740R84102
TSCA CONFIDENTIAL
BUSINESS INFORMATION
SECURITY MANUAL
OCTOBER, 1984
^ U 3. Environmental Protection Agency
• Region V, Library
^230 South Dearborn Street
hicago, Hiinois 60604
United States Environmental Protection Agency
Washington, D.C. 20460
-------�
-------�
TABLE OF CONTENTS
Glossary of Acronyms vi
Glossary vii
I. Introduction 1
A. Applicable Federal Statutes and Regulations 1
B. Security Violations. 1
C. Authorization for Access to TSCA CBI 2
1. Requesting Authorization for Access to TSCA CBI 2
2. Background Investigation and Related Forms 3
3. Authorizing Contractors for Access to TSCA CBI 3
4. Maintaining the Authorized Access List 4
II. Responsibilities 5
A. Assistant Administrator for Pesticides and Toxic Substances
(AA/OPTS) 5
B. Director, Office of Toxic Substances (OD/OTS) 5
C. Director, Information Management Division (IMD) 5
D. Office of the Inspector General (OIG) 5
E. Director, Office of Information Resource Management (OIRM) 5
F. General Services Branch, Facilities Services and Support
Division (GSB, FSSD) 6
G. Division Directors 6
H. Branch Chiefs 6
I. Security, Information Management Division 7
J. EPA Project Officers 8
K. Document Control Officers and Document Control Assistants 8
1 . Headquarters 8
(a) Document Control Officer (DCO) Specific Duties 8
(b) Document Control Assistant (DCA) Specific Duties... 9
(c) DCO/DCA Joint Duties 9
2. Regional & Laboratory DCO/DCAs 9
L. EPA Employees 10
III. Procedures for Handling TSCA Confidential Business Information 11
A. Introduction 11
B. Forms Required for Implementation of TSCA CBI Security
Procedures 11
C. Obtaining TSCA CBI Documents.... ..12
D. Storage 12
1. At EPA Facility 12
(a) Required Storage 12
(b) Open Storage 13
(c) Multiple User Container Storage 13
2. When Traveling 13
(a) Plane/Other Public Conveyance 13
(b) Locked Trunk of Car 13
(c) Hotel Safe 14
iii
-------�
Table of Contents (cont'd)
E. Safeguards During Use 14
1. Secretarial Procedures 14
2. Incoming Mail from Outside Firms 15
3. Telephone Calls 15
4. Meetings ..16
5. Lost or Unaccounted-for Documents 17
F. Transmittal 17
1 . Within an EPA Facility 17
2. Outside an EPA Facility 17
G. Reproduction/Destruction 18
1 . Reproduction 18
2. Destruction 18
H. Photographs 19
I. Retiring of Documents 19
J. Remote Terminals 19
K. Personal Computers (PCs) 20
1. Policy for Storage of TSCA CBI Data on PC Storage Media....20
(a) Hard disks 20
(b) Floppy disks 20
2. "Downloading" TSCA CBI data 20
3. Printing of TSCA CBI data on PC Printers 20
4. Use of TSCA CBI on a PC 21
L. Internally Produced Documents and Declassification of
Hardcopy and Magnetic Media 21
1. Printout Declassification 21
2. Magnetic Tape Declassification and Transfer 21
3. Hardcopy Declassification 22
M. Retaining Logs 22
N. Drafts and Temporary internal Documents 23
O. Annual Inventory 23
P. Reconciliation of Documents 23
1. When DCOs Change 23
2. When a Contract Ends 24
IV. Security Requirements For Other Federal Agencies 25
A. Purpose 25
B. Policy 25
C. Procedures for Answering Requests 25
D. Procedures for Interagency Agreements 26
E. Exemption for the Department of Justice. 27
F. On-site Access ..27
G. Violations 27
IV
-------�
Table of Contents (cont'd)
Appendices. 28
Appendix I
Appendix II
Appendix III
Appendix IV
Appendix V
Appendix VI
Appendix VII
Appendix VIII
Appendix IX
Appendix X
Appendix XI
Appendix XII
Appendix XIII
Appendix XIV
Appendix XV
Appendix XVI
Excerpts from EPA Conduct & Discipline Manual
Inventory Log
User Sign Out Log
Destruction Log
Contractor/Subcontractor Sign Out Log
Federal Agency, Congress, and Federal Court
Sign Out Log
Request for TSCA CBI Access Approval
Request for TSCA CBI Computer Access Approval
TSCA CBI Cover Sheet
Termination Agreement
Telephone Contact Report
TSCA Confidential Business Information
Meeting Sign In Sheet
Federal Register Notice Example (Transfer
of Data to Contractor)
Safe/Cabinet Security Check Sheet
Request for Approval of Contractor Access
To TSCA Confidential
Business Information
Loan Receipt for TSCA Confidential
Business Information
Index.
.48
v
-------�
Glossary of Acronyms
AA/OPTS Assistant Administrator for Pesticides and Toxic Substances
ADP Automated Data Processing
CBJ Confidential Business Information
CFR Code of Federal Regulations
CIB Chemical Information Branch
OD/OTS Office Director for Toxic Substances
DCA Document Control Assistant
DCO Document Control Officer
DMB Data Management Branch
DOJ Department of Justice
EPA United States Environmental Protection Agency
FSSD Facilities and Support Services Division
GSB General Services Branch
JAG Interagency Agreement
IMD Information Management Division
NACI National Agency Check and Inquiries
OGC Office of General Counsel
OIG Office of the Inspector General
OIRM Office of Information Resources Management
OPTS Office of Pesticides and Toxic Substances
OTS Office of Toxic Substances
TSCA Toxic Substances Control Act
VI
-------�
Glossary
General access is the ability and opportunity to gain knowledge of TSCA CBI in any
manner whatsoever including computer printouts.
The Authorized Access List is a compilation of the names of all employees who have
been authorized for access to TSCA CBI. Included in the list are the employee's ID
number, organizational location, type of access, and the date of the last security
briefing attended. The list is updated and distrubuted on a monthly basis to all
Document Control Officers and Document Control Assistants for use in the protection
of TSCA CBI.
An Authorized Computer Facility is an EPA or contractor's computer facility that
meets the Office of Toxic Substances security standards and that has been approved
for handling TSCA CBI.
An Authorized Person is any person who is authorized, in accordance with the
requirements of Chapter III, for access to TSCA CBI.
A Briefing is a meeting at which instruction is given regarding the use and
safeguarding of TSCA CBI. Attendance on an annual basis is required for all
employees authorized by the Director, IMD for access to TSCA CBI.
Computer Access is the ability to write and alter data from an EPA computer system
or system established by a contractor which contains TSCA CBI, and is only granted
to persons authorized for general access to TSCA CBI.
Confidential Business Information (CBI) is any information in any form received by
EPA from any person, firm, partnership, corporation, association, or local, state,
or Federal agency, or foreign government, which contains trade secrets or commercial
or financial information, and which has been claimed as confidential by the person
submitting it, and which has not been determined to be non-confidential under the
procedures in 40 CFR Part 2.
A Document is any recorded information, regardless of its physical form or char-
acteristics, including, without limitation: written or printed material; data
processing card decks, printouts, tapes, discs, diskettes; maps and charts;
paintings; photographs; drawings; engravings; sketches; samples; working notes and
papers; and reproductions of such items by any means, including sound, voice, or
visual electronic recordings in any form.
A Document Control Assistant (DCA) assists the Document Control Officer in
performing duties related to information processing, document control, and security.
A Document Control Number (DCN) is the unique number assigned by a Document Control
Officer or Assistant, or through computer-system numbering to a document containing
TSCA CBI.
A Document Control Officer (DCOJ or Document Control Assistant (DCA) is a person
designated, in accordance with Chapter II, to be responsible for the security,
control, and distribution of all TSCA CBI received by him/her.
vii
-------�
The Document Tracking System (DTS) collects and stores general data and tracks the
circulation of document copies by: automatically assigning document control numbers;
tracking the life cycle of documents, including number of copies made, distributed,
returned, and shredded; automatically calculating the completion dates of certain
types of documents; validating data entries, analyzing document workload patterns
and document profiles; flagging "overdue" documents, and supporting on-line updates
and retrieval of information.
An Employee is any person employed on a full-time or part-time basis by the U.S.
Environmental Protection Agency, including EPA Administrative Law Judges, other
Federal Agencies, or contract firms.
A Federal Agency is any organization or entity comprised of United States officers
or employees excluding the Federal Courts and Congress.
A Secure Facility is a building or portion of a building (room) that meets the
requirements of this Manual for handling TSCA CBI and has been approved for securing
TSCA CBI by the Director, IMD.
A Submitter Representative is an authorized representative of a company who may be
permitted to review his/her company's own TSCA CBI submissions.
A Violation is the failure to comply with any provision in these procedures, or
other Federal requirements governing the protection of TSCA CBI, whether or not such
failure leads to actual unauthorized disclosure of TSCA CBI.
VI IX
-------�
I. INTRODUCTION
The Assistant Administrator for Pesticides and Toxic Substances (AA/OPTS) is
responsible for designing and implementing an Agencywide security program to
control the receipt, handling, and dissemination of TSCA CBI. Requirements
promulgated under this authority supplement, but do not supersede, general
Agency regulations pertaining to Freedom of Information requests and
confidentiality of business information set forth in 40 CFR Part 2.
The procedures in this manual prescribe standards and establish responsibility
and accountability for the control of documents and computer systems that
contain Confidential Business Information (CBI) received by the U. S.
Environmental Protection Agency (EPA) under the Toxic Substances Control Act
(TSCA) (15 U.S.C. § 2601 et seq.).
All reasonable measures must be taken to prevent the unauthorized disclosure of
TSCA CBI. EPA employees and EPA contractor employees are prohibited from
disclosing, in any manner or to any extent not authorized by law or EPA
regulations, the TSCA CBI to which they have access in the course of performing
their duties. Employees of other Federal agencies are also prohibited from
disclosing TSCA CBI unless authorized by law and by the terms of their
agreement with EPA regarding TSCA CBI released to them.
A. Applicable Federal Statutes and Regulations
o 15 U.S.C. § 2613, Disclosure of Data (TSCA).
o 5 U.S.C. § 552, Freedom of Information Act.
o 40 CFR Part 2, Confidentiality of Business Information.
o 41 CFR Chapter 15, Public Contracts and Property Management.
B. Security Violations
To operate a security system successfully, discipline must be maintained among
employees. Any unauthorized disclosure of TSCA CBI may subject an employee to
the following criminal penalties under TSCA § 14(d) (1):
Criminal Penalty for Wrongful Disclosure—(1) Any officer or employee of
the United States or former officer or employee of the United States, who
by virtue of such employment or official position has obtained possession
of, or has access to, material, the disclosure of which is prohibited by
subsection (a), and who knowing that disclosure of such material is
prohibited by such subsection, willfully discloses the material in any
manner to any person not entitled to receive it, shall be guilty of a
misdemeanor and fined not more than $5,000 or imprisoned for not more than
one year, or both.
Chapter 5 and Appendix C of the EPA Conduct and Discipline Manual deal with
this subject in depth. All employees, and especially supervisors, should
become familiar with this publication. Pertinent excerpts from Chapter 5 and
Appendix C of the EPA Conduct and Discipline Manual are included in Appendix I.
-1-
-------�
Corrective action, not mentioned in the EPA Conduct and Discipline Manual which
may be taken by supervisors at the Division Director level and above, is
removal of the name of the offending employee from the TSCA CBI Authorized
Access List. Although removal from the Authorized Access List is an informal
sure, it is a serious step and should be used cautiously. Additional penalties
may be assessed, including dismissal. These procedures are outlined in the EPA
Conduct and Discipline Manual [Chapter 5 and Appendix C, Table of Offenses and
Penalties, 35(b)]. This step is designed to impress upon the employee the
seriousness of his/her actions and to prevent further violations.
