United States
Environmental Protection
Agency
Office of
Toxic Substances
Washington, D.C. 20460
TSCA Confidential
Business Information
Security Manual
                   •'*:'-

-------
              TSCA CONFIDENTIAL BUSINESS  INFORMATION
                  SECURITY MANUAL--1985 Edition
 1.  PURPOSE.  This Transmittal provides  a new version of the
 TSCA Confidential Business  Information Security Manual.

 2,  EXPLANATION.  This Manual sets  forth procedures for EPA
 employees and other Federal employees to follow in handling
 information claimed as TSCA confidential business information
 (CBI).

 3.  FILING INSTRUCTIONS.  Discard the old version of this
 Manual  and file the attached edition  in  a three-ring binder.
                          Gary  M.  Katz,  Director
                          Management  and Organization Division
ORIGINATOR:
         Management and Organization  Division/Office of Administration
EPA Form 1315-12 
-------
TSCA CONFIDENTIAL BUSINESS INFORMATION
             SECURITY MANUAL
       [FEDERAL EMPLOYEES MANUAL]


             NOVEMBER  1985
  U.S. ENVIRONMENTAL PROTECTION AGENCY
  OFFICE OF TOXIC SUBSTANCES  (TS-793)
         WASHINGTON. D-C-  20160

-------
TSCA CBI Security Manual                               7700
                                                   •    11/1/85.
                         TABLE OF CONTENTS
 I.    Introduction.... * ... .	1
           Important  Terminology	1

 II.   Authorizing Federal Employees for Access  to TSCA CBI	.3

       A.  Initial Request for Access Authority.. •.	3
           1.  Forms  and  procedures.	 3
           2.  'Security  briefing	.4

       B.  Authorized Access List.	5
           1.  Contents  of Access  List	5
           2.  Monthly  Review of the Access List	."6

       C.  When an Employee  No Longer Needs Access	.5
          ' 1.  In general. . . .	.5
           2.  Forms  and  procedures	.6

      . D.  Maintaining  Access......	..._...'.7
           1.  In general...	7
           2.  Scheduling the annual briefing	7
           3.  Quarterly  briefings	7

 III.  Procedures for Using  and Safeguarding  TSCA CBI	7

       A.  In General.	7
           1.  Document  Tracking Systems	*	7
           2.  CBI cover  sheets......	8
           3.  CBI stamp	8
           4.  DAPSS.	;	8

       B.  Procedures for Obtaining CBI  from  a  DCO	8
           1.  In general.	8
           2.  Requesting CBI from a'DCO.	,.8
               a.  In general.	;	8
               b.  Logging out CBI  from  a  DCO	9
           3.  Receipt  of CBI in the mail	9
           4 .  TSCA  CBI  Cover Sheets	9

       C.  .Storage of TSCA CBI Materials	9
           1.  In general.	9
           2.  Approved  storage containers	.......10
           3.  Secure storage areas	10
           4.  Lock  combinations	11
           5.  Electronic card entry devices	11

       D.  Procedures for Transferring Custody  of CBI	....12
           1.  In general...	12
           2.  Transfer within CBI-cleared facilities..	12
           3.  Transfer .of CBI to  individuals at other
               facilities.	13
               a.  In general	..13
               b.  Double-wrapping of CBI materials......	13
               c.  Hand-carrying	.13

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85
              d.   Mailing CBI	13
              e.   Courier service	13

      E.  Creating New CBI  Documents and Personal
          Working  Papers	14
          1.  New  CBI documents	14
          2.  Personal working papers	14
              a.   In general	14
              b.   Use in meetings	14
              c.   Storage	15
              d.   Transfer  of CBI documents for typing	15
          3.  Creating non-CBI documents	15
          4.  Declassifying CBI materials	16

      F.  Reproduction of TSCA CBI Materials	16
          1.  In general	16
          2.  DCO's role	17
          3.  Control of copies	17
          4.  Broken machines	17

      G.  Destruction of TSCA CBI Materials	18
          1.  In general	18
          2.  Destruction method	18
          3.  Documenting destruction	18

      H.  Meetings at which TSCA CBI is Discussed	18
          1.  Meeting sign-in sheets	18
          2.  Meeting chairperson's duties	19
          3.  Notes or recordings	19
          4.  Meeting defined	19

      I.  Traveling with TSCA CBI	20
          1.  In general.:	20
          2.  CBI handling  procedures	20
          3.  Control and storage, of CBI	20

      J.  Telephone Calls During Which TSCA CBI is
          Discussed	20
          1.  Calls with other individuals authorized
              for TSCA CBI  access	20
          2.  Calls with submitters	21
          3 .  Telephone logs	21

      K.  Computer Security	21
          1.  In general	21
          2.  Safeguarding  TSCA CBI during PC use	22
              a.   In general	22
              b.   PC storage media	22
              c.  Terminating a CBI PC session	22
              d.   Use of a  PC printer	23
          3.  Obtaining and using computer printouts	23

      L.  Violations of Procedures, Lost Documents, and
          Unauthorized Disclosures	23

-------
TSCA CBI Security Manual                              7700
                                                      11/1/85
            1.   In general	23
            2.   Notifying the IMD Director	24
            3.   Unaccounted for CBI materials	25
            4.   Unauthorized disclosure of CBI materials	25
            5.   Violations of this Manual's procedures	25

  IV.   Document Control Officer Responsibilities	26

        A.  In General	26

        B.  Assigning DCOs	26

        C.  When DCOs Relinquish DCO Responsibilities	26

        D.  Document Tracking Systems	26
            1.   In general	26
            2.   Receipt of CBI materials	27
            3.   Storage of CBI materials	28
            4.   Use of CBI Materials	28
                a.  Providing CBI to Federal employees	28
                b.  The Inventory Log	28
                c.  Checking out CBI from the DCO	29
                d.  Determining whether documents contain CBI....29
            5.   Reproduction and destruction of CBI materials.... 30
            6.   Transfer of CBI materials outside
                a DCO's facility	30

        E.  Inventory of CBI Documents	31


  V.    Authorizing Other Agencies for Access to TSCA CBI	31

        A.  In General	31

        B.  Procedures for Authorizing Another Federal
            Agency for Access to TSCA CBI	32
            1.   Upon request of the other Agency	32
                a.  The written request	32
                b.  Notice to affected businesses	32
                c.  Approval by EPA	33
            2.   To perform a function on behalf of EPA	33

        C.  Access to TSCA CBI at Facilities Outside of OTS	34


  VI.   Congressional Access to TSCA CBI	35


  Index	36

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85
Appendix                  Title

  1                     TSCA CBI Stamp

  2                     TSCA CBI Cover Sheet

  3                     TSCA CBI Access Request, Agreement, and
                        Approval

  4                     TSCA CBI Computer Access Request,
                        Approval, and Registration

  5                     Confidentiality Agreement for United
                        States Employees Upon Relinquishing
                        TSCA CBI Access Authority

  6                     Safe/Cabinet Security Check Sheet

  7                     TSCA CBI Visitors Log

  8                     Temporary Loan Receipt for TSCA
                        Confidential Business Information

  9                     Destruction Log

  10                    TSCA CBI Meeting Sign-in Sheet

  11                    Memorandum of TSCA CBI Telephone
                        Conversation

  12                    Guidelines for Determining Penalties for
                        Violations of This Manual's Procedures

  13                    Receipt Log

  14                    Inventory Log

  15                    Federal Agency, Congress, and Federal
                        Court Sign-out Log

-------
 TSCA CBI Security Manual                               7700
                                                        11/1/85
                           CONTACTS
Questions about the procedures in this manual should be
directed to:

          Chief, Confidential Data Branch
          Information Management Division
          Office of Toxic Substances (TS-793)
          401 M St.,  SW.
          Wash., D.C. 20460
          Phone: (202) 382-3938
The OTS DCO can be contacted at:

          Document Control Officer
          Office of Toxic Substances (TS-793)
          401 M St., SW.
          Washington, D.C.  20460
          Phone: (202) 382-3534
The TSCA Security Staff can be contacted at:

          TSCA Security Staff
          Information Management Division
          Office of Toxic Substances  (TS-793)
          401 M St., SW.
          Washington, D.C.  20460
          Phone: (202) 382-3938
The IMP Director can be contacted at:

          Director
          Information Management Division
          Office of Toxic Substances (TS-793)
          401 M St., SW.
          Washington, D.C. 20460
          Phone: (202) 382-3938

-------
 TSCA CBI Security Manual                               7700
                                                        11/1/85
                     Glossary of Acronyms



CBI       Confidential Business Information

CBIC      Confidential Business Information Center

CDB       Confidential Data Branch

CFR       Code of Federal Regulations

CIB       Chemical Information Branch

DAPSS     Document and Personnel Security System

DCO       Document Control Officer

DMB       Data Management Branch

EPA       United States Environmental Protection Agency

FSSD      Facilities and Support Services Division

IMD       Information Management Division

OGC       Office of General Counsel

OTS       Office of Toxic Substances

PMN       Premanufacture Notification

PC        Personal Computer

TSCA      Toxic Substances Control Act

-------
TSCA CBI Security Manual                               770°
I.    INTRODUCTION

      This manual sets forth procedures for Environmental
Protection Agency (EPA) employees and other Federal employees to
follow in handling information claimed as confidential business
information (CBI) under section 14 of the Toxic Substances
Control Act (TSCA) (15 U.S.C. §2613).  That section of TSCA
requires EPA to protect from public disclosure CBI obtained under
TSCA and it imposes criminal penalties for the knowing and
willful unauthorized release or disclosure of such information.
EPA has issued regulations (40 CFR Part 2) which implement TSCA's
confidentiality provisions.  The procedures in this manual
supplement those set forth in TSCA and in 40 CFR Part 2.

      Another manual, "Contractor Requirements for the Control
and Security of TSCA Confidential Business Information,"
describes procedures to be followed by EPA Contractors and
subcontractors and their employees and describes how such
contractors and subcontractors are given authorization tor access
to TSCA CBI.

      Section 14(a)(l) of TSCA permits EPA to authorize a Federal
employee tor access to TSCA CBI when such access is necessary to
perform work in connection with the employee's duties under a
health or environmental protection statute or tor specific law
enforcement purposes.

      Most TSCA CBI access occurs at EPA Headquarters, where the
primary storage and use facility for TSCA CBI is the EPA
Confidential Business Information Center  (CBIC).  If a showing of
need is established, EPA may also authorize CBI access at other
facilities, including EPA Regional Offices, other Federal agency
offices, and contractor facilities.  Procedures for handling,
using, and storing TSCA CBI are generally uniform at all
facilities.  However, some differences in security procedures are
required at facilities outside of EPA Headquarters  (Procedures
tor access at a contractor's site are set forth in the contractor
manual cited above).

Important Terminology

      A number of terms are used frequently throughout this
manual.  TSCA CBI (also referred to in this manual as CBI) is
information claimed to be business confidential under EPA's
confidentiality regulations at 40 CFR Part 2.  TSCA CBI materials
are documents or any other information-bearing media that contain
TSCA CBI.  Most CBI materials consist only partially of
confidential information.

      Federal employees are persons employed by Federal
agencies.  Procedures tor obtaining approval for access to TSCA
CBI for Federal employees are described in Section II.  Section V
describes procedures for authorizing other Federal agencies for
                               -1-

-------
TSCA CBI Security Manual                               7700 .
access to TSCA CBI.  Individuals who are authorized for access to
TSCA CBI are listed on the TSCA CBI Authorized Access List.  EPA
Employees include employees of other Federal agencies who have
been detailed to EPA and experts and consultants hired by EPA.'

