United States
Environmental Protection
Agency
Office of Solid Waste
and Emergency Response
(6104)
EPA 550-8-99-019
June 1999
www.epa.gov/ceppo/
c/EPA
CONFIDENTIAL BUSINESS
INFORMATION SECURITY
MANUAL for CEPPO
PROGRAMS
U.S. EPA Headquarters Library
Mail code 3201
1200 Pennsylvania Avenue NW
Washington DC 20460
..
Chemical Emergency Preparedness and Prevention Office
Printed on recycled paper
-------�
-------�
U.S. EPA Headquarters Library
Mail code 3201
1200 Pennsylvania Avenue NW
Washington DC 20460
SECTION I.
PURPOSE. SCOPE. POLICY. AUTHORITY & RESPONSIBILITY . . . . 1
A. PURPOSE 1
C. POLICY 2
D. AUTHORITY 2
E. RESPONSIBLE OFFICIALS 2
1. Director. CEPPO 3
2. Director. Program Development Division 3
3. CEPPO Document Control Officer 3
4. CEPPO Managers and Team Leaders 4
5. CEPPO Work Assignment Managers (WAM/DOPO) ... 5
6. Employees 7
7. Contractor Document Control Officers 7
a. CDCQ responsibilities include: 8
b. Contractor Document Control Assistant ... 9
SECTION II.
EDUCATION AND TRAINING 10
A. OVERVIEW 10
B. INITIAL BRIEFING 10
C. ANNUAL BRIEFING 10
D. CONFIDENTIAL AGREEMENT ON RELINQUISHING CBI .... 11
SECTION III.
ACCESS TO CBI 12
A. OVERVIEW 12
B. GENERAL ACCESS REQUIREMENTS 12
C. FEDERAL EMPLOYEE ACCESS 12
1. Procedures 12
2. Authorized Access Lists 14
D. WITHDRAWAL OF CLEARANCE 14
1. Periodic Review 14
2. Removal From Access Lists 14
E. CONTRACTOR EMPLOYEE ACCESS 14
1. Prerequisite 14
2. Conditions 15
3. Obtaining Approval 15
4. Security Plan 15
5. Contractor DCO/DCA Requirement 18
6. Completion of Contracts. Work Assignments, or Task
Orders 18
7. Authorized Access Lists 18
8. Withdrawal of Access 18
F. SUBCONTRACTOR/CONSULTANT ACCESS 18
SECTION IV.
-------�
RECORDS MANAGEMENT FOR CEPPO CBI 21
A. OVERVIEW 21
B. INTENT 21
C. CEPPO CBI RECORDS MANAGEMENT SYSTEM 21
D. CREATING CBI DOCUMENTS 23
1. Working Papers 23
2. Typing/Word Processing Requirements 23
3. Use in Meetings 24
E. CREATING NONCBI DOCUMENTS 24
1. Deleting or Replacing CBI 24
2. Masking or Aggregating CBI 25
3 . Dropping CBI Claim 25
F. RELINOUISHrNG OF CBI STATUS 25
1. Original CBI 25
2. CBI Created by CEPPO 25
G. DETERMINING CLAIM TO VALIDITY 26
H. REPRODUCTION 26
1. CBI Material 26
2. Equipment 26
3. Broken Equipment 27
I. CDCO RECORD MANAGEMENT RESPONSIBILITIES 27
1. CBI Control Numbers 27
2. CBI Inventories 27
3. Reproduction 27
SECTION V.
DISCLOSURE OF CBI
28
A. OVERVIEW 28
B. DISCLOSURE TO OTHER FEDERAL. STATE OR LOCAL AGENCIES
28
1. Non-disclosure Agreement 29
2. Notice to Affected Businesses 29
3 . Before Approval 30
4. Before Disclosure 30
C. DISCLOSURE TO EPA CONTRACTORS AND SUBCONTRACTORS . 30
D. DISCUSSING CBI ON THE TELEPHONE 30
1. Telephone Memorandum 31
2. Telephone Calls With Providing Organizations . 31
E. CBI DISCLOSED AT MEETINGS 31
1. Access 31
2. Chairperson's Duties 32
3. Notes or Recordings 32
4. Safeguarding 32
5. Controls 32
SECTION VI.
CBI MARKINGS 33
A. QVERVIEW 33
B. CBI STAMPS 33
11
-------�
C. COMPUTER OUTPUT 33
D. SPECIAL CATEGORIES OF MATERIALS 33
1. Charts. Maps, and Drawings 33
2. Photographs. Films, and Recordings 33
3. CBI Waste 33
SECTION VII.
TRANSFERRING CUSTODY Of CBI
34
A. OVERVIEW 34
B. TRANSFERRING CBI TO/FROM EPA CONTRACTORS AND PROVIDING
PLANTS/FACILITIES 34
C. TRANSFERRING CBI FROM CONTRACTORS TO CEPPO .... 34
D. TRANSFERRING CBI TO GOVERNMENT AND STATE AGENCIES
OUTSIDE OF EPA
35
E. TRANSFER BETWEEN EPA CEPPO HO AND EPA REGIONAL OFFICES
35
F- CONFIDENTIAL BUSINESS INFORMATION SECURITY AGREEMENT
35
G. PREPARATION AND PACKAGING 36
1. Inner and Outer Covers 36
2. Addressing 36
3. Packaging 36
H. CUSTODY. RECEIPT 36
I. TRANSFER METHODS 37
1. Hand Carrying 37
2. Registered Mail 37
3. Couriers and Express Mail 37
SECTION VIII.
STORAGE OF CBI 39
A. OVERVIEW 39
B. INTENT 39
C. STORAGE EQUIPMENT SPECIFICATIONS 39
D. PROCEDURES FOR LOCK COMBINATIONS 39
1. Changing Combinations 39
2. Granting Access to Combinations 40
E. EVACUATION PROCEDURES 40
F. SAFEGUARDING CBI IN THE EVENT OF A DISASTER .... 40
1. Prevention 40
2. Preparedness 41
3. Response 41
SECTION IX.
CAA CBI COMPUTER SECURITY 42
A. OVERVIEW 42
SECTION X.
ill
-------�
DISPOSAL AND DESTRUCTION 43
A. OVERVIEW 43
B. INTENT 43
C. NOTICE OF INTENT TO DESTROY 43
D. ORIGINAL CBI 43
E. DERIVATIVE CBI 43
F. CBI WASTE 43
G. RECORDS OF DESTRUCTION 44
H. METHODS OF DESTRUCTION 44
SECTION XI.
CAA CBI ^SECURITY VIOLATIONS
45
A. OVERVIEW 45
B. RESPONSIBILITY OF DISCOVERER 45
C. VIOLATIONS OF THIS MANUAL 45
D. PRELIMINARY INQUIRY 45
E. INVESTIGATION 45
F. REPORTS AND FINDINGS 45
1. Finding of No Damage 46
2. Lost Documents 46
3. Compromise 46
4. Finding of Damage 46
G. RESULTING ACTIONS 46
1- Violations Subject to Punitive Measures . . . 46
2. Punitive Measures . 47
SECTION XII.
CBI DEFINITIONS
48
SECTION XIII.
GLOSSARY OF ACRONYMS
50
SECTION XIV.
APPENDICES
52
IV
-------�
A.
SECTION I.
PURPOSE. SCOPE. POLICY. AUTHORITY & RESPONSIBILITY
PURPOSE
The procedures in this manual provide Federal,
contractor, and subcontractor employees with the information
necessary to utilize Confidential Business Information to
perform their assigned duties without violating applicable
Federal regulations protecting the rights of its owners.
The purpose of this manual is to set forth policies and
procedures for Federal, contractor, and subcontractor employees
to follow in the handling of information claimed as Confidential
Business Information (CBI), obtained under Section 114 and
Section 112(r) of the Clean Air Act (CAA), and under the
Superfund law governed by U.S. Environmental Protection Agency
(EPA) regulations at 40 Code of Federal Regulations (CFR), Part
2, Subpart B, and other EPA regulations and policies relating to
chemical emergency preparedness, prevention and response. CBI
collected under the authority of other environmental legislation
is managed according to similar applicable procedures.
The need to safeguard CBI cannot be overstated. Valid and
secure CBI procedures are essential to EPA's decisionmaking and
therefore is required to effectively safeguard the environment.
Any compromise to CBI threatens not only the businesses providing
data, but also EPA's ability to make, implement and enforce
environmental policy, and ultimately, the communities that
benefit from that policy. Therefore, the Chemical Emergency
Preparedness and Prevention Office (CEPPO) has designed and
implemented a security system to ensure protection of CAA CBI
both in its contractor operations and in-house. The CBI
security system consists of controlled access, document tracking,
training, and monitoring of CBI operations.
B.
SCOPE
This manual sets forth policies and procedures to manage and
safeguard CBI. Unless otherwise noted the phrase "Confidential
Business Information" or "CBI" in this manual refers to
information claimed as CBI collected as part of programs
implemented by EPA's Chemical Emergency Preparedness and
Prevention Office dealing with chemical emergency preparedness,
prevention and response. This includes but is not limited to
submissions of Risk Management Plans claimed as CBI under the
Clean Air Act section 112 (r) or Section 114, or information
collected as part of accident investigations or prevention and
-------�
preparedness activities under the Clean Air Act or the
Comprehensive Environmental Response, Compensation, and Liability
Act (CERCLA).
C. POLICY
It is CEPPO's policy to protect any information claimed as
confidential, collected under the Clean Air Act or CERCLA from
accident investigation site visits or other activities related to
prevention of chemical accidents by CEPPO or regional personnel
and authorized contractors, or collected as part of Risk
Management Plans by CEPPO personnel or its authorized
contractors. The information may be either documentary
information (e.g., written responses to questions, photographs,
records or charts) or non-documentary (e.g., oral communications,
taking of photographs, or visual observations), or information
submitted as part of a Risk Management Plan and claimed as CBI.
The providing organization may assert a claim of confidentiality
under the procedures established in 40 CFR Part 2 by noting such
claim on documentary and nondocumentary materials provided to
CEPPO or under procedures outlined in regulations at 40 CFR Part
68.
Any material or information claimed as confidential or trade
secret will be treated as confidential by CEPPO and its
contractors in accordance with its contract and provisions of 40
CFR Part 2. Any material or information for which a claim of
confidentiality is NOT made may be made available to the public
by CEPPO without notice to the providing organization.
Documents created by CEPPO or its contractors based on CBI
information collected from RMP submissions or site visits will be
is made regarding the status by the providing organization,
CEPPO, or the Office of General Counsel (OGC).
D. AUTHORITY
The policies and procedures found in this manual provide
guidance for compliance with the following Federal statutes and
regulations:
Clean Air Act as amended
40 CFR, Part 2, Subpart B
Freedom of Information Act
Privacy Act
EPA IRM Policy Manual, Chapter 8, Information Security
CERCLA
E. RESPONSIBLE OFFICIALS
The responsibilities of CEPPO personnel concerning CBI are
2
-------�
outlined below.
1.
Director, CEPPO
The CEPPO Director or his designee has overall
responsibility for controlling CBI within the Office. The
Director or Acting Director may delegate his/her authority to
perform security control functions.
2. Director. Program Development Division
The Director, Program Development Division (PD), has
been delegated authority to direct and administer the CBI program
for CEPPO. In performing these duties, the Director has
authority for setting policies, standards, and procedures that
ensure compliance with the laws and regulations described in
Section D, "Authority," above. The Director provides oversight, a
security education program, and a security assurance program for
effective implementation of the CEPPO CBI program. Specific
responsibilities are to:
» Advise the CEPPO Director on the CEPPO CBI program, as
requested;
• Approve initial contract access for CEPPO contractors to
access CBI;
« Review and approve all outside requests and transfers of
CEPPO CBI to other Federal and State agencies, special
circumstances ,-
• Oversee operations of CEPPO's CBI program.