C. Authorization for Access to TSCA CBI
1. Requesting Authorization for Access to TSCA CBI
To receive authorization for access to TSCA CBI, the forms listed below must be
completed and returned to Security, IMD.
Federal Employees/Consultants
General Access:
EPA Form 7740-6, Request for Authorized Access to TSCA CBI (Appendix VII)
Computer Access:
EPA Form 7740-6, Request for Authorized Access to TSCA CBI
EPA Form 7740-7, Request for TSCA CBI Computer Access Approval (Appendix
VIII)
Summer Employees
EPA Form 7740-6; and if applicable, EPA Form 7740-7; and
Justification Memorandum from the Authorizing Official
Contractor Employees
EPA Form 7740-6; and if applicable, EPA Form 7740-7
SF-86, Security Investigation Data for Sensitive Position,
(original and 2 copies)
SF-85A, National Agency Check Data for Nonsensitive or Noncritical
Position (must be typed)
OPM 329a, Authority for Release of Information, and
FD-258, Fingerprint Chart (no substitution)
All forms must be fully completed and signed and a security briefing
attended. When the briefing is attended and the completed forms received by
Security, IMD, the person may be authorized for access to TSCA CBI, and his/her
name placed on the Authorized Access List. Security, IMD, will notify the
appropriate DCO/DCA, who will in turn notify the employee. At EPA Headquarters
all forms must be received by Security, IMD, before a briefing is attended.
Contractors employees must complete all required forms and submit them to their
DCO, who will review them for accuracy and completeness and send them to the
EPA Project Officer. The EPA Project Officer reviews and initials the forms
and then forwards them to the Division Director who signs EPA Form 7740-6 as
the authorizing official. After they are signed, the forms are transmitted to
Security, IMD. All forms must be received by Security, IMD, before the
security briefing may be attended.
-2-
-------�
Summer employees for a period of no more than 4 months, and temporary employees
limited to 3 months, will not be authorized for access to TSCA CBI without the
written authorization of the Director, IMD. Division Directors or above must
submit to the Director, IMD, a memorandum of justification with the EPA Form
7740-6, Request for TSCA CBI Access Approval, explaining in detail why access
is required. Access must be approved by the Director, IMD, prior to the
employee's gaining access to TSCA CBI.
2. Background Investigation and Related Forms
All employees who will have access to TSCA CBI are required to undergo a
background investigation. All Federal employees with permanent appointments or
temporary appointments of 700 hours or more must complete investigation forms
at the time they begin employment, and a National Agency Check and Inquiries
(NACI) investigation is immediately initiated.
If an investigation reveals information that reflects adversely on an
employee's suitability or trustworthiness to handle TSCA CCI, OIG/Personnel
Security will conduct an interview with the subject of the investigation to
afford the individual the opportunity to explain, refute, or mitigate
actionable security/suitability information developed in the investigation.
OIG refers the results of the investigation and the interview to Security, IMD,
and when warranted, to the employee's supervisor for a suitability
determination.
3. Authorizing Contractors for Access to TSCA CBI
When a contract work statement and EPA Form 1900-8, Procurment Request/Order,
are completed prior to the awarding of a contract, or modification of an
existing contract, the EPA Project Officer must complete and insert in the
package EPA Form 7710-15a, Request for Approval of Contract Access to TSCA
Confidential Business Information (Appendix XV), for the contract being
considered. The contract package must be sent to the Director, IMD, for
concurrence prior to being forwarded to the OD/OTS for final approval.
Section 14(a)(2) of TSCA provides the authority for EPA to release TSCA CBI "to
contractors with the United States and employees of such contractors if in the
opinion of the Administrator such disclosure is necessary for the satisfactory
performance by the contractor of a contract with the United States....for the
performance of work in connection with [TSCA]..." EPA regulations require that
EPA notify TSCA CBI submitters either by publishing a Federal Register notice
(Appendix XIII) stating that a contractor will have access to TSCA CBI
submitted to EPA or through letters to the affected submitters not less than 5
days before providing access.
It is the responsibility of the EPA Project Officer for the contract who will
receive TSCA CBI to prepare the Federal Register notice or letters.
The Project Officer, after preparing the Federal Register notice or letters
will have the document(s) signed by his/her division director and concurred
upon by Security, IMD, the Chemical Information Branch (CIB), IMD, the
Director, IMD, the Office of General Counsel (OGC), and the Federal Register
Section, OPTS, and will have the document(s) signed by the Director, Office of
Toxic Substances. Under no circumstances will TSCA CBI be transferred to an
-3-
-------�
EPA contractor, or other Federal agency contractor, before a Federal Register
notice is published or notification letters are sent and the receiving facility
is inspected and approved by Security, IMD.
It is the responsibility of the Project Officer of the contract to ensure that
the Federal Register notice is published with sufficient time allowed for the
contractor's facility to be inspected for on-site storage of TSCA CBI prior to
the contract start date and in conjunction with other facilities within the
same region in which that facility is located. The Project Officer should
contact Security, IMD, upon awarding of the contract to ensure that sufficient
lead time for the inspection is provided.
Security procedures for contractors and subcontractors are contained in a
separate manual, Contractor Requirements for the Control and Security of TSCA
Confidential Business Information, which also includes the procedures for
solicitation and award of contracts (or modification of existing contracts)
that involve receipt or handling of TSCA CBI.
4. Maintaining the Authorized Access List
The Authorized Access List must be kept current. By the 20th day of each
month, every DCO/DCA in the Federal government and contractors' offices will
send to Security, IMD, an updated copy of the Authorized Access List showing
changes for their organization. A revised TSCA CBI Authorized Access List will
be distributed by Security, IMD (by the fifth day of the next: month) to Federal
government and contractor offices handling TSCA CBI information. Copies of the
list showing only the names of Federal government employees are distributed to
SPA contractors and their subcontractors requiring the use of TSCA CBI. The
names of contractor employees will not be released to other contractors.
When an employee who has had access to TSCA CBI terminates employment, no
longer requires access, or transfers to a position not requiring access to TSCA
CBI, he/she must be processed through the local DCO/DCA to ensure that all TSCA
CBI documents have been returned and must sign EPA Form 7710-17,
Confidentiality Agreement for United States Employees Upon Termination or
Transfer (Appendix X) . A copy of this agreement will be kept on file by the
local DCO/DCA for 5 years; the original will be forwarded to Security, IMD.
The local DCO/DCA will immediately delete the terminated or transferred
employee's name from the TSCA CBI Authorized Access List and will ensure that
this deletion is reflected in the next monthly update sent to Security, IMD.
-4-
-------�
II. RESPONSIBILITIES
A. Assistant Administrator for Pesticides and Toxic Substances (AA/OPTS)
The AA/OPTS is responsible for the overall implementation of the procedures
contained herein.
B. Director, Office of "toxic Substances (OD/OTS)
The OD/OTS is responsible for ensuring that the Office of Toxic Substances,
other EPA Program Offices, Regional and Laboratory facilities, other Federal
agencies, and contractor firms comply with the policies, procedures and
directives contained herein.
C. Director, Information Management Division (IMD)
The Director, IMD, is responsible for developing new policies and procedures
for managing TSCA CBI; approving contractors and subcontractors for access to
TSCA CBI; approving Computer Center Security Plans for any computer facility
that will receive TSCA CBI; approving ADP Application Security Plans prepared
by software development managers; and approving the Headquarters DCO and
computer DCOs and DCAs.
0. Office of the Inspector General (OIG)
The OIG is responsible for oversight of TSCA CBI operations, and for conducting
audits and investigations as it deems appropriate. To carry out these
responsibilities, personnel from the OIG investigate cases of alleged
intentional or actual wrongful disclosure of TSCA CBI. Disclosures believed to
have been knowingly and willfully made will be referred to the Department of
Justice, as appropriate. The OIG investigates cases of alleged or actual
wrongful disclosures of TSCA CBI in connection with interagency agreements
(lAGs) developed under Chapter IV of this manual. Personnel from the OIG are
authorized access to all records that are available to the EPA Administrator
and the OD/OTS after all requirements for access to TSCA CBI have been met.
The OIG's Office of Management and Technical Assessment is responsible for
ensuring that National Agency Checks and Inquiries (NACIs) are conducted on
federal employees, as appropriate.
E. Director, Office of Information Resources Management (OIRM)
The Director of the Office of Information Resources Management, Research
Triangle Park, NC, will, upon request, assist Security, IMD, in reviewing
Computer Center Security Plans as specified in OTS Computer Center guidelines;
review and comment on ADP Application Security Plans; and recommend approval or
disapproval to the Director, IMD and assist Security, IMD, in conducting
inspections of computer facilities for compliance with security requirements.
-5-
-------�
F. General Services Branch, Facilities and Support Services Division (GSB,
PSSD)
The General Services Branch is responsible for assisting OPTS in establishing
appropriate written physical security standards for EPA facilities to comply
with the requirements of this manual and for assisting OPTS in inspecting EPA
facilities to ensure that they comply with these established security
standards.
G. Division Directors
Division Directors are responsible for the implementation of the requirements
outlined in this manual within their Divisions. EPA Headquarters Division
Directors may appoint, in writing, DCAs; however, in Regional Offices and
Laboratories, this responsibility may not be delegated to a level lower than
Deputy Regional Administrator or Laboratory Director.
Division Directors are also responsible for requesting TSCA CBI access approval
for their employees and contractor employees. Access may be authorized only on
a need-to-know basis and only for that TSCA CBI required to complete program
responsibilities. Division Directors must request that Security, IMD, remove
names of their employees who no longer require access.
Division Directors must ensure that authorized persons participate in required
annual security training and educational programs, regarding the handling of
TSCA CBI; must take appropriate disciplinary action when any employee fails to
comply with the procedures set forth in this manual and notify the Director,
IMD, of violations and any disciplinary action taken; must refer cases to the
OIG, through the Director, IMD, when there is an alleged wrongful disclosure of
TSCA CBI; and must approve all requests for TSCA CBI that involve the movement
of documents outside an EPA facility.
H. Branch Chiefs
Branch Chiefs are responsible for the implementation of the requirements set
forth in this manual and for ensuring that their employees adhere to the
procedures for handling and protecting TSCA CBI, which includes proper storage
and marking of all records containing TSCA CBI, such as temporary documents,
working papers, and activity logs maintained in the Branch. Branch Chiefs, or
their designees, are responsible for reviewing documents produced within the
Branch in their final form when there is a question as to whether the documents
contain TSCA CBI. Similarly, the sanitizing of staff-produced documents is the
responsibility of Branch Chiefs or their designees.
Branch Chiefs will ensure that their employees are properly approved for access
to TSCA CBI, prior to use of TSCA CBI material.
Branch Chiefs shall also provide a quarterly TSCA CBI security discussion, in
addition to the annual slide presentation, to their employees to ensure a
thorough understanding by all employees of the security requirements and
procedures. Branch Chiefs will ensure that all of their personnel who are
authorized for TSCA CBI access maintain a "current status" with regard to the
annual TSCA CBI security briefing requirement. The date of the last briefing
attended by each person appears on the monthly TSCA CBI Authorized Access List
distributed by Security, IMD, to all DCOs/DCAs.
-6-
-------�
Branch Chiefs will oversee responsible Contract Project Officers to ensure that
contractor employees having access to TSCA CBI for the support of Branch
activities follow the procedures contained in the contractor Requirements for
the Control and Security of TSCA Confidential Business Information manual.
This includes review and concurrence of EPA Form, 7710-15a, Request for
Approval of Contract Access to TSCA Confidential Business Information,
(Appendix XV), prior to inclusion in the extramural package prepared for the
awarding or modification of a contract. The Branch Chief will ensure that all
TSCA CBI documents forwarded to, or produced by, contractors are returned to
the Agency or destroyed at the end of their contract. The Branch Chief will
certify, in writing, to the Director, IMD, that this has been accomplished.