      The Director of the Office of Toxic Substances (OTS) has
overall supervisory authority for TSCA activities,including TSCA
security programs.  The Information Management Division (IMP)
Director is responsible for day-to-day implementation of TSCA CBI
and security programs, including developing policies for the use
and handling of CBI, operating the EPA Headquarters CBIC, and
supervising the TSCA Security Staff.  The TSCA Security Staff is
responsible for security-related activities, including reviewing
security plans, performing security inspections, and processing
forms and records pertaining to requests for TSCA CBI access
authority tor organizations and individuals.              •
 -. '   An authorizing official is an EPA Division Director or a
supervisor of equivalent authority who nominates a Federal
employee for TSCA CBI access.  Authorizing officials'
responsibilities also include ensuring that their employees renew
their CBI access authority yearly, determining when their
employees no longer require access authority, authorizing their
employees to transfer CBI using a courier or express mail, and
initiating or reviewing their employees'  reports of violations of
this manual's procedures.

      A Document Control Officer (DCO) manages the Document
Tracking System tor the facility at which he or she is employed
and has overview authority for the receipt, storage, and use of
TSCA CBI at his or her facility.  DCO responsibilities are
outlined in Section IV.  In this manual, the title ."DCO" includes
the-person designated as the DCO as well as other employees who
perform document control functions under the DCO's supervision.
Therefore, it a procedure in this manual requires that a document
be taken to the DCO, the document may be taken to either the
designated DCO or any other employee-working under the DCO's
supervision who has been assigned the responsibility of receiving
documents tor the DCO.  in addition, when this manual refers to
an employee's DCO> it means the DCO assigned to the employee's
organization or facility.  For example,.each OTS Division has an
assigned DCO who assists Division employees in requesting and
renewing CBI access authorization (Section II) and has other
responsibilities described throughout this manual relating to the
control ot documents in the possession of Division employees.
The OTS DCQ, who is assigned to the Information Management
Division, manages the CBIC, oversees other Headquarters DCOs, and
provides training materials and guidance to all DCOs on
appropriate CBI handling procedures.

      Secure storage areas, like the CBIC at EPA Headquarters,
either house the bulk ot an organization's or facility's CBI
tiles, serve as an organization's or facility's primary CBI work
area, or both.  Secure storage areas are areas that are secured
                               -2-

-------
TSCA CBI Security Manual                                7700
                                                        11/1/85


from access by persons not authorized for access to TSCA CBI and
in which some of the normal storage requirements of Section II.I
do not apply.

      A Document Tracking System is a system for accounting for
the location or disposition of TSCA CBI materials.  Materials  in
a Document Tracking System are assigned unique numerical
identifiers, or document control numbers, and their locations  are
tracked through manual or automated logs, or records of receipt,
usage, and transfer.  TSCA CBI materials must always be marked,
at least on the front of the first page and back of the last
page, with a stamp that identifies the materials as TSCA CBI
(Appendix 1), and must be covered with a TSCA CBI cover sheet
(Appendix 2).  Users of a TSCA CBI document must sign the cover
sheet once, the first time they read or take possession of
(hereinafter "gain access to") the document.

      The remainder of this manual is organized into the
following sections:  Authorizing Federal Employees for Access  to
TSCA CBI (Section II), Procedures for Using and Safeguarding TSCA
CBI (Section III), DCO Responsibilities (Section IV), Authorizing
Other Agencies for Access to TSCA CBI (Section V), and   •
Congressional Access to TSCA CBI (Section VI).  In addition,
there are extensive appendices that provide examples of forms  and
logs and an index that cross-references activities, procedures,
and responsibilities.


II.   AUTHORIZING FEDERAL EMPLOYEES FOR ACCESS TO TSCA CBI

      A.  Initial Request for Access Authority.

1.  Forms and procedures.  EPA employees and individual employees
of other Federal Agencies who either perform work for EPA or for
other agencies which have been authorized for TSCA CBI access
pursuant to Section V may request TSCA CBI access authority by
completing EPA Form 7740-6 (TSCA CBI Access Request, Agreement,
and Approval, Appendix 3) and submitting it for approval in the
manner described in the paragraphs that follow.

      A Federal employee who requires on-line access to a TSCA
CBI computer system or data base must also complete EPA Form
7740-7  (Request for TSCA CBI Computer Access Approval) (see
Section III (K) and Appendix 4).

      These forms, like all others described in this manual, can
be obtained from either the TSCA Security Staff or an EPA form
distribution center.

      EPA employees must complete the forms and forward them to
their Division Director or supervisor of equivalent authority
(hereinafter referred to as Division Director).  Employees of
other agencies must forward completed forms to their DCO or, if
no DCO is assigned for that agency, to their supervisor, who must


                               -3-                             :

-------
TSCA CBI Security Manual                                770°
                                                        11/1/85
be at least equivalent  in authority to an EPA Division Director,
or to an EPA Division Director  it the employee's work is on
behalf of EPA..

      To complete EPA Form 7740-6, the Federal employee must
describe why access to TSCA CBI is necessary for the successful
performance of his or her duties under a health or environmental
protection statute or must identity the law enforcement purpose
served by the access.  The employee must also identify, by
section of TSCA, the types of confidential information to which
access is needed to perform his or her duties.

      An EPA employee's Division Director must review the
completed forms for accuracy and completeness, approve (by
signing line 12 of the general access request form or line 9 of
the computer access request form) or disapprove them, and, if
approving, submit them to the TSCA Security Staff tor its
review.  DCOs at other agencies must review the forms for
completeness and accuracy before forwarding them to the
employee's supervisor. The employee's supervisor will review and
approve or disapprove the forms and, it approving, forward them
to the TSCA Security Staff.  (This manual will hereinafter refer
to the supervisor who signs an employee's access request form as
the employee's authorizing official.)

      After completing their review, the TSCA Security Staff will
submit the forms to the IMD Director for final approval.


2.  Security briefing.  It final CBI access approval is given,
the TSCA Security Staff will notify the employee's authorizing
otticial that the employee has been approved tor TSCA CBI
access.  Before actual access to CBI may commence, the employee
must attend a security briefing and pass a written test on TSCA
CBI security procedures.  (However, an employee may be allowed
access to TSCA CBI tor a period of up to 10 days before receiving
word of final approval from the TSCA Security Staff if the
required forms have been completed and submitted to the TSCA
Security Staff, the employee has attended the required security
briefing and passed the written test, and the employee's
authorizing official has determined that immediate access is
necessary.)  The TSCA Security Statt will also notify the
authorizing official if final approval is not given.

      Authorizing officials must ensure that their employees read
this manual and attend a security briefing.  The briefing is in
the form of a slide show with an accompanying cassette tape.  A
written test at the end of the briefing covers procedures
described in this manual.

      Employees can attend one of the briefings administered on a
regular basis at EPA Headquarters by the TSCA Security Staff.  In
addition, copies of the slide show and test can be obtained from
the TSCA Security Staff and administered by DCOs outside of EPA
                               -4-

-------
TSCA CBI Security Manual                               11/1/85
Headquarters.  These DCOs must provide the TSCA Security Staff
with the names ot employees who attend briefings.  The DCOs also
must retain a copy of each employee's test and forward the
original to the TSCA Security Staff.


      B.  Authorized Access List.

1.  Contents of the Access List.  After Federal employees receive
approval for TSCA CBI access, attend a security briefing, and
pass the required test, their names will be added to the TSCA CBI
Authorized Access List.

      The Authorized Access List is used as a reference to
determine whether an individual has TSCA CBI access authorization
(including TSCA CBI computer access) and to determine the type
TSCA CBI (by section ot TSCA) for which access is authorized.  At
the EPA Headquarters CBIC, the list is used in conjunction with
an automated Document Tracking System to ensure that only
individuals with TSCA CBI access authority can obtain CBI
materials.

      Questions regarding whether a particular employee has TSCA
Cbl access authorization and the scope of such access should be
directed to the TSCA Security Staff.


2.  .Monthly review ot the Access List.  DCOs (or authorizing
officials in offices without assigned DCOs) are responsible for
reviewing the TSCA CBI Authorized Access List on a monthly basis
to determine whether any names of employees within their
jurisdiction should be added to or deleted from the list  (see
subsection C below) or whether any employee's access authority
should be broadened or narrowed  (an employee must complete a new
EPA.Form 7740-6 and submit it in the manner described in
subsection A above to request that his or her access authority be
broadened or narrowed).

      Authorizing officials are responsible for ensuring  that
employees under their supervision complete the forms required to
request the changes needed in the access list and are responsible
tor forwarding the forms to the TSCA Security Staff by the 20th
day of each month.  Revised access lists will be distributed to
all DCOs by the fifth day ot the following month.


      C.  When an Employee No Longer Needs Access.

1.  In general.  Federal employees must be removed from the TSCA
CBI Authorized Access List under the following circumstances:

      o   termination of their employment;

      o   termination of duties requiring access to TSCA  CBI; or
                               -5-

-------
TSCA CBI Security Manual                               770o
                                                       11/1/85
      o   failure to attend the yearly briefing and pass the
          written test described in subsection D below.

In addition, if an employee transfers to another branch,
division, or office at which the employee may continue to require
CBI access, his or her former authorizing official must notify
the TSCA Security Staff of the change.  The TSCA Security Staff
will notify the employee's new authorizing official, who must
determine whether the employee continues to require CBI access
and must notify the TSCA Security Staff if access is no longer
necessary (see subsection C.2 below) or if the employee's access
authority needs to be broadened or narrowed (see subsection B.2
below).
2.  Forms and Procedures.  An employee must complete EPA Form
7740-16 (Confidentiality Agreement for United States Employees
Upon Relinquishing TSCA CBI Access Authority, Appendix 5) when
access authority is relinquished or revoked.  The employee must
submit the completed form to his or her authorizing official, who
will

      o   retain a copy of the form;

      o   send a copy of the form to the facility's DCO; and

      o   send the original of the form to the TSCA Security
          Staff.

Authorizing officials are responsible for ensuring that their
employees complete Form 7740-16 at the time their TSCA CBI access
authority is cancelled.

      Upon receipt of a Form 7740-16, the TSCA Security Staff
will remove the employee's name from the TSCA CBI Authorized
Access List, ensure that the employee's DCO has been informed
that the employee is no longer authorized for CBI access, and
direct the Facilities and Support Services Division (FSSD),
Office of Administration, to invalidate the employee's electronic
entry card for EPA Headquarters secure storage areas.  In
addition, if the employee has TSCA CBI computer access authority,
the TSCA Security Staff will direct iMD's Data Management Branch
to invalidate the employee's CBI computer user identification
code and password.

      Employees who are relinquishing their CBI access authority
are responsible for returning all TSCA CBI documents in their
possession to the appropriate DCO.  Employees who are terminating
their employment must return to FSSD any electronic entry cards
for EPA Headquarters facilities that they have been issued.  EPA
Headquarters employees who are terminating their employment must
obtain signatures from the OTS DCO, FSSD, and the TSCA Security
Staff on EPA Form 3110-1 when checking out and must return CBI


                               — 6 —

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


documents and electronic entry cards at that time if they have
not done that previously.


