United States
Environmental Protection
Agency
Office of
Toxic Substances
Washington, D.C. 20460
TSCA Confidential
Business Information
Security Manual
•'*:'-
-------�
TSCA CONFIDENTIAL BUSINESS INFORMATION
SECURITY MANUAL--1985 Edition
1. PURPOSE. This Transmittal provides a new version of the
TSCA Confidential Business Information Security Manual.
2, EXPLANATION. This Manual sets forth procedures for EPA
employees and other Federal employees to follow in handling
information claimed as TSCA confidential business information
(CBI).
3. FILING INSTRUCTIONS. Discard the old version of this
Manual and file the attached edition in a three-ring binder.
Gary M. Katz, Director
Management and Organization Division
ORIGINATOR:
Management and Organization Division/Office of Administration
EPA Form 1315-12
-------�
TSCA CONFIDENTIAL BUSINESS INFORMATION
SECURITY MANUAL
[FEDERAL EMPLOYEES MANUAL]
NOVEMBER 1985
U.S. ENVIRONMENTAL PROTECTION AGENCY
OFFICE OF TOXIC SUBSTANCES (TS-793)
WASHINGTON. D-C- 20160
-------�
TSCA CBI Security Manual 7700
• 11/1/85.
TABLE OF CONTENTS
I. Introduction.... * ... . 1
Important Terminology 1
II. Authorizing Federal Employees for Access to TSCA CBI .3
A. Initial Request for Access Authority.. •. 3
1. Forms and procedures. 3
2. 'Security briefing .4
B. Authorized Access List. 5
1. Contents of Access List 5
2. Monthly Review of the Access List ."6
C. When an Employee No Longer Needs Access .5
' 1. In general. . . . .5
2. Forms and procedures .6
. D. Maintaining Access...... ..._...'.7
1. In general... 7
2. Scheduling the annual briefing 7
3. Quarterly briefings 7
III. Procedures for Using and Safeguarding TSCA CBI 7
A. In General. 7
1. Document Tracking Systems * 7
2. CBI cover sheets...... 8
3. CBI stamp 8
4. DAPSS. ; 8
B. Procedures for Obtaining CBI from a DCO 8
1. In general. 8
2. Requesting CBI from a'DCO. ,.8
a. In general. ; 8
b. Logging out CBI from a DCO 9
3. Receipt of CBI in the mail 9
4 . TSCA CBI Cover Sheets 9
C. .Storage of TSCA CBI Materials 9
1. In general. 9
2. Approved storage containers .......10
3. Secure storage areas 10
4. Lock combinations 11
5. Electronic card entry devices 11
D. Procedures for Transferring Custody of CBI ....12
1. In general... 12
2. Transfer within CBI-cleared facilities.. 12
3. Transfer .of CBI to individuals at other
facilities. 13
a. In general ..13
b. Double-wrapping of CBI materials...... 13
c. Hand-carrying .13
-------�
TSCA CBI Security Manual 7700
11/1/85
d. Mailing CBI 13
e. Courier service 13
E. Creating New CBI Documents and Personal
Working Papers 14
1. New CBI documents 14
2. Personal working papers 14
a. In general 14
b. Use in meetings 14
c. Storage 15
d. Transfer of CBI documents for typing 15
3. Creating non-CBI documents 15
4. Declassifying CBI materials 16
F. Reproduction of TSCA CBI Materials 16
1. In general 16
2. DCO's role 17
3. Control of copies 17
4. Broken machines 17
G. Destruction of TSCA CBI Materials 18
1. In general 18
2. Destruction method 18
3. Documenting destruction 18
H. Meetings at which TSCA CBI is Discussed 18
1. Meeting sign-in sheets 18
2. Meeting chairperson's duties 19
3. Notes or recordings 19
4. Meeting defined 19
I. Traveling with TSCA CBI 20
1. In general.: 20
2. CBI handling procedures 20
3. Control and storage, of CBI 20
J. Telephone Calls During Which TSCA CBI is
Discussed 20
1. Calls with other individuals authorized
for TSCA CBI access 20
2. Calls with submitters 21
3 . Telephone logs 21
K. Computer Security 21
1. In general 21
2. Safeguarding TSCA CBI during PC use 22
a. In general 22
b. PC storage media 22
c. Terminating a CBI PC session 22
d. Use of a PC printer 23
3. Obtaining and using computer printouts 23
L. Violations of Procedures, Lost Documents, and
Unauthorized Disclosures 23
-------�
TSCA CBI Security Manual 7700
11/1/85
1. In general 23
2. Notifying the IMD Director 24
3. Unaccounted for CBI materials 25
4. Unauthorized disclosure of CBI materials 25
5. Violations of this Manual's procedures 25
IV. Document Control Officer Responsibilities 26
A. In General 26
B. Assigning DCOs 26
C. When DCOs Relinquish DCO Responsibilities 26
D. Document Tracking Systems 26
1. In general 26
2. Receipt of CBI materials 27
3. Storage of CBI materials 28
4. Use of CBI Materials 28
a. Providing CBI to Federal employees 28
b. The Inventory Log 28
c. Checking out CBI from the DCO 29
d. Determining whether documents contain CBI....29
5. Reproduction and destruction of CBI materials.... 30
6. Transfer of CBI materials outside
a DCO's facility 30
E. Inventory of CBI Documents 31
V. Authorizing Other Agencies for Access to TSCA CBI 31
A. In General 31
B. Procedures for Authorizing Another Federal
Agency for Access to TSCA CBI 32
1. Upon request of the other Agency 32
a. The written request 32
b. Notice to affected businesses 32
c. Approval by EPA 33
2. To perform a function on behalf of EPA 33
C. Access to TSCA CBI at Facilities Outside of OTS 34
VI. Congressional Access to TSCA CBI 35
Index 36
-------�
TSCA CBI Security Manual 7700
11/1/85
Appendix Title
1 TSCA CBI Stamp
2 TSCA CBI Cover Sheet
3 TSCA CBI Access Request, Agreement, and
Approval
4 TSCA CBI Computer Access Request,
Approval, and Registration
5 Confidentiality Agreement for United
States Employees Upon Relinquishing
TSCA CBI Access Authority
6 Safe/Cabinet Security Check Sheet
7 TSCA CBI Visitors Log
8 Temporary Loan Receipt for TSCA
Confidential Business Information
9 Destruction Log
10 TSCA CBI Meeting Sign-in Sheet
11 Memorandum of TSCA CBI Telephone
Conversation
12 Guidelines for Determining Penalties for
Violations of This Manual's Procedures
13 Receipt Log
14 Inventory Log
15 Federal Agency, Congress, and Federal
Court Sign-out Log
-------�
TSCA CBI Security Manual 7700
11/1/85
CONTACTS
Questions about the procedures in this manual should be
directed to:
Chief, Confidential Data Branch
Information Management Division
Office of Toxic Substances (TS-793)
401 M St., SW.
Wash., D.C. 20460
Phone: (202) 382-3938
The OTS DCO can be contacted at:
Document Control Officer
Office of Toxic Substances (TS-793)
401 M St., SW.
Washington, D.C. 20460
Phone: (202) 382-3534
The TSCA Security Staff can be contacted at:
TSCA Security Staff
Information Management Division
Office of Toxic Substances (TS-793)
401 M St., SW.
Washington, D.C. 20460
Phone: (202) 382-3938
The IMP Director can be contacted at:
Director
Information Management Division
Office of Toxic Substances (TS-793)
401 M St., SW.
Washington, D.C. 20460
Phone: (202) 382-3938
-------�
TSCA CBI Security Manual 7700
11/1/85
Glossary of Acronyms
CBI Confidential Business Information
CBIC Confidential Business Information Center
CDB Confidential Data Branch
CFR Code of Federal Regulations
CIB Chemical Information Branch
DAPSS Document and Personnel Security System
DCO Document Control Officer
DMB Data Management Branch
EPA United States Environmental Protection Agency
FSSD Facilities and Support Services Division
IMD Information Management Division
OGC Office of General Counsel
OTS Office of Toxic Substances
PMN Premanufacture Notification
PC Personal Computer
TSCA Toxic Substances Control Act
-------�
TSCA CBI Security Manual 770°
I. INTRODUCTION
This manual sets forth procedures for Environmental
Protection Agency (EPA) employees and other Federal employees to
follow in handling information claimed as confidential business
information (CBI) under section 14 of the Toxic Substances
Control Act (TSCA) (15 U.S.C. §2613). That section of TSCA
requires EPA to protect from public disclosure CBI obtained under
TSCA and it imposes criminal penalties for the knowing and
willful unauthorized release or disclosure of such information.
EPA has issued regulations (40 CFR Part 2) which implement TSCA's
confidentiality provisions. The procedures in this manual
supplement those set forth in TSCA and in 40 CFR Part 2.
Another manual, "Contractor Requirements for the Control
and Security of TSCA Confidential Business Information,"
describes procedures to be followed by EPA Contractors and
subcontractors and their employees and describes how such
contractors and subcontractors are given authorization tor access
to TSCA CBI.
Section 14(a)(l) of TSCA permits EPA to authorize a Federal
employee tor access to TSCA CBI when such access is necessary to
perform work in connection with the employee's duties under a
health or environmental protection statute or tor specific law
enforcement purposes.
Most TSCA CBI access occurs at EPA Headquarters, where the
primary storage and use facility for TSCA CBI is the EPA
Confidential Business Information Center (CBIC). If a showing of
need is established, EPA may also authorize CBI access at other
facilities, including EPA Regional Offices, other Federal agency
offices, and contractor facilities. Procedures for handling,
using, and storing TSCA CBI are generally uniform at all
facilities. However, some differences in security procedures are
required at facilities outside of EPA Headquarters (Procedures
tor access at a contractor's site are set forth in the contractor
manual cited above).
Important Terminology
A number of terms are used frequently throughout this
manual. TSCA CBI (also referred to in this manual as CBI) is
information claimed to be business confidential under EPA's
confidentiality regulations at 40 CFR Part 2. TSCA CBI materials
are documents or any other information-bearing media that contain
TSCA CBI. Most CBI materials consist only partially of
confidential information.
Federal employees are persons employed by Federal
agencies. Procedures tor obtaining approval for access to TSCA
CBI for Federal employees are described in Section II. Section V
describes procedures for authorizing other Federal agencies for
-1-
-------�
TSCA CBI Security Manual 7700 .
access to TSCA CBI. Individuals who are authorized for access to
TSCA CBI are listed on the TSCA CBI Authorized Access List. EPA
Employees include employees of other Federal agencies who have
been detailed to EPA and experts and consultants hired by EPA.'
The Director of the Office of Toxic Substances (OTS) has
overall supervisory authority for TSCA activities,including TSCA
security programs. The Information Management Division (IMP)
Director is responsible for day-to-day implementation of TSCA CBI
and security programs, including developing policies for the use
and handling of CBI, operating the EPA Headquarters CBIC, and
supervising the TSCA Security Staff. The TSCA Security Staff is
responsible for security-related activities, including reviewing
security plans, performing security inspections, and processing
forms and records pertaining to requests for TSCA CBI access
authority tor organizations and individuals. •
-. ' An authorizing official is an EPA Division Director or a
supervisor of equivalent authority who nominates a Federal
employee for TSCA CBI access. Authorizing officials'
responsibilities also include ensuring that their employees renew
their CBI access authority yearly, determining when their
employees no longer require access authority, authorizing their
employees to transfer CBI using a courier or express mail, and
initiating or reviewing their employees' reports of violations of
this manual's procedures.
A Document Control Officer (DCO) manages the Document
Tracking System tor the facility at which he or she is employed
and has overview authority for the receipt, storage, and use of
TSCA CBI at his or her facility. DCO responsibilities are
outlined in Section IV. In this manual, the title ."DCO" includes
the-person designated as the DCO as well as other employees who
perform document control functions under the DCO's supervision.
Therefore, it a procedure in this manual requires that a document
be taken to the DCO, the document may be taken to either the
designated DCO or any other employee-working under the DCO's
supervision who has been assigned the responsibility of receiving
documents tor the DCO. in addition, when this manual refers to
an employee's DCO> it means the DCO assigned to the employee's
organization or facility. For example,.each OTS Division has an
assigned DCO who assists Division employees in requesting and
renewing CBI access authorization (Section II) and has other
responsibilities described throughout this manual relating to the
control ot documents in the possession of Division employees.
