO shall
ensure that such material is safeguarded by covering it from view
and taking it with them.  The employee must keep it under
personal observation at all times until it can be secured in a
facility approved for CBI storage.

F.   SAFEGUARDING CAA CBI IN THE  EVENT OF A DISASTER
      A disaster plan is a little like insurance; we know we
 should have it, it costs money, and we hope we never have to
 use it!
     A disaster plan is required by the Federal Emergency
Management Agency  (FEMA) to ensure the safety of personnel and to

                                58

-------
protect vital records.  OAQPS and its contractors are required to
protect any records/documents affecting the legal and financial
rights of the Government and of the people affected by its
actions.  The OAQPS CAA CBI Disaster plan has three components:
prevention, preparedness, and response.

     1.   Prevention

     Procedural prevention relates to activities performed on a
day-to-day, month-to-month, or annual basis, relating to security
and recovery.  It begins with assigning responsibility for
overall security of the organization to an individual with
adequate competence and authority to meet the challenges.  The
objective of procedural prevention is to define activities
necessary to prevent various types of disasters and ensure that
these activities are performed regularly.

     Physical prevention begins when a CAA CBI storage site is
identified or constructed.  It includes special requirements for
room construction, as well as fire protection for various
equipment.  Special considerations include:  computers,  fire
detection and extinguishing systems, record(s) protection, air
conditioning, heating and ventilation, electrical supply,
emergency procedures, and storage specifications to protect CAA
CBI records.

•    OAQPS DCO will conduct an annual site inspection of the
     OAQPS CBIO to identify problem areas and foster awareness of
     disaster prevention issues among the staff.

•    Provide training for the CBIO staff in records management,
     protection, and how to respond to a disaster.

     2.   Preparedness

          OAQPS DCO will ensure that there are appropriate
supplies on hand to deal with immediate needs, and keep a current
list of suppliers of materials that are needed to handle
disasters.  The OAQPS DCO will also keep up-to-date on current
technology, procedures, and services available for disaster
planning and recovery, and ensure the staff is informed about
these issues.  Ensure appropriate security measures are taken to
prevent damage or destruction of CAA CBI, approve off-site

                                59

-------
storage of CAA CBI,  arranging for security guards when needed,
establish and maintain an emergency recall list (including EPA
designated personnel,  police and fire departments, hospitals,
utility companies,  selected resources,  etc.),  and whatever else
might be required in the circumstances.

     3.    Response

          The OAQPS DCO is responsible for directing all disaster
operations affecting damage or destruction CAA CBI records.  All
of OAQPS staff (Directors, Group Leaders,  POs, WAM/TOPOs and
employees) must be involved in order for the disaster plan to be
an effective one.  Preventing, preparing for,  and responding to
disasters has to be a team effort.   We all have to be aware of
the issues, and integrate prevention and preparedness into our
daily routines and consciousness.  In the event of a disaster,  we
have to be able to pull together as a team and respond quickly
and effectively to protect OAQPS's CAA Confidential Business
Information.  The OAQPS DCO will also evaluate the damage, plan
and execute recovery operations, and do post-disaster
assessments.
                                60

-------
                         SECTION X.
              CAA  CBI COMPUTER  SECURITY
     NOTE:  Computer security is difficult  and expensive  to
 maintain.  OAQPS personnel and its contractors should not use
 CAA CBI in an identifiable form in computer  programs, if at
 all possible.
A.   OVERVIEW

     This policy applies to all  automated data processing  (ADP)
systems processing and/or storing  CAA  Confidential Business
Information (CBI).   It shall apply equally when the ADP systems
are owned and operated by EPA or by its contractors or
consultants.

B.   DIRECTIVES

     The computer processing of  CAA CBI must be in compliance
with the following directives issued to all Federal agencies
processing sensitive data by computer:

•    Office of Management and Budget OMB Circular A-130, TM
     No .  1 ;

•    Office of Personnel Management FPM 732-7;

•    National Bureau of Standards  FTPS PUBS; and

•    General Services Administration 41 CFR Ch. 101.

     These directives require all  Federal agencies processing
sensitive information by computer  to establish and maintain a
formal security system.
                               61

-------
C.   BASIC SECURITY REQUIREMENT
      OAQPS must provide a system with a level of security
 adequate to protect any CBI being processed from alteration,
 loss, or from unauthorized access.
     1.    Security Mode

          OAQPS CAA CBI must be entered into an isolated system
with access control safeguards as well as additional safeguards
within the system.  In addition,  file and data separation are
required since all users are not  authorized to access all data.

     2.    Authenticity and Verification

          The system will authenticate the password for each
project, verify each user's identity, and validate each user's
file access authority and privileges.  System output must have
special  markings that identify particular data sets or programs
to provide audit trails.  These audit trails will produce an
activity and, when possible, an event record to permit analysis
of system operation by the CBI Office.

     3.    Remote Operation

          There shall be no communication system to interface
with remote terminals.

     4.    Users Requirements

          All system users and persons allowed unescorted access
to the ADP system shall meet the  following criteria:

•    They are authorized access to CAA CBI;

•    They have completed a Request, Approval, and Registration
     for CAA CBI Computer Access, CAA CBI Form 3;

•    They have been informed of the proper security procedures
     for operation of the system;
                                62

-------
•    They have been informed of the proper action to be taken in
     the event of system malfunction (spillage,  etc.);

•    They have been trained in the use of the system;

•    They have been authorized access to specific 'data in the
     system and have been given the password to that data; and

•    They have signed an acknowledgment of having been provided
     the above information.

     OAQPS and contractor employees who are authorized access to
specific CBI may view a computer screen that contains the CBI to
which they are authorized access.

     5.   Visitors

          Administrative approval may be given to permit
unauthorized persons to visit the computer facility, but they
shall be escorted and shall sign a log indicating the date and
time of their visit.

D.   CBI  COMPUTER ROOM

     All ADP central processing and ancillary equipment, shall be
located in a specific room.  This room in its totality is herein
referred to as the CBI Computer Room.

The CBI Computer Room:

»    Shall be located in an interior part of the building;

•    Shall be on a floor not accessible from the exterior of the
     building;

•    Shall be in an area not adjacent to, above, or below an area
     that would constitute a high-risk area from the standpoint
     of fire or explosion;

•    Shall maintain only one entrance for personnel access. Other
     doors, if any, shall be secured;
                                63

-------
•    Shall,  when unoccupied,  be secured with a Simplex
     combination lock,  mounted on a solid wooden or metal door;
     and

•    Shall,  during hours of operation,  have access controlled by
     means of an access control lock.