      D.  Maintaining Access.

1.  In general.  Federal employees who are approved for TSCA CBI
access must maintain their access authority by annually attending
the security briefing slide show and passing a written test.
Employees who fail to attend this briefing within a year of their
initial approval for access or their last annual briefing will be
removed by the TSCA Security Staff from the TSCA CBI Authorized
Access List and will have their access authority suspended.  If
an employee fails to attend an annual security briefing, the TSCA
Security Staff will notify the employee's authorizing official of
the suspension.  If the employee fails to attend the briefing
within 30 days of the suspension notice, the authorizing official
is responsible for ensuring that the employee completes Form
7740-16 and follows the other steps outlined in the preceding
subsection.
2.  Scheduling the annual briefing.  The authorizing official  is
responsible for scheduling his or her employees  for renewal
security briefings.  The briefing and test are prepared  and
administered on a regular basis at EPA Headquarters by the TSCA
Security Staff or can be administered by the employees'  DCO.
Information regarding renewal dates can be obtained from either
the TSCA Security Staff or the TSCA CBI Authorized Access List.


3.  Quarterly briefings.  On a quarterly basis,  authorizing
officials are responsible for ensuring that their employees who
are authorized for access to TSCA CBI are given  an oral  briefing
on different aspects of TSCA CBI security procedures.
III.  PROCEDURES FOR USING AND SAFEGUARDING TSCA CBI

      A.  In General.

1.  Document Tracking Systems.   All documents submitted  to  EPA
and all those generated by Federal employees  (except  those
described in subsection E of this section) containing  information
claimed to be CBI must be controlled through  a Document Tracking
System.  That system may be manual or, as at  EPA Headquarters,
automated.  The Document Tracking System enables the  DCO  to  track
a document's movement from the time that it is written or
received at EPA until the time that it is destroyed or
transferred to another facility or organization.
                               —7 —

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


      DCO responsibilities and procedures  for  logging CBI
materials into the Document Tracking System are described  in
Section IV.
2.  CBI cover sheets.  Every TSCA CBI document must have a TSCA
CBI cover sheet (Appendix 2) inscribed with the date of document
receipt by the DCO or the date of creation by the author and a
brief description of the document that indicates what type of
TSCA CBI, by section of the Act, is contained in the document.
In addition, it the document is controlled in the Document
Tracking System, the document's cover sheet must be inscribed
with a document control number and the name of the DCO who
assigned the number and entered the document into the system.
The first time an employee gains access to the document, he or
she must write the date and his or her name, employee
identification number, and signature on the cover sheet.


3.  CBI Stamp.  In addition, the first page and the back of the
last page of the document must be labeled with a stamp that
identifies that the document contains TSCA CBI (Appendix 1).  If
the document is a copy or is received from outside the Agency,
the document should be stamped by the DCO.  The document's author
applies the stamp in all other cases.


4.  DAPSS.  The automated Document Tracking System in use at the
Headquarters CBIC, called the Document and Personnel Security
System (DAPSS), utilizes a machine-readable bar code affixed to
each CBI document controlled by the Document Tracking System to
facilitate efficient processing of documents.  Bar codes are also
affixed to the electronic card entry identification cards of
employees with TSCA CBI access authorization.  These codes enable
the OTS DCO to verify through DAPSS that the employees are
authorized for access to the CBI documents that they request from
the DCO.
      B.  Procedures for Obtaining CBI from a DCO.

1.  In general.  Employees may obtain possession of an existing
CBI document through transfer from another employee or from a
DCO.  This section describes the proper procedures for obtaining
CBI through a DCO; procedures applicable to the transfer of CBI
between employees are outlined in subsection D below.
2.  Requesting CBI from a DCO.

      a.  In General.  Employees who are authorized for access to
TSCA CBI and who wish to obtain CBI materials from the CBIC or
from other centralized CBI storage facilities must do so through
a DCO.  The DCO will retrieve the requested documents from the
                                •8-

-------
TSCA CBI Security Manual                              7700
                                                      11/1/85


storage tacility and will log them out to the requestor through
the facility's Document Tracking System, after verifying that the
employee is authorized for access to that type of CBI.

      Employees are responsible tor signing the TSCA CBI cover
sheet upon receipt of the document and for safeguarding all CBI
materials in their possession until the materials are logged back
into the storage facilities.  Employees must return the CBI
materials to the centralized storage facilities at the end of
each day, unless they have access to individual approved storage
containers or work in secure storage areas (see subsection C
below).

      b.  Logging out CBI from a DCO.  TSCA CBI materials may be
logged out trom the CBIC or trom other centralized CBI storage
facilities for only 90 days, unless the DCO in charge of the
storage tacility grants an extension at the end of the 90 day
period.

      DCOs in charge of centralized storage facilities will
periodically review document checkout activity to spot documents
not returned within the 90-day period.  DCOs must circulate a
weekly list of any CBI materials that are overdue from the
Document Tracking System.  Employees and their authorizing
officials are responsible for returning overdue materials to
their DCO.  Documents not returned within 30 days after they
first appear on the overdue notice will be considered to have
been lost on the 30th day (see subsection L below).


3.  Receipt of CBI in the mail.  TSCA CBI sent by mail should
always be sent to a DCO.  If, however, employees receive mail
containing materials labeled as CBI or materials which, though
unlabeled, are believed to be CBI, those materials must be taken
immediately to the facility's DCO tor proper entry into the
Document Tracking System.  Once entered, the documents can be
logged out by the DCO like any other CBI documents.


4.  TSCA CBI Cover Sheets.  Whenever employees first gain access
to a CBI document, whether it is logged out to them or to another
employee, they must enter the date of access, their employee
identification number, and their signature on the document's TSCA
CBI cover sheet.  The purpose of the CBI cover sheet  is to record
who has had access to the document; it is not intended to record
the chain of custody of the document.  Therefore, employees need
only sign tha cover sheet of a document the first time they gain
access to that document.
      C.  Storage of TSCA CBI Materials.

1.  In general.  Employees using TSCA CBI are responsible  for
ensuring that no unauthorized disclosures of that information
                               -9-

-------
TSCA CBI Security Manual                                7700
                                                        11/1/85


occur.  This means that employees must either maintain  constant
control over the TSCA CBI documents in their possession  (unless
the employees are working in secure storage areas, as described
in subsection C.3 below), return the CBI materials to the DCO, or
store the materials in a TSCA CBI approved storage container.


2.  Approved storage containers.  TSCA CBI materials must never
be left unattended where persons not authorized for CBI  access
might gain access to them.  When not in use TSCA CBI materials
must be secured in' approved CBI storage containers.  The two
types of containers approved for TSCA CBI storage are:

      o   metal file cabinets with bar locks and three-way
          changeable combination locks; or

      o   GSA-approved Class 6 security containers.

A safe/cabinet security check sheet (Appendix 6) must be posted
on each CBI storage container, unless the container is  located in
a secure storage area, to record the time the container  is
opened, locked, and checked at the end of the work day.

      If necessary, a storage container may be used by more than
one individual to store TSCA CBI materials, but each individual
must be authorized tor access to the types of CBI to be  stored
there.  Each person using the cabinet or safe should be  assigned
a separate storage space within the cabinet or safe and  is
responsible for any TSCA CBI he or she stores there.


3.  Secure storage areas.  The IMD Director may, as an  exception
to the procedures in the subsection C.2 above, authorize the use
ot secure storage areas (e.g., the Headquarters CBIC) when such a
designation is justified by a large volume and high frequency of
daily use ot TSCA CBI in an area of an EPA or other Federal
Agency facility.  Secure storage areas must be secured  by:

      o   a pin tumbler lock;

      o   an intrusion alarm; and

      o   either an electronic card entry system or a changeable
          push-button door lock.

      Secure storage areas can be used primarily as a TSCA CBI
work area, as a storage area for TSCA CBI, or both.

      The requirement, described in the preceding subsection,
that CBI be stored while not in use, is recommended but  not
required in secure storage areas.

      The IMD Director will not approve areas proposed  for secure
storage until they are inspected and approved by the TSCA
                               -10-

-------
TSCA CBI Security Manual                               11/1/85
Security Staff.  The facility's DCO is responsible for
requesting, in writing, through his or her Division Director, the
IMD Director's approval of a secure storage area and for
arranging an inspection by the TSCA Security Staff.  The TSCA
Security Staff will maintain a record of the locations of all
TSCA CBI secure storage areas.

      The DCO must designate an employee (usually the DCO or a
DCO employee) who will assume responsibility for the secured
area.  The employee's responsibilities include monitoring the
area to ensure that only employees authorized tor that type of
TSCA CBI access have access to it and ensuring that the devices
that secure the area are operating properly.  In addition,  if the
secure area is a centralized storage area, a DCO must be assigned
to maintain the Document Tracking System for the materials  stored
in the area.


4.  Lock combinations.  A list of all combinations to locks for
containers and rooms in which TSCA CBI is stored at a facility
must be maintained by the facility's DCO.  DCOs should obtain and
store combinations for individual storage containers in sealed
envelopes  to be opened only in emergencies.  FSSD maintains a
list ot combinations tor all locks at EPA Headquarters.  In
addition, OTS  Division DCOs are responsible for maintaining a
list ot combinations for CBI storage containers and rooms under
their Division's control.  The TSCA Security Staff is responsible
tor maintaining a list tor all other containers and rooms in
OTS.  DCOs assigned for other EPA Headquarters offices are
responsible tor maintaining, lists for their offices.

      C9mbinations may be disclosed only to employees with  TSCA
CBI access authorization and a need to review the CBI materials
stored in  the  containers or rooms.

      The  DCO  must change the combinations to locks at his  or her
facility at least once a year and each time a person who knows
the combination no longer requires TSCA access authorization  (at
EPA Headquarters, DCOs should direct FSSD to make changes to  lock
combinations).


5.  Electronic card entry devices.  Electronic card entry devices
are often used to secure CBI storage ar.eas.  Entry cards may  be
issued only to employees with TSCA CBI access authorization for
and a need to  review the type ot TSCA CBI materials stored  in the
area secured by the electronic card entry system.

      Employees must use their cards each time they enter the
secure area, even if they enter the room at the same time as
others, and may not loan their entry cards to other employees to
allow them to  gain access to secure storage areas.

      It a person who does not have a card or does not have his


                               -11-

-------
TSCA CBI Security Manual--                              7700
                                                       11/1/85
or her card with him or her needs to enter the secure area, the
employee or DCO in charge ot the area must first determine
whether the individual is authorized for access to that type of
TSCA CBI by referring to the TSCA CBI Authorized Access List.  If
the person is authorized for access, the DCO or other employee in
charge ot the area will require the person to sign a Visitors Log
(Appendix 7) and then allow entry.

      Persons not authorized tor access to TSCA CBI may gain
entry to a secure area only it they sign the Visitors Log and are
escorted at all times by a person with TSCA CBI access
authorization.

      A current copy of the TSCA CBI Authorized Access List
should be stored near the door ot every secure storage area by
the DCO or other employee in charge of the area.


      D.  Procedures for Transferring Custody of CBI.

1.  in general.  Before any transfer is initiated, the transferor
ot a CBI document must verity that the intended recipient is
authorized for access to that type of CBI by referring, if
necessary, to the TSCA CBI Authorized Access List.


2.  Transfer within a facility.  Custody of CBI may be
transferred from one employee authorized tor TSCA CBI access to
another within the same facility only by means of direct hand
delivery or through a DCO.  There must be a record (i.e., a
Document Tracking System log entry or loan receipt) indicating
that the transfer was completed.