The OTS DCQ, who is assigned to the Information Management
Division, manages the CBIC, oversees other Headquarters DCOs, and
provides training materials and guidance to all DCOs on
appropriate CBI handling procedures.
Secure storage areas, like the CBIC at EPA Headquarters,
either house the bulk ot an organization's or facility's CBI
tiles, serve as an organization's or facility's primary CBI work
area, or both. Secure storage areas are areas that are secured
-2-
-------�
TSCA CBI Security Manual 7700
11/1/85
from access by persons not authorized for access to TSCA CBI and
in which some of the normal storage requirements of Section II.I
do not apply.
A Document Tracking System is a system for accounting for
the location or disposition of TSCA CBI materials. Materials in
a Document Tracking System are assigned unique numerical
identifiers, or document control numbers, and their locations are
tracked through manual or automated logs, or records of receipt,
usage, and transfer. TSCA CBI materials must always be marked,
at least on the front of the first page and back of the last
page, with a stamp that identifies the materials as TSCA CBI
(Appendix 1), and must be covered with a TSCA CBI cover sheet
(Appendix 2). Users of a TSCA CBI document must sign the cover
sheet once, the first time they read or take possession of
(hereinafter "gain access to") the document.
The remainder of this manual is organized into the
following sections: Authorizing Federal Employees for Access to
TSCA CBI (Section II), Procedures for Using and Safeguarding TSCA
CBI (Section III), DCO Responsibilities (Section IV), Authorizing
Other Agencies for Access to TSCA CBI (Section V), and •
Congressional Access to TSCA CBI (Section VI). In addition,
there are extensive appendices that provide examples of forms and
logs and an index that cross-references activities, procedures,
and responsibilities.
II. AUTHORIZING FEDERAL EMPLOYEES FOR ACCESS TO TSCA CBI
A. Initial Request for Access Authority.
1. Forms and procedures. EPA employees and individual employees
of other Federal Agencies who either perform work for EPA or for
other agencies which have been authorized for TSCA CBI access
pursuant to Section V may request TSCA CBI access authority by
completing EPA Form 7740-6 (TSCA CBI Access Request, Agreement,
and Approval, Appendix 3) and submitting it for approval in the
manner described in the paragraphs that follow.
A Federal employee who requires on-line access to a TSCA
CBI computer system or data base must also complete EPA Form
7740-7 (Request for TSCA CBI Computer Access Approval) (see
Section III (K) and Appendix 4).
These forms, like all others described in this manual, can
be obtained from either the TSCA Security Staff or an EPA form
distribution center.
EPA employees must complete the forms and forward them to
their Division Director or supervisor of equivalent authority
(hereinafter referred to as Division Director). Employees of
other agencies must forward completed forms to their DCO or, if
no DCO is assigned for that agency, to their supervisor, who must
-3- :
-------�
TSCA CBI Security Manual 770°
11/1/85
be at least equivalent in authority to an EPA Division Director,
or to an EPA Division Director it the employee's work is on
behalf of EPA..
To complete EPA Form 7740-6, the Federal employee must
describe why access to TSCA CBI is necessary for the successful
performance of his or her duties under a health or environmental
protection statute or must identity the law enforcement purpose
served by the access. The employee must also identify, by
section of TSCA, the types of confidential information to which
access is needed to perform his or her duties.
An EPA employee's Division Director must review the
completed forms for accuracy and completeness, approve (by
signing line 12 of the general access request form or line 9 of
the computer access request form) or disapprove them, and, if
approving, submit them to the TSCA Security Staff tor its
review. DCOs at other agencies must review the forms for
completeness and accuracy before forwarding them to the
employee's supervisor. The employee's supervisor will review and
approve or disapprove the forms and, it approving, forward them
to the TSCA Security Staff. (This manual will hereinafter refer
to the supervisor who signs an employee's access request form as
the employee's authorizing official.)
After completing their review, the TSCA Security Staff will
submit the forms to the IMD Director for final approval.
2. Security briefing. It final CBI access approval is given,
the TSCA Security Staff will notify the employee's authorizing
otticial that the employee has been approved tor TSCA CBI
access. Before actual access to CBI may commence, the employee
must attend a security briefing and pass a written test on TSCA
CBI security procedures. (However, an employee may be allowed
access to TSCA CBI tor a period of up to 10 days before receiving
word of final approval from the TSCA Security Staff if the
required forms have been completed and submitted to the TSCA
Security Staff, the employee has attended the required security
briefing and passed the written test, and the employee's
authorizing official has determined that immediate access is
necessary.) The TSCA Security Statt will also notify the
authorizing official if final approval is not given.
Authorizing officials must ensure that their employees read
this manual and attend a security briefing. The briefing is in
the form of a slide show with an accompanying cassette tape. A
written test at the end of the briefing covers procedures
described in this manual.
Employees can attend one of the briefings administered on a
regular basis at EPA Headquarters by the TSCA Security Staff. In
addition, copies of the slide show and test can be obtained from
the TSCA Security Staff and administered by DCOs outside of EPA
-4-
-------�
TSCA CBI Security Manual 11/1/85
Headquarters. These DCOs must provide the TSCA Security Staff
with the names ot employees who attend briefings. The DCOs also
must retain a copy of each employee's test and forward the
original to the TSCA Security Staff.
B. Authorized Access List.
1. Contents of the Access List. After Federal employees receive
approval for TSCA CBI access, attend a security briefing, and
pass the required test, their names will be added to the TSCA CBI
Authorized Access List.
The Authorized Access List is used as a reference to
determine whether an individual has TSCA CBI access authorization
(including TSCA CBI computer access) and to determine the type
TSCA CBI (by section ot TSCA) for which access is authorized. At
the EPA Headquarters CBIC, the list is used in conjunction with
an automated Document Tracking System to ensure that only
individuals with TSCA CBI access authority can obtain CBI
materials.
Questions regarding whether a particular employee has TSCA
Cbl access authorization and the scope of such access should be
directed to the TSCA Security Staff.
2. .Monthly review ot the Access List. DCOs (or authorizing
officials in offices without assigned DCOs) are responsible for
reviewing the TSCA CBI Authorized Access List on a monthly basis
to determine whether any names of employees within their
jurisdiction should be added to or deleted from the list (see
subsection C below) or whether any employee's access authority
should be broadened or narrowed (an employee must complete a new
EPA.Form 7740-6 and submit it in the manner described in
subsection A above to request that his or her access authority be
broadened or narrowed).
Authorizing officials are responsible for ensuring that
employees under their supervision complete the forms required to
request the changes needed in the access list and are responsible
tor forwarding the forms to the TSCA Security Staff by the 20th
day of each month. Revised access lists will be distributed to
all DCOs by the fifth day ot the following month.
C. When an Employee No Longer Needs Access.
1. In general. Federal employees must be removed from the TSCA
CBI Authorized Access List under the following circumstances:
o termination of their employment;
o termination of duties requiring access to TSCA CBI; or
-5-
-------�
TSCA CBI Security Manual 770o
11/1/85
o failure to attend the yearly briefing and pass the
written test described in subsection D below.
In addition, if an employee transfers to another branch,
division, or office at which the employee may continue to require
CBI access, his or her former authorizing official must notify
the TSCA Security Staff of the change. The TSCA Security Staff
will notify the employee's new authorizing official, who must
determine whether the employee continues to require CBI access
and must notify the TSCA Security Staff if access is no longer
necessary (see subsection C.2 below) or if the employee's access
authority needs to be broadened or narrowed (see subsection B.2
below).
2. Forms and Procedures. An employee must complete EPA Form
7740-16 (Confidentiality Agreement for United States Employees
Upon Relinquishing TSCA CBI Access Authority, Appendix 5) when
access authority is relinquished or revoked. The employee must
submit the completed form to his or her authorizing official, who
will
o retain a copy of the form;
o send a copy of the form to the facility's DCO; and
o send the original of the form to the TSCA Security
Staff.
Authorizing officials are responsible for ensuring that their
employees complete Form 7740-16 at the time their TSCA CBI access
authority is cancelled.
Upon receipt of a Form 7740-16, the TSCA Security Staff
will remove the employee's name from the TSCA CBI Authorized
Access List, ensure that the employee's DCO has been informed
that the employee is no longer authorized for CBI access, and
direct the Facilities and Support Services Division (FSSD),
Office of Administration, to invalidate the employee's electronic
entry card for EPA Headquarters secure storage areas. In
addition, if the employee has TSCA CBI computer access authority,
the TSCA Security Staff will direct iMD's Data Management Branch
to invalidate the employee's CBI computer user identification
code and password.
Employees who are relinquishing their CBI access authority
are responsible for returning all TSCA CBI documents in their
possession to the appropriate DCO. Employees who are terminating
their employment must return to FSSD any electronic entry cards
for EPA Headquarters facilities that they have been issued. EPA
Headquarters employees who are terminating their employment must
obtain signatures from the OTS DCO, FSSD, and the TSCA Security
Staff on EPA Form 3110-1 when checking out and must return CBI
— 6 —
-------�
TSCA CBI Security Manual 7700
11/1/85
documents and electronic entry cards at that time if they have
not done that previously.
D. Maintaining Access.
1. In general. Federal employees who are approved for TSCA CBI
access must maintain their access authority by annually attending
the security briefing slide show and passing a written test.
Employees who fail to attend this briefing within a year of their
initial approval for access or their last annual briefing will be
removed by the TSCA Security Staff from the TSCA CBI Authorized
Access List and will have their access authority suspended. If
an employee fails to attend an annual security briefing, the TSCA
Security Staff will notify the employee's authorizing official of
the suspension. If the employee fails to attend the briefing
within 30 days of the suspension notice, the authorizing official
is responsible for ensuring that the employee completes Form
7740-16 and follows the other steps outlined in the preceding
subsection.
2. Scheduling the annual briefing. The authorizing official is
responsible for scheduling his or her employees for renewal
security briefings. The briefing and test are prepared and
administered on a regular basis at EPA Headquarters by the TSCA
Security Staff or can be administered by the employees' DCO.
Information regarding renewal dates can be obtained from either
the TSCA Security Staff or the TSCA CBI Authorized Access List.
3. Quarterly briefings. On a quarterly basis, authorizing
officials are responsible for ensuring that their employees who
are authorized for access to TSCA CBI are given an oral briefing
on different aspects of TSCA CBI security procedures.
III. PROCEDURES FOR USING AND SAFEGUARDING TSCA CBI
A. In General.
1. Document Tracking Systems. All documents submitted to EPA
and all those generated by Federal employees (except those
described in subsection E of this section) containing information
claimed to be CBI must be controlled through a Document Tracking
System. That system may be manual or, as at EPA Headquarters,
automated. The Document Tracking System enables the DCO to track
a document's movement from the time that it is written or
received at EPA until the time that it is destroyed or
transferred to another facility or organization.
—7 —
-------�
TSCA CBI Security Manual 7700
11/1/85
DCO responsibilities and procedures for logging CBI
materials into the Document Tracking System are described in
Section IV.
2. CBI cover sheets. Every TSCA CBI document must have a TSCA
CBI cover sheet (Appendix 2) inscribed with the date of document
receipt by the DCO or the date of creation by the author and a
brief description of the document that indicates what type of
TSCA CBI, by section of the Act, is contained in the document.
In addition, it the document is controlled in the Document
Tracking System, the document's cover sheet must be inscribed
with a document control number and the name of the DCO who
assigned the number and entered the document into the system.
The first time an employee gains access to the document, he or
she must write the date and his or her name, employee
identification number, and signature on the cover sheet.
3. CBI Stamp. In addition, the first page and the back of the
last page of the document must be labeled with a stamp that
identifies that the document contains TSCA CBI (Appendix 1). If
the document is a copy or is received from outside the Agency,
the document should be stamped by the DCO. The document's author
applies the stamp in all other cases.
4. DAPSS. The automated Document Tracking System in use at the
Headquarters CBIC, called the Document and Personnel Security
System (DAPSS), utilizes a machine-readable bar code affixed to
each CBI document controlled by the Document Tracking System to
facilitate efficient processing of documents. Bar codes are also
affixed to the electronic card entry identification cards of
employees with TSCA CBI access authorization. These codes enable
the OTS DCO to verify through DAPSS that the employees are
authorized for access to the CBI documents that they request from
the DCO.
B. Procedures for Obtaining CBI from a DCO.
1. In general. Employees may obtain possession of an existing
CBI document through transfer from another employee or from a
DCO. This section describes the proper procedures for obtaining
CBI through a DCO; procedures applicable to the transfer of CBI
between employees are outlined in subsection D below.
