560978502
EPA
TSCA Confidential
Business Information
Security Manual

-------
TSCA  CONFIDENTIAL BUSINESS INFORMATION
              SECURITY MANUAL
  U.S.  Environmental  Protection Agency
       Office of Toxic Substances
             Washington, D.C.
        U.S. Environmental Protection Agency
        Region 5, Library (PL-12J)
        77 West Jackson Boulevard, 22th Floor
        Chicago, IL 60604-3590

-------
                           PREFACE
This manual deals with a very serious obligation we at EPA
have under the Toxic Substances Control Act  (TSCA)—the
need to protect confidential business information from
unauthorized disclosure.

TSCA requires industry to entrust large volumes of data to
EPA concerning the tens of thousands of chemical substances
in U.S. commerce.  This information has never been compiled
in such a complete way before, and it forms the basis for
our ability to carry out TSCA's preventive approach to
minimizing the health and environmental risks of toxic
chemicals.

Some of these industry data may be claimed as "confidential,"
meaning that they involve trade secrets or other kinds of
information that one company doesn't want another to have.
Understandably, industry has expressed great concern about
EPA's ability to protect confidential business information
from unauthorized disclosure.

Because it's so important for us to have this information
to carry out TSCA, we have made considerable effort to
develop security procedures for handling it that we believe
are second to none, in government or in industry.  But
any security system of this kind is only as good as the
people who maintain it.  Its effectiveness depends on constant,
careful adherence to established procedures by each and every
person involved.

I urge you to study and learn these procedures and to encourage
those you work with to do the same.  While I don't wish to
overemphasize this point, TSCA provides strict criminal
penalties for any person who discloses this confidential
business information in a knowing and unauthorized way.  And
we have gone on public record with the promise to prosecute
any acts of wrongful disclosure to the fullest extent of
the law.

These procedures are the result of many hours of hard work
by the TSCA Data Security Task Force.  They reflect comments
from industry and others, and provide the kind of protection
we at EPA must offer in order to have the information we
need to carry out TSCA.  I hope we can count on you to help
carry this system out as best as we possibly can.
Dated
                              Assistant Administrator
                              for Toxic Substances

-------
                       TABLE OF CONTENTS
 CHAPTER   I   General
 CHAPTER  II   Responsibilities
 CHAPTER III   Procedures
 CHAPTER  IV   Security Requirements for EPA
                Computer Centers
 CHAPTER   V   Security Requirements for
                Contractors and Subcontractors
 CHAPTER  VI   Security Requirements for Other
                Federal Agencies

                          Appendices

    I.  Inventory Log
   II.  User Copy Signout Log
  III.  TSCA Confidential Business
         Information Cover Sheet
   IV.  Confidentiality Agreement for EPA
         Employees
    V.  Confidentiality Agreement for EPA
         Employees Upon Termination or Transfer
   VI.  Request for Access to TSCA Confidential
         Business Information
  VII.  Treatment of Confidential Business
         Information (clause for contractors)
 VIII.  Security Requirements for Handling
         Confidential Business Information
         (clause for contractors)
   IX.  Laboratories and Field Stations Eligible
         to Have a Document Control Officer
    X.  Special Category TSCA Confidential
         Business Information
   XI.  Computer Security (clause for contractors)
  XII.  TSCA Contractor/Subcontractor Data Security
         Requirements
 XIII.  TSCA Contractor Employee Confidentiality
         Agreement
  XIV.  TSCA Federal Non-EPA Employee
         Confidentiality Agreement
   XV.  EPA Contractor/Subcontractor Signout Log
  XVI.  Federal Agency, Congress and Federal
         Court Signout Log
 XVII.  Loan Receipt for TSCA Confidential
         Business Information
XVIII.  Screening Business Information for Claims
         of Confidentiality (Clause for Contractors)

-------
                          CHAPTER I
                           General
1.   Purpose.  These procedures prescribe minimum standards
and establish responsibility and accountability for the
control and security of documents and computer systems that
contain Confidential Business Information received under the
Toxic Substances Control Act (TSCA)  (15 U.S.C. 2601 et
seq.).

2.   Policy.   EPA recognizes the trust placed in it by the
reporters of Confidential Business Information.  It is the
policy of EPA to take all reasonable measures to prevent the
unauthorized disclosure of Confidential Business Informa-
tion.  EPA employees are prohibited from disclosing, in any
manner and to any extent not authorized by law or EPA reg-
ulations, any TSCA Confidential Business Information coming
to them in the course of their employment or official duties.
EPA contractors and subcontractors are prohibited from
disclosing any TSCA Confidential Business Information except
in accordance with the terms of the contract or subcontract
under which they receive the information.  Employees of
other Federal agencies are prohibited from disclosing, in
any manner and to any extent not authorized by law or the
terms of any agreement between EPA and the other agency,  any
TSCA Confidential Business Information coming to them from
EPA.   TSCA Confidential Business Information is to be held
in confidence, and handled in accordance with these procedures.

3.   Applicable Federal Statutes and Regulations.

     a.   15 USC 2613, Disclosure of Data (TSCA)
     b.    5 USC  552, Freedom of Information Act
     c.   40 CFR Part 2, Confidentiality of Business Infor-
          mation
     d.   41 CFR Chapter 15, Public Contracts and Property
          Management

4.   Authority.  The Assistant Administrator for Toxic
Substances shall design and implement an Agency-wide se-
curity program to control the receipt, handling,  and dis-
semination of TSCA Confidential Business Information.

-------
     Policies and procedures promulgated under this authority
shall supplement and not supersede the general Agency
regulations pertaining to Freedom of Information Requests
and Confidentiality as set forth in 40 CFR Part 2.

5.   Treatment of Violations.

     a.   Unauthorized disclosure of TSCA Confidential
     Business Information may subject an employee to the
     criminal penalties under TSCA Section 14(d)(1) as
     follows:

          "Criminal Penalty for Wrongful Disclosure - (1)
          Any officer or employee of the United States or
          former officer or employee of the United States,
          who by virtue of such employment or official
          position has obtained possession of, or has access
          to, material the disclosure of which is prohibited
          by subsection (a), and who knowing that disclosure
          of such material is prohibited by such subsection,
          willfully discloses the material in any manner to
          any person not entitled to receive it, shall be
          guilty of a misdemeanor and fined not more than
          $5,000 or imprisoned for not more than one year,
          or both."

     b.   Violations of these Procedures by employees may
     result in removal from the authorized access list and
     disciplinary action with penalties up to and including
     dismissal, under policies and procedures detailed in
     the EPA Conduct and Discipline Manual (Chapter 5 and
     Appendix C, Table of Offenses and Penalties, 35(b)).

6.   Definitions.

     a.   "Access" is the ability and opportunity to gain
     knowledge of Confidential Business Information (in any
     manner whatsoever).

     b.   "Authorized Computer Facility" is any EPA or
     contractor computer facility which meets the security
     standards contained in Chapter IV  (for EPA) or Chapter V
     (for contractors) and which has been approved, in
     accordance with Chapter II.1.f., for handling TSCA
     Confidential Business Information.

     c.   "Authorized Person" is any person authorized,  in
     accordance with the requirements of Chapter III.1. to
     receive TSCA Confidential Business Information.

-------
d.   "Computer Access Authorization" is special author-
ization issued, upon approval by the Assistant Administrator
for Toxic Substances, to an authorized person by the appro-
priate Assistant Administrator, Head of Staff Office,
Regional Administrator, or Laboratory Director for access to
computerized Confidential Business Information.

e.   "Computer Document Control Officer" is a document
control officer (DCO) within a computer facility responsible
for the security and control of TSCA Confidential Business
Information contained in the computer facility.

f.   "Confidential Business Information" is any information
in any form received by EPA from any person, firm, partner-
ship, corporation, association, or local, state, or Federal
agency, or foreign government, which contains trade secrets
or commercial or financial information, and which has been
claimed as confidential by the person submitting it and
which has not been determined to be non-confidential under
the procedures in 40 CFR Part 2.

g.   "Contractor or subcontractor" is any person, asso-
ciation, partnership, corporation, firm, educational in-
stitution, governmental body, or other entity performing
work for EPA under a contract or subcontract with EPA.

h.   "Contractor Document Control Officer" is a person
appointed by a contractor or subcontractor who is responsi-
ble for the security, control, and distribution of all TSCA
Confidential Business Information in the possession of the
contractor or subcontractor.

i.   "Document" is any recorded information regardless of
its physical form or characteristics, including, without
limitation, written or printed material; data processing
card decks, printouts, and tapes; maps, charts; paintings;
drawings; engravings; sketches; working notes and papers;
reproductions of such things by any means or process; and
sound,  voice or electronic recordings in any form.

j.   "Document Control Assistant (DCA)" is a person who is
responsible for assisting the Document Control Officer in
performing duties related to information processing, document
control and security.

k.   "Document Control Number" is the unique number assigned
by a Document Control Officer or through computer system
numbering to a document containing TSCA Confidential Business
Information.

-------
l.   "Document Control Officer (DCO)" is a person
designated, in accordance with Chapter II.2.a., to be
responsible for the security, control, and distribution
of all TSCA Confidential Business Information received
by him/her.

m.   "Employee" is any person employed by the Environ-
mental Protection Agency on a full time or part time
basis in accordance with the procedures of the Civil
Service Commission.  This definition does not include
contractors, grantees, or their employees.

n.   "Federal Agency" is any organization or entity
comprised of United States officers or employees except
for federal courts and Congress.

o.   "Information" is knowledge which can be communi-
cated by any means.

p.   "OTS Document Control Officer" is the person des-
ignated by the Assistant Administrator for Toxic Sub-
stances to be responsible for the security, control,
and distribution of all TSCA Confidential Business
Information received by him/her.

q.   "Secure Facility" is a building or portion of a
building which has been inspected and approved prior to
use by the Security and Inspection Division for handling
TSCA Confidential Business Information.

r.   "Secure Room" is a room approved prior to use by
the Security and Inspection Division for storage and/or
use of documents, electronic media, and microforms in
accordance with Chapter III.3.b.

s.   "Security Representative" is the authorized person
designated by the Regional Administrator or Laboratory
Director, and approved by the Security and Inspection
Division, to establish and maintain adequate safeguards
for the protection of personnel,  property, and data.
This individual is the liaison on all security matters
between SID and his/her region or laboratory.

t.   "Special Category TSCA Confidential Business Infor-
mation" is specific TSCA Confidential Business Infor-
mation as designated in Appendix X which may be dis-
closed only with the explicit authorization of the
Assistant Administrator for Toxic Substances.

-------
     u.    "Violation" is the failure to comply with any
     provision in these procedures, whether or not such
     failure leads to actual unauthorized disclosure of TSCA
     Confidential Business Information.

7.   Forms.   The forms required for the implementation of
these Procedures are as follows.

     a.    "Inventory Log" (Appendix I)
     b.    "User Copy Sign Out Log" (Appendix II)
     c.    "TSCA Confidential Business Information Cover
          Sheet" (Appendix III)
     d.    "Confidentiality Agreement For EPA Employees"
          (Appendix IV)
     e.    "Confidentiality Agreement For United States
          Employees Upon Termination or Transfer" (Appendix V)
     f.    "Request for Access to  TSCA Confidential Business
          Information" (Appendix  VI)
     g.    "TSCA Contractor Employee Confidentiality Agreement"
          (Appendix XIII)
     h.    "TSCA Federal non-EPA Employee Confidentiality
          Agreement" (Appendix XIV)
     i.    "EPA Contractor/Subcontractor Sign Out Log"
          (Appendix XV)
     j.    "Federal Agency, Congress,  and Federal Court
          Sign Out Log" (Appendix XVI)
     k.    "Loan Receipt for TSCA  Confidential Business
          Information" (Appendix  XVII)

-------
                         CHAPTER II
                      Responsibilities


1.   Assistant Administrator for Toxic Substances.  The
Assistant Administrator for Toxic Substances is responsible
for the overall implementation of these procedures.  Specifi-
cally, in addition to the responsibilities indicated in
Chapter II.2., he/she is responsible for the following:

     a.   Designating a Document Control Officer  (DCO)  for
     the Office of Toxic Substances (OTS), and, if neces-
     sary, Document Control Assistants (DCAs).

     b.   Approving DCOs and DCAs designated by those
     persons specified in Chapter II.2.,  including those re-
     quiring computer system access to TSCA Confidential
     Business Information.

     c.   Approving all EPA employees  identified by those
     persons specified in Chapter II.2. as requiring access
     to TSCA Confidential Business Information.

     d.   Approving all EPA contractors or subcontractors
     who will receive TSCA Confidential Business Information
     to perform work under the contract or subcontract.

     e.   Approving other Federal agencies for access to
     TSCA Confidential Business Information.

     f.   Approving the Computer Center Security Plan for any
     computer facility which will receive TSCA Confidential
     Business Information.

     g.   Approving ADP Application Security Plans prepared
     by software development managers.

     h.   Approving requests for access to Special Category
     TSCA Confidential Business Information.

2.   Assistant Administrators, Heads of Staff Offices,  Regional
Administrators, and Certain Laboratory Directors  (see Appen-
dix IX).  Assistant Administrators, Heads of Staff Offices,
Regional Administrators, and certain Laboratory Directors
(as designated in Appendix IX) are responsible for imple-
mentation of these procedures within their areas of respon-
sibility.  Specifically, their responsibilities include the
following:

-------
     a.   Designating DCOs and DCAs as needed.  The number
     of DCOs and DCAs shall be kept to a minimum and all
     designees are subject to approval of the Assistant
     Administrator for Toxic Substances and concurrence of
     the Security and Inspection Division.

     b.   Designating employees in their areas of responsi-
     bility for access to TSCA Confidential Business Infor-
     mation, subject to the approval of the Assistant Admin-
     istrator for Toxic Substances and concurrence of the
     Security and Inspection Division.

     c.   Obtaining a Confidentiality Agreement (Appendix
     IV) from all employees requiring access to TSCA Con-
     fidential Business Information.

     d.   Ensuring that authorized persons participate in
     training and education programs, as available, re-
     garding the security of TSCA Confidential Business
     Information.

     e.   Taking appropriate disciplinary action when any
     employee fails to comply with these procedures.

     f.   Approving all written requests for Confiden-
     tial Business Information which involve movement of
     documents from one EPA facility to another.

     g.   Designating contractors or subcontractors to have
     access to TSCA Confidential Business Information to
     perform work under a contract or subcontract, subject
     to the approval of the Assistant Administrator for
     Toxic Substances.

     h.   Designating DCOs,  DCAs, and authorized persons
     for Computer Access Authorization.

3.   OTS Document Control Officer.  The OTS DCO is respon-
sible for the control and security of all TSCA Confidential
Business Information received by OTS.  In addition to the
responsibilities listed in Chapter II.4., his/her responsibilities
include the following:

     a.   Maintaining a current list of DCOs and DCAs
     throughout EPA and furnishing copies to all DCOs.

     b.   Maintaining a current list of DCOs and DCAs
     with computer access authorization.

     c.   Maintaining a current list of authorized persons
     throughout EPA.

-------
     d.   Coordinating an annual EPA-wide inventory of all
     Confidential Business Information documents.

     e.   Furnishing other DCOs with a list of authorized
     persons in their area of responsibility.

     f.   Furnishing TSCA Confidential Business Information
     through the appropriate project officer to EPA contrac-
     tors and subcontractors authorized to receive the
     information by the Assistant Administrator for Toxic
     Substances.

     g.   Furnishing TSCA Confidential Business Information
     to other Federal agencies authorized to receive the information
     by the Assistant Administrator for Toxic Substances.

     h.   Interpreting and/or clarifying these procedures as
     needed to facilitate their implementation.

     i.   Serving as a consultant to all other DCOs re-
     garding these Procedures and any other matters relating
     to security of Confidential Business Information.

4.   All Document Control Officers.  All DCOs are  responsi-
ble for the control and security of TSCA Confidential
Business Information received by them.  Specifically, their
responsibilities include the following.

     a.   Logging of all TSCA Confidential Business Informa-
     tion received, both incoming and outgoing, including
     computer generated printouts.

     b.   Assigning a document control number, attaching a
     cover sheet, and stamping the first page  (see Chapter
     III.3.) of all TSCA Confidential Business Information
     documents which do not already have them.

     c.   Keeping on file a list furnished by the  OTS DCO of
     authorized persons in their area of responsibility, and
     DCOs and DCAs throughout EPA.

     d.   Releasing Confidential Business Information to
     authorized persons only.

     e.   Ensuring that authorized persons who need to
     retain TSCA Confidential Business Information overnight
     have proper storage capability prior to release of such
     information.

     f.   Maintaining a system for retrieval of documents.

-------
     g.   Maintaining a system to ensure that any TSCA Con-
     fidential Business Information transmitted to other
     offices is received.

     h.   Authorizing and supervising the reproduction and
     destruction of TSCA Confidential Business Information.

     i.   Providing document control and handling services
     to those EPA components without a DCO.

     j.   Conducting an annual inventory of all Confidential
     Business Information documents in their area of respon-
     sibility and furnishing the results to the OTS DCO.

     k.   Directing DCAs in their area of responsibility.

     l.   Furnishing TSCA Confidential Business Information
     to other Federal agencies and contractors when authorized
     by the Assistant Administrator for Toxic Substances.

5.   Document Control Officers (and DCAs) Approved for Com-
puter Access.  In addition to the responsibilities listed in
Chapter II.4., DCOs and DCAs approved for computer access
are responsible for preparing inputs to, and receiving out-
puts from, authorized computer facilities.   Specifically,
their responsibilities include the following:

     a.   Keeping confidential their computer access keys
     and passwords and changing them frequently.

     b.   Ensuring that TSCA Confidential Business Informa-
     tion is transmitted to authorized computer facilities
     only, and that use of the facility is  in accordance
     with any restrictions placed on that use by the Assis-
     tant Administrator for Toxic Substances or his/her
     designee.

6.   Computer DCOs.  In addition to the responsibilities
listed in Chapter II.4., computer DCOs are responsible for
the security of all TSCA Confidential Business Information
contained within the computer facility.  Specifically, their
responsibilities include the following:

     a.   Maintaining a system to ensure that physical and
     electronic access to TSCA Confidential Business Infor-
     mation contained in the facility is restricted to
     authorized computer support personnel  internal to the
     facility, and to authorized DCOs and DCAs external to
     the facility.

     b.   Ensuring that the TSCA security requirements
     specified in Chapter IV (for EPA computer centers) or
     Chapter V (for contractor computer centers) are satis-
     fied by the computer facility.

-------
     c.   Notifying the Assistant Administrator for Toxic
     Substances, or his designee, and the Security and Inspection
     Division of any violations of Chapter IV or
     V requirements including any discovered incident
     involving unauthorized disclosure, modification, or
     destruction of user data or programs associated with
     confidential business information.

7.   Document Control Assistants.  DCAs are responsible for
performing the duties listed in Chapter II.4., as assigned
by the DCO to whom they report.  In the absence of the DCO,
the DCA may act for him/her in routine matters.  Difficult,
unusual, or non-routine questions or situations should be
referred to the DCO.

8.   Employees.  Employees are responsible for the control
and security of all TSCA Confidential Business Information
received by them.  Specifically, their responsibilities
include the following:

     a.   Discussing TSCA Confidential Business Information
     only with authorized persons.

     b.   Safeguarding Confidential Business Information
     when in actual use as specified in Chapter III.3.c.

     c.   Storing TSCA Confidential Business Information as
     specified in Chapter III.3.b. of this Procedure when
     not in use and at close of business.

     d.   Safeguarding combinations to locks, safes, and
     rooms that secure Confidential Business Information.

     e.   Reporting immediately possible violations of TSCA
     or of these Procedures to the Security and Inspection
     Division.  This is pursuant to EPA Order 3120.1A on the
     reporting of allegations of a Federal criminal vio-
     lation or impropriety.

     f.   Not reproducing TSCA Confidential Business Infor-
     mation documents.  Copies must be obtained through the
     DCO.

     g.   Not discussing TSCA Confidential Business Infor-
     mation over the telephone except upon approval of an
     Assistant Administrator, Regional Administrator, Labor-
     atory Director, or Head of Staff Office.

     h.   Employees with computer access authorization
     are responsible for keeping confidential their computer
     access keys and passwords and changing them frequently,
     and for using the computer facility in accordance
     with any restrictions placed on that use by the Assis-
     tant Administrator for Toxic Substances.


-------
9.    Director of the Security and Inspection Division.   The
Director of the Security and Inspection Division (SID)  is
responsible for assisting OTS and other affected agency
offices in implementing these procedures.   Specifically,
his/her responsibilities include the following:

     a.   Ensuring that appropriate investigations on em-
     ployees are conducted.

     b.   Maintaining a current list of all DCOs,  DCAs, and
     authorized persons throughout EPA.

     c.   Maintaining a file of signed Confidentiality
     Agreements for all authorized persons throughout EPA.

     d.   Conducting periodic physical security surveys to
     ensure compliance with these Procedures.

     e.   With the assistance of the Management Information
     and Data Systems Division, conducting inspections  of
     computer facilities to ensure compliance with TSCA
     security performance requirements.

     f.   Investigating cases of any alleged or actual
     wrongful disclosure of Confidential Business  Infor-
     mation, referring the case to the Department  of Justice
     when appropriate, and furnishing the  results  of the
     investigation to the appropriate official(s).

     g.   Investigating cases of violations of these proce-
     dures where no wrongful disclosure of Confidential
     Business Information is evident and furnishing the
     results to the appropriate Assistant  Administrator,
     Head of Staff Office, Regional Administrator,  or Lab-
     oratory Director for remedial and/or  disciplinary
     action.

     h.   Administering, witnessing, and keeping on file the
     Confidentiality Agreement For United  States Employees
     Upon Termination or Transfer for employees who have had
     access to Confidential Business Information and are
     transferring or terminating.

     i.   Conducting inspections of contractor or  subcon-
     tractor facilities at the request of  the Assistant
     Administrator for Toxic Substances or the Director of
     the Contracts Management Division.

     j.   Conducting reviews of security procedures at  other
     Federal agencies and physical inspections of  their
     security facilities at the request of the Assistant
     Administrator for Toxic Substances.

-------
     k.   Investigating cases of suspected violations of
     contract or subcontract security procedures set forth
     in Chapter V of these Procedures.

     l.   Investigating cases of suspected violations of
     security provisions of interagency agreements developed
     under Chapter VI of these Procedures at the request of
     the Assistant Administrator for Toxic Substances.

10.  Contracts Management Division.  The Director, Contracts
Management Division  (CMD), Cincinnati;  the Director, CMD,
Research Triangle Park; and the Chief,  Headquarters Contract
Operations, under the overall supervision of the Director of
the Contracts Management Division, are responsible for admin-
istering procurement actions, contracts, and subcontracts
under which TSCA Confidential Business Information is or
will be furnished to a contractor or subcontractor to
perform specific work under a contract or subcontract.
Specifically, their responsibilities include the following:

     a.   Ensuring that the proper contract clauses reques-
     ted by a specific program office are included in any
     contract or subcontract as specified in Chapter V.

     b.   Ensuring that the proper provisions are included
     in any Request for Proposals for a contract or subcon-
     tract that will permit contractor or subcontractor
     access to TSCA Confidential Business Information as
     specified in Chapter V.

     c.   Reporting any alleged violations of the contract
     or subcontract security provisions to the Security and
     Inspection Division.

11.  Director Management Information and Data Systems Division.
The Director of the Management Information and Data Systems
Division (MIDSD) is responsible for:

     a.   Reviewing Computer Center Security Plans as specified
     in Chapter IV.1.b. and recommending approval or
     disapproval to the Assistant Administrator for Toxic
     Substances.

     b.   Reviewing ADP application security plans as speci-
     fied in Chapter IV.2.c. and recommending approval or
     disapproval to the Assistant Administrator for Toxic
     Substances.

     c.   Assisting the Security and Inspection Division in
     conducting inspections of computer facilities for com-
     pliance with security requirements.

12.  Security Representatives.  Security Representatives are
responsible for:


-------
a.   Assisting their regions and laboratories in es-
tablishing and maintaining the safeguards as prescribed
by these procedures.

b.   Referring all allegations of wrongful disclosures
immediately to the Security and Inspection Division in
accordance with Chapter II.8.e. of these Procedures.

c.   Assisting the Security and Inspection Division
with any other security matters in their facility, as
directed.

d.   Administering, witnessing, and forwarding to SID
the Confidentiality Agreement for United States Employees
Upon Termination or Transfer for employees who have had
access to Confidential Business Information and are
transferring or terminating.

-------
                         CHAPTER III
                         Procedures
1.    Authorization for Access to TSCA Confidential Business
Information.

     a.   Initiating Requests.   Assistant Administrators,
     Heads of Staff Offices,  Regional Administrators and
     Laboratory Directors shall initiate requests for any  of
     their employees to be placed on the authorized access
     list for TSCA Confidential Business Information.  This
     shall be done by (1) completing Part I of Appendix VI
     (Request for Access to TSCA Confidential Business Information);
     (2) obtaining from the employee a signed
     Confidentiality Agreement; and (3) transmitting both  to
     the Assistant Administrator for Toxic Substances.

     b.   Approving Operational Needs.  The Assistant Ad-
     ministrator for Toxic Substances will approve or dis-
     approve the request on the basis of operational need  by
     completing Part II of Appendix VI.  He may limit or
     circumscribe such access in any way he deems appro-
     priate.   If approved, the form will be sent to the
     Chief, Security Branch,  Security and Inspection Divi-
     sion (SID).

     c.   Investigation.  All employees authorized for
     access to Confidential Business Information must have,
     at a minimum, a National Agency Check and Inquiries
     (NACI) prior to such access, unless a waiver is appro-
     ved (see paragraph  (d)  below).  Employees such as DCOs,
     DCAs, and others designated by the Assistant Adminis-
     trator for Toxic Substances who require full and
     continuous access to Confidential Business Information
     must have a full background investigation prior to
     access.   SID will verify that (1) an appropriate in-
     vestigation has been conducted, and (2) there is nothing
     of record to preclude access to TSCA Confidential
     Business Information.  If these two conditions are met,
     the Chief, Security Branch, or his/her designee, will
     complete Part III of Appendix VI.  Upon this action by
     the Chief of the Security Branch, the employee becomes
     an authorized person and the OTS DCO will place his/her
     name on the authorized access list.  The OTS DCO will
     furnish each DCO with a list of authorized persons
     within his/her area of responsibility.

     d.   Waivers.  If the appropriate investigation has not
     been completed and there is an urgent need for an
     employee to have access, the Assistant Administrator
     for Toxic Substances may request a waiver from SID.
     SID will initiate an NACI or full field investigation,
     as appropriate, and concurrently obtain a name check
     from the FBI and Civil Service Commission.  If the name
     checks reveal nothing of record to preclude access, the
     employee will be placed on the authorized access list.

2.    Procedures for Gaining Access to TSCA Confidential
Business Information.

     a.   The procedure for obtaining documents containing
     TSCA Confidential Business Information, except for
     Special Category TSCA Confidential Business Informa-
     tion, is as follows:

          (1)   The authorized person will request the docu-
          ment from the appropriate DCO.

          (2)   The DCO will verify that the requestor is on
          the authorized access list.

          (3)   The DCO will obtain the document from (a)
          local secure storage, (b)  the OTS DCO, or (c)  an
          authorized computer facility and make a copy of
          it.   The original shall remain with the DCO.

          (4)   If the requestor has storage capability as
          described in Chapter III.3.b.1., he/she may check
          the document out for a maximum of 30 days.  Other-
          wise, the document must be returned to the DCO by
          close of business that same day.

          (5)   The DCO will enter the appropriate informa-
          tion in the User Copy Sign Out Log and will assure
          that the copy has a document control number,  a
          cover sheet, and a TSCA Confidential Business In-
          formation stamp.

     b.   The procedure for obtaining documents containing
     Special Category TSCA Confidential Business Information
     is as follows:

          (1)   The authorized person will request the docu-
          ments from the appropriate DCO.  The request must
          be in writing and must identify the specific need
          for which the person requires access to the Spe-
          cial Category TSCA Confidential Business Informa-
          tion.

          (2)   The DCO will refer the request to the Assis-
          tant Administrator for Toxic Substances.

          (3)   The Assistant Administrator for Toxic Sub-
          stances will decide whether the specific need
          stated for access to Special Category TSCA Con-
          fidential Business Information justifies access.
          If the Assistant Administrator for Toxic Sub-
          stances decides to authorize access, he may place
          conditions upon that access.

          (4)   The Assistant Administrator for Toxic Sub-
          stances will notify the DCO of the decision and of
          any conditions to be placed upon the access.

          (5)   After receiving authorization from the Assis-
          tant Administrator for Toxic Substances, the DCO
          will follow the procedures set forth in paragraph
          2.a. of this chapter.

3.    Procedures for Handling TSCA Confidential Business
Information.

     a.    Receipt.  Upon receipt of documents, including
     computer generated printouts, containing TSCA Confi-
     dential Business Information, the Document Control
     Officer shall:

          (1)   Assign a Document Control Number to any
          document that does not already have one.

          (2)   Stamp the first page of each document with
          the Confidential Business Information stamp if it
          has not already been stamped.

          (3)   Attach a TSCA Confidential Business Informa-
          tion Cover Sheet to any document that does not
          already have one; and

          (4)   Enter all TSCA Confidential Business Information
          received into the Inventory Log (Appendix I).

          Such a document will be considered the original.
     When an authorized person wishes to gain access to the
     document, the procedures in Chapter III.2.a. shall be
     followed.

     b.    Storage.

          (1)   When not in use and at close of business, TSCA
          Confidential Business Information must be stored,
          at a minimum, within a metal cabinet with a bar
          and 3-way changeable combination padlock approved
          by SID.

     (2) When warranted by the volume of Confidential
     Business Information, Central Document Storage
     rooms may be authorized by the Assistant Admin-
     istrator for Toxic Substances provided they are
     approved, prior to use, by the Security and In-
     spection Division.  These rooms must include com-
     bination locked doors and may include one or more
     of the following, depending upon the location,
     construction and configuration of the room.

          (a)  Contact alarmed doors/windows
          (b)  Ultrasonic alarm
          (c)  Vibration alarms
          (d)  Other remote intrusion alarms

     (3)  Combinations to cabinets and/or rooms where
     Confidential Business Information is stored may be
     issued only to authorized persons. Combinations
     must be changed once each year or every time a
     person who knows a combination terminates or
     transfers, whichever comes first.

c.   Safeguards During Use.  Confidential Business
Information, when in actual use by an authorized per-
son, shall be protected as follows:

     (1)  Kept under the constant surveillance of an
     authorized person, who is in a physical position
     to exercise direct security controls over the
     material.

     (2)  Covered, turned face down, placed in storage
     containers, or otherwise protected, when unauthor-
     ized persons are present.

     (3)  Returned to approved storage containers when
     not in use and at close of business.

     (4)  Discussed only with other authorized persons.

     (5)  Within a division one authorized person may
     transfer custody of a confidential business infor-
     mation document to another authorized person,
     provided the Loan Receipt for TSCA Confidential
     Business Information (Appendix XVII) is used.  A
     copy of the Receipt Form shall be furnished to the
     DCO.   The secondary recipient shall also sign the
     Cover Sheet.

d.   Transmission.

     (1)  External

          (a)  Requests for TSCA Confidential Business
          Information which require the transmission of
     documents from one EPA facility to another,
     or to persons or parties outside EPA,  must
     be in writing and signed by the appropriate
     official (see Chapter II, paragraphs 1  and
     2.f.).

     (b)   TSCA Confidential Business Information
     must be transmitted by Registered Mail,
     return receipt requested, in a double  envel-
     ope.  The inner envelope must reflect  the
     address of the recipient with the following
     additional wording on the front side of  the
     inner envelope:  "Confidential Business
     Information To Be Opened By Addressee
     Only."  The outer envelope must reflect the
     normal address without the additional  wording.

     (c)   When TSCA Confidential Business Infor-
     mation is transmitted electronically through
     communications lines, such lines must  be pro-
     tected in accordance with the National Bureau
     of Standards' Data Encryption Standards.
     Such encryption is not required for hard-
     wired connections within a secure facility.

     (d)   Authorized persons may handcarry  TSCA
     Confidential Business Information to other
     EPA facilities or to persons or parties  out-
     side EPA, providing the dispatching Document
     Control Officer maintains a record and obtains
     a receipt from the person receiving the
     information.  Information being handcarried
     should be packaged as described in Chapter
     III.3.d.1.(b).

     (e)  Any terminal or printer used to read or
     print Confidential Business Information must
     be located in a secure room, and used  for
     this purpose only by a person with computer
     access authorization.

(2)  Internal.  Within an EPA installation, TSCA
Confidential Business Information shall be  hand-
delivered only, by one authorized person to another.
At no time shall Confidential Business Information
be transmitted through inter-office mailing channels.

e.    Reproduction.  TSCA Confidential Business Infor-
mation may not be reproduced except upon approval by
and under the supervision of a DCO or DCA.  Any repro-
duction should be kept to an absolute minimum.  The DCO
or DCA shall enter all copies into the document control
system and apply the same control requirements as for
the original.

f.    Destruction.  TSCA Confidential Business Informa-
tion documents may not be destroyed except upon appro-
val by and under the supervision of a Document Control
Officer. Printed material shall be destroyed by shred-
ding or burning and the Document Control Officer shall
remove and retain the Cover Sheet for one year.  Micro-
graphic material shall be chemically destroyed.  Infor-
mation stored on magnetic material shall be destroyed
by degaussing. The DCO shall keep a record of the
destruction in the Inventory Log for originals, and
in the User Copy Sign Out Log for copies.

g.    Meetings.  For any meeting, symposium, panel dis-
cussion, or seminar at which Confidential Business
Information will be discussed, the meeting chairperson
shall:

      (1)  Provide a sign-in sheet, including the date,
     time, place and subject of the meeting and require
     all attendees to sign it and record their EPA
     identification badge number.  The chairperson shall
     give the sign-in sheet to the appropriate Document
     Control Officer who will retain it for one year.

      (2)  The chairperson shall ensure that only
     authorized persons are present and shall announce
     that Confidential Business Information is to
     be discussed.

      (3)  Review with the attendees their responsi-
     bility for safeguarding Confidential Business
     Information in any and all forms, including, but
     not limited to, any notes taken, and any
     subsequent discussions.

      (4)  Ensure that no recording is made of the
     meeting unless he/she has authorized it.  If authorized,
     the recording must be treated as all other
     Confidential Business Information and entered into
     the document control system.

     (5)  Ensure that the meeting room is secured after
     the meeting.  This shall include erasing all
     blackboards, destroying all tear sheets and other
     notes and ensuring that nothing is left in the
     room which could lead to the unauthorized dis-
     closure of Confidential Business Information.

h.   Generation of Confidential Business Information
Documents.  When a document is generated from extracts
of Confidential Business Information documents (except
notes covered in paragraph (i)) ,  the newly generated
document shall be:

     (1)  Identified with a TSCA Confidential Business
     Information stamp with a notation "CBI extracts
     from document # ____, dated ____."

     (2)  Entered into the document control system and
     safeguarded as all other TSCA Confidential Busi-
     ness Information.

i.    Notes containing Confidential Business Information.
When notes containing Confidential Business Information
are taken from a document, a meeting, or any other
source, the notes must be protected as Confidential
Business Information.  If the notes are to be cir-
culated to other authorized persons, they shall be
entered into the document control system. Any document
generated from the notes shall be treated as in Chapter

j.    Retirement of documents.  When Confidential Business
Information documents are to be retired for
legal, historical or reference purposes, they shall be
shipped to the Federal Records Center in accordance
with the procedures in the EPA Records Management
Manual.

k.    Retention of Logs.  All logs maintained under
these procedures shall be retained for at least ten
years.

l.    Lost or Unaccounted for Documents.  If any employee
becomes aware that a TSCA Confidential Business Informa-
tion document is lost or otherwise unaccounted for, he/she
shall immediately notify the appropriate local DCO who
shall notify the OTS DCO.  If the document is not located
within a reasonable time, the matter shall be referred to
SID.

-------
                         CHAPTER IV
                  Security Requirements for
                    EPA Computer Centers


1.   General.  Whether the source of TSCA computer support
is an EPA facility dedicated to Confidential Business In-
formation processing, or a shared EPA facility, the facility
shall meet basic requirements for the protection of Confi-
dential Business Information maintained and processed on
that system.  Due to the more complex security situation in
a shared environment, there are additional requirements
specified below for shared facilities.  Requirements apply-
ing to shared facilities only are so identified.

     a.   Basic Security Requirement.  The system must provide
     a level of security adequate to protect Confidential
     Business Information being processed from unauthorized
     access by users and other persons having access
     to the facility.

     b.   Computer Center Security Plan.  The Computer DCO
     shall develop, maintain, and perform periodic audits
     against a plan containing a comprehensive set of docu-
     mented data security standards and procedures.  This
     plan must include provisions for periodic risk analyses,
     provisions for obtaining confidentiality agreements
     from all contractor or subcontractor personnel working
     for the facility such as equipment maintenance con-
     tractors, and provisions to meet all requirements
     specified below.  This security plan shall be subject
     to approval by the Assistant Administrator for Toxic
     Substances or his/her designee and shall be available
     to EPA auditors as required.

2.   Hardware and Software Characteristics.

     a.   Hardware.  The computer hardware supporting the
     system shall be capable of maintaining isolation
     between authorized and non-authorized user tasks, and
     shall prevent normal users from executing instructions
     reserved for the operating system only which could
     jeopardize security (shared facility only).

          Since a well-designed system of software, as
     specified below, can adequately compensate for many
     desirable hardware features, no further hardware
     requirements are specified.

     b.   Software System Design.  The operating system
     software shall have data security as one of its primary
design requirements.  This operating system shall
provide mechanisms to implement the following prin-
ciples.

Note:  Software system design requirements (1) and (2)
are essentially identical to the hardware requirements
specified in (a) above, and may substitute for the
hardware requirement if proven effective.

     (1)  User/Task Isolation.  Separate users or tasks
     operating concurrently in the system shall be
     totally isolated from one another (shared facility
     only).

     (2) Control of Interfaces and Security Sensitive
     Work Spaces.   Operating system interfaces shall
     prevent users from gaining access to instructions
     or data reserved for the operating system which
     could jeopardize security. The operating system
     shall not use user-accessible work areas for
     passwords or other security sensitive data unless
     such areas are cleared before control is returned
     to the user  (shared facility only).

     (3)  Audit Trails.  The system shall provide ex-
     tensive auditing data to record significant system
     activities that are of a security concern, such as
     logon attempts, file accesses, and program execu-
     tion.   The system shall provide to EPA a list of
     all attempts to access EPA data files and/or
     programs by unauthorized users.

     (4)  User Identification and Authorization.
     There shall be mechanisms in the operating system
     to identify individual users of the system and to
     specify the system resources to which the user is
     authorized access.

c.   Applications Software Management.  Any employee
responsible for developing software which will process
TSCA Confidential Business Information is required to
prepare an ADP Application Security Plan.  This plan
shall describe the components of the system or subsys-
tems that may be accessible by authorized DCOs and DCAs
including computer programs, inputs, outputs, and data
bases.  The Security Plan shall also state how this
security is to be enforced, and, in particular, how
unauthorized modifications to the programs will be
prohibited.   The plan must also address controls to
ensure data integrity and systems assurance, including
audit trails.  The Plan must be reviewed and approved
by the Assistant Administrator for Toxic Substances or
his/her designee, the Director of the Management Infor-
mation and Data Systems Division, and the Director of
the Security and Inspection Division.  The program
instituted must be periodically reviewed for effective-
ness and shall be subject to periodic audit.

d.   File-Catalog Structure.  The operating system
shall provide a file cataloging mechanism that permits
isolation of one user's files from another's.  It shall
not be possible for one user to access another's files
simply by having knowledge of the file name and account
number.

e.  File Access Control/Permission Mechanism.  The
operating system shall provide for file sharing through
a specific permission mechanism capable of the follow-
ing:

     (1)   Specific User Permissions.  It shall be
     possible to give selected users access to a par-
     ticular file without giving all users access to
     the file (shared facility only).

     (2)   Access Type Control.  It shall be possible
     for a file owner to restrict the type of access to
     a file.  Two minimum categories must be supported:

          -- Read Only Access
          -- Read/Write Access.

     Additionally, it is highly desirable that it be
     possible to restrict access to program files on an
     execute only (i.e., no read)  basis, and to restrict
     "control" access to files (i.e., scratching or
     renaming the file).
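
The following Python sketch is an added illustration, not part of the manual or of any EPA system. It models requirements 2.b.(3), 2.d., and 2.e. together: access is decided from the caller's identity and an owner-issued grant (never from knowledge of the account and file name alone), grants distinguish read-only from read/write, and every attempt is written to an audit trail from which the list of unauthorized attempts is produced. The user ids, account, and file name are constructed sample values.

```python
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    READ = "read"
    WRITE = "write"


# Grant levels named after the two minimum categories in 2.e.(2).
READ_ONLY = frozenset({Access.READ})
READ_WRITE = frozenset({Access.READ, Access.WRITE})


@dataclass
class CatalogEntry:
    owner: str
    grants: dict = field(default_factory=dict)  # user id -> READ_ONLY or READ_WRITE


@dataclass(frozen=True)
class AuditRecord:
    seq: int
    user: str
    account: str
    filename: str
    access: Access
    allowed: bool
    reason: str


class FileCatalog:
    """File catalog with per-user permissions and an append-only audit trail."""

    def __init__(self):
        self._entries = {}  # (account, filename) -> CatalogEntry
        self.audit = []     # one AuditRecord per access attempt

    def create(self, owner, account, filename):
        self._entries[(account, filename)] = CatalogEntry(owner=owner)

    def grant(self, owner, account, filename, user, level):
        """Only the file owner may give a selected user access (2.e.(1))."""
        entry = self._entries[(account, filename)]
        if entry.owner != owner:
            raise PermissionError("only the file owner may grant access")
        entry.grants[user] = level

    def request(self, user, account, filename, access):
        """Decide one access attempt and record it, allowed or not (2.b.(3))."""
        entry = self._entries.get((account, filename))
        if entry is None:
            allowed, reason = False, "no such file"
        elif user == entry.owner:
            allowed, reason = True, "owner"
        elif access in entry.grants.get(user, frozenset()):
            allowed, reason = True, "explicit grant"
        elif user in entry.grants:
            # Granted user asking for more than the grant, e.g. write on read-only.
            allowed, reason = False, "access type not granted"
        else:
            # Knowing the account and file name is not sufficient (2.d.).
            allowed, reason = False, "no permission for this user"
        self.audit.append(AuditRecord(len(self.audit) + 1, user, account,
                                      filename, access, allowed, reason))
        # The caller only learns allowed/denied; the reason stays in the audit trail.
        return allowed

    def unauthorized_attempts(self):
        """The list of denied attempts that the system must be able to provide."""
        return [r for r in self.audit if not r.allowed]


def demo():
    # Constructed sample data: one file owned by a DCO, read-only grant to a DCA.
    cat = FileCatalog()
    cat.create("dco_smith", "OTS01", "PMN.MASTER")
    cat.grant("dco_smith", "OTS01", "PMN.MASTER", "dca_jones", READ_ONLY)
    results = [
        cat.request("dco_smith", "OTS01", "PMN.MASTER", Access.WRITE),  # owner
        cat.request("dca_jones", "OTS01", "PMN.MASTER", Access.READ),   # within grant
        cat.request("dca_jones", "OTS01", "PMN.MASTER", Access.WRITE),  # exceeds grant
        cat.request("user_lee", "OTS01", "PMN.MASTER", Access.READ),    # knows name only
    ]
    return results, cat.unauthorized_attempts()


if __name__ == "__main__":
    results, denied = demo()
    print("decisions:", results)
    for rec in denied:
        print(rec.seq, rec.user, rec.account, rec.filename, rec.access.value, rec.reason)
```
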

f.   User Features.   In order to enable user flexi-
bility in adding security features to applications, the
system should provide a range of optional protection
features, including the following:

     (1)  Password Change Capability.  Individual users
     (DCOs and DCAs  authorized for computer access)
     should have the capability to change their own
     logon and file  access passwords.

     (2)   File Encryption.  The system should provide
     an encryption routine that may be employed to
     encipher and decipher disk or tape files.

          (3)  Idle Terminal Disconnect.  The system should
          provide a mechanism to automatically disconnect a
          user terminal after a fixed period of no activity.
          If the terminal is a CRT type, then the system
          should clear the screen before the automatic dis-
          connect.

     g.   Communications Facilities.  The communications
     network shall be adequately protected against inten-
     tional or accidental misrouting of data traffic.  Line
     protocol and concentrator-modem interfaces shall be
     designed to detect and protect against anomalous events
     (such as spurious data or line disconnects)  that might
     otherwise cause misrouting or loss of data.

          Communications equipment (modems, multiplexors,
     concentrators, etc.)  shall be located in non-public
     areas accessible only to authorized personnel.

          Refer to Chapter III.3.d. for transmission
     requirements.

3.   Media Handling.  There shall exist policies and
procedures in the Security Plans (Chapter IV.2.c. and IV.1.b.)
to fully control access to and handling of various data
media used in processing Confidential Business Information
including magnetic tape, disk packs, printed output, cards,
micrographic output, and other such media.

     a.   Media Labelling.  Media shall be labeled only with
     such information as is necessary for retrieval and
     media management (shared facility only).

     b.   Separation of Storage Facilities.  Storage areas
     for various media, including mountable volumes, should
     be separate from the machine operations areas  (shared
     facility only).

     c.   Transmittal of Media.   Input and output media
     shall be transmitted only between the Computer DCO and
     the appropriate program area DCO. In no case shall
     input media be accepted from or delivered to a third
     party.   Positive user identification procedures must be
     in effect.  Detailed logs of all media transmitted to
     and from the computer facility shall be maintained.

     d.   Disposal of Media.  When authorized in  writing by
     a DCO,  media shall be disposed of by the Computer DCO
     in a manner which will prevent any disclosure of data
     to outside parties.

4.   Facility Protection.  All necessary steps shall be
taken to protect facilities, equipment, and the data they
contain from inadvertent or intentional access, damage, or
destruction.

     a.   Access Control.  The computer DCO shall enforce a
     policy of permitting no unescorted visitors to computer
     operations areas or to areas where sensitive data is
     handled.  Only personnel having an ongoing need shall
     be authorized unescorted access to such areas.

     b.   Personnel Identification.  A system of positive
     personnel identification (e.g., photo identification
     badges) shall be in effect for all personnel permitted
     access to operations and data handling areas.

     c.   Facility Security System.  Any computer facility
     processing confidential business information shall have
     in place prior to receiving such data an adequate
     facility or building security system to protect the
     equipment and data approved by the Security and Inspec-
     tion Division.

     d.   Hazard Protection.  Computer and communications
     facilities shall be protected by automatic hazard
     detection and suppression equipment approved by the
     Security and Inspection Division.  Protection systems
     shall be inspected and tested regularly.  Personnel
     shall be trained in emergency procedures and the use of
     hazard protection equipment.

5.   Backup and Recovery Capability.  There shall be docu-
mented procedures to ensure adequate backup and recovery
capability in the event of loss of data or processing capa-
bility through accident or disaster.  These procedures should
include a provision for periodic testing of the backup and
recovery capabilities.

     a.   File Backup.  All files resident on the system
     shall be copied to backup media on a regular basis.

     b.   Off-Site Storage.  A complement of backup files
     that will enable recovery to the previous end-of-week
     position in the event of a major disaster resulting in
     loss of on-site copies shall be stored off-site.  An
     off-site storage facility is defined as one that is so
     located that it is highly unlikely to be affected by a
     major disaster (fire, explosion, etc.) striking the
     main facility.  Off-site storage shall be as secure as
     that at the primary location of data and shall be
     approved by SID.



-------
                          CHAPTER V
                  Security Requirements for
               Contractors and Subcontractors


1.   Purpose.   The purpose of this chapter is to set forth
the circumstances and procedures under which TSCA Confiden-
tial Business Information may be furnished by EPA to a
contractor or subcontractor to perform work under an EPA
contract or subcontract.

2.   Policy.

     a.    General.  EPA policy is to furnish TSCA Confiden-
     tial Business Information to EPA contractors or sub-
     contractors when such information is necessary for the
     performance of the work specified in the contract or
     subcontract.  Disclosures to contractors or subcontrac-
     tors will be made only when the procedures in 40 CFR
     Part 2  have been followed, when the contract or sub-
     contract contains the required clauses, and when the
     appropriate procedures set forth in this section have
     been followed.

     b.    Treatment of Violations.  If a contractor or sub-
     contractor violates  the terms of a contract or subcon-
     tract obligating it to protect TSCA Confidential Busi-
     ness Information, EPA will investigate the violations,
     pursue the appropriate remedies under this section and
     40  CFR Part 2, and,  when appropriate, in cases of
     unauthorized disclosure of information, notify any
     affected business so that it too may pursue remedies as
     set forth in the contract or subcontract.

3.   Procedures for Solicitation and Award of a Contract that
will Require Access to TSCA Confidential Business Information
(see Chapter V.5. for special rules regarding contractor
computer use).

     a.    Initiation of Request for Contract or Subcontract.
     When an EPA program office decides to initiate a
     request for a contract or subcontract for which the
     office anticipates that the contractor or subcontractor
     will require access to TSCA Confidential Business
     Information to perform the work, the appropriate
     Assistant Administrator, Head of Staff Office, Regional
     Administrator, or Laboratory Director must request
     approval for such access from the Assistant Administra-
     tor for Toxic Substances.  If the access would be to
     Special Category TSCA Confidential Business Informa-
     tion, the request must specify the need for such access.

     b.    Approval of Assistant Administrator for Toxic
     Substances.   Upon receipt of a request from an Assis-
     tant Administrator, Head of Staff Office, Regional
     Administrator, or Laboratory Director, the Assistant
     Administrator for Toxic Substances shall approve or
     disapprove the request and notify the person making the
     request of the decision.  In the case of Special Cate-
     gory TSCA Confidential Business Information, the Assis-
     tant Administrator for Toxic Substances may impose any
     conditions he deems appropriate.

     c.    Preparation of Request for Proposals.  The office
     requesting the procurement, after the Assistant Admin-
     istrator for Toxic Substances has approved, shall notify
     the Contracts Management Division (CMD) that the Request for
     Proposals must include the provisions set forth in
     Appendices VII and VIII.  CMD shall include the provi-
     sions in the Request for Proposals.

     d.    Evaluation of Offerers.  In evaluating the pro-
     posals submitted by the offerers responding to the
     Request for Proposals, CMD and the program office shall
     consider any potential organizational conflicts of in-
     terests that might preclude handling of TSCA Confiden-
     tial Business Information by the offeror.  They shall
     also consider the offerer's past performance on similar
     contracts or subcontracts that involved the handling of
     confidential business information or other information
     of a sensitive nature such as national defense informa-
     tion or privacy information.

     e.    Contract or Subcontract Clauses.  Any contract or
     subcontract involving contractor or subcontractor use
     of TSCA Confidential Business Information shall include
     the clauses entitled "Treatment of Confidential Business
     Information" and "Security Requirements for Handling
     Confidential Business Information" included in
     Appendices VII and VIII.

4.    Procedures for Modification of Existing Contracts or
Subcontracts, to Permit Contractor or Subcontractor Access
to TSCA Confidential Business Information (see Chapter V.5.
for special rules regarding contractor computer use).   When
a contract or subcontract is already in effect and an EPA
program office determines that it will be necessary to
furnish TSCA Confidential Business Information to
the contractor or subcontractor in order to perform the work
required, the following procedures will be followed:

     a.    Initiation of Request for Modification.   The ap-
     propriate Assistant Administrator,  Head of Staff Of-
     fice,  Regional Administrator,  or Laboratory Director
     must request the approval of the Assistant Adminis-
     trator for Toxic Substances for the proposed  modifi-
     cation of the contract or subcontract to include use
     of  TSCA Confidential Business  Information.  If the
     access would be to Special Category TSCA Confidential
     Business Information, the request must specify the need
     for such access.

     b.    Approval by Assistant Administrator for  Toxic
     Substances.   (See 3.b. above.)

     c.    Review of Contractor or Subcontractor Past
     Performance.  CMD and the program office shall consider
     any potential organizational conflicts of interest
     that might preclude handling of TSCA Confidential Busi-
     ness Information by the contractor or subcontractor.
     They shall also consider the contractor's or  subcon-
     tractor's past performance on  similar contracts or sub-
     contracts that involved the handling of confidential
     business information or other  information of  a sensi-
     tive nature, such as national  defense information or
     privacy information.

     d.    Contract or Subcontract Clauses.  (See 3.e.
     above.)

5.   Special Rules for Contractor Computer Use.  If under a
proposed contract or subcontract or a proposed modification
of an existing contract or subcontract,  TSCA Confidential
Business Information would be used  in the contractor's or
subcontractor's computer, the following additional proce-
dures apply.

     a.    The request initiated under 3.a. and 4.a. of this
     Chapter must specify the need  for computer use.

     b.    The offerer, contractor,  or subcontractor must
     develop and submit for review a Computer Center Security
     Plan addressing all of the computer security standards
     and procedures for EPA computers as specified in Chap-
     ter IV of these procedures.  Any deviation from the re-
     quirements of Chapter IV shall be identified in the
     security plan, along with a rationale explaining why
     the deviations would not significantly affect the level
     of security provided by the contractor.  If the contrac-
     tor will be developing an ADP application system which
     will process TSCA Confidential Business Information,
     then the contractor must also develop an ADP Applica-
     tion Security Plan in accordance with Chapter IV.2.c.



-------
     c.   In the case of an offerer, the Assistant Adminis-
     trator for Toxic Substances, with the assistance of the
     Security and Inspection Division and the Management
     Information and Data Systems Division, will review the
     ADP Application Security Plan and/or the Computer Center
     Security Plan.  If the Assistant Administrator for
     Toxic Substances determines that the security plan(s)
     would provide at least the same degree of security as
     provided by the procedures set forth in Chapter IV of
     these Procedures, the offerer may be considered for
     award of a contract or subcontract.

     d.   In the case of a proposal to modify an existing
     contract or subcontract to include computer use, the
     Assistant Administrator for Toxic Substances, with the
     assistance of the Security and Inspection Division and
     the Management Information and Data Systems Division,
     will review the ADP Application Security Plan and/or
     the Computer Center Security Plan.  If the Assistant
     Administrator for Toxic Substances determines that the
     security plan(s) would provide at least the same degree
     of security as provided by the policies set forth in
     Chapter IV of these Procedures, the Assistant Adminis-
     trator may authorize the modification.

     e.   In the case of inspections of facilities under
     section 8 of this chapter, representatives of the
     Management Information and Data Systems Division will
     accompany and assist the Security and Inspection Divi-
     sion.

     f.   The contract or subcontract must include the
     clause entitled "Computer Security" appearing in Ap-
     pendix XI.

6.   Notification of Affected Business.  When required by 40
CFR Part 2, the program office shall notify each affected
business in advance of any disclosure of TSCA Confidential
Business Information in accordance with 40 CFR Part 2.

7.   Transfer of TSCA Confidential Business Information to
Contractor or Subcontractor.

     a.   The project officer responsible for the contract
     or subcontract shall request the required TSCA Confi-
     dential Business Information from the appropriate DCO.
     The request shall include the identity of the contrac-
     tor or subcontractor, the number of the contract or
     subcontract, a statement that the appropriate clauses
     are included in the contract or subcontract, and a copy
     of the approval given by the Assistant Administrator
     for Toxic Substances.

-------
     b.   Upon receipt of such a request the DCO shall pro-
     vide the requested information in accordance with the
     procedures in Chapter III.

     c.   The project officer shall furnish the information
     to the contractor or subcontractor in accordance with
     the procedures in Chapter III.

     d.   The project officer shall obtain a written receipt
     for the information from the contractor or subcontrac-
     tor and send it to the appropriate DCO who shall enter
     it in the log.

8.   Inspection of Contractor or Subcontractor Facilities.
Prior to the award or modification of a contract, the Assis-
tant Administrator for Toxic Substances or the Contracts
Management Division shall request the Security and Inspec-
tion Division (SID) to verify that a contractor or subcon-
tractor has in place adequate facilities and procedures to
ensure the security of TSCA Confidential Business Informa-
tion.  The same officials may request SID to conduct inspec-
tions during contract performance and SID on its own initiative
may conduct periodic inspections both scheduled and unscheduled.

9.   Violations.

     a.   Upon receipt of any allegation that a contractor
     or subcontractor has violated the terms of the contract
     or subcontract concerning security of TSCA Confidential
     Business Information, SID shall initiate an investiga-
     tion and report the allegation to the Assistant Admini-
     strator for Toxic Substances, CMD, and the General
     Counsel.

     b.   In all cases of violations of the contract or sub-
     contract provisions where there is no evidence of a
     criminal violation, the Assistant Administrator for
     Toxic Substances and CMD shall take appropriate action
     under the terms of the contract or subcontract and in
     accordance with 40 CFR Part 2.

     c.   If the investigation by SID develops information
     reflecting a possible criminal violation, the case
     shall be referred to the Department of Justice.  When
     the Department of Justice accepts jurisdiction, any
     further action, including notification to the affected
     business, will be dictated by them.

     d.   The Assistant Administrator for Toxic Substances
     shall be furnished a copy of the results of the inves-
     tigation on all cases involving TSCA Confidential Busi-
     ness Information.

-------
     e.   The Assistant Administrator for Toxic Substances
     in concert with the General Counsel and CMD shall notify
     the affected business of the circumstances and the busi-
     ness' legal rights under the contract or subcontract
     on all cases except those referred to the Department
     of Justice.  The cases referred to the Department of
     Justice require that Department's approval prior to
     the release of any of the investigative data to an
     affected business.

10.  Additional Requirements.  Any contract or subcontract
allowing access to TSCA Confidential Business Information
may include additional requirements, provided such require-
ments are as stringent or more stringent than those required
by this chapter.

11.  Contractor/Subcontractor Acquired Confidential Business
Information.  All of the above procedures shall apply when
the contract or subcontract requires the contractor or sub-
contractor to obtain TSCA Confidential Business Information
directly from any business.  Any contract or subcontract
with this requirement must include the clause entitled
"Screening Business Information for claims of Confidential-
ity" (Appendix XVIII).

12.  Return of TSCA Confidential Business Information to EPA.
Upon completion of the contract or subcontract, the project
officer responsible for the contract or subcontract shall
obtain all copies of the information from the contractor
or subcontractor and send them to the appropriate DCO.  How-
ever, if the same information is needed in another unexpired
contract or subcontract with the same contractor or sub-
contractor, the responsible project officer may instead ob-
tain written receipt for the information in accordance with
paragraph 7.d. of this chapter.

-------
                         CHAPTER VI
                  Security Requirements for
                   Other Federal Agencies


1.   Purpose.  The purpose of this section is to set forth
the circumstances and procedures under which TSCA Confiden-
tial Business Information may be furnished by EPA to another
Federal agency with responsibilities under any law for the
protection of health or the environment or for specific law
enforcement purposes.

2.   Policy.  EPA policy is to furnish TSCA Confidential
Business Information to any Federal agency with responsi-
bilities under any law for protection of health or the en-
vironment or for specific law enforcement purposes, provided
the other agency is able and willing to meet certain stan-
dards for security of the information and promises to treat
the information as confidential in accordance with 40 CFR
Part 2.

3.   Procedures for Answering Single Requests from Other
Federal Agencies for Access to TSCA Confidential Business
Information.

     a.   Any EPA office receiving a written request from
     another Federal agency for access to TSCA Confidential
     Business Information in accordance with 40 CFR Part 2
     (other than requests made under section 4 of this chap-
     ter), must refer the request to the Assistant Adminis-
     trator for Toxic Substances.

     b.   The Assistant Administrator for Toxic Substances,
     or his/her designee, shall evaluate the official need
     stated by the other Federal agency.  If the need re-
     lates to the other agency's duties under a law for
     protection of health or the environment or is for
     specific law enforcement purposes, the Assistant Admin-
     istrator for Toxic Substances shall ensure that the
     other agency has agreed to keep the information confi-
     dential in accordance with the requirements of 40 CFR
     Part 2.

     c.   If the other Federal agency has met the require-
     ments of 40 CFR Part 2, the Assistant Administrator for
     Toxic Substances shall ask the agency to furnish copies
     of security procedures under which the agency proposes
     to protect the information.

-------
     d.   The Assistant Administrator for Toxic Substances,
     with the assistance of the Security and Inspection
     Division, shall determine whether the security proce-
     dures and facilities of the other agency would provide
     at least the same degree of security as that provided
     by these Procedures.  If so, the Security and Inspec-
     tion Division shall make a physical inspection of the
     other agency's facilities to ensure that they are ade-
     quate to protect the information, and inform the Assis-
     tant Administrator for Toxic Substances of the results.
     Upon the approval of the Assistant Administrator, the
     information may be furnished to the other agency.

     e.   If the Assistant Administrator for Toxic Sub-
     stances determines that the security procedures of the
     other agency would not provide at least the same degree
     of protection provided by these procedures, the Assis-
     tant Administrator for Toxic Substances shall notify
     the other agency and shall inform them that they may
     still qualify for access if they are willing to adopt
     these procedures for handling TSCA Confidential Busi-
     ness Information.  If the other agency is willing, and
     if the Security and Inspection Division determines that
     the agency has the capability to protect the informa-
     tion, it may be furnished to the other agency after
     the agency has implemented these procedures.

     f.   If the other agency is authorized to receive TSCA
     Confidential Business Information, and if the appli-
     cable procedures in 40 CFR Part 2 have been followed,
     the Assistant Administrator for Toxic Substances shall
     notify the appropriate DCO who shall provide the infor-
     mation in accordance with Chapter III of these proce-
     dures.

     g.   Notwithstanding any other provision of the Proce-
     dures, the Assistant Administrator for Toxic Substances
     may not authorize any DCO to furnish TSCA Confidential
     Business Information to another agency unless the
     agency agrees to obtain signed copies of the TSCA Federal
     Non-EPA Employee Confidentiality Agreement (Appendix XIV)
     from each of its employees who will have access, and obtain
     signed copies of the Confidentiality Agreement for United
     States Employees Upon Termination or Transfer (Appendix V)
     from each employee who terminates or transfers.

-------
4.    Procedures for Obtaining Interagency Agreements for
Furnishing TSCA Confidential Business Information.

     a.   If a particular Federal agency will have a con-
     tinuing need for TSCA Confidential Business Informa-
     tion, the agency may negotiate an interagency agreement
     for access to TSCA Confidential Business Information.

     b.   The Assistant Administrator for Toxic Substances
     may negotiate an interagency agreement, in accordance
     with EPA Order 1610, with another Federal agency for
     access to TSCA Confidential Business Information if:

          (1)  The agreement meets the requirements of 40
          CFR Part 2.

          (2)  The other agency agrees to treat all TSCA
          Confidential Business Information obtained from
          EPA in accordance with the agreement,

          (3)  The agreement sets forth the purposes for
          which the information is needed and those purposes
          are in connection with the agency's duties under
          any laws to protect health or the environment or
          for specific law enforcement purposes,

          (4)  The agreement specifies the security proce-
          dures that will be used for protecting the infor-
          mation, and the Assistant Administrator for Toxic
          Substances determines, with the assistance of the
          Security and Inspection Division, that the pro-
          cedures will provide at least the same degree of
          protection as these procedures  (or the other
          agency has adopted these procedures for purposes
          of the agreement), and

          (5)  The agreement specifies the procedures that
          will be followed by the other agency in making
          specific requests for information under the
          agreement and to whom the requests will be ad-
          dressed.

     c.   The Assistant Administrator for Toxic Substances,
     or his/her designee, shall notify the appropriate DCOs of
     the agreement and the procedures to be followed in re-
     sponding to specific requests.

-------
     d.   Under such an agreement, if the applicable pro-
     cedures in 40 CFR Part 2 have been followed, a DCO may
     furnish Confidential Business Information to another
     Federal agency, in accordance with Chapter III of these
     Procedures, without receiving specific authorization
     from the Assistant Administrator for Toxic Substances
     for each request.

5.   Violations.

     a.   Any violation of another Federal agency's security
     procedures, when there is no evidence of unauthorized
     disclosure, shall be investigated by that agency and
     appropriate remedial action taken to correct the pro-
     cedural deficiencies.

     b.   Any alleged or actual unauthorized disclosure of
     TSCA Confidential Business Information by another
     Federal agency shall be reported immediately by that
     agency to the Director of the EPA Security and Inspec-
     tion Division and the Assistant Administrator for Toxic
     Substances.

     c.   Any violations of the security provisions of an
     interagency agreement under this chapter shall be
     investigated by the Security and Inspection Division
     which shall report to the Assistant Administrator for
     Toxic Substances. If the Assistant Administrator for
     Toxic Substances finds that the other agency has
     violated the terms of the interagency agreement, he/she
     may terminate that agency's right of access pending
     resolution of the matter.

     d.   If the investigation by SID develops information
     reflecting a possible criminal violation, the case
     shall be referred to the Department of Justice.
                         Approved: Steven D. Jellinek
                                   Assistant Administrator
                                   for Toxic Substances
                         Date:
-------
                 APPENDIX III
                                    DO NOT DETACH
       TSCA CONFIDENTIAL  BUSINESS  INFORMATION
DOCUMENT CONTROL OFFICER
DOCUMENT CONTROL NO.
DATE RECEIVED
   The attached document contains Confidential Business Information obtained under the Toxic Substances
   Control Act (TSCA) (15 U.S.C. 2601 et seq.). TSCA Confidential Business Information may not be dis-
   closed further or copied by you except as authorized in the procedures set forth in TSCA
   CONFIDENTIAL BUSINESS INFORMATION SECURITY MANUAL.
   If you willfully disclose TSCA Confidential Business Information to any person not authorized to receive
   it, you may be liable under section 14(d) of TSCA (15 U.S.C. 2613(d)) for a possible fine of up to
   $5,000 and/or imprisonment for up to one year. In addition, disclosure of TSCA Confidential Business
   Information or violation of the procedures cited above may subject you to disciplinary action with penal-
   ties ranging up to and including dismissal.

   Each person who is given access to this document must fill in the information below:
   LAST NAME      SIGNATURE      EPA ID NO.      DATE OUT      DATE IN      DCO INITIAL
EPA Form 7710-4 (1-78)
                                    DO NOT DETACH

-------
                         APPENDIX IV
                  Confidentiality Agreement
                      for EPA Employees
     I understand that I will have access to  certain  Con-
-------
                         APPENDIX V
                  Confidentiality Agreement
                 for United States Employees
                Upon Termination or Transfer

     In accordance with my official duties as an employee of
the United States, I have had access to Confidential Business
Information under the Toxic Substances Control Act  (TSCA)
(15 U.S.C. 2601 et seq.).  I understand that TSCA Confidential
Business Information may not be disclosed except as authorized
by TSCA or Agency regulations.

     I certify that I have returned all copies of any TSCA
Confidential Business Information in my possession to the ap-
propriate document control officer specified in the proce-
dures set forth in TSCA CONFIDENTIAL BUSINESS INFORMATION
SECURITY MANUAL.

     I agree that I will not remove any copies of TSCA Con-
fidential Business Information from the premises of the
Agency upon my termination or transfer.  I further agree
that I will not disclose any TSCA Confidential Business
Information to any person after my termination or transfer.

     I understand that as an employee of the United States
who has had access to TSCA Confidential Business Infor-
mation, under section 14(d)  of TSCA (15 U.S.C. 2613(d)) I am
liable for a possible fine of up to $5,000 and/or imprison-
ment for up to one year if I willfully disclose TSCA Con-
fidential Business Information to any person.

     If I am still employed by the United States, I also
understand that I may be subject to disciplinary action for
violation of this agreement.

     I am aware that I may be subject to criminal penalties
under 18 U.S.C. 1001 if I have made any statement of material
facts knowing that such statement is false or if I willfully
conceal any material fact.
Signature                          Date
Name                               I. D. Number

-------
                               APPENDIX VI

         REQUEST FOR ACCESS TO TSCA CONFIDENTIAL BUSINESS  INFORMATION
1. The following named employee will require access to TSCA Confidential Business
   Information in the performance of official duties.

   FULL NAME                   EPA ID NO.            POSITION           OFFICE
   DATA REQUIRED:

   JUSTIFICATION:
   Please authorize access to TSCA Confidential Business  Information.   A copy  of
   the Confidentiality Agreement is attached.
   Signature of Designating Official                             Date
   Title                                                         Location
2.  Assistant Administrator for Toxic Substances

   The authorization for the above named individual has been:

    [ ]  Approved for access contingent upon verification by the Security and
         Inspection Division that a satisfactory investigation has been conducted.
         Access is limited to that information specified in 1. above.

    [ ]  Disapproved — Operational need for access not justified.
   Signature                                                    Date
3.  Security and Inspection Division

   [ ]   The individual named  above meets the investigative  requirement  and
        nothing is of record  to preclude subject  having  access.

                  [ ] NACI                   [ ]  FULL FIELD

   [ ]   A waiver has been requested by the Assistant Administrator  for  Toxic
        Substances and the individual approved  for  access.
   Signature                                                    Date


-------
                        APPENDIX VII
     The Contracting Officer has determined that during the
performance of this contract, EPA may furnish confidential
business information to the Contractor that EPA obtained under
the Clean Air Act  (42 U.S.C. 1857 et seq.), the Federal
Water Pollution Control Act  (33 U.S.C. 1251 et seq.),  the
Safe Drinking Water Act (42 U.S.C. 300f et seq.), the Fed-
eral Insecticide, Fungicide and Rodenticide Act (7 U.S.C.
136 et seq.), the Federal Food, Drug, and Cosmetic Act
(21 U.S.C. 301 et seq.), the Resource Conservation and Re-
covery Act (42 U.S.C. 2901 et seq.), or the Toxic Substances
Control Act (15 U.S.C. 2601 et seq.).  EPA regulations on
confidentiality of business information in 40 CFR Part 2
Subpart B require that the Contractor agree to the clause
entitled "Treatment of Confidential Business Information"
before any confidential business information may be furnished
to the Contractor.

       Treatment of Confidential Business Information

     A.   The Contracting Officer, after a written deter-
mination by the appropriate program office, may disclose
confidential business information to the Contractor neces-
sary to carry out the work required under this contract.
The Contractor agrees to use the confidential information
only under the following conditions:

          1.    The Contractor and Contractor's Employees
     shall:   (i) use the confidential information only for
     the purposes of carrying out the work required by the
     contract;  (ii) not disclose the information to anyone
     other than EPA employees without the prior written
     approval of the Deputy Associate General Counsel for
     Contracts and General Administration; and (iii)  return
     to the Contracting Officer all copies of the information,
     and any abstracts or excerpts therefrom, upon request
     by the Contracting Officer, whenever the information
     is no longer required by the Contractor for the perfor-
     mance of the work required by the contract, or upon
     completion of the contract.

          2.   The Contractor shall obtain a written agree-
     ment to honor the above limitations from such of the
     Contractor's Employees who will have access to the in-
     formation, before the employee  is allowed access.

          3.   The Contractor agrees that these contract con-
     ditions concerning the use and  disclosure of confiden-
     tial information are included for the benefit of, and
     shall be enforceable by, both EPA and any affected busi-
     ness having a proprietary interest  in the information.

-------
          4.    The Contractor shall not use any confiden-
     tial information supplied by EPA or obtained during
     performance hereunder to compete with any business to
     which the confidential information relates.

     B.   The Contractor agrees to obtain the written con-
sent of the Contracting Officer,  after a written determina-
tion by the appropriate program office, prior to entering
into any subcontract that will involve the disclosure of con-
fidential business information by the Contractor to the sub-
contractor.  The Contractor agrees to include this clause,
including this paragraph (B), in all subcontracts awarded
pursuant to this contract that require the furnishing of
confidential business information to the subcontractor.

-------
                        APPENDIX VIII
     The Contracting Officer has determined that during the
performance of this contract, EPA may furnish confidential
business information to the Contractor that EPA has obtained
under the Toxic Substances Control Act (15 U.S.C. 2601 et
seq.).   The procedures set forth in chapter V.3.e. require
that the Contractor agree to the clause entitled "Security
Requirements for Handling Confidential Business Information"
before any confidential business information obtained under
the Toxic Substances Control Act may be furnished to the
Contractor.  The clause entitled "Treatment of Confidential
Business Information" is also included in this contract.

             Security Requirements for Handling
              Confidential Business Information

     A.   The Contracting Officer, after a written determina-
tion by the appropriate program office, may disclose confi-
dential business information to the Contractor necessary to
carry out the work required under this contract.  The Con-
tractor agrees to protect the confidential business in-
formation in accordance with the following requirements:

          1.   The Contractor and Contractor's Employees
     shall follow the security procedures set forth in Ap-
     pendix XII of TSCA CONFIDENTIAL BUSINESS INFORMATION
     SECURITY MANUAL.

          2.   The Contractor shall, upon request by the
     Contracting Officer, permit access to and inspection of
     the Contractor's facilities in use under this contract
     by representatives of EPA's Security and Inspection
     Division.

          3.   The Contractor shall obtain a signed copy of
     the "TSCA Contractor Employee Confidentiality Agree-
     ment"  from each of the Contractor's Employees who will
     have access to the information, before the employee is
     allowed  access, and shall furnish the signed agreements
     to the Contracting Officer.

     B.   The Contractor agrees that these requirements con-
cerning protection of confidential business information are
included for  the benefit of, and shall be enforceable by,
both EPA and  any affected business having a proprietary in-
terest in the information.

-------
     C.   The Contractor understands that confidential busi-
ness information obtained by EPA under the Toxic Substances
Control Act may not be disclosed except as authorized by
the Act and that any unauthorized disclosure by the Contrac-
tor or the Contractor's Employees may subject the Contractor
and the Contractor's Employees to the criminal penalties in
section 14(d) of the Act.  For purposes of this contract, the
only disclosures that EPA authorizes the Contractor to make
are those disclosures set forth in the clause entitled "Treat-
ment of Confidential Business Information."

     D.   The Contractor agrees to include this clause, in-
cluding this paragraph (D), in all subcontracts awarded
pursuant to this contract that require the furnishing of
confidential business information to the subcontractor.

-------
                         APPENDIX IX
               Laboratories and Field Stations
                     Eligible to Have a
                  Document Control Officer
     Because of their size, geographic location, and/or
overall program responsibilities, the EPA laboratories and
field stations listed below are eligible to designate a
Document Control Officer.   Facilities not cited will be
serviced in their TSCA data needs either by the Regional
Office to which they report or by OTS at Headquarters.  This
list may be revised by the Assistant Administrator for Toxic
Substances as required to support evolving needs for data
and data control services.

Health Effects Research Laboratory; Research Triangle Park,
  North Carolina
Health Effects Research Laboratory; Cincinnati, Ohio
Environmental Research Laboratory; Corvallis, Oregon
Environmental Research Laboratory; Duluth, Minnesota
Environmental Research Laboratory; Narragansett, Rhode Island
Environmental Research Laboratory; Gulf Breeze, Florida
Environmental Monitoring and Support Laboratory; Las Vegas,
  Nevada
Environmental Monitoring and Support Laboratory; Cincinnati,
  Ohio
Environmental Monitoring and Support Laboratory; Research
  Triangle Park, North Carolina
Environmental Sciences Research Laboratory; Research Triangle
  Park, North Carolina
Municipal Environmental Research Laboratory; Cincinnati,
  Ohio
Environmental Research Laboratory; Athens, Georgia
Environmental Research Laboratory; Ada, Oklahoma
Industrial Environmental Research Laboratory; Cincinnati,
  Ohio
Industrial Environmental Research Laboratory; Research
  Triangle Park, North Carolina

-------
                         APPENDIX X
                    Special  Category TSCA
              Confidential Business Information
     The following types  of TSCA Confidential  Business In-
formation are designated  as Special Category TSCA Confiden-
tial Business Information for purposes  of these procedures:

     1.    Information about specific chemical  substances
     whose chemical identities have been treated as confi-
     dential for purposes of the Inventory of  Chemical Sub-
     stances under section 8(b) of TSCA.

     2.    Information about product formulations.

     3.    Information about specific processes used in manu-
     facturing or processing chemical substances.

-------
                         APPENDIX XI
     The Contracting Officer has determined that during the
performance of this contract, EPA may furnish confidential
business information to the Contractor that EPA has obtained
under the Toxic Substances Control Act (15 U.S.C.  2601 et
seq.).   The Contractor will use this confidential business
information in a computer.  The procedures set forth in
chapter V.5.f. require that the Contractor agree to the
clause entitled "Computer Security" before any confidential
business information obtained under the Toxic Substances
Control Act may be furnished to the Contractor.  The clause
entitled "Security Requirements for Handling Confidential
Business Information" is also included in this contract.

                      Computer Security

     A.   The Contractor agrees to protect confidential
business information used in its computer operations in
accordance with the following requirements:

          1.   The Contractor and the Contractor's Employees
     shall follow the computer security procedures set forth
     in the Computer Center Security Plan and/or ADP
     Application Security Plan proposed by the Contrac-
     tor and accepted by EPA.

          2.   The Contractor and the Contractor's Employees
     shall follow the procedures required by the clause
     entitled "Security Requirements for Handling Confidential
     Business Information" of this Contract for all
     confidential business information removed from the
     computer.

          3.   The Contractor shall, upon request by the
     Contracting Officer, permit access to and inspection of
     the Contractor's computer facilities in use under this
     contract by representatives of EPA's Security and In-
     spection Division and EPA's Management Information and
     Data Systems Division.

     B.   The Contractor agrees that these requirements con-
cerning computer security of confidential business informa-
tion are included for the benefit of, and shall be enforce-
able by, both EPA and any affected business having a pro-
prietary interest in the information.

     C.   The Contractor agrees to include this clause, in-
cluding this paragraph  (C), in all subcontracts awarded pur-
suant to this contract that require use of confidential
business information in computers.

-------
                        APPENDIX XII
                TSCA Contractor/Subcontractor
                 Data Security Requirements


     1.   General.   These data security requirements apply
to any contractor/subcontractor performing work under a con-
tract/subcontract for EPA where the contractor/subcontractor
is furnished TSCA Confidential Business Information to per-
form its work.  The term "contractor" will be used through-
out these Requirements to mean any contractor or subcontractor.

     2.   Documented Security Procedures.  Each contractor
must have documented security procedures consistent with these
Requirements.  These security procedures must be available
to EPA upon request by the Contracting Officer.

     3.   Training of Employees.  Each contractor must have
a program to train each of its employees who will have access
to TSCA Confidential Business Information in the procedures
to be followed for safeguarding that information as well as
the potential penalties for violations of the procedures.

     4.   Employee Confidentiality Agreements.  Each contractor
must obtain a signed copy of the "TSCA Contractor Employee
Confidentiality Agreement" (Appendix XIII) from each employee
who will have access to TSCA Confidential Business Information
prior to granting such access.  These signed agreements must
be furnished to the Contracting Officer.

     5.   Content of Security Procedures.  Each contractor
must have security procedures that meet the minimum criteria
set forth in these Requirements.  If the contractor chooses
to adopt and use the procedures set forth in chapters III
and IV of these Procedures, the contractor will be presumed
to have met these Requirements.

     6.   Appointment of Contractor Document Control Officers.
Each contractor shall appoint one or more Contractor Document
Control Officers.

     7.   Responsibilities of Contractor Document Control
Officers.  Contractor Document Control Officers are respon-
sible for:

          a.   Controlling all TSCA Confidential Business
     Information in the possession of the contractor.

          b.   Serving as a contact person for EPA regarding
     the contractor's handling and control of TSCA Confiden-
     tial Business Information.

          c.   Conducting periodic checks of the contractor's
     security.


-------
     8.   Physical Security.  Each contractor must have se-
cure work areas where TSCA Confidential Business Information
is used.  When not in use, TSCA Confidential Business Infor-
mation must be locked up in secure cabinets, safes, or
special locked rooms.  The minimum acceptable storage con-
tainer is a cabinet with a bar and three-way changeable com-
bination padlock.  The contractor must also have building or
office security sufficient to prevent unauthorized entry.

     9.   Logging and Control of Confidential Business Infor-
mation.  Each contractor must have a system for logging and
control of TSCA Confidential Business Information within the
contractor's facilities.  Such a system must include a log
that, at a minimum, includes the name of the person using the
information, the date checked out, and the date returned.
The system must also include special labels to identify TSCA
Confidential Business Information and time limits for which
information may be checked out.  All logs and other control
documents, as well as copies of all the TSCA Confidential
Business Information, must be available for inspection and
copying by EPA.

    10.   Reproduction and Destruction.  All copying and de-
struction of TSCA Confidential Business Information must be
done under the supervision and control of the Contractor
Document Control Officer.  Any copying or destruction must
be entered in the control logs.  Destruction must be by
shredding, burning, or other means that assures that the in-
formation may not be recovered.

    11.   Audits.  Each contractor shall conduct periodic
audits of its facilities, employees, and TSCA Confidential
Business Information control system to ensure compliance
with its security procedures.

    12.  Security Violations.  If a contractor discovers a
violation of its security procedures, it must take appropri-
ate measures to ensure that such a violation will not recur,
including such measures as employee disciplinary actions.
If a contractor discovers or has reason to believe that TSCA
Confidential Business Information has been disclosed by one
of its employees in violation of its security procedures and
the contract, the contractor shall report the circumstances
to the Contracting Officer.  The contractor must allow repre-
sentatives of EPA's Security and Inspection Division to in-
vestigate such disclosures and must cooperate fully and ensure
the full cooperation of its employees.

    13.   EPA Assistance in Security Matters.  The contractor
may request assistance from EPA through the Contracting Officer
in any matter related to TSCA Confidential Business Information
security procedures.  EPA will assist contractors to comply
with these requirements through advice, audits, and inspections.


-------
     14.  Computer Security.   The contractor must follow the
Computer Center Security Plan and/or the ADP Application
Security Plan submitted to and approved by EPA in its
handling of TSCA Confidential Business Information in its
computer operations.   In addition, the contractor must meet
the following requirements:

          a.   The contractor must appoint a Contractor Com-
     puter Document Control Officer who will be responsible
     for all security aspects of the contractor's computer
     use of TSCA Confidential Business Information and will
     log and control all use of the computer facilities.

          b.   The contractor must maintain records of com-
     puter use and make them available to EPA upon request
     by the Contracting Officer.

          c.   The contractor must make its computer facilities
     available for inspection by EPA upon request by the Con-
     tracting Officer.

-------
                        APPENDIX XIII
     TSCA Contractor Employee Confidentiality Agreement
     I understand that as an employee of
a contractor performing work for the United States Environmental
Protection Agency, I will have access to certain Confidential
Business Information submitted under the Toxic Substances
Control Act (TSCA) (15 U.S.C. 2601 et seq.).   This access
has been granted to me in order to perform my work under the
contract.

     I understand that TSCA Confidential Business Informa-
tion may not be disclosed by me except as authorized by
TSCA, the contract, and the security procedures used by my
employer under the contract.  I understand that under sec-
tion 14(d) of TSCA (15 U.S.C. 2613(d)), I am liable for a
possible fine of up to $5,000 and/or imprisonment for up to
one year if I willfully disclose TSCA Confidential Business
Information to any person not authorized to receive it.  In
addition, I understand that I may be subject to disciplinary
action for violation of this agreement up to and including
dismissal.

     I agree that I will treat any TSCA Confidential Business
Information furnished to me as confidential and that I will
follow the security procedures used by my employer under the
contract.  I have been informed of and understand the
procedures.
Signature                          Date
Name

-------
                        APPENDIX XIV
                TSCA Federal Non-EPA Employee
                  Confidentiality Agreement


     I understand that as an employee of a Federal agency
that has obtained certain Confidential Business Information
submitted to the Environmental Protection Agency under the
Toxic Substances Control Act (TSCA) (15 U.S.C. 2601 et
seq.), I will have access to such information.  This access
has been granted in accordance with my official duties under
a law to protect health or the environment or for specific
law enforcement purposes.

     I understand that TSCA Confidential Business Informa-
tion may not be disclosed by me except as authorized by
TSCA,  the agreement between my agency and the Environmental
Protection Agency, and the security procedures in effect at
my agency.  I understand that under section 14(d) of TSCA
(15 U.S.C. 2613(d)), I am liable for a possible fine of up
to $5,000 and/or imprisonment for up to one year if I will-
fully disclose TSCA Confidential Business Information to any
person not authorized to receive it.  In addition, I under-
stand that I may be subject to disciplinary action for
violation of this agreement up to and including dismissal.

     I agree that I will treat any TSCA Confidential Busi-
ness Information furnished to me as confidential and that I
will follow the security procedures in effect at my agency
for the handling of this type of information.  I have been
informed of and understand the procedures.

     I am aware that I may be subject to criminal penalties
under 18 U.S.C. 1001 if I have made any statement of material
facts knowing that such statement is false or if I willfully
conceal any material fact.
Signature                          Date
Name

-------
                            LOAN RECEIPT
                                FOR
                TSCA CONFIDENTIAL BUSINESS INFORMATION
I ACKNOWLEDGE RECEIPT OF TSCA CONFIDENTIAL BUSINESS INFORMATION
LISTED BELOW:
DOCUMENT CONTROL NO. + COPY NO.
I UNDERSTAND THAT I AM RESPONSIBLE FOR PROTECTING THIS DATA IN ACCORDANCE
WITH THE TSCA CONFIDENTIAL BUSINESS INFORMATION SECURITY MANUAL.  ALSO THAT
I AM LIABLE FOR A FINE OF UP TO $5,000 AND/OR IMPRISONMENT FOR UP TO ONE
YEAR IF I WILLFULLY DISCLOSE IT TO ANY UNAUTHORIZED PERSON.  I MAY ALSO
BE SUBJECT TO DISCIPLINARY ACTION UP TO AND INCLUDING DISMISSAL FOR ANY
VIOLATION OF THE PROCEDURES FOR SAFEGUARDING THIS DATA.

I ALSO AGREE THAT I WILL NOT DUPLICATE THE DOCUMENT(S) IDENTIFIED ABOVE.
NAME OF RECIPIENT                          DATE DOCUMENT(S) RECEIVED
NAME OF LOANER

-------
                   APPENDIX XVIII
     The Contracting Officer has determined that during
performance of this contract the Contractor may be required
to collect information to perform the work required under
this contract.  Some of the information may consist of trade
secrets or commercial or financial information that would be
considered as proprietary or confidential by the business
that has the right to the information.  The following
clause is included in this contract to enable EPA to resolve
any claims of confidentiality concerning the information that
the Contractor will furnish under this contract.  The clause
entitled "Treatment of Confidential Business Information"
is also included in this contract.

          SCREENING BUSINESS INFORMATION FOR
               CLAIMS OF CONFIDENTIALITY

     (a)   Whenever collecting information under this contract,
the Contractor agrees to comply with the following
requirements:

          (1)  If the Contractor collects information from
public sources, such as books, reports, journals, periodicals,
public records, or other sources that are available to the
public without restriction, the Contractor shall submit a
list of these sources to the appropriate program office at
the time that information is initially submitted to EPA.
The Contractor shall identify the information according to
source.

          (2)  If the Contractor collects information from a
State or local government or from a Federal agency, the
Contractor shall submit a list of these sources to the appropriate
program office at the time the information is initially
submitted to EPA.  The Contractor shall identify the infor-
mation according to source.

          (3)  If the Contractor collects information directly
from a business or from a source that represents a business
or businesses, such as a trade association:

               (i)   Before asking for the information, the
Contractor shall identify itself, explain that it is
performing contractual work for the U.S. Environmental Protection
Agency, identify the information that it is seeking to collect,
explain what will be done with the information, and give the
following notice:

-------
                (A)  You may, if you desire, assert a business
confidentiality claim covering part or all of the information.
If you do assert a claim, the information will be disclosed
by EPA only to the extent, and by means of the procedures, set
forth in 40 CFR Part 2, Subpart B, 41 Federal Register 36906,
September 1, 1976.

                (B)  If no such claim is made at the time
this information is received by (the Contractor), it may be
made available to the public by the Environmental Protection
Agency without further notice to you.

          (ii) Upon receiving the information, the Contractor
shall make a written notation that the notice set out above
was given to the source, by whom, in what form, and on  what
date.

         (iii) At the time the Contractor initially submits
the information to the appropriate program office, the
Contractor shall submit a list of these sources, identify the
information according to source, and indicate whether the
source made any confidentiality claim and the nature and
extent of the claim.

     (b)  The Contractor shall keep all information collected
from nonpublic sources confidential in accordance with  the
clause in this contract entitled  "Treatment of Confidential
Business Information" as if it had been furnished to the
Contractor by EPA.

     (c)  The Contractor agrees to obtain the written consent
of the Contracting Officer, after a written determination by
the appropriate program office, prior to entering into  any
subcontract that will require the subcontractor to collect
information.  The Contractor agrees to include this clause,
including this paragraph  (c), and the clause entitled   "Treat-
ment of Confidential Business Information" in all subcontracts
awarded pursuant to this contract that require the sub-
contractor to collect information.
 * U.S. GOVERNMENT PRINTING OFFICE: 1978

-------