3. CEPPO Document Control Officer
The CEPPO Document Control Officer (DCO) or Alternate
Document Control Officer is directly responsible to the PD
Director for implementing the CEPPO CBI program. The CEPPO DCO
implements and monitors the CBI activities in CEPPO and provides
guidance and technical direction as needed. The following are
responsibilities of the CEPPO DCO:
• Ensures that CEPPO security procedures for handling CBI are
continually reviewed, updated, and enforced;
• Ensures compliance with the security education program and
security assurance program;
• Advises CEPPO WAMs/DOPOs in reviewing security plans and
procedures, and in inspecting facilities of EPA contractors
handling and storing CBI files;
-------�
Advises CSPPO WAMs/DOPOs in reviewing contractor employee
CBI security, education and training programs;
Reviews CBI access requests for contractors (The PD Director
must approve requests for all initial contractor access);
Evaluates proposed system improvements;
Promptly conducts preliminary inquiries and investigations
of alleged procedural violations and reports findings to the
PD Director;
Advises the PD Director concerning appropriate actions for
CBI security violations;
Signs receipts for CBI arriving and departing CEPPO HQ from
the RMP Reporting Center Contractor, and logs these
documents in and out;
Oversees destruction of CBI material after receipt of
authorization from OGC, the owner, WAM/DOPO, or after the
CBI has served its purposes;
Briefs and debriefs all persons designated by PD Director as
requiring access to CBI;
Keeps an Authorized Access List of all CEPPO staff cleared
for CBI access and a record of each person's briefing
status;
Conducts periodic inventories of all CBI documents stored at
CEPPO headquarters;
Maintains a tracking system to ensure that CBI transmitted
to other organizations is received; and
Prepares or advises WAMs in preparing CBI for mailing to
other Federal agencies, plants or facilities, and
contractors when authorized, and maintains records of such
actions.
4. CEPPO Managers and Team Leaders
Managers and Team Leaders are responsible for ensuring
that their employees and contractors comply with the procedures
listed in this manual. Managers and Team Leaders are responsible
for the following functions:
" Ensure that any CBI the unit receives directly is sent
immediately to the DCO or Alternate DCO and thence logged
into CEPPO's Secure CBI Room, or to the cleared individual
-------�
who is working on the particular project, for logging into
their files that are secure, as described in Section VIII;
Recommends to the PD Director whether to release CBI to
Congress, the Comptroller General, or other Federal agencies
and ensures that releases are in accordance with Section
2.209 of 40 CFR, Part 2;
Ensures that CBI is not used in publications or improperly
released in any documents;
Authorizes necessary creation (by summarization and masking)
of nonCBI materials from CBI and reviews and approves those
nonCBI materials prior to their release;
Cooperates with the CEPPO DCO in establishing and improving
CBI safeguards, and implementing and maintaining CBI
education and quality within their units;
Notifies the CEPPO DCO when a contract will require CBI
access and serves as an interface between the CEPPO DCO,
contractors, WAM/DOPO and the EPA Contracting Officer;
Issues notification to the affected businesses via Federal
Register notice at the start of a contract by identifying
the contractor or subcontractor who will have access to CBI
submitted to CEPPO in performing their assigned duties;
Assists WAM/DOPO in preparing individual notification to
affected businesses or industries on an as-needed-basis;
Ensures compliance with all CBI procedures set forth in the
applicable contract;
Recommends to the Director, PD, EPA and contractor
employees who need access to CBI;
Authorizes transfer of CBI to providing companies,
facilities or contractors. The authority to transfer CBI to
all other outside organizations is reserved for the PD
Director; and
Reports cases of CBI disclosures or possible compromise to
the CEPPO DCO and cooperates with investigations conducted
under the CEPPO CBI security program.
5. CEPPO Work Assignment Managers (WAM/DOPO)
-------�
The CEPPO WAM/DOPO has primary responsibility for
ensuring that his/her contractors maintain control over
project related CBI and adhere to prescribed procedures.
CEPPO WAMs are responsible for the following:
Ensures that contractors and EPA employees working on
his/her project comply with procedures in this manual and
CBI procedures set forth in the applicable contract for CBI
related to his/her project;
Analyzes technical aspects of all project work written or
otherwise created and determines whether CBI is involved
and, if so, has it handled according to procedures in this
manual;
Ensures that necessary paperwork is submitted in accordance
with 40 CFR, Part 2, Subpart B, to enable Office of General
Counsel (OGC) to make a final determination as to whether
information that has been received is entitled to
confidential treatment;
Keeps an Authorized Access List of all Contractor personnel
cleared for CBI access and a record of each person's
briefing status;
Authorizes necessary reproduction of CBI and ensures that
CBI is reproduced only under the procedures specified in
this manual;
Ensures that memos, notes and reports from telephone
conversations, visits, inspections, or tests are protected
as CBI and filed in CEPPO secured containers until a
determination is made regarding the status;
Ensures that CBI is not used in publications or improperly
released in any document;
Initiates the process for destruction and disposal of CBI
material;
Ensures that CBI to be transferred or mailed is processed
for proper wrapping and disposition;
Ensures that any CBI received associated with his/her
project is logged and stored in CEPPO approved containers;
Authorizes contractor to return CBI files to the WAM for log
in to CEPPO approved containers at the end of a work
-------�
assignment or when the information is no longer required to
be maintained at contractor facilities;
Obtains assistance from the CEPPO DCO in determining the
status of returned CBI materials from the contractor; and
Reports cases of wrongful disclosure or possible compromise
of CBI to the responsible Team Leader and CEPPO DCO, and
cooperates with investigations conducted under the CEPPO CBI
security program.
6.
Employees
Contractor/subcontractor and Federal, State and Local
employees are responsible for the following:
• Secures ALL CBI logged out to them or in their possession
from a facility;
• Complies with all applicable procedures in this manual;
• Complies with all CBI procedures set forth in the applicable
contract ,-
* Maintains possession of CBI until returned to the secured
containers approved by the CEPPO DCO or alternate DCO only;
" Stores CBI in storage containers approved by the DCO or
alternate DCO only;
" Discusses CBI only with authorized persons;
« Ensures that any CBI received directly is immediately to the
CDCO for storage and proper logging, for contractor
employees; or logged in and stored in CEPPO approved
containers for materials held at Federal facilities;
" Ensures that CBI is not used in publications or improperly
released in any document;
• Reports alleged violations of security procedures to the
CEPPO Manager or Team Leader and CEPPO DCO immediately; and
• Ensures that memos, notes, and reports concerning CBI
obtained from telephone conversations, visits, inspections,
inquiries, or tests are protected as CBI, logged and stored
in approved secured containers.
7.
Contractor Document Control Officers
Contractor's management must nominate a Contractor
Document Control Officer (CDCO) and a Contractor Document Control
-------�
Assistant (CDCA). Before CEPPO recognizes them as CDCOs, they
must be properly trained and have required paperwork on file at
CEPPO. The CDCO controls the receipt, storage, and handling of
CBI by employees in their facilities and manages a document
tracking system.
a. CDCO responsibilities include:
• Serves as the principal contact for CEPPO regarding the
security and control of CAA CBI;
• Provides security plan for safeguarding CBI;
• Maintains a secure CBI facility;
• Conducts CBI briefings (including testing) for all
contractor employees authorized to handle or access CBI;
• Obtains signed Authorization for Access to CBI for
Contractor Employees, CBI Form 3 (Appendix A) from each
contractor employee who will have access to CBI before the
employee is granted access. The original of this completed
form shall be forwarded to the WAM/DOPO;
• Conducts annual briefings and testing in support of the
CEPPO CBI education and training program;
• Inspects facilities and reviews CBI procedures of
subcontractors and obtains CEPPO's approval;
• Maintains a list of contractor employees who are authorized
to access CBI including administrative or computer support;
• Releases CBI only; to authorized persons;
• Reviews and updates access lists continuously of contractor
employees and notifies the WAM/DOPO immediately of any
changes;
" Submits updated access lists to the CEPPO DCO monthly;
• Provides guidance, technical assistance and administrative
support to contractor employees on all matters concerning
CBI security;
• Establishes, maintains, and controls a CBI file system
(including disposition) in compliance with this manual;
" Logs in and out all CBI documents, summaries, tabulations,
and materials to users;
• Maintains a CBI document retrieval system;
8
-------�
Ensures all CBI is properly stored when not in use;
Ensures CBI is properly wrapped, marked and transferred;
Maintains an inventory of all CBI and conducts periodic
audits;
Destroys drafts and working papers as authorized by the DCO
or project lead;
Maintains in a secure location a record of combinations of
all locks, safes, and cabinets that contain CBI, and ensures
combinations are changed annually, or whenever anyone who
knows the combination terminates or transfers employment;
Reports alleged violations of contractor security procedures
immediately to contractor management and the CEPPO DCO; and
Obtains a signed Confidential Agreement for Contractor
Employees Upon Relinquishing CBI Access Authority, CBI Form
5 (Appendix B) for any employee who terminates employment or
transfers to a position not requiring access to CBI. One
copy of this completed form shall be forwarded to the CEPPO
DCO.
Whenever CDCOs terminate their employment or relinquish
their responsibilities, an inventory of CBI materials must be
performed within 30 days of their departure.
b. Contractor Document Control Assistant
The Contractor Document Control Assistant (CDCA) will
perform the aforementioned CDCO responsibilities in the absence
of the CDCO.
-------�
SECTION II.
EDUCATION AND TRAINING
A. OVERVIEW
The CEPPO Confidential Business Information (CBI) education
and training program is implemented by the DCO. Federal Team
Leaders, Managers, and contractor management must arrange for
employees to be available for briefings in support of the CEPPO
CBI program. Designated employees must meet all requirements of
the program to obtain and maintain authorization to access CBI.
B. INITIAL BRIEFING
All access designees shall:
l. read this manual;
2. receive a briefing or watch a video on the
responsibilities and procedures for proper handling of
CBI; and
3. pass a self-administered, open book competency test at
the end of the briefing.
After receiving the briefing and passing the competency test,
each employee will sign an Authorization for Access to CBI for
Federal Employees, CBI Form 2 or CBI Form 3 for contractors
(Appendix A). Employees may then be approved for access to CBI
and their name placed on the authorized project access list.
C. ANNUAL BRIEFING
Federal and contractor employees approved for CBI access
must maintain their access authority by attending an annual
security briefing and passing a written test. Annual briefings
will be taken in the month of the employee's initial access.
Employees who fail to attend their annual briefing will be given
an opportunity to arrange another briefing. If they fail to
attend a makeup session, within 3 months of expired access, their
names will be removed from the CEPPO CBI Authorized Access List.
The DCO will notify the Team Leader or Manager of the
suspension. If the employee fails to attend the next scheduled
briefing within 30 days of the suspension notice, the employee
must relinquish authorized access to CBI. The employee must
return all CBI materials which he may have in his possession to
the CDCO or DCO and sign a Confidential Agreement for U.S.
Employees Upon Relinquishing CBI Access Authority, CBI Form 4
(Appendix B) or CBI Form 5 for contractors (Appendix B). If
10
-------�
access to CBI is relinquished, the CEPPO Team Leader or Manager
or the Contractor Management must renominate the employee to
access CBI, direct the employee to attend a briefing, and obtain
authorization to access CBI by completing Form 2.
D.
CONFIDENTIAL AGREEMENT ON RELINQUISHING CBI
All employees who have been granted access to CBI shall
sign a Confidential Agreement for U.S. Employees Upon
Relinquishing CBI Access Authorized, CBI Form 4 or CBI Form 5
(contractors) when they terminate their employment or transfer to
a position in which CBI access is not required.
11
-------�
SECTION III.
ACCESS TO CBI
A. OVERVIEW
This section describes policies and procedures for allowing
access to Confidential Business Information (CBI) for federal
employees and CEPPO contractors.
B. GENERAL ACCESS REQUIREMENTS
All persons must be authorized access to CBI through the
training, testing and written approvals specified in this manual.
No person has a right of access to CBI by virtue of
organizational title or position alone. A person must also have
a need to know CBI associated with CEPPO's programs before access
is granted. There is a responsibility to the organization
providing CBI to protect its information and a parallel
responsibility of CEPPO employees and contractors to minimize
their liability.
C. FEDERAL EMPLOYEE ACCESS
Care in granting access to CBI is important in ensuring a
secure CBI system. A secure CBI system requires the continuous
updating of the employee Authorization Access List (AAL) ensuring
attendance of yearly briefings.