2. Requesting CBI from a DCO.
a. In General. Employees who are authorized for access to
TSCA CBI and who wish to obtain CBI materials from the CBIC or
from other centralized CBI storage facilities must do so through
a DCO. The DCO will retrieve the requested documents from the
•8-
-------�
TSCA CBI Security Manual 7700
11/1/85
storage tacility and will log them out to the requestor through
the facility's Document Tracking System, after verifying that the
employee is authorized for access to that type of CBI.
Employees are responsible tor signing the TSCA CBI cover
sheet upon receipt of the document and for safeguarding all CBI
materials in their possession until the materials are logged back
into the storage facilities. Employees must return the CBI
materials to the centralized storage facilities at the end of
each day, unless they have access to individual approved storage
containers or work in secure storage areas (see subsection C
below).
b. Logging out CBI from a DCO. TSCA CBI materials may be
logged out trom the CBIC or trom other centralized CBI storage
facilities for only 90 days, unless the DCO in charge of the
storage tacility grants an extension at the end of the 90 day
period.
DCOs in charge of centralized storage facilities will
periodically review document checkout activity to spot documents
not returned within the 90-day period. DCOs must circulate a
weekly list of any CBI materials that are overdue from the
Document Tracking System. Employees and their authorizing
officials are responsible for returning overdue materials to
their DCO. Documents not returned within 30 days after they
first appear on the overdue notice will be considered to have
been lost on the 30th day (see subsection L below).
3. Receipt of CBI in the mail. TSCA CBI sent by mail should
always be sent to a DCO. If, however, employees receive mail
containing materials labeled as CBI or materials which, though
unlabeled, are believed to be CBI, those materials must be taken
immediately to the facility's DCO tor proper entry into the
Document Tracking System. Once entered, the documents can be
logged out by the DCO like any other CBI documents.
4. TSCA CBI Cover Sheets. Whenever employees first gain access
to a CBI document, whether it is logged out to them or to another
employee, they must enter the date of access, their employee
identification number, and their signature on the document's TSCA
CBI cover sheet. The purpose of the CBI cover sheet is to record
who has had access to the document; it is not intended to record
the chain of custody of the document. Therefore, employees need
only sign tha cover sheet of a document the first time they gain
access to that document.
C. Storage of TSCA CBI Materials.
1. In general. Employees using TSCA CBI are responsible for
ensuring that no unauthorized disclosures of that information
-9-
-------�
TSCA CBI Security Manual 7700
11/1/85
occur. This means that employees must either maintain constant
control over the TSCA CBI documents in their possession (unless
the employees are working in secure storage areas, as described
in subsection C.3 below), return the CBI materials to the DCO, or
store the materials in a TSCA CBI approved storage container.
2. Approved storage containers. TSCA CBI materials must never
be left unattended where persons not authorized for CBI access
might gain access to them. When not in use TSCA CBI materials
must be secured in' approved CBI storage containers. The two
types of containers approved for TSCA CBI storage are:
o metal file cabinets with bar locks and three-way
changeable combination locks; or
o GSA-approved Class 6 security containers.
A safe/cabinet security check sheet (Appendix 6) must be posted
on each CBI storage container, unless the container is located in
a secure storage area, to record the time the container is
opened, locked, and checked at the end of the work day.
If necessary, a storage container may be used by more than
one individual to store TSCA CBI materials, but each individual
must be authorized tor access to the types of CBI to be stored
there. Each person using the cabinet or safe should be assigned
a separate storage space within the cabinet or safe and is
responsible for any TSCA CBI he or she stores there.
3. Secure storage areas. The IMD Director may, as an exception
to the procedures in the subsection C.2 above, authorize the use
ot secure storage areas (e.g., the Headquarters CBIC) when such a
designation is justified by a large volume and high frequency of
daily use ot TSCA CBI in an area of an EPA or other Federal
Agency facility. Secure storage areas must be secured by:
o a pin tumbler lock;
o an intrusion alarm; and
o either an electronic card entry system or a changeable
push-button door lock.
Secure storage areas can be used primarily as a TSCA CBI
work area, as a storage area for TSCA CBI, or both.
The requirement, described in the preceding subsection,
that CBI be stored while not in use, is recommended but not
required in secure storage areas.
The IMD Director will not approve areas proposed for secure
storage until they are inspected and approved by the TSCA
-10-
-------�
TSCA CBI Security Manual 11/1/85
Security Staff. The facility's DCO is responsible for
requesting, in writing, through his or her Division Director, the
IMD Director's approval of a secure storage area and for
arranging an inspection by the TSCA Security Staff. The TSCA
Security Staff will maintain a record of the locations of all
TSCA CBI secure storage areas.
The DCO must designate an employee (usually the DCO or a
DCO employee) who will assume responsibility for the secured
area. The employee's responsibilities include monitoring the
area to ensure that only employees authorized tor that type of
TSCA CBI access have access to it and ensuring that the devices
that secure the area are operating properly. In addition, if the
secure area is a centralized storage area, a DCO must be assigned
to maintain the Document Tracking System for the materials stored
in the area.
4. Lock combinations. A list of all combinations to locks for
containers and rooms in which TSCA CBI is stored at a facility
must be maintained by the facility's DCO. DCOs should obtain and
store combinations for individual storage containers in sealed
envelopes to be opened only in emergencies. FSSD maintains a
list ot combinations tor all locks at EPA Headquarters. In
addition, OTS Division DCOs are responsible for maintaining a
list ot combinations for CBI storage containers and rooms under
their Division's control. The TSCA Security Staff is responsible
tor maintaining a list tor all other containers and rooms in
OTS. DCOs assigned for other EPA Headquarters offices are
responsible tor maintaining, lists for their offices.
C9mbinations may be disclosed only to employees with TSCA
CBI access authorization and a need to review the CBI materials
stored in the containers or rooms.
The DCO must change the combinations to locks at his or her
facility at least once a year and each time a person who knows
the combination no longer requires TSCA access authorization (at
EPA Headquarters, DCOs should direct FSSD to make changes to lock
combinations).
5. Electronic card entry devices. Electronic card entry devices
are often used to secure CBI storage ar.eas. Entry cards may be
issued only to employees with TSCA CBI access authorization for
and a need to review the type ot TSCA CBI materials stored in the
area secured by the electronic card entry system.
Employees must use their cards each time they enter the
secure area, even if they enter the room at the same time as
others, and may not loan their entry cards to other employees to
allow them to gain access to secure storage areas.
It a person who does not have a card or does not have his
-11-
-------�
TSCA CBI Security Manual-- 7700
11/1/85
or her card with him or her needs to enter the secure area, the
employee or DCO in charge ot the area must first determine
whether the individual is authorized for access to that type of
TSCA CBI by referring to the TSCA CBI Authorized Access List. If
the person is authorized for access, the DCO or other employee in
charge ot the area will require the person to sign a Visitors Log
(Appendix 7) and then allow entry.
Persons not authorized tor access to TSCA CBI may gain
entry to a secure area only it they sign the Visitors Log and are
escorted at all times by a person with TSCA CBI access
authorization.
A current copy of the TSCA CBI Authorized Access List
should be stored near the door ot every secure storage area by
the DCO or other employee in charge of the area.
D. Procedures for Transferring Custody of CBI.
1. in general. Before any transfer is initiated, the transferor
ot a CBI document must verity that the intended recipient is
authorized for access to that type of CBI by referring, if
necessary, to the TSCA CBI Authorized Access List.
2. Transfer within a facility. Custody of CBI may be
transferred from one employee authorized tor TSCA CBI access to
another within the same facility only by means of direct hand
delivery or through a DCO. There must be a record (i.e., a
Document Tracking System log entry or loan receipt) indicating
that the transfer was completed.
It hand delivery is used, the CBI materials must be given
directly to the recipient. Inter-office mail must never be used
for such transfers. CBI materials must not be left unattended in
an in-box or on the recipient's desk. Transferors must obtain
signed loan receipts (Appendix 8) from recipients and must retain
them until the documents are returned to their possession. The
hand delivery/loan receipt transfer method may be used only for
short-term CBI transfers.
It the transferee intends to retain the CBI for more than a
month or intends to, in turn, transfer it to a third person, the
transfer must be made through the DCO who will log the documents
in from the transferor and out to the recipient (see Section IV
tor DCO logging procedures).
Transfers of CBI materials between a DCO and individuals
supervised by the DCO in a centralized storage area are exempt
from this subsection's document transfer logging and loan receipt
requirements. However, transfers between DCOs for different
organizations within the same facility, e.g., transfers from the
-12-
-------�
TSCA CBI Security Manual 7700
11/1/85
OTS DCO to an OTS Division DCO, must be recorded in the Document
Tracking System.
3. Transfer of CBI to individuals at other facilities.
a. In general. TSCA CBI materials destined for persons
authorized tor access to that CBI who are located outside of the
facility in which the materials are stored (including the
submitter that claimed them as confidential) may be transferred:
o through hand-carrying by an employee who is authorized
tor CBI access;
o through registered mail, return receipt requested; or
o through a courier or U.S. Postal Service Express Mail.
b. Double-wrapping of CBI materials. Regardless of which
transfer method is used, the materials being transferred must be
double-wrapped. The inner wrapping must be labelled with the
transferee's name and the statement "TSCA Confidential Business
Information -- To Be Opened by Addressee Only." The outer
wrapping must be labelled only with the name ana address of the
recipient and the return address of the transferor; nothing on
the outer wrapping should indicate that the package contains TSCA
CBI.
c. Hand-carrying CBI. It the CBI material is to be hand-
carried by a person authorized for CBI access, it must be
protected at all times in accordance with the procedures
described in subsection I below.
d. Mailing CBI. If the CBI material is to be mailed, it
must be sent through the employee's DCO (except that OTS
employees must mail all CBI materials to contractors through the
OTS DCO rather than through Division DCOs) via registered mail,
return receipt requested. Regular first class mail must never be
used by Federal employees to transfer TSCA CBI. •
e. Courier service. With the approval of an employee's
authorizing official, CBI may also be transferred using a courier
service or the U.S. Postal Service Express Mail. These services
may only be used when time is of the essence, because, unlike
registered mail, they do not require each person who handles the
package to sign for it as it changes hands.
If a courier service or Express Mail is used, materials
must be sent through the transferor's DCO. That DCO must obtain
a receipt from the courier employee who picks up the package.
The transferor DCO must also enclose a return receipt with the
package for the receiving DCO to sign, date, and send back to the
transferor, verifying receipt.
-13-
-------�
TSCA CBI Security Manual . 7700
11/1/85
E. Creating New CBI Documents and Personal Working Papers.
1. New CBI documents. Documents and other materials produced by
Federal employees using TSCA CBI documents are frequently CBI
themselves. It a newly created document is CBI, the document's
author must stamp it as CBI, cover it with a TSCA CBI cover
sheet, and take it to the DCO to be logged into the Document
Tracking System at the employee's facility (exceptions to the
logging requirement are described in part E.2 of this
subsection). The DCO will assign the CBI document a document
control number and either log it out or retain it for storage.
2. Personal working papers.
a. In general. There is a limited exception from logging
procedures for personal working papers which remain in the
possession and control of the author. The category of personal
working papers includes materials such as:
o notes;
o outlines; and
o initial drafts of documents.
It a personal working paper leaves the originator's
possession and control, it must be assigned a document control
number and must be logged into the Document Tracking System as
would any other CBI document (but see part E.2 of this subsection
for secretarial procedures).
Therefore, if an employee drafts an outline of a document
and wishes to temporarily transfer it to someone else at the
employees' facility for review, the document must be logged into
the Document Tracking System. The employee can do this by taking
the document to his or her Division or facility DCO, having a
document control number assigned and the document logged into a
manual or automated tracking system, and transferring the
document via loan receipt (see subsection D above) to the person
who is to review it.
b. Use in meetings. The author of a CBI document may
circulate copies ot the document at a meeting without logging the
document into the Document Tracking System if the author:
o attends the meeting and is present when the document is
discussed;
o collects all copies of the document at the end of the
meeting; and
o submits all copies of the document for destruction
after the meeting.