E.   SAFEGUARDING CBI DURING PERSONAL COMPUTER USE

     While using CAA CBI at a computer in an unsecured area,  the
operator must retain exclusive control over the operation of the
computer and printer and must ensure that only individuals
authorized for access to the CAA CBI can view the terminal
screen.  If the operator must leave the terminal for any reason,
the computer session shall be terminated.

     1.   Computer Storage Media
            ** DO NOT  store CAA CBI data on the LAN **
           CBI data generated or processed on a personal computer
must be stored on either floppy, compact diskettes,  or detachable
hard disks.  Floppy or compact disks are preferable and shall be
secured in the CBIO.  Floppy disks containing CAA CBI must also
be removed from the computer after each session and returned to
the CBIO.

          Obsolete or damaged disks shall be provided to the
WAM/TOPO for review who will authorize the DCO to return the
disks to the providing organization or to destroy them.

     2.   Termination of a CBI Computer Session

          Proper termination of a computer session involving CBI
consists of the following steps:

•    Transferring and verifying the transfer of the CBI data to
     the storage medium  (floppy disk, detachable hard disk, or
     printout);
                                64

-------
•    Removing the storage medium from the computer;

•    Erasing the computer's internal memory with a utility
     program disk;

•    Turning off the computer to erase data from the Random
     Access Memory; and

•    Returning the disks and generated printouts to the CBIO.

     3.    Use of a Printer

          If CAA CBI is printed out, the printed material must be
secured in the CBIO.  All data printed may not contain CBI,
therefore the employee who generates or obtains a printout from
the computer must first determine whether the printout contains
CBI.  All printouts and any information obtained from a computer
screen containing CBI and written down must be logged in and out
through the CBI office.
 Since most printers contain buffers,  turn off the printer to
 ensure removal of any CBI information stored in the printer
 buffer.
F.   SYSTEM SECURITY  SOFTWARE FOR  MULTI-USER  SYSTEM

     Only the operating system shall execute instructions to
control and perform all input/output operations and changes to
memory boundaries,  data elements, tables,  execution state
variables,  and files of the system.   The operating system will
protect itself and provide an authorization function to permit
only approved sets of individuals and programs to be combined for
a project.   One class of machine instructions will be reserved
for exclusive use of the operating system,  and one class will be
usable by the operating system and user applications.

     1.   C7ser Authority

          Where possible,  a memory bounds mechanism will be
included so that memory allocated to any particular user can be
restricted to prohibit the user from reading or writing in the

                                65

-------
operating system memory or the memory of another user.  The
system will enforce the user privileges as authorized for
given file and will include execute only,  read only,  read/write,
and prohibit scratching or renaming files.  Authentication of
project passwords, verification of user identity,  and validation
of user file authority are performed by the system.

     2.   Event Record

          Except for password maintenance activities,  unique
identifiers (passwords) may not be printed or displayed on any
output or terminal.  Within the limits of system capability, an
access and event journal will be maintained by the system in a
secure manner to record system activity,  log-on attempts,  and
program execution.  This audit function should permit event
attribution to the individual user.  An exception audit will be
produced by the system of all unauthorized activity,  including
log-on and file access attempts for daily review by the CBI
Computer Room Document Control Assistant (DCA).   The system will
include a time clock for recording events.  The system activity
log will have a write-only mode.  The system will maintain user
and file isolation on time share and concurrent processing.

G.   GENERAL PROCEDURES

     Changes to the operating system will be made off-line,
reviewed,  and approved before being installed on the active
system.  Changes in the application programs will be made
off-line using non-sensitive data and implemented after review.

     1.   Checkout

          Portable storage disks must be checked out from the CBI
Office using procedures described in Section III,  Document
Control, and Office when the processing is terminated.

     2.   User Privileges (Multi-year system only)

          User privileges will be limited to those necessary.
The user will log-out the appropriate floppy disk from the CBI
Office before logging into the CBI Computer Room with the CBI
Computer Room DCA.
                                66

-------
          Uni-que identifiers (passwords)  shall be used for
project identification in the log-on procedure and for data file
access. These identifiers shall be treated as confidential and
shall be changed at frequent intervals of at least every 3
months.  Two passwords are required to begin a program.  The CBI
Computer Room DCA shall provide a system access password and the
user shall provide a data file access password.

     3.   CBI Computer Room DCA

          When termination of processing is ended and the system
is to be shut down, the user will log-out with the CBI Computer
Room DCA. The CBI computer room DCA shall also be responsible for
opening and closing the CBI computer room and starting and
shutting-down the computer.

     4.   Back-up Files

          Back-up files will be maintained in the CBIO.
Periodically, the backup files will be updated and tested to
ensure operational condition.

     5.   Transmission

          Input and output media shall be transmitted only
between the CBI Office and the users who are authorized access to
specific data contained on the media.  In no case will input
media be accepted from or delivered to a third party.  Any system
processing and/or storing CBI must be a system that maintain CBI
controls.

H.   DESTRUCTION AND  RELEASE OF  DATA MEDIA

     All paper products, program listings and cards,  when no
longer needed, are to be destroyed in accordance with current
procedures for disposal of CBI documents listed in Section XI,
Disposal and Destruction.

     1.   Magnetic Storage

          Any magnetic storage media used to process or store CAA
CBI may be released from control after they have been degaussed
in an approved manner on an approved degausser.  Prior to

                                67

-------
release,  all identifying markings must be removed from the media
and the erasure of the data must be verified.

     2.   Rigid Magnetic Storage Media

          Rigid magnetic storage media,  used for processing or
storing CAA CBI,  when no longer needed,  may be released from
control after it has been overwritten alternately by ones and
zeros at least three times.  In the case of malfunctioning or
damaged data storage media, when overwriting is not possible, the
data storage media must be degaussed.  Overwriting or degaussing
must be verified prior to release of the media.

J.   SECURITY PLAN

     In addition to computer security procedures, EPA's
Information Security policy calls for a methodology for a risk
analysis,  security plan, and the requirement for confidentiality
agreements from all contractor personnel.   This security plan is
subject to approval by the PRRMS Director and shall be available
to representatives of EPA's Office of the Inspector General
(OIG).