1. Procedures
Upon determining that a CEPPO employee needs access to
CBI associated with CEPPO's programs, Team Leaders or Managers
refer those employees to CEPPO1s DCO. The employee attends a CBI
security briefing or watches a video presentation. After passing
the written test {as explained in Section II, Education and
Training), the employee and DCO sign an Authorization for Access
to CBI for Federal Employees, CBI Form 2 (Appendix A). The form
is then forwarded to CEPPO's Program Development Division
Director for signature and final approval. Approved forms are
returned to the DCO for filing. See Figure 1 for steps in
obtaining access to CBI for EPA employees.
EPA employees (outside of CEPPO), who have a need to
know CBI associated with CEPPO1s programs may request CEPPO's CBI
access authority. An Authorization for Access to CBI for Federal
Employees, CBI Form 2 (Appendix A) must be requested from the
CEPPO DCO, completed and returned. Upon approval by the
responsible CEPPO Team Leader or Manager and the requestors
management (equivalent to the Director or higher), the employee
may access the CBI as outlined in this Section and in Sections V
and VII.
12
-------�
Steps for Obtaining Access to CBI for EPA Employees
MANAGEMENT NOMINATES
Employee Needing Access
I
EMPLOYEE ATTENDS/VIDEO & READS MANUAL
CBI Briefing
EMPLOYEE PASSES
Written Test
EMPLOYEE SIGNS
Confidentiality Agreement
DIRECTOR, PD
Approves Employee Access
DCO MAINTAINS
Authorized Access Lists
Figure 1
13
-------�
2. Authorized Access Lists
Upon receiving approval to access CBI, the employee
name(s) is placed on the CEPPO CBI Authorized Access List.Team
Leaders and Managers review the access list to confirm the names
listed or make appropriate changes, if assignments are shifted or
employment terminated, and return the list to the CEPPO DCO with
recommendations for updating.
D. WITHDRAWAL OF CLEARANCE
CBI clearances are withdrawn as a result of a Federal or
contractor employee no longer having a need to access CBI.
1. Periodic Review
All CBI accesses will be reviewed periodically to
minimize the number of people authorized access.
2. Removal From Access Lists
The names of employees who no longer need access to CBI
are removed from the CBI access lists. Access is terminated
under the following circumstances:
" termination of employment;
• termination of duties requiring access to CBI; and
« failure to attend the yearly briefing and pass the written
test explained in Section II, Education and Training.
E. CONTRACTOR EMPLOYEE ACCESS
1. Prerequisite
In 40 CFR Part 2, Section 2.301(h)(2) are laid out full
requirements before contractors can gain access to CBI. Once
these requirements are satisfied, the following internal steps
must be taken.
The respective program Project Officers shall notify the
CEPPO DCO immediately upon determining that a prospective
contract may require that contractors be granted access to CBI.
The following information must be furnished:
• The name of the prospective contractors and the location of
the contractor's facility.
• A copy of the Federal Register notification for contractor
access to CBI collected under the specific contract,
including the contract number (See 40 CFR Part 2 referenced
above).
14
-------�
A copy of the statement of work.
Whether the contractor's facility is to receive and store
CBI under the contract.
2.
Conditions
Contractors may not receive access to CBI until the
contractor meets the following conditions:
• Obtain CEPPO approval for access to CBI;
» Prepare and have CEPPO approve a security plan;
• Have the contractor site inspected and approved by CEPPO;
« Nominate and train a Contractor Document Control Officer
(CDCO), and a Contractor Document Control Assistant (CDCA)
acceptable to CEPPO.
3. Obtaining Approval
When access to CBI is necessary, the contractor must
complete a Request for Approval of Contractor Access to CBI, CBI
Form 11, (Appendix H). The form must explain the reasons CBI
access is necessary under the contract. The CEPPO WAM/DOPO must
forward the form and Contractor Information Sheet, CBI Form lla,
(Appendix H) to his/her Division Director, who will sign the form
as the requesting official and forward it and the information
sheet to the CEPPO DCO for review. The CEPPO DCO will then
forward the form and the information sheet to the PD Director for
final approval.
Upon receiving the requirements for contractor
employee access to CBI, the Contractor management will designate
employees proposed for access to CBI. CDCO will have the
designated employee(s) attend an initial briefing, pass a written
test, obtain signatures on the Authorization for Access to CBI
for Contractor Employees, CBI Form 3, (Appendix A). The
contractor employee names are then submitted to the WAM to be
included on the CEPPO authorized access list. See Figure 2,
Contractor Steps for Obtaining Access to CBI.
4.
Security Plan
The contractor must prepare and CEPPO must approve a
security plan for access to CBI at a location away from the CEPPO
headquarters facilities. Security plans must describe physical
security mechanisms at the contractor's site and procedures to be
followed by employees when handling CBI at the site.
15
-------�
Contractor Steps for Obtaining Access to CBI
Obtain Approval from Director, PD to access CBI
Prepare an Adequate Security Plan
^
Pass CEPPO DCO Inspection of Site
Obtain Approval of Contractor Employees as CDCO and CDC A
CDCO Brief and Test Employees on Security Procedures
I
Obtain Approval for Individual to Access CBI
Figure 2
16
-------�
The procedures described within this manual and the CBI
forms (note that since much of CEPPO's CBI is collected under
Clean Air Act authority, CEPPO uses the EPA's Office of Air
Quality Planning and Standards forms for Clean Air Act CBI) in
the appendices are intended to serve as guidelines for the
preparation of contractor security plans and need not be
incorporated verbatim in the plans. However, contractor security
plans must equal or surpass the security standards described in
this manual.
The following is an outline of a Security Plan.
• CDCO responsibilities
• Access procedures
• Accountability system
• Pending file system
• CBI storage
• CBI transfers
• CBI safeguards (including disaster prevention, preparedness,
and recovery plan)
• Security violations
• Education and training
• Computer security (if applicable)
The WAM/DOPO, in consultation with the CEPPO DCO, is
responsible for reviewing contractor security plans, discussing
any perceived deficiencies with the CEPPO PO and the contractor,
and sending a memorandum through the PO to the contractor either
approving or disapproving the security plan. In addition, the
WAM/DOPO, in consultation with the CEPPO DCO, must inspect and
approve contractor facilities before CBI can be received or
stored. All facilities authorized for CBI access are inspected
by CEPPO on an annual basis. If during an inspection or review
of the security plan, only minor problems are noted, the WAM will
work with the contractor to correct them. If there are major
deficiencies, the contractor may be given 30 days to correct the
deficiencies. The contractor shall conduct periodic internal
audits of its facilities, employees, and the CAA CBI security
system to ensure compliance with its security plan. Records of
17
-------�
such audits will be available upon request.
5 . Contractor DCO/DCA Requirement
Prior to the commencement of access to CBI, contractor
management must nominate contractor employees who will serve as
CDCO/CDCA and obtain approval by CEPPO. The CDCO/CDCA must be
trained in proper C3I handling procedures prior to being
assigned to their positions, according to the CEPPO CBI Security
Manual. The requirement that a CDCO be assigned before actual
access may begin applies even if access to CBI under the contract
is limited to the CEPPO headquarters facilities. The CDCO serves
as the liaison between CEPPO and the contractor on issues
relating to CBI and plays an important role in requesting and
maintaining access authorization for individual contractor
employees and in handling CBI . The CDCA is a back-up for the
CDCO.
6 . Completion of Contracts, Work Assignment's., or Task
Orders
Upon completion of the contract:, work assignment, or
delivery order, the CDCO must inventory ail CBI materials and
report the results to the WAM/DOPO. Within 30 days of
completion, the contractor must collect all CBI materials and
document control materials, including logs and control records
(see Sections IV and VII) and transfer them to the WAM/DOPO. The
WAM/DOPO will inventory and review the materials, determine
status, and initiate process for proper disposition of any
returned CBI materials.
7 . Authorized Access Lists
The contractor must maintain CBI Authorized Access
Lists: names of individuals with CBI access including test date,
and submit an updated list to the WAM/DOPO quarterly. The list
is used to ensure that only individuals with current CBI access
authority obtain materials from the CDCO.
8 . withdrawal o£ Access
When a contractor employee no longer requires access to
CBI, the CDCO will have the employee sign a Confidential
Agreement for Contractor Employees Upon Relinquishing CBI Access,
CBI Form 5, (Appendix B) . The CDCO will remove his name from the
authorized access lists, notify the WAM/DOPO of the deletion,
and forward a copy of CBI Form 5 to the WAM/DOPO.
F. SUBCONTRACTOR /CONSULTANT ACCESS
The program PO is responsible for notifying the public and
affected business of all subcontractors who require access to CBI
18
-------�
collected under the respective contracts. If this information is
known at the beginning of the contract, a Federal Register notice
must be published according to the guidelines as specified in the
Clean Air Act or other statutes applicable (see Section I).
The prime contractor is responsible for notifying CEPPO of
all subcontractors or consultants being used prior to releasing
any CBI to them. This also includes subcontractors or
consultants accompanying the prime contractor or EPA staff on
site visits. Figure 3 is a sample letter that must be prepared
and sent to affected businesses notifying them of who will have
access to their information submitted to CEPPO. A ten day
waiting period must be allowed before CAA CBI is disclosed to the
subcontractor/consultant.
19
-------�
Figure 3
SAMPLE NOTIFICATION OF SUBCONTRACTOR ACCESS TO CBI
Name of Recipient
Title of Recipient
Recipient's Address
Dear Mr./Ms. (Recipient's Last Name)
The United States Environmental Agency has authorized the following subcontractor to
access information that has been, or will be submitted to the EPA under section 112(r) of the
Clean Air Act (CAA) as amended (or applicable statute): list name and address of
subcontractor, consultant. Some of this infornation may be claimed to be confidential business
information (CBI) by the submitter. This subcontactor will be providing support to the EPA
under contract (list contract number) The prime contractor on this contract is (last name and
address of the prime contractor). Under the direction of the prime contractor, this subcontractor
will provide technical support to the Chemical Emergency Preparedness and Protection Office
(CEPPO)
The EPA is issuing this notice to inform all submitters of information under section 112(r)
of the CAA (or other applicable stutute) that the EPA may provide the above mentioned
subcontractor access to these materials on a need to know basis Notification of the prime
contractor's potential access to CBI was done through a previous Federal Register notice.
In accordance with 40 CFR 2.30l(h), the EPA has determined that the above
subcontractor requires access to CBI submitted to the EPA under sections 112(r) of the CAA (or
other statute) in order to perform work satisfactorily to the EPA under the above noted contract.
The subcontractor's personnel will be given access to this CBI information. The subcontractor's
personnel will be required to sign nondisclosure agreements and will receive training on
appropriate security procedures before they are permitted access to CBI. The above
subcontractor's clearance for access to CBI is scheduled to expire on (date).
Please provide any comments regarding the above subcontractor's access to CBI
submitted by your company within ten working days of your receipt of this letter. Comments
should be submitted to Dorothy McManus, Document Control Officer (or other appropriate
official), Chemical Emergency Preparedness and Prevention Office, Mail Code 5404, US EPA,
Washington, DC 20460..
Sincerely,
cc: Project Officer
David Speights
Associate Director
20
-------�
SECTION IV.
RECORDS MANAGEMENT FOR CEPPO CBI
A.
OVERVIEW
This section describes how Confidential Business Information
(CBI) either originated by CEPPO or its contractors as derivative
CBI or received as original CBI is identified, protected, logged,
controlled, and managed.
When any CEPPO employee or contractor employee receives or
otherwise obtains material containing or suspected of
containing CBI, he shall immediately ensure proper logging
and storage according to the procedures in this manual.
B.
INTENT
CEPPO must be able to trace the movement of CBI, identify
the persons with authorized access to it, detect its misplacement
and make prompt retrieval possible. CEPPO ensures these
objectives are accomplished by the maintaining of authorized
access lists and by monitoring the movement of CBI through manual
logs, records of receipt, usage, and transmission. All material
submitted to CEPPO and all material generated at CEPPO containing
information claimed to be CBI is covered in CEPPO's procedures.
C.
CEPPO CSI RECORDS MANAGEMENT SYSTEM
CEPPO's CBI records include the following components and
locations:
CEPPO RECORDS
• Records or documents obtained at chemical accident sites and
investigations, which may include materials claimed
confidential. These materials may be obtained by CEPPO
staff during field conditions or may be sent to CEPPO staff
in headquarters or regional offices.