-14-
-------�
TSCA CBI Security Manual 7700
11/1/85
The document author must number the copies (i.e., 1 of 6, 2 of 6,
etc.) before handing them out at the meeting and check to make
sure that all copies are returned at the end of the meeting. All
other procedures in subsection H below for meeting must be
followed when personal working paper documents are circulated at
a meeting.
c. Storage. Personal working papers must be stored
securely, stamped as TSCA CBI, covered with a TSCA CBI cover
sheet, and otherwise used, stored, and handled like any other CBI
document (except that they need not be logged into the Document
Tracking System if the criteria outlined in subsection E.2.a.
above are met).
d. Transfer of CBI documents for typing. The author of a
CBI document may provide the document to a typist who is within
the author's division or equivalent office and authorized for
access to that CBI, without logging it into the Document Tracking
System. The typist must return to the author the typed materials
and the draft being typed from when typing is completed.
However, CBI materials must be logged into the Document Tracking
System it they are to be transferred by the typist to anyone
other than the author or if the materials are sent by the author
to a typing service for typing. The document author should keep
a record of transfers to typists until all the CBI materials that
are transferred are returned.
All the materials used in typing documents containing TSCA
CBI, including word processing disks, ribbons, carbons, and waste
paper, must also be treated as CBI and must be stored in the
manner described in subsection C when not in use.
3. Creating non-CBI documents. Some materials produced using
TSCA CBI are not contidential. Non-confidential documents are
produced if (1) the CBI is either not included in a new document
or is deleted from an existing document, (2) the CBI used is
masked or aggregated (i.e., replacing the CBI in a document with
non-CBI data or descriptive terms. The data or terms are derived
from CBI data but are not themselves CBI), or (3) either a
submitter drops its claim of confidentiality for the information
in the document or EPA determines that the claim is not valid.
In all instances, the author of the document is responsible for
ensuring that it contains no CBI. Materials produced using CBI
materials must be treated as CBI until determined not to be so by
their author.
The IMD Director must be consulted in advance by any
authors who wish to produce a non-confidential document by
masking or aggregating CBI. The IMD Director must review all
applications of masking and aggregating techniques to ensure that
appropriate techniques have been used.
-15-
-------�
TSCA CBI Security Manual •• 7700
11/1/85
If a submitter drops its claim, either the document author
or his or her DCO must obtain a written statement from the
submitter that the claim has been dropped before the information
can be released to the public.
To determine that a claim is not valid, EPA's Office of
General Counsel, or an EPA Regional Counsel, where appropriate,
must render a final confidentiality determination pursuant to 40
CFR $2.205, which is made applicable to TSCA by §2.306. That.
determination is made based on a review of the submitter's
responses to substantiation questions covering the topics
described in §2.204. Letters requesting submitters to
substantiate a claim ot confidentiality can be sent by any EPA
employee, but are usually sent by IMD for TSCA CBI in OTS.
Responses to substantiation questions must be forwarded to the
EPA General Counsel, or an EPA Regional Counsel, as appropriate.
It a final determination is rendered denying a claim, the
information may not be released for thirty days, during which
time the submitter may challenge EPA's determination in a Federal
District Court.
4. Declassifying CBI materials. To declassify CBI materials, an
employee must take the materials to his or her DCO and present
the DCO with evidence indicating that the materials either are no
longer confidential or contain no CBI. For example, if CBI
claims tor the materials have been withdrawn by the submitter,
the employee should present the DCO with the submitter's written
relinquishment of the claims. If an employee has determined
after studying a document that it contains no CBI, the employee
must explain to the DCO why it contains no CBI. Disputes about
whether a document contains TSCA CBI should be brought to the
Chief of IMD's Confidential Data Branch for resolution.
After being presented with evidence that a document
contains no CBI, the DCO must cross out all CBI markings on the
document and remove the document's cover sheet. The DCO must
then inscribe the document and cover sheet with the statement
"Contains no TSCA CBI," and sign and date them. In addition, the
DCO must log the document out of the Document Tracking System
with a message in the document's Inventory Log entry disposition
box (see Section IV.D) that the document contains no CBI.
F. Reproduction ot TSCA CBI Materials.
1. in general. Copying of TSCA CBI materials should be limited
to the maximum extent possible. TSCA CBI materials may be
reproduced only at copying machines located in:
o secure storage facilities; or
-16-
-------�
TSCA CBI Security Manual 7700
11/1/85
o non-secure locations approved for CBI duplication by
the TSCA Security Staft.
Secure storage areas are secured by a pin tumbler lock, an
intrusion alarm, and either an electronic card entry system or a
changeable push-button door lock (see subsection C above). DCOs
are responsible for obtaining the TSCA Security Staff's approval
ot any non-secure CBI reproduction locations at the DCO's
facilities.
2. DCO's role. CBI materials may be reproduced only by a DCO or
under a DCO's supervision. Employees should present the
materials they need reproduced to the DCO or to an individual
authorized by the DCO to reproduce CBI materials.
3. Control of copies. All copies of a TSCA CBI document must be
stamped by the DCO as TSCA CBI and covered with a new TSCA CBI
cover sheet. The cover sheet on the original must not be copied
for use with the copy.
Copies must be logged into the Document Tracking System and
must be assigned either unique document control numbers or copy
numbers (e.g., the copy should be marked with the same document
control number as the original and a copy number, e.g., 1 of 3, 2
ot 3, 3 of 3, etc.), except for those materials that fall into
the personal working papers exception described in subsection E
above for use in a meeting.
When copies of documents are to be given to other
employees, either (1) the copies should be logged out
individually through the DCO directly to the recipients, or (2)
all ot the copies should be logged out to the originator and lent
by him or her under the loan receipt procedures described in
subsection D above. Excess or unusable copies must be destroyed
by the DCO (see subsection G below).
4. Broken machines. It all machines in locations approved for
duplicating CBI materials are inoperable, the facility's DCO may
authorize the use ot other machines for duplicating CBI
materials. However, a machine must be dedicated solely to CBI
document reproduction while CBI documents are being copied, and
the DCO or the person assigned by the DCO must directly supervise
the machine while the CBI materials are being duplicated. Only
persons authorized for TSCA CBI access may be present while CBI
materials are being reproduced. After copying is finished, the
operator must pass three blank copies through the machine to
ensure that any impressions on the image surfaces of the machine
have been erased.
If the machine in a non-secure location malfunctions while
TSCA CBI materials are being copied, the facility's DCO must
-17-
-------�
TSCA CBI Security Manual . , . . ,. 7700
11/1/85
ensure that either the machine is directly supervised by a person
authorized for TSCA CBI access until it is repaired or that a
person authorized for access to CBI inspects the machine's paper
path and image surfaces to retrieve any materials containing TSCA
CBI that are caught in the machine.
G. Destruction of TSCA CBI Materials.
1. In general. TSCA CBI materials in the possession of a
Federal employee may be destroyed only under the supervision of a
OCO. The procedures in this section for destruction of CBI
materials apply to all materials containing TSCA CBI, including
handwritten notes, personal working papers, draft documents,
telephone records, typewriter ribbons, computer printouts,
diskettes, microfiche, and any other CBI materials, whether or
not logged into the Document Tracking System. Federal employees
wishing to have CBI materials destroyed must take them to the DCO
responsible for tracking those materials.
2. Destruction method. CBI materials such as papers, documents,
or printouts must be shredded. All other materials, including
microfiche and typewriter ribbons, must be burned. EPA Regional
or field office DCOs may send microfiche or typewriter ribbons to
EPA Headquarters for destruction if the facility's DCO logs the
materials out of the Document Tracking System before sending the
materials. Materials must be sent to the OTS DCO, attention TSCA
Security Staff, for destruction.
3. Documenting destruction. The destruction of TSCA CBI
materials logged into the Document Tracking System must be
documented by DCOs in a Destruction Log (Appendix 9). This log
is essential to the DCO for performing document inventories (see
Section IV).
TSCA CBI cover sheets taken from materials being destroyed
must be inscribed by the DCO with (1) the destruction date, (2)
the location at which the document is destroyed, and (3) the
DCO's name. The cover sheets must then be placed in the
appropriate file for storage (e.g., at EPA Headquarters a cover
sheet should be placed in the CBIC file for that document). TSCA
CBI cover sheets from destroyed documents must not be destroyed
themselves; they must be retained for audit purposes.
H. Meetings at Which TSCA CBI is Discussed.
1. Meeting sign-in sheets. When TSCA CBI is discussed at
meetings, the meeting chairperson must provide a sign-in sheet
(Appendix 10) to record the meeting (1) date, (2) time, (3)
place, (4) chairperson, and (5) subject. All persons attending
the meeting must sign this sheet.
-18-
-------�
TSCA CBI Security Manual 7700
11/1/85
After the meeting, the chairperson must give the sign-in
sheet to his or her DCO, who will file it in the appropriate EPA
decision record file (e.g., sign-in sheets for a meeting at EPA
headquarters at which CBI from a Section 5 notice is discussed
would be filed in the materials maintained for that notice in the
CBIC).
2. Meeting chairperson's duties. The meeting chairperson is
usually the person who schedules and organizes a meeting. If a
chairperson has not previously been identified, one must be
selected at the beginning of the meeting.
The chairperson is responsible for ensuring (by referring,
it necessary, to the TSCA CBI Authorized Access List) that only
persons authorized for access to the type of TSCA CBI to be
discussed at the meeting are in attendance when the discussion
involving CBI commences.
The chairperson must also ensure that the meeting
secured after the meeting. This includes cleaning all
chalkboards, taking any unneeded CBI materials to the D<
destruction, and ensuring that nothing is left in the r(
could lead to the unauthorized disclosure of TSCA CBI.
3. Notes or recordings. The meeting chairperson must remind
those in attendance of their duty to treat as confidential any
notes or recordings taken at the meeting until the CBI status of
the materials can be determined pursuant to the procedures in
subsection E above.
Pursuant to the personal working papers policy described in
subsection E, notes taken during a meeting that contain TSCA CBI
must be protected as CBI but need not be logged into the Document
Tracking System if they are retained by the note-taker. However,
if the note-taker wishes to transfer possession of the notes to
someone else, the notes must first be assigned a document control
number and be logged into the Document Tracking System.
Meetings may be tape recorded only with the permission of
the chairperson. Such recordings may contain CBI and must be
treated like any other CBI materials.
4. Meeting defined. For purposes ot this subsection, meetings
are scheduled gatherings of two or more people at which TSCA CBI
is discussed. This does not include informal discussions during
which CBI is mentioned, such as between a supervisor and an
employee or between two employees working on a matter concerning
that CBI. However, if CBI is to be discussed, use of these
procedures is encouraged no matter how informal the discussion.
-19-
-------�
TSCA CBI Security Manual 7700
11/1/85
I. Traveling with TSCA CBI.
1. In general. Federal employees who are authorized for TSCA
CBI access may travel with CBI materials in their possession. In
Addition, with the permission of their immediate supervisor,
employees travelling with TSCA CBI may take CBI materials home
with them prior to or after a trip only if it would be
impractical to return to work to pick up the materials before
departure or to drop them off after return.
2. CBI handling procedures. It a traveller intends to transfer
possession of the TSCA CBI materials which he or she is carrying,
before the trip the CBI materials must be double-wrapped by the
employee's DCO, in the manner described in subsection D above,
and logged out to the traveller from the Document Tracking
System. The materials should not be unwrapped until the
traveler's destination is reached, at which time they must
immediately be taken to the DCO and logged into that location's
Document Tracking System it the materials are being transferred
to someone at that location. If the employee does not transfer
possession of the CBI materials, for example if theya re being
brought for use in a meeting, they need not be double-wrapped.
However, the traveller must maintain the materials within his or
her constant possession or control.
Even it the traveler does not intend to transfer possession
ot the CBI materials, he or she may temporarily store the
materials with the DCO at the location he or she is visiting.
3. Control and storage of CBI. While traveling by plane or
other public conveyance, employees must keep the TSCA CBI
materials in their possession, and they may not check them with
their luggage.
When employees travel with CBI materials (including
chemical samples) and are unable to deliver or ship the CBI
materials to a facility authorized for TSCA CBI access, they may
store the materials tor short periods, but never overnight,
inside a locked trunk of a motor vehicle. TSCA CBI materials may
be stored overnight in hotel safes, if a receipt is obtained from
the hotel management, or otherwise must be kept in the possession
ot the traveler.
j. Telephone Calls During Which TSCA CBI is Discussed.