      It hand delivery is used, the CBI materials must be given
directly to the recipient.  Inter-office mail must never be used
for such transfers.  CBI materials must not be left unattended in
an in-box or on the recipient's desk.  Transferors must obtain
signed loan receipts (Appendix 8) from recipients and must retain
them until the documents are returned to their possession.  The
hand delivery/loan receipt transfer method may be used only for
short-term CBI transfers.

      It the transferee intends to retain the CBI for more than a
month or intends to, in turn, transfer it to a third person, the
transfer must be made through the DCO who will log the documents
in from the transferor and out to the recipient (see Section IV
tor DCO logging procedures).

      Transfers of CBI materials between a DCO and individuals
supervised by the DCO in a centralized storage area are exempt
from this subsection's document transfer logging and loan receipt
requirements.  However, transfers between DCOs for different
organizations within the same facility, e.g., transfers from the
                               -12-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


OTS DCO to an OTS Division DCO, must be recorded in the Document
Tracking System.

3.  Transfer of CBI to individuals at other facilities.

      a.  In general.  TSCA CBI materials destined for persons
authorized tor access to that CBI who are located outside of the
facility in which the materials are stored (including the
submitter that claimed them as confidential) may be transferred:

      o   through hand-carrying by an employee who is authorized
          tor CBI access;

      o   through registered mail, return receipt requested; or

      o   through a courier or U.S. Postal Service Express Mail.

      b.  Double-wrapping of CBI materials.  Regardless of which
transfer method is used, the materials being transferred must be
double-wrapped.  The  inner wrapping must be labelled with  the
transferee's name and the statement "TSCA Confidential Business
Information -- To Be Opened by Addressee Only."  The outer
wrapping must be labelled only with the name ana address of the
recipient and the return address of the transferor; nothing on
the outer wrapping should indicate that the package contains TSCA
CBI.

      c.  Hand-carrying CBI.  It the CBI material is to be hand-
carried by a person authorized for CBI access, it must be
protected at all times in accordance with the procedures
described in subsection I below.

      d.  Mailing CBI.  If the CBI material is to be mailed, it
must be sent through the employee's DCO (except that OTS
employees must mail all CBI materials to contractors through the
OTS DCO rather than through Division DCOs) via registered mail,
return receipt requested.  Regular first class mail must never be
used by Federal employees to transfer TSCA CBI. •

      e.  Courier service.  With the approval of an employee's
authorizing official, CBI may also be transferred using a courier
service or the U.S. Postal Service Express Mail.  These services
may only be used when time is of the essence, because, unlike
registered mail, they do not require each person who handles the
package to sign for it as it changes hands.

      If a courier service or Express Mail is used, materials
must be sent through the transferor's DCO.  That DCO must obtain
a receipt from the courier employee who picks up the package.
The transferor DCO must also enclose a return receipt with the
package for the receiving DCO to sign, date, and send back to the
transferor, verifying receipt.
                               -13-

-------
TSCA CBI Security Manual                     .          7700
                                                       11/1/85


      E.  Creating New CBI Documents and Personal Working Papers.

1.  New CBI documents.  Documents and other materials produced by
Federal employees using TSCA CBI documents are frequently CBI
themselves.  It a newly created document is CBI, the document's
author must stamp it as CBI, cover it with a TSCA CBI cover
sheet, and take it to the DCO to be logged into the Document
Tracking System at the employee's facility (exceptions to the
logging requirement are described in part E.2 of this
subsection).  The DCO will assign the CBI document a document
control number and either log it out or retain it for storage.


2.  Personal working papers.

      a.  In general.  There is a limited exception from logging
procedures for personal working papers which remain in the
possession and control of the author.  The category of personal
working papers includes materials such as:

      o   notes;

      o   outlines; and

      o   initial drafts of documents.

      It a personal working paper leaves the originator's
possession and control, it must be assigned a document control
number and must be logged into the Document Tracking System as
would any other CBI document (but see part E.2 of this subsection
for secretarial procedures).

      Therefore, if an employee drafts an outline of a document
and wishes to temporarily transfer it to someone else at the
employees' facility for review, the document must be logged into
the Document Tracking System.  The employee can do this by taking
the document to his or her Division or facility DCO, having a
document control number assigned and the document logged into a
manual or automated tracking system, and transferring the
document via loan receipt (see subsection D above) to the person
who is to review it.

      b.  Use in meetings.  The author of a CBI document may
circulate copies ot the document at a meeting without logging the
document into the Document Tracking System if the author:

      o   attends the meeting and is present when the document is
          discussed;

      o   collects all copies of the document at the end of the
          meeting; and

      o   submits all copies of the document for destruction
          after the meeting.
                               -14-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85
The document author must number the copies (i.e., 1 of 6, 2 of 6,
etc.) before handing them out at the meeting and check to make
sure that all copies are returned at the end of the meeting.  All
other procedures in subsection H below for meeting must be
followed when personal working paper documents are circulated at
a meeting.

      c.  Storage.  Personal working papers must be stored
securely, stamped as TSCA CBI, covered with a TSCA CBI cover
sheet, and otherwise used, stored, and handled like any other CBI
document  (except that they need not be logged into the Document
Tracking  System if the criteria outlined in subsection E.2.a.
above are met).

      d.  Transfer of CBI documents for typing.  The  author of a
CBI document may provide the document to a typist who is within
the author's division or equivalent office and authorized for
access to that CBI, without logging it into the Document Tracking
System.   The typist must return to the author the typed materials
and the draft being typed from when typing is completed.
However,  CBI materials must be logged into the Document Tracking
System it they are to be transferred by the typist to anyone
other than the author or if the materials are sent by the author
to a typing service for typing.  The document author  should keep
a record  of transfers to typists until all the CBI materials that
are transferred are returned.

      All the materials used in typing documents containing TSCA
CBI, including word processing disks, ribbons, carbons, and waste
paper, must also be treated as CBI and must be stored in the
manner described in subsection C when not in use.
3.  Creating non-CBI documents.  Some materials produced using
TSCA CBI are not contidential.  Non-confidential  documents  are
produced if  (1) the CBI  is either not included  in a  new document
or  is deleted  from an existing document,  (2)  the  CBI used  is
masked or aggregated (i.e., replacing the CBI in  a document with
non-CBI data or descriptive terms.  The data  or terms are  derived
from CBI data  but are not themselves CBI), or (3)  either a
submitter drops its claim of confidentiality  for  the information
in  the document or EPA determines that the claim  is  not valid.
In  all instances, the author of the document  is responsible for
ensuring that  it contains no CBI.  Materials  produced using CBI
materials must be treated as CBI until determined not to be so by
their author.

      The IMD  Director must be consulted  in advance  by any
authors who wish to produce a non-confidential  document by
masking or aggregating CBI.  The IMD Director must review  all
applications of masking  and aggregating techniques to ensure that
appropriate  techniques have been used.
                               -15-

-------
TSCA CBI Security Manual                           ••   7700
                                                       11/1/85


      If a submitter drops its claim, either the document author
or his or her DCO must obtain a written statement from the
submitter that the claim has been dropped before the information
can be released to the public.

      To determine that a claim is not valid, EPA's Office of
General Counsel, or an EPA Regional Counsel, where appropriate,
must render a final confidentiality determination pursuant to 40
CFR $2.205, which is made applicable to TSCA by §2.306.  That.
determination is made based on a review of the submitter's
responses to substantiation questions covering the topics
described in §2.204.  Letters requesting submitters to
substantiate a claim ot confidentiality can be sent by any EPA
employee, but are usually sent by IMD for TSCA CBI in OTS.
Responses to substantiation questions must be forwarded to the
EPA General Counsel, or an EPA Regional Counsel, as appropriate.

      It a final determination is rendered denying a claim, the
information may not be released for thirty days, during which
time the submitter may challenge EPA's determination in a Federal
District Court.
4.  Declassifying CBI materials.  To declassify CBI materials, an
employee must take the materials to his or her DCO and present
the DCO with evidence indicating that the materials either are no
longer confidential or contain no CBI.  For example, if CBI
claims tor the materials have been withdrawn by the submitter,
the employee should present the DCO with the submitter's written
relinquishment of the claims.  If an employee has determined
after studying a document that it contains no CBI, the employee
must explain to the DCO why it contains no CBI.  Disputes about
whether a document contains TSCA CBI should be brought to the
Chief of IMD's Confidential Data Branch for resolution.

      After being presented with evidence that a document
contains no CBI, the DCO must cross out all CBI markings on the
document and remove the document's cover sheet.  The DCO must
then inscribe the document and cover sheet with the statement
"Contains no TSCA CBI," and sign and date them.  In addition, the
DCO must log the document out of the Document Tracking System
with a message in the document's Inventory Log entry disposition
box (see Section IV.D) that the document contains no CBI.
      F.   Reproduction ot TSCA CBI Materials.

1.  in general.  Copying of TSCA CBI materials should be limited
to the maximum extent possible.  TSCA CBI materials may be
reproduced only at copying machines located  in:

      o   secure storage facilities; or
                               -16-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


      o   non-secure locations approved for CBI duplication by
          the TSCA Security Staft.

Secure storage areas are secured by a pin tumbler lock, an
intrusion alarm, and either an electronic card entry system or a
changeable push-button door lock (see subsection C above).  DCOs
are responsible for obtaining the TSCA Security Staff's approval
ot any non-secure CBI reproduction locations at the DCO's
facilities.
2.  DCO's role.  CBI materials may be reproduced only by a DCO or
under a DCO's supervision.  Employees should present the
materials they need reproduced to the DCO or to an  individual
authorized by the DCO to reproduce CBI materials.


3.  Control of copies.  All copies of a TSCA CBI document must be
stamped by the DCO as TSCA CBI and covered with a new TSCA CBI
cover sheet.  The cover sheet on the original must  not be copied
for use with the copy.

      Copies must be  logged into the Document Tracking System and
must be assigned either unique document control numbers or copy
numbers (e.g., the copy should be marked with the same document
control number as the original and a copy number, e.g., 1 of 3, 2
ot 3, 3 of 3, etc.),  except for those materials that fall into
the personal working  papers exception described in  subsection E
above for use in a meeting.

      When copies of  documents are to be given to other
employees, either (1) the copies should be logged out
individually through  the DCO directly to the recipients, or  (2)
all ot the copies should be logged out to the originator and lent
by him or her under the loan receipt procedures described in
subsection D above.   Excess or unusable copies must be destroyed
by the DCO (see subsection G below).


4.  Broken machines.  It all machines in locations  approved  for
duplicating CBI materials are inoperable, the facility's DCO may
authorize the use ot  other machines for duplicating CBI
materials.  However,  a machine must be dedicated solely to CBI
document reproduction while CBI documents are being copied,  and
the DCO or the person assigned by the DCO must directly supervise
the machine while the CBI materials are being duplicated.  Only
persons authorized for TSCA CBI access may be present while CBI
materials are being reproduced.  After copying is finished,  the
operator must pass three blank copies through the machine to
ensure that any impressions on the image surfaces of the machine
have been erased.

      If the machine  in a non-secure location malfunctions while
TSCA CBI materials are being copied, the facility's DCO must
                               -17-

-------
TSCA CBI Security Manual               .       ,  .  .   ,.   7700
                                                        11/1/85


ensure that either the machine  is directly  supervised  by  a  person
authorized for TSCA CBI access  until  it  is  repaired  or  that  a
person authorized for access to CBI  inspects  the machine's  paper
path and image surfaces to retrieve  any  materials containing TSCA
CBI that are caught in the machine.