J.   RISK ANALYSIS

     A risk analyses must be conducted for each computer
installation operated by or on behalf of EPA is required under
the provision of OMB Circular A-130, TM No.  1.  These analyses
are specified as needed, before approving design specifications
for new systems; whenever there is a significant change to the
physical facility, hardware, and/or software;  or at periodic
intervals not to exceed 5 years.  These risk analyses are tc
provide an evaluation of the relative vulnerabilities at the
installation in order to maximize the effectiveness of security
measures within the constraints of available resources.
                                68

-------
                        SECTION  XI.
              DISPOSAL AND DESTRUCTION
A.   OVERVIEW

     The purpose of this  section  is to explain how Confidential
Business Information (CBI)  must be disposed of or destroyed.

B.   INTENT

     CAA CBI that is of no  use to OAQPS and not wanted by the
providing organization, will be destroyed only under the
supervision of the DCO.   CBI borrowed from TSCA or RCRA may not
be destroyed but must be  returned.

C.   NOTICE OF  INTENT  TO DESTROY

     The providing organization or owner of original CAA CBI  that
is no longer needed by OAQPS must be informed of the intent to
destroy the material.  This notice is given to allow the owner an
option to reclaim the materials or have OAQPS destroy them.

D.   ORIGINAL CBI
      Under no circumstances will  contractors dispose of
 original CAA CBI materials that have been  logged into the
 OAQPS Records Management System in any way other than
 returning them to the OAQPS CBI Office.
     WAM/TOPOs or the responsible Group Leaders shall initiate
the process for destruction  or  disposal  (return to the providing
organization)  of original  CBI material.  The materials must be
identified for destruction.  The OAQPS DCO will destroy specified
documents and maintain a record of all destroyed documents.  At
no time shall destruction  of CAA CBI material take place without
proper authorization from  the WAM/TOPO or providing organization.
                               69

-------
E.   DERIVATIVE CBI

     Authors of derivative CBI (CBI created from original CBI)
may authorize the CBI Office to destroy their work that contains
CAA CBI.

F.   CBI  WASTE

     Waste material including handwritten notes, sheets of carbon
paper, diskettes, and working papers that contain CAA CBI must be
returned to the CBI Office daily for destruction.  No record of
destroying this type of material need be kept.

G.   RECORDS OF DESTRUCTION

     Records of destruction are required for CAA CBI materials.
When a document is destroyed, the OAQPS DCO or the CDCO must
indicate on the CAA CBI Control Record, CAA CBI Form 1 (Appendix
J) the destruction date, person destroying document, and attach
documentation authorizing the destruction to the CAA CBI Control
Record.

     The control records of destroyed documents must be retained
for audit purposes in accordance with OAQPS records management
requirements, and the CDCO shall submit the list of destroyed
documents with the annual inventory and upon completion of the
contract.   The destruction of CBI materials logged into the OAQPS
CAA CBI Records Management System shall documented in the CAA CBI
automated database and purged annually.

H.   METHODS OF DESTRUCTION

     CAA CBI documents and material shall be destroyed in a
manner that precludes recognition or reconstruction.  In general,
CAA CBI materials are destroyed by one of two methods:  shredding
(including any type of paper substance) or burning  (including
microfiche, typewriter ribbons, diskettes,  and data tapes).
                                70

-------
                       SECTION  XII.
            CAA  CBI  SECURITY  VIOLATIONS
A.   OVERVIEW

     This section sets  forth the procedures to be followed
whenever CAA Confidential Business Information (CBI)  security
procedures may have  been violated.

B.   RESPONSIBILITY OF DISCOVERER

     Any OAQPS employee who is either aware of actual or possible
violations regarding loss of CBI materials or unauthorized
disclosures must report immediately this information to the DCO.

C.   VIOLATIONS  OF THIS MANUAL

     All alleged violations of this manual's procedures shall be
investigated,  even if there is no evidence of a lost document or
unauthorized disclosure.

D.   PRELIMINARY INQUIRY

     The PRRMS Director will have the OAQPS DCO conduct a
preliminary inquiry  into the circumstances surrounding an actual
or possible compromise.  The findings of this inquiry,  undertaken
to determine if a compromise did occur,  are to be given to the
PRRMS Director for evaluation.

E.   INVESTIGATION

     The PRRMS Director may direct the OAQPS DCO to conduct a
full investigation based on the results of the preliminary
inquiry.  An investigation shall include the following:

•    A complete identification of each item of classified
     information involved.

•    A thorough search  for the CBI.
                               71

-------
•    Identification of any persons or procedures responsible for
     the compromise.

•    A statement that a compromise did occur,  may have occurred,
     or did not occur, and an estimate of the  risk of damage to
     the affected business.

•    A thorough discussion of all facts uncovered.

F.   REPORTS AND FINDINGS

     Investigative reports shall include, if possible, the
document date,  subject, name and address of the originator,  and a
description of the material.

     1 .    Finding of No Damage

          If it is determined that compromise  could not
reasonably be expected to cause identifiable damage to the
affected business the report of the preliminary inquiry will be
sufficient to resolve the incident and, if appropriate, support
the administration of disciplinary action.

     2 .    Lost
          If a document is lost or missing,  the report should
include the time,  date, surrounding the loss;  and the steps taken
to locate the material.  If possible,  the person responsible for
the loss should be identified.

     3 .    Compromise

          Where a compromise is believed to have occurred,  a
narrative statement by the WAM/TOPO should detail the
circumstances, the identity of the unauthorized person (s)  who had
or may have had access to the material, the steps taken to
determine whether a compromise did in fact occur, and the WAM ' s
evaluation of the importance of the material.

     4.    Finding of Damage

          If it is determined that the probability of
identifiable damage to the affected company cannot be ruled out,

                                72

-------
the PRRMS Director shall notify the affected business that the
materials claimed as CBI are not in account and that there is
reason to believe the information may have been disclosed to
individuals not authorized for access to it.  Written notice to
the affected business must contain a description of the CBI in
question and the date of the disclosure.

G.   RESULTING ACTIONS

     After receiving an inquiry and/or investigation report, the
PRRMS Director will notify appropriate Division Directors of the
report findings and recommend actions in keeping with the EPA
Conduct and Discipline Order.  Division Directors are responsible
for imposing punitive measures as deemed necessary.