1. Calls with other individuals authorized for TSCA CBI
access. Federal employees with TSCA CBI access authority may
discuss CBI on the telephone with other individuals (Federal
employees or employees of Contractors) who are authorized for
access to that type ot TSCA CBI. Both parties to a telephone
call are responsible for verifying, by using the TSCA CBI
-20-
-------�
TSCA CBI Security Manual 7700
11/1/85
Authorized Access List if needed, that the other is authorized
tor access to such TSCA CBI. The individual who initiates a
discussion that includes TSCA CBI must indicate that the
conversation involves CBI.
2. Calls with submitters. With the permission of the submitter,
Federal employees who are authorized tor TSCA CBI access may
discuss CBI on the telephone with a submitter. The Federal
employee must:
o verify the identity of the submitter employee to whom
he or she is speaking;
o inform the submitter that the telephone lines are not
secured;
o assure the submitter that discussion of CBI with a
Federal employee on the telephone does not constitute a
waiver of any claim of confidentiality; and
o inform the submitter that any further information
provided in the telephone conversation can be claimed
as confidential.
Care must be taken to discuss CBI from a submission only with
submitter employees named in the submission or others identified
by the submission's signatory.
3. Telephone logs. Employees must keep telephone logs of all
telephone calls with individuals located outside their facilities
during which TSCA CBI is discussed (Appendix 11). Telephone logs
must be logged into the Document Tracking System. All
Headquarters telephone logs relating to individual TSCA section 5
notices must be filed in the CBIC's official file for those
not ices.
K. Computer Security.
1. In general. Mainframe computers used for processing TSCA CBI
must be dedicated solely to TSCA CBI data. Passwords or other
security devices may not be relied on to segregate the system
into confidential and non-confidential portions.
In addition, mainframe computers may be used tor processing
TSCA CBI only if their specifications are reviewed and the
computer site is inspected by the TSCA Security Staff and
approved by the IMP Director. Requests for approval must be made
in writing to the IMD Director.
Federal employees may use TSCA CBI on a personal computer
(PC), subject to the restrictions in part K.2 of this
-21-
-------�
TSCA CBI Security Manual 7700
11/1/85
subsection. Employees need not obtain TSCA CBI Computer access
authorization to use CBI on a PC. TSCA CBI Computer access
authorization (see Section II) is required only by employees
needing on-line access to a dedicated CBI mainframe computer.
On-line access is access that gives the individual the ability to
read, change, manipulate, or obtain data from the CBI data base
or program a computer that houses TSCA CBI.
All Federal employees who are authorized for access to TSCA
CBI may use printouts from a CBI computer and may view a computer
screen that contains CBI. Procedures for obtaining printouts and
determining whether they contain CBI are described in subsection
K.3.
2. Safeguarding TSCA CBI during PC use.
a. In general. While using TSCA CBI on a PC in an
unsecured area, the PC operator must retain exclusive control
over the operation of the computer and printer and must ensure
that only individuals authorized for access to that type of TSCA
CBI can view the PC's screen. If the PC operator must leave the
PC for any reason, the computer session must be terminated.
b. PC storage media. TSCA CBI data used on a PC can be
stored on either floppy disks or detachable hard disks. Floppy
disks are preferable. Green floppy disks for CBI storage can be
obtained from IMD's Data Management Branch. Floppy disks and
detachable hard disks containing TSCA CBI must be removed from
the PC after each session, unless the PC is located in a secured
storage area, and stored like any other CBI materials (see
storage procedures in subsection C above).
Disks which are no longer needed or which are damaged must
be transferred by a PC operator to his or her DCO for destruction
(see destruction procedures in subsection G above).
The use of a fixed hard disk in a PC for processing of TSCA
CBI is not recommended unless the PC is located in a secured
storage area. However, if one must be used in an unsecured area,
it must be erased with a utility program disk at the end of each
session, and the erasure must be verified by the PC operator.
c. Terminating a CBI PC session. Proper termination of a
PC session involving TSCA CBI consists of the following steps:
o transferring and verifying the transfer of the CBI data
to the storage medium (floppy or detachable hard disk);
o removing the storage medium from the PC;
-22-
-------�
TSCA CBI Security Manual 7700
11/1/85
o erasing the PC's internal memory with a utility program
disk; and
o turning off the PC.
d. Use of a PC printer. If TSCA CBI is printed on a PC
printer, the printed material and the printer's ribbon must be
treated as TSCA CBI and stored in an approved CBI storage
container when not in use (see subsection C above).
3. Obtaining and Using Computer Printouts. Information from
the EPA Headquarters TSCA CBI computer can be requested and
obtained from the CBIC, which is supervised by the OTS DCO. CBI
computer printers (except PC printers) at other locations must be
supervised by the facility's DCO. All printouts and any
information obtained from a computer screen and written down must
be logged out through the facility's DCO.
All printouts from a TSCA CBI mainframe computer or CBI
printouts from a PC must be printed on TSCA CBI computer paper,
obtainable from IMD's Data Management Branch.
Because not all data on a CBI computer is CBI, an employee
who obtains a printout from the TSCA CBI computer must first
determine, in the DCO's presence, whether the printout contains
CBI. Printout from a CBI computer must be assumed to be CBI
unless they are determined not to be.
o If a printout contains CBI, it must be immediately
logged by the DCO into the Document Tracking System,
stamped as TSCA CBI, assigned a document control
number, covered with a TSCA CBI cover sheet, and be
treated like any other CBI document.
o If a printout contains no CBI, the employee must
certify that fact by signing and dating the front page
of the printout and must notify the DCO of that fact.
o If a printout is initially thought by the employee to
contain CBI and is logged into the Document Tracking
System, but is later determined not to contain CBI, the
employee must sign and date the front page of the
printout, initial and remove the TSCA CBI cover sheet
(noting on it that the printout is being declassified),
and notify the DCO and return the cover sheet thereto,
so that the Document Tracking System can be updated.
L. Violations of Procedures, Lost Documents, and
Unauthorized Disclosures.
1. In General. The procedures described in this manual are
designed to secure TSCA CBI from unauthorized public
-23-
-------�
TSCA CBI Security Manual 7700
11/1/85
disclosure. Therefore, it is imperative that the IMP Director be
notified any time these procedures may have been breached. The
IMD Director must notify a business whenever he or she:
o cannot account for materials submitted by that business
which have been claimed as CBI under TSCA; or
o has reason to believe that information claimed as CBI
by the business has been disclosed to individuals not
authorized for access to it.
In addition, the IMD Director will enforce the procedures in this
manual by employing the administrative penalties set forth in
Appendix 12 when necessary, even if a breach of procedures does
not result in the loss or unauthorized disclosure of TSCA CBI
materials.
All employees who are authorized for TSCA CBI access are
responsible for reporting (1) possible violations, (2) the loss
of TSCA CBI materials, or (3) any unauthorized disclosure of CBI
materials to their Division Director, who will notify the IMD
Director. The IMD Director is responsible for investigating the
report and determining the appropriate action to take.
This section describes procedures for notifying the IMD
Director when a possible breach of procedures, loss of CBI, or
unauthorized disclosure of CBI has occurred and outlines the
actions to be taken by the IMD Director when he or she is so
notified.
The procedures in this section apply to all TSCA CBI
materials, including personal working papers (see subsection E.2
above).
2. Notifying the IMD Director. Employees who believe that:
o a possible violation of the procedures set forth in
this manual or an EPA^approved contractor security plan
has occurred,
o TSCA CBI materials have been lost or misplaced, or
o someone not authorized access to TSCA CBI has had
access to such CBI
must provide oral notice to their Division Director or supervisor
of equivalent authority within one working day of the discovery,
followed by a written report no later than the end of the second
working day.
The written report must describe the possible violation of
procedures or unauthorized disclosure of CBI or identify the
materials believed lost or misplaced. It must also include a
-24-
-------�
TSCA CBI Security Manual
11/1/85
description of any relevant circumstances known by the employee.
The employee or his or her supervisor may examine files and
discuss the matter with other individuals to try to determine
what occurred. However, detailed investigations, including
interviews and reviews of logs, are to be performed only by the
TSCA Security Staff after receiving an investigation request from
the IMD Director. If the TSCA Security Staff's investigation
reveals any evidence of a knowing and willful unauthorized
disclosure of TSCA CBI, the matter must be immediately
transferred to the EPA Office of Inspector General.
Unless he or she concludes that the report is incorrect and
that no violation of procedures, loss of CBI, or unauthorized
disclosure took place, the Division Director must forward the
written report, within two working days of receiving it, to the
IMD Director, together with any relevant additional comments or
information. The IMD Director will review the matter and may
request the TSCA Security Staff to investigate it.
3. Unaccounted for CBI Materials. If a CBI document reported as
lost or misplaced in the written report cannot be accounted for
by the IMD Director and the TSCA Security Staff within four
working days after the IMD Director receives the written report
described in subsection L.2 above, the IMD Director must give the
affected business written notice that identifies the lost or
misplaced document and states the date it was discovered to be
lost or misplaced.
4. Unauthorized disclosure of CBI materials. After investigat-
ing a written report under subsection L.2 above to determine
whether an unauthorized disclosure (i.e., a disclosure of CBI to
someone not authorized for access to it) has taken place, the IMD
Director will either:
o conclude that it is unlikely that any disclosure took
place and give the affected business no notice; or
o determine that an unauthorized disclosure may have
taken place, upon which determination the IMD Director
must provide the affected business written notice
within two working days of making that determination,
but no later than four days after receiving the written
report described in subsection L.2.
Written notice to the affected business must contain a
description of the TSCA CBI that may have been disclosed and the
date of the disclosure.
5. Violations of this manual's procedures. The IMD Director
will investigate any alleged violation of this manual's
-25-
-------�
TSCA CBI Security Manual
7700
11/1/85
procedures, even if there is no evidence in a written report,
under subsection L.2, of a lost document or unauthorized
disclosure. The IMD Director will (1) direct the TSCA Security
Staff to investigate the reported violation, (2) determine what
administrative penalties, if any, are appropriate (see guidelines
in Appendix 12), and (3) notify the supervisors of affected
employees of recommended sanctions. Supervisors are responsible
for imposing sanctions. The IMD Director will also confer with
supervisors to identify document handling or CBI use or storage
procedures that can be implemented to prevent the recurrence of
violations.
IV. Document Control Officer Responsibilities.
A. In General. Document Control Officers (DCOs) manage
their facilities' Document Tracking Systems and oversee the
receipt, storage, and use of TSCA CBI by employees in their
facilities. This section outlines the responsibilities of
DCOs. All facilities that are authorized for access to TSCA CBI
are required to have a DCO (see Section V).
B. Assigning DCOs. DCOs must be nominated, in writing, by
either an authorizing official or the individual in charge of the
facility to which TSCA CBI is to be transferred. The nomination
must be approved by the IMD Director.
All facilities that are authorized to receive TSCA CBI must
have an approved and trained DCO before TSCA CBI can be
transferred to that facility. The OTS DCO is responsible for
providing training materials and guidance on appropriate document
handling procedures to all DCOs.
C. When DCOs Relinquish DCO Responsibilities. Whenever
DCOs at Regional EPA offices or at other agencies terminate their
employment or relinquish their DCO responsibilities, an inventory
of CBI materials within the departing DCO's jurisdiction must be
performed, pursuant to the guidelines outlined in subsection E
below, and the results must be forwarded to the TSCA Security
Staff within thirty days of the DCO's departure. The procedures
of Section III.L must be followed if there are any TSCA CBI
materials that cannot be accounted for.
D. Document Tracking Systems.
1. In general. The Document Tracking System is the system which
is used to record and monitor the location of TSCA CBI
materials. As the official assigned to oversee the operation of
-26-
-------�
TSCA CBI Security Manual 7700
11/1/85
his or her facility's Document Tracking System, the DCO must
ensure that:
o all manual or automated logs are properly maintained
and updated and stored securely;
o document control numbers are assigned to those
documents requiring them; and
o the proper procedures for the use of CBI materials are
closely followed.
Other DCO responsibilities are described below.
2. Receipt of CBI materials. All TSCA CBI materials sent
through the mail or by courier must be addressed to and received
by the DCO. CBI materials hand carried to a facility or
generated by employees at the facility must be taken immediately
to the DCO (except in Section III.E above). The DCO should
maintain a manual or automated Receipt Log (Appendix 13) that
records:
o the document's document control number or copy number
assigned by an EPA, Contractor, or other Federal agency
DCO (if a document has already been assigned a document
control number, that number should be used);
o the date on which the document was received or
generated;
o the source of the document (e.g., submitter's name if
received directly from the submitter, the author's name
it it is a document generated by a Federal or
Contractor employee, or the sending DCO's name it it is
a document received from another facility authorized
tor CBI access); and
o a brief description of the document (e.g., "an
engineering report on PMN-Y" or "letter from company X
on PMN-W").