      G.  Destruction of TSCA CBI Materials.

1.  In general.  TSCA CBI materials  in the  possession of  a
Federal employee may be destroyed only under  the supervision of a
OCO.  The procedures in this section  for destruction of CBI
materials apply to all materials containing TSCA CBI,  including
handwritten notes, personal working papers, draft documents,
telephone records, typewriter ribbons, computer printouts,
diskettes, microfiche, and any other  CBI materials, whether  or
not logged into the Document Tracking System.   Federal employees
wishing to have CBI materials destroyed must  take them to the  DCO
responsible for tracking those materials.


2.  Destruction method.  CBI materials such as papers, documents,
or printouts must be shredded.  All other materials, including
microfiche and typewriter ribbons, must be  burned.  EPA Regional
or field office DCOs may send microfiche or typewriter ribbons to
EPA Headquarters for destruction if the facility's DCO logs  the
materials out of the Document Tracking System before sending the
materials.  Materials must be sent to the OTS DCO, attention TSCA
Security Staff, for destruction.


3.  Documenting destruction.  The destruction of TSCA CBI
materials logged into the Document Tracking System must be
documented by DCOs in a Destruction Log  (Appendix 9).  This  log
is essential to the DCO for performing document inventories  (see
Section IV).

      TSCA CBI cover sheets taken from materials being destroyed
must be inscribed by the DCO with (1) the destruction date,  (2)
the location at which the document is destroyed, and (3)  the
DCO's name.  The cover sheets must then be  placed in the
appropriate file for storage (e.g., at EPA  Headquarters a cover
sheet should be placed in the CBIC file for that document).  TSCA
CBI cover sheets from destroyed documents must not be destroyed
themselves; they must be retained for audit purposes.


      H.  Meetings at Which TSCA CBI  is Discussed.

1.  Meeting sign-in sheets.  When TSCA CBI  is discussed at
meetings, the meeting chairperson must provide a sign-in  sheet
(Appendix 10) to record the meeting  (1) date, (2) time, (3)
place, (4) chairperson, and (5) subject.  All persons attending
the meeting must sign this sheet.


                               -18-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85
      After the meeting, the chairperson must give the sign-in
sheet to his or her DCO, who will file it in the appropriate EPA
decision record file (e.g., sign-in sheets for a meeting at EPA
headquarters at which CBI from a Section 5 notice is discussed
would be filed in the materials maintained for that notice in the
CBIC).

2.  Meeting chairperson's duties.  The meeting chairperson is
usually the person who schedules and organizes a meeting.  If a
chairperson has not previously been identified, one must be
selected at the beginning of the meeting.

      The chairperson is responsible for ensuring (by referring,
it necessary, to the TSCA CBI Authorized Access List) that only
persons authorized for access to the type of TSCA CBI to be
discussed at the meeting are in attendance when the discussion
involving CBI commences.
      The chairperson must  also ensure  that  the meeting
secured after the meeting.  This includes cleaning  all
chalkboards, taking any unneeded CBI materials  to  the D<
destruction, and ensuring that nothing  is left  in  the r(
could lead to the unauthorized disclosure of TSCA  CBI.
3.  Notes or recordings.  The meeting chairperson must  remind
those  in attendance of  their duty  to  treat  as  confidential  any
notes  or recordings taken at the meeting until  the CBI  status of
the materials can  be  determined pursuant to the  procedures  in
subsection E above.

       Pursuant  to  the personal working papers  policy  described  in
subsection E, notes taken during a meeting  that  contain TSCA CBI
must be protected  as  CBI but need  not be logged  into  the  Document
Tracking System if they are retained  by the note-taker.   However,
if the note-taker  wishes to transfer  possession  of the  notes to
someone else, the  notes must first be assigned  a document control
number and be logged  into the Document Tracking  System.

       Meetings  may be tape recorded only with  the permission of
the chairperson.   Such  recordings may contain  CBI and must  be
treated like any other CBI materials.
4.  Meeting defined.   For purposes ot  this  subsection, meetings
are scheduled gatherings of  two or more people  at  which TSCA  CBI
is discussed.  This does not  include informal discussions  during
which CBI  is mentioned, such  as between a supervisor  and an
employee or between two employees working on a  matter concerning
that CBI.  However, if CBI  is to be discussed,  use of these
procedures is encouraged no matter how informal the discussion.
                               -19-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


      I.  Traveling with TSCA CBI.

1.  In general.  Federal employees who are authorized for TSCA
CBI access may travel with CBI materials in their possession.  In
Addition, with the permission of their immediate supervisor,
employees travelling with TSCA CBI may take CBI materials home
with them prior to or after a trip only if it would be
impractical to return to work to pick up the materials before
departure or to drop them off after return.


2.  CBI handling procedures.  It a traveller intends to transfer
possession of the TSCA CBI materials which he or she is carrying,
before the trip the CBI materials must be double-wrapped by the
employee's DCO, in the manner described in subsection D above,
and logged out to the traveller from the Document Tracking
System.  The materials should not be unwrapped until the
traveler's destination is reached, at which time they must
immediately be taken to the DCO and logged into that location's
Document Tracking System it the materials are being transferred
to someone at that location.  If the employee does not transfer
possession of the CBI materials, for example if theya re being
brought for use in a meeting, they need not be double-wrapped.
However, the traveller must maintain the materials within his or
her constant possession or control.

      Even it the traveler does not intend to transfer possession
ot the CBI materials, he or she may temporarily store the
materials with the DCO at the location he or she is visiting.


3.  Control and storage of CBI.  While traveling by plane or
other public conveyance, employees must keep the TSCA CBI
materials in their possession, and they may not check them with
their luggage.

      When employees travel with CBI materials (including
chemical samples) and are unable to deliver or ship the CBI
materials to a facility authorized for TSCA CBI access, they may
store the materials tor short periods, but never overnight,
inside a locked trunk of a motor vehicle.  TSCA CBI materials may
be stored overnight in hotel safes, if a receipt is obtained from
the hotel management, or otherwise must be kept in the possession
ot the traveler.
      j.  Telephone Calls During Which TSCA CBI is Discussed.

1.  Calls with other individuals authorized for TSCA CBI
access.  Federal employees with TSCA CBI access authority may
discuss CBI on the telephone with other individuals (Federal
employees or employees of Contractors) who are authorized for
access to that type ot TSCA CBI.  Both parties to a telephone
call are responsible for verifying, by using the TSCA CBI
                               -20-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85
Authorized Access List if needed, that the other is authorized
tor access to such TSCA CBI.  The individual who initiates a
discussion that includes TSCA CBI must indicate that the
conversation involves CBI.
2.  Calls with submitters.  With the permission of the submitter,
Federal employees who are authorized tor TSCA CBI access may
discuss CBI on the telephone with a submitter.  The Federal
employee must:

      o   verify the  identity of the submitter employee to whom
          he or she is speaking;

      o   inform the  submitter  that the telephone lines are not
          secured;

      o   assure the  submitter  that discussion of CBI with a
          Federal employee on the telephone does not constitute  a
          waiver of any claim of confidentiality; and

      o   inform the  submitter  that any further information
          provided in the telephone conversation can be claimed
          as confidential.

Care must be taken to discuss CBI from a submission only with
submitter employees named in the submission or others identified
by  the submission's signatory.


3.  Telephone logs.   Employees  must keep telephone logs of all
telephone calls with  individuals located outside their facilities
during which TSCA CBI is discussed  (Appendix  11).  Telephone logs
must be logged into the Document Tracking  System.  All
Headquarters telephone logs relating to individual TSCA section  5
notices must be filed in the CBIC's official  file for those
not ices.
      K.   Computer  Security.

 1.   In general.   Mainframe  computers  used  for  processing  TSCA CBI
 must be dedicated solely  to TSCA CBI  data.   Passwords  or  other
 security devices  may not  be relied  on  to segregate  the system
 into confidential and  non-confidential portions.

      In addition,  mainframe computers may  be  used  tor processing
 TSCA CBI only  if  their  specifications  are  reviewed  and the
 computer site  is  inspected  by  the TSCA Security Staff  and
 approved by  the IMP Director.   Requests for approval must be  made
 in writing to  the IMD  Director.

      Federal  employees may use TSCA  CBI on a  personal computer
 (PC), subject  to  the restrictions in  part  K.2  of  this
                               -21-

-------
TSCA CBI Security Manual                                7700
                                                        11/1/85


subsection.  Employees need not obtain TSCA CBI Computer access
authorization to use CBI on a PC.  TSCA CBI Computer access
authorization (see Section II) is required only by employees
needing on-line access to a dedicated CBI mainframe computer.
On-line access is access that gives the individual the  ability to
read, change, manipulate, or obtain data from the CBI data base
or program a computer that houses TSCA CBI.

      All Federal employees who are authorized for access to TSCA
CBI may use printouts from a CBI computer and may view  a computer
screen that contains CBI.  Procedures for obtaining printouts and
determining whether they contain CBI are described in subsection
K.3.
2.   Safeguarding TSCA CBI during PC use.

      a.  In general.  While using TSCA CBI on a PC in an
unsecured area, the PC operator must retain exclusive control
over the operation of the computer and printer and must ensure
that only individuals authorized for access to that type of TSCA
CBI can view the PC's screen.  If the PC operator must leave the
PC  for any reason, the computer session must be terminated.

      b.  PC storage media.  TSCA CBI data used on a PC can be
stored on either floppy disks or detachable hard disks. Floppy
disks are preferable.  Green floppy disks for CBI storage can be
obtained from IMD's Data Management Branch.  Floppy disks and
detachable hard disks containing TSCA CBI must be removed from
the PC after each session, unless the PC is located in a secured
storage area, and stored like any other CBI materials (see
storage procedures in subsection C above).

      Disks which are no longer needed or which are damaged must
be  transferred by a PC operator to his or her DCO for destruction
(see destruction procedures in subsection G above).

      The use of a fixed hard disk in a PC for processing of TSCA
CBI is not recommended unless the PC is located in a secured
storage area.  However, if one must be used in an unsecured area,
it  must be erased with a utility program disk at the end of each
session, and the erasure must be verified by the PC operator.

      c.  Terminating a CBI PC session.  Proper termination of a
PC  session involving TSCA CBI consists of the following steps:

      o   transferring and verifying the transfer of the CBI data
          to the storage medium (floppy or detachable hard disk);

      o   removing the storage medium from the PC;
                               -22-

-------
TSCA CBI Security Manual                                7700
                                                        11/1/85


      o   erasing the PC's internal memory with a utility program
          disk; and

      o   turning off the PC.

      d.  Use of a PC printer.  If TSCA CBI is printed  on a PC
printer, the printed material and the printer's ribbon  must be
treated as TSCA CBI and stored in an approved CBI storage
container when not in use (see subsection C above).
3.    Obtaining and Using Computer Printouts.  Information  from
the EPA Headquarters TSCA CBI computer can be requested and
obtained from the CBIC, which is supervised by the OTS DCO.  CBI
computer printers (except PC printers) at other locations must be
supervised by the facility's DCO.  All printouts and any
information obtained from a computer screen and written down must
be logged out through the facility's DCO.