Branch Chiefs will ensure that the Director, IMD, is notified, in writing, of
all other TSCA CBI procedural violations or suspected instances of unauthorized
disclosure of TSCA CBI. Branch Chiefs will also ensure that the Director, IMD,
is notified in writing of any credible derogatory information that is reported
to them which could adversely affect an employee's reliability or suitability
to handle TSCA CBI.
I. Security, Information Management Division (IMD)
Security, IMD, is responsible for recommending EPA policy in security matters
within che framework of these procedures and 40 CFR Part 2. Responsibilities
include interpreting and/or clarifying these procedures as needed to facilitate
their implementation and serving as a consultant to all DCOs/DCAs regarding
these procedures and any other matters relating to che control and security of
TSCA CSI.
Security, IMD, maintains current lists of all DCOs and DCAs and all persons
authorized for general and computer access to TSCA CBI. The Authorized Access
list is distributed monthly by Security, IMD, to all offices requiring approval
for access to TSCA CBI.
Security, IMD, is responsible for conducting initial and annual inspections of
Headquarters, Regional Offices, Laboratory, and contractor and subcontractor
facilities for compliance with the security requirements of this manual and the
Contractor Requirements for the Control and Security of TSCA Confidential
Business Information manual. Based on these inspections, Security, IMD, will
recommend approval or disapproval of these facilities for receipt and storage
of TSCA CBI, and, when appropriate, make recommendations for changes to their
procedures.
Security, IMD, is responsible for conducting reviews of security procedures at
other Federal agencies and inspecting their facilities prior to transfer of any
TSCA CBI to ensure compliance with the security standards set forth in this
manual. Based on the review and inspection, Security, IMD, will recommend
approval or disapproval of security procedures and facilities of other Federal
agencies to the OD/OTS through the Director, IMD.
Security, IMD, is responsible for the investigation of alleged procedural
violations. Security, IMD, will furnish the results of the investigation to
the Director, IMD, for remedial and/or disciplinary action. Security, IMD,
will expeditiously refer to the OIG all allegations involving criminal wrong
doing and will not be conducting criminal investigations concerning EPA
matters.
-7-
-------�
J. EPA PROJECT OFFICERS
EPA Project Officers are the principal link between the EPA program office and
contractor personnel. Specifically, their duties include: completion of EPA
Form, 7710-15a, Request for Approval of Contractor Access to TSCA Confidential
Business Information, (Appendix XV), for inclusion in the extramural package
prepared for the awarding or modification of a contract; preparation of the
Federal Register notice regarding transfer of TSCA CBI to a contractor or
subcontractor; and review of authorized access forms for contractor
employees. The Project Officer must notify Security, IMD, upon awarding of the
contract since inspection of the contractor facility must be completed before
any transfer of data may occur. When a contract ends, the Project Officer must
verify that all TSCA CBI documents are accounted for and that all user logs,
destruction logs, and green cover sheets are returned to EPA Headquarters along
with the TSCA CBI documents.
K. Document Control Officers and Document Control Assistants
1 . Headquarters
(a) Document Control Officer Specific Duties
The TSCA Document Control Officer and Document Control Office staff are a part
of the Chemical Information Branch, Information Management Division, OTS. The
DCO is responsible for the receipt, initial processing, reproduction
distribution, control, and destruction of all TSCA Confidential Business
Information submissions and for all support documents, including computer
printouts, produced both internally and outside the Agency under TSCA. The DCO
establishes and maintains the official TSCA CBI files for all submissions and
support documents. All documents to be included in these files must first be
assigned a Document Control Number (DCN) which may only be assigned by the OTS
DCO staff. This number is computer-generated at the time the DCO staff enters
the document into the OTS Document Tracking System. Any numbers not assigned
by the DCO staff will be considered invalid and may not be used for tracking or
identification purposes.
The DCO is available to brief Document Control Assistants (DCAs) on their
responsibilities, and to assist them in establishing logs and tracking systems
which will best fit their needs while remaining in compliance with the TSCA
Confidential Business Information Security manual and the Contractor
Requirements for the Control and Security of TSCA Confidential Business
Information manual.
The reproduction of any documents containing a DCN must be done by the DCO
staff, who will log the copy into the OTS DTS, and begin document tracking by
assigning it to the requestor.
The destruction of any documents containing a DCN must be done by the DCO
staff, who will make the proper notation in the OTS DTS and have the document
shredded in accordance with the procedures in this manual. (III. G. 2)
-8-
-------�
The DCO also provides document control and handling services to those EPA
offices which do not have a DCA. The DCO may furnish TSCA CBI to other Federal
agencies, in accordance with established procedures, which are authorized by
the OD/OTS to receive the information.
(b) Document Control Assistant Specific Duties
Document Control Assistants are appointed to individual offices as the need
arises to aid in the control and handling of TSCA CBI documents. These
appointments, made by the appropriate Division Director and subject to approval
by Security, IMD, are followed with a briefing by the DCO.
DCAs are responsible for the safeguarding of all TSCA CBI documents logged out
to their offices. This includes maintaining a log and tracking all internally
produced documents, except working drafts, which are to be circulated among the
immediate staff and outside the office for review and comments. (If these
documents are to eventually become part of the official file, the DCO will
assign the DCN at the time the documents are delivered to the DCO staff.)
The reproduction and destruction of internally produced documents to which the
DCA has assigned an interim number for tracking must be done by the DCA, with
the proper notation in the DCA log.
(c) DCO/DCA Joint Duties
The DCO and DCAs are responsible for attaching the properly completed EPA Form
7710-6, green TSCA CONFIDENTIAL BUSINESS INFORMATION cover sheet to each TSCA
CBI document logged into their offices. The first page, last page and each
page containing TSCA CBI of the document must be identified as TSCA CBI. All
TSCA CBI logs must'be marked and treated as TSCA CBI. Before releasing TSCA
CBI to anyone, the DCO/DCA must verify that the recipient is on the Authorized
Access List and has proper secure facilities in which to store the document.
A receipt log must be maintained to ensure that any TSCA CBI data sent via
cleared courier, US Postal Service, Registered or Express Mail has been
received by the addressee.
The DCO/DCAs must maintain a current list of persons authorized access to TSCA
CBI in their areas. They are responsible for transmitting any staff changes to
Security, IMD, by making the appropriate notations on the monthly computer
printout supplied to them by Security, IMD.
2. Regional & Laboratory DCO/DCAs
In the Regional Offices or Laboratories, the Document Control Officer is
appointed by the Deputy Regional Administrator or Laboratory Director. This
responsibility may not be delegated to a lower level. The Regional or
Laboratory DCO is responsible for the receipt, initial processing, distribution
and control of all TSCA CBI received by his/her office including computer
printouts and floppy disks to ensure compliance with the TSCA Confidential
Business Information Security Manual.
The DCO/DCA maintains all files for TSCA CBI and is responsible for assigning
document control numbers to TSCA CBI documents internally produced or received
from other offices which did not previously have them assigned, and establishes
-9-
-------�
logs and tracking systems to ensure accountability for all TSCA CBI documents
received by the office.
The DCO/DCA conducts annual security briefings of all personnel authorized for
access to TSCA CBI in his/her office and provides assistance in the control and
handling of TSCA CBI to maintain compliance with the TSCA Security Manual.
The DCO/DCA is responsible for the completion or forms required to request
access to TSCA CBI and is responsible for maintaining the authorized access
list for the office and notifying Security, IMD, of additions or deletions by
the 20th day of each month.
L. EPA Bnployees
EPA employees are responsible for the control and security of all TSCA CBI
received by them. They may discuss TSCA CBI only with authorized personnel and
safeguard TSCA CBI when it is in use, as specified in Chapter III.E. Employees
shall not discuss TSCA CBI over the telephone except as authorized by Chapter
III.E.3. When working with a submitter representative, EPA employees must
verify his/her identity before discussing any of the company's previously
submitted TSCA CBI.
Employees who are not located in an open storage area and who have TSCA CBI in
their possession must place it in approved storage containers when it is not in
use and at the close of each business day. (III.D.I.) They must also
safeguard the combinations to locks, safes, and rooms in which TSCA CBI is
located. Knowledge of combinations shall be limited, and the combination will
be given only to those persons who are authorized for access to TSCA CBI stored
therein.
Employees authorized for computer access are responsible for keeping their
passwords confidential and ensuring they are changed frequently. Failure to
comply may result in having computer access revoked.
Employees must immediately report any alleged violation of TSCA CBI Security
procedures to their immediate supervisor.
-10-
-------�
III. PROCEDURES FOR HANDLING
TSCA CONFIDENTIAL BUSINESS INFORMATION
A. Introduction
Under Section 14 of the Toxic Substances Control Act (TSCA), information
submitted to EPA may be claimed as TSCA CBI whether it is in the form in which
it was submitted or it appears in internally produced documents such as memos,
notes, drafts, telephone logs, computer printouts, or in any other form.
Information claimed as confidential must be protected pursuant to the
procedures outlined below.
Any physical form of the TSCA CBI must be entered into the Document Tracking
System or TSCA CBI inventory log. It must be assigned a document control
number, be stamped "TSCA Confidential Business Information.... Does not
contain National Security Information (E.G. 12065)" on the first and back page
of the document and each page actually containing TSCA CBI, and have a green
cover sheet, EPA Form 7710-6, attached. The green cover sheet must contain the
name of the DCO, the document control number, and the date of receipt of the
original document. Copies of documents must also bear the copy number, i.e., 1
of 3, etc.
TSCA CBI may be released, through the DCO/DCA, only to persons authorized
access to TSCA CBI and having a "need to know" the contents of the documents.
When an authorized person obtains TSCA CBI, he/she shall sign the green
document cover sheet giving his/her name, identification number (Social
Security number or EPA badge number) and the date. If a person uses the same
TSCA CBI document more than once, it is only necessary for that person to sign
the cover sheet the first time the document is logged out. Documents must be
charged out on the Document Tracking System or logged out each time the
document is removed from the custody of the DCO.
Within EPA, program offices, Regional offices, and Laboratories may develop
security procedures to meet their individual needs. Such procedures must meet
the standards contained in this TSCA Confidential Business Information Security
Manual and must be approved by the Director, IMD. If requested, Security, IMD,
staff will advise and assist offices in developing such procedures. However,
this policy does not apply to computer security procedures. Individual offices
may not develop their own computer security procedures.
B. Forms Required for Implementation of TSCA CBI Security Procedures
The forms required for the implementation of these procedures include the
Inventory Log (Appendix II); the User Sign-Out Log (Appendix III); the
Destruction Log (Appendix IV); the Contractor/Subcontractor Sign-Out Log
(Appendix V); and the Federal Agency, Congress, and Federal Court Sign-Out Log
(Appendix VI). Individual offices may design different logging systems to meet
their specific needs; however, such logs must contain the same information
required in the basic OTS logs contained in this manual.
-11-
-------�
Other forms used in implementing these procedures are:
o Confidentiality Agreement for United States Employees Upon Termi-
nation or Transfer (Appendix X).
o TSCA Confidential Business Information Cover Sheet (Appendix IX).
o Request for Authorized Access to TSCA CBI (Appendix VII).
o Request for TSCA CBI Computer Access Approval (Appendix VIII)
o TSCA Confidential Business Information Meeting Sign-In Sheet
(Appendix XII).
o Federal Register Notice re: Transfer of Confidential Information
to a Contractor (Appendix XIII).
C. Obtaining TSCA CBI Documents
Persons authorized access to TSCA CBI may obtain a TSCA CBI document by
requesting the document from the appropriate DCO/DCA who will verify that the
requester is on the TSCA CBI Authorized Access List. The DCO/DCA will then
obtain the document from either local secure storage, another DCO, or an
authorized computer facility.