     1.    Violations Subject to Punitive Measures

          Employees may be subject to punitive measures if they
do any of the following:

•    Compromise CBI through negligence;

•    Knowingly and willfully violate any provisions of this
     manual;  or

•    Knowingly and willfully, and without authorization,  disclose
     properly classified CBI.

     2.    Punitive Measures

          Punitive measures for security violations include, but
are not limited to, warning notice, admonition, reprimand,
termination of authorization for access to CBI, suspension
without pay,  forfeiture of pay, removal, discharge, or legal
charges.  These measures will be imposed in accordance with
applicable law and EPA regulations.
                                73

-------
                      SECTION XIII.
                  CAA  CBI  DEFINITIONS
Access:  The ability and opportunity to gain knowledge of CAA
CBI in any manner whatsoever.  Access to CAA CBI by individuals
not authorized according to  procedures in Section VI must be
reported as a security violation.

Affected Business:    Any providing organization that could be
affected adversely by the unauthorized disclosure of its CAA CBI.

Authorized  Person-.   Any person duly authorized pursuant to
OAQPS procedures to have access  to CAA CBI.

CAA  CBI Control Number:   Unique  number  assigned by the OAQPS
DCO to any document received or  generated that contains CAA CBI.
The number consists of a least ten digits (e.g., 98111-C02-09).
The first five digits are the fiscal year and project
identification number; first two numbers are the fiscal year and
next the three numbers are assigned  for each specific project
(e.g., 98111); the next three digits identify the responsible
group and WAM/TOPO (e.g.,  C03);  and  the last digit refers to the
number of documents submitted to the CBIO from the employee on
the specific project.

Confidential Business  Information:   Any documentary or
nondocumentary information,  in any form, received by OAQPS from a
person,  firm, partnership, corporation, association, or local,
State or Federal agency that relates to trade secrets or
commercial or financial information  and that has been claimed as
confidential by the person submitting it under the procedures in
40 CFR,  Part 2,  Subpart B.

Contractor:  Any person, association, partnership,
corporation,  business, educational,  institution, governmental
body or other entity that performs work under a contract with the
United States Government.
                               74

-------
Contracting Officer (CO):  EPA delegated official with the
authority to enter into contracts on behalf of  the  EPA.   The  CO
has sole authority to sign contracts,  obligate  funds  for a
contract, issue work assignments,  modify contract terms  or
conditions,  and terminate a contract.

Custody:  Formal responsibility for controlling access to CAA
CBI according to the procedures found in this manual.

Derivative  CBI:   Confidential Business Information created by
incorporating, paraphrasing,  restating,  or  generating a  new form
of the information.

Document:   Any recorded  information regardless of its physical
form or characteristics,  including,  without limitation,  written
or printed materials; data processing cards,  disks, and  tapes;
maps; charts; photographs; paintings;  drawings;  engravings;
sketches; working notes and papers;  reproductions of  such items
by any means or processes; and sound,  voice,  or electronic
recordings in any form.

OAQPS CBI Office:  Secured interior  room at  OAQPS  headquarters
where all CAA CBI is stored.

OAQPS Document  Control Officer:  A Government employee
designated by the PRRMS Director to oversee the OAQPS CAA CBI
program.

Document Tracking System:  A system to account  for the
location or disposition of CAA CBI materials.  Materials in a
Document Tracking System are assigned unique numerical
identifiers,  or CBI control numbers, and their  locations are
tracked through manual or automated logs or records of receipt,
usage, and transfer.

Employee:   Any person employed by  EPA  on  a  full-time or  part-
time basis in accordance with the procedures of the Office of
Personnel Management.  (This definition does not include
contractors,  grantees, or their employees.)
                                75

-------
Federal Agency:  Any organization or entity composed of United
States officers or employees except  for Federal  courts  and
Congress.

Holder:  A Federal employee or OAQPS contractor employee who  is
authorized access to specific CAA CBI,  and  is  currently in
possession of the CAA CBI.

Original CBI:   Confidential business information in its
original form as submitted by a providing organization  or as
recorded during a visit  to the providing organization.

Project Officer (PO):   EPA's primary technical representative
of the CO for a contract.  Responsibilities include:  evaluating
contractor proposals;  assisting in writing  statement  of work;
reviewing contractor progress reports;  reviewing contractor
requests and recommending approval or  disapproval to  the CO; and
assisting the CO in the  resolution of  problems associated with
contractor performance.

Specific CAA CBI:   Confidential business information
collected for an individual project  or work assignment/task order
under a contract.

Subcontractor:  A contractor that  provides a portion of the
level of effort on an OAQPS contract through a contractual
agreement with the OAQPS prime contractor.   The  EPA's contractual
agreement is with the prime contractor,  not the  subcontractor.

Violation:   The  failure to  comply  with any provision of these
procedures,  whether or not  such failure leads  to actual
unauthorized disclosure  of  CAA CBI.

Work Assignment Manager/Task  Order Project Officer
(WAM/TOPO) :   An EPA program official  who  monitors a specific
work assignment written  under a contract.   The WAM/TOPO develops
the statement of work for specific work assignments or  task
orders and monitors the  technical performance  of the  contractor.
                               76

-------
                       SECTION  XIV.
                 GLOSSARY OF  ACRONYMS
ACRONYMS

AAL

ADP

CAA

CBI

CBIO

CDCA

CDCO

CFR

CWA

DCA

DCO

EPA

FEMA

FIFRA


GAO

OAQPS

LAN

OIG
Authorized Access  List

Automatic Data Processing

Clean Air Act

Confidential Business Information

Confidential Business Information Office

Contractor Document  Control Assistant

Contractor Document  Control Officer

Code of Federal Register

Clean Water Act

Document Control Assistant

Document Control Officer

United States Environmental Protection Agency

Federal Emergency  Management Agency

Federal Insecticide, Fungicide and
Rodenticide Act

General Accounting Office

Office of Air Quality Planning and Standards

Local Area Network

Office of the Inspector General
                               77

-------
OGC

OSW

PC

PRRMS


RCRA

TSCA

WAM/TOPO
Office of General Counsel

Office of Solid Waste

Personal Computer

Planning, Resources & Regional Management
Staff

Resource Conservation and Recovery Act

Toxic Substances Control Act

Work Assignment Manager/Task Order Project
Officer
                                78

-------
                       SECTION XIV.