      All printouts from a TSCA CBI mainframe computer or CBI
printouts from a PC must be printed on TSCA CBI computer paper,
obtainable from IMD's Data Management Branch.

      Because not all data on a CBI computer  is CBI, an employee
who obtains a printout from the TSCA CBI computer must first
determine, in the DCO's presence, whether the printout contains
CBI.  Printout from a CBI computer must be assumed to be CBI
unless they are determined not to be.

      o   If a printout contains CBI, it must be immediately
          logged by the DCO into the Document Tracking System,
          stamped as TSCA CBI, assigned a document control
          number, covered with a TSCA CBI cover sheet, and  be
          treated like any other CBI document.

      o   If a printout contains no CBI, the  employee must
          certify that fact by signing and dating the front page
          of the printout and must notify the DCO of that fact.

      o   If a printout is initially thought  by the employee to
          contain CBI and is logged into the  Document Tracking
          System, but is later determined not to contain CBI,  the
          employee must sign and date the front page of the
          printout, initial and remove the TSCA CBI cover sheet
          (noting on it that the printout is  being declassified),
          and notify the DCO and return the cover sheet thereto,
          so that the Document Tracking System can be updated.


      L.  Violations of Procedures, Lost Documents, and
          Unauthorized Disclosures.

1.  In General.  The procedures described in  this manual are
designed to secure TSCA CBI from unauthorized public


                               -23-

-------
TSCA CBI Security Manual                                7700
                                                        11/1/85


disclosure.  Therefore, it is imperative that the IMP Director be
notified any time these procedures may have been breached.  The
IMD Director must notify a business whenever he or she:

      o   cannot account for materials submitted by that business
          which have been claimed as CBI under TSCA; or

      o   has reason to believe that information claimed as CBI
          by the business has been disclosed to individuals not
          authorized for access to it.

In addition, the IMD Director will enforce the procedures in this
manual by employing the administrative penalties set forth in
Appendix 12 when necessary, even if a breach of procedures does
not result in the loss or unauthorized disclosure of TSCA CBI
materials.

      All employees who are authorized for TSCA CBI access are
responsible for reporting (1) possible violations, (2) the loss
of TSCA CBI materials, or (3) any unauthorized disclosure of CBI
materials to their Division Director, who will notify the IMD
Director.  The IMD Director is responsible for investigating the
report and determining the appropriate action to take.

      This section describes procedures for notifying the IMD
Director when a possible breach of procedures, loss of CBI, or
unauthorized disclosure of CBI has occurred and outlines the
actions to be taken by the IMD Director when he or she is so
notified.

      The procedures in this section apply to all TSCA CBI
materials, including personal working papers (see subsection E.2
above).
2.    Notifying the IMD Director.  Employees who believe that:

      o   a possible violation of the procedures set forth in
          this manual or an EPA^approved contractor security plan
          has occurred,

      o   TSCA CBI materials have been lost or misplaced, or

      o   someone not authorized access to TSCA CBI has had
          access to such CBI

must provide oral notice to their Division Director or supervisor
of equivalent authority within one working day of the discovery,
followed by a written report no later than the end of the second
working day.

      The written report must describe the possible violation of
procedures or unauthorized disclosure of CBI or identify the
materials believed lost or misplaced.  It must also include a


                               -24-

-------
TSCA CBI Security Manual

                                                       11/1/85

description of any relevant circumstances known by the employee.

      The employee or his or her supervisor may examine files and
discuss the matter with other individuals to try to determine
what occurred.  However, detailed investigations, including
interviews and reviews of logs, are to be performed only by the
TSCA Security Staff after receiving an investigation request from
the IMD Director.  If the TSCA Security Staff's investigation
reveals any evidence of a knowing and willful unauthorized
disclosure of TSCA CBI, the matter must be immediately
transferred to the EPA Office of Inspector General.

      Unless he or she concludes that the report is incorrect and
that no violation of procedures, loss of CBI, or unauthorized
disclosure took place, the Division Director must forward the
written report, within two working days of receiving it, to the
IMD Director, together with any relevant additional comments or
information.  The IMD Director will review the matter and may
request the TSCA Security Staff to investigate it.


3.  Unaccounted for CBI Materials.  If a CBI document reported as
lost or misplaced in the written report cannot be accounted for
by the IMD Director and the TSCA Security Staff within four
working days after the IMD Director receives the written report
described in subsection L.2 above, the IMD Director must give the
affected business written notice that identifies the lost or
misplaced document and states the date it was discovered to be
lost or misplaced.


4.  Unauthorized disclosure of CBI materials.  After investigat-
ing a written report under subsection L.2 above to determine
whether an unauthorized disclosure (i.e., a disclosure of CBI to
someone not authorized for access to it) has taken place, the IMD
Director will either:

      o   conclude that it is unlikely that any disclosure took
          place and give the affected business no notice; or

      o   determine that an unauthorized disclosure may have
          taken place, upon which determination the IMD Director
          must provide the affected business written notice
          within two working days of making that determination,
          but no later than four days after receiving the written
          report described in subsection L.2.

Written notice to the affected business must contain a
description of the TSCA CBI that may have been disclosed and the
date of the disclosure.


5.  Violations of this manual's procedures.  The IMD Director
will investigate any alleged violation of this manual's


                               -25-

-------
TSCA CBI Security Manual
                                                        7700
                                                        11/1/85

procedures, even if  there  is  no evidence  in  a  written  report,
under subsection L.2, of a  lost document  or  unauthorized
disclosure.  The IMD Director will  (1) direct  the  TSCA Security
Staff to investigate the reported violation,  (2) determine what
administrative penalties,  if  any, are appropriate  (see guidelines
in Appendix 12), and (3) notify the supervisors of affected
employees of recommended sanctions.  Supervisors are responsible
for imposing sanctions.  The  IMD Director will also confer with
supervisors to identify document handling or CBI use or storage
procedures that can  be implemented to prevent  the  recurrence of
violations.
IV.  Document Control Officer Responsibilities.

      A.  In General.  Document Control Officers  (DCOs) manage
their facilities' Document Tracking Systems and oversee the
receipt, storage, and use of TSCA CBI by employees  in their
facilities.  This section outlines the responsibilities of
DCOs.  All facilities that are authorized for access to TSCA CBI
are required to have a DCO (see Section V).


      B.  Assigning DCOs.  DCOs must be nominated,  in writing, by
either an authorizing official or the individual  in charge of the
facility to which TSCA CBI is to be transferred.  The nomination
must be approved by the IMD Director.

      All facilities that are authorized to receive TSCA CBI must
have an approved and trained DCO before TSCA CBI  can be
transferred to that facility.  The OTS DCO is responsible for
providing training materials and guidance on appropriate document
handling procedures to all DCOs.


      C.  When DCOs Relinquish DCO Responsibilities.  Whenever
DCOs at Regional EPA offices or at other agencies terminate their
employment or relinquish their DCO responsibilities, an inventory
of CBI materials within the departing DCO's jurisdiction must be
performed, pursuant to the guidelines outlined in subsection E
below, and the results must be forwarded to the TSCA Security
Staff within thirty days of the DCO's departure.  The procedures
of Section III.L must be followed if there are any TSCA CBI
materials that cannot be accounted for.
      D.  Document Tracking Systems.

1.  In general.  The Document Tracking System is the system which
is used to record and monitor the location of TSCA CBI
materials.  As the official assigned to oversee the operation of
                               -26-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85
his or her facility's Document Tracking System, the DCO must
ensure that:

      o   all manual or automated logs are properly maintained
          and updated and stored securely;

      o   document control numbers are assigned to those
          documents requiring them; and

      o   the proper procedures for the use of CBI materials are
          closely followed.

Other DCO responsibilities are described below.

2.  Receipt of CBI materials.  All TSCA CBI materials sent
through the mail or by courier must be addressed to and received
by the DCO.  CBI materials hand carried to a facility or
generated by employees at the facility must be taken immediately
to the DCO (except in Section III.E above).  The DCO should
maintain a manual or automated Receipt Log (Appendix 13) that
records:

      o   the document's document control number or copy number
          assigned by an EPA, Contractor, or other Federal agency
          DCO (if a document has already been assigned a document
          control number, that number should be used);

      o   the date on which  the document was received or
          generated;

      o   the source of the  document  (e.g., submitter's name if
          received directly  from the  submitter, the author's name
          it it  is a document generated by a Federal or
          Contractor employee, or the sending DCO's name it it is
          a document received from another facility authorized
          tor CBI access); and

      o   a brief description of the  document  (e.g., "an
          engineering report on PMN-Y" or "letter from company X
          on PMN-W").

Before logging new CBI materials into the Receipt Log, the DCO
must review all  such materials received to determine whether they
appear complete:

      o   If they do not appear complete, the DCO should
          immediately contact the submitter to determine whether
          there  is an omission.

      o   If the materials do appear  to be complete, the DCO must
          stamp  the document as TSCA CBI (Appendix 1) on at least
          the first page and the back of the last page, assign it
          a document control number, complete a TSCA CBI cover
          sheet  (Appendix 2), and attach it to the front of the
                               -27-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


          document.  The DCO must write the document control
          number on both the cover sheet and the first page of
          the document.

Users of the document must sign and date the cover sheet the
first time they have access to the document.


3.  Storage of CBI materials.  DCOs are responsible for
monitoring the implementation of the document storage procedures
of Section III.C by employees at their facilities.

      CBI materials at a facility are kept in storage containers
or in a centralized secure storage area (e.g., the CBIC at EPA
Headquarters) under the supervision of the DCO, except where
necessity requires the assignment of secure storage containers to
individual employees.

      The DCO must maintain a record of all combinations used for
locks for rooms and containers in which TSCA CBI materials are
stored at the DCO's facility.  The DCO must change the
combinations annually or any time a person who knows a
combination relinquishes his or her TSCA CBI access authority.


4.  Use of CBI materials.

      a.  Providing CBI to Federal employees.  TSCA CBI materials
are obtained by a Federal employee from his or her DCO as
follows:

      o   the employee will request a specific document;

      o   the DCO will locate it in the DCO's CBI storage files
          or obtain it from another Federal agency DCO or
          employee, a contractor, or a submitter; and

      o   after verifying that the requesting employee is
          authorized for access to the document, the DCO will log
          the document out to the employee using an automated or
          manual Inventory Log (Appendix 14).

      b. The Inventory Log.  The Inventory Log is the record of
all transactions involving TSCA CBI documents that are logged
into the Document Tracking System.  The Inventory Log contains
entries for:

      o   the document control number;

      o   the dates on which it is being checked out from the DCO
          and returned;

      o   the identity of the individual checking it out; and
                               -28-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


      o   the disposition of the document, whether it is being
          transferred outside the DCO's jurisdiction or
          destroyed.

      If the document is being transferred outside the DCO's
jurisdiction by the requesting employee, the Inventory Log
disposition book entry must include the date and destination of
the transfer.

      If the document is being destroyed, the entry  in the
disposition block of the log must include the date of destruction
and the identity of the individual destroying it.

      When a manual logging system is used, the document log-in
and log-out dates must also be marked on the appropriate lines on
the TSCA CBI cover sheet.  This will assist the DCO  in locating
the correct entry in the Inventory Log.  Each time a document  is
logged out or in, new dates should be placed by the  DCO on  the
line below the previous "out" and "in" entries on the cover
sheet.

      c.  Checking out CBI documents from the DCO.   TSCA CBI
materials may not be checked out from a centralized  CBI storage
facility for more than 90 days, unless the DCO in charge of the
storage facility grants an extensions at the end of  the initial
90-day period.