If the requester has access to an approved storage cabinet, or works in an
approved open shelf storage area, he/she may check the document out for a
maximum of 90 days, renewable at the discretion of the DCO/DCA; otherwise, the
document must be returned to the DCO/DCA by close of business the same day it
is logged out. Certain permanent records and logs containing TSCA CBI may be
exempted from the 90-day requirement and may be charged out to an individual on
an indefinite basis by the DCO. An annual inventory by the DCO is required of
these records.
Persons authorized for computer access to TSCA CBI for the purpose of reading
and modifying data may request from the Chief, Data Management Branch the use
of terminals connected to the TSCA CBI computer. These terminals are located
in secured areas and have encrypted telecommunication lines. Access for
computer use may also be verified through the TSCA CBI Authorized Access List.
D. Storage
1. At EPA Facility
(a) Required Storage
When not in use and/or at the close of each business day, TSCA CBI must be
returned to an approved TSCA CBI container. Approved containers are a file
cabinet with a bar lock and three-way changeable lock, or GSA approved Class 6
security container. The containers must have an EPA Form 1480-12,
Safe/Cabinet Security Check Sheet (Appendix XIV), to indicate opening and
closing as well as when checked.
-12-
-------�
(b) Open Storage
When justified by the volume of TSCA CBI, and the continuous daily use of TSCA
CBI, the Director, IMD, may authorize "open shelf" document storage facilities
provided they are inspected prior to use by Security, IMD. The following
security devices must be installed and be operational:
o Changeable push-button door lock, or
o Electronic Card Entry System and
o Pin tumbler door lock, and
o Intrusion alarm.
Combinations to containers and/or rooms where TSCA CBI is stored may be issued
only to authorized persons with a need to review the TSCA CBI file documents.
Combinations must be changed once a year or each time a person who knows the
combination terminates or transfers employment, or no longer requires access.
Instructions and assistance for changing the combinations are available from
Security, IMD, and the General Services Branch. The appropriate DCO must be
notified of any changed combinations. Security, IMD, should also be notified
and will notify the General Services Branch who will enter the changes into the
Agency's master system.
Employees who are issued electronic card entry identification badges must not
loan their card to any other employee to gain access to secured areas.
Employees having an entry card shall use their card each time they enter a card
entry secured area.
(c) Multiple User Container Storage
When warranted, a bar lock cabinet with multiple drawers may be used by
individuals to maintain TSCA CBI material. Each person using the cabinet is
assigned space in which to store TSCA CBI in their charge and are responsible
for safeguarding any TSCA CBI they place in the cabinet.
2. When Traveling
With the approval of a Division Director, TSCA CBI may be taken home by EPA
employees prior to a trip when it would be impractical to return to the office
to pick up the TSCA CBI material. Employees must keep the TSCA CBI in their
personal possession at all times. TSCA CBI must be double wrapped in
accordance with procedures outlined in III. F. 2 prior to being removed from
the office.
(a) When traveling by plane or other public conveyance, employees
must keep TSCA CBI in their possession and may not check it
with their luggage.
(b) When an employee is traveling with TSCA CBI (including
samples) and is unable to deliver or ship the TSCA CBI to an
authorized facility, TSCA CBI may be stored (for as short a
period as possible) inside the locked trunk of a motor
-13-
-------�
vehicle. A storage area that allows visual access, such as a
hatchback, is not acceptable.
(c) TSCA CBI may be stored in hotel safes, but a receipt must
be obtained from the management.
E. Safeguards During Use
TSCA CBI must be protected at all times. When not stored, TSCA CBI must be
kept under the constant surveillance of an authorized person who is able to
maintain personal control over the material. It must be covered, turned face
down, placed in approved storage containers, or otherwise protected when
unauthorized persons are present. When not in use, and at the close of each
business day, TSCA CBI must be returned to approved storage containers, unless
being used in an approved open storage area.
Employees may discuss TSCA CBI only with other authorized persons. To transfer
custody of a TSCA CBI document to another authorized person, an employee must
go through the local DCO/DCA or, within a DCO's area of responsibility, use a
Loan Receipt for TSCA CBI (Appendix XVI). The Loan Receipt must be given to
the DCO/DCA and the leaner should retain a copy. The recipient must also sign
the cover sheet if he/she has not signed it previously.
1. Secretarial Procedures
Only persons listed on the TSCA CBI Authorized Access List may type or edit
documents that contain TSCA CBI. At all times the typist must safeguard the
original, all "mag" cards, floppy disks, diskettes, or other recording media,
one-time carbon ribbons, drafts, scratch paper, notes, carbon sets, and any
other materials containing TSCA CBI. The typist must sign the green cover
sheet when obtaining the TSCA CBI from the originator and require the
originator to sign the green cover sheet attached to the completed typed
document when receiving the TSCA CBI. TSCA CBI may not be stored on hard disks
unless approved in advance by Security, IMD.
When typing documents containing TSCA CBI, the typist must take all reasonable
measures to ensure that no unauthorized person can see or otherwise gain access
to what is being typed. If the keyboard and printer are separate units, both
must be under the direct control of the user. If the processing unit has
internal storage capability, the memory (fixed disk storage utility) must be
cleared after the TSCA CBI is typed. Any machine which contains internal
memory and is used to type TSCA CBI must be approved in writing by Security,
IMD, prior to use.
Whenever it is necessary to stop typing before a task is finished (at lunchtime
or at the end of the day, for example), unless working in an approved open
storage area, the typist must take all materials that contain TSCA CBI back to
the author for safeguarding or lock them up in an approved storage container.
The typist shall check to be sure that he/she has left nothing on the desk or
in the typewriter, word-processor, personal computer, etc., that might permit
the inadvertent unauthorized disclosure of TSCA CBI. TSCA CBI may never be
stored in a desk, locked or otherwise. When the typing is completed, the
typist must sign the green cover sheet and take the original and all other
materials, which may include scrap paper and discarded drafts, to the author,
-14-
-------�
who will in turn take them to the DCO/DCA. The DCO/DCA will enter the final
version into the document control system and destroy all other materials.
Word processing disks used to type TSCA CBI must be dedicated only to TSCA CBI
use and must be protected as TSCA CBI and secured in approved storage
cabinets. They may not be written over for non-CBI use.
When disks become damaged or worn and are no longer usable, they must be
destroyed by shredding under the supervision of a DCO/DCA.
2. Incoming Mail from Outside Firms
TSCA CBI should be transmitted to EPA by registered mail, return receipt
requested, in a double envelope. The inner envelope should be addressed speci-
fically to the appropriate DCO/DCA with the following additional wording on the
front: "TSCA Confidential Business Information—To Be Opened By Addressee
Only." The outer envelope should be addressed to the appropriate DCO/DCA with-
out the additional wording. Any incoming mail so addressed must be immediately
taken to the appropriate DCO/DCA. TSCA CBI mailed to EPA Headquarters should
be addressed as follows:
Document Control Office
Information Management Division
Office of Toxic Substances (TS-793)
Environmental Protection Agency
401 M Street, S.W.
Washington, D.C. 20460
TSCA CBI documents should be clearly marked "TSCA Confidential" by the
submitter on the first page of the document.
Employees are responsible for safeguarding any unlogged TSCA CBI in their pos-
session. Any TSCA correspondence that is marked "Confidential," "proprietary
information," "company secret," etc., or otherwise contains a request for
confidential treatment, must be immediately taken to the appropriate DCO/DCA.
Also, whenever an employee becomes aware that correspondence may contain TSCA
CBI, whether it has been properly designated or not, the employee must take it
immediately to the appropriate DCO/DCA. If the DCO/DCA is not available, the
TSCA CBI must be secured, in accordance with III.D., until he/she is available.
3. Telephone Calls
TSCA CBI authorized EPA employees may discuss TSCA CBI over the telephone with
other persons authorized for access to TSCA CBI. Before beginning the
conversation, the EPA employees must verify, by contacting their DCO/DCA or
Security, IMD, that the other person is authorized for access and must also
indicate to the other party at what point in the conversation TSCA CBI is to be
discussed.
with the permission of the submitter representative and after verifying his/her
identity, authorized EPA employees may discuss TSCA CBI over the telephone with
the submitter. If submitters discuss TSCA CBI over the telephone, employees
shall advise them that the EPA phone lines are unsecured and that discussion of
TSCA CBI is at the discretion of the submitter.
-15-
-------�
With the permission of the submitter representative, TSCA CBI may be
transmitted electronically between EPA and a submitter through communications
lines (e.g., by telecopier). When an EPA employee requests additional
information over the telephone from a submitter, the EPA employee should inform
the submitter that the additional information discussed may be claimed as TSCA
CBI. A telephone contact report (Appendix XI) should be filled out noting the
additional claim and placed in the original document file. The submitter must
also confirm, in writing to the DCO, the request to claim any additional
information TSCA CBI.
4. Meetings
Before convening any meeting, symposium, panel discussion, or seminar at which
TSCA CBI will be discussed, the chairperson will verify that all attendees are
authorized for access using the monthly authorized access list and shall
provide a TSCA CBI Meeting Sign-In Sheet (Appendix XII) which all attendees
must sign. The chairperson will give the sign-in sheet to the DCO for
inclusion in the original document files. This sheet will contain the document
tracking system numbers for all TSCA CBI documents available at the meeting.
When copies of several documents are distributed at a meeting, they may be
incorporated into one package and the package numbered with a copy control
number. Each person attending a meeting of this type will sign the meeting
sheet and indicate on the sheet the copy number of the package of TSCA CBI
documents received by them. The meeting sheet will also have the Document
Tracking System or Document Control numbers for all TSCA CBI documents
discussed or available at the meeting. It is the responsibility of the
chairperson to retrieve all TSCA CBI documents and copies distributed at the
meeting and to return these TSCA CBI copies to the DCO for destruction or
storage. An attendee cannot retain a document package; it must be returned to
the DCO and may then be logged out to that person. A copy of the meeting sheet
will be attached to the master file copy of each document listed on the meeting
sheet. It is not necessary for the attendees to sign the green cover sheet of
each TSCA CBI document used in the meeting; however, the chairperson will sign
the green cover sheet of each original document used, indicating his
organization, the meeting date, and add the statement "see meeting sheet."
No recording, audio or visual, is to be made of the meeting unless the
chairperson has authorized it. If authorized, the recording must be treated as
TSCA CBI, delivered to the DCO, and entered into the document control system.
The meeting room shall be cleared of all TSCA CBI after the meeting by the
chairperson. This includes cleaning all chalkboards, destroying, by approved
methods (III.G.2), all tear sheets and other notes, and ensuring that nothing
is left in the room that could lead to the unauthorized disclosure of TSCA
CBI.
When notes containing TSCA CBI are taken from a document, at a meeting, or from
any other source, the notes must be protected as TSCA CBI. If the notes are to
be circulated to other authorized persons, they must be entered into the
document control system. The taking of notes is discouraged and should be kept
to a practical minimum.
-16-
-------�
5. Lost or Unaccounted-for Documents
When a TSCA CBI document is lost or cannot be accounted for, the employee
discovering the loss must notify his/her Section Head, who will notify the
Branch Chief of the loss. The Branch Chief must in turn notify the Division
Director if the loss is verified or the document cannot be located. If the
document is not found or accounted for within 2 working days after such
discovery, the Branch Chief must notify, in writing, the Director, IMD. An
investigation will be initiated by Security, IMD.
P. Transmittal
1 . Within an EPA Facility
Within an EPA facility, TSCA CBI must be hand-delivered, by one authorized
person to another. At no time may TSCA CBI be transmitted through the
interoffice mailing system.
2. Outside an EPA Facility
TSCA CBI transmitted by mail from EPA must be sent registered mail, return
receipt requested, in a double envelope. The inner envelope must contain the
name and address of the recipient with the following additional wording on the
front: "TSCA Confidential Business Information—To Be Opened By Addressee
Only." The outer envelope will have only the recipient's name and address
without the additional wording.
