United States
Environmental Protection
Agency
Office of Air Quality
Planning and Standards
Emission Standards Division (MD-13)
Research Triangle Park, NC 27711
EPA 453/B-95-002
June 1995 Edition
CLEAN AIR ACT
CONFIDENTIAL BUSINESS
INFORMATION
SECURITY MANUAL
U.S. Environmental Protection Agency
Office of Air Quality Planning and Standards (MD-13)
Research Triangle Park, NC 27711
June 1995 (Revised Version)
TABLE OF CONTENTS
I. PURPOSE, SCOPE, AUTHORITY, AND RESPONSIBILITY
   A. Purpose
   B. Scope
   C. Authority
   D. Responsible Officials
      1. Director, OAQPS
      2. Director, Emission Standards Division
      3. OAQPS Program Project Officers
      4. OAQPS Document Control Officer
      5. OAQPS Documents Control Assistants
      6. OAQPS CBI Manager
      7. OAQPS Group Leaders
      8. OAQPS Work Assignment Managers
      9. Employees
      10. Contractor Document Control Officers
II. EDUCATION AND TRAINING
   A. Overview
   B. Initial Briefing
   C. Annual Briefing
   D. Terminal Briefing
III. DISCLOSURE OF CAA CBI
   A. Overview
   B. Disclosure To Other Federal, State or Local Agencies
      1. Non-disclosure Agreement
      2. Notice to Affected Businesses
      3. Before Approval
      4. Before Disclosure
   C. Disclosure To EPA Contractors and Subcontractors
   D. Discussing CBI On The Telephone
      1. Telephone Memorandums
      2. Telephone Calls with Providing Organizations
   E. CAA CBI Disclosed At Meetings
      1. Access
      2. Chairperson's Duties
      3. Chairperson's Limitations
      4. Notes or Recordings
      5. Safeguarding
      6. Controls
IV. CATEGORIES OF CAA CBI
   A. Overview
   B. Original CBI
   C. Derivative CBI
V. CAA CBI MARKINGS
   A. Overview
   B. CBI Stamps
   C. Computer Output
   D. Special Categories of Materials
      1. Charts, Maps, and Drawings
      2. Photographs, Films, and Recordings
      3. CAA CBI Waste
VI. ACCESS TO SPECIFIC CAA CBI
   A. Overview
   B. General Access Requirements
   C. Employee Access
      1. Procedures
      2. Authorized Access List
   D. Withdrawal of Clearance
      1. Periodic Review
      2. Removal From Access
   E. Contractor Access
      1. Prerequisite
      2. Conditions
      3. Obtaining Approval
      4. Security Plan
      5. Contractor DCO/DCA Requirement
      6. Completion of Contracts
      7. Authorized Access Lists
      8. Withdrawal of Access
VII. RECORDS MANAGEMENT FOR CAA CBI
   A. Overview
   B. Intent
   C. CAA CBI Records Management System
      1. Automated Database
      2. CAA CBI Control Record
      3. Cover Sheets
      4. Custody Receipts
      5. Pending Log
      6. Inventory
   D. Obtaining CBI Documents
   E. CAA CBI Document Control Numbers
   F. Creating CBI Documents
      1. Working Papers
      2. Use in Meetings
      3. Typing/Word Processing Requirements
   G. Creating Non-CBI Documents
      1. Masking or Aggregating CBI
      2. Dropped Claim to CBI
      3. Determining Claim to Validity
   H. Reproduction
      1. CBI Material
      2. Equipment
      3. Broken Equipment
   I. CDCO Record Management Responsibilities
      1. CAA CBI Control Numbers
      2. CAA CBI Inventories
      3. Reproduction
VIII. TRANSFERRING CUSTODY
   A. Overview
   B. Transferring CAA CBI To EPA Contractors and Providing Plants/Facilities
   C. Transferring CAA CBI from Contractors to OAQPS
   D. Transferring CAA CBI to Government Agencies Outside OAQPS
   E. Confidential Business Information Security Agreement
   F. Preparation and Packaging
      1. Inner and Outer Covers
      2. Addressing
      3. Packaging
   G. Custody Receipt
   H. Transfer Methods
      1. Hand Carrying
      2. Registered Mail
      3. Couriers and Express Mail
IX. STORAGE OF CAA CBI
   A. Overview
   B. Intent
   C. Storage Equipment Specifications
   D. Procedures for Lock Combinations
      1. Changing Combinations
      2. Granting Access To Combinations
   E. Evacuation Procedures
   F. Safeguarding CAA CBI in the Event of a Disaster
      1. Prevention
      2. Preparedness
      3. Response
X. CAA CBI COMPUTER SECURITY
   A. Overview
   B. Directives
   C. Basic Security Requirement
      1. Security Mode
      2. Authenticity and Verification
      3. Remote Operation
      4. Users Requirements
      5. Visitors
   D. CBI Computer Room
   E. Safeguarding CBI During Computer Use
      1. Computer Storage Media
      2. Terminating a CBI Computer Session
      3. Use of a Printer
   F. System Security Software for Multi-User System
      1. User Authority
      2. Event Record
   G. General Procedures
      1. Checkout
      2. User Privileges
      3. CBI Computer Room DCA
      4. Back-up Files
      5. Transmission
   H. Destruction and Release of Data Media
      1. Magnetic Storage
      2. Rigid Magnetic Storage Media
   I. Security Plan
   J. Risk Analyses
XI. DISPOSAL AND DESTRUCTION
   A. Overview
   B. Intent
   C. Notice of Intent to Destroy
   D. Original CBI
   E. Derivative CBI
   F. CBI Waste
   G. Records of Destruction
   F. Methods of Destruction
XII. CAA CBI SECURITY VIOLATIONS
   A. Overview
   B. Responsibility of Discoverer
   C. Violations of this Manual
   D. Preliminary Inquiry
   E. Investigation
   F. Reports and Findings
      1. Finding of No Damage
      2. Lost Documents
      3. Compromise
      4. Finding of Damage
   G. Resulting Actions
      1. Violations Subject to Punitive Measures
      2. Punitive Measures
XIII. CAA CBI DEFINITIONS
XIV. GLOSSARY OF ACRONYMS
XV. APPENDICES
SECTION I.
PURPOSE, SCOPE, AUTHORITY & RESPONSIBILITY
A. PURPOSE
The procedures in this manual provide Federal,
contractor, and subcontractor employees with the information
necessary to utilize Confidential Business Information to
perform their assigned duties without violating applicable
Federal regulations protecting the rights of its owners.
The purpose of this manual is to set forth policies and
procedures for Federal, contractor, and subcontractor employees
to follow in the handling of information claimed as Confidential
Business Information (CBI), obtained under Section 114 of the
Clean Air Act (CAA), and governed by U.S. Environmental
Protection Agency (EPA) regulations at 40 Code of Federal
Regulations (CFR), Part 2, Subpart B, and other EPA regulations
and policies. CBI collected under the authority of other
environmental legislation is managed according to similar
applicable procedures.
The need to safeguard CBI cannot be overstated. Valid and
secure CBI procedures are essential to EPA's decisionmaking and
therefore to effective safeguarding of the environment.
Any compromise to CBI threatens not only the
businesses providing data, but also EPA's ability to make,
implement and enforce environmental policy, and ultimately, the
communities that benefit from that policy. Therefore, OAQPS has
designed and implemented a four-pronged security system to ensure
protection of CAA CBI and at the same time permit effective
operations of the OAQPS CBI Office. The CAA CBI security system
consists of controlled access, document tracking, training, and
monitoring of CAA CBI operations.
B. SCOPE
This manual sets forth policies and procedures to manage and
safeguard CAA CBI. Unless otherwise noted, the phrase
"Confidential Business Information" (or "CBI") refers to Clean Air
Act Confidential Business Information only.
C. AUTHORITY
The policies and procedures found in this manual provide
guidance for compliance with the following Federal statutes and
regulations:
Clean Air Act
40 CFR, Part 2, Subpart B
Freedom of Information Act
Privacy Act
D. RESPONSIBLE OFFICIALS
The responsibilities of OAQPS officials and personnel
concerning CAA CBI are outlined below.
1. Director, OAQPS
The OAQPS Director or his designee has overall
responsibility for controlling CAA CBI within the Office. The
Director or Acting Director may delegate his/her authority to
perform security control functions.
2. Director, Emission Standards Division
The Director, Emission Standards Division (ESD), has
been delegated authority to direct and administer the CAA CBI
program for OAQPS. In performing these duties, the Director has
authority for setting policies, standards, and procedures that
ensure compliance with the laws and regulations described in
I.C., Authority. The Director provides oversight, a security
education program, and a security assurance program for effective
implementation of the CAA CBI program. The Director must
authorize the transfer of CAA CBI outside OAQPS including other
Federal or State governmental agencies. Initial authorization to
transfer CAA CBI to a contractor is granted when the Director
approves a Request for Approval of Contractor Access to CAA CBI.
Approval of contractor employee access to specific CAA CBI
documents is delegated to the Group Leaders.
3. OAQPS Program Project Officers
The responsibilities of the respective program project officers
(POs) are as follows:
Notifies the OAQPS Document Control Officer when
a contract will require CAA CBI access and
serves as an interface between the OAQPS DCO, WAMs
and the EPA Contracting Officer;
Issues notification to the affected businesses
via Federal Register notice at the start of a
contract by identifying the contractor or
subcontractor who will have access to CAA CBI
submitted to OAQPS in performing their assigned
duties;
Assists Work Assignment Managers (WAMs) in
preparing individual notification to affected
businesses or industries on an as-needed basis;
and
Ensures compliance with all CBI procedures set
forth in the applicable contract.
4. OAQPS Document Control Officer
The OAQPS Document Control Officer (DCO) is directly
responsible to the ESD Director for implementing the CAA CBI
program. The OAQPS DCO monitors the activities of the CBI Office
and provides guidance and technical direction as needed. The
following are responsibilities of the OAQPS DCO:
Ensures that OAQPS security procedures for
handling CAA CBI are continually reviewed,
updated, and enforced;
Ensures compliance with the security education
program and security assurance program;
Reviews security plans and provides for inspection
of security facilities and procedures of EPA
contractors storing CAA CBI files;
Reviews contractor employee CAA CBI security,
education and training programs;
Reviews CAA CBI access requests for contractors
and other Federal/State and Local agencies. (The
ESD Director must approve requests for all initial
contractor access);
Evaluates proposed system improvements;
Promptly conducts preliminary inquiries and
investigations of alleged procedural violations
and reports findings to the ESD Director; and
Advises the ESD Director concerning appropriate
actions for CAA CBI security violations.
5. OAQPS Document Control Assistants
Document Control Assistants (DCA) are employees of
OAQPS in locations other than the Office of the Director, ESD, who
are charged with implementing the OAQPS CBI program at their
location. The OAQPS DCO/CBI Manager oversees their activities and
provides guidance and technical direction as needed.
6. OAQPS CBI Manager
The CBI Office maintains "custody" of CAA CBI at all times
even when being accessed by authorized individuals. Custody of
CAA CBI may only be transferred from one CBI Office to
another.
The CBI Office (CBIO) within OAQPS, managed by the OAQPS CBI
Manager, acting under the technical direction of the OAQPS DCO,
is responsible for the following:
Signs receipts for CAA CBI arriving and departing
OAQPS;
Reviews documentation of all CAA CBI being
transmitted from OAQPS;
Transmits CAA CBI to contractor upon the request
of the Work Assignment Manager or the responsible
Group Leader;
Declassifies or destroys CAA CBI material after
receipt of authorization from the Office of
General Counsel (OGC), the owner, work assignment
manager (WAM), or after the CBI has served its
purposes;
Briefs and debriefs all persons designated by
Group Leaders as requiring access to CAA CBI.
Keeps an Authorized Access List of persons cleared
for CAA CBI access and a record of each person's
briefing status;
Assigns CBI control numbers, attaches Control
Records and applies markings, when applicable, to
all new CAA CBI documents and reproduces documents
as required;
Establishes, maintains, and controls an automated
CAA CBI file system. Logs in and out all CAA CBI
documents. Conducts periodic inventories of all
CBI documents;
Maintains a tracking system to ensure that CBI
transmitted to other organizations is received;
Prepares CBI for mailing to other Federal
agencies, plants or facilities, and contractors
when authorized and maintains records of all such
actions;
Reports cases of procedure violations and alleged
wrongful disclosures immediately to the OAQPS DCO,
and provides guidance, technical assistance, and
administrative support on all matters concerning
CBI security;
Locks CBI in appropriate containers whenever the
information is not in use or under the supervision
of cleared authorities;
Ensures at the end of each day that all classified
materials used during the day have been returned
to the CBIO and are properly stored; and
Monitors support staff providing clerical
assistance to the CBIO.
7. OAQPS Group Leaders
Group Leaders are responsible for ensuring that their
employees and contractors comply with the procedures listed in
this manual. Group Leaders are responsible for the following
functions:
Designates EPA and contractor employees who need
access to specific CBI associated with each
project. This responsibility may not be
delegated, and authorizations made by formerly
responsible Group Leaders will remain in effect
until access lists are reviewed and updated;
Ensures that Group employees and other persons
whom they designate are qualified and authorized
to access CBI utilizing procedures found in
Section II-C;
Authorizes transfer of CAA CBI to providing
companies, facilities or contractors. The
authority to transfer CAA CBI to all other outside
organizations is reserved for the ESD Director;
Ensures that any CBI the Group receives directly
is sent immediately to the OAQPS CBI Office;
Recommends to the ESD Director whether to release
CBI to Congress, the Comptroller General, or
other Federal agencies and ensures that releases
are in accordance with Section 2.209 of 40 CFR,
Part 2;
Ensures that CBI is not used in publications or
improperly released in any documents;
Authorizes necessary creation (by summarization
and masking) of non-CBI materials from CBI and
reviews and approves those non-CBI materials prior to
their release;
Cooperates with the OAQPS DCO in establishing and
improving CBI safeguards, and implementing and
maintaining CBI education and quality within their
Groups; and
Reports cases of CBI disclosures or possible
compromise to the OAQPS DCO and cooperates with
investigations conducted under the OAQPS CAA CBI
program.
8. OAQPS Work Assignment Managers (WAMs)
The OAQPS Work Assignment Manager has primary
responsibility for ensuring that his/her contractors maintain
control over project related CAA CBI and adhere to prescribed
procedures.
OAQPS Work Assignment Managers are responsible for the
following:
Ensures that contractors and EPA employees working
on his/her project comply with procedures in this
manual and CBI procedures set forth in the
applicable contract for CAA CBI related to his/her
project;
Analyzes technical aspects of all project work
written or otherwise created and determines whether
CBI is involved and, if so, has it logged by the
CBI Office;
Ensures that necessary paperwork is submitted in
accordance with 40 CFR, Part 2, Subpart B to
enable Office of General Counsel (OGC) to make a
final determination as to whether information that
has been received is entitled to confidential
treatment;
Authorizes necessary reproduction of CBI and
ensures that CBI is reproduced only under the
supervision of the CBI Manager as described in
Section III-H;
Ensures that memos, notes and reports from
telephone conversations, visits, inspections, or
tests are protected as CBI and filed in the CBI
Office until a determination is made regarding the
status;
Ensures that CBI is not used in publications or
improperly released in any document;
Initiates the process for destruction and disposal
of CBI material;
Ensures that CBI to be transferred or mailed is
processed by the CBIO for wrapping and
disposition;
Ensures that any CBI received associated with
his/her project is logged by the OAQPS CBI Office;
Authorizes Contractor to return CAA CBI files to
the OAQPS CBIO when the information is no longer
needed and determines disposition of returned
files; and
Reports cases of wrongful disclosure or possible
compromise of CAA CBI to appropriate Group Leader,
OAQPS DCO or CBI Manager and cooperates with
investigations conducted under the CAA CBI
security program.
9. Employees
Contractor/subcontractor and Federal, State and Local
employees are responsible for the following:
Complies with all applicable procedures in this
manual;
Complies with all CBI procedures set forth in the
applicable contract;
Maintains possession of CBI until returned to the
CBIO;
Stores CAA CBI in the CBIO only;
Discusses CBI only with authorized persons;
Ensures that any CBI received directly is sent
immediately to the OAQPS CBIO for storage and
proper logging;
Ensures that CBI is not used in publications or
improperly released in any document;
Reports alleged violations of security procedures
to the CBIO immediately;
Ensures that memos, notes, and reports concerning
CBI obtained from telephone conversations, visits,
inspections, inquiries, or tests are protected as
CBI and filed in the CBIO.
10. Contractor Document Control Officers
Contractor's management must nominate a Contractor
Document Control Officer (CDCO) and a Contractor Document Control
Assistant (CDCA) approved by OAQPS. The CDCO controls the
receipt, storage, and handling of CAA CBI by employees in their
facilities and manages a document tracking system.
a. CDCO responsibilities include:
Serves as the principal contact for OAQPS
regarding the security and control of CAA CBI;
Provides security plan for safeguarding CAA CBI;
Maintains a secure CBI facility;
Conducts CAA CBI briefings (including testing) for
persons designated by the OAQPS Group Leader as
having a need-to-know specific CAA CBI to perform
their work.
Obtains signed Authorization for Access to CAA CBI
for Contractor Employees, CAA CBI Form 3 (Appendix
B) from each contractor employee who will have
access to CAA CBI before the employee is granted
access. The original of this completed form shall
be forwarded to the OAQPS CBI Manager.
Conducts annual briefings and testing in support
of the CAA CBI education and training program.
Inspects facilities and reviews CAA CBI procedures
of subcontractors and obtains OAQPS's approval.
The OAQPS DCO shall accompany the CDCO on
inspections.
Maintains a list of contractor employees who are
authorized access to specific CAA CBI, including
those authorized for computer access, and
releases CAA CBI only to those employees.
Reviews and updates access lists continuously of
employees with a need-to-know specific CAA CBI;
and notifies OAQPS CBI Manager immediately of any
changes;
Provides guidance, technical assistance and
administrative support to contractor employees on
all matters concerning CBI security;
Establishes, maintains, and controls a CAA CBI
file system (including disposition) in compliance
with OAQPS' CAA CBI Records Management System;
Logs in and out all CAA CBI documents, summaries,
tabulations, and materials to users;
Maintains a CAA CBI document retrieval system;
Releases CAA CBI only to employees authorized
access;
Ensures all CAA CBI is properly stored when not in
use;
Ensures CAA CBI is properly wrapped and
dispatched;
Maintains an inventory of all CAA CBI, conducts
periodic audits, and submits inventory annually to
OAQPS CBI Manager;
Destroys drafts and working papers;
Maintains in a secure location a record of
combinations of all locks, safes, and cabinets
that contain CAA CBI, and ensures combinations are
changed annually, or whenever anyone who knows the
combination terminates or transfers employment;
Reports alleged violations of contractor security
procedures immediately to contractor management
and the OAQPS DCO; and
Obtains a signed Confidential Agreement for
Contractor Employees Upon Relinquishing CAA CBI
Access Authority, CAA CBI Form 5 (Appendix B) for
any employee who terminates employment or
transfers to a position not requiring access to
CAA CBI. One copy of this completed form shall be
forwarded to the OAQPS CBI Manager.
Whenever CDCOs terminate their employment or relinquish
their responsibilities, an inventory of CAA CBI materials must
be performed within 30 days of their departure.
b. Contractor Document Control Assistant
The Contractor Document Control Assistant (CDCA) will
perform the aforementioned CDCO responsibilities in the absence
of the CDCO.
SECTION II.
EDUCATION AND TRAINING
A. OVERVIEW
The Confidential Business Information (CBI) education and
training program is conducted by the OAQPS CBI Manager under the
direction of the OAQPS DCO. Group Leaders and contractor
management must arrange for employees to be available for
briefings in support of the CBI program. Designated employees
must meet all requirements of the program to obtain and maintain
access to CAA CBI.
B. INITIAL BRIEFING
All access designees shall:
1. read this manual;
2. receive a briefing on the responsibilities and
procedures for proper handling of CAA CBI; and
3. pass a competency test at the end of the briefing.
After receiving the briefing and passing the competency test,
each employee will sign an Authorization for Access to CAA CBI
for Federal Employees, CAA CBI Form 2 or CAA CBI Form 3 for
contractors (Appendix A). Employees may then be approved for
access to specific CAA CBI and their name placed on the
authorized project access list.
C. ANNUAL BRIEFING
Federal and contractor employees approved for CAA CBI access
must maintain their access authority by attending an annual
security briefing and passing a written test. Annual briefings
will be given in the month of the employee's initial access.
Employees who fail to attend their last annual briefing will be
given an opportunity to attend other scheduled briefings. If
they fail to attend a makeup session within 3 months of expired
access, their names will be removed from the OAQPS CAA CBI
Authorized Access List.
The OAQPS CBI Office will notify the Group Leader of the
suspension. If the employee fails to attend the next scheduled
briefing within 30 days of the suspension notice, the employee
must relinquish authorized access to CAA CBI. The employee must
return all CBI materials which they may have in their possession
to the CBI Office and sign a Confidential Agreement for U.S.
Employees Upon Relinquishing CAA CBI Access Authority, CAA CBI
Form 4 (Appendix C) or CAA CBI Form 5 for contractors (Appendix
B). If access to CAA CBI is relinquished, the Group Leader must
renominate the employee to access CAA CBI, direct the employee to
attend a briefing, and obtain authorization to access CAA CBI by
completing CAA Form 2.
D. TERMINAL BRIEFING
All employees who have been granted access to CAA CBI shall
receive a terminal briefing and sign a Confidential Agreement for
U.S. Employees Upon Relinquishing CAA CBI Access Authority, CAA
CBI Form 4 or CAA CBI Form 5 (contractors) when they terminate
their employment or transfer to a position in which CAA CBI
access is not required.
SECTION III.
DISCLOSURE OF CAA CBI
A. OVERVIEW
This section discusses minimum procedures required to ensure
the security of Confidential Business Information (CBI) during
authorized disclosures.
The holder of CAA CBI (the person authorized access to
specific CBI) is responsible for protecting it from persons
not authorized access to it. CAA CBI shall not be left
unattended; and when work with CBI materials is completed or
suspended, all materials containing CAA CBI (originals,
drafts, memos, and notes) shall be taken to the CBI Office for
storage. Holders of CAA CBI shall not allow unauthorized
persons to view CAA CBI materials nor shall holders discuss
CAA CBI with persons not authorized access to it.
B. DISCLOSURE TO OTHER FEDERAL, STATE OR LOCAL AGENCIES
EPA regulations at 40 CFR Part 2 allow disclosure of CBI to
another Federal or State agency in either of two circumstances:
When the official purpose for which the information is
needed by the other agency is in connection with its
duties under any law for protection of health or the
environment or for specific law enforcement purposes;
or
When disclosure is necessary to enable the other agency
to perform a function on behalf of EPA.
In either circumstance, the ESD Director must be notified
immediately via the OAQPS DCO upon receipt of a request for
documents or information requiring access to CAA CBI. In
addition, the procedures described below must be followed before
CAA CBI may be disclosed to other agencies. These procedures do
not apply to disclosure of CAA CBI to individual employees of
other agencies performing functions on behalf of OAQPS where
access is confined to OAQPS premises.
EPA may disclose CAA CBI to other Federal, State or Local
agencies upon written request from the agency. Because of
the time needed for processing, the written request should
normally be directed to the ESD Director at least 30 days prior
to the time access is needed. The request must be signed by an
official of the other agency who is at least equivalent in
authority to an ESD Director. It should state specifically the
information to which access is requested. The official purpose
for which the CAA CBI is needed should be set forth in detail as
well as any other pertinent information, such as previous efforts
to obtain the information. The need must be in connection with
the agency's duties under a law for the protection of public
health or the environment or for a specific law enforcement
purpose.
CAA CBI may be given to States or Local agencies with the
written permission of the submitter. Also, it may be possible to
aggregate data or sanitize documents containing CAA CBI without
disclosing information claimed as CBI.
NOTE: TSCA and FIFRA CBI maintained in OAQPS (by OAQPS) may
not be disclosed to States.
1. Non-disclosure Agreement
In addition, as part of its written request, the other
agency must agree in writing (Appendix L) not to disclose further
any information designated as confidential unless it meets the
following conditions:
It has statutory authority both to compel production of
the information and to make the proposed disclosure
and, prior to the disclosure, it has furnished affected
business with at least the same notice that EPA would
provide under its regulations;
It has obtained the consent of each affected business
to the proposed disclosure; and
It has obtained a written statement from the EPA Office
of General Counsel or an EPA Regional Counsel that
disclosure of the information would be proper under
EPA's regulations.
2. Notice to Affected Businesses
When disclosure is requested by another agency, OAQPS
must give the affected businesses at least 10 calendar days'
notice before granting access to the other agency. Notice to the
affected businesses may be given by FEDERAL REGISTER notice,
registered mail (return receipt requested), or telegram. The
notice is usually prepared by the Project Officer at the
beginning of a contract and must include:
The identity of the agency to which CBI is to be
disclosed;
The official purpose for the access;
Whether access is authorized only on EPA premises or
also at the other agency's facilities;
A non-confidential description of the specific
information to be disclosed; and
The period of time for which access to the CBI is
authorized.
3. Before Approval
The ESD Director will notify the requesting official of
the other agency acknowledging receipt of the written request and
will issue the required notice to affected businesses. The ESD
Director will also notify the requesting official from the other
agency if approval is not granted.
4. Before Disclosure
Before CAA CBI may be disclosed, the ESD Director must
notify the other agency that the information being disclosed is
classified as CAA CBI, that it was acquired under authority of
the CAA, and that any unauthorized disclosure of the information
may subject employees of the other agency to criminal penalties.
C. DISCLOSURE TO EPA CONTRACTORS AND SUBCONTRACTORS
EPA's regulations (40 CFR, Part 2) allow disclosure of CAA
CBI to contractors and subcontractors when disclosure is
necessary to enable the contractor to perform work on a contract.
Notice to affected businesses must be given before CAA CBI is
disclosed to the contractor with the same requirements as
indicated above.
D. DISCUSSING CBI ON THE TELEPHONE
Federal and contractor employees with CAA CBI access may
discuss CAA CBI on the telephone with other individuals who are
authorized access to the specific CBI. However, caution must be
used because interception of telephone communications is an easy
means by which unauthorized persons may obtain CBI.
Each party to a telephone call is responsible for verifying
that the other is authorized access to the specific CAA CBI to be
discussed. Access authority can be confirmed by referring to the
CAA CBI Authorized Project Access List. The individual who
initiates a discussion that is to include CAA CBI must indicate
that the conversation will involve specific CBI. Interoffice
communication systems (i.e., speaker phones) should not be used
to discuss CAA CBI if conversations may be overheard by
unauthorized persons.
1. Telephone Memorandums
Federal and contractor employees shall complete a
telephone memorandum, Memorandum of CAA CBI Telephone
Conversation, CAA CBI Form 6 (Appendix C) for all telephone calls
in which CAA CBI is discussed. Telephone memorandums must be
submitted to the CBI Office for filing on the day of the call or
the following workday if the call was made after 4:00 p.m.
2. Telephone Calls With Providing Organizations
OAQPS employees, contractors and subcontractors may
discuss CAA CBI from a providing organization with an employee of
that organization. Before discussion begins, the employees must:
Verify the identity of the providing organization's
employee with whom they are speaking;
Inform the providing organization's employee that the
telephone lines are not secured;
Assure the providing organization's employee that a
telephone discussion of CAA CBI with a Federal or
contractor employee does not constitute a waiver of any
claim of confidentiality; and
Inform the providing organization's employee that any
further information provided in the telephone
conversation can be claimed as confidential.
E. CAA CBI DISCLOSED AT MEETINGS
OAQPS offices or its contractors that host or convene any
meeting (conference, symposium, seminar, exhibit, convention,
scientific, or technical gathering) of two or more people, at
which CAA CBI is disclosed shall take appropriate security
measures. The OAQPS CBI Manager shall be informed that a meeting
is scheduled when CAA CBI materials must be reproduced for use at
the meeting. Requirements include, but are not limited to, those
listed below.
1. Access
All persons attending the meeting must be cleared for
access to the specific CBI being presented and be positively
identified before CBI is revealed. If non-OAQPS personnel are
present, the meeting chairperson must provide a CAA CBI Meeting
Sign-In Sheet, CAA CBI Form 7 (Appendix D) as a meeting record.
The following information shall be recorded: date, time, place,
chairperson, and subject. All persons attending the meeting must
sign this sheet. All sign-in sheets shall be delivered to the
CBI Office by the close of the next business day after the
meeting.
2. Chairperson's Duties
The meeting chairperson is usually the person who
schedules and organizes the meeting. The chairperson is
responsible for ensuring (by referring to the specific CAA CBI
Authorized Access Lists) that only persons authorized access to
the specific CBI to be discussed at the meeting are in attendance
when the discussion involves CBI. Non-cleared attendees must be
excused from the meeting by the chairperson before CAA CBI is
discussed. The chairperson must also ensure that the meeting
room is cleared of all CAA CBI materials after the meeting.
3. Chairperson's Limitations
Work Assignment Managers shall inform the chairperson
of any restrictions that must be imposed on a presentation
because of the CAA CBI or of need-to-know restrictions on certain
members of the audience. The chairperson is responsible for
seeking that information, and for keeping disclosures within the
limits prescribed.
4. Notes or Recordings
The meeting chairperson must remind those in attendance
of their duty to treat as confidential any notes or recordings
taken at the meeting and submit them to the CBIO for storage
until the CBI status of the material can be determined.
5. Safeguarding
Notes, minutes, summaries, recordings, proceedings, and
reports on the CAA CBI classified portions of the meeting must be
safeguarded and controlled throughout the meeting. Any CAA CBI
material generated or received as a result of the meeting, as
appropriate, shall be forwarded to attendees by an approved means
of transfer and when the meeting ends rather than being
hand-carried by attendees from the meeting site.
6. Controls
Physical and technical security controls shall be
established to control access. The meeting room shall be cleared
of all CAA CBI materials after the meeting. This includes
cleaning all chalkboards, returning any unneeded CAA CBI
materials to the CBI Office for destruction, and ensuring that
nothing is left in the room that could lead to the unauthorized
disclosure of CAA CBI.
SECTION IV.
CATEGORIES OF CAA CBI
A. OVERVIEW
This section provides instructions on how Confidential
Business Information (CBI) is categorized.
B. ORIGINAL CBI
Original CAA CBI is generally obtained under Section 114 of
the Clean Air Act in two basic forms. It is usually received in
the form of a request response from a solicited business or from
a trip report submitted by an OAQPS employee or a contractor
employee after visiting a solicited business.
Because data-gathering visits, plant inspections, and source
testing can involve inadvertent receipt of CBI, it is the policy
of OAQPS to protect all parties involved. Prior to or at the
inception of a plant inspection, data-gathering visit, or source
test, OAQPS representatives discuss with the responsible industry
official the information sought, how it is to be used, and how it
is to be protected.
Following an inspection, visit, or test, a trip report is
prepared to include, as practicable, all information received by
OAQPS or its authorized representatives during the visit or test.
A copy of the report is forwarded by OAQPS to the responsible
industry official for review. The responsible industry official
is requested by cover letter to review the report, clearly mark
any information considered to be confidential, and return the
marked report within the specified timeframe. The original is
kept in the CBI Office with a "pending" disposition until the
marked copy is returned by the business firm. When the reviewed
copy of the report, as marked by the responsible plant official,
is received by OAQPS, information designated confidential is
placed in the OAQPS CAA CBI permanent inventory.
If the report is determined to be nonconfidential, the
business firm will so note or not respond by the requested date.
Therefore, the document is either sanitized and unneeded CAA CBI
is destroyed, or is returned to the business firm.
C. DERIVATIVE CBI
Derivative CBI is the result of incorporation, paraphrasing,
restating, or generating information from original CBI. Along
with the file or record copy of a newly created CBI document, the
OAQPS CBI Manager must keep a copy of the source document or
sufficient identifying information from the source document.
This information includes the originator's name and title and the
date received. The OAQPS WAM's name, title, and office must also
be shown on the new document.
NonCBI documents may be created from CAA CBI documents by
deleting, masking or aggregating the CBI so it cannot be linked
to its source. In all instances, the Group Leader must have
prior knowledge of the intent and must approve the final nonCBI
document.
SECTION V.
CAA CBI MARKINGS
A. OVERVIEW
This chapter explains how materials that have been claimed
as CAA CBI materials must be marked.
B. CBI STAMPS
Both original and derivative CAA CBI documents are stamped
on the first and last page "Subject to Confidentiality Claim."
See Appendix E for additional CAA CBI stamps or markings.
C. COMPUTER OUTPUT
Documents that are generated as computer output may be
marked automatically by systems software. If automatic marking
is not practicable, these documents must be marked manually.
Removable storage media and devices used with ADP systems,
typewriters, or word processing equipment shall bear both
external (affixed) and internal (software generated) CBI
markings. Documents produced by ADP equipment shall have at a
minimum their first page and their last page marked.
D. SPECIAL CATEGORIES OF MATERIALS
Markings are conspicuously stamped, printed, written or
affixed on classified material other than paper documents. If
this is not practicable, the containers of such material shall be
marked. The means by which material is marked varies according
to the physical characteristics of the material and
organizational and operational requirements.
1. Charts, Maps, and Drawings
The markings on charts, maps, and drawings are
inscribed both at the top and the bottom of each document. When
the document is unfolded, the classification marking shall be
clearly visible on each folded portion. The marking must also be
visible when the document is rolled or folded for storage.
2. Photographs, Films, and Recordings
Photographs must be marked as confidential. Their
containers are also marked. The markings on each transparency or
slide must be on the image and on the holder or frame.
Classified motion picture films and videotapes are marked at the
beginning and end with a clear statement of classification. The
containers or reels on which they are kept are also marked.
3. CAA CBI Waste
Such documents and materials as rejected copy, typewriter
ribbons, and carbons used in working with confidential
information shall be handled in such a way that the information
is adequately protected. Unless these documents and materials
are destroyed immediately, they must be marked. Section XI
gives instructions for disposal and destruction of CAA CBI.
SECTION VI.
ACCESS TO SPECIFIC CAA CBI
A. OVERVIEW
This section describes policies and procedures for allowing
access to Confidential Business Information (CBI) and for
dissemination of CAA CBI to EPA contractors.
No person has a right of access to CBI by virtue of
organizational title or position alone. A person must also have
a need-to-know specific CBI before access is granted. There is a
responsibility to the organization providing CAA CBI to protect
its information and a parallel responsibility of OAQPS employees
and contractors to minimize their liability.
C. FEDERAL EMPLOYEE ACCESS
Care in granting access to CBI is important in ensuring a
secure CBI system. A secure CBI system requires the continuous
updating of the employee Authorization Access List (AAL), ensuring
attendance of yearly briefings, and the continuous updating of the
specific Project AAL to reflect current employee work
assignments.
1. Procedures
Upon determining that an OAQPS employee needs access to
CAA CBI, Group Leaders nominate those employees for access by
having them sign an Authorization for Access to CAA CBI for
Federal Employees, CAA CBI Form 2 (Appendix A) and forward it to
the CBIO. The CBI Manager reviews and signs the form after
verification of attendance of a security briefing and passing of
the written test (as explained in Section II, Education and
Training). Forms are forwarded to the employees' Division
Director for signature approving access to CAA CBI for the
nominated employee. Approved forms are returned to the CBIO for
filing. See Figure 1 for steps in obtaining access to CAA CBI.
In addition, responsible Group Leaders must designate
employees who have a need-to-know specific CAA CBI in order to
access individual projects by submitting an authorization (memo)
to the CBI Manager (Figures 2 and 3). The authorization may
include EPA employees and contractor personnel who require access
to specific projects containing CBI.
Gaining Access to CAA CBI
GROUP LEADER NOMINATES Employee Needing Access
EMPLOYEE ATTENDS CBI Briefings
EMPLOYEE PASSES Written Test
EMPLOYEE SIGNS Confidentiality Agreement
DIRECTOR, ESD Approves Employee Access
GROUP LEADER DESIGNATES Access to Specific CBI
CBI OFFICE MAINTAINS Authorized Access Lists
Figure 1
EXAMPLE
MEMORANDUM
SUBJECT: Authorization for Access to CAA CBI Files
FROM: Group Leader
Specific Group, OAQPS, MD-13
TO: Melva Toomer, CBI Manager
OAQPS, MD-13
ESD Project Number and Title: 13/15 Silk NESHAP
11/11 Mineral Water NESHAP
Description of Material: Any material received as a result of developing the NESHAP for
the silk manufacturing industry or the mineral water production industry.
Please add the following individuals to the authorization access lists for these projects:
13/15; Jack Johnson, Southern Triangle Institute (STI)
John Clinton, GOB
Jackie Red, WIG
Sandy Whitehair, OLD
11/11; Joe Black, Nancy White, Lisa Blue
Bill Clinton, Newt Whathisname; (STI)
(name) Group Leader
(name) of Specific Group
Figure 2
EXAMPLE
MEMORANDUM
SUBJECT: Changes to CAA CBI Authorized Access List
FROM: Group Leader
OAQPS, ESD (MD-13)
TO: Melva Toomer,
OAQPS CBI Manager (MD-13)
Jack Redman has taken over the lead on the Polly and Crackers project
(CBI # ), which was previously managed by U. Know Who.
Please add Jack's name to the list of authorized users for the Polly and
Crackers confidential business information projects. At least for now, U.
Know Who should remain on the list for access.
Also, please remove the following individuals from the authorized
access list:
Jack Sprat, (XXX)
Jack Jones, (XXX)
Jill Smith, (XXX)
These people are from XXX and are no longer involved with this project.
Figure 3
** NOTE: Approval of CAA Form 2 does not automatically allow
access to all individual projects. **
Administrative support personnel, DCOs, DCAs,
CDCOs, CDCAs, etc. may obtain administrative access to CAA CBI to
provide typing, word processing, supervised reproduction,
courier, and document handling support of CAA CBI. This access
may be granted upon nomination, attendance of a briefing, and
passing the written test, and does not require designation by Group
Leaders to access specific CBI.
Federal or contractor employees who require on-line
access to a CBI computer system or database must also complete a
Computer Request, Approval, and Registration for CAA CBI Computer
Access, CAA CBI Form 10 (Appendix G). See Section X, CAA CBI
Computer Security.
Other EPA employees (outside of OAQPS), who have a
need-to-know specific CAA CBI may request OAQPS CAA CBI access
authority. An Authorization for Access to CAA CBI for Federal
Employees, CAA CBI Form 2 (Appendix A) must be requested from the
OAQPS CBIO, completed and returned. In addition to completion of
this form, the requested CAA CBI and the OAQPS WAM responsible
for that CBI must be identified. The WAM is responsible for
ensuring completion of this form, obtaining approval of the Group
Leader, and submission to the CBIO.
Upon receipt of CAA Form 2, approval by the Group
Leader and the requestor's management (equivalent to the ESD
Director or higher) and at the direction of the OAQPS DCO, a
Letter to the CBI requesters Outside OAQPS is prepared for the
ESD Director's signature (Appendix O). Also, a Confidential
Business Information Security Agreement, CAA CBI Form 15
(Appendix L) is included along with the letter being sent to the
requestor. After the signed security agreement is returned by
the requestor, a Letter to Accompany CAA CBI Transferred Outside
OAQPS (Appendix O) is prepared for the ESD Director's signature,
the WAM verifies CAA CBI to be transferred, and the CBIO will
properly package and transfer materials.
2. Authorized Access Lists
Upon receiving approval for access to CAA CBI, employee
names are placed on the OAQPS CAA CBI Authorized Access List.
When the Group Leader designates an employee for access to
specific CBI, the name is placed on the OAQPS Authorized Project
Access List. These access lists are used as a reference to
determine whether an individual is currently authorized to access
CAA CBI and what specific CBI they are authorized to access on a
need-to-know basis.
The CBI Manager provides Group Leaders with both access
lists on a regular basis to determine whether any names of
employees within their jurisdiction should be added or deleted.
Group Leaders confirm the names listed or make appropriate
changes if assignments are shifted or employment terminated and
return the list to the CBI Office to use in updating the
"official" OAQPS CAA CBI Authorized Access Lists.
D. WITHDRAWAL OF CLEARANCE
CAA CBI clearances are withdrawn as a result of a Federal or
contractor employee no longer having a need to access CAA CBI.
1. Periodic Review
All CAA CBI accesses will be reviewed periodically to
minimize the number of people authorized access. A Group Leader
may determine that a currently cleared Federal or contractor
employee no longer requires access to specific CAA CBI for the
performance of official duties and obligations. Should that
happen, access is withdrawn.
2. Removal From Access
The names of employees who no longer need access to CBI
are removed from the CAA CBI Authorized Access Lists. Access is
terminated under the following circumstances:
termination of employment;
termination of duties requiring access to CBI; and
failure to attend the yearly briefing and pass the
written test explained in Section X, Education and
Training.
E. CONTRACTOR EMPLOYEE ACCESS
1. Prerequisite
The respective program Project Officers shall notify the
OAQPS Document Control Officer immediately upon determining that
a prospective contract may require that the contractor be granted
access to CAA CBI. The following information must be furnished:
The name of the prospective contractor and the
location of the contractor's facility.
A copy of the statement of work.
Whether the facility is to receive and store CBI
under the contract.
2. Conditions
Contractors may not receive access to CAA CBI until the
contractor meets the following conditions:
Obtain OAQPS approval for access to CAA CBI;
Prepare and have OAQPS approve a security plan;
Have the contractor site inspected and approved by
OAQPS;
Nominate and train a Contractor Document Control
Officer (CDCO) and a Contractor Document Control
Assistant (CDCA) acceptable to OAQPS; and
Obtain OAQPS approval from responsible Group
Leader for access to specific CAA CBI for each
contractor employee required to work with CAA CBI.
3. Obtaining Approval
When access to CAA CBI is necessary, the contractor
must complete a Request for Approval of Contractor Access to CAA
CBI, CAA CBI Form 11, (Appendix H). The form must explain the
reasons CAA CBI access is necessary under the contract. The
OAQPS WAM must forward the form and Contractor Information Sheet,
CAA CBI Form 11a, (Appendix H) to his/her Group Leader, who will
sign the form as the requesting official and forward it and the
information sheet to the OAQPS DCO for review. The OAQPS DCO
will then send the form and the information sheet to the ESD
Director for final approval.
After the above prerequisites and conditions for
contractor access have been met, the OAQPS WAM confers with
contractor officials to determine which projects and which
employees will require CAA CBI access. Upon receiving the
requirements for contractor employee access to CAA CBI, the CDCO
will have the designated employee(s) attend an initial briefing,
pass a written test, and sign an Authorization for Access to CAA
CBI for Contractor Employees, CAA CBI Form 3, (Appendix A).
Employees' names will then be placed on the OAQPS Authorized
Project Access List. Employees requiring access to computerized
CAA CBI must also complete a Request, Approval and Registration
for CAA CBI Computer Access, CAA CBI Form 10, (Appendix G). The
originals of these forms are also forwarded to the OAQPS CBI
Manager for the record. See Figure 4, Steps in Obtaining
Contractor Access to CAA CBI.
Steps in Obtaining Contractor Access to CAA CBI
Obtain Approval from Director ESD to access CAA CBI
Prepare an Adequate Security Plan
Pass OAQPS DCO Inspection of Site
Obtain Approval of Contractor Employees as CDCO and CDCA
CDCO Brief and Test Employees on Security Procedures
Obtain Approval for Individual to Access Specific CBI
Figure 4
4. Security Plan
The contractor must prepare and OAQPS must approve a
security plan for access to CAA CBI at a location away from the
OAQPS headquarters facilities. Security plans must describe
physical security mechanisms at the contractor's site and
procedures to be followed by employees when handling CAA CBI at
the site.
The procedures set forth and the OAQPS forms in the
appendices are intended to serve as guidelines for the
preparation of contractor security plans and need not be
incorporated verbatim in the plans. However, contractor security
plans must equal or surpass the security standards set forth in
this manual.
The following is an outline of a Security Plan.
CDCO responsibilities
Access procedures
Accountability system
Pending file system
CAA CBI storage
CAA CBI transfers
CAA CBI safeguards (including disaster prevention,
preparedness, and recovery plan)
Security violations
Education and training
Computer security (if applicable)
The OAQPS DCO is responsible for reviewing contractor
security plans, discussing any perceived deficiencies with the
OAQPS Project Officer (PO) and the contractor, and sending a
memorandum through the PO to the Contracting Officer either
approving or disapproving the security plan. In addition, the
OAQPS DCO must provide for inspection and approval of the
contractor's facilities before CAA CBI may be received. All
facilities authorized for CAA CBI access are inspected by OAQPS
on an annual basis. If, during an inspection, there are only
minor problems with the security plan, the OAQPS CBI Manager
Officer will work with the contractor to correct them. If there
are major deficiencies, the contractor may be given 30 days to
correct the deficiencies. The contractor shall conduct periodic
internal audits of its facilities, employees, and the CAA CBI
security system to ensure compliance with its security plan.
Records of such audits will be available upon request.
5. Contractor DCO/DCA Requirement
Prior to the commencement of access to CAA CBI,
contractor management must nominate contractor employees who will
serve as CDCO/CDCA and obtain approval by OAQPS. The CDCO/CDCA
must be trained in proper CAA CBI handling procedures prior to
being assigned to their positions. CAA CBI Security Manuals are
provided, and the CDCO/CDCA may attend a CAA CBI briefing offered
by the OAQPS CBI Manager. The requirement that a CDCO be
assigned before actual access may begin applies even if access to
CAA CBI under the contract is limited to the OAQPS headquarters
facilities. The CDCO serves as the liaison between OAQPS and the
contractor on issues relating to CAA CBI and plays important
roles in requesting and maintaining access authorization for
individual contractor employees and in handling CBI. The CDCA is
a back-up for the CDCO.
6. Completion of Contracts
Upon completion of the contract, the CDCO must
inventory all CBI materials and report the results to the OAQPS
CBI Manager. Within 30 days of contract completion, the
contractor must collect all CBI materials and document control
materials, including logs and control records (see Section VII)
and transfer them to the OAQPS CBI Manager. The OAQPS CBI
Manager will inventory the materials; the WAM will review the
materials, determine disposition, and initiate procedures for
destruction of unneeded CBI materials.
7. Authorized Access Lists
The contractor must maintain CAA CBI Authorized Access
Lists of the names of individuals with CAA CBI access and specific
project access authorization and submit an updated list to the
OAQPS CBI Manager monthly. The list is used to ensure only
individuals with CAA CBI access authority can obtain materials
from the CDCO.
8. Withdrawal of Access
When a contractor employee no longer requires access to
CAA CBI, the CDCO must have the employee sign a Confidential Agreement
for Contractor Employees Upon Relinquishing CAA CBI Access, CAA
CBI Form 5 (Appendix B), remove their name from the authorized
access list, and forward a copy of CAA CBI Form 5 to the OAQPS CBI
Manager.
A. OVERVIEW
This section describes how Confidential Business Information
(CBI) either originated by OAQPS or its contractors as derivative
CBI or received as original CBI is identified, protected, logged,
controlled, and managed.
When any OAQPS employee or contractor employee receives or
otherwise obtains materials containing or suspected of
containing CBI, they shall deliver those materials immediately
to the CBI office for proper logging and storage.
B. INTENT
The OAQPS CAA CBI Records Management System must be able to
trace the movement of CBI, identify the persons authorized access
to it, detect its misplacement and make prompt retrieval
possible. The OAQPS CAA CBI Records Management System ensures
these objectives are accomplished by maintaining authorized
access lists, assigning unique numerical identifiers (CBI control
numbers) to each document, maintaining an automated inventory of
all documents submitted/logged into the system, and by monitoring
the movement of CBI through manual or automated logs, records of
receipt, usage, and transmission. All material submitted to
OAQPS and all material generated at OAQPS containing information
claimed to be CBI are controlled through the OAQPS CAA CBI
Records Management System.
C. CAA CBI RECORDS MANAGEMENT SYSTEM
The foundation of the OAQPS CAA CBI Records Management
System includes the following basic items:
Automated database (all CBI re: TSCA, CWA, FIFRA, etc.)
Control Records (for each item in the system)
Custody Receipts (for transfer of material)
Cover Sheets (for document protection/identification)
Certificates of Destruction
Pending Log (for new material)
Inventory (by project, WAM, disposition, etc.)
Employee Authorized Access List
Project Authorized Access List
1. Automated Database
An automated database is used to record pertinent
information on CAA CBI materials filed in the CBI Office and
persons authorized to access specific CAA CBI, and contains the
following information.
Date received
Date of document
Number of copies
CBI control number
Project name
Document description
Provider identification
Transfer information
Destruction record
Authorized clearance access
Various reports may be generated on a routine basis or
when requested by management. They are:
Complete inventory of all CBI documents including
disposition (pending, permanent inventory,
destruction, declassification, etc.);
Listing by specific regulating Acts;
Listing by specific CBI projects;
Listing of documents assigned to individual WAMs;
and
Listings of authorized personnel (EPA and
contractors).
The CAA CBI database is continuously updated and allows
the CBI Manager to determine the disposition of documents,
retrieve documents in a timely manner, and to generate an
accurate up-to-date inventory on a monthly basis or when
requested.
2. CAA CBI Control Record
CAA CBI Control Record, CAA Form 1 (Appendix J) is
placed in each CAA CBI file as a permanent record of access. It
also provides the reproduction record, transfer information,
destruction record and any other pertinent information about the
document. The Control Record facilitates timely and accurate
accounting for CAA CBI material during the work day. Each user
of CAA CBI must sign and date the Control Record each time access
is granted.
The Control Record is extracted from the file and
retained by the OAQPS CBIO or contractor CBIO as a receipt for
the material while it is checked out. It is signed and dated by
the OAQPS CBI Manager or CDCO upon the return of the CAA CBI
material and filed in the appropriate folder with the material.
When a CAA CBI document is declassified or destroyed,
the CAA CBI Control Record must be retained for a period of
three years after the completion of a project or until the
specific CAA CBI project file has been reconciled.
3. Cover Sheets
A CAA CBI Cover Sheet, CAA Forms 8 and 9 (Appendix F),
is a yellow sheet of paper inscribed with a claim of
confidentiality and handling instructions. The Cover Sheet
conceals the front of each document and should not be removed.
4. Custody Receipts
CBI Custody Receipts are discussed in Section VIII,
Transferring CBI.
5. Pending Log
The CAA CBI Pending Log, CAA CBI Form 13 (Appendix I)
is used to account for all CBI materials upon initial receipt at
OAQPS pending a decision by the appropriate WAM. The WAM reviews
materials and removes nonCBI and, upon determining the accuracy
of information contained within and confirming the
confidentiality of that information, has the documents logged into
the OAQPS CAA CBI Inventory. WAMs are contacted every 30 days to
determine the status of materials stored as pending and to
solicit further instructions concerning the disposition of these
materials.
CDCOs shall contact their employees to determine the status
of materials with a pending disposition and solicit further
instructions concerning materials if there has been no action
within the preceding 30 days.
6. Inventory
The CAA CBI Inventory Log, CAA CBI Form 12
(Appendix I), is also maintained by the CBI Office. This
inventory must have an accurate nonCBI description of each
document. The Inventory Log includes the following information:
Date of document
CBI control number
Provider
Project name
Number of copies
Initials of the CBI Manager
Disposition
Inventory date
It identifies all CBI material for which OAQPS is
accountable. An inventory of CBI material is conducted at least
once a year, during which time each CBI file is reviewed and
purged of unneeded materials.
D. OBTAINING CBI DOCUMENTS
Employees and contractors who are authorized access to
specific CAA CBI may obtain CBI materials from the OAQPS CBI
Office from 7:30 a.m. - 12:00 noon and 1:00 p.m. - 4:30 p.m.,
Monday through Thursday, and Fridays 7:30 a.m. - 3:00 p.m. The
CBI Office must verify that the employee is authorized access to
the specific CBI that is requested. Employees must sign the CBI
Control Record upon receipt of the document and safeguard CBI
materials while in their possession. Employees must return the
CAA CBI materials to the CBI Office no later than 4:30 p.m.
Monday - Thursday, and 3:00 pm on Fridays. Any time an employee
relinquishes physical custody of the CAA CBI (lunch or at the end
of the day), he/she must obtain a release of responsibility for
the document by having the CBI Manager sign and date the
Control Record. (Direct transfer of CBI materials between
employees is not permitted). CBI materials may only be
transferred through CBI offices or DCOs.
E. CAA CBI DOCUMENT CONTROL NUMBERS
The CBI Office assigns an individual control number to each
CAA CBI document. The number consists of at least ten digits
(e.g., 94111-C02-09). The first five digits are the fiscal year
and project identification number: the first two numbers are the
fiscal year the document was initially received and the next three
numbers are assigned for each specific project (e.g., 94111); the
next three digits identify the responsible group and WAM (e.g.,
COS); and the last digits refer to the number of documents
submitted to the CBIO from the employee on the specific project.
The CBI control number is placed on the cover sheet, the first
page, and on the back of the last sheet or back cover of the
document. The number is also placed on the custody receipts for
identification purposes.
F. CREATING CBI DOCUMENTS
Documents and other materials generated by OAQPS or its
contractors that use information from CBI documents frequently
become CBI themselves.
1. Working Papers
Newly created CBI is at first in the form of working
papers pending the creation of new CBI documents. The category
of CAA CBI working papers includes materials such as notes and
outlines; initial drafts of documents; computations, drawings,
and diagrams; and pending documents. Working papers are stamped
as PENDING CBI, provided a CBI Control Record and Cover Sheet,
secured in the CBIO, and otherwise used and handled like any
other CBI document except that they will remain labeled with a
pending disposition until the WAM determines that they be logged
into the permanent CAA CBI Inventory or destroyed.
2. Use in Meetings
The author of a CAA CBI document may circulate copies of the
document at a meeting if the author:
Has the document reproduced in the OAQPS CBIO;
Attends the meeting and is present when the
document is discussed;
Collects all copies of the document at the end of
the meeting; and
Submits all copies of the document for destruction
to the OAQPS CBIO after the meeting.
The CBI Office must number the copies (i.e., 1 of 6, 2
of 6), number the pages, and ensure that every page of each copy
is returned at the end of the meeting. All other procedures for
general access and meetings (Section III-D and VI-B, CBI
Disclosed at Meetings General Requirements) must be followed when
CBI materials are circulated at meetings.
3. Typing/Word Processing Requirements
The author of a CAA CBI document may provide the
document to a typist who is authorized access to CAA CBI. The
typist must return to the author the newly typed materials and
the original draft when typing is completed. All materials used
in typing documents containing CAA CBI, including word processing
disks, ribbons, carbons, and waste paper must be treated as CBI
and submitted to the CBIO for storage or destruction.
The typist should not use the Local Area Network (LAN)
for preparation of CAA CBI documents. Documents are to be
prepared using the local version of the word processing program
on the personal computer vs. the LAN version. Data, reports,
etc., must be stored on a floppy diskette and submitted to the
CBIO for proper logging and storage.
G. CREATING NONCBI DOCUMENTS
Materials produced from CAA CBI need not be confidential.
Nonconfidential documents may be produced by deleting CBI from an
existing document or by masking or aggregating the CBI so that it
cannot be linked to its source. CBI can be replaced in a
document with nonCBI data or generic descriptive terms (data or
terms derived from CBI data but that are not themselves CBI).
NonCBI documents can also be created from information submitted
by a providing organization which drops its claim of
confidentiality, or for which EPA determines that the claim is
not valid. In all instances, the Group Leader is responsible for
ensuring that the document contains no CBI. Materials produced using CBI
must be treated as CBI until a determination is made by the Group
Leader or providing organization.
1. Masking or Aggregating CBI
Group Leaders must be consulted in advance by authors
who wish to produce nonconfidential documents by masking or
aggregating CBI. Group Leaders shall also review all submissions
of masked and aggregate material to ensure that no CBI is
exposed. The means of masking confidential data is the
responsibility of the Group Leader and the WAM.
2. Dropped Claim to CBI
If a providing organization relinquishes its claim of
confidentiality, the document author must obtain a written
statement from the provider before the information can be
released to the public.
3. Determining Claim to Validity
To determine that a claim of confidentiality is valid,
EPA's Office of General Counsel (OGC) or an EPA Regional Counsel,
where appropriate, must render a final determination pursuant to
40 CFR, Part 2, Subpart B. That determination is made based on a
review of the submitter's responses to substantiation questions.
If a claim is denied, the information may not be released for 30
days, during which time the providing organization may challenge
EPA's determination in a Federal District Court.
H. REPRODUCTION
This subsection details the procedures for controlling and
safeguarding CAA CBI reproduction or other copying.
There is a risk of losing control over CBI whenever it is
reproduced in hard copy and disseminated. Copying of CAA CBI
material is limited to the minimum extent possible.
1. CBI Material
Group Leaders or WAMs authorize the reproduction of CBI
materials. Only the CBI Manager is authorized to make
reproductions. The CBI Office enters additional copies of
documents into the OAQPS Records Management System and records
the distribution of reproduced copies.
2. Equipment
Copy machines must be dedicated solely to CBI document
reproduction while CBI documents are being copied, and the CBI
Manager must directly supervise the machine while the CBI
materials are being duplicated. Only persons authorized access
to the specific CAA CBI being copied may be present while CBI
materials are being reproduced. After copying is finished, the
operator must pass three blank copies through the machine to
ensure that any impressions on the image surfaces of the machine
have been erased.
3. Broken Equipment
If the equipment used for reproducing CAA CBI materials
has a malfunction while in use, the CBI Manager must inspect the
machine's paper path and image surface to retrieve any materials
containing CBI that are caught in the equipment before the repair
person is called.
J. CDCO RECORD MANAGEMENT RESPONSIBILITIES
Contractor DCOs must comply with the aforementioned
requirements of this manual to ensure adequate safeguarding and
handling of CAA CBI documents. The CDCO may use the sample CAA CBI
Forms or design its own in-house forms as long as the required OAQPS
information is available.
1. CAA CBI Control Numbers
CDCOs may implement an internal CAA CBI control
numbering system, but must cross-reference OAQPS CAA CBI Control
numbers on custody receipts, inventories, derivative CBI,
correspondence, etc. regarding specific CAA CBI.
2. CAA CBI Inventories
The CDCO must maintain an accurate nonCBI description of
each document in a CAA CBI inventory (see CAA CBI Form 12).
The CDCO shall conduct an inventory of all CAA CBI materials at
least once a year during which time each CAA CBI file is
reviewed. Any CAA CBI no longer needed must be returned to
OAQPS. An inventory of all CAA CBI files shall be submitted to
the OAQPS CBI Manager yearly.
3. Reproduction
Copying of CAA CBI by contractors is limited to working
papers, drafts of technical reports, drafts of trip reports,
meeting handouts, and similar temporary documents. Copying must
be done under the direction and guidance of the CDCO.
SECTION VIII.
TRANSFERRING CUSTODY
A. OVERVIEW
This section describes how custody of Confidential Business
Information (CBI) is transferred. Before a transfer is
initiated, the OAQPS CBI Manager or CDCO must verify the intended
recipient is authorized to access the specific CAA CBI to be
transferred.
B. TRANSFERRING CAA CBI TO EPA CONTRACTORS AND
PROVIDING PLANTS/FACILITIES
CAA CBI documents are transferred by the OAQPS CBI Manager
to contractor DCOs or authorized persons at the providing plant
or facility. A CAA CBI letter of transfer (Appendix S) shall be
prepared for the responsible Group Leader's signature to initiate
the process of transferring CAA CBI. The WAM or employee
delivers the letter of transfer along with the CAA CBI control
number or sufficient information identifying the specific CAA CBI
to be transferred to the CBIO. Upon review and approval, the
document will be properly transferred. A CAA CBI Custody
Receipt, CAA CBI Form 14 (Appendix K) is prepared in triplicate.
The letter of transfer, custody receipt (and one copy) are
enclosed with the transferred CAA CBI. The third copy of the
custody receipt is retained by the CBIO as a temporary record of
transfer until the signed original custody receipt is returned by
the recipient or a Domestic Return Receipt from the U.S. Postal
Service is returned acknowledging receipt of the documents.
A checklist for transferring CBI to a facility is as
follows:
WAM submits letter of transfer to Group Leader for
signature;
Letter of transfer and CAA CBI control number are
submitted to the CBI Office;
CBIO prepares the custody receipt, properly packages
CAA CBI including letter of transfer; and
CBI Office releases package to authorized contractor
employee or mails package via registered mail or
Federal Express.
Pending CAA CBI documents (draft reports, revisions,
telephone contact reports, etc.) are transferred to the
contractor at the WAM's request via Custody Receipt. A Letter
of Transfer signed by the Group Leader is not required.
CAA CBI is transferred from OAQPS to contractor and from
contractor to OAQPS. The Prime Contractor is responsible for
the transfer of CAA CBI to their designated subcontractors.
NOTE: The OAQPS CBI Office administratively handles all
transfers for OAQPS.
C. TRANSFERRING CAA CBI FROM CONTRACTORS TO OAQPS
CAA CBI to be transferred to OAQPS should be identified and
instructions given to the CDCO to return the material to the
OAQPS CBI Office. The material being transferred must be listed
on the CAA CBI Custody Receipt, CAA CBI Form 14 (including the
OAQPS CAA CBI control number). Under no circumstances will
contractors dispose of original CAA CBI materials that have been
logged into the OAQPS Records Management System in any way other
than returning them to the OAQPS CBI Office.
Direct transfer of CAA CBI materials between contractor
employees is not permitted. CAA CBI materials must be
transferred through the CDCO only.
D. TRANSFERRING CAA CBI TO GOVERNMENT AND STATE
AGENCIES OUTSIDE OF OAQPS
Upon receipt of a request for CAA CBI from a Government or
State entity outside OAQPS and after it is determined that
disclosure of the CAA CBI is allowed (Section III. B), a letter
to the requesting agency is prepared for signature by the ESD
Director to explain the procedures that must be followed prior to
release of the information requested. A sample Letter to CAA CBI
Requestors Outside of OAQPS is illustrated in Appendix O, and
included along with the letter shall be a Confidential Business
Information Security Agreement, CAA CBI Form 15 (Appendix L).
The agreement must be signed by the requesting agency official
equivalent or superior to the ESD Director. By signing this
agreement, the agency official agrees to safeguard CAA CBI in a
manner comparable with EPA's procedures as found in 40 CFR, Part
2, Subpart B.
When the signed agreement is returned, it shall be forwarded
to the OAQPS CBI Office along with a Letter to Accompany CAA CBI
Transferred Outside OAQPS (Appendix 0). This letter will
constitute direction to the OAQPS CBI Manager to transmit the CAA
CBI materials to the requestor. The CBI Office will send the
materials, the letter and the original and one copy of a CAA CBI
Custody Receipt, CAA CBI Form 14 (Appendix K) to the requestor.
The third copy of the custody receipt will be retained as a
temporary record of transfer until the signed original is
returned acknowledging receipt of materials.
E. CONFIDENTIAL BUSINESS INFORMATION SECURITY
AGREEMENT
A Confidential Business Information Security Agreement, CAA
CBI Form 15 (Appendix L) must be signed by an official of a
government entity requesting transfer of CAA CBI prior to
transfer of custody. This form requires the official of the
receiving agency to verify that the information will be
safeguarded utilizing procedures comparable to EPA's procedures
for handling CBI found in 40 CFR, Part 2, Subpart B.
F. PREPARATION AND PACKAGING
CAA CBI materials to be transferred will be packaged by the
CBI Office. The following guidelines set forth the procedures
for preparing and packaging CBI materials.
1. Inner and Outer Covers
Before CAA CBI may be transferred or hand carried out
of the OAQPS facility, the materials to be transferred must be
double wrapped with opaque paper. The inner cover must bear
markings that indicate the classification and instructions, "CBI
Confidential Business Information," and "To Be Opened by
Addressee Only." The outer cover shall not bear any
classification markings or other indication that CAA CBI
information is enclosed. Markings on the inner cover shall not
show through the outer cover.
2. Addressing
CAA CBI being transferred from the OAQPS CBI Office to
another facility or being returned from a facility to the CBI
Office shall bear the name of the sending and receiving DCOs only
in the addresses on the outer label. The person for whom the
material is intended is included in the address as an "Attention"
line on the inner envelope. The return address of the
transferor is required on both the inner and outer covers.
3. Packaging
Materials used in packaging CAA CBI must be strong and
durable enough to provide protection in transit and prevent items
from protruding through the covers. Upon receipt packages must
be inspected to ensure that the seals have not been broken.
G. CUSTODY RECEIPT
A CAA CBI Custody Receipt, CAA CBI Form 14 (Appendix K) is
included for all transfers of CAA CBI materials (two copies).
This form provides the previous holder of CAA CBI with proof of
accountability that the material was transferred and received.
The recipient signs and dates the custody receipt after verifying
all materials were received, forwards the original copy to the sender,
and retains the second copy for his/her records. The previous holder
retains the original copy as a record of the transfer. The third
copy is retained by the previous holder as a suspense copy until
the signed original is returned. (See Section VII. CAA CBI
Records Management for more information on accountability,
control records, and the CAA CBI control numbers.)
H. TRANSFER METHODS
CAA CBI may be transferred or transported by the following
methods:
Hand carried to another facility by an employee or
contractor employee who is authorized access to the CAA
CBI;
U.S. Postal Service registered mail (return receipt
requested), Express Mail; or
Private courier (Federal Express).
1. Hand Carrying
Appropriately cleared OAQPS employees may be authorized
to hand carry CAA CBI material between facilities (when
traveling) if the conditions outlined below are met.
Individuals authorized to carry CBI must contact the
CBI Office to be fully briefed on the provisions of
this Section before departing.
While traveling by plane or other public conveyance,
employees must keep CAA CBI materials in their
possession, and should not check them with their
luggage.
When employees travel with CAA CBI materials and are
unable to deliver or ship the CAA CBI materials to a
facility authorized to store CAA CBI, they may store
the materials for short periods inside the locked trunk
of a motor vehicle. CAA CBI materials may also be
stored overnight in hotel safes, if a receipt is
obtained from the hotel management. Otherwise, CAA CBI
materials must be kept in the possession of the
traveler.
The storage provisions for CAA CBI, detailed in Section
IX. Storage of CAA CBI, shall apply to all stops
en route to a destination. CAA CBI materials shall not
be unwrapped until the traveler's destination is
reached. If the materials are to be transferred to
someone at that location, they must immediately be
taken to the local DCO and logged into the local
Document Tracking System.
The CBI Office shall log out CAA CBI carried or
escorted by traveling personnel. CAA CBI must be
accounted for upon return by count and inspection of
materials or by inspection of receipts for materials,
if delivered.
2. Registered Mail
If CAA CBI material is to be mailed, it must be
prepared by the CBI Office for registered mail (return receipt
requested). Regular first class mail must never be used by
Federal employees to transfer CAA CBI.
3. Couriers and Express Mail
EPA and contractor employee couriers, commercial
couriers, and U.S. Postal Service Express Mail may be used in the
transmission of CAA CBI.
SECTION IX.
STORAGE OF CAA CBI
A. OVERVIEW
This section describes the minimum standards for the
physical safeguarding and storage of CAA Confidential Business
Information (CBI).
B. INTENT
Employees using CAA CBI material are responsible for
ensuring that no unauthorized disclosures of that information
occur. This means that employees must either maintain constant
control over the CAA CBI material in their possession or return
it to the CBI office.
C.
When not in use, CBI materials must be secured in approved
CAA CBI storage containers. The type of container approved for
CAA CBI storage is a metal file cabinet with bar hasp and three-
way, changeable combination lock.
"OPEN/CLOSED" magnetic signs shall be posted on each CAA CBI
Storage container to readily identify containers that are open or
locked, and to allow a visual spot check, and a check at the end of
the work day, to ensure containers are properly secured. Storage
containers must be located within a room dedicated to CBI
security. The room must have a lockable entrance secured by a
GSA approved, changeable combination Simplex lock. All CBI
storage containers and the entry door shall be locked during the
noon hour and at the end of each business day.
D. PROCEDURES FOR LOCK COMBINATIONS
Since all storage containers are secured by combination
locks, the matter of combinations is important.
1. Changing Combinations
Combinations to security equipment shall be changed
only by cleared personnel having that responsibility.
Combinations shall be changed only under these circumstances:
Whenever someone who knows the combination no longer
requires access;
In the event of suspected compromise of CAA CBI;
When deemed necessary by the custodians; or
At least once each year.
2. Granting Access to Combinations
Knowledge of combinations is limited to CBI Office
personnel and DCOs. Records of combinations must be protected as
though they were CAA CBI.
E. EVACUATION PROCEDURES
In the event of a fire or other emergency (e.g., natural
disaster or civil disturbance) requiring evacuation of office
spaces, CAA CBI shall be returned immediately to the OAQPS CBI
Office where it will be stored properly. Persons who are unable
to return CAA CBI material in their possession to the CBI Office
shall ensure that such material is safeguarded by covering it
from view and taking it with them. The employee must keep it
under personal observation at all times until it can be secured
in a facility approved for CBI storage.
F. SAFEGUARDING CAA CBI IN THE EVENT OF A DISASTER
A disaster plan is a little like insurance; we know we
should have it, it costs money, and we hope we never have to
use it!
A disaster plan is required by the Federal Emergency
Management Agency (FEMA) to ensure the safety of personnel and to
protect vital records. OAQPS and its contractors are required to
protect any records/documents affecting the legal and financial
rights of the Government and of the people affected by its
actions. The OAQPS CAA CBI Disaster plan has three components:
prevention, preparedness, and response.
1. Prevention
Procedural prevention relates to activities performed on a
day-to-day, month-to-month, or annual basis, relating to security
and recovery. It begins with assigning responsibility for
overall security of the organization to an individual with
adequate competence and authority to meet the challenges. The
objective of procedural prevention is to define activities
necessary to prevent various types of disasters and ensure that
these activities are performed regularly.
Physical prevention begins when a CAA CBI storage site is
identified or constructed. It includes special requirements for
room construction, as well as fire protection for various
equipment. Special considerations include: computers, fire
detection and extinguishing systems, record(s) protection, air
conditioning, heating and ventilation, electrical supply,
emergency procedures, and storage specifications to protect CAA
CBI records.
OAQPS DCO will conduct an annual site inspection of
the OAQPS CBIO to identify problem areas and foster
awareness of disaster prevention issues among the
staff.
Provide training for the CBI Office staff in records
management, protection, and how to respond to a
disaster.
2. Preparedness
OAQPS DCO will ensure that there are appropriate
supplies on hand to deal with immediate needs, and keep a current
list of suppliers of materials that are needed to handle
disasters. The OAQPS DCO will also keep up-to-date on current
technology, procedures, and services available for disaster
planning and recovery, and ensure the staff is informed about
these issues. The OAQPS DCO will ensure appropriate security
measures are taken to prevent damage or destruction of CAA CBI,
approve off-site storage of CAA CBI, arrange for security guards
when needed,
establish and maintain an emergency recall list (including EPA
designated personnel, police and fire departments, hospitals,
utility companies, selected resources, etc.), and whatever else
might be required in the circumstances.
3. Response
The OAQPS DCO is responsible for directing all disaster
operations involving damage to or destruction of CAA CBI records. All
of OAQPS staff (Directors, Group Leaders, POs, WAMs and
employees) must be involved in order for the disaster plan to be
an effective one. Preventing, preparing for, and responding to
disasters has to be a team effort. We all have to be aware of
the issues, and integrate prevention and preparedness into our
daily routines and consciousness. In the event of a disaster, we
have to be able to pull together as a team and respond quickly
and effectively to protect OAQPS's CAA Confidential Business
Information. The OAQPS DCO will also evaluate the damage, plan
and execute recovery operations, and do post-disaster
assessments.
SECTION X.
CAA CBI COMPUTER SECURITY
NOTE: Computer security is difficult and expensive to
maintain. OAQPS personnel and its contractors should not use
CAA CBI in an identifiable form in computer programs, if at
all possible.
A. OVERVIEW
This policy applies to all automated data processing (ADP)
systems processing and/or storing CAA Confidential Business
Information (CBI). It shall apply equally when the ADP systems
are owned and operated by EPA or by its contractors or
consultants.
B. DIRECTIVES
The computer processing of CAA CBI must be in compliance
with the following directives issued to all Federal agencies
processing sensitive data by computer:
Office of Management and Budget OMB Circular A-130,
TM No. 1;
Office of Personnel Management FPM 732-7;
National Bureau of Standards FIPS PUBS; and
General Services Administration 41 CFR Ch. 101.
These directives require all Federal agencies processing
sensitive information by computer to establish and maintain a
formal security system.
C. BASIC SECURITY REQUIREMENT
OAQPS must provide a system with a level of security
adequate to protect any CBI being processed from alteration,
loss, or from unauthorized access.
1. Security Mode
OAQPS CAA CBI must be entered into an isolated system
with access control safeguards as well as additional safeguards
within the system. In addition, file and data separation are
required since all users are not authorized to access all data.
2. Authenticity and Verification
The system will authenticate the password for each
project, verify each user's identity, and validate each user's
file access authority and privileges. System output must have
special markings that identify particular data sets or programs
to provide audit trails. These audit trails will produce an
activity and, when possible, an event record to permit analysis
of system operation by the CBI Office.
3. Remote Operation
There shall be no communication system to interface
with remote terminals.
4. Users Requirements
All system users and persons allowed unescorted access
to the ADP system shall meet the following criteria:
They are authorized access to CAA CBI;
They have completed a Request, Approval, and
Registration for CAA CBI Computer Access, CAA CBI Form
3;
They have been informed of the proper security
procedures for operation of the system;
They have been informed of the proper action to be
taken in the event of system malfunction (spillage,
etc.);
They have been trained in the use of the system before
being given the password;
They have been authorized access to specific data in
the system and have been given the password to that
data; and
They have signed an acknowledgement of having been
provided the above information.
OAQPS and contractor employees who are authorized
access to specific CBI may view a computer screen that contains
the CBI to which they are authorized access.
5. Visitors
Administrative approval may be given to permit
unauthorized persons to visit the computer facility, but they
shall be escorted and shall sign a log indicating the date and
time of their visit.
D. CBI COMPUTER ROOM
All ADP central processing and ancillary equipment shall be
located in a specific room. This room in its totality is herein
referred to as the CBI Computer Room.
The CBI Computer Room:
Shall be located in an interior part of the building;
Shall be on a floor not accessible from the exterior of
the building;
Shall be in an area not adjacent to, above, or below an
area that would constitute a high-risk area from the
standpoint of fire or explosion;
Shall maintain only one entrance for personnel access.
Other doors, if any, shall be secured;
Shall, when unoccupied, be secured with a Simplex
combination lock, mounted on a solid wooden or metal
door; and
Shall, during hours of operation, have access
controlled by means of an access control lock.
E. SAFEGUARDING CBI DURING COMPUTER USE
While using CAA CBI at a computer in an unsecured area, the
operator must retain exclusive control over the operation of the
computer and printer and must ensure that only individuals
authorized for access to the CAA CBI can view the terminal
screen. If the operator must leave the terminal for any reason,
the computer session shall be terminated.
1. Computer Storage Media
CBI data used on a computer may be stored on either
floppy disks or permanent hard disks. Floppy disks are
preferable and shall be secured in the CBI Office. Floppy disks
containing CBI must also be removed from the computer after each
session and returned to the CBI Office.
Obsolete or damaged disks shall be given to the WAM who
will authorize the CBI Office to return the disks to the
providing organization or to destroy them.
2. Termination of a CBI Computer Session
Proper termination of a computer session involving CBI
consists of the following steps:
Transferring and verifying the transfer of the CBI data
to the storage medium (floppy disk, hard disk, or
printout);
Removing the storage medium from the computer;
Erasing the computer's internal memory with a utility
program disk;
Turning off the computer; and
Returning the disks to the CBI Office.
3. Use of a Printer
If CAA CBI is printed out, the printed material must be
secured in the CBI Office. All printouts and any information
obtained from a computer screen and written down must be logged
in and out through the CBI office.
Since not all data on a CBI computer may be CBI, an
employee who obtains a printout from the CBI computer must first
determine whether the printout contains CBI.
F. SYSTEM SECURITY SOFTWARE FOR MULTI-USER SYSTEM
Only the operating system shall execute instructions to
control and perform all input/output operations and changes to
memory boundaries, data elements, tables, execution state
variables, and files of the system. The operating system will
protect itself and provide an authorization function to permit
only approved sets of individuals and programs to be combined for
a project. One class of machine instructions will be reserved
for exclusive use of the operating system, and one class will be
usable by the operating system and user applications.
1. User Authority
Where possible, a memory bounds mechanism will be
included so that memory allocated to any particular user can be
restricted to prohibit the user from reading or writing in the
operating system memory or the memory of another user. The
system will enforce the user privileges as authorized for any
given file and will include execute only, read only, read/write,
and prohibit scratching or renaming files. Authentication of
project passwords, verification of user identity, and validation
of user file authority are performed by the system.
2. Event Record
Except for password maintenance activities, unique
identifiers (passwords) may not be printed or displayed on any
output or terminal. Within the limits of system capability, an
access and event journal will be maintained by the system in a
secure manner to record system activity, log-on attempts, and
program execution. This audit function should permit event
attribution to the individual user. An exception audit will be
produced by the system of all unauthorized activity, including
log-on and file access attempts for daily review by the CBI
Computer Room Document Control Assistant (DCA). The system will
include a time clock for recording events. The system activity
log will have a write-only mode. The system will maintain user
and file isolation on time share and concurrent processing.
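The exception audit described above, shown as an added example that is not part of the manual: it reads an access and event journal, keeps the denied log-on and file access attempts for one day, and attributes them to individual users for the daily review. The journal format, field names and sample lines are constructed assumptions; the manual does not specify them.

```python
from collections import namedtuple
from datetime import date, datetime

# Assumed journal format (not from the manual), one event per line:
#   ISO timestamp | user | project | event kind | target | result
Event = namedtuple("Event", "when user project kind target result")
KINDS = {"LOGON", "EXEC", "FILE_READ", "FILE_WRITE"}
RESULTS = {"OK", "DENIED"}

# Constructed sample journal. No password field exists in the format, so
# identifiers can never reach the report output.
SAMPLE_JOURNAL = """\
1995-06-12T08:02:11|jdoe|PRJ-A|LOGON|-|OK
1995-06-12T08:05:40|jdoe|PRJ-A|FILE_READ|survey_a.dat|OK
1995-06-12T09:14:03|asmith|PRJ-B|LOGON|-|DENIED
1995-06-12T09:14:31|asmith|PRJ-B|LOGON|-|DENIED
1995-06-12T09:15:02|asmith|PRJ-B|LOGON|-|OK
1995-06-12T10:41:27|jdoe|PRJ-A|FILE_READ|survey_b.dat|DENIED
1995-06-12T11:03:55|jdoe|PRJ-A|EXEC|aggregate.exe|OK
this line is damaged
1995-06-13T08:00:09|asmith|PRJ-B|FILE_WRITE|survey_b.dat|DENIED
"""


def parse_journal(text):
    """Return (events, unparsed). Damaged lines are kept, never dropped."""
    events, unparsed = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        parts = line.split("|")
        try:
            if len(parts) != 6:
                raise ValueError("wrong field count")
            when = datetime.strptime(parts[0], "%Y-%m-%dT%H:%M:%S")
            user, project, kind, target, result = parts[1:]
            if not user or kind not in KINDS or result not in RESULTS:
                raise ValueError("unknown field value")
        except ValueError:
            unparsed.append((lineno, line))
            continue
        events.append(Event(when, user, project, kind, target, result))
    return events, unparsed


def exception_audit(text, day):
    """Collect every DENIED event on `day`, grouped by the user it belongs to."""
    events, unparsed = parse_journal(text)
    by_user = {}
    for ev in sorted(events, key=lambda e: e.when):
        if ev.when.date() == day and ev.result == "DENIED":
            by_user.setdefault(ev.user, []).append(ev)
    # Unreadable journal lines cannot be dated, so they appear on every report.
    return {"day": day, "by_user": by_user, "unparsed": unparsed}


def format_report(audit):
    """Render the audit as text lines for the daily review."""
    lines = [f"Exception audit for {audit['day'].isoformat()}"]
    for user in sorted(audit["by_user"]):
        evs = audit["by_user"][user]
        lines.append(f"{user}: {len(evs)} unauthorized attempt(s)")
        for ev in evs:
            lines.append(f"  {ev.when:%H:%M:%S} {ev.project} {ev.kind} {ev.target}")
    for lineno, raw in audit["unparsed"]:
        lines.append(f"journal line {lineno} unreadable: {raw!r}")
    return lines


if __name__ == "__main__":
    print("\n".join(format_report(exception_audit(SAMPLE_JOURNAL, date(1995, 6, 12)))))
```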
G. GENERAL PROCEDURES
Changes to the operating system will be made off-line,
reviewed, and approved before being installed on the active
system. Changes in the application programs will be made
off-line using non-sensitive data and implemented after review.
1. Checkout
Portable storage disks must be checked out from the CBI
Office using procedures described in Section III, Document
Control, and returned to the CBI Office when the processing is
terminated.
2. User Privileges (Multi-user system only)
User privileges will be limited to those necessary.
The user will log-out the appropriate floppy disk from the CBI
Office before logging into the CBI Computer Room with the CBI
Computer Room DCA.
Unique identifiers (passwords) shall be used for
project identification in the log-on procedure and for data file
access. These identifiers shall be treated as confidential and
shall be changed at frequent intervals of at least every 3
months. Two passwords are required to begin a program. The CBI
Computer Room DCA shall provide a system access password and the
user shall provide a data file access password.
3. CBI Computer Room DCA
When processing is ended and the system
is to be shut down, the user will log-out with the CBI Computer
Room DCA. The CBI computer room DCA shall also be responsible for
opening and closing the CBI computer room and starting and
shutting-down the computer.
4. Back-up Files
Back-up files will be maintained in the CBI Office.
Periodically, the backup files will be tested to ensure
operational condition.
5. Transmission
Input and output media shall be transmitted only
between the CBI Office and the users who are authorized access to
specific data contained on the media. In no case will input
media be accepted from or delivered to a third party. A system
processing and/or storing CBI must never be system that does not
contain CBI information.
H. DESTRUCTION AND RELEASE OF DATA MEDIA
All paper products, program listings and cards, when no
longer needed, are to be destroyed in accordance with current
procedures for disposal of CBI documents listed in Section XI,
Disposal and Destruction.
1. Magnetic Storage
Floppy disks used to process or store CAA CBI may be
released from control after they have been degaussed in an
approved manner on an approved degausser. Prior to release, all
identifying markings must be removed from the media and the
erasure of the data must be verified.
2. Rigid Magnetic Storage Media
Rigid magnetic storage media, used for processing or
storing CAA CBI, when no longer needed, may be released from
control after it has been overwritten alternately by ones and
zeros at least three times. In the case of malfunctioning or
damaged data storage media, when overwriting is not possible, the
data storage media must be degaussed. Overwriting or degaussing
must be verified prior to release of the media.
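An added example, not part of the manual, of the overwrite-and-verify rule for rigid media. It assumes "at least three times" means three cycles of a ones pass (0xFF) followed by a zeros pass (0x00); the function name, the result fields and the mapping of any I/O failure to "degauss" are assumptions.

```python
import os

CHUNK = 64 * 1024        # bytes per write/read call
PATTERNS = (0xFF, 0x00)  # assumed reading: a "ones" pass, then a "zeros" pass


def _fill(fd, size, byte):
    """Write `size` bytes of `byte` from offset 0 and flush them to the device."""
    os.lseek(fd, 0, os.SEEK_SET)
    block = bytes([byte]) * CHUNK
    remaining = size
    while remaining:
        written = os.write(fd, block[:min(CHUNK, remaining)])
        remaining -= written
    os.fsync(fd)


def _matches(fd, size, byte):
    """Read the whole target back and confirm every byte equals `byte`."""
    os.lseek(fd, 0, os.SEEK_SET)
    remaining = size
    while remaining:
        data = os.read(fd, min(CHUNK, remaining))
        if not data or data.count(byte) != len(data):
            return False
        remaining -= len(data)
    return True


def overwrite_and_verify(path, cycles=3):
    """Overwrite `path` (a raw device or disk image) and verify each pass.

    Returns a dict with:
      disposition  "release" when every pass verified, otherwise "degauss"
      passes       list of (cycle, pattern, verified) tuples for the record
      error        None, or the reason overwriting could not be completed

    Caveats: the read-back may be served from the OS cache rather than the
    media, and overwriting one file on a journaling or copy-on-write
    filesystem does not reach every stored copy, so the target here is the
    whole medium.
    """
    if cycles < 3:
        raise ValueError("the manual requires at least three overwrites")
    passes = []

    def degauss(reason):
        return {"disposition": "degauss", "passes": passes, "error": reason}

    try:
        fd = os.open(path, os.O_RDWR)
    except OSError as exc:
        return degauss(str(exc))
    try:
        size = os.lseek(fd, 0, os.SEEK_END)
        for cycle in range(1, cycles + 1):
            for pattern in PATTERNS:
                _fill(fd, size, pattern)
                verified = _matches(fd, size, pattern)
                passes.append((cycle, pattern, verified))
                if not verified:
                    return degauss("read-back mismatch")
        return {"disposition": "release", "passes": passes, "error": None}
    except OSError as exc:
        # Malfunctioning or damaged media: overwriting is not possible.
        return degauss(str(exc))
    finally:
        os.close(fd)


if __name__ == "__main__":
    import tempfile
    # Constructed stand-in for a disk image.
    with tempfile.NamedTemporaryFile(delete=False) as tmp:
        tmp.write(b"CONSTRUCTED SAMPLE DATA " * 4096)
    print(overwrite_and_verify(tmp.name)["disposition"])
    os.remove(tmp.name)
```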
I. SECURITY PLAN
In addition to computer security procedures, the OAQPS
security plan calls for a methodology for a risk analysis, and
the requirement for confidentiality agreements from all
contractor personnel. The plan must also meet all specified
below. This security plan is subject to approval by the ESD
Director and shall be available to representatives of EPA's
Office of the Inspector General (OIG).
J. RISK ANALYSIS
The conduct of risk analyses for each computer installation
operated by or on behalf of EPA is required under the provision
of OMB Circular A-130, TM No. 1. These analyses are specified as
needed, before approving design specifications for new systems;
whenever there is a significant change to the physical facility,
hardware, and/or software; or at periodic intervals not to exceed
5 years. These risk analyses are to provide an evaluation of the
relative vulnerabilities at the installation in order to maximize
the effectiveness of security measures within the constraints of
available resources.
SECTION XI.
DISPOSAL AND DESTRUCTION
A. OVERVIEW
The purpose of this section is to explain how Confidential
Business Information (CBI) must be disposed of or destroyed.
B. INTENT
CAA CBI that is of no use to OAQPS and not wanted by the
providing organization, will be destroyed only under the
supervision of the DCO or CBI Manager. CBI borrowed from TSCA or
RCRA may not be destroyed but must be returned.
C. NOTICE OF INTENT TO DESTROY
The providing organization or owner of original CAA CBI that
is no longer needed by OAQPS must be informed of the intent to
destroy the material. This notice is given to allow the owner an
option to reclaim the materials or have OAQPS destroy them.
D. ORIGINAL CBI
Under no circumstances will contractors dispose of
original CAA CBI materials that have been logged into the
OAQPS Records Management System in any way other than
returning them to the OAQPS CBI Office.
Work Assignment Managers or their Group Leaders shall
initiate the process for destruction or disposal (return to the
providing organization) of original CBI material. The materials
must be identified for destruction. The OAQPS CBI Manager will
destroy specified documents and maintain a record of all
destroyed documents. At no time shall destruction of CAA CBI
material take place without proper authorization from the WAM or
providing organization.
E. DERIVATIVE CBI
Authors of derivative CBI (CBI created from original CBI)
may authorize the CBI Office to destroy their work that contains
CAA CBI.
F. CBI WASTE
Waste material including handwritten notes, sheets of carbon
paper, diskettes, and working papers that contain CAA CBI must be
returned to the CBI Office daily for destruction. No record of
destroying this type of material need be kept.
G. RECORDS OF DESTRUCTION
Records of destruction are required for CAA CBI materials.
When a document is destroyed, the OAQPS CBI Manager or the CDCO
must indicate on the CAA CBI Control Record, CAA CBI Form 1
(Appendix J) the destruction date, person destroying document,
and attach documentation authorizing the destruction to the CAA
CBI Control Record.
The control records of destroyed documents must be retained
for audit purposes and the CDCO shall submit the list of
destroyed documents with the annual inventory and upon completion
of the contract. The destruction of CBI materials logged into
the OAQPS CAA CBI Records Management System shall be documented in
the CAA CBI automated database and purged annually.
H. METHODS OF DESTRUCTION
CAA CBI documents and material shall be destroyed in a
manner that precludes recognition or reconstruction. In general,
CAA CBI materials are destroyed by one of two methods: shredding
(including any type of paper substance) or burning (including
microfiche, typewriter ribbons, diskettes, and data tapes).
-------
SECTION XII.
CBI SECURITY VIOLATIONS
A. OVERVIEW
This section sets forth the procedures to be followed
whenever CAA Confidential Business Information (CBI) security
procedures may have been violated.
B.
Any OAQPS employee who is either aware of actual or possible
violations regarding loss of CBI materials or unauthorized
disclosures must immediately report this information to the DCO.
C. VIOLATIONS OF THIS MANUAL
All alleged violations of this manual's procedures shall be
investigated, even if there is no evidence of a lost document or
unauthorized disclosure.
D. PRELIMINARY INQUIRY
The ESD Director will have the OAQPS DCO conduct a
preliminary inquiry into the circumstances surrounding an actual
or possible compromise. The findings of this inquiry, undertaken
to determine if a compromise did occur, are to be given to the
ESD Director for evaluation.
E. INVESTIGATION
The ESD Director may direct the OAQPS DCO to conduct a full
investigation based on the results of the preliminary inquiry.
An investigation shall include the following:
A complete identification of each item of classified
information involved.
A thorough search for the CBI.
Identification of any persons or procedures responsible
for the compromise.
A statement that a compromise did occur, may have
occurred, or did not occur, and an estimate of the risk
of damage to the affected business.
A thorough discussion of all facts uncovered.
F. REPORTS AND FINDINGS
Investigative reports shall include, if possible, the
document date, subject, name and address of the originator, and a
description of the material.
1. Finding of No Damage
If it is determined that compromise could not
reasonably be expected to cause identifiable damage to the
affected business the report of the preliminary inquiry will be
sufficient to resolve the incident and, if appropriate, support
the administration of disciplinary action.
2. Lost Documents
If a document is lost or missing, the report should
include the time, date, surrounding the loss; and the steps taken
to locate the material. If possible, the person responsible for
the loss should be identified.
3. Compromise
Where a compromise is believed to have occurred, a
narrative statement by the WAM should detail the circumstances,
the identity of the unauthorized person(s) who had or may have
had access to the material, the steps taken to determine whether
a compromise did in fact occur, and the WAM's evaluation of the
importance of the material.
4. Finding of Damage
If it is determined that the probability of
identifiable damage to the affected company cannot be ruled out,
the ESD Director shall notify the affected business that the
materials claimed as CBI are not in account and that there is
reason to believe the information may have been disclosed to
individuals not authorized for access to it. Written notice to
the affected business must contain a description of the CBI in
question and the date of the disclosure.
G. RESULTING ACTIONS
After receiving an inquiry and/or investigation report, the
ESD Director will notify appropriate Division Directors of the
report findings and recommend actions in keeping with the EPA
Conduct and Discipline Order. Division Directors are responsible
for imposing punitive measures as deemed necessary.
1. Violations Subject to Punitive
Employees may be subject to punitive measures if they
do any of the following:
Compromise CBI through negligence;
Knowingly and willfully violate any provisions of this
manual; or
Knowingly and willfully, and without authorization,
disclose properly classified CBI.
2. Punitive Measures
Punitive measures for security violations include, but
are not limited to, warning notice, admonition, reprimand,
termination of authorization for access to CBI, suspension
without pay, forfeiture of pay, removal, discharge, or legal
charges. These measures will be imposed in accordance with
applicable law and EPA regulations.
-------
SECTION XIII.
CAA CBI DEFINITIONS
Access: The ability and opportunity to gain knowledge of CAA
CBI in any manner whatsoever. Access to CAA CBI by individuals
not authorized according to procedures in Section VI must be
reported as a security violation.
Affected Business: Any providing organization that could be
affected adversely by the unauthorized disclosure of its CAA CBI.
Authorized Person: Any person duly authorized pursuant to
OAQPS procedures to have access to CAA CBI.
CAA CBI Control Number: Unique number assigned by the OAQPS
CBI Office to any document received or generated that contains
CAA CBI. The number consists of at least ten digits (e.g.,
94111-C02-09). The first five digits are the fiscal year and
project identification number: the first two numbers are the fiscal
year and the next three numbers are assigned for each specific
project (e.g., 94111); the next three digits identify the
responsible group and WAM (e.g., C02); and the last digits refer
to the number of documents submitted to the CBIO from the
employee on the specific project.
Confidential Business Information: Any information, in any
form, received by OAQPS from a person, firm, partnership,
corporation, association, or local, State or Federal agency that
relates to trade secrets or commercial or financial information
and that has been claimed as confidential by the person
submitting it under the procedures in 40 CFR, Part 2, Subpart B.
Contractor: Any person, association, partnership,
corporation, business, educational institution, governmental
body or other entity that performs work under a contract with the
United States Government.
Contracting Officer (CO): EPA delegated official with the
authority to enter into contracts on behalf of the EPA. The CO
has sole authority to sign contracts, obligate funds for a
contract, issue work assignments, modify contract terms or
conditions, and terminate a contract.
Custody: Formal responsibility for controlling access to CAA
CBI according to the procedures found in this manual.
Derivative CBI: Confidential Business Information created by
incorporating, paraphrasing, restating, or generating a new form
of the information.
Document: Any recorded information regardless of its physical
form or characteristics, including, without limitation, written
or printed materials; data processing cards, disks, and tapes;
maps; charts; photographs; paintings; drawings; engravings;
sketches; working notes and papers; reproductions of such items
by any means or processes; and sound, voice, or electronic
recordings in any form.
OAQPS CBI Office: Secured interior room at OAQPS headquarters
where all CAA CBI is stored.
OAQPS Document Control Officer: A Government employee
designated by the ESD Director to oversee the OAQPS CAA CBI
program.
Document Tracking System: A system to account for the
location or disposition of CAA CBI materials. Materials in a
Document Tracking System are assigned unique numerical
identifiers, or CBI control numbers, and their locations are
tracked through manual or automated logs or records of receipt,
usage, and transfer.
Employee: Any person employed by EPA on a full-time or
part-time basis in accordance with the procedures of the Office of
Personnel Management. (This definition does not include
contractors, grantees, or their employees.)
Federal Agency: Any organization or entity composed of United
States officers or employees except for Federal courts and
Congress.
Holder: A Federal employee or OAQPS contractor employee who is
authorized access to specific CAA CBI, and is currently in
possession of the CAA CBI.
Original CBI: Confidential business information in its
original form as submitted by a providing organization or as
recorded during a visit to the providing organization.
Project Officer (PO): EPA's primary technical representative
of the CO for a contract. Responsibilities include: evaluating
contractor proposals; assisting in writing statement of work;
reviewing contractor progress reports; reviewing contractor
requests and recommending approval or disapproval to the CO; and
assisting the CO in the resolution of problems associated with
contractor performance.
Specific CAA CBI: Confidential business information
collected for an individual project or work assignment under a
contract.
Subcontractor: A contractor that provides a portion of the
level of effort on an EPA contract through a contractual
agreement with the prime EPA contractor. The EPA's contractual
agreement is with the prime contractor, not the subcontractor.
Violation: The failure to comply with any provision of these
procedures, whether or not such failure leads to actual
unauthorized disclosure of CAA CBI.
Work Assignment Manager (WAM): An EPA program official who
monitors a specific work assignment written under a contract.
The WAM develops the statement of work for specific work
assignments and monitors the technical performance of the
contractor.
-------
SECTION XIV.
GLOSSARY OF ACRONYMS
AAL Authorized Access List
ADP Automatic Data Processing
CAA Clean Air Act
CBI Confidential Business Information
CBIO Confidential Business Information Office
CDCA Contractor Document Control Assistant
CDCO Contractor Document Control Officer
CFR Code of Federal Register
CWA Clean Water Act
DCA Document Control Assistant
DCO Document Control Officer
ESD Emission Standards Division
EPA United States Environmental Protection Agency
FEMA Federal Emergency Management Agency
FIFRA Federal Insecticide, Fungicide and Rodenticide Act
GAO General Accounting Office
OAQPS Office of Air Quality Planning and Standards
OIG Office of the Inspector General
OGC Office of General Counsel
OS Office of Solid Waste
PC Personal Computer
RCRA Resource Conservation and Recovery Act
TSCA Toxic Substances Control Act
WAM Work Assignment Manager
-------
SECTION XIV.
APPENDICES
APPENDIX TITLE
A Authorization for Access to CAA CBI for
Federal Employees, CAA CBI Form 2
Authorization for Access to CAA CBI for
Contractor Employees, CAA CBI Form 3
B Confidentiality Agreement for United States
Employees Upon Relinquishing CAA CBI Access
Authority, CAA CBI Form 4
Confidentiality Agreement for Contractor
Employees Upon Relinquishing CAA CBI Access
Authority, CAA CBI Form 5
C Memorandum of CAA CBI Telephone Conversation,
CAA CBI Form 6
D CAA CBI Meeting Sign-In Sheet, CAA CBI Form 7
E CAA CBI Markings
F CAA Confidential Business Information Cover
Sheet, CAA CBI Form 8
Pending CAA Confidential Business Information
Cover Sheet, CAA CBI Form 9
G Request, Approval, and Registration for CAA
CBI Computer Access, CAA CBI Form 10
H Request for Approval of Contractor Access to
CAA CBI, CAA CBI Form 11
Contractor Information Sheet-Contractor CAA
CBI Access/Transfer, CAA CBI Form 11a
I CAA CBI Inventory Log, CAA CBI Form 12
CAA CBI Pending Log, CAA CBI Form 13
J CAA Confidential Business Information Control
Record, CAA CBI Form 1
K CAA CBI Custody Receipt, CAA CBI Form 14
L Confidential Business Information Security
Agreement, CAA CBI Form 15
M Sample CAA CBI Transfer Letters
-------
APPENDIX A
FULL NAME
EPA ID NUMBER
POSITION
OFFICE
I. AUTHORIZATION FOR ACCESS TO CAA CBI FOR FEDERAL EMPLOYEES
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her
supervision who require access to CAA CBI:
1. Sign the Confidentiality Agreement for EPA Employees
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
II. CONFIDENTIALITY AGREEMENT FOR FEDERAL EMPLOYEES
I understand that I will have access to certain Confidential Business Information submitted to EPA or
its authorized representatives under the Clean Air Act (CAA). This access is granted in accordance
with my official duties as an employee of the Environmental Protection Agency.
I understand that CAA CBI may not be disclosed except as authorized by CAA and Agency
regulations. I understand that I am liable for a possible fine of up to $1,000 and/or imprisonment for
up to 1 year if I willfully disclose CAA CBI to any person not authorized to receive it. In addition I
understand that I may be subject to disciplinary action for violation of this agreement with penalties
ranging up to and including dismissal.
I agree that I will treat any CAA CBI furnished to me as confidential and that I will follow the
procedures set forth in the CAA Confidential Business Information Security Manual.
I have read and understand these procedures.
SIGNATURE
TELEPHONE NO.
DATE
III. HAVING COMPLETED REQUIRED TRAINING AND PASSED REQUIRED
TEST, THE ABOVE-NAMED EMPLOYEE IS HEREBY AUTHORIZED TO HAVE
ACCESS TO CAA CBI.
SIGNATURE CBI MANAGER/DCO
TELEPHONE NO.
DATE
* Must be Division Director (or equivalent) or above.
CAA CBI Form 2 (Rev. 6/95)
-------
APPENDIX A
I. AUTHORIZATION FOR ACCESS TO CAA CBI FOR CONTRACTOR EMPLOYEES
FULL NAME
SSN
POSITION
CONTRACTOR
It is the responsibility of each Authorizing Official* to ensure that the employees under his/her
supervision who require access to CAA CBI:
1. Sign the Confidentiality Agreement for EPA Employees
2. Are fully informed regarding their security responsibilities for CAA CBI.
3. Obtain access only to that CAA CBI required to perform their official duties
SIGNATURE OF AUTHORIZING OFFICIAL*
TITLE
TELEPHONE NO.
DATE
LOCATION
II. CONFIDENTIALITY AGREEMENT FOR CONTRACTOR EMPLOYEES
I understand that I will have access to certain Confidential Business Information submitted to EPA or
its authorized representatives under the Clean Air Act (CAA). This access is granted in accordance
with my official duties as an employee of the Environmental Protection Agency contractor.
I understand that CAA CBI may not be disclosed except as authorized by CAA and Agency
regulations. I understand that I am liable for a possible fine of up to $1,000 and/or imprisonment for
up to 1 year if I willfully disclose CAA CBI to any person not authorized to receive it. In addition I
understand that I may be subject to disciplinary action for violation of this agreement with penalties
ranging up to and including dismissal.
I agree that I will treat any CAA CBI furnished to me as confidential and that I will follow the
procedures set forth in the CAA Confidential Business Information Security Manual.
I have read and understand these procedures.
SIGNATURE
TELEPHONE NO.
DATE
III. HAVING COMPLETED REQUIRED TRAINING AND PASSED REQUIRED
TEST, THE ABOVE-NAMED EMPLOYEE IS HEREBY AUTHORIZED TO HAVE
ACCESS TO CAA CBI.
SIGNATURE CONTRACTOR/DCO
TELEPHONE NO.
DATE
* Must be Contractor Management
CAA CBI Form 3 (Rev. 6/95)
-------
APPENDIX B
US Environmental Protection Agency
Washington, DC 20460
Confidentiality Agreement for Federal Employees
Upon Relinquishing CAA CBI Access Authority
In accordance with my official duties as an employee of the United States, I have had access
to Confidential Business Information under the Clean Air Act (CAA) (42 U.S.C. 1857 et
seq.). I understand that CAA Confidential Business Information may not be disclosed except
as authorized by CAA or Agency regulations.
I certify that I have returned all copies of any materials containing CAA Confidential Business
Information in my possession to the OAQPS CBI Office.
I agree that I will not remove any copies of materials containing CAA Confidential Business
Information from the premises of the Agency upon my termination or transfer. I further agree
that I will not disclose any CAA Confidential Business Information to any person after my
termination or transfer.
I understand that as an employee of the United States who has had access to CAA Confidential
Business Information, under 18 U.S.C. 1905, I am liable for a possible fine of up to $1,000
and/or imprisonment for up to one year if I willfully disclose CAA Confidential Business
Information to any person.
If I am still employed by the United States, I also understand that I may be subject to
disciplinary action for violation of this agreement.
I am aware that I may be subject to criminal penalties under 18 U.S.C. 1001 if I have made
any statement of material facts knowing that such statement is false or if I willfully conceal
any material fact.
Name (Please type or print)
Signature
SSN
Date
CAA CBI Form 4 (Rev. 6/95)
-------
APPENDIX B
Environmental Protection Agency
Washington, DC 20460
CONFIDENTIALITY AGREEMENT FOR
CONTRACTOR EMPLOYEES UPON
RELINQUISHING CAA CBI ACCESS AUTHORITY
Name of Employer
Contract Number
As an employee of the contractor/subcontractor named above performing work for the United
States Government, I have been authorized access to Confidential Business Information (CBI)
submitted under the Clean Air Act (CAA) (42 U.S.C. 1857 et seq.). This access authority was
granted to me in order to perform my work under the contract number cited above.
I understand that CAA CBI to which I have had access under the contract may not be used for
any purposes other than for performing the contract. I also understand that CAA CBI may not
be disclosed except as authorized by CAA or EPA regulations.
I certify that I have returned all copies of CAA CBI materials in my possession to my
company Document Control Officer.
I agree that I will not remove any copies of materials containing CAA CBI from the premises
of my company or from EPA premises upon my relinquishment of CAA CBI to any person
after my relinquishment of CAA CBI access authority.
I understand that as a contractor employee who has been authorized access to CAA CBI, I may
face criminal prosecution if I willfully disclose CAA CBI to any person.
If I am still employed by the contractor, I also understand that I may be subject to disciplinary
action for violation of this agreement.
I am aware that I may be subject to criminal penalties under 18 USC Section 1001 if I have
made any statement of material facts knowing that such statement is false or I willfully
conceal any material fact.
NAME (Please type or print)
Social Security Number
Signature
Date
CAA Form 5 (Rev. 6/95)
-------
APPENDIX C
US Environmental Protection Agency
Washington, DC 20460
MEMORANDUM OF CAA CBI
TELEPHONE CONVERSATION
I. EMPLOYEE IDENTIFICATION
Name of Employee
Date
Organization
Time
II. SECOND PARTY IDENTIFICATION
Call is: [ ] To [ ] From
Name
Number
Organization
III. Concerning What CAA CBI?
IV. Content of Conversation: (CONTINUE ON SEPARATE SHEET)
CAA CBI Form 6 (Rev. 6/95)
-------
APPENDIX D
U.S. Environmental Protection Agency
Washington, DC 20460
CAA CBI MEETING SIGN-IN SHEET
CHAIRPERSON
MEETING PLACE (ROOM, BUILDING, CITY, STATE)
DATE
TIME
SUBJECT OF MEETING
NAME (Print)
Signature
ORGANIZATION
THIS SIGN-IN SHEET MUST BE GIVEN TO THE CBI MANAGER
CAA CBI Form 7 (Rev. 6/95)
-------
APPENDIX E
CAA CBI MARKINGS
"SUBJECT TO CONFIDENTIALITY CLAIM"
"TO BE OPENED BY ADDRESSEE ONLY"
"CBI -- CONFIDENTIAL BUSINESS INFORMATION"
"DETERMINED CONFIDENTIAL BY OAQPS"
"DESTROYED BY / DATE"
-------
APPENDIX F
Contractor Control No.:
EPA Control No.:
Copy No.:
CAA
CONFIDENTIAL
BUSINESS INFORMATION
The attached document contains data claimed to be confidential business information (CBI)
under the authority of the Clean Air Act (CAA) as amended (42 U.S.C. 7401, 7411, 7412,
7414, 7416, 7601). CBI may not be disclosed or copied for release to another party. Any
excerpts or summaries must also be treated as CBI. If you willfully disclose CAA CBI to any
person not authorized to receive it, you may be liable for a disciplinary action with penalties
ranging up to and including dismissal. In addition, disclosure of CAA CBI or violation of
security procedures may subject you to a fine of up to $1,000.00 and/or imprisonment for up
to one year.
DO NOT DETACH
CAA CBI Form 8 (Rev. 6/95)
-------
APPENDIX F
Contractor Control No.:
EPA Control No.:
Copy No.:
CAA
CONFIDENTIAL
BUSINESS INFORMATION
PENDING
The attached document contains data claimed to be confidential business information (CBI)
under the authority of the Clean Air Act (CAA) as amended (42 U.S.C. 7401, 7411, 7412,
7414, 7416, 7601). CBI may not be disclosed or copied for release to another party. Any
excerpts or summaries must also be treated as CBI. If you willfully disclose CAA CBI to any
person not authorized to receive it, you may be liable for a disciplinary action with penalties
ranging up to and including dismissal. In addition, disclosure of CAA CBI or violation of
security procedures may subject you to a fine of up to $1,000.00 and/or imprisonment for up
to one year.
DO NOT DETACH
CAA CBI Form 9 (Rev. 6/95)
-------
APPENDIX G
U.S. Environmental Protection Agency
Washington, DC 20460
Request, Approval, and Registration
for CAA CBI Computer Access
I. Request for CAA CBI Computer Access
1. Name (Last,First,MI)
2. Requestor (Office/Division/Branch)
3. System and Data Base to Be Accessed
4. Describe fully the duties that require access to each system
5. Signature of Requesting Official (Division Director or above)
6. Date
II. Computer Room DCA Approval
1. Date Received
2. Signature of Computer Room DCA
III. DCO Approval
1. Date Received
2. Holds Current CAA CBI Access
[ ] Yes [ ] No
3. Approved
[ ] Yes [ ] No (Explain on back)
4. Signature DCO
CAA CBI Form 10 (Rev. 6/95)
-------
APPENDIX H
U.S. Environmental Protection Agency
Washington, DC 20460
REQUEST FOR APPROVAL OF
CONTRACTOR ACCESS TO CAA CBI
Requesting Official
Signature
Date
Title and Office
Contractor and contract number
EPA Project Officer
EPA Contracting Officer
I. Brief description of contract including purpose, scope, length, and other important details
(Continued on the back of this form if necessary)
II. What CAA CBI will be required, and why?
(Continued on back if necessary)
Approved (Signature)
Date
CAA CBI Form 11 (Rev. 6/95)
-------
APPENDIX H
CONTRACTOR INFORMATION SHEET
CAA CBI ACCESS/TRANSFER
1. Contractor:
2. Address:
3. Contract #:
4. Is this a renewal of a previous contract? [ ] Yes [ ] No
5. Previous contract number:
6. EPA Project Officer:
7. EPA Contracting Officer:
8. EPA Work Assignment Manager:
Phone: Room: Mail Code:
9. Contractor Project Officer:
10. Description of duties to be performed by contractor that require CAA CBI access:
11. Type(s) of data to be transferred/disclosed:
12. Will CBI be transferred offsite under this contract? [ ] Yes [ ] No
13. If so, to where?
14. Have contractor security plan and facilities been approved by the OAQPS DCO? [ ] Yes [ ] No
15. If so, date of test site inspection:
16. Date access scheduled to commence:
17. Contract expiration date:
18. Is computer CBI access needed under this contract? [ ] Yes [ ] No
19. Has computer access been approved? [ ] Yes [ ] No
CAA CBI Form 11a (Rev. 6/95)
-------
U.S. Environmental Protection Agency
Washington, DC 20460
CAA CBI INVENTORY LOG
Confidential Business Information
Does not contain National Security Information (E.O. 12066)
Date Received | CBI Control Number | Provider/Description | Recipient | Disposition | Disposed Date | Inventory Date
CAA CBI Form 12 (Rev. 6/95)
-------
U.S. Environmental Protection Agency
Washington, DC 20460
CAA CBI PENDING LOG
Confidential Business Information
Does not contain National Security Information (E.O. 12066)
Date Received | CBI Control Number | Provider/Description | Recipient | Disposition | Disposed Date | Inventory Date
CAA CBI Form 13 (Rev. 6/95)
-------
APPENDIX J
CAA CONFIDENTIAL BUSINESS INFORMATION
CONTROL RECORD
DATE RECEIVED:
DATE OF DOCUMENT:
RESPONSIBLE BRANCH:
CONTROL NUMBER:
DOCUMENT AUTHOR:
DESCRIPTION (Providing organization, title, subject, number of copies and number of pages)
RETURN DATE:
DESTRUCTION DATE:
INITIALS:
Each person given access to this document must fill in the information below
CHECK-OUT
SIGNATURE
DATE
TIME
CHECK-IN
SIGNATURE
DATE
TIME
CAA CBI Form 1 (Rev. 6/95)
-------
APPENDIX K
CAA CBI CUSTODY RECEIPT
U. S. Environmental Protection Agency DATE:
Office of Air Quality Planning & Standards
CBI Office (MD-13) SENT VIA:
Research Triangle Park, NC 27711
RECEIPT NO:
TO: FROM: Document Control Officer
Melva W. Toomer, CBI Manager
U. S. EPA, OAQPS, ESD, CBIO
MD-13
Research Triangle Park, NC 27711
INSTRUCTIONS:
1. Original of this receipt to be signed by recipient and returned to sender.
2. Duplicate of this receipt to be retained by recipient.
CBI CONTROL
NO.
COPY NO.
DESCRIPTION OF MATERIAL
I have personally received material, enclosures, and attachments as identified above. I assume full responsibility for
the safe handling, storage, and transmittal of this material in accordance with existing Confidential Business
Information regulations.
DATE RECEIVED:
SIGNATURE OF RECIPIENT:
CAA CBI Form 14 (Rev. 6/95)
-------
APPENDIX L
CONFIDENTIAL BUSINESS INFORMATION
In requesting information claimed to be business confidential
from the Office of Air Quality Planning and Standards, I agree
to safeguard this information according to [ Name of
Agency ]'s procedures comparable to EPA's procedures for
handling Confidential Business Information as found in 40 CFR,
Part 2, Subpart B, Confidentiality of Business Information. I
further agree that access will be limited to only those persons
in our organization having a "need to know," that the
information will be kept in a secure storage container (e.g., a
lockable file cabinet) while it is in our custody, that a
record of persons accessing the information be maintained, and
that it will be returned to OAQPS at the conclusion of our
project.
Name, Title (Please Type or Print)
Signature
Date
CAA CBI Form 15 (Rev. 6/95)
-------
APPENDIX M
LETTER TO CAA CBI REQUESTERS OUTSIDE OAQPS
Mr. Agency Official
Director, Planning Division
Some Government Agency
1168 14th Street
Washington, D.C.
Dear Mr. Agency Official:
(Cite the name of local contact or letter of request)
indicates that you want a copy of certain information in our
Confidential Business Information (CBI) files. Please be advised
that our long-standing policy is to release CBI to only those
persons duly authorized to have access. Since we have not
previously granted clearance for access to Clean Air Act (CAA)
information to you or anyone in your organization, we request
assurance that this information will be handled according to
applicable federal regulations. To provide a record of your
agreement to safeguard the information, we require that you sign
and return the accompanying CBI Security Agreement. We will
release the requested information to you upon receipt of this
agreement.
Sincerely,
Bruce C. Jordan
Director, ESD
Enclosure
-------
APPENDIX M
LETTER TO ACCOMPANY CAA CBI TRANSFERRED
OUTSIDE OAQPS
Mr. Agency Official
Director, Planning Division
Some Government Agency
1108 14th Street
Washington, D.C. 20460
Dear Mr. Agency Official:
Your security agreement associated with the request for
access to (describe information) has been received. We are
therefore releasing the enclosed Confidential Business
Information to your custody. Please sign the attached Custody
Receipt and return it to:
Melva W. Toomer, OAQPS CBI Manager
Emission Standards Division (MD-13)
Office of Air Quality Planning and Standards
U.S. Environmental Protection Agency
Research Triangle Park, NC 27711
Sincerely,
Bruce C. Jordan
Director
Emission Standards Division
Enclosures
-------
APPENDIX M
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
Office of Air Quality Planning and Standards
Research Triangle Park, North Carolina 27711
SAMPLE
TRANSFER LETTER TO PROVIDING FACILITIES
Mr. Thomas Jones
Environmental Control Manager
Toomer's Steel, Inc.
1040 Pine Avenue, SE
Warren, WA 44483-6528
Dear Mr. Jones:
Thank you for your efforts in coordinating a visit to
Toomer's Steel facility in Warren, Washington on August 31, 1993.
The EPA appreciates the time that you spent discussing your
manufacturing processes and conducting an inspection of your
facility.
Enclosed is a draft of the trip report that has been
prepared based on the information obtained during our site visit.
We would appreciate your reviewing the report for any errors or
omissions. You may return the enclosed copy of the report with
your written comments. Since this report will eventually become
a part of the public record, we want to portray your operations
as accurately as possible.
If you believe that disclosure of any specific information
contained in the trip report would reveal trade secrets or other
confidential information, you should clearly identify the
specific information. Please do not label the entire report
"confidential" if only certain portions consist of trade secret
information. If the Environmental Protection Agency (EPA)
determines that there is a need to disclose such information, we
will need, at that time, the following to support your claim:
1. Measures taken by Toomer's Steel, Inc. to guard against
undesired disclosure of the specific information to others;
2. The extent to which the specific information has been
disclosed to others and the precautions taken in connection
therewith;
3. Pertinent confidentiality determinations, if any, by
other Federal agencies (furnish a copy of any such determination
or reference to it, if available); and
4. Whether Toomer's Steel, Inc. asserts that disclosure of
the specific information would be likely to result in substantial
harmful effects on its competitive position, and, if so, what
those harmful effects would be, why they should be viewed as
substantial, and an explanation of the causal relationship
between disclosure and such harmful effects.
Any specific information subsequently determined to
constitute a trade secret will be protected under 18 U.S.C. 1905.
If no claim of confidentiality accompanies the information when
it is received by EPA, it may be made available to the public by
EPA without further notice (40 CFR Part 2.203, September 1,
1976). All emission data, however, will be available to the
public. A clarification of what EPA considers to be emission
data is contained in Enclosure 2.
We respectfully request that you submit your review comments
on the trip report by June 1, 1995. If you concur with the
information contained in the report and if no confidential
information is contained in the report, we would appreciate a
letter to that effect. Please return the report and attachments
along with this letter. If we do not hear from you by June 1,
1995, EPA will consider the report nonconfidential, complete,
correct, and final.
Thank you for your cooperation. The information supplied by
Toomer's Steel, Inc. will be most helpful in our study. If you
have any questions or wish to give comments by phone, please call
Phil Hinson at (919) 541-5289.
Sincerely,
, Leader
Metals Group
Emission Standards Division
2 Enclosures
-------
APPENDIX M.
UNITED STATES ENVIRONMENTAL PROTECTION AGENCY
Office of Air Quality Planning and Standards
Research Triangle Park, North Carolina 27711
SAMPLE
TRANSFER LETTER TO PROVIDING FACILITY
Mr. Gordon Brown
Environmental Manager
State Paper Board
Post Office Box 9999
Whitehouse, Georgia 30913
Dear Mr. Brown:
Thank you for reviewing the trip report for the September
14, 1994 visit to the State Paper Board mill in Whitehouse, GA,
by representatives from the U.S. Environmental Protection Agency
and Northwest Research Institute (NRI). Your comments have been
incorporated in the enclosed final trip report.
The trip report includes a nonconfidential version plus a
confidential addendum. The confidential addendum consists of
those items you identified as confidential business information
(CBI) in your February 7, 1995 letter. Unless we hear from you
by April 19, 1995 with further comments or corrections, we will
treat the nonconfidential trip report and the confidential
addendum as final. In its final form, the nonconfidential trip
report may be accessed by the general public following proposal
of the national emission standards for hazardous air pollutants
for combustion sources in the sand and paper industry. The
confidential addendum can only be accessed by those authorized to
view CAA CBI pertaining to the sand and paper industry.
If you have any questions or additional comments, please
contact Mr. John Smith of my staff at (919) 541-9999 or Ms. Sally
Sue of NRI at (919) 685-1234 (ext. 349). Thank you for your
cooperation.
Sincerely,
Group Leader
(name) Specific Group
Enclosures