• Elements of Risk Management Plans claimed as CBI by
facilities and submitted to EPA at its contractor-operated
Reporting Center. These materials may be logged out to the
CEPPO DCO at EPA headquarters, and in turn be accessed by
CEPPO headquarters staff; or to the DCO at EPA Regions; or
to other authorized federal staff (see 40 CFR Part 2,
Section 2.209(c)),- or to other users according to
regulations at 40 CFR Part 2 governing CBI.
• CBI held by authorized CEPPO contractors assisting EPA with
analysis of information containing CBI.
21
-------�
CEPPO's In-house CBI Control System
STORAGE SPACE
For the relatively small amount of CBI CEPPO expects to collect
or use temporarily in headquarters space, CEPPO maintains a CBI
secure room in its headquarters space in accord with physical
security measures specified in Section VIII. Other secure space
in CEPPO headquarters may also be used co store CBI, in accord
with measures in Section VIII.
LOG SYSTEM AND PROCEDURE
CEPPO maintains a manual paper log for all CBI received in CEPPO
headquarters.
CEPPO uses these forms {forms are Clean Air Act CBI forms)
for its CBI security system:
« Log in Inventory Sheets {for log in and tracking of all CBI)
(CAA CBI Form 12, Appendix I)
• CBI Control Record Sheets (for each CBI document, for record
of access by authorized staff {CAA CBI Form 1 {Appendix J)
• Custody Receipts (for transfer of material)
• Cover Sheets {for document protection/identification)
• Destruction and Declassification Logs
« Employee Authorized Access List
All documents containing CBI received in CEPPO headquarters,
either RMPs containing CBI transferred from the RMP reporting
center or documents related to accident investigation or
prevention, are immediately upon arrival in CEPPO logged onto
Inventory Sheets with the DCO or ADCO. The Inventory Sheets are
maintained in the CBI room. The log (itself non-CBI) includes
the following information:
Date received
Date of document
CBI control number
Project name
Document description
Provider identification
Transfer information
Destruction record
A brightly-colored Cover Sheet is attached to each document.
A Sample CBI Cover Sheet, CAA Forms 8 and 9 (Appendix F) is a
yellow sheet of paper inscribed with a claim of confidentiality
and handling instructions. The Cover Sheet conceals the front of
each document and should not be removed.
A file is created in the CBI Room for each document or group
of related documents. Each document is given a sequential number
22
-------�
(RMPs are logged in with an "RMP" prefix, investigation documents
with an "I" prefix, etc.; the year follows the letter
determination; and a sequential number follows the year). A CBI
Control Record Sheet is placed in each folder for each document.
Authorized staff sign out documents as working papers by
means of the Control Sheets, which remain in the folder in the
CBI Room as a permanent record of authorized personnel access.
The control sheet also contains reproduction, transfer,
declassification, destruction, and any other pertinent
information about the document. Each user of CBI must sign and
date the Control Record each time access is granted to a CBI
document. Authorized staff who sign out documents follow physical
storage and handling procedures specified in Section VIII.
When a CBI document is declassified or destroyed, the CBI
Control Record or register must be retained for a period of two-
years after the completion of a project or until the specific CBI
project file has been reconciled.
An inventory of CBI material is conducted at least once a
year, during which time each CBI file is reviewed and purged of
unneeded materials.
D.
CREATING CBI DOCUMENTS
All CBI and pending CBI documents generated by CEPPO will
be treated and protected as such until a CBI determination has
been made by the responsible Team Leader or manager, providing
organization (affected business) or OGC.
Documents and other materials generated by CEPPO or its
contractors that contain information from CBI documents are
sometimes CBI themselves.
1.
Working Papers
Newly created CBI is at first in the form of working
papers pending the creation of new CBI documents. The category
of CBI working papers includes materials such as notes and
outlines; initial drafts of documents; computations, drawings,
and diagrams; and pending documents. Working papers are labeled
as CBI, provided a CBI Control Record and Cover Sheet, stored in
secured space as described in Section VIII, and otherwise used
and handled like any other CBI document.
2.
Typing/Word Processing Requirements
The author of a CBI document may provide the document
to a typist who is authorized access to CBI. The typist must
return to the author the newly typed materials and the original
23
-------�
draft when typing is completed. All materials used in typing
documents containing CBI, including word processing disks and
waste paper, must be treated as CBI and submitted to the CBI room
for storage or destruction.
Any authorized staff including typists should not use
the Local Area Network (LAN) for preparation or storage of CBI
documents. Documents are to be prepared using the local version
of the word processing program on the hard drive of the personal
computer vs. the LAN version. Data, reports, etc., must be
stored on a floppy diskette and submitted to proper logging and
storage. Turn off the printer after printing the newly created
CBI document to ensure that all CBI is removed from the buffer of
the printer.
3 . Use in Meetings
The author of a CBI document may circulate copies of
the document at a meeting for discussion, if the author:
• Notifies the DCO, and reproduces any CBI documents according
to procedures in this manual;
« Attends the meeting and is present when the document is
discussed;
* Collects all copies of the document at the end of the
meeting; and
• Submits all copies of the document for destruction to the
CEPPO DCO after -he meeting.
The author must number the copies i.e., 1 of 6, 2 of 6
and number the pages and ensure that every page of each copy is
returned at the end of the meeting. All other procedures for
general access and meetings (Section V.E, CBI Disclosed at
Meetings General Requirements) must be followed when CBI
materials are circulated at meetings.
E. CREATING NONCBI DOCUMENTS
Materials produced from CBI need not be confidential.
Nonconfidential documents may be produced by deleting CBI from an
existing document or by masking or aggregating the CBI so that it
cannot be linked to its source.
1. Deleting or Replacing CBI
CBI can be replaced in a document with nonCBI data or
generic descriptive terms data or terms derived from CBI data but
that are not themselves CBI.
24
-------�
2.
Masking or Aggregating CBI
Team Leaders or Managers must be consulted in advance
by authors who wish to produce nonconfidential documents by
masking or aggregating CBI. Team Leaders or managers shall also
review all submissions of masked and aggregate material to ensure
that no CBI is exposed and approve the final nonCBI version.
3.
Dropping CBI Claim
NonCBI documents can also be created from information
submitted by a providing organization which drops its claim of
confidentiality, or for which EPA determines that the claim is
not valid.
In all instances, the Team Leader or manager is
responsible for ensuring that documents contain no CBI.
Materials produced using CBI must be treated as CBI until a
determination is made by the Team Leader or providing
organization.
P.
RELINQUISHING OF CBI STATUS
1.
Original CBI
If a providing organization relinquishes its claim of
confidentiality for original CBI, CEPPO staff must obtain a
written statement from the provider before the information can be
released to the public. Any original CBI no longer needed by
CEPPO is destroyed or returned to the business firm.
2.
CBI Created bv CEPPO
Documents created by CEPPO such as: site surveys, test
reports, telephone conversations, and meeting minutes are
forwarded to the affected business (providing organization) for
review of accuracy and confidentiality by the responsible Team
Leader or CEPPO staff. The responsible industry official is
requested by cover letter to review the report, clearly mark any
information considered to be confidential, and return the marked-
up report within the specified timeframe. The original is kept
in CEPPO until the marked copy is returned by the business firm.
When the reviewed, marked-up copy of the report is returned,
CEPPO will have the option of:
• protecting the whole document as CBI;
« creating a nonCBI version with all CBI removed by
aggregating or masking, and maintaining a complete CBI
version;
• creating a CBI addendum when indicated CBI is at a minimum;
or
• challenging the validity of the business1 claim through OGC.
25
-------�
I All revised final CBI documents roust be submitted to the
providing organization for review beforerelease to the public.
• If the report is determined to be accurate and
nonconfidential, the business firm will so note, or not
respond by the requested date.
" If the firm does not respond by the requested date, EPA
regards this as a waiver of any confidentiality claim to
factual information in the report and will proceed to
publication of the report.
G. DETERMINING CLAIM TO VALIDITY
To determine that a claim of confidentiality is valid,
EPA's Office of General Counsel (OGC) or an EPA Regional Counsel,
where appropriate, must render a final determination pursuant to
40 CFR, Part 2, Subpart B. That determination is made based on a
review of the submitter's responses to questions requesting
substantiation of the submitter's claims. If a claim is denied,
the information may not be released for 30 days, during which
time the providing organization may challenge EPA's determination
in a Federal District Court.
H. REPRODUCTION
This subsection details the procedures for controlling and
safeguarding CBI reproduction or other copying.
There is a risk of losing control over CBI whenever it ±8
reproduced in hard copy and disseminated. Copying of CBI
material is limited to the minimum extent possible.
1. CBI Material
Group Leaders or CEPPO authorized staff authorize the
reproduction of CBI materials. Authorized staff record the
number and distribution of reproduced copies. Contractor DCOs
must oversee all reproduction of materials at Contractor
facilities.
2. Equipment
Copy machines must be dedicated solely to CBI document
reproduction while CBI documents are being copied, and the
authorized CEPPO staff must directly supervise the machine while
the CBI materials are being duplicated. Only persons authorized
26
-------�
access to CBI being copied may be present while CBI materials are
being reproduced. After copying is finished, the operator must
pass three blank copies through the machine to ensure that any
impressions on the image surfaces of the machine have been
erased.
3.
Broken Equipment
If the equipment used for reproducing CBI materials has
a malfunction while in use, staff must inspect the machine's
paper path and image surface to retrieve any materials containing
CBI that are caught in the equipment before the repair person is
called.
I.
CDCO RECORD MANAGEMENT RESPONSIBILITIES
Contractor DCOs must comply with the aforementioned
requirements of this manual to ensure adequate safeguarding and
handling of CBI documents. CDCO may use sample CBI Forms or
design own in-house forms as long as required CEPPO information
is available.
1.
system.
2.
CBI Control Numbers
CDCOs may implement an internal CBI control numbering
CBI Inventories
CDCO must maintain an accurate nonCBI description of
each document. Any CBI no longer needed at their facility must
be returned to CEPPO.
3.
Reproduction
Copying of CBI by contractors is limited to working
papers, drafts of technical reports, drafts of trip reports,
meeting handouts, and similar temporary documents, or copying for
transmittal of CBI to other users outside EPA at the direction of
the DCO, in accord with Section VII. Copying must be done under
the direction and guidance of the CDCO.
27
-------�
SECTION V.
DISCLOSURE OF CBI
A. OVERVIEW
This section discusses minimum procedures required to ensure
the security of Confidential Business Information (CBI) during
authorized disclosures.
The holder of CBI (the person in possession of CBI) is
responsible for protecting it from persons not authorized
access to it. CBI shall not be left unattended; and when work
with CBI materials is completed or suspended, all materials
containing CBI (originals, drafts, memos, and notes) shall be
taken to authorized storage. Holders of CBI shall not allow
unauthorized persons to view CBI materials nor shall holders
discuss CBI with persons not authorized access to it.
B. DISCLOSURE TO OTHER FEDERAL. STATE OR LOCAL AGENCIES
EPA regulations at 40 CFR Part 2 allow disclosure of CBI to
another Federal agency (Section 2.209(c)) or State or local
agency (Section 2.301(h)(3)) in either of two circumstances:
• When the official purpose for which the information is
needed by the other agency is in connection with its duties
under any law for protection of health or the environment or
for specific law enforcement purposes; or
• When disclosure is necessary to enable the other agency to
perform a function on behalf of EPA.
In either circumstance, the PD Director must be notified
immediately via the DCO upon receipt of a request for documents
or information requiring access to CBI. In addition, the
procedures described below must be followed before CBI may be
disclosed to other agencies. These procedures do not apply to
disclosure of CBI to individual employees of other agencies
performing functions on behalf of CEPPO where access is confined
to CEPPO premises.
EPA may disclose CBI to other Federal, State or Local
agencies upon the written request of the requestor. Because of
the time needed for processing, the written request should be
directed to the PD Director at least 30 days prior to the time
access is needed. The request must be signed by an official of
the other agency who is at least equivalent in authority to a
28
-------�
Division Director. It should state specifically the information
to which access is requested. The official purpose for which the
CBI is needed should be set forth in detail as well as any other
pertinent information, such as previous efforts to obtain the
information. The need must be in connection with the agency's
duties under a law for the protection of public health or the
environment or for a specific law enforcement purpose.