                         APPENDICES


APPENDIX           	TITLE	

  A                 Authorization for Access  to  CAA CBI  for
                    Federal Employees,  CAA  CBI Form 2

                    Authorization for Access  to  CAA CBI  for
                    Contractor Employees, CAA CBI  Form 3

  B                 Confidentiality Agreement for  United States
                    Employees Upon Relinquishing CAA CBI Access
                    Authority,  CAA CBI  Form 4

                    Confidentiality Agreement for  Contractor
                    Employees Upon Relinquishing CAA CBI Access
                    Authority,  CAA CBI  Form 5

  C                 Memorandum of CAA CBI Telephone Conversation,
                    CAA CBI Form 6

  D                 CAA CBI Meeting Sign-In Sheet, CAA CBI Form  7

  E                 CAA CBI Markings

  F                 CAA Confidential Business Information Cover
                    Sheet,  CAA CBI Form 8

                    Pending CAA Confidential  Business Information
                    Cover Sheet,  CAA CBI  Form 9

  G                 Request,  Approval,  and  Registration  for CAA
                    CBI Computer Access,  CAA  CBI Form 10

  H                 Request for Approval  of Contractor Access to
                    CAA CBI,  CAA CBI Form 11

                    Contractor Information  Sheet-Contractor CAA
                    CBI Access/Transfer,  CAA  CBI Form lla
                               79

-------
I                 CAA CBI Inventory Log, CAA CBI Form 12

                  CAA CBI Pending Log, CAA CBI Form 13

J                 CAA Confidential Business Information Control
                  Record, CAA CBI Form 1

K                 CAA CBI Custody Receipt, CAA CBI Form 14

L                 Confidential Business Information Security
                  Agreement, CAA CBI Form 15

M                 Sample CAA CBI Transfer Letters
                              80

-------
                                                                   APPENDIX A
 1. AUTHORIZATION FOR ACCESS TO CAA CBI FOR FEDERAL EMPLOYEES
 FULL NAME
POSITION
 SSN
OFFICE
 It is the responsibility of each Authorizing Official* to ensure that the employees under his/her
 supervision who require access to CAA CBI:

    1. Sign the Confidentiality Agreement for EPA Employees
    2. Are fully informed regarding their security responsibilities for CAA CBI.
    3. Obtain access only to that CAA CBI required to perform their official duties
 SIGNATURE OF AUTHORIZING OFFICIAL*
TELEPHONE NO.
DATE
 TITLE
LOCATION
 II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES
 I understand that I will have access to certain Confidential Business Information submitted to EPA or
 its authorized representatives under the Clean Air Act (CAA).  This access is granted in accordance
 with my official duties as an employee of the Environmental Protection Agency.

 I understand that CAA CBI may not be disclosed except as authorized by CAA and Agency
 regulations. I understand that I am liable for a possible fine of up to $1,000 and/or imprisonment for
 up to 1 year if I willfully disclose CAA CBI to any person not authorized to receive it.  In addition I
 understand that I may be subject to disciplinary action for violation of this agreement with penalties
 ranging up to and including dismissal.

 I agree that I will treat any CAA CBI furnished to me as confidential and that I will follow the
 procedures set forth in the CAA Confidential Business Information Security Manual.

 I have read and understand these procedures.
 SIGNATURE
TELEPHONE NO.
DATE
 III. HAVING COMPLETE REQUIRED TRAINING AND PASSED REQUIRED
 TEST, THE ABOVE-NAMED EMPLOYEE IS HEREBY AUTHORIZED TO HAVE
 ACCESS TO CAA CBI.
 SIGNATURE DCO
TELEPHONE NO.
DATE
 * Must be Division Director (or equivalent) or above.
CAA CBI Form 2 (Rev. 9/98)
                                          81

-------
                                                                  APPENDIX A
FULL NAME
SSN
POSITION
CONTRACTOR
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
 1.  AUTHORIZATION FOR ACCESS TO CAA CBI FOR CONTRACTOR EMPLOYEES
 It is the responsibility of each Authorizing Official* to ensure that the employees under his/her
 supervision who require access to CAA CBI:

    1. Sign the Confidentiality Agreement for EPA Employees
    2. Are fully informed regarding their security responsibilities for CAA CBI.
    3. Obtain access only to that CAA CBI required to perform their official duties
 II.  CONFIDENTIALITY AGREEMENT FOR CONTRACTOR EMPLOYEES
 I understand that I will have access to certain Confidential Business Information submitted to EPA or
 its authorized representatives under the Clean Air Act (CAA). This access is granted in accordance
 with my official duties as an employee of the Environmental Protection Agency contractor.

 I understand that CAA CBI may not be disclosed except as authorized by CAA and Agency
 regulations. I understand that I am liable for a possible fine of up to SI ,000 and/or imprisonment for
 up to 1 year if I willfully disclose CAA CBI to any person not authorized to receive it.  In addition I
 understand that I may be subject to disciplinary action for violation of this agreement with penalties
 ranging up to and including dismissal.

 I agree that I will treat any CAA CBI furnished to me as confidential and that I will follow the
 procedures set forth in the CAA Confidential Business Information Security Manual.

 I have read and understand these procedures.
SIGNATURE
TELEPHONE NO.
DATE
 III. HAVING COMPLETE REQUIRED TRAINING AND PASSED REQUIRED
 TEST, THE ABOVE-NAMED EMPLOYEE IS HEREBY AUTHORIZED TO HAVE
 ACCESS TO CAA CBI.
SIGNATURE CONTRACTOR DCO
TELEPHONE NO.
DATE
 * Must be Contractor Management
CAA CBI Form 3 (Rev. 9/98)
                                          82

-------
                                                             APPENDIX  B
                                 US Environmental Protection Agency
                                       Washington, DC 20460
  \ \W^ £       Confidentiality Agreement for Federal Employees
   %. PROT^          Upon Relinquishing CAA CBI Access Authority
 In accordance with my official duties as an employee of the United States, I have had access
 to. Confidential Business Information under the Clean Air Act (CAA) (42 U.S.C. 1857 et
 seq.).  I understand that CAA Confidential Business Information may not be disclosed except
 as authorized by CAA or Agency regulations.

 I certify that I have returned all copies of any materials containing CAA Confidential Business
 Information in my possession to the OAQPS CBI Office.