Before logging new CBI materials into the Receipt Log, the DCO
must review all such materials received to determine whether they
appear complete:
o If they do not appear complete, the DCO should
immediately contact the submitter to determine whether
there is an omission.
o If the materials do appear to be complete, the DCO must
stamp the document as TSCA CBI (Appendix 1) on at least
the first page and the back of the last page, assign it
a document control number, complete a TSCA CBI cover
sheet (Appendix 2), and attach it to the front of the
-27-
-------�
TSCA CBI Security Manual 7700
11/1/85
document. The DCO must write the document control
number on both the cover sheet and the first page of
the document.
Users of the document must sign and date the cover sheet the
first time they have access to the document.
3. Storage of CBI materials. DCOs are responsible for
monitoring the implementation of the document storage procedures
of Section III.C by employees at their facilities.
CBI materials at a facility are kept in storage containers
or in a centralized secure storage area (e.g., the CBIC at EPA
Headquarters) under the supervision of the DCO, except where
necessity requires the assignment of secure storage containers to
individual employees.
The DCO must maintain a record of all combinations used for
locks for rooms and containers in which TSCA CBI materials are
stored at the DCO's facility. The DCO must change the
combinations annually or any time a person who knows a
combination relinquishes his or her TSCA CBI access authority.
4. Use of CBI materials.
a. Providing CBI to Federal employees. TSCA CBI materials
are obtained by a Federal employee from his or her DCO as
follows:
o the employee will request a specific document;
o the DCO will locate it in the DCO's CBI storage files
or obtain it from another Federal agency DCO or
employee, a contractor, or a submitter; and
o after verifying that the requesting employee is
authorized for access to the document, the DCO will log
the document out to the employee using an automated or
manual Inventory Log (Appendix 14).
b. The Inventory Log. The Inventory Log is the record of
all transactions involving TSCA CBI documents that are logged
into the Document Tracking System. The Inventory Log contains
entries for:
o the document control number;
o the dates on which it is being checked out from the DCO
and returned;
o the identity of the individual checking it out; and
-28-
-------�
TSCA CBI Security Manual 7700
11/1/85
o the disposition of the document, whether it is being
transferred outside the DCO's jurisdiction or
destroyed.
If the document is being transferred outside the DCO's
jurisdiction by the requesting employee, the Inventory Log
disposition book entry must include the date and destination of
the transfer.
If the document is being destroyed, the entry in the
disposition block of the log must include the date of destruction
and the identity of the individual destroying it.
When a manual logging system is used, the document log-in
and log-out dates must also be marked on the appropriate lines on
the TSCA CBI cover sheet. This will assist the DCO in locating
the correct entry in the Inventory Log. Each time a document is
logged out or in, new dates should be placed by the DCO on the
line below the previous "out" and "in" entries on the cover
sheet.
c. Checking out CBI documents from the DCO. TSCA CBI
materials may not be checked out from a centralized CBI storage
facility for more than 90 days, unless the DCO in charge of the
storage facility grants an extensions at the end of the initial
90-day period.
DCOs in charge of centralized storage facilities must
periodically monitor the Inventory log to identify any CBI
materials not subject to an extension that have not been returned
within the 90-day period. The DCO is responsible for identifying
materials that are overdue and for notifying the responsible
employees and their supervisors by circulating a weekly list of
overdue materials.
Employees are responsible for returning the overdue
materials to the DCO. If materials on the weekly list have not
been returned to the DCO within 30 days after they first appear
on the list, the materials will be presumed to have been lost or
misplaced and the DCO must notify his or her Division Director,
pursuant to the procedures in Section III.L.
d. Determining whether documents contain CBI. DCOs assist
employees in determining whether documents contain CBI and in
sanitizing CBI documents by deleting CBI from them when a
document is needed for public disclosure. Although the ultimate
responsibility for determining whether documents contain CBI
rests with the document's author (see Section III.E), DCOs should
assist document authors in making the determination and instruct
them on the mechanics of creating a sanitized version of a CBI
document. Employees who are unable to determine whether
something is confidential should first consult with their
supervisor and, if the issue cannot be resolved by their
supervisor, with the IMD Director.
-29-
-------�
TSCA CBI Security Manual 7700
11/1/85
5. Reproduction and destruction of CBI materials. The DCO is
responsible for controlling and documenting the reproduction and
destruction of CBI materials. Specific procedures for
reproduction and destruction are set forth in Sections III.F and
III.G. Copies of documents must be (1) assigned unique document
control numbers, (2) logged into the Receipt Log, and (3) checked
out using the Inventory Log (unless the copies are personal
working papers, pursuant to Section III.E).
Destruction of a CBI document must be recorded by the DCO
on the appropriate entry of the Inventory Log, on the document's
TSCA CBI cover sheet, and in the DCO's CBI Destruction Log
(Appendix 9). The DCO must remove the TSCA CBI cover sheet from
the document, mark it with the destruction date and his or her
name, and store it with related materials, such as a PMN file at
EPA Headquarters.
TSCA CBI materials can be reproduced or destroyed only by
the DCO or someone assigned to the task and supervised by the
DCO. Except when deemed necessary by the DCO, TSCA CBI materials
may be reproduced only with photocopying machines located in CBI
secure areas or in locations approved by the TSCA Security Staff
for duplicating TSCA CBI (see section III.F). Hardcopy TSCA CBI
materials must be shredded. Other forms of TSCA CBI materials
must be burned (see section III.G).
6. Transfer of CBI materials outside a DCO's facility. TSCA CBI
materials transferred to individuals outside a DCO's facility
must be transferred through the DCO.
If the document being sent is an existing CBI document
already recorded in the Document Tracking System and is in the
possession of an employee, the document must first be returned to
the DCO. The DCO must mark the return date on the cover sheet
and fill in the disposition box in the appropriate entry in the
Inventory Log with the date the document is being sent and the
identity of the recipient.
If a new CBI document not yet recorded in the Document
Tracking System is being transferred to someone outside the
author's facility, the author must first stamp it as CBI and
cover it with a TSCA CBI Cover Sheet. The author must then take
it to his or her DCO who must (1) log it into the Receipt Log,
(2) assign it a document control number, and (3) log it out to
the DCO at the facility where the document is being sent by
marking in the Inventory Log's disposition box the date the
document is sent and the identity of the recipient DCO.
As specified in Section III.D, TSCA CBI materials must be
double-wrapped when taken or transferred outside the DCO's
facilities. TSCA CBI materials may be (1) sent by registered
-30-
-------�
TSCA CBI Security Manual 7700
11/1/85
mail, return receipt requested, (2) hand-carried by an individual
authorized for CBI access, or, (3) if approved by the transferor
employee's authorizing official, sent by a private courier or the
U.S. Postal Service's Express Mail. TSCA CBI materials must
always be sent or taken directly to the recipient's DCO and must
contain a return receipt to be filled out by the receiving DCO
and mailed back to the sending DCO.
E. Inventory of CBI Documents. Before July 31 of each
year, each DCO must perform an inventory of all hard copy TSCA
CBI materials controlled in the DCO's Document Tracking System.
This involves determining the location or status of all CBI
materials in the System and is done by comparing the CBI
documents listed by document control number in the Receipt Log
with the list of transactions in the Inventory Log.
Materials listed in the Receipt Log, but not in the
Inventory Log should be in the DCO's possession and must be
inventoried. The status (e.g., destroyed or transferred outside
the DCO's facility) or location (e.g., checked out to an
employee) of materials listed in the Inventory Log must be
reviewed and any documents checked out for over 90 days to
employees in the DCO's facility must be located by the DCO. The
status of documents indicated in the Inventory Log as having been
destroyed must be reviewed in conjunction with the Destruction
Log.
Upon completing the inventory, the DCO must provide a
written report through his or her supervisor to the TSCA Security
Staff by October 1. The procedures in Section III.L must be
followed if there are any TSCA CBI materials which cannot be
located.
V. AUTHORIZING OTHER AGENCIES FOR ACCESS TO TSCA CBI
A. In General. EPA's regulations (40 CFR Part 2) allow
disclosure of TSCA CBI to another Federal agency in either of two
circumstances:
o when the official purpose for which the information is
needed by the other agency is in connection with its
duties under any law for protection of health or the
environment or for specific law enforcement purposes;
or
o when disclosure is necessary to enable the other agency
to perform a function on behalf of EPA.
In either circumstance, the procedures described below must be
followed before TSCA CBI may be disclosed to the other agency.
These procedures do not apply to disclosure of TSCA CBI to
-31-
-------�
TSCA CBI Security Manual 7700
11/1/85
individual employees of other agencies performing functions on
behalt of EPA where access is confined to EPA premises (see
section II for procedures to be used in such situations).
B. Procedures tor Authorizing Another Federal Agency for
Access to TSCA CBI.
1. Upon request of the other agency.
a. The written request. EPA may disclose TSCA CBI to
another Federal agency upon the written request of that agency.
Because of the time needed for processing, the written request
should be directed to the IMD Director at least one month prior
to the time access is needed. The request must be signed by an
official of the other agency who is at least equivalent in
authority to an EPA Division Director. It should state with
specificity the information to which access is requested and the
official purpose for which the TSCA CBI is needed. That official
purpose, which should be set forth in detail, must be either
(1) in connection with the agency's duties under a law for the
protection of health or the environment or (2) tor a specific law
enforcement purpose.
In addition, preferably as part of its written request, the
other agency must agree in writing not to disclose any further
information designated as confidential unless (1) it has
statutory authority both to compel production of the information
and to make the proposed disclosure and, prior to the disclosure,
it has furnished affected businesses with at least the same
notice that EPA would provide under its regulations; or (2) it
has obtained the consent of each affected business to the
proposed disclosure; or (3) it has obtained a written statement
trom the EPA General Counsel or an EPA Regional Counsel that
disclosure of the information would be proper under EPA's
regulations.
b. Notice to affected businesses. When disclosure is upon
request of another agency, EPA must give affected businesses at
least ten calendar days notice before access by the other agency
to TSCA CBI may take place. Notice may be given by FEDERAL
REGISTER notice, certified mail (return receipt requested), or
telegram. The notice generally will be prepared by IMD and must
include:
o the identify of the agency to which TSCA CBI is to be
disclosed;
o the official purpose for the access;
o whether access is authorized only on EPA premises or
also at the other agency's facilities (see subsection C
of this section);
-32-
-------�
TSCA CBI Security Manual 7700
11/1/85
o the type of information to be disclosed; and
o the period of time for which access to TSCA CBI is
authorized.
c. Approval by EPA. If the IMD Director approves the
request tor access, he or she will forward it to the OTS Director
for his or her approval. It approval is granted by the OTS
Director, the IMD Director will notify the requesting official of
the other agency and will issue the required notice to affected
businesses (the IMD Director will also notify the requesting
official from the other agency if approval is not granted).
Before TSCA CBI may be disclosed, the IMD Director must
notify the other agency that (1) the information being disclosed
is CBI and was acquired under authority ot TSCA and (2) any
unauthorized disclosure of the information may subject employees
of the other agency to the criminal penalties in section 14(d) of
TSCA.
Once approval for access has been granted, designated
employees ot the other agency may be given access to the
specified TSCA CBI on EPA premises after the notice period has
run and in accordance with the procedures set forth in section II
ot this Manual.
2. To perform a function on behalf of EPA. EPA also may
disclose TSCA CBI to another Federal agency to perform a function
on behalf of EPA. Usually, such disclosure will be upon the
initiative ot EPA. The EPA office needing to make the disclosure
should contact the IMD Director to begin the approval process.
Before TSCA CBI may be disclosed, the IMD Director must
notify the other agency that (1) the information being disclosed
is CBI and was acquired under the authority ot TSCA and (2) any
unauthorized disclosure ot the information may subject employees
ot the other agency to the criminal penalties in section 14(d) of
TSCA.
In addition, the other agency must agree in writing not to
disclose further any information designated as confidential
unless (1) it has statutory authority both to compel production
ot the information and to make the proposed disclosure and, prior
to the disclosure, it has furnished each affected business with
at least the same notice that EPA would provide under its
regulations; or (2) it has obtained the consent ot each affected
business prior to the proposed disclosure; or (3) it has obtained
a written statement from the EPA General Counsel or an EPA
Regional Counsel that disclosure ot the information would be
proper under EPA's regulations.