In emergency situations, when registered mail would not meet required delivery
schedules, Express Mail of the U.S. Postal Service, return receipt requested,
or a private courier service, may be utilized. If a private courier service is
used, it must provide the same level of receipt control as registered mail
(each person handling the document must sign for it). A Division Director must
provide the DCO, IMD, with written approval for the use of Express Mail. A
return receipt, listing DCO's date of receipt and signature of addressees, must
be included inside the inner package or envelope.
Samples, such as those collected during a TSCA inspection, which are claimed to
be TSCA CBI, shall be placed in a sealed package or container and the seal
•narked "TSCA Confidential Business Information." Such samples shall be
delivered or shipped as soon as possible to the appropriate DCO/DCA. If
immediate shipping or delivery is not possible, as when an employee is
traveling, the sample shall be safeguarded as prescribed in III.D.2.
Authorized persons may hand-carry TSCA CBI to other EPA facilities or to per-
sons outside EPA, provided that the dispatching DCO maintains a transfer record
and obtains a receipt from the DCO/DCA at the facility receiving the
information. TSCA CBI being hand-carried shall be double-wrapped, as discussed
in III.F.2 above.
When circumstances warrant, and with the approval of the Director, IMD, special
arrangements may be made for transporting of TSCA CBI within a local area,
e.g., the Washington, D.C., metropolitan area.
-1 7-
-------�
G. Reproduction/Destruction
1 . Reproduction
TSCA CBI should only be reproduced in a secured TSCA CBI copy center. When
equipment failure makes duplicating in a secured area impossible, copies may be
made on a non-CBI machine, provided that the room is first cleared of all
persons who are not authorized for access to TSCA CBI. When making copies on a
non-CBI machine, the user must ensure that all waste copies are retrieved and
taken to a DCO/DCA for destruction and that the machine is run in a blank mode
several times to ensure that the image surfaces of the machine do not retain
TSCA CBI and reproduce the data on subsequent copies.
If the machine breaks down during use, the user must ensure that all copies of
the page being duplicated at the time of the breakdown are removed from the
machine. This may require the assistance of a duplicating machine operator.
If assistance is required, the user must either lock the room or have a person
authorized for access to TSCA CBI in attendance to safeguard any TSCA CBI
caught in the machine. With the exception of working paper and draft copies,
the DCO/DCA shall enter all copies into the Document Tracking System or
inventory log for document control.
In certain cases, additional copies, including the green cover sheet, of a TSCA
CBI document may be made by the DCO for use at a meeting or for some other
reason. In these instances the date and a copy control number will be placed
on each copy of the document and a blank green TSCA CBI cover sheet, EPA Form
7710-6, will be affixed to the front of each copy. It is the responsibility of
the person requesting these copies to ensure that all copies are retrieved and
returned to the DCO for destruction within 30 days.
2. Destruction
TSCA CBI documents may be destroyed when they are no longer needed. However,
destruction must be:
a. Under the supervision of a DCO/DCA;
b. By shredding; and
c. Noted in a destruction log.
The DCO/DCA must remove the green cover sheet, EPA Form 7710-6, make a notation
of the destruction date and the name of the person who destroyed the document
on the cover sheet as well as in the destruction log. In addition, the
Inventory Log, EPA Form 7710-10, should also show the destruction of the
document.
Regional offices, laboratories, contractors, and program offices located
outside the Office of Toxic Substances must maintain the destruction log and
green cover sheets in order that all documents may be accounted for during
inventory or document reconciliation.
-18-
-------�
TSCA CBI documents destroyed within OTS at EPA Headquarters must be destroyed
under the supervision of the DCO, IMD, who will remove the green cover sheet
for attachment to the original document file and record the destruction in the
destruction log and the inventory log.
The destruction log and green cover sheets provide the last step of an audit
trail in accounting for all TSCA CBI documents. They must not be destroyed,
and it is essential that they be maintained in accordance with procedures
outlined above.
H. Photographs
Whenever it is necessary for an EPA employee to take photographs that contain
TSCA CBI, such as during a TSCA inspection, either an "instant" camera must be
used or the 35 mm film must be processed by an authorized lab. The 35mm CBI
film is supplied by and processed at the Environmental Photographic
Interpretation Center in Warrenton, VA. Document Control Officers may request
up to 10 rolls of the film (It may be stored in a freezer until needed) from
the Center and return it directly to the Center for processing. The exposed
film must be mailed in accordance with procedures for transmitting TSCA CBI.
Requests -nay be directed to:
Chief
EPA, Environmental Photographic Interpretation Center
Vint Hill Farms
Warrenton, VA 22186
I. Retiring of Documents
When TSCA CBI documents are to be retired for legal, historical, or reference
purposes, they shall be shipped to the Federal Records Center in accordance
with the procedures in Chapter 3, "Disposition of Records," of the EPA Records
Management Manual. Prior to shipment, Regional and Field installations will
notify Security, IMD, in writing, of their intent to retire documents to the
Federal Records Center.
J. Remote Terminals
1. Terminals used as input/output devices with print capability
remote from the TSCA CBI ADP Facility will be located in secured
areas. These areas will be secured during non-duty hours using a
Group I combination lock and will be equipped with an approved
intrusion alarm.
2. User terminals without print capability must also be located in
secured areas. During non-duty hours, the area will also be
secured using a Group I combination lock.
3. Unsupervised access to terminal areas will be limited to persons
with TSCA CBI computer access authorization.
-19-
-------�
4. Remote terminals and lines will be secured in one of the following
methods:
a. In conduit from the terminal to the TSCA CBI Computer
Facility, or
b. By means of encrypted telecommunication lines which have been
inspected prior to operation by Security, IMD.
K. Personal Computers (PCs)
Personal Computers are authorized for processing of TSCA CBI data subject to
the following provisions.
1. Policy for Storage of TSCA CBI Data on PC Storage Media.
a. Hard disks
If the PC is located in an approved secure area (III. D.1.b.) TSCA
CBI data may be temporarily stored on hard disk; however, the data
should be cleared immediately after use. If the PC is not located
in an approved TSCA CBI area, TSCA CBI data may not be stored on a
hard disk.
b. Floppy disks
TSCA CBI may be stored on color-coded floppy disks specifically
approved for TSCA CBI use. An "approved" floppy disk is one that
is solid green and/or enclosed in a green jacket and is identified
with a bar code label or DCN. At EPA Headquarters, floppy disks
for TSCA CBI use must be logged out from the DCO, IMD. DCOs
located outside of OTS may request TSCA CBI green disks from the
DCO, IMD. The floppy disk must remain under the personal control
of the user, and he/she will be fully responsible for the
safeguarding of the disk as TSCA CBI data. A TSCA CBI green
floppy disk may not be removed from an EPA facility. When the
green disks are no longer required or are damaged, they will be
returned to the DCO, IMD, for initialization (overwriting) and re-
issue or destruction.
2. "Downloading" TSCA CBI data.
a. Downloading, the transfer of data from the IBM 4341 mainframe to a
PC, will only occur to a PC located in a secured TSCA CBI area
(III. D.1.b) so that data is properly encrypted during
transmission.
3. Printing of TSCA CBI Data on PC Printers.
a. All hardcopy will be printed on TSCA CBI approved paper. TSCA CBI
computer paper can be obtained from the DCO, IMD, or the computer
DCO at Research Triangle Park, NC. All hardcopy obtained from a
PC must be treated as TSCA CBI in accordance with procedures
outlined in this chapter for handling both permanent and temporary
TSCA CBI documents. (III. D., III. E., and III. N.)
-20-
-------�
4. Use of TSCA CBI on a PC
a. It is the user's responsibility to safeguard TSCA CBI data on
terminal screens, hardcopy, etc., from unauthorized disclosure.
b. Once TSCA CBI data has been placed on the PC, the user must remain
in control of the PC and printer. If the user must leave the
area, the TSCA CBI session must be properly terminated.
c. At the termination of a session, all temporary files on hard
disk must be cleared. Proper system log-off will be verified by
the user. The floppy disk will be removed from the machine, and
any hardcopy will be safeguarded as a TSCA CBI document. The PC
will be powered "OFF" and cleared of TSCA CBI data after a TSCA
CBI session even if it is to be immediately used by another person
in the TSCA CBI mode.
L. Internally Produced Documents and Declassification of Bardcopy and Magnetic
Media
Internally produced documents, magnetic media, and computer printouts developed
from documents or data bases containing TSCA CBI, are the responsibility of the
originator. Final versions of documents containing TSCA CBI will be
immediately taken to the DCO for marking and entry into the TSCA CBI control
system.
1. Printout Declassification
vlien the document is a printout from a computer system containing TSCA CBI, the
printout will be on color coded TSCA CBI paper and will be entered into the
appropriate log by the DCO/DCA. If, after careful review by the requester, it
is determined that no TSCA CBI is contained in the printout, the requester will
enter a statement at the top of the printout stating "Contains No TSCA CBI" and
affix his/her signature and the date. After the originator certifies that the
printout contains no TSCA CBI, the DCO will indicate this on the log entry for
the printout, thus releasing the printout from TSCA CBI control.
2. Magnetic Tape Declassification and Transfer
Contractors or other users who need to transfer programs or source code from a
TSCA CBI computer to a non-CBl environment shall submit a written request to
the Data Management Branch (DMB). The request shall include the requester's
name and organization, the purpose of the transfer, and a list of the files,
directories or programs needed.
DMB will review and approve or disapprove the transfer request. If the
transfer is approved, the following steps will be performed.
DMB will ask the Data Center CBI Operations Staff to prepare a degaussed
(erased) tape for use as the transfer media, and will inform DMB of the TSCA
CBI tape number.
-21-
-------�
DMB will execute the programs necessary to copy the requested files or programs
to the degaussed tape.
Following creation of the tape, DMB will execute a program which will read the
tape and print a formatted listing of all of the files on the tape. This
listing will be printed on the printer located in the CBI Computer Room at
Research Triangle Park or in the CBIC Center at Headquarters.
The Data Center CBI Staff will pack and ship the listing, in accordance with
procedures for shipping TSCA CBI data, to the Chief Information Control Section
(ICS), Chemical Information Branch. ICS/CIB will log the listing as a TSCA CBI
Document and turn it over to the Chief, DMB.
DMB will review the listing to verify that the correct files and programs were
written on the tape and that the tape contains no TSCA CBI Data. Upon
satisfactory completion of the verification process, DMB will notify Security,
IMD, that the tape contains no TSCA CBI data.
Security, IMD, will notify the Data Center DCO that the tape may be transferred
to a non-CBI environment.
Under the supervision of the Data Center DCO, the Data Center staff will remove
the tape from the CBI computer room, assign a non-CBI (Foreign) tape number,
and inform DMB of the new tape number. The Data Center DCO will maintain a
record of all tape declassifications and transfers.
3. Hardcopy Declassification
When the information in a document has been claimed as TSCA CBI by the
submitter, but, with written approval by the submitter, is now to be removed
from TSCA CBI control and treated as non-CBI, the document must be submitted to
the DCO who will certify, in writing, the reason the information no longer
requires TSCA CBI protection. The document and DCO certification will be
submitted to the Chief, Chemical Information Branch, or his/her designee, who
will have the authority to declassify the information and remove it from
further TSCA CBI control. The green cover sheet must be retained for audit
purposes and a notation of the date of declassification and the name of the
person authorizing the declassification made on the green cover sheet and
document control log.
In cases where the declassified information still appears in the document file
or in other documents as TSCA CBI, the DCO will initiate action to remove the
information from TSCA CBI control in all other documents where it appears, and
a notation and the declassification papers will be placed in the source
document. If the information is contained in a TSCA CBI computer system, such
as TDIS, or DTS, the Chief, DMB, or his/her designee will have the authority to
declassify the information and will initiate action to remove the confidential
designation from all systems in which it appears.