 I agree that I will not remove any copies of materials containing CAA Confidential Business
 Information from the premises of the Agency upon my termination or transfer. I further agree
 that I will not disclose any CAA  Confidential Business Information to any person after my
 termination or transfer.

 I understand that as an employee of the United States who has had access to CAA Confidential
 Business Information, under 18U.S.C. 1905,1am liable for a possible fine of up to $1,000
 and/or imprisonment for up to one year if I willfully disclose CAA Confidential Business
 Information to any person.

 If I am still employed by the United States, I also understand that I may be subject to
 disciplinary action for violation of this agreement.

 I am aware that I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made
 any statement of material facts knowing that such statement is false or if I willfully conceal
 any material fact.
 Name (Please type or print)
SSN
 Signature
Date
CAA CBI Form 4 (Rev. 6/95)
                                          83

-------
                                                               APPENDIX B
            \
            O
               Environmental Protection Agency
                    Washington, DC 20460

      CONFIDENTIALITY AGREEMENT FOR
        CONTRACTOR EMPLOYEES UPON
RELINQUISHING CAA CBI ACCESS AUTHORITY
 Name of Employer
                       Contract Number
 As an employee of the contractor/subcontractor named above performing work for the United
 States Government, I have been authorized access to Confidential Business Information (CBI)
 submitted under the Clean Air Act (CAA) (42 U.S.C. 1857 et.seq.). This access authority was
 granted to me in order to perform my work under the contract number cited above.

 I understand that CAA CBI to which I have had access under the contract may not be used for
 any purposes other than for performing the contract. I also understand that CAA CBI may not
 be disclosed except as authorized by CAA or EPA regulations.

 I certify that I have returned all copies of CAA CBI materials in my possession to my
 company Document Control Officer.

 I agree that I will not remove any copies of materials containing CAA CBI from the premises
 of my company or from EPA premises upon my relinquishment of CAA CBI to any person
 after my relinquishment of CAA CBI access authority.

 I understand that as a contractor employee who has been authorized access to CAA CBI, I may
 face criminal prosecution if I willfully disclose CAA CBI to any person.

 If I am still employed by the contractor, I also understand that I may be subject to disciplinary
 action for violation of this agreement.

 I am aware that I may be subject to criminal penalties under 18 USC Section 1001 if I have
 made any statement of material facts knowing that such statement is false or I willfully
 conceal any material fact.
 NAME (Please type of print)
                       Social Security Number
 Signature
                       Date
CAA Form 5 (Rev. 6/95)

-------
                                                     APPENDIX C
                              US Environmental Protection Agency
                                  Washington, DC 20460
                       MEMORANDUM OF CAA CBI
                       TELEPHONE CONVERSATION
                        I. EMPLOYEE IDENTIFICATION
 Name of Employee
                          Date
 Organization
                          Time
                      II. SECOND PARTY IDENTIFICATION
 Call is:
        D  To
D  From
         Name
 Number
         Organization
 III. Concerning What CAA CBI?
 IV. Content of Conversation: (CONTINUE ON SEPARATE SHEET)
CAA CBI Form 6 (Rev. 6/95)
                                85

-------
                                                                  APPENDIX D
v^fcD sr/,^ U.S. Environmental Protection Agency
>> 	 ^. Washington, DC 20460
1" ^J^ ^
*S£*i ^
\ X5EZ ® CAA CBI MEETING SIGN-IN SHEEET
^ ^^••1^^^ >
%> ^
^ PRO^-0
CHAIRPERSON
MEETING PLACE (ROOM, BUILDING, CITY, STATE)
DATE
TIME
SUBJECT OF MEETING
NAME (Print)

















Signature

















ORGANIZATION









-







THIS SIGN-IN SHEET MUST BE GIVEN TO THE CBI MANAGER
CAA CBI Form 7 (Rev. 6/95)
                                          86

-------
                             APPENDIX E
         CAA CBI MARKINGS
"SUBJECT TO CONFIDENTIALITY CLAIM"
"TO BE OPENED BY ADDRESSEE ONLY"
"CBI  --  CONFIDENTIAL BUSINESS INFORMATION"
"DETERMINED CONFIDENTIAL BY OAQPS"
"DESTROYED BY           / DATE
                87

-------
                                     APPENDIX F
                               Contractor Control No.:

                               EPA Control No.:	
                                      Copy No.:	
                        CAA
            CONFIDENTIAL
  BUSINESS INFORMATION
 The attached document contains data claimed to be confidential business information (CBI)
 under the authority of the Clean Air Act (CAA) as amended (42 U.S.C. 7401,7411, 7412,
 7414, 7416, 7601). CBI may not be disclosed or copied for release to another party. Any
 excerpts or summaries must also be treated as CBI. If you willfully disclose CAA CBI to any
 person not authorized to receive it, you may be liable for a disciplinary action with penalties
 ranging up to and including dismissal. In addition, disclosure of CAA CBI or violation of
 security procedures may subject you to a fine of up to $1,000.00 and/or imprisonment for up
 to one year.
                DO NOT DETACH
CAA CBI Form 8 (Rev. 6/95)

-------
                                       APPENDIX F
                             Contractor Control No.

                             EPA Control No.:	
                                    Copy No.:	
                      CAA
           CONFIDENTIAL
 BUSINESS INFORMATION
                 PENDING
 The attached document contains data claimed to be confidential business information (CBI)
 under the authority of the Clean Air Act (CAA) as amended (42 U.S.C. 7401, 7411, 7412,
 7414, 7416, 7601). CBI may not be disclosed or copied for release to another party. Any
 excerpts or summaries must also be treated as CBI. If you willfully disclose CAA CBI to any
 person not authorized to receive it, you may be liable for a disciplinary action with penalties
 ranging up to and including dismissal.  In addition, disclosure of CAA CBI or violation of
 security procedures may subject you to a fine of up to $1,000.00 and/or imprisonment for up
 to one year.
               DO NOT DETACH
CAA CBI Form 9 (Rev. 6/95)
                          89

-------
                                                                      APPENDIX  G
\
                                     U.S. Environmental Protection Agency
                                            Washington, DC  20460