      DCOs in charge of centralized storage facilities must
periodically monitor the Inventory log to identify any CBI
materials not subject to an extension that have not  been returned
within the 90-day period.  The DCO is responsible for identifying
materials that are overdue and for notifying the responsible
employees and their supervisors by circulating a weekly list  of
overdue materials.

      Employees are responsible for returning the overdue
materials to the DCO.  If materials on the weekly list have not
been returned to the DCO within 30 days after they first appear
on the list, the materials will be presumed to have  been lost  or
misplaced and the DCO must notify his or her Division Director,
pursuant to the procedures in Section III.L.

      d.  Determining whether documents contain CBI.  DCOs  assist
employees in determining whether documents contain CBI and  in
sanitizing CBI documents by deleting CBI from them when a
document is needed for public disclosure.  Although  the ultimate
responsibility for determining whether documents contain CBI
rests with the document's author (see Section III.E), DCOs  should
assist document authors in making the determination  and instruct
them on the mechanics of creating a sanitized version of a  CBI
document.  Employees who are unable to determine whether
something is confidential should first consult with  their
supervisor and, if the issue cannot be resolved by their
supervisor, with the IMD Director.
                               -29-

-------
TSCA CBI Security Manual                                7700
                                                        11/1/85
5.  Reproduction and destruction of CBI materials.   The  DCO  is
responsible for controlling and documenting the reproduction  and
destruction of CBI materials.  Specific procedures  for
reproduction and destruction are set forth in Sections III.F  and
III.G.  Copies of documents must be (1) assigned  unique  document
control numbers, (2) logged into the Receipt Log, and  (3) checked
out using the Inventory Log (unless the copies are  personal
working papers, pursuant to Section III.E).

      Destruction of a CBI document must be recorded by  the  DCO
on the appropriate entry of the Inventory Log, on the document's
TSCA CBI cover sheet, and in the DCO's CBI Destruction Log
(Appendix 9).  The DCO must remove the TSCA CBI cover sheet  from
the document, mark it with the destruction date and  his  or her
name, and store it with related materials, such as  a PMN file at
EPA Headquarters.

      TSCA CBI materials can be reproduced or destroyed  only  by
the DCO or someone assigned to the task and supervised by the
DCO.  Except when deemed necessary by the DCO, TSCA  CBI materials
may be reproduced only with photocopying machines located in  CBI
secure areas or in locations approved by the TSCA Security Staff
for duplicating TSCA CBI (see section III.F).  Hardcopy  TSCA  CBI
materials must be shredded.  Other forms of TSCA CBI materials
must be burned (see section III.G).
6.  Transfer of CBI materials outside a DCO's facility.  TSCA CBI
materials transferred to individuals outside a DCO's facility
must be transferred through the DCO.

      If the document being sent is an existing CBI document
already recorded in the Document Tracking System and is in the
possession of an employee, the document must first be returned to
the DCO.  The DCO must mark the return date on the cover sheet
and fill in the disposition box in the appropriate entry in the
Inventory Log with the date the document is being sent and the
identity of the recipient.

      If a new CBI document not yet recorded in the Document
Tracking System is being transferred to someone outside the
author's facility, the author must first stamp it as CBI and
cover it with a TSCA CBI Cover Sheet.  The author must then take
it to his or her DCO who must (1) log it into the Receipt Log,
(2) assign it a document control number, and (3) log it out to
the DCO at the facility where the document is being sent by
marking in the Inventory Log's disposition box the date the
document is sent and the identity of the recipient DCO.

      As specified in Section III.D, TSCA CBI materials must be
double-wrapped when taken or transferred outside the DCO's
facilities.  TSCA CBI materials may be  (1) sent by registered


                               -30-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


mail, return receipt requested, (2) hand-carried by an individual
authorized for CBI access, or, (3) if approved by the transferor
employee's authorizing official, sent by a private courier or the
U.S. Postal Service's Express Mail.  TSCA CBI materials must
always be sent or taken directly to the recipient's DCO and must
contain a return receipt to be filled out by the receiving DCO
and mailed back to the sending DCO.


      E.  Inventory of CBI Documents.  Before July 31 of each
year, each DCO must perform an inventory of all hard copy TSCA
CBI materials controlled in the DCO's Document Tracking System.
This involves determining the location or status of all CBI
materials in the System and is done by comparing the CBI
documents listed by document control number in the Receipt Log
with the list of transactions in the Inventory Log.

      Materials listed in the Receipt Log, but not in the
Inventory Log should be in the DCO's possession and must be
inventoried.  The status (e.g., destroyed or transferred outside
the DCO's facility) or location (e.g., checked out to an
employee) of materials listed in the Inventory Log must be
reviewed and any documents checked out for over 90 days to
employees in the DCO's facility must be located by the DCO.   The
status of documents indicated in the Inventory Log as having  been
destroyed must be reviewed in conjunction with the Destruction
Log.

      Upon completing the inventory, the DCO must provide  a
written report through his or her  supervisor to the TSCA Security
Staff by October 1.  The procedures  in Section III.L must  be
followed if there are any TSCA CBI materials which cannot  be
located.
V.    AUTHORIZING OTHER AGENCIES FOR ACCESS TO TSCA CBI

      A.  In General.  EPA's regulations  (40 CFR  Part  2)  allow
disclosure of TSCA CBI to another Federal agency  in either of two
circumstances:

      o   when the official purpose for which the  information is
          needed by the other agency is in connection  with its
          duties under any law for protection of  health or the
          environment or for specific law enforcement  purposes;
          or

      o   when disclosure is necessary to enable  the other agency
          to perform a function on behalf of EPA.

In either circumstance, the procedures described  below must be
followed before TSCA CBI may be disclosed to the  other agency.
These procedures do not apply to disclosure of TSCA CBI to


                              -31-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


individual employees of other agencies performing functions on
behalt of EPA where access is confined to EPA premises  (see
section II for procedures to be used in such situations).


      B.  Procedures tor Authorizing Another Federal Agency for
          Access to TSCA CBI.

1.   Upon request of the other agency.

      a.  The written request.  EPA may disclose TSCA CBI to
another Federal agency upon the written request of that agency.
Because of the time needed for processing, the written  request
should be directed to the IMD Director at least one month prior
to the time access is needed.  The request must be signed by an
official of the other agency who is at least equivalent in
authority to an EPA Division Director.  It should state with
specificity the information to which access is requested and the
official purpose for which the TSCA CBI is needed.  That official
purpose, which should be set forth in detail, must be either
(1) in connection with the agency's duties under a law  for the
protection of health or the environment or (2) tor a specific law
enforcement purpose.

      In addition, preferably as part of its written request, the
other agency must agree in writing not to disclose any  further
information designated as confidential unless (1) it has
statutory authority both to compel production of the information
and to make the proposed disclosure and, prior to the disclosure,
it has furnished affected businesses with at least the  same
notice that EPA would provide under its regulations; or (2) it
has obtained the consent of each affected business to the
proposed disclosure; or (3) it has obtained a written statement
trom the EPA General Counsel or an EPA Regional Counsel that
disclosure of the information would be proper under EPA's
regulations.

      b.  Notice to affected businesses.  When disclosure is upon
request of another agency, EPA must give affected businesses at
least ten calendar days notice before access by the other agency
to TSCA CBI may take place.  Notice may be given by FEDERAL
REGISTER notice, certified mail (return receipt requested), or
telegram.  The notice generally will be prepared by IMD and must
include:

      o   the identify of the agency to which TSCA CBI  is to be
          disclosed;

      o   the official purpose for the access;

      o   whether access is authorized only on EPA premises or
          also at the other agency's facilities (see subsection C
          of this section);
                               -32-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


      o   the type of information to be disclosed; and

      o   the period of time for which access to TSCA CBI is
          authorized.

      c.  Approval by EPA.  If the IMD Director approves the
request tor access, he or she will forward it to the OTS Director
for his or her approval.  It approval is granted by the OTS
Director, the IMD Director will notify the requesting official of
the other agency and will issue the required notice to affected
businesses (the IMD Director will also notify the requesting
official from the other agency if approval is not granted).

      Before TSCA CBI may be disclosed, the IMD Director must
notify the other agency that (1) the information being disclosed
is CBI and was acquired under authority ot TSCA and (2) any
unauthorized disclosure of the information may subject employees
of the other agency to the criminal penalties in section 14(d) of
TSCA.

      Once approval for access has been granted, designated
employees ot the other agency may be given access to the
specified TSCA CBI on EPA premises after the notice period has
run and in accordance with the procedures set forth in section II
ot this Manual.
2.  To perform a function on behalf of EPA.  EPA also may
disclose TSCA CBI to another Federal agency to perform a function
on behalf of EPA.  Usually, such disclosure will be upon the
initiative ot EPA.  The EPA office needing to make the disclosure
should contact the IMD Director to begin the approval process.

      Before TSCA CBI may be disclosed, the IMD Director must
notify the other agency that (1) the information being disclosed
is CBI and was acquired under the authority ot TSCA and (2) any
unauthorized disclosure ot the  information may subject employees
ot the other agency to the criminal penalties in section 14(d) of
TSCA.

      In addition, the other agency must agree in writing  not  to
disclose further any information designated as confidential
unless (1) it has statutory authority both to compel production
ot the information and to make the proposed disclosure and, prior
to the disclosure, it has furnished each affected business with
at least the same notice that EPA would provide under its
regulations; or (2) it has obtained the consent ot each affected
business prior to the proposed disclosure; or (3) it has obtained
a written statement from the EPA General Counsel or an EPA
Regional Counsel that disclosure ot the information would  be
proper under EPA's regulations.
                               -33-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


      When disclosure  is authorized  to allow another  agency  to
pertorm a function on  behalf of EPA, no notice  to  affected
businesses need be made.

      If the IMD Director approves the EPA office's request  that
another agency be granted access, he or she will forward the
request to the OTS Director for his  or her approval.   The IMD
Director will notify the office making the request that access
has been approved or disapproved.

      It approval for  access is granted, designated employees of
the other agency may be given access to specified TSCA CBI on EPA
premises in accordance with the procedures set  forth  in Section
II of this manual.
      C.  Access to TSCA CBI at Facilities Outside of OTS.  EPA
will encourage other agencies to restrict their access to TSCA
CBI to EPA premises.  However, where this is not practical, the
provisions of this subsection must be followed before access is
granted at the other agency's premises.  Other Federal agencies
requiring access to TSCA CBI on their premises must have security
procedures and standards in place which equal or surpass those
set forth in this manual.  Also, each such facility must be
inspected and approved by the TSCA Security Staff and a DCO for
the facility must be appointed, pursuant to the procedures in
Section IV, before CBI can be transferred there.  In addition,
all facilities approved tor TSCA CBI access must be inspected by
the TSCA Security Staff on an annual basis.

      The official requesting CBI access authority for his or her
agency is responsible for preparing and forwarding to the TSCA
Security Staff a written statement of the agency's security
procedures for handling TSCA CBI if they differ from those set
forth in this manual.  It the procedures in this manual are
adopted by the agency without change, the requesting official
must notify the TSCA Security Staff by letter.  The official must
also arrange the initial and yearly inspections by the TSCA
Security Staff of his or her agency's CBI use and storage
facilities.