M. Retaining Logs
All TSCA CBI logs shall be retained for at least 5 years from date of last
entry in secure storage. When these logs are inactive and are no longer needed
by the originating office, they will be delivered to the DCO, IMD for
retention.
-22-
-------�
N. Drafts and Temporary Internal Documents
A temporary document is a working report which is to be incorporated into
another TSCA CBI document or discarded within 30 days of origination. Because
of its temporary nature, it does not have to be assigned a document control
number. It must, however, be dated, have a green cover sheet attached and be
protected as TSCA CBI. It is the responsibility of the originator to protect
the document and to take it to a DCO for destruction when the information has
been incorporated into the final TSCA CBI document or is no longer needed. If
the temporary document remains in existence after 30 days, it must be given a
document control number and be entered into the document tracking system or
inventory log.
Multiple drafts of a report which contains TSCA CBI may be prepared and
circulated before the report is finalized. In these instances the originator
of the drafts is responsible for retrieving and delivering them to the DCO/DCA
for destruction within 30 days of the date of origination. The first draft
will be assigned a document control number and will be numbered for
accountability and marked as 1st Draft. Later versions will use the same
control number but will be marked as 2nd Draft, 3rd Draft, etc. Each copy of
the reproduced draft and the original must be dated and have a green cover
sheet attached for visual identification as TSCA CBI.
O. Annual Inventory
On an annual basis or when directed by Security, IMD, every person shall make a
physical inventory and accounting of all TSCA CBI records in his/her possession
including those charged out on an indefinite basis or for longer than a 90-day
period. The inventory shall consist of a review of items listed in the
Document Tracking System or inventory log as charged to the office, other than
those on a temporary 90-day basis. The inventory shall include an examination
of the evidence of proper disposition of records (certification of destruction,
etc.). A report will be submitted indicating successful completion of the
inventory and listing all discrepancies discovered, if any. This report will
be forwarded to Security, IMD, within 30 days after completion of the
inventory.
P. Reconciliation of Documents
1 . When DCOs Change
When a Document Control Officer terminates or transfers employment and a new
DCO is assigned, all TSCA CBI documents must be accounted for before the change
occurs.
Reconciliation must be made by visual inspection against the user sign out log
to ensure that the documents are actually located in the files.
If the document has been logged out, the person to whom it is logged out must
verify that the document is in his/her possession.
-23-
-------�
If the document has been transmitted to EPA Headquarters, for instance, a
return receipt must be on file verifying transmittal.
If the document has been destroyed, an entry must be made in the destruction
log to indicate the date of destruction. The green cover sheet must also be
removed from the document and retained. Green cover sheets may not be
destroyed.
2. When a Contract Ends
When an EPA contract requiring access to TSCA CBI ends, the TSCA CBI documents,
user logs, destruction logs and green cover sheets must be reconciled by the
Contractor DCO and returned with the documentation to the EPA Headquarters DCO.
The EPA Project Officer and the Headquarters DCO will verify that all documents
are accounted for, and, if the documents are originals, will ensure that they
are placed in the original document file.
If they are copies of documents already on file at EPA Headquarters, they may
be destroyed in accordance with procedures outlined in this manual.
-24-
-------�
IV. SECURITY REQUIREMENTS FOR OTHER FEDERAL
AGENCIES OR CONGRESS
A. Purpose
This section sets forth the circumstances and procedures under which EPA may
provide access to TSCA CBI to employees of other Federal agencies or to
Congress.
B. Policy
Section 14(a)(1) of TSCA authorizes EPA to furnish TSCA CBI to other Federal
agencies with responsibilities under any law for the protection of health or
the environment or for specific law enforcement purposes. EPA will furnish
such TSCA CBI provided that the other agency meets the statutory eligibility
requirements, is able and willing to meet prescribed standards for ensuring the
security of the information, and agrees to treat the information as
confidential in accordance with EPA's regulations on Confidentiality of
Business Information in 40 CFR Part 2. 40 CFR 2.209, made applicable to TSCA
CBI through 40 CFR 2,306, requires other agencies to request access to TSCA CBI
and to state the official purpose for which the information is needed.
However, EPA may provide such access without a written request if EPA
determines that such disclosure is necessary for the other agency to carry out
a function on behalf of EPA, or when ordered by a Federal court. Authorization
will be strictly limited to only that information required to fulfill the need.
Section 14(e) of TSCA authorizes EPA to furnish TSCA CBI to a committee of
Congress upon written request of the committee. 40 CFR 2.209(b), through 40
CFR 2.306, outlines procedures to be followed in disclosing TSCA CBI to
Congress.
C. Procedures for Answering Requests
Any EPA office that receives a written request from another Federal agency for
access to TSCA CBI must refer the request to the Director, OTS.
The OD/OTS or his/her designee must first evaluate the purpose for access. If
it is determined that the stated need relates to the other agency's duties
under a law for the protection of health or the environment or for specific law
enforcement purposes, access to TSCA CBI may be provided. The OD/OTS must
ensure that the other agency has agreed to keep the information confidential in
accordance with the requirements of 40 CFR Part 2 and this manual.
If the other Federal agency has met the requirements of the statute and 40 CFR
Part 2, and needs to remove TSCA CBI from EPA to its own premises, the OD/OTS
will require the other agency to develop security procedures for the protection
of the information. The procedures must provide at least the same degree of
security as is provided by this manual and include a requirement for obtaining
signed copies of the Request for TSCA CBI Access Approval form (Appendix VII)
from each agency employee who will have access and the Confidentiality
Agreement for United States Employees Upon Termination or Transfer (Appendix X)
from each employee who terminates or transfers employment. Copies of these
-25-
-------�
agreements should be forwarded to Security, IMD, to keep the authorized access
list current. (These requirements do not apply to Department of Justice
employees described in Section E below.)
If the other Federal agency requests access to TSCA CBI only on EPA premises
and has met the requirements of 40 CFR Part 2, the agency must obtain signed
copies of the Request for TSCA CBI Access Approval form (Appendix VII) as in
the above paragraph, and forward same to Security, IMD.
If the other Federal agency requires TSCA CBI access on its own premises there
are two ways to meet EPA's requirement that the agency's facilities and written
security procedures provide at least the same degree of protection for TSCA CBI
as EPA provides: (1) The other Federal agency may develop its own procedures
and forward them to EPA. The Director, IMD, will determine if the procedures
meet EPA's minimum requirements and forward a report to the OD/OTS. After
approval of the plan by the OD/OTS, Security, IMD, will make a physical
inspection of the other Federal agency's facilities to determine that they meet
the requirements of their security plan and report the results to the OD/OTS;
(2) The other Federal agency may adopt EPA's security procedures. If they do,
Security, IMD, will inspect their facilities and report to the OD/OTS as in
Number 1.
After the approval of the OD/OTS and publication of a Federal Register Notice
announcing the disclosure of TSCA CBI to employees of another agency as
required by 40 CFR 2.209 through 40 CFR 2.306, TSCA CBI will be furnished to
the other agency in accordance with procedures outlined in this manual,
including the use of the Federal agency sign-out log. In addition, a log of
disclosures to Congress and other Federal agencies must be maintained. The log
must include: (1) the name of the submitter; (2) the date of disclosure; (3)
the person(s) to whom the disclosure is made; and (4) a description of the
information disclosed.
If the other agency is authorized to receive TSCA CBI, the Director, IMD, shall
notify the OTS DCO, who shall provide the requested information.
D. Procedures for Interagency Agreements
If another Federal agency has a continuing need for access to TSCA CBI in
accordance with the EPA contracts manual, the OD/OTS may negotiate an
interagency agreement (IAG) with that agency to provide ongoing access to TSCA
CBI. The IAG must meet all the requirements of Section C above and specify the
procedures that will be followed by the other agency in making specific
requests for information under the IAG.
The Director, IMD, shall notify the appropriate DCOs of the agreement, the
procedures to be followed in responding to specific requests, and of the
identities of the individuals who have been authorized for access to TSCA CBI.
Under such an agreement, if the requirements of 40 CFR Part 2 have been
followed, a DCO may furnish TSCA CBI to another Federal agency, in accordance
with procedures in this manual, without receiving specific authorization from
the OD/OTS for each request.
-26-
-------�
E. Exemption for the Department of Justice
Department of Justice (DOJ) employees may be furnished TSCA CBI when prose-
cuting cases under TSCA or providing legal assistance to EPA. The Department
of Justice, including the FBI, shall be presumed to meet EPA's security
requirements. No security plans need be submitted and no inspection of facil-
ities is required. DOJ employees are not required to sign a confidentiality
agreement. However, the receiving DOJ office will be advised of the need to
maintain appropriate security controls on all TSCA CBI furnished them.
Any transfer of TSCA CBI documents from EPA to DOJ must be accomplished through
an EPA DCO/DCA, and all requirements which are outlined in this manual
regarding security of TSCA CBI during transfer must be met.
Authorized EPA employees, with the permission of a Division Director or higher
authority, may discuss TSCA CBI with appropriate DOJ employees, either in
person or on the phone. Any TSCA CBI discussed will be clearly identified as
such.
F. On—site Access
Employees of other Federal agencies authorized for access to TSCA CBI are also
permitted to review TSCA CBI on-site at EPA. Such individuals must be fully
informed of their security responsibilities, must sign the green cover sheet of
any document to which tney have access, and will be under direct EPA
supervision at all times. They will not be allowed to remove TSCA CBI from
the EPA facility, and the individuals will be told that (1) they may discuss
the information only with other employees of their agency authorized for access
and authorized EPA employees, (2) they may not produce any notes or
correspondence containing TSCA CBI, (3) they may not discuss TSCA CBI on the
telephone, and (4) they are subject to fines and imprisonment if they willfully
disclose TSCA CBI.
G. Violations
Any violation of another Federal agency's security procedures for safeguarding
TSCA CBI, even when there is no evidence of wrongful disclosure, shall be
investigated by that agency and appropriate remedial action taken. Results of
the investigation and subsequent action must be forwarded to EPA's OIG and
Security, IMD. Any alleged or actual wrongful disclosure of TSCA CBI by an
employee of another Federal agency shall be reported immediately by that agency
to the EPA OIG and Security, IMD.
Violations of the security provisions of an interagency agreement under this
chapter shall be investigated by the EPA, OIG, which shall report to the
AA/OPTS. The OIG has primary responsibility for investigating statutory
violations involving unlawful release of TSCA CBI. If the AA/OPTS finds that
the other agency has violated the terms of the interagency agreement, he/she
may terminate that agency's right of access pending resolution of the matter.
If an investigation develops information indicating a possible criminal
violation, the case shall be referred to the Department of Justice. When the
Department of Justice accepts jurisdiction, any further action, including
notification of the company involved, will be dictated by it.
-27-
-------�
APPENDIX I
Excerpts From EPA Conduct and Discipline Manual
GENERAL
The achievement of constructive discipline as it relates to compliance with
the requirements of the TSCA CBI Security Manual is a responsibility of
supervisors. An atmosphere of constructive discipline is brought about by a
supervisor's good example, practice, instruction, fair and equal treatment of
all employees, and firm and decisive leadership.
DETERMINING CORRECTIVE ACTION TO BE TAKEN
Supervisors and management officials at all levels are responsible for main-
taining discipline in their organizations by taking appropriate corrective
actions .... Any supervisor or management official may take informal
corrective actions and issue official reprimands. The following procedures
will be followed in the exercise of both formal and informal corrective
action:
The action taken must be consistent with the precept of like penalties for
like offenses with mitigating or aggravating circumstances taken into
consideration. The action taken should be fair and equitable; and if a
penalty is warranted, it should be no more severe than sound judgment
indicates is required to correct the situation and maintain discipline.
When the appropriate corrective actions are being considered, it should be
established whether the employee knew, or could reasonably be expected to have
known, what standard of conduct or performance was expected of him/her.
Repetition of the same offense must be considered in the assessing of any
penalty, as such repetition may imply a disregard for authority.