-33-
-------�
TSCA CBI Security Manual 7700
11/1/85
When disclosure is authorized to allow another agency to
pertorm a function on behalf of EPA, no notice to affected
businesses need be made.
If the IMD Director approves the EPA office's request that
another agency be granted access, he or she will forward the
request to the OTS Director for his or her approval. The IMD
Director will notify the office making the request that access
has been approved or disapproved.
It approval for access is granted, designated employees of
the other agency may be given access to specified TSCA CBI on EPA
premises in accordance with the procedures set forth in Section
II of this manual.
C. Access to TSCA CBI at Facilities Outside of OTS. EPA
will encourage other agencies to restrict their access to TSCA
CBI to EPA premises. However, where this is not practical, the
provisions of this subsection must be followed before access is
granted at the other agency's premises. Other Federal agencies
requiring access to TSCA CBI on their premises must have security
procedures and standards in place which equal or surpass those
set forth in this manual. Also, each such facility must be
inspected and approved by the TSCA Security Staff and a DCO for
the facility must be appointed, pursuant to the procedures in
Section IV, before CBI can be transferred there. In addition,
all facilities approved tor TSCA CBI access must be inspected by
the TSCA Security Staff on an annual basis.
The official requesting CBI access authority for his or her
agency is responsible for preparing and forwarding to the TSCA
Security Staff a written statement of the agency's security
procedures for handling TSCA CBI if they differ from those set
forth in this manual. It the procedures in this manual are
adopted by the agency without change, the requesting official
must notify the TSCA Security Staff by letter. The official must
also arrange the initial and yearly inspections by the TSCA
Security Staff of his or her agency's CBI use and storage
facilities.
Employees of another agency may be authorized for TSCA CBI
access at OTS' Headquarters facilities even it the other agency's
or office's facilities are not approved for CBI access. However,
the employees will not be allowed to remove from EPA premises any
documents, notes, or correspondence containing TSCA CBI and must
not discuss CBI with individuals not authorized for TSCA CBI
access.
-34-
-------�
TSCA CBI Security Manual 7700
11/1/85
VI. CONGRESSIONAL ACCESS TO TSCA CBI.
The IMD Director must be immediately notified if a
Congressional request is received tor documents or information
that would require access to TSCA CBI by Congress or the General
Accounting Office. Pursuant to 40 CFR 2.209, access may be
allowed only if the request is made by the Speaker of the House,
the President of the Senate, a chairman of a committee or
subcommittee, or the Comptroller General. Access must be
recorded on a Congressional Access Log (Appendix 15). Generally,
the requestor will be asked whether access can be limited to EPA
premises. Any notice to affected businesses of such access must
identify the requestor, the type of information to be disclosed,
whether access will occur only on EPA premises, and the period of
time during which access will take place. The notice generally
will be prepared by IMD.
-35-
-------�
TSCA CBI Security Manual
7700
11/1/85
INDEX
Access to CBI by other agencies
approval by IMD Director
notice to affected businesses
Access to CBI outside of OTS
Authorized Access list
use at meetings
Authorizing officials
access list
approving use of couriers
assigning DCOs
ovedue documents
quarterly briefing
requesting access approval for
employees
when employees relinquish access
CBIC
DAPSS
printouts
telephone logs
Computer security
PCs
printouts
storage media
Confidential Data Branch
Congressional access
Congressional Access Log
Contractor Security Manual
Copy numbers
personal working papers
Receipt Log
Creating new CBI documents
Creating non-CBI documents
final confidentiality determination
masking or aggregating
submitter drops claim
3, 31-34
32-34
32-33
34
2, 5-7, 12, 19
19
2, 4-7, 9, 13, 27
5
13
26
9
7
4-5
6
1-2, 5, 8-10, 18-19,
21, 23, 28
8
23
21
21-23
21-23
22-23
22
16
3, 35
35
15, 17, 27
15
27
14
15-16
15-16
15
16
-36-
-------�
TSCA CBI Security Manual
7700
11/1/85
Criminal penalties
DAPSS
Data Management Branch
obtaining PC floppy disks
relinquishing computer access
Destruction of CBI
hardcopy CBI
ribbons and microfiche
Destruction Log
annual inventory
Director, Office of Toxic Substances
Division Director
overdue documents
secure storage areas
reporting violations
Document control numbers
copies
Inventory Log
new documents
printouts
Receipt Log
Document Control Officers (DCOs)
Authorized Access List
access outside OTS
assigning DCOs
broken reproduction machines
computer access
declassifying CBI materials
destruction of CBI materials
Document Tracking System
double-wrapping CBI materials
initial security briefing
inventory
Inventory Log
maintaining access authorization
new CBI documents
obtaining CBI from DCOs
OTS DCO
OTS Division DCOs
receipt of CBI materials
relinquishing CBI access
8
6, 22
22
6
14, 18, 30
18
18
18, 30-31
31
3-4, 10, 24-26, 29
29
10
24-26
3, 8, 14, 17, 23,
27-30
17
28
14
23
27
2-14, 16-18, 20,
22-23, 26-31, 34
5
34
26, 34
17-18
22-23
16
18, 29-30
7, 26-31
13, 20
4-5
26,
28
7
14
8,
2,
2,
27
6
31
29
13,
13,
26
14
-37-
-------�
TSCA CBI Security Manual
7700
11/1/85
reproduction of CBI materials
secure storage areas
transfer of CBI through mail,
courier, and express mail
Document Tracking System
Authorized Access List
automated tracking systems
copies
DAPSS
Destruction Log
destruction of CBI materials
inventory
Inventory Log
meeting notes and recordings
new documents
overdue documents
personal working papers
printouts
Receipt Log
telephone logs
transfer of CBI materials for
typing
traveling with CBI materials
Electronic entry cards
bar codes
secure storage areas
Individual CBI storage containers
safe/cabinet security check
sheet
IMD Director
access by other agencies
approval of requests for access
assigning DCOs
computer security
Congressional access
secure storage areas
violations, lost documents,
and unauthorized disclosures
Inventory
DCO relinquishes responsibilities
annual
Inventory Log
copies
17, 29-30
10-11, 28
12-13, 30
2-3, 5, 7-8, 11-21,
23, 26-31
5
7-8
17
8
18, 30-31
18, 29-30
26, 31
28-31
19
14
9
14-15
23
27, 29, 31
21
16
20
6, 8, 10-11
8
10
9-10, 28
10
2, 4, 10, 21, 23-26,
32-35
32-34
4
26
21
35
10
23-26
26, 31
26
31
28-31
30
-38-
-------�
TSCA CBI Security Manual
7700
11/1/85
Inventory
Lock combinations
Lost Documents
Meetings
chairperson
notes and recordings
personal working papers
sign-in sheet
Personal working papers
copy numbers
meetings
storing
Quarterly briefings
Receipt Log
reproduction of CBI materials
inventory
Receipt of CBI in mail
Relinquishing access authority
failure to attend annual briefing
form
Reproduction of CBI materials
broken reproduction machines
personal working papers
Request for CBI access authority
form
Request for CBI computer access
authority
form
Secure storage areas
reproduction of CBI materials
requirements
Security briefing
annual briefing
location
test and slideshow
Storage of CBI materials
personal working papers
Transferring custody of CBI materials
31
11, 28
9, 23-25
14-15, 18-19
18-19
19
14-15
18-19
14-15, 24, 30
15
14-15
15
27, 29, 31
29
31
5-7
7
6
14-15, 18-19, 29-30
17-18
14-15
3-4
3
3-4, 21
3
2, 9-12, 16, 28-29
16
10
4-5, 7
7
4,7
4,7
2, 9-11, 14-16,
28-29
14-15
12-13, 17, 19-20, 30
-39-
-------�
TSCA CBI Security Manual 7700
11/1/85
by hand delivery 12-13, 20
by registered mail, courier, or
express mail 13
double-wrapping CBI materials 13, 20, 30
loan receipts 12, 17
return receipts 13
transfer of CBI through a DCO 12, 27-30
transfer of CBI to individuals
at other facilities 13, 30
Traveling with CBI materials 20
taking CBI home 20
double-wrapping CBI materials 13, 30
TSCA CBI Cover Sheets 3-4, 8-9, 14, 17-18
23, 27, 30
copies 17
destruction of CBI materials 18
new documents 14
printouts 23
TSCA CBI Stamp 3, 8, 14, 17, 23, 27,
30
copies 17
new documents 14
printouts. 23
TSCA Security Staff 2-7, 11, 16, 21,
24-25, 34
access to CBI outside of OTS 34
Authorized Access List 5
computer access 21
maintaining CBI access authority 7
relinquishing CBI access authority 6
reproduction of CBI materials 16
requesting CBI access authority 3-4
secure storage areas 11
security briefing 4-5, 7
violations 24-25
Typing CBI materials 15
Unauthorized disclosure of CBI materials 1, 23-25
Violations of this manual's procedures 23-25
Visitors Log 12
-40-
-------�
TSCA CBI Security Manual 7700
1I/I/O 3
APPENDIX 1
TSCA CONFIDENTIAL
BUSINESS INFORMATION
DOES NOT CONTAIN NATIONAL
SECURITY INFORMATION (E.O. 1206B)
-------�
TSCA CBI Security Manual
APPENDIX 2
7700
11/1/85
SEPA
United States Environmental Protection Agency
Washington. DC 20460
TSCA Confidential Business Information
Does Not Contain National Security Information (E.O. 12065)
Document Control Officer
Date
)ocument Description
Document Control Number
Each person who has access to this document must fill in the information below
the first time that he/she has access.
The attached document contains Confidential Business Information obtained
under the Toxic Substances Control Act (TSCA 15 U.S.C. 2601 et seq.)TSCA
Confidential Business Information may not be disclosed further or copied by you
except as authorized in the procedures set forth in the TSCA Confidential Busi-
ness Information Security Manual.
If you willfully disclose TSCA Confidential Business Information to any person
not authorized to receive it, you may be liable under section 14(d) of TSCA (15
U.S.C. 2613(d)> for a possible fine up to $5,000 and/or imprisonment for up to
one year. In addition, disclosure of TSCA Confidential Business Information or
violation of the procedures cited above may subject you to disciplinary action
with penalties ranging up to and including dismissal.
DCO must fill in
blanks below if a
manual loggin;
system is used.
Date
Logged
In
Date
Logged
Out
Print Last Name
Signature
EPA ID Number
Date
Do Not Detach
6PA Form 7740-9 (10-851 Replaces EPA Form 7710-6, which is obsolete
rw-y nu-851 Replaces EPA Form 771O-6, which is obsolete.
MIMMIIMIIIIMIIIMIIIIIIMMIII
-------�
TSCA CBI Security Manual
APPENDIX 3
Please read Privacy Act Statement on Reverse.
7700
11/1/85
1. Federal Employee Request for TSCA CBI Access
1. Name (L**t first. M.I.I
4. Position Title
7. Requester (Offica/ 'Division/ 'Branch)
9. TSCA CBI Security Briefing Attendance Date
2. Social Security No.
5. Room No.
3. Access Required
Dr— 1 Computer
Document I— I (Attach EPA
Form 7740-7;
6. Telephone Number
8. Document Control Officer or Assistant and Telephone Number
10. Previous CSI Access
D FIFRA O RCRA D TSCA ('Daw;
United States Environmental Protection Agency
&EPA
Washington, DC 20460
TSCA CBI Access Request, Agreement, and Approval
11. Indicate TSCA CBI to which access is requested by checking the specf ic sections of TSCA.
DA D 5 D 6 'D 8 D 13 D Other (Specify)
Describe how the performance of the employee's duties will require such access by section. Be specific and complete.
12. Signature and Title of Requesting Official (Division Director or above/
13. Date
II. Confidentiality Agreement
I understand that I will have access to certain Confidential Business Information submitted
under the Toxic Substances Control Act (JSCA, 15 USC 2601 et seq.). This access has been
granted in accordance with my official duties relating to the Environmental Protection
Agency programs.
I understand that TSCA CBI may be used only in connection with my official duties and may
not be disclosed except as authorized by TSCA and Agency regulations. I have read and
understand the procedures set forth in the TSCA Confidential Business Information Security
Manual. I agree that I will treat any TSCA CBI furnished to me as confidential and that I will
follow these procedures.