CBI may be released to States or Local agencies with the
written permission from the submitter and in accord with 40 CFR
Part 2, Section 2.301{h){3} . Also, it may be possible to
aggregate data or sanitize documents containing CBI without
disclosing information claimed as CBI.
NOTE: Any TSCA and FIFRA CBI maintained in CEPPO may not be
disclosed to States.
1. Non-disclosure Agreement
In addition, as part of its written request, the other
agency must agree in writing (Appendix L) not to disclose further
any information designated as confidential unless it meets the
following conditions:
• It has statutory authority both to compel* production of the
information and to make the proposed disclosure and, prior
to the disclosure, it has furnished affected business with
at least the same notice that EPA would provide under its
regulations;
• It has obtained the consent of each affected business to the
proposed disclosure; and
• It has obtained a written statement from the EPA Office of
General Counsel or an EPA Regional Counsel that disclosure
of the information would be proper under EPA's regulations.
2. Notice to Affected Businesses
When disclosure is requested by another agency, CEPPO
must give the affected businesses at least 10 calendar days
notice before granting access to the other agency. Notice to the
affected businesses may be given by Federal Register, letter sent
by registered mail (return receipt requested), or telegram and
must include.
• The identity of the agency/contractor to which CBI is to be
disclosed;
« The official purpose for the access;
• Whether access is authorized only on EPA premises or also at
29
-------�
the other agency or contractor's facilities;
A non-confidential description of the specific information
to be disclosed; and
The period of time for which access to the CBI is
authorized.
3.
Before Approval
The PD Director will notify the requesting official of
the other agency acknowledging receipt of the written request and
will direct issue of required notice to affected businesses. The
PD Director will also notify the requesting official from the
other agency if approval is not granted.
4.
Before Disclosure
Before CBI may be disclosed, the PD Director must
notify the other agency that the information being disclosed is
classified as CBI, under which authority the information was
collected, and that any unauthorized disclosure of the
information may subject employees of the other agency to criminal
penalties (Chapter 8, Information Security. IRM Policy Manual
2100). Refer to Section VII of this manual for proper transfer
procedures,
C.
DISCLOSURE TO EPA CONTRACTORS AND SUBCONTRACTORS
EPA's regulations (40 CFR, Part 2, Section 2.301(h)(2),
allow disclosure of CAA CBI to contractors and subcontractors
when disclosure is necessary to enable the contractor to perform
work on a contract. Notice to affected businesses must be given
before CBI is disclosed to the contractor with the same
requirements as indicated above. The initial notice is usually
prepared by the CEPPO PO and is published in the Federal Register
notifying the public and affected businesses of OAQPS contractors
and subcontractors who will have access to CBI collected under
the Clean Air Act.
D.
DISCUSSING CBI ON THE TELEPHONE
Federal and contractor employees with CBI access may discuss
CBI on the telephone with other individuals who are authorized
access to the CBI. However, caution must be used because
interception of telephone communications is an easy means by
which unauthorized persons may obtain CBI.
The person initiating the discussion of CBI during a
telephone call is responsible for verifying that the other has
authorized access to the CBI. Access authority can be confirmed
by referring to the C3I Authorized Project Access List.
30
-------�
Interoffice communication systems (i.e., speaker phones) should
not be used to discuss CBI if conversations may be overheard by
unauthorized persons.
1. Telephone Memorandum
Federal and contractor employees shall complete a
telephone memorandum. Memorandum of CAA CBI Telephone
Conversation, CBI Form 6 (Appendix C) for all telephone calls in
which CBI is discussed. Telephone memorandums must be filed in
the appropriate file in the CBI secure room on the day of the
call or the following workday if the call was made after 4:00
p.m.
2. Telephone Calls With Providing Organizations
CEPPO employees, contractors and subcontractors may
discuss CBI from a providing organization with an employee of
that organization. Before discussion begins, the employees must:
• Verify the identity of the providing organization's employee
with whom they are speaking;
• Inform the providing organization's employee that the
telephone lines are not secured;
• Assure the providing organization's employee that a
telephone discussion of CBI with a Federal or contractor
employee does not constitute a waiver of any claim of
confidentiality; and
• Inform the providing organization's employee that any
further information provided in the telephone conversation
claimed as confidential will be properly safeguarded.
E. CBI DISCLOSED AT MEETINGS
CEPPO offices or its contractors that host or convene any
meeting (conference, symposium, seminar, exhibit, convention,
scientific, or technical gathering) of two or more people at
which CBI is disclosed shall take appropriate security measures.
The DCO shall be informed that a meeting is scheduled when CBI
materials must be reproduced for use at the meeting.
Requirements include, but are not limited to, those listed below.
1. Access
All persons attending the meeting must be cleared for
access to the specific CBI being presented and be positively
identified before CBI is revealed. If non-CEPPO personnel are
present, the meeting chairperson must provide a CBI Meeting Sign-
In Sheet, CAA CBI Form 7 (Appendix D) as a meeting record. The
31
-------�
following information shall be recorded: date, time, place,
chairperson, and subject. All persons attending the meeting must
sign this sheet. All sign-in sheets shall be filed in the secure
file for the CBI being discussed by the close of business or the
next business day after the meeting.
2. Chairperson'e Duties
The meeting chairperson is usually the person who
schedules and organizes the meeting. The chairperson is
responsible for ensuring {by referring to the CBI Authorized
Access Lists) that only persons authorized access to the specific
CBI to be discussed at the meeting are in attendance when the
discussion involves CBI. Non-cleared attendees must be excused
from the meeting by the chairperson before CBI is discussed. The
chairperson must also ensure that the meeting room is cleared of
all CBI materials after the meeting.
3. Notes or Recordings
The meeting chairperson must remind those in attendance
of their duty to treat any notes or recordings taken at the
meeting as confidential. These materials must undergo all CBI
security procedures.
4. Safeguarding
Notes, minutes, summaries, recordings, proceedings, and
reports on the CBI classified portions of the meeting must be
safeguarded and controlled throughout the meeting. Any CBI
material generated or received as a result of the meeting, as
appropriate, shall be forwarded to attendees by an approved means
of transfer when the meeting ends rather than being hand-carried
by attendees from the meeting site.
5. Controls
Physical and technical security controls shall be
established to control access. The meeting room shall be cleared
of all CBI materials after the meeting. This includes cleaning
all chalkboards, returning any unneeded CBI materials to the DCO
for destruction, and ensuring that nothing is left in the room
that could lead to the unauthorized disclosure of CBI.
32
-------�
SECTION VI.
CBI MARKINGS
A. OVERVIEW
This chapter explains how materials that have been claimed
as CAA CBI materials must be marked.
B. CBI STAMPS
Both original and derivative CBI documents are stamped on
the first and last page "Confidential" or "CBI."
C. COMPUTER OUTPUT
Documents produced by ADP equipment shall have at a minimum
their first page and their last page marked.
D. SPECIAL CATEGORIES OF MATERIALS
Markings are conspicuously stamped, printed, written or
affixed on classified material other than paper documents. If
this is not practicable, the containers of such material shall be
marked.
1. Charts. Maps, and Drawings
The markings on charts, maps, and drawings are
inscribed both at the top and the bottom of each document. When
the document is unfolded, the classification marking shall be
clearly visible on each folded portion. The marking must also be
visible when the document is rolled or folded for storage.
2. photographs. Films, and Recordings
Photographs must be marked as confidential. Their
containers are also marked. The markings on each transparency or
slide must be on the image and on the holder or frame.
Classified motion picture films and videotapes are marked at the
beginning and end with a clear statement of classification. The
containers or reels on which they are kept are also marked.
3- CBI Waste
Such documents and materials as rejected copy used in
working with confidential information shall be handled in such a
way that the information is adequately protected. Unless these
documents and materials are destroyed immediately, they must be
marked. Section X gives instructions for disposal and
destruction of CBI.
33
-------�
SECTION VII.
TRANSFERRING CUSTODY Of CBI
A.
OVERVIEW
This section describes how custody of Confidential Business
Information (CBI) is transferred. Before a transfer is
initiated, the CEPPO DCO or CDCO must verify the intended
recipient is authorized to access the specific CBI to be
transferred.
B. TRANSFERRING CBI TO/FROM EPA CONTRACTORS AND PROVIDING
PLANTS/FACILITIES
CBI documents may be transferred between CEPPO and
contractor DCOs or authorized persons at a providing plant or
facility. A CBI letter of transfer (Appendix M) shall be
prepared for the responsible CEPPO staff signature to initiate
the process of transferring CBI to the providing organization.
The WAM or employee delivers the letter of transfer along with
the CBI control number or sufficient information identifying the
CBI to be transferred. The letter of transfer and a custody
receipt are enclosed with the transferred CBI.
A checklist for transferring CBI to a facility is as
follows:
• Staff submits letter of transfer to Team Leader for
signature;
• A copy of letter of transfer and CBI control number is
retained in the CBI file;
• CEPPO authorized staff properly packages CBI including
letter of transfer; and
• Releases package to authorized contractor employee or mails
package via registered mail or Federal Express.
CBI is transferred from CEPPO to the contractor and from
the contractor to CEPPO. The Prime Contractor is responsible
for the transfer of CBI to their designated subcontractors or
consultants. NOTE: The DCO or WAM administratively handles
all transfers for CBI.
C.
TRANSFERRING CBI FROM CONTRACTORS TO CEPPO
CBI to be transferred to CEPPO should be identified and
instructions given to the CDCO to return the material to the
CEPPO DCO or the WAM. The material being transferred must be
34
-------�
listed on the CBI Custody Receipt, Appendix K. Under no
circumstances will contractors dispose of original CBI materials
that have been logged into the CEPPO System in any way other than
returning them to the WAM.
Direct transfer of CBI materials between contractor
employees is not permitted. CBI materials must be transferred
through the CDCO only.
D. TRANSFERRING CBI TO GOVERNMENT AND STATE AGENCIES OUTSIDE OF
EPA
Upon receipt of a request for CBI from a Government or State
entity outside EPA and after it is determined that disclosure of
the CBI is allowed (Section V), a letter to the requesting agency
is prepared for signature of PD Director to explain the
procedures that must be followed prior to release of the
information requested. A sample Letter to CBI Requestors Outside
of CEPPO is illustrated in Appendix M, and included along with
the letter shall be a Confidential Business Information Security
Agreement (Appendix L). The agreement must be signed by the
requesting agency official equivalent or superior to the PD
Director. By signing this agreement, the agency official agrees
to safeguard CBI in a manner comparable with EPA's procedures as
found in 40 CFR, part 2, Subpart B.
When the signed agreement is returned, it shall be forwarded
to the CEPPO DCO along with a Letter to Accompany CBI Transferred
Outside EPA (Appendix M). This letter will constitute direction
to the CEPPO DCO to transmit the CBI materials to the requestor.
The DCO will send the materials, the letter and the original and
one copy of a CBI Custody Receipt to the requestor.
E.
TRANSFER BETWEEN EPA CEPPO HO AND EPA REGIONAL OFFICES
All such transfers must be between CEPPO's DCO or ADCO,
if directed CDCO, and a DCO named by the Regional Office
(Division Director designation). All packaging and Custody
Receipt procedures apply to such transfers.
or
F.
CONFIDENTIAL BUSINESS INFORMATION SECURITY AGREEMENT
A Confidential Business Information Security Agreement
(Appendix L) must be signed by an official of a government entity
requesting transfer of CBI prior to transfer of custody. This
form requires the official of the receiving agency to verify that
the information will be safeguarded utilizing procedures
comparable to EPA's procedures for handling CBI found in 40 CFR,
Part 2, Subpart B.
35
-------�
G. PREPARATION AND PACKAGING
CBI materials to be transferred will be processed by the
WAM/DOPO, DCO or CDCO. The following guidelines set forth the
procedures for preparing and packaging CBI materials.
1. Inner and Outer Covers
Before CBI may be transferred or hand carried out of
contractor's or CEPPO HQ, the materials to be transferred must be
double wrapped with opaque paper. The inner cover must bear
markings that indicate the classification and instructions, "CBI
Confidential Business Information," and "To Be Opened by
Addressee Only." The person to whom the material is intended is
included in the address as an "Attention" line on the inner
envelope. Markings on the inner cover shall not show through the
outer cover.