INFORMAL CORRECTIVE ACTIONS
When a supervisor decides that corrective action is warranted, he/she should
first consider informal measures that are nonpunitive in nature but that will
instruct offending employees and remedy problem situations. Supervisors are
urged to ensure that informal measures are considered before formal corrective
actions, which are recorded in an employee's official personnel folder, are
utilized such as:
o Closer Supervision.
o On-the-Job Training.
o Oral Reprimands—Perhaps the most common of corrective actions
is the face-to-face session between employee and supervisor. To
be most effective, such discussions should be conducted in pri-
vate without undue embarrassment to the employee .... Basic
facts of the discussion, including the reason for the reprimand
and the corrective steps necessary, should be recorded in a
memorandum for file and maintained in local files. No record of
-28-
-------�
such informal discussions may be placed in an employee's
personnel folder.
o Written Warnings — This kind of corrective measure lacks the give
and take of the oral interview and should usually be employed
only if the supervisor has already tried an oral warning or
feels that it would be inappropriate. A written warning should
describe exactly what improper actions the employee is engaging
in, outline positive corrective steps, and state what penalty
might result if the actions continue. A copy of the written
warning should not be placed in the employee's official
personnel folder, but copies should be retained in the super-
visor's local files. Written warnings are often effective in
influencing those employees who require a more tangible expres-
sion of a supervisor's view.
FORMAL DISCIPLINARY ACTIONS
A formal disciplinary action may be an official written reprimand, a sus-
pension, a change to a lower grade, or removal. Records of formal disci-
plinary actions become a part of the employee's official personnel folder.
Supervisors should initiate such actions only after coordinating any proposed
action with their operating personnel officers. [Detailed information con-
cerning these actions is contained in Chapter 5 of the Conduct and Discipline
Manual, ]
REASSIGNMENT AS A CORRECTIVE ACTION
Reassignment of personnel may serve as a useful corrective tool. If an
employee is considered to have the skills and desires needed to perform
successfully at his/her grade level but is unable to function effectively in
his/her immediate work situation, a reassignment to a new environment may be
considered. In other cases, a reassignment to a position where closer
supervision is possible [or access to TSCA CBI is not required] can prove
beneficial to both the employee and EPA.
EXCERPTS FROM APPENDIX C, TABLE OF OFFENSES AND PENALTIES
[formal] disciplinary action becomes necessary, this guide should be used
in order to facilitate action throughout the Agency in comparable cases.
Penalties for offenses usually will fall within the ranges indicated, but, in
unusual circumstances, greater or lesser penalties may be applied unless
otherwise provided by law.
When disciplinary action is being determined in a specified case,
consideration should be given to the record of the employee, and, when there
is a repetition of offenses, to the time interval between offenses.
When an employee has committed a combination or series of different offenses,
a greater penalty than is listed for a single offense should be considered.
-29-
-------�
NATURE OF FIRST SECOND THIRD
OFFENSE OFFENSE OFFENSE OFFENSE
Violation of security Oral/Written Written 5-day
regulations involving reprimand reprimand suspension
other than classified to 1-day to removal
[national defense] suspension
information
Failure to assess a Written 10-day Removal
penalty when the facts reprimand suspension
are known and warrant to 5-day to 30-day
disciplinary action suspension suspension
-30-
-------�
Appendix II
(Actual Size 8 1/2" x 11")
TSCA CBI u S ENVIRONMENTAL PROTECTION AGENCY DQES NQT CONTA(N NATtONAL
WHEN FILLED 'N TSCACONF,DlNNT,ANLTB°U?,YNELS^NFORMAT,ON SECUR'TY 'NFORMATiON (E 0 12065,
DATE
RECEIVED
DOCUMENT
CONTROL NO
NO
PAGES
RECEIVED FROM
(Enter company city, and state)
DESCRIPTION
DISPOSITION
LOCATION OF STORAGE FACILITY
INCLUDING DIVISION AND ROOM NO
EPA Form 7710-10 (Rev 9-81) Previous edition is obsolete.
31
-------�
Appendix III
(Actual Size 8 1/2" x 11")
TSCACBI US ENVIRONMENTAL PROTECTION AGENCY DOES NOT CONTAIN NATIONAL
«HE" F"->-ED IN TSCA co^f^f'^N JsS?NGFORMAT,ON SECUR'TV 'FORMATION IE O ,0265)
DATE
CHECKED
OUT
DOCUMENT
CONTROL NO ,
COPY NO
USER INFORMATION
EPA ID NO
SIGNATURE
DATE
RETURNED
DCO
INITIAL
DISPOSITION
EPA Form 7710-11 (Rev. 9-81) Previous edition is obsolete.
32
-------�
Appendix IV
(Actual Size 8 1/2" x 11")
TSCA CBI
WHEN FILLED IN
US ENVIRONMENTAL PROTECTION AGENCY
DESTRUCTION LOG
TSCA CONFIDENTIAL BUSINESS INFORMATION
DOES NOT CONTAIN
NATIONAL SECURITY
INFORMATION
(EO 12065)
DCO/DCANAME
LOCATION
DATE
DE-
STROYED
DOCUMENT
CONTROL
NUMBER
DESCRIPTION
DCO/DCA
SIGNATURE
EPA Form 7710-45 (9-81)
33
-------�
Appendix V
(Actual Size 8 1/2" x 11")
US ENVIRONMENTAL PROTECTION AGENCY DOES NOT CONTAIN NATIONAL
WH ™L™0 IN MM!&^&?ir.^^^^^ — " ,NFORMAT,0N ,E 0 ,„«,
DATE OUT
EPA DOCUMENT CON-
TROL NO /COPY NO
NO
PAGES
DESCRIPTION
(SUB)CONTRACTOR/
(SUB)CONTRACT NO
EPA PROJECT
OFFICER
DCO
INITIAL
RECEIPT
DATE
RETURNED
DCO
INITIAL
EPA Form 7710-12 (Rev. 9-81) Previous edition is obsolete.
34
-------�
Appendix VI
(Actual Size 8 1/2" x 11")
TSCACBI US ENVIR°™ENTAL PROTECTION AGENCY DOES NOT CONTAIN NATIONAL
FEDERAL AGENCV.cCONNGDREESS. ANDFEMRALCOU^S.GN OUT LOG SECURITY INFORMAT,ON ,E o ,2065,
DATE OUT
EPA DOCUMENT CON
TROL NO /COPY NO
NO
PAGES
DESCRIPTION
FEDERAL AGENCY,
CONGRESS, COURT
RECIPIENT
DCO
INITIAL
RECEIPT
DATE
RETURNED
DCO
INITIAL
EPA Form 7710 13 (Rev/ 9-81) Previous edition is obsolete
35
-------�
Appendix VII
(Actual Size 8V x 11")
1. REQUEST FOR TSCA-CBI ACCESS APPROVAL
1 REQUESTING COMPONENT (Off ice/Division /Branch)
3 FULL NAME (Last, first, middle)
6 DATE OF BIRTH Month /day /year)
9. POSITION
12 TSCA CBI SECURITY BRIEFING DATE
2. DCO & PHONE NUMBER
4 SOCIAL SECURITY NUMBER
7. PLACE OF BIRTH (City. State)
10. PHONE NUMBER
5. LOCATION/CONTRACTOR
8. CLEARANCE REQUESTED
(DDO, OCA, ADP, General Access)
11. PREVIOUS CBI CLEARANCE
TYPE
DYes DNO
13 FORMS ATTACHED
DsF 85 (Category II & III) DEPA Form 1480-29 (Category 1) DoPM 87 DoPM 329-A
D Other (Specify)
14. OTHER CLEARANCES (Current or past)
Clearances
Dates
Sponsoring Agency
An authorizing official (Division Director at Headquarters, Regional Administrator or Laboratory Director in the Field, or
Contractor Project Officer) must sign this section.
SIGNATURE AND TITLE OF REQUESTING OFFICIAL
DATE
II. CONFIDENTIALITY AGREEMENT
I understand that I will have access to certain Confidential Business Information submitted under the Toxic Substances Control
Act (TSCA, 15 USC 2601 et seq.]. This access has been granted in accordance with my official duties relating to the Environ-
mental Protection Agency programs.
I understand that TSCA CBI may not be disclosed except as authorized by TSCA and Agency regulations. I understand that
under section 14(d) of TSCA (15 USC 2613(d)l I am liable for a possible fine of up to $5,000 and/or imprisonment for up to
one year if I willfully disclose TSCA CBI to any person not authorized to receive it. In addition, I understand that I may be
subject to disciplinary action for violation of this agreement with penalties ranging up to and including dismissal.
I agree that I will treat any TSCA CBI furnished to me as confidential and that I will follow the procedures set forth in the
TSCA Confidential Business Information Security Manual.
I have read and understand the procedures.
SIGNATURE
III. REQUIREMENTS
DFFI DNACI DNAC
SUBMITTED
DATE
[Upending DoPM DoiSCO
COMPLETED
APPROVED BY
APPROVED
DYes DNo
DATE
EPA Form 7740-6 (5-83)
Replaces EPA Form 7710-47, which It obsolete.
36
-------�
Appendix VIII
(Actual Size 8V x 11")
I. REQUEST FOR TSCA-CBI COMPUTER ACCESS APPROVAL
1 REQUESTING COMPONENT (Office/Division/BranchI
2. DCO & PHONE NUMBER
3. FULL NAME (Last, first, middle)
4. SOCIAL SECURITY NUMBER
5. LOCATION/CONTRACTOR
6. POSITION
7. PHONE NUMBER
8. Holdt Current TSCA-CBI Access Approval
9. SYSTEM AND DATABASE TO BE ACCESSED
10. PRIVILEGES
DR/W DR
D Other /Specify)
DE
11. OTHER CLEARANCES (Current or fist)
Clearances
Dates
Sponsoring Agency
12. REASON FOR ACCESS
13 FORMS ATTACHED
DsF 85 (Category II & III)
orm 1480-29 (Category I)
DCSC329-A
D CSC 87
14 REQUESTING OFFICIAL
DCO SIGNATURE
II. SECURITY/MSD
CATEGORY UNDER OPM 732-7
Di
BASIS OF CLEARANCE
DNAC DNACI [Upending DoPM DoiSCO Pother (Specify)
DATE SUBMITTED
DATE COMPLETED
COMMENTS
RECOMMENDED
DNO
Chief /Security/MSD
III. DIRECTOR/OFFICE OF TOXIC SUBSTANCES
D Approved D Disapproved
SIGNATURE
EPA Form 7740-7 (5-83)
-------�
Appendix IX
[Actual Size 8 1/2" x 11'
Printed on Heavy,
Dark Green Paper Stock)
TSCA CONFIDENTIAL BUSINESS INFORMATION
DOES NOT CONTAIN NATIONAL SECURITY INFORMATION (S.O. 120651
oocu«
«ENT CONTROL Off
CEH
DOCUMENT CONTROL NO
DATE RECEIVED
The attacned document contains Confidential Business Information obtained under the Toxic
Substances Control ACT (TSCA. 75 U 3.C. 2601 etsiq ) TSCA Confidential Business Informa-
tion mav not be disclosed further or cooied bv vou except as authorized in the procedures set
forth .n the TSCA CONFIDENTIAL BUSINESS INFORMATION SECURITY MANUAL
tipn with penalties ranging up to and including dismissal
Each oerson who is given access ro this document must fill m the information oelow me fir
time that he/she has access.
LAST\AM6
SIGN A TURE
DO NOT DETACH
38
-------�
Appendix X
(Actual Size 8V x 11")
CONFIDENTIALITY AGREEMENT FOR
UNITED STATES EMPLOYEES UPON TERMINATION OR TRANSFER
In accordance with my official duties as an employee of the United States, 1 ha\e had access to Confidential
Business Information under the Toxic Substances Control Act (TSCA, 15 U.S C. 26(11 t'f1 ser/J. I understand that
TSCA Confidential Business Information may not be disclosed except as authorized by TSCA or Agency regula-
tions.