I understand that undersection 14
-------�
TbUA ^ov./ «**«„.*,«
1. Request for TSCA
1 . Name (Last, first. Ml.)
3. Privileges Requested
D R/W D R DA U Other (Specify)
CBI Computer Access
2. Requester (0/fice/Division/Branch)
4. Holds Current TSCA CBI Access
D Yes D No
5. System and Database To Be Accessed
6. Describe fully the duties to be performed which require access to each system
7. Indicate TSCA C8I to which access is requested by checking the specific sections of TSCA
D 4 D 5 D 6 Da Dl2 D All Sections D Other (Specify)
8. Signature of Requesting Official (Division Director or above)
9. Date
II. OTS Security Approval
1 . Date Received
2. Approved
LJ Yes LJ Ho (£xplain)
3. Signature of Security Official
4. Date
III. Account Registration
1 . Date Received
2. Signature of ADP Coordinator
EPA Form 7740-7 (Rev. 10-85) Previous edition is obsolete.
-------�
TSCA CBI Security Manual //oc
1l/I/ob
APPENDIX 5
Confidentiality Agreement for United States Employees
Upon Relinquishing TSCA CBI Access Authority
In accordance with my official duties as an employee of the United States, I have
had access to Confidential Business Information under the Toxic Substances
Control Act (TSCA, 15 U.S.C. 2601 et seq.). I understand that TSCA Confidential
Business Information may not be disclosed except as authorized by TSCA or
Agency regulations.
I certify that I have returned all copies of any materials containing TSCA
Confidential Business Information in my possession to the appropriate docu-
ment control officer specified in the procedures set forth in the TSCA Con-
fidential Business Information Security Manual.
I agree that I will not remove any copies of materials containing TSCA
Confidential Business Information from the premises of the Agency upon my
termination or transfer. I further agree that I will not disclose any TSCA
Confidential Business Information to any person after my termination or
transfer.
I understand that as an employee of the United States who has had access to
TSCA Confidential Business Information, under section 14(d)ofTSCA(15U.S.C.
2613(d)) I am liable for a possible fine of up to $5,000 and/or imprisonment for
up to one year if I willfully disclose TSCA Confidential Business Information to
any person.
If I am still employed by the United States, I also understand that I may be subject
to disciplinary action for violation of this agreement.
I am aware that I may be subject to criminal penalties under 18 U.S.C. 1001 if I
have made any statement of material facts knowing that such statement is false
or if I willfully conceal any material fact.
Name (Please type or print)
Signature
EPA ID Number
Date
EPA Form 7740-16 (10-85) Replaces EPA Form 7710-17, which is obsolete.
-------�
TSCA CBI Security Manual
7700
11/1/85
U.S. ENVIRONMENTAL PROTECTION AGENCY
SAFE/CABINET SECURITY CHECK SHEET
AFFIX A COPY OF THIS FORM TO EACH CABINET CONTAINING CLASSIFIED MATERIAL OR CONFIDENTIAL BUSINESS INFORMATION
TO LOCK SAFES AND BARRED FILE CABINETS: (a) ROTATE COMBINATION DIAL AT LEAST FOUR («) COMPLETE REVOLUTIONS.
(b) CHECK EACH DRAWER BY DEPRESSING THE THUMB LATCH AND SHAKING THE DRAWER.
MONTH
DATE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
OPENED BY
INI Tl ALS
TIME
OFFICE CODE
ROOM NUMBER
LOCKED BY
INI Tl ALS
TIME
CONTAINER NUMBER
CHECKED BY
INITIALS
TIME
FORWARD COMPLETED FORM TO LOCAL EPA SECURITY OFFICER
GUARD
INITIALS
CHECK
TIME
EPA Form 1480-12 (Rev. 3-80) PREVIOUS EDITION MAY BE USED UNTIL SUPPLY'IS EXHAUSTED
-------�
TSCA CBI Security Manual
APPENDIX 7
7700
11/1/85
United States Environmental Protection Agency
A _ Washington, DC 20460
V> E PA TSCA CBI Visitors Loa
Individual's Name
Organization
Date
Time
Purpose of Visit
EPA Form 7740-13 (10-85)
-------�
TSCA CBI Security Manual
APPENDIX 8
7700
11/1/85
United States Environmental Protection Agency
Washington, DC 20460
Ap PA TemPorary Loan Receipt for TSCA
Confidential Business Information
1 acknowledge receipt of the following documents containing
TSCA Confidential Business Information.
1. DCN/Copy Number
2. DCN/Copy Number
3. DCN/Copy Number
4. DCN/Copy Number
5. DCN/Copy Number
6. DCN/Copy Number
7. DCN/Copy Number
Date Loaned
Name of Recipient
Description
Description
Description
Description
Description
Description
Description
Name of Lender
Signature of Recipient
Instructions
1 . To be used only for temporary transfer of TSCA
CBI. Transfers for more than thirty (30) days must
be made through a DCO.
2. The lender must keep.the original of this form
after it has been completed and signed by the recip-
ient, and give the copy to the recipient.
3. The lender must give his or her copy of this form
to the recipient when the recipient returns the doc-
ument(s) to the lender. The recipient should destroy
both copies.
EPA Form 7740-14 (10-85)
-------�
TSCA CBI Security Manual
7700
11/1/85
APPENDIX 9
T
*•«€•
oco/oc
DATE
Dt
5TROVEC
US. ENVIRONMENTAL PROTECTION AGENCV OOfS NOT CONTAIN
«C* Cii DiSTMUCTION LOG >»T!ON*i $ICU«ITY
-------�
TSCA CBI Security Manual
APPENDIX 10
7700
11/1/85
United States Environmental Protection Agency
fl _ Washington, DC 20460
OEPA TSCA CBI Meeting Siqn-in Sheet
Chairperson
Meeting Place (Room. Building, City, State)
Date
Time
Subject of Meeting
Name (Print)
Signature
Office. Division, Branch
EPA ID Number
This Sign-in Sheet Must Be Given to the Appropriate DCO
EPA Form 7740-1 5 (10-85) Replaces EPA Form 7710-44. which is obsolete.
-------�
TSCA CBI Security Manual
APPENDIX 11
7700
11/1/85
United States Environmental Protection Agency
Washington. DC 20460
Memorandum of TSCA CBI Telephone Conversation
I. EPA Employee Identification
Name of Employee
Date
Organization
Time
II. Second Party Identification
)all Is:
QTo
Name
Number
Organization
III. Concerning what TSCA CBI?
IV. Content of Conversation:
EPA Form 7740-12 (10-85)
-------�
TSCA CBI Security Manual 7700
11/1/85
APPENDIX 12
Guidelines for Determining Penalties for
Violations of This Manual's Procedures
A. In General. Section ITI.L of this manual describes
procedures for notifying the IMD Director whenever it appears
that this manual's procedures have been violated. The IMD
Director is responsible for reviewing reports of alleged
violations and determining whether to recommend administrative
penalties or other corrective actions. The IMD Director will
notify the affected employee's Division Director of recommended
actions. Responsibility for implementing recommendations rests
with the employee's Division Director.
This appendix provides guidelines for determining
appropriate penalties and corrective actions. The guidelines are
based on those set forth in the EPA Conduct and Discipline Order.
B. Using These Guidelines.
1. In general. The purpose of the actions described in these
guidelines is to prevent or discourage the reoccurrance of
violations. Penalties imposed or actions taken must be fair,
consistent, and well-reasoned. After receiving a report of an
alleged violation, the IMD Director must first determine whether
an individual's actions constitute a violation of this manual's
procedures. This determination is based on a review of the
initial written report and the TSCA Security Staff's
investigation report.
After determining that a violation has occurred, the IMD
Director must identify and recommend to the individual's
supervisor an appropriate course of action. Possible courses of
action described in these guidelines are broken into three
categories: (1) administrative penalties, (2) corrective actions,
and (3) no action. In addition, a remedy that includes both
administrative penalties and corrective actions can be
recommended if the situation warrants.
-------�
TSCA CBI Security Manual 7700
11/1/85
-2-
2. Determining an appropriate remedy. To determine an
appropriate remedy the IMD Director must weigh the following
factors:
o the seriousness of the violation and the potential for
unauthorized disclosure of TSCA CBI because of the
violation;
o the degree of the employee's negligence;
o whether the individual has previously committed a similar
violation;
o whether the individual has previously committed any other
violation of this manual's procedures; and
o the frequency with which the individual uses or handles
TSCA CBI in the course of fulfilling his or her duties.
If the violation is serious, the individual is grossly
negligent, or the violatipn, even if not a serious one, is a
repetition of a similar violation, the IMD Director should
recommend an administrative penalty.
Corrective actions should be recommended whenever the IMD
Director determines that (1) an administrative penalty would be
too severe a remedy and (2) the corrective action is likely to
prevent or discourage future violations either by the individual
or by other individuals. The IMD Director should recommend that
no action be taken if either fault cannot be ascribed to any
individual or a modification of CBI handling procedures would
yield no greater level of protection to TSCA CBI.
The guidelines in the previous paragraph can be modified in
a number of ways. Unless the violation resulted from the
individual's gross negligence, the IMD Director should consider
reducing the severity of the recommended penalty or action if the
employee handles CBI frequently. Similarly, the IMD Director can
reduce the severity of the recommended penalty or action if the
violation is serious, but the individual's negligence is
slight. However, the IMD Director should increase the severity
of a recommended penalty or action if the individual has
committed a previous violation or violations of other procedures
of this manual.
-------�
TSCA CBI Security Manual
7700
11/1/85
3. Administrative penalties. Administrative penalties dictated
by the EPA Conduct and Discipline Order are described below:
Nature of Offense 1st Offense
2nd Offense
3rd Offense
CBI is not compro-
mised and breach
is unintentional
oral reprimand written repri- 5-day
or written mand to 1-day suspension
reprimand suspension to removal
CBI is compromised
but breach is
unintentional
written repri- 1-day to
mand to 5-day 14-day
suspension suspension
5-day suspen-
sion to
removal
Deliberate
procedural
violation i
30-day suspen- removal
sion to removal
* This category covers only deliberate procedural violations that
do not result in the unauthorized disclosure of TSCA CBI. If
IMD's investigation reveals any evidence of the knowing and
wilfull unauthorized disclosure of TSCA CBI, the matter will be
immediately referred to the EPA Office of Inspector General.
4. Corrective Actions. Corrective actions recommended by the
IMD Director should fit the individual characteristics of each
violation. This category includes actions ranging from
corrective training and revision of work procedures to removal
the individual's name from the TSCA CBI Authorized Access List,
The purpose of corrective actions is to prevent or discourage
future violations. Therefore corrective actions may be
procedural, instructional, or disciplinary in nature.
of
-------�
US Environmental Protection Agency
tr'artA TSCACBI n _•_* • ^_ Does not contain National
^BVtr'/A When Filled In H 608101 LOQ Security Information fE.O. 120651
*~ ' ** TSCA Confidential Business Information
Date
Received
Document
Control Number
Number
of Pages
Received From
(Enter company, city, and State)
Description
Audit
TJ
^
PI
Z
o
H
CO
O
o
DO
CO
CO
o
0)
3
0)
\ o
I-1 O
00
EPA Form 7740-10 (10-85) Replaces EPA Form 7710-10. which is obsolete.
-------�
US Environmental Protection Agency
SJ' EPA When Filled In InVePtOfy LOQ Sec^,tyMo^lfo"(EaO°"2065)
TSCA Confidential Business Information
Date
Checked
Out
Document
Control Number/
Copy Number
User Information
EPA ID Number
User's Name
/!
Date
Returned
DCO
Initial
Disnosition
Audit
Cfl
o
o
03
CD
O
PI C
X
h-
4>
*— -J
I— -J
\ O
t-> O
\
00
Ul
EPA Form 7740-11 (10-86) Replaces EPA Form 7710-11, which is obsolete.
-------�
TSCA CBI Security Manual
7700
11/1/85
APPENDIX 15
•^"'D ,N ««*«*•. ™&-^i&t^%tttss?!s?M OUT LOG «"""< *.***«» « 9 ,».,.
DATE OUT
[» DOCUMENT CON
TBOL NO 'CO'» NO
NO
'AGES
DESCRIPTION
FEDERAL ACENCV.
CONGRESS. COURT
RECIPIENT
OCO
INITIAL
"ECEiPT
DATE
RETURNED
lK.i1
INITIAL
EPA Form 7710-13 (Rev. 9-811 Previous edition it obsolete.
-------� |