2. Addressing
CBI being transferred from the CEPPO or its contractors
to another facility or being returned from a facility to the
contractor's or CEPPO HQ shall bear the name of the sending and
receiving DCO only in the address on the outer label. The outer
cover shall not bear any classification markings or other
indication that CBI information is enclosed. The return address
of the transferror is required on both the inner and outer
covers.
3. Packaging
Materials used in packaging CBI must be strong and
durable enough to provide protection in transit and prevent items
from protruding through the covers. Upon receipt, packages must
be inspected to ensure that the seals have not been broken.
H. CUSTODY RECEIPT
A CBI Custody Receipt (Appendix K) is included with all
transfers of CBI materials and prepared in triplicate. This form
provides the previous holder of CBI with proof of accountability
that the material was transferred and received. The recipient
signs and dates custody receipt, after verifying all materials
were received, forwards the original copy to sender and retains
the second copy for his/her records. The previous holder retains
the original copy as a record of the transfer. The third copy is
retained by the previous holder as a suspense copy until the
signed original is returned by the recipient, or the Domestic
Return Receipt from the U.S. Postal Service acknowledging receipt
of the document(s). {See Section IV, Records Management for
CEPPO CBI, for more information on accountability, control
records, and the CBI control numbers.)
36
-------�
I.
TRANSFER METHODS
CBI may be transferred or transported by the following
methods:
• Hand carried to another facility by an employee or
contractor employee who is authorized access to the CBI;
• U.S. Postal Service registered mail (return receipt
requested), Express Mail; or
• Private courier (Federal Express).
2.. Hand Carrying
Appropriately cleared CEPPO employees may be authorized
to hand carry CBI material between facilities (when traveling) if
the conditions outlined below are met.
" While traveling by plane or other public conveyance,
employees must keep CBI materials in their possession, and
should not check them with their luggage.
• When employees travel with CBI materials and are unable to
deliver or ship the CBI materials to a fa'cility authorized
to store CBI, they may store the materials for short periods
inside the locked trunk of a motor vehicle. CBI materials
may also be stored overnight in hotel safes, if a receipt is
obtained from the hotel management. Otherwise, CBI
materials must be kept in the possession of the traveler.
• The storage provisions for CBI are detailed in Section VIII.
Storage provisions for CBI shall apply to all stops en route
to a destination. CBI materials shall not be unwrapped
until the traveler's destination is reached. If the
materials are to be transferred to someone at that location,
they must immediately be taken to the local DCO and logged
into the local Document Tracking System.
« The DCO or CDCO shall log out CBI carried or escorted by
traveling personnel. CBI must be accounted for upon return
of materials by count and inspection of materials or by
inspection of receipts for materials, if delivered.
2.
Registered Mail
If CBI material is to be mailed, it must be prepared by
the WAM/DOPO, appropriate staff, DCO or CDCO for registered mail
(return receipt requested). Regular first class mail must never
be used to transfer CBI.
3.
Couriers and Express Mail
37
-------�
EPA and contractor employee couriers, commercial
couriers, and U.S. Postal Service Express Mail may be used in the
transmission of CBI.
38
-------�
SECTION VIII.
STORAGE OFCBI
A.
OVERVIEW
This section describes the minimum standards for the
physical safeguarding and storage of CEPPO's Confidential
Business Information (CBI).
B.
INTENT
Employees using CBI material are responsible for ensuring
that no unauthorized disclosures of that information occur. This
means that employees must either maintain constant control over
the CBI material in their possession or return it to authorized
secure containers.
C.
STORAGE EQUIPMENT SPECIFICATIONS
When not in use, CBI materials must be secured in approved
CBI storage containers. The type of container approved for CBI
storage is a metal file cabinet with bar hasp and three-way,
changeable combination lock.
"OPEN/CLOSED" magnetic signs shall be posted on each CBI
storage container to readily identify containers that are open or
locked, and to provide a visual spot checked and at the end of
the work day to ensure containers are properly secured. Storage
containers must be located within a room dedicated to CBI
security or, in CEPPO Headquarters space, in a room or suite with
a lockable entrance secured by a GSA approved, changeable
combination Simplex lock. All CBI storage containers and the
entry door shall be locked during the lunch hour and at the end
of each business day.
D.
PROCEDURES FOR LOCK COMBINATIONS
Since all storage containers are secured by combination
locks, the matter of combinations is important.
1. Changing Combinations
Combinations to security equipment shall be changed
only by cleared personnel having that responsibility.
Combinations shall be changed only under these circumstances:
• Whenever someone who knows the combination no longer
requires access;
• In the event of suspected compromise of CBI;
39
-------�
• When deemed necessary by the custodians; or
• At least once each year.
2. Granting Access to Combinations
Knowledge of combinations is limited to DCOs and CDCOs
Records of combinations must be protected as though CBI.
E.
EVACUATION PROCEDURES
In the event of a fire or other emergency (e.g., natural
disaster or civil disturbance) requiring evacuation of office
spaces, CBI shall be returned immediately to the CBI secure room
where it will be stored properly. Persons who are unable to
return CBI material in their possession to the secure storage
shall ensure that such material is safeguarded by covering it
from view and taking it with them. The employee must keep it
under personal observation at all times until it can be secured
in a facility approved for CBI storage.
F.
SAFEGUARDING CBI IN THE EVENT OF A DISASTER
A disaster plan is a little like insurance; we know we
should have it, it costs money, and we hope we never have to
use it!
A disaster plan is required by the Federal Emergency
Management Agency (FEMA) to ensure the safety of personnel and to
protect vital records. CEPPO and its contractors are required to
protect any records/documents affecting the legal and financial
rights of the Government and of the people affected by its
actions.
1.
Prevention
Procedural prevention relates to activities performed on a
day-to-day, month-to-month, or annual basis, relating to security
and recovery. It begins with assigning responsibility for
overall security of the organization to an individual with
adequate competence and authority to meet the challenges. The
objective of procedural prevention is to define activities
necessary to prevent various types of disasters and ensure that
these activities are performed regularly.
Physical prevention begins when a CBI storage site is
identified or constructed. It includes special requirements for
room construction, as well as fire protection for various
equipment. Special considerations include: computers, fire
detection and extinguishing systems, record(s) protection, air
40
-------�
conditioning, heating and ventilation, electrical supply,
emergency procedures, and storage specifications to protect CBI
records.
• The CEPPO DCO will conduct an annual site inspection of the
CEPPO Headquarters storage space to identify problem areas
and foster awareness of disaster prevention issues among the
staff.
2.
Preparedness
The CEPPO DCO will ensure that there are appropriate
supplies on hand to deal with immediate needs.
3.
Response
The DCO is responsible for directing all disaster
operations affecting damage or destruction of CBI records. All
of CEPPO staff {Directors, Team Leaders, POs, WAM/DOPOs and
employees) must be involved in order for the disaster plan to be
an effective one. Preventing, preparing for, and responding to
disasters has to be a team effort. We all have to be aware of
the issues, and integrate prevention and preparedness into our
daily routines and consciousness. In the event of a disaster, we
have to be able to pull together as a team and respond quickly
and effectively to protect Confidential Business Information.
The DCO will also evaluate the damage, plan and execute recovery
operations, and do post-disaster assessments.
41
-------�
SECTION IX.
CAA CBI COMPUTER SECURITY
NOTE: Computer security is difficult and expensive to
maintain. CEPPO personnel and its contractors should not use
CBI in an identifiable form in computer programs, if at all
possible. __^_
A.
OVERVIEW
CEPPO's collection of Risk Management Plans, a contractor
operated function, does not involve entry of any CBI into a
computerized system. All CBI associated with RMPs are submitted
to CEPPO and its contractors in paper form.
CEPPO or its contractors may include CBI in reports of
accident investigations or other chemical accident prevention
activities; those instances and procedures for their entry into
the computer environment are described in Section IV.
42
-------�
SECTION X.
DISPOSALAND DESTRUCTION
A.
OVERVIEW
The purpose of this section is to explain how Confidential
Business Information (CBI) must be disposed of or destroyed.
B.
INTENT
CBI that is of no use to CEPPO and not wanted by the
providing organization will be destroyed only under the
supervision of the DCO, CBI borrowed from TSCA or RCRA may not
be destroyed but must be returned.
C.
NOTICE OF INTENT TO DESTROY
The providing organization or owner of original CBI that is
no longer needed by CEPPO must be informed of the intent to
destroy the material. This notice is given to allow the owner an
option to reclaim the materials or have CEPPO destroy them.
D.
ORIGINAL CBI
Under no circumstances will contractors dispose of
original CBI materials that have been logged into CEPPO's
manual log in any way other than returning them to CEPPO HQ.
WAM/DOPOs or the responsible Team Leaders or managers shall
initiate the process for destruction or disposal (return to the
providing organization) of original CBI material. The materials
must be identified for destruction. The WAM, Team Leader or
manager, with oversight from the DCO, will destroy specified
documents and maintain a record of all destroyed documents. At
no time shall destruction of CBI material take place without
proper authorization from the WAM/DOPO or providing organization.
E.
DERIVATIVE CBI
Authors of derivative CBI (CBI created from original CBI)
may destroy their work that contains CBI under the direction of
the DCO, the WAM, or the Team Leader or manager.
F.
CBI WASTE
Waste material including handwritten notes, sheets of carbon
paper, diskettes, and working papers that contain CBI must be
destroyed under the direction of the DCO, WAM/DOPO or Team
43
-------�
Leader. No record of destroying this type of material need be
kept.
G.
RECORDS OF DESTRUCTION
Records of destruction are required for CBI materials. When
a document is destroyed, the WAM/DOPO, Team Leader or manager,
DCO or the CDCO must indicate on the CBI Control Record, CAA CBI
Form 1 (Appendix J) the destruction date, person destroying
document, and attach documentation authorizing the destruction to
the CBI Control Record.
The control records of destroyed documents must be retained
for audit purposes in accordance with records management
requirements, and for contractor-held records, the CDCO shall
submit the list of destroyed documents with the annual inventory
and upon completion of the contract.
H.
METHODS OF DESTRUCTION
CBI documents and material shall be destroyed in a manner
that precludes recognition or reconstruction. In general, CBI
materials are destroyed by one of two methods: shredding
{including any type of paper substance) or burning (including
microfiche, typewriter ribbons, diskettes, and data tapes).
44
-------�
SECTION XI.
CAA CBI SECURITY VIOLATIONS
A.
OVERVIEW
This section sets forth the procedures to be followed
whenever Confidential Business Information (CBI) security
procedures may have been violated.
B.
RESPONSIBILITY OF DISCOVERER
Any CEPPO employee who is either aware of actual or possible
violations regarding loss of CBI materials or unauthorized
disclosures must report immediately this information to the DCO.
C.
VIOLATIONS OF THIS MANUAL
All alleged violations of this manual's procedures shall be
investigated, even if there is no evidence of a lost document or
unauthorized disclosure.
D.
PRELIMINARY INQUIRY
The PD Director will have the CEPPO DCO conduct a
preliminary inquiry into the circumstances surrounding an actual
or possible compromise. The findings of this inquiry, undertaken
to determine if a compromise did occur, are to be given to the
PD Director for evaluation.
E.
INVESTIGATION
The PD Director may direct the DCO to conduct a full
investigation based on the results of the preliminary inquiry.
An investigation shall include the following:
• A complete identification of each item of CBI involved.
• A thorough search for the CBI.
• Identification of any persons or procedures responsible for
the compromise.
• A statement that a compromise did occur, may have occurred,
or did not occur, and an estimate of the risk of damage to
the affected business.
F.
A thorough discussion of all facts uncovered.
REPORTS AND FINDINGS
45
-------�
Investigative reports shall include, if possible, the
document date, subject, name and address of the originator, and a
description of the material.
1 . Finding of No Damage
If it is determined that compromise could not
reasonably be expected to cause identifiable damage to the
affected business the report of the preliminary inquiry will be
sufficient to resolve the incident and, if appropriate, support
the administration of disciplinary action.
2 . Lost
If a document is lost or missing, the report should
include the time, date surrounding the loss; and the steps taken
to locate the material. If possible, the person responsible for
the loss should be identified.