I certify that I have returned all copies of any TSCA Confidential Business Information in my possession to the
appropriate document control officer specified in the procedures s ' forth in TSCA Confidential Business Inform-
ation Security Manual.
I agree that I will not remove any copies of TSCA Confidential Business Information from the premises of the
Agency upon my termination or transfer. I further agree that I will not disclose any TSCA Confidential Business
Information to any person after my termination or transfer.
I understand that as an employee of the United States who has had access to TSCA Confidential Business Inform-
ation, under section I4(d) of TSCA (15 U.S.C. 2613(d)) I am liable for a possible fine of up to $5,000 and 'or
imprisonment for up to one year if I willfully disclose TSCA Confidential Business Information to any person.
If I am still employed by the United States, I also understand that I may be subject to disciplinary action for
violation of this agreement.
I am aware that I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made any statement of
material facts knowing that such statement is false or if I willfully conceal any material fact.
SIGNATURE
EPA Fo™ 7710-17 (7-78)
39
-------�
Appendix XI
(Actual Size 8V x 11")
TELEPHONE CONTACT REPORT!
DATE
TIME
SUBMTR/ORGANIZATION
NAME OF EPA REP.
NAME OF SUBMTR/ORGANIZATION
TYPE OF CONTACT
TELEPHONE
OTHER
MEETING
TOPICS COVERED:NOTE ANY RESOLUTIONS AND/OR ADDITIONAL ACTIONS
REQUIRED ON THIS FORM
PAGE
OF
40
-------�
Appendix XII
(Actual Size 8 1/2" x 11")
TSCA CONFIDENTIAL BUSINESS INFORMATION
MEETING SIGN-IN SHEET
DATE
MEETING PLACE (Room. Building, City, State)
TIME
CHAIRPERSON
SUBJECT OF MEETING
NAME (Print 1
SIGNATURE
OFFICE/DIVISION/BRANCH
EPA ID NO
THIS SIGN-IN SHEET MUST BE GIVEN TO THE APPROPRIATE DCO/DCA
EPA Form 7710-44 (9/811
41
-------�
APPENDIX XIII
FEDERAL REGISTER NOTICE EXAMPLE
ENVIRONMENTAL PROTECTION AGENCY
TRANSFER OF DATA TO CONTRACTOR AND SUBCONTRACTOR
AGENCY: Environmental Protection Agency (EPA).
ACTION: Notice.
SUMMARY: EPA will transfer to its contractor, , and its subcontractor
information which has been or will be submitted to EPA under section
5 of the Toxic Substances Control Act (TSCA) . Some of the
informatin may be claimed as confidential. These firms will review
this information and use it to evaluate the potential economic
impacts of regulatory actions taken under section 5 of TSCA.
DATE: The transfer of the confidential data submitted to EPA will
occur no sooner than 10 working days after date of publication of
this notice in the FEDERAL REGISTER.
42
-------�
FOR FURTHER INFORMATION CONTACT:
Edward A. Klein,
Director, TSCA Assistance Office (TS-799)
Office of Toxic Substances,
Environmental Protection Agency,
Rm. E-543,
401 M St., SW.,
Washington, D.C. 20460
Toil-Free: (800-424-9065),
In Washington, D.C.: (554-1404),
Outside the USA: (Operator - 202-554-1404).
SUPPLEMENTARY INFORMATION: Provisions including Executive Order 12291, the
Regulatory Flexibility Act, and section 2(o) of TSCA, the Act's general policy
statement, require SPA to consider the economic impact of proposed regulatory
actions under TSCA. In evaluating the necessity of regulatory actions under
TSCA in a given instance, EPA considers economic factors like cahracteristics
of a particular market, the availability of substitutes for a substance, and
ootential uses that could be made of the substance. in evaluating alternative
courses of regulaoty action, EPA considers fafctors like the relative cost
effectiveness and availability of various control technologies and the
practicality of other regulatory options.
Under EPA Contract No.
Washington, D.C., and its subcontractor
will assist the Regulatory Impacts Branch
(RIB) of the Office of Toxic Substances in performing regulatory and general
economic impact analyses for TSCA regulatory programs.
In accordance with 40 CFR 2.306(j), EPA has determined that
43
-------�
employees may require access to confidential business
information (CBI) submitted to EPA under section 5 of TSCA to perform work
satisfactorily under the above-noted contract. EPA is issuing this notice to
inform all submitters of information under section 5 of TSCA that EPA may
transfer to these firms, on a need-to-know basis, confidential business
information on specific chemicals that are nder review or are subjects of
possible regulatory actions. Upon completing their review of materials
submitted for a specific chemical, the firm receiving confidential business
information will return all such materials to EPA.
have been authorized to have access to TSCA
confidential business information under the EPA "Contractor Requirements for
the Control and Security of TSCA Confidential Business Information" security
manual. EPA has approved the security plan of its contractors and will
inspect the facility and approve it prior to TSCA being transmitted to the
contractors. Personnel from these two firms will be required to sign a non-
disclosure agreement and be briefed on appropriate security procedures before
they are permitted access to confidential information, in accordance with the
"TSCA Confidential Business Information Security Manual" and the Contractor
Requirements manual.
Dated:
Don R. Clay,
Director,
Office of Toxic Substances.
44
-------�
Appendix XIV
(Actual Size 8V x 11")
U.S. ENVIRONMENTAL PROTECTION AGENCY
SAFE/CABINET SECURITY CHECK SHEET
AFFIX A COPY OF THIS FORM TO EACH CABINET CONTAINING CLASSIF ED MATERIAL OR CONFIDENT A L BUSINESS INFORMATION
(a) T 14) O P E O
(b) CHECK EACH DRAWER BY DEPRESSING THE THUMB LATCH AND SHAKING THE DRAWER
MON TH
DATE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
OPEN ED BY
INITIALS
TIME
O FFI C E CODE
ROOM NUMBER
LOCKED BY
INITIALS
TIME
CONTAINER NUMBER
CHECKED BY
INI Tl ALS
TIME
GUARD CHECK
INITIALS
TIME
EPA Form 1480-12 (Rev. 3-80) PREVIOUS EDITION MAY BE USED UNTIL SUPPLY is EXHAUSTED
45
-------�
Appendix XV
[Actual Size 8V x 11")
REQUEST FOR APPROVAL OF CONTRACTOR ACCESS
TO TSCA CONFIDENTIAL BUSINESS INFORMATION
Requesting Official*
Signature
Date
Title and Office
Contractor and contract number (if modification)
I. Brief description of contract, including purpose, scope, length, and other important details {Continue on the
back of this form if necessary }
What TSCA CBI will be required, and why7 {Continue on back if necessary )
III. Will computer access to TSCA CBI be required by the contract7 If so, explain why and to what extent on
the back of this form.
If you approve this request, this office will initiate procedures to ensure compliance with the "TSCA CBI
Security Manual" and "Contractor Requirements for the Control and Security of TSCA Confidential Business
Information
*Must be Division Director (or equivalent) or above
Office Director for
Toxic Substances
EPA Form 7710-15a {9-81)
Approved
Date
46
-------�
Appendix XVI
(Actual Size 6h" x 4")
LOAN RECEIPT FOR
TSCA CONFIDENTIAL BUSINESS INFORMATION
1 acknowledge receipt of TSCA Confidential Business Information Document(s) listed below:
la DOCUMENT CONTROL NO
2a DOCUMENT CONTROL NO
3a DOCUMENT CONTROL NO
4a DOCUMENT CONTROL NO
5a DOCUMENT CONTROL NO
1b. COPY NO.
2b. COPY NO
3b COPY NO
4b COPY NO.
5b COPY NO.
6a DOCUMENT CONTROL NO.
7a. DOCUMENT CONTROL NO
8a DOCUMENT CONTROL NO
9a. DOCUMENT CONTROL NO
lOa DOCUMENT CONTROL NO
6b COPY NO
7b. COPY NO
8b. COPY NO
9b. COPY NO
lOb COPY NO
1 understand that 1 am responsible for protecting these data in accordance with the TSCA Confidential Business Information
Security Manual. Also that 1 am liable for a fine of up to $5,000 and / or imprisonment up to 1 year if I willfully disclose it to any
unauthorized person. I may also be subject to disciplinary action up to and including dismissal for any violation of procedures
for safeguarding these data.
NAME OF RECIPIENT
NAME OF LOANER
SIGNATURE OF RECIPIENT
DATE DOCUMENTIS) RECEIVED
EPA Form 7710-14 (Rev 9/811
47
-------�
INDEX
AA/OPTS, Responsibilites of 5
Access,
Computer Defined vii
Contractor Authorization 2
Forms Required to Request. 2
General, Defined vii
How To Gain 2
Acronyms, Glossary of vi
Agreements, Interagency 26
Annual Inventory 23
Authorized Access List, Defined vii
Authorized Access List, Maintaining. 4
Background Investigation 3
Branch Chiefs, Responsibilities of 6
Briefing, Defined vii
Computer Access, Defined vii
Confidential Business Information, Defined vii
Corrective Actions,
Discussed. 1
Formal 30
Informal 29
Declassification
Hardcopy 22
Magnetic Tape 21
Printout 21
Department of Justice 27
Destruction of Documents 18
Director, Information Management Division, Responsibilities of 5
Director, Office of Information Resources Management,
Responsibilities of 5
Director, Office of Toxic Substances, Responsibilities of 5
Disks,
Floppy 20
Hard 20
Division Directors, Responsibilities of 6
Document, Defined vii
Document Control Assistant, Defined vii
Document Control Assistants, Responsibilities of 9, 10
Document Control Number, Defined vii
Document Control Officer, Defined vii
Document Control Officers, Responsibilities of 8, 9, 10
Document Tracking System, Defined viii
Documents,
Destruction of 18
Drafts 23
Lost 17
Obtaining 12
Reconciliation of 23
Reproduction of 7 18
48
-------�
Retiring of 19
Temporary Internal 23
Downloading TSCA CBI Data 20
Draft Documents 23
Electronic Transmission 16
Employee, Defined viii
Employees, EPA, Responsibilities of 10
EPA Employees, Responsibiliites of 10
EPA Project Officers, Responsibilities of 8
Facilities Support Services Division, General
Service Branch, Responsibilities of 6
Facility, Secure, Defined viii
Federal Agency, Defined viii
Forms for Gaining Access 2
Forms for Implementing Procedures 11
General Services Branch, Facilities and Support Services
Division, Responsibilities of.... 6
Interagency Agreements 26
Inventory, Annual. 23
Logs, Retaining 22
Los t Documents 17
Mail,
Express 17
Incoming 15
Registered 17
Meetings 16
Notes 16
Obtaining Documents 12
Office of the Inspector General, Responsibilities of 5
Other Federal Agencies 27
PCs 20
Personal Computers 20
Photographs 19
Procedures, Secretarial 14
Project Officiers, EPA, Responsibilities of 8
Reassignment 31
Reconciliation of Documents 23
Recordings
Audio 16
Visual 16
Remote Terminals 19
Reproduction 18
Retaining Logs 22
Retiring of Documents 19
Safeguards During Use 14
Secretarial Procedures 14
Secure Facility, Defined viii
Security, IMD, Responsibilities of 7
Security Procedures, Other Federal Agencies 25
Statutes, Applicable to TSCA CBI 1
49
-------�
Storage,
At EPA, Open 13
At EPA, Required 12
Multiple User Container 13
When Traveling. 13
Submitter Representative, Defined viii
Telephone Calls 15
Temporary Internal Documents 23
Transmission, Electronic 16
Transmittal
Outside an EPA Facility 17
Within an EPA Facility 17
Violation, Defined viii
50
-------�
U J. Environmental Protection Agency
Region V, Library
230 South Dearborn Street -X
Chicago, IIHnois 60604 _j**
-------� |