      Employees of another agency may be authorized for TSCA CBI
access at OTS' Headquarters facilities even it the other agency's
or office's facilities are not approved for CBI access.  However,
the employees will not be allowed to remove from EPA premises any
documents, notes, or correspondence containing TSCA CBI and must
not discuss CBI with individuals not authorized for TSCA CBI
access.
                               -34-

-------
TSCA CBI Security Manual                               7700
                                                       11/1/85


VI.   CONGRESSIONAL ACCESS TO TSCA CBI.

      The IMD Director must be immediately notified if a
Congressional request is received tor documents or information
that would require access to TSCA CBI by Congress or the General
Accounting Office.  Pursuant to 40 CFR 2.209, access may be
allowed only if the request is made by the Speaker of  the House,
the President of the Senate, a chairman of a committee or
subcommittee, or the Comptroller General.  Access must be
recorded on a Congressional Access Log (Appendix 15).  Generally,
the requestor will be asked whether access can be limited to EPA
premises.  Any notice to affected businesses of such access must
identify the requestor, the type of information to be  disclosed,
whether access will occur only on EPA premises, and the period of
time during which access will take place.  The notice  generally
will be prepared by IMD.
                              -35-

-------
TSCA CBI Security Manual
                                                         7700
                                                         11/1/85
                              INDEX
Access to CBI by other agencies
    approval by IMD Director
    notice to affected businesses

Access to CBI outside of OTS

Authorized Access list
    use at meetings

Authorizing officials
    access list
    approving use of couriers
    assigning DCOs
    ovedue documents
    quarterly briefing
    requesting access approval for
      employees
    when employees relinquish access

CBIC

    DAPSS
    printouts
    telephone logs

Computer security
    PCs
    printouts
    storage media

Confidential Data Branch

Congressional access
    Congressional Access Log

Contractor Security Manual

Copy numbers
    personal working papers
    Receipt Log

Creating new CBI documents

Creating non-CBI documents
    final confidentiality determination
    masking or aggregating
    submitter drops claim
3, 31-34
32-34
32-33

34

2, 5-7, 12, 19
19

2, 4-7, 9, 13, 27
5
13
26
9
7

4-5
6

1-2,  5, 8-10, 18-19,
21, 23, 28
8
23
21

21-23
21-23
22-23
22

16

3, 35
35
15, 17, 27
15
27

14

15-16
15-16
15
16
                               -36-

-------
TSCA CBI Security Manual
            7700
            11/1/85
Criminal penalties

DAPSS

Data Management Branch
    obtaining PC floppy disks
    relinquishing computer access

Destruction of CBI
    hardcopy CBI
    ribbons and microfiche

Destruction Log
    annual inventory

Director, Office of Toxic Substances

Division Director
    overdue documents
    secure storage areas
    reporting violations

Document control numbers

    copies
    Inventory Log
    new documents
    printouts
    Receipt Log

Document Control Officers (DCOs)

    Authorized Access List
    access outside OTS
    assigning DCOs
    broken reproduction machines
    computer access
    declassifying CBI materials
    destruction of CBI materials
    Document Tracking System
    double-wrapping CBI materials
    initial security briefing
    inventory
    Inventory Log
    maintaining access authorization
    new CBI documents
    obtaining CBI from DCOs
    OTS DCO
    OTS Division DCOs
    receipt of CBI materials
    relinquishing CBI access
8

6, 22
22
6

14, 18, 30
18
18

18, 30-31
31
3-4, 10, 24-26, 29
29
10
24-26

3, 8, 14, 17, 23,
27-30
17
28
14
23
27

2-14, 16-18, 20,
22-23, 26-31, 34
5
34
26, 34
17-18
22-23
16
18, 29-30
7, 26-31
13, 20
4-5
26,
28
7
14
8,
2,
2,
27
6
 31
29
13,
13,
26
14
                               -37-

-------
TSCA CBI Security Manual
            7700
            11/1/85
    reproduction of CBI materials
    secure storage areas
    transfer of CBI through mail,
      courier, and express mail

Document Tracking System

    Authorized Access List
    automated tracking systems
    copies
    DAPSS
    Destruction Log
    destruction of CBI materials
    inventory
    Inventory Log
    meeting notes and recordings
    new documents
    overdue documents
    personal working papers
    printouts
    Receipt Log
    telephone logs
    transfer of CBI materials for
      typing
    traveling with CBI materials

Electronic entry cards
    bar codes
    secure storage areas

Individual CBI storage containers
    safe/cabinet security check
      sheet

IMD Director

    access by other agencies
    approval of requests for access
    assigning DCOs
    computer security
    Congressional access
    secure storage areas
    violations, lost documents,
      and unauthorized disclosures

Inventory
    DCO relinquishes responsibilities
    annual

Inventory Log
    copies
17, 29-30
10-11, 28

12-13, 30

2-3, 5, 7-8, 11-21,
23, 26-31
5
7-8
17
8
18, 30-31
18, 29-30
26, 31
28-31
19
14
9
14-15
23
27, 29, 31
21

16
20

6, 8, 10-11
8
10

9-10, 28

10

2, 4, 10, 21, 23-26,
32-35
32-34
4
26
21
35
10

23-26

26, 31
26
31

28-31
30
                               -38-

-------
TSCA CBI Security Manual
            7700
            11/1/85
    Inventory

Lock combinations

Lost Documents

Meetings
    chairperson
    notes and recordings
    personal working papers
    sign-in sheet

Personal working papers
    copy numbers
    meetings
    storing

Quarterly briefings

Receipt Log
    reproduction of CBI materials
    inventory

Receipt of CBI in mail

Relinquishing access authority
    failure to attend annual briefing
    form

Reproduction of CBI materials
    broken reproduction machines
    personal working papers

Request for CBI access authority
    form

Request for CBI computer access
    authority
    form

Secure storage areas
    reproduction of CBI materials
    requirements

Security briefing
    annual briefing
    location
    test and slideshow

Storage of CBI materials

    personal working papers

Transferring custody of CBI materials
31

11, 28

9, 23-25

14-15, 18-19
18-19
19
14-15
18-19

14-15, 24, 30
15
14-15
15
27, 29, 31
29
31
5-7
7
6

14-15, 18-19, 29-30
17-18
14-15

3-4
3
3-4, 21
3

2, 9-12, 16, 28-29
16
10

4-5, 7
7
4,7
4,7

2, 9-11, 14-16,
28-29
14-15

12-13, 17, 19-20, 30
                               -39-

-------
TSCA CBI Security Manual                                7700
                                                        11/1/85

    by hand delivery                        12-13, 20
    by registered mail, courier, or
      express mail                          13
    double-wrapping CBI materials           13, 20, 30
    loan receipts                           12, 17
    return receipts                         13
    transfer of CBI through a DCO           12, 27-30
    transfer of CBI to individuals
      at other facilities                   13, 30

Traveling with CBI materials                20
    taking CBI home                         20
    double-wrapping CBI materials           13, 30

TSCA CBI Cover Sheets                       3-4, 8-9, 14, 17-18
                                            23, 27, 30
    copies                                  17
    destruction of CBI materials            18
    new documents                           14
    printouts                               23

TSCA CBI Stamp                              3, 8, 14, 17, 23, 27,
                                            30
    copies                                  17
    new documents                           14
    printouts.                               23

TSCA Security Staff                         2-7, 11, 16, 21,
                                            24-25, 34
    access to CBI outside of OTS            34
    Authorized Access List                  5
    computer access                         21
    maintaining CBI access authority        7
    relinquishing CBI access authority      6
    reproduction of CBI materials           16
    requesting CBI access authority         3-4
    secure storage areas                    11
    security briefing                       4-5, 7
    violations                              24-25

Typing CBI materials                        15

Unauthorized disclosure of CBI materials    1, 23-25

Violations of this manual's procedures      23-25

Visitors Log                                12
                               -40-

-------
TSCA CBI Security Manual                               7700
                                                       1I/I/O 3



                   APPENDIX 1
                      TSCA  CONFIDENTIAL

                    BUSINESS INFORMATION
                   DOES NOT CONTAIN NATIONAL
                 SECURITY INFORMATION (E.O.  1206B)

-------
TSCA CBI Security Manual
                            APPENDIX  2
                                                       7700
                                                       11/1/85
       SEPA
                    United States Environmental Protection Agency
                           Washington. DC 20460

           TSCA Confidential Business Information
                    Does Not Contain National Security Information (E.O. 12065)
      Document Control Officer
                                                              Date
       )ocument Description
                                                              Document Control Number
           Each person who has access to this document must fill in the information below
           the first time that he/she has access.
           The attached document contains Confidential Business Information obtained
           under the Toxic Substances Control Act (TSCA 15 U.S.C. 2601 et seq.)TSCA
           Confidential Business Information may not be disclosed further or copied by you
           except as authorized in the procedures set forth in the TSCA Confidential Busi-
           ness Information Security Manual.
           If you willfully disclose TSCA Confidential Business Information to any person
           not authorized to receive it, you may be liable under section 14(d) of TSCA (15
           U.S.C. 2613(d)> for a possible fine up to $5,000 and/or imprisonment for up to
           one year. In addition, disclosure of TSCA Confidential Business Information or
           violation of the procedures cited above may subject you to disciplinary action
           with penalties ranging up to and including dismissal.
                                                                 DCO must fill in
                                                                 blanks below if a
                                                                 manual  loggin;
                                                                 system is used.
                                                                  Date
                                                                 Logged
                                                                   In
 Date
Logged
 Out
               Print Last Name
                                             Signature
                                                                 EPA ID Number
                                                                                   Date
                                       Do Not Detach
      6PA Form 7740-9 (10-851 Replaces EPA Form 7710-6, which is obsolete
rw-y nu-851 Replaces EPA Form 771O-6, which is obsolete.	   	
MIMMIIMIIIIMIIIMIIIIIIMMIII

-------
    TSCA  CBI  Security  Manual
                                  APPENDIX 3
                                      Please read Privacy Act Statement on Reverse.
                                                          7700

                                                          11/1/85
1. Federal Employee Request for TSCA CBI Access
1. Name (L**t first. M.I.I

4. Position Title
7. Requester (Offica/ 'Division/ 'Branch)
9. TSCA CBI Security Briefing Attendance Date

2. Social Security No.
5. Room No.
3. Access Required
Dr— 1 Computer
Document I— I (Attach EPA
Form 7740-7;
6. Telephone Number
8. Document Control Officer or Assistant and Telephone Number
10. Previous CSI Access
D FIFRA O RCRA D TSCA ('Daw;
                                      United States Environmental Protection Agency
&EPA
                           Washington, DC 20460
TSCA CBI Access Request, Agreement, and Approval
11. Indicate TSCA CBI to which access is requested by checking the specf ic sections of TSCA.

  DA   D 5   D  6  'D 8  D 13   D Other (Specify)
Describe how the performance of the employee's duties will require such access by section. Be specific and complete.
12. Signature and Title of Requesting Official (Division Director or above/
                                                         13. Date
                                     II. Confidentiality Agreement
       I understand that I will have access to certain Confidential Business Information submitted
       under the Toxic Substances Control Act (JSCA, 15 USC 2601 et seq.). This access has been
       granted  in accordance with my official  duties relating to the Environmental  Protection
       Agency programs.
       I understand that TSCA CBI may be used only in connection with my official duties and may
       not be disclosed  except as authorized by TSCA and Agency regulations. I  have read and
       understand the procedures set forth in the TSCA Confidential Business Information Security
       Manual. I agree that I will