3. Compromise
Where a compromise is believed to have occurred, a
narrative statement by the involved CEPPO staff should detail the
circumstances, the identity of the unauthorized person (s) who had
or may have had access to the material, the steps taken to
determine whether a compromise did in fact occur, and the Team
Leader, manager's or WAM/DOPO's evaluation of the importance of
the material.
4 . Finding of pam^ge
If it is determined that the probability of
identifiable damage to the affected company cannot be ruled out,
the PD Director shall notify the affected business that the
materials claimed as CBI are not in account and that there is
reason to believe the information may have been disclosed to
individuals not authorized for access to it. Written notice to
the affected business must contain a description of the CBI in
question and the date of the disclosure.
G. RESULTING ACTIONS
After receiving an inquiry and/or investigation report, the
PD Director will notify appropriate Division Directors of the
report findings and recommend actions in keeping with the EPA
Conduct and Discipline Order. Division Directors are responsible
for imposing punitive measures as deemed necessary.
1. Violations Subject to Punitive Measures
Employees may be subject to punitive measures if they
do any of the following:
46
-------�
Compromise CBI through negligence;
Knowingly and willfully violate any provisions of this
manual; or
Knowingly and willfully, and without authorization, disclose
properly classified CBI.
2.
Punitive Measures
Punitive measures for security violations include, but
are not limited to, warning notice, admonition, reprimand,
termination of authorization for access to CBI, suspension
without pay, forfeiture of pay, removal, discharge, or legal
charges. These measures will be imposed in accordance with
applicable law and EPA regulations.
47
-------�
SECTION XII.
CBI DEFINITIONS
Access: The ability and opportunity to gain knowledge of CBI in
any manner whatsoever. Access to CBI by individuals not
authorized according to procedures in Section III must be
reported as a security violation.
Affected Business: Any providing organization that could be
affected adversely by the unauthorized disclosure of its CBI.
Authorized Person: Any person duly authorized pursuant to CEPPO
procedures to have access to CBI.
CBI Control Number: Unique number assigned by the DCO to any
document received or generated in CEPPO Headquarters that
contains CBI.
Confidential Business Information (CBI): Any documentary or
nondocumentary information, in any form, received by CEPPO from a
person, firm, partnership, corporation, association, or local,
State or Federal agency that relates to trade secrets or
commercial or financial information and that has been claimed as
confidential by the person submitting it under the procedures in
40 CFR, Part 2, Subpart B.
Contractor: Any person, association, partnership, corporation,
business, educational, institution, governmental body or other
entity that performs work under a contract with the United States
Government.
Contracting Officer (CO): EPA delegated official with the
authority to enter into contracts on behalf of the EPA. The CO
has sole authority to sign contracts, obligate funds for a
contract, issue work assignments, modify contract terms or
conditions, and terminate a contract.
Custody: Formal responsibility for controlling access to CBI
according to the procedures found in this manual.
Derivative CBI: Confidential Business Information created by
incorporating, paraphrasing, restating, or generating a new form
of the information.
Document: Any recorded information regardless of its physical
form or characteristics, including, without limitation, written
or printed materials; data processing cards, disks, and tapes;
maps; charts; photographs; paintings; drawings; engravings;
sketches; working notes and papers; reproductions of such items
by any means or processes; and sound, voice, or electronic
48
-------�
recordings in any form.
CEPPO Secure CBI Room: Secured interior room at CEPPO
headquarters where CBI is stored.
Document Control Officer: A Government employee designated by
the Division Director to oversee the CEPPO CBI program.
Employee: Any person employed by EPA on a full-time or part-time
basis in accordance with the procedures of the Office of
Personnel Management. (This definition does not include
contractors, grantees, or their employees.)
Federal Agency: Any organization or entity composed of United
States officers or employees except for Federal courts and
Congress.
Holder: A Federal employee or contractor employee who is
authorized access to CBI, and is currently in possession of the
CBI.
Original CBI: Confidential business information in its original
form as submitted by a providing organization or as recorded
during a visit to the providing organization.
Project Officer (PO) .- EPA's primary technical representative of
the CO for a contract. Responsibilities include: evaluating
contractor proposals; assisting in writing statement of work;
reviewing contractor progress reports; reviewing contractor
requests and recommending approval or disapproval to the CO; and
assisting the CO in the resolution of problems associated with
contractor performance.
Subcontractor: A contractor that provides a portion of the level
of effort on a contract through a contractual agreement with the
prime contractor. The EPA's contractual agreement is with the
prime contractor, not the subcontractor.
Violation: The failure to comply with any provision of these
procedures, whether or not such failure leads to actual
unauthorized disclosure of CBI.
Work Assignment Manager/ Delivery Order Project Officer
(WAM/DOPO): An EPA program official who monitors a specific work
assignment written under a contract. The WAM/DOPO develops the
statement of work for specific work assignments or task orders
and monitors the technical performance of the contractor.
49
-------�
SECTION XIII.
GLOSSARY OF ACRONYMS
ACRONYMS
AAL
ADP
CAA
CERCLA
CBI
CDCA
CDCO
CEPPO
CFR
CWA
DCO
EPA
FEMA
FIFRA
GAO
LAN
DIG
OGC
OSWER
PC
PD
Authorized Access List
Automatic Data Processing
Clean Air Act
Comprehensive Environmental Response,
Compensation and Liability Act
Confidential Business Information
Contractor Document Control Assistant
Contractor Document Control Officer
Chemical Emergency Preparedness and
Prevention Office
Code of Federal Regulations
Clean Water Act
Document Control Officer
United States Environmental Protection Agency
Federal Emergency Management Agency
Federal Insecticide, Fungicide and
Rodenticide Act
General Accounting Office
Local Area Network
Office of the Inspector General
Office of General Counsel
Office of Solid Waste and Emergency Response
Personal Computer
Program Development
50
,
-------�
RCRA
RMP
TSCA
WAM/DOPO
Resource Conservation and Recovery Act
Risk Management Plan
Toxic Substances Control Act
Work Assignment Manager/ Delivery Order
Project Officer
51
-------�
SECTION XIV.
APPENDICES
[N.B. As most of CEPPO's CBI is collected under Clean Air Act
authority, CEPPO uses CAA Forms]
APPENDIX
A
B
D
E
F
H
TITLE
Authorization for Access to CAA CBI for
Federal Employees, CAA CBI Form 2
Authorization for Access to CAA CBI for
Contractor Employees, CAA CBI Form 3
Confidentiality Agreement for United States
Employees Upon Relinquishing CAA CBI Access
Authority, CAA CBI Form 4
Confidentiality Agreement for Contractor
Employees Upon Relinquishing CAA CBI Access
Authority, CAA CBI Form 5
Memorandum of CAA CBI Telephone Conversation,
CAA CBI Form 6
CBI Meeting Sign-In Sheet, CAA CBI Form 7
CBI Markings
Sample Confidential Business Information
Cover Sheet, CAA CBI Form 8
Pending CAA Confidential Business Information
Cover Sheet, CAA CBI Form 9
Request, Approval, and Registration for CAA
C3I Computer Access, CAA CBI Form 10
Request for Approval of Contractor Access to
CAA CBI, CAA CBI Form 11
Contractor Information Sheet-Contractor CAA
CBI Access/Transfer, CAA CBI Form lla
CAA CBI Inventory Log, CAA CBI Form 12
CAA CBI Pending Log, CAA CBI Form 13
CAA Confidential Business Information Control
Record, CAA CBI Form 1
52
-------�
K
L
M
CAA CBI Custody Receipt
Confidential Business Information Security
Agreement
Sample CAA CBI Transfer Letters
53
-------�
APPENDIX A
1. AUTHORIZATION FOR ACCESS TO CAA CBI FOR FEDERAL EMPLOYEES
FULL NAME
SSN
POSITION
OFFICE
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision
who require access to CAA CBI:
1. Sign the Confidentiality Agreement for EPA Employees
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
SIGNATURE OF AUTHORIZING
OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES
I understand that 1 will have access to certain Confidential Business Information submitted to EPA or its
authorized representatives under the Clean Air Act (CAA). This access is granted in accordance with my
official duties as an employee of the Environmental Protection Agency.
I understand that CAA CBI may not be disclosed except as authorized by CAA and Agency regulations. I
understand that I am liable for a possible fine of up to $1,000 and/or imprisonment for up to 1 year if I
willfully disclose CAA CBI to any person not authorized to receive it. In addition I understand that I may
be subject to disciplinary action for violation of this agreement with penalties ranging up to and including
dismissal.
I agree that I will treat any CAA CBI furnished to me as confidential and that I will follow the procedures
set forth in the CAA Confidential Business Information Security Manual.
I have read and understand these procedures.
SIGNATURE
TELEPHONE NO.
DATE
HAVING COMPLETE REQUIRED TRAINING AND PASSED REQUIRED TEST,
THE ABOVE-NAMED EMPLOYEE IS HEREBY AUTHORIZED TO HAVE ACCESS
TO CAA CBI.
SIGNATURE DCO
TELEPHONE NO.
DATE
* Must be Division Director (or equivalent) or above.
CAA CBI Form 2 (Rev. 9/98)
54
-------�
FULL NAME
SSN
POSITION
CONTRACTOR
SIGNATURE OF AUTHORIZING
OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
I. AUTHORIZATION FOR ACCESS TO CAA CBI FOR CONTRACTOR EMPLOYEES
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her supervision
who require access to CAA CBI:
I. Sign the Confidentiality Agreement for EPA Employees
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
II. CONFIDENTIALITY AGREEMENT FOR CONTRACTOR EMPLOYEES
I understand that I will have access to certain Confidential Business Informa'tion submitted to EPA or its
authorized representatives under the Clean Air Act (CAA). This access is granted in accordance with my
official duties as an employee of the Environmental Protection Agency contractor
I understand that CAA CBI may not be disclosed except as authorized by CAA and Agency regulations. I
understand that I am liable for a possible fine of up to $1,000 and/or imprisonment for up to 1 year if I
willfully disclose CAA CBI to any person not authorized to receive it. In addition I understand that I may-
be subject to disciplinary action for violation of this agreement with penalties ranging up to and including
dismissal.
I agree that I will treat any CAA CBI furnished to me as confidential and that I will follow the procedures
set forth in the CAA Confidential Business Information Security Manual.
I have read and understand these procedures.
SIGNATURE
TELEPHONE NO.
DATE
IIL HAVING COMPLETE REQUIRED TRAINING AND PASSED REQUIRED
TEST, THE ABOVE-NAMED EMPLOYEE IS HEREBY AUTHORIZED TO HAVE
ACCESS TO CAA CBI.
SIGNATURE CONTRACTOR
DCO
TELEPHONE NO.
DATE
CAA CBI Form 3 (Rev. 9/98)
Must be Contractor Management
55
-------�
Appendix B
&
US Environmental Protection Agency
Washington, DC 20460
Confidentiality Agreement for Federal Employees
Upon Relinquishing CAA CBI Access Authority
In accordance with my official duties as an employee of the United States, I have had access to.
Confidential Business Information under the Clean Air Act (CAA) (42 U.S.C. 1857 et seq.). I
understand that CAA Confidential Business Information may not be disclosed except as
authorized by CAA or Agency regulations.
I certify that I have returned all copies of any materials containing CAA Confidential Business
Information in my possession to the OAQPS CBI Office.
I agree that I will not remove any copies of materials containing CAA Confidential Business
Information from the premises of the Agency upon my termination or transfer. I further agree
that I will not disclose any CAA Confidential Business Information to any person after my
termination or transfer.
I understand that as an employee of the United States who has had access to CAA Confidential
Business Information, under 18 U.S.C. 1905,1 am liable for a possible fine of up to $1,000
and/or imprisonment for up to one year if I willfully disclose CAA Confidential Business
Information to any person.
If I am still employed by the United States, I also understand that I may be subject to
disciplinary action for violation of this agreement.
I am aware that I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made any
statement of material facts knowing that such statement is false or if I willfully conceal any
material fact.