                              Request, Approval, and Registration
                                 for CAA CBI Computer Access
                             I. Request for CAA CBI Computer Access
   Name (Last.Firsl,MI)
                                           2 Requestor (Oflice/Division/Branch)
 3 System and Data Base to Be Accessed
 4. Describe fully the duties that require access to each system
 5 Signature of Requesting Official (Division Director or above)
                                                        6 Date
                               II. Computer Room DC A Approval
 1 Date Received
                      2.  Signature of Computer Room DC A
                                     III. DCO Approval
 1  Date Received
                      2.  Holds Current CAA CBI Access
                         D Yes         D No
3 Approved
n   Yes     DNo (Explain
                 On back)
 4 Signature DCO
CAA CBI Form 10 (Rev 6/95)
                                          90

-------
                                                                         APPENDIX H

\v/
                                      U.S. Environmental Protection Agency
                                             Washington, DC  20460

                                      REQUEST FOR APPROVAL OF
                                 CONTRACTOR ACCESS TO CAA CBI
 Requesting Official
                                     Signature
Date
 Title and Office
 Contractor and contract number
 EPA Project Officer
                                     EPA Contracting Officer
       ;  L Brief DescripttoB:0f «H3fr£ct, ::jncludmg purpose, scope,:.lengJh, and other jjnportarii details^
       ..  •-.....':..  :        (Cpntajuadon
                              What CAA CBI Will tjereqaifeiJ, And Why?
                                 (Contiauedoa bade if necessary)
 Approved (Signature)
                                                                    Date
CAA CBI Form 11 (Rev. 6/95)
                                           91

-------
                                                                 APPENDIX H
                CONTRACTOR INFORMATION SHEET
                      CAA CBI ACCESS/TRANSFER
 1. Contractor
 2. Address :
 3. Contract #:
 4. Is this a renewal of a previous contract?   Yes  D      No D
 5. Previous contact number:	
 6. EPA Project Officer	
 7. EPA Contracting Officer	
 8. EPA Work Assignment Manager:	
   Phone:	   Room:	    Mail Code:.
 9. Contractor Project Officer:	
 10. Description of duties to be performed by contractor that require CAA CBI access:
 11. Type(s) of data to be transferred/disclosed:
 12. Will CBI be transferred offsite under this contract?  Yes  D No D
 13. If so, to where?  	
 14.  Have contractor security plan and facilities been approved by the OAQPS DCO?  Yes  D No D
 15.  If so, date of test site inspection:	
 16.  Date access scheduled to commence:	
 17.  Contract expiration date:	
 18.  Is computer CBI access needed under this contract?   Yes  D No D
 19.  Has computer access been approved?  Yes  D No D
CAA CBI Form 1 la (Rev. 6/95)
                                      92

-------
                                                                                 APPENDIX  I
       O

       O
 
 bO
            .2
            "S
110  I
 g 
                                                                                                              o
                                                                                                              Qi
                                                                                                              P

                                                                                                              C
                                                                                                              U,

                                                                                                              5
                                                                                                              u

                                                                                                              <
                                                                                                              <
                                                                                                              u
                                                      93

-------
                                                                              APPENDIX  I
      o
o
        U
      U
                   S  B
                   C  c3

                   §  D
                   T3
                   U
                   D
                      o
                      o.
                      e
                      .2
                      'D.
                      o
                      pi
                      o
                   >
                   p
CBI

Control Numbe
                                                                                                      0
                                                                                                       o
                                                                                                      tJ-

                                                                                                      00
                                                                                                      U
                                                                                                      U
                                                 94

-------
                                                           APPENDIX J
CAA CONFIDENTIAL BUSINESS INFORMATION
CONTROL RECORD
DATE RECEIVED:
DATE OF DOCUMENT:
RESPONSIBLE GROUP:
CONTROL NUMBER:
DOCUMENT AUTHOR:
DESCRIPTION (PROVIDING ORGANIZATION, TITLE, SUBJECT, NUMBER OF COPIES, NUMBER OF PAGES)
RETURN DATE:
EACH PERSON WHO IS GIVtN ACCESS
DESTRUCTION DATE:
INITIALS:
TO THIS DOCUMENT MUST FILL IN THE INFORMATION BELOW.
CHECK-OUT
SIGNATURE






















DATE






















TIME






















CHECK-IN
SIGNATURE






















DATE






















TIME






















CAA Form 1
                                      95

-------
                                                                 APPENDIX K
  US Environmental Protection Agency
  Office of Air Quality Planning and Standards
  CBI Office (MD-11)
  Research Triangle Park, NC 27711
                               DATE:
                           SENT VIA:
                         RECEIPT NO:
                           PROJECT:
                           CONTACT:
                           CAA CBI CUSTODY RECEIPT
 TO:
                           FROM: Document Control Officer
                                 Ms Melva W Toomer
                                 U.S. EPA/OAQPS/PRRMS/CBIO
                                 MD-11
                                 Research Triangle Park, NC 27711
   INSTRUCTIONS:
   1. Original of this receipt to be signed by recipient and returned to sender.
   2. Duplicate of this receipt to be retained by recipient.
 CBI CONTROL NO.
COPY NO.
DESCRIPTION OF MATERIAL
  I have personally received material, enclosures, and attachments as identified above  I assume full
  responsibility for the safe handling, storage, and transmittal of this material in accordance with existing
  Confidential Business Information regulations.
DATE RECEIVED:
               SIGNATURE OF RECIPIENT:
   CBI Form 14 (Rev. 9/98)
                                    96

-------

-------
                                            APPENDIX L
       CONFIDENTIAL  BUSINESS  INFORMATION
                  SECURITY  AGREEMENT
In requesting  information claimed to be  business  confidential

from the Office of Air Quality Planning  and  Standards,  I  agree

to safeguard  this information  according  to  [	Name of

Agency	]'s procedures  comparable to EPA's  procedures  for

handling Confidential Business Information as  found  in  40  CFR,

Part 2, Subpart B, Confidentiality of Business Information.   I

further agree that access will be limited to  only those  persons

in  our  organization  having  a  "need   to  know, "   that   the

information will be kept in a secure storage  contained (e.g.,  a

lockable  file  cabinet)  while  it  is in  our  custody,  that  a

record of persons accessing  the information  be maintained,  and

that  it  will be  returned to OAQPS at  the  conclusion  of  our

project.
                    Name,  Title  (Please Type or Print)
                    Signature                 Date
 CAA CBI  Form 15  (Rev.  6/95)
                             97

-------
                                                               APPENDIX M
LETTER  TO  CAA  CBI  REQUESTERS  OUTSIDE  OAQPS
Mr. Agency Official
Director, Planning Division
Some Government Agency
1168 14th Street
Washington, D.C.

Dear Mr. Agency Official:

      (Cite the name of local contact or letter of request) indicates that you want a copy of
certain information in our Confidential Business Information (CBI) files. Please be advised that
our long-standing policy is to release CBI to only those persons duly authorized to have access.
Since we have not previously granted clearance for access to Clean Air Act (CAA) information
to you or anyone in your organization, we request assurance that this information will be handled
according to applicable federal regulations. To provide a record of your agreement to safeguard
the information, we require that you sign and return the accompanying CBI Security Agreement.
We will release the requested information to you upon receipt of this agreement.
                                             Sincerely,
                                            leva G. Spons, Director
                                            Planning, Resources and
                                            Regional Management Staff

Enclosures
                                        98

-------
                                                    APPENDIX M

      LETTER TO ACCOMPANY CAA CBI TRANSFERRED
                             OUTSIDE OAOPS
Mr. Agency Official
Director, Planning Division
Some Government Agency
1108 14th Street
Washington, D.C. 20460

Dear Mr. Agency Official:

      Your security agreement associated with the request for access to (describe information)
has been received. We are therefore releasing the enclosed Confidential Business Information to
your custody. Please sign the attached Custody Receipt and return it to:
                         Melva W. Toomer, OAQPS Document Control Officer
                         U.S. Environmental Protection Agency
                         Office of Air Quality Planning & Standards
                         Planning, Resources & Regional Management Staff (MD-11)
                         Research Triangle Park, NC  27711
                                           Sincerely,
                                           leva G. Spons, Director
                                           Planning, Resources and
                                           Regional Management Staff

Enclosures
                                      99

-------
                                                                  APPENDIX M


                                     SAMPLE


         TRANSFER LETTER TO PROVIDING FACILITIES


Name of recipient
Title of Recipient
Recipient's Address

Dear Mr. Noel:

       Thank you for your efforts in coordinating a visit to the Name of the facility, address,
and date.  The U.S. Environmental Protection Agency (EPA) appreciates the time you spent
discussing the manufacturing process at your facility.

       Enclosed is a draft of the trip report that has been prepared based on the information
obtained during our site visit. We would appreciate irour reviewing the report for any errors or
omissions.  You may return the enclosed copy of the report with your written comments. Since
this report will eventually become a part of the public record, we want to portray your operations
as accurately as possible.  A copy of the final version of the report incorporating your comments
will be sent to you for your records.

       The custody receipt for the trip report is also enclosed. Please sign and date the form to
acknowledge receipt of the report and return a copy of the form to the Document Control Officer,
Planning, Resources and Regional Management Staff (MD-11), U. S. Environmental Protection
Agency, Research Triangle Park, North Carolina 27711.

       If you believe the disclosure of any specific information contained in the trip report
would reveal trade secrets or other confidential information, you should clearly identify-the
specific information. Please do not label the entire report "confidential" if only certain portions
consist of trade  secret information. If the EPA determines that there is a need to disclose such
information, we will need, at that time, the following to support your claim:

       1.  Measures taken by Name of facility to guard against undesired disclosure of the
specific information to others;

       2.  The extent to which the specific information has been disclosed to others and the
precautions taken in connection therewith;

       3.  Pertinent confidentiality determinations, if any, by other Federal agencies (furnish a
copy of any such determination, or references to it, if available); and
                                           100

-------
       4.  Whether Name of facility asserts that disclosure of the specific information would be
likely to result in substantial harmful effects on facility Name's competitive position, and if so,
what those harmful effects would be, why they should be viewed as substantial, and an
explanation of the causal relationship between disclosure and such harmful effects.
Any specific information subsequently determined to constitute a trade secret will be protected
under 18 U.S.C. 1905. If no claim of confidentially accompanies the information when it is
received by EPA, it may be made available to the public by EPA without further notice (40 CFR
part 2.203, September 1, 1976).  Any specific information subsequently determined to constitute
a trade secret will be protected under 18 U.S.C. 1905. However, all emission data will be
available to the public. A clarification of what EPA considers to be emission data is contained in
Enclosure 2.

       We respectfully request that you submit your review comments on the trip report by date.
 If you concur with the information contained in the report,  we would appreciate a letter to that
effect. In addition. Please indicate in your letter the specific parts of the report, if any, that
Facility Name considers to be confidential. If we do not receive a response by date, the report
will be considered nonconfidential and accurate.

       Thank you for your cooperation.  The information supplied by Facility Name will be
most helpful in our study. If you have any questions, please call name of WAM/TOPO,
telephone number, or Contractor's name, company name  and telephone number.

                                        Sincerely,
                                        Group Leader
                                        Division

Enclosure
                                      101

-------
                                                         APPENDIX M


                                    SAMPLE

         TRANSFER LETTER TO PROVIDING FACILITY
Mr. Gordon Brown
Environmental Manager
State Paper Board
Post Office Box 9999
Whitehouse, Georgia 3 0913

Dear Mr. Brown:

      Thank you for reviewing the trip report for the September 14, 1994 visit to the State
Paper Board Mill in Whitehouse, GA, by representatives from the U.S. Environmental Protection
Agency and Northwestern Research Institute (NRI).  Your comments have been incorporated in
the enclosed final trip report.

      The trip report includes a nonconfidential version plus a confidential addendum. The
confidential addendum consist of those items you identified as confidential business information
(CBI) in your February  7, 1998  letter. Unless we hear from you by April 19, 1998 with further
comments or corrections, we will treat the nonconfidential trip report and the confidential
addendum as final. In its final form, the nonconfidential trip report may be accessed by the
general public following proposal of the national emission standards for hazardous air pollutants
for combustion sources  in the sand and paper industry. The confidential addendum can only be
accessed by those authorized to view C AA CBI pertaining to the sand and paper industry.

      If you have any questions or additional comments, please contact Mr. John Smith of my
staff at (919) 541-9999 or Ms. Sally Sue of NRI at (919) 685-1234 (ext. 349). Thank you for your
cooperation.

                                       Sincerely,
                                       Group Leader
                                       (Name) Specific Group
Enclosures
                                        102

-------
U S  Environmental Protection Agency
Region 5, Library (PI.-12J)
77 West Jackson Boulevard, 12tn floor
Chicago,  !L  60604-3590

-------