Name (Please type or print)
SSN
Signature
Date
CAA CBI Form 4 (Rev. 6/95)
56
-------�
f
'i
UJ
O
Environmental Protection Agency
Washington, DC 20460
CONFIDENTIALITY AGREEMENT FOR
CONTRACTOR EMPLOYEES UPON
RELINQUISHING CAA CBI ACCESS AUTHORITY
Name of Employer
Contract Number
As an employee of the contractor/subcontractor named above
performing work for the United States Government, I have been
authorized access to Confidential Business Information (CBI)
submitted under the Clean Air Act (CAA) (42 U.S.C. 1857
et.seq.). This access authority was granted to me in order to
perform my work under the contract number cited above.
I understand that CAA CBI to which I have had access under the
contract may not be used for any purposes other than for
performing the contract. I also understand that CAA CBI may
not be disclosed except as authorized by CAA or EPA
regulations.
I certify that I have returned all copies of CAA CBI materials
in my possession to my company Document Control Officer.
I agree that I will not remove any copies of materials
containing CAA CBI from the premises of my company or from EPA
premises upon my relinquishment of CAA CBI to any person after
my relinquishment of CAA CBI access authority.
I understand that as a contractor employee who has been
authorized access to CAA CBI, I may face criminal prosecution
if I willfully disclose CAA CBI to any person.
If I am still employed by the contractor, I also understand
that I may be subject to disciplinary action for violation of
this agreement.
I am aware that I may be subject to criminal penalties under 18
USC Section 1001 if I have made any statement of material facts
knowing that such statement is false or I willfully conceal any
material fact.
NAME (Please type of print)
Social Security Number
Signature
Date
CAA Form 5 (Rev. 6/95)
57
-------�
APPENDIX C
US Environmental Protection Agency
Washington, DC 20460
MEMORANDUM OF CAA CBI
TELEPHONE CONVERSATION
I. EMPLOYEE IDENTIFICATION
Name of Employee
Date
Organization
Time
II. SECOND PARTY IDENTIFICATION
Call is:
D To
D From
Name
Number
Organization
III. Concerning What CAA CBI?
IV. Content of Conversation: (CONTINUE ON SEPARATE SHEET)
CAA CBI Form 6 (Rev 6/95)
58
-------�
Appendix D
.tftosr^ U.S. Environmental Protection Agency
•° ^. Washington, DC 20460
1" ^^ \
f xS0Z ^ CAA CBI MEETING SIGN-IN SHEET
VTT^
^ PRO^°
CHAIRPERSON
MEETING PLACE (ROOM, BUILDING, CITY. STATE)
DATE
TIME
SUBJECT OF MEETING
NAME (Print)
Signature
«
ORGANIZATION
THIS SIGN-IN SHEET MUST BE GIVEN TO THE CBI MANAGER
CAA CBI Form 7 (Rev 6/95)
59
-------�
APPENDIX E
CAA CBI MARKINGS
"SUBJECT TO CONFIDENTIALITY CLAIM"
"TO BE OPENED BY ADDRESSEE ONLY"
'CBI -- CONFIDENTIAL BUSINESS INFORMATION"
DETERMINED CONFIDENTIAL BY EPA"
'DESTROYED BY
DATE
60
-------�
APPENDIX F
Contractor Control No,
EPA Control No.;
Copy No. :_
CAA
CONFIDENTIAL
BUSINESS INFORMATION
The attached document contains data claimed to be confidential
business information (CBI) under the authority of the Clean Air
Act (CAA) as amended (42 U.S.C. 7401, 7411, 7412, 7414, 7416,
7601). CBI may not be disclosed or copied for release to
another party. Any excerpts or summaries must also be treated
as CBI. If you willfully disclose CAA CBI to any person not
authorized to receive it, you may be liable for a disciplinary
action with penalties ranging up to and including dismissal.
In addition, disclosure of CAA CBI or violation of security
procedures may subject you to a fine of up to $1,000.00 and/or
imprisonment for up to one year.
DO NOT DETACH
CAA CBI Form 8 (Rev. 6/95)
61
-------�
Contractor Control No.:
EPA Control No.:
Copy No. :.
CAA
CONFIDENTIAL
BUSINESS INFORMATION
PENDING
The attached document contains data claimed to be confidential
business information (CBI) under the authority of the Clean Air
Act (CAA) as amended (42 U.S.C. 7401, 7411, 7412, 7414, 7416,
7601}. CBI may not be disclosed or copied for release to
another party. Any excerpts or summaries must also be treated
as CBI. If you willfully disclose CAA CBI to any person not
authorized to receive it, you may be liable for a disciplinary
action with penalties ranging up to and including dismissal.
In addition, disclosure of CAA CBI or violation of security
procedures may subject you to a fine of up to $1,000.00 and/or
imprisonment for up to one year.
DO NOT DETACH
CAA CBI Form 9 (Rev. 6/95)
62
-------�
APPENDIX G
/A\
1 vBfe I
\^
U.S. Environmental Protection Agency
Washington, DC 20460
Request, Approval, and Registration
for CAA CBI Computer Access
I . Request for CAA CBI Computer Access
1. Name (Last, First, MI)
3 . System and Data Base
2. Requestor (Office/Division/Branch)
to Be Accessed
4 . Describe fully the duties that require access to each system
S. Signature of Requesting Official (Division 6. Date
Director or above)
II. Computer Room DCA Approval
1 . Date Received 2 . S
1 . Date Received 2 . I-
Acces
H r
4 . Signature DCO
>ignature of Computer Room DCA
III. DCO Approval
[olds Current CAA CBI 3. Approved
s • D Yes
G Yes (Explain
to
On back)
D No
CAA CBI Form 10 (Rev. 6/95)
63
-------�
APPENDIX H
XvX
\
U.S. Environmental Protection Agency
Washington, DC 20460
REQUEST FOR APPROVAL OF
CONTRACTOR ACCESS TO CAA CBI
Requesting Official
Signature
Date
Title and Office
Contractor and contract number
EPA Project Officer
EPA Contracting Officer
i. Brief Description of contract, including purpose, scope, length, and other important details.
{Continued Ott theiiifeack;*?! this'Iorm iferiecessaryhf li ;
II, What CAA CBI wilt be required, and why?
(Continued on back if necessary)
JIL Will computer access to CAA: CBI beirequired by the contract?
;-:;:;s; :;i:; |f :;so, why anilto what extent onfthe back of this form
Approved (Signature)
Date
CAA CBI Form 11 (Rev. 6/95)
64
-------�
Appendix H
CONTRACTOR INFORMATION SHEET
CAA CBI ACCESS/TRANSFER
1. Contractor
Address :
2.
3. Contract #:
4. Is this a renewal of a previous contract? Yes H No
5. Previous contact number:
6. EPA Project Officer
7. EPA Contracting Officer.
8. EPA Work Assignment Manager:
Phone: Room:.
9. Contractor Project Officer:
Mail Code:
10. Description of duties to be performed by contractor that require CAA CBI access:
11. Type(s) of data to be transferred/disclosed:
12. Will CBI be transferred offsite under this contract? Yes G No D
13. If so, to where? 14.
Have contractor security plan and facilities been approved by the OAQPS OCO? Yes !2 No C:
1 5. If so, date of test site inspection:
16. Date access scheduled to commence:,
17. Contract expiration date:
18. Is computer CBI access needed under this contract? Yes
19. Has computer access been approved? Yes Z No Z
CAA CBI Form 11a (Rev. 6/95)
No
65
-------�
— ~
X
•5
c
O>
o.
o.
<
03
10
o
ISI
O
•OJ
3
e
3
•s
JS
1
t/>
s
5
S
Z
c
'ft)
5
u
1
V
o
O
^ 0
c 0 c
§> -J -2
?o > 1
g£ cc 1
.— ^T —^ O
"S ° =
ajtN i_ —
& 5 I
(D g > 5)
IS 2 co
E| «
f— -t- 'J
l| 5 £
'>§ (J T3
c ^^ *:
UJ -^ c
d 0
0*3^
/-«%
fe ^gsJ o
o %n ?
\ W #
*>, 4?
"^-VHROTW*
>
SE
zS
*Q
_c
•o
'o
Ew
Q. »
O
CBI
Control Number
-o
<£$
ro'5
Q n^
(U
cc.
-------�
to
o
p*
q
Lu
£
6
§
(/3
~n
O
53
z
':C
B
[J
o
c
1
O
CD
. 0
U 1
c —1 c
0> O
Is i I
.2-* tfC o
og — "c
2 Q «
oU *-J «
«t°. Z i
2§ UJ |
g» Q_ m
E| «
l| DO I
I5 o l
o
Cfl •* &
^VlRO^
>.
O
DC
C
t o
to'f
•o a
'§"«
£ CO
Q. CO
a
CBI
Control Number
•o
QJ
£.>
to
CO
0
oc
CO
o
u.
m
u
u
-------�
APPENDIX J
CAA CONFIDENTIAL BUSINESS INFORMATION
CONTROL RECORD
DATE RECEIVED:
DATE OF DOCUMENT:
RESPONSIBLE BRANCH:
DOCUMENT AUTHOR:
CONTROL NUMBER:
DESCRIPTION (Providing organization, title, subject, number of copies and number of pages)
RETURN DATE:
DESTRUCTION DATE:
INITIALS:
Each person given access to this document must fill in the information below
CHECK-OUT
SIGNATURE
DATE
TIME
CHECK-IN
SIGNATURE
DATE
TIME
CAA CBI Form 1 (Rev. 6/95)
68
-------�
APPENDIX K
US Environmental Protection Agency DATE:
Chemical Emergency Preparedness and Prevention Office
Mail Code - 5104 SENT VIA: 401 M
Street, S.W.
Washington, D.C. 20460
RECEIPT:
CONTACT:
CBI CUSTODY RECEIPT
TO: FROM: Document Control Officer
Dorothy McManus
U.S. EPA/OSWER/CEPPO/PD
401 M Street S.W.
Washington, DC 20460
INSTRUCTIONS:
1 . Original of this receipt to be signed by recipient and returned to sender.
2. Duplicate of this receipt to be retained by recipient.
CBI CONTROL NO.
COPY NO.
DESCRIPTION OF MATERIAL
1 have personally received material, enclosures, and attachments as identified above. 1 assume full responsibility for
the safe handling, storage, and transmittat of this material in accordance with existing Confidential Business
Information regulations.
DATE RECEIVED: SIGNATURE OF RECIPIENT:
APPENDIX L
69
-------�
CONFIDENTIAL BUSINESS INFORMATION
SECURITY AGREEMENT
In requesting information claimed to be business confidential from the Chemical Emergency
Preparedness and Prevention Organization, I agree to safeguard this information according to
( Name of Agency }'s procedures comparable to EPA's procedures for handling
Confidential Business Information as found in 40 CFR, Part 2, Subpart B, Confidentiality of Business
Information. I further agree that access will be limited to only those persons in our organization having
a "need to know," that the information will be kept in a secure storage container (e.g., a lockable file
cabinet) while it is in our custody, that a record of persons accessing the information be maintained, and
that it will be returned to CEPPO at the conclusion of our project.
Name, Title (Please Type or Print)
Signature
Date
APPENDIX M
70
-------�
LETTER TO ACCOMPANY CBI TRANSFERRED
OUTSIDE CEPPO
Mr. Agency Official
Federal Government Agency
1108 14th Street
Washington, D.C. 20460
Dear Mr. Agency Official:
Your security agreement associated with the request for access to (describe
information) has been received. We are therefore releasing the enclosed Confidential
Business Information to your custody. Please sign the attached Custody Receipt and
return to:
Dorothy McManus
Document Control Officer
(Or Alternate DCO)
Sincerely,
David Speights
Associate Director
Enclosures
APPENDIX M
71
-------�
LETTER TO CBI REQUESTERS OUTSIDE CEPPO
Mr. Agency Official
Federal Government Agency
1168 14th Street
Washington, D.C.
Dear. Mr. Agency Official:
(Cite the name of local contact of letter of request) indicates that you want a
copy of certain information in our Confidential Business Information(CBI) files. Please
be advised that our long-standing policy is to release CBI to only those persons duly
authorized to have access. Since we have not previously granted clearance for access
to CBI information to you or anyone in your organization, we request assurance that
this information will be handled according to applicable federal regulations. To provide
a record of your agreement to safeguard the information, we require that you sign and
return the accompanying CBI Security Agreement. We will release the requested
information to you upon receipt of this agreement.
Sincerely,
David Speights
Associate Director
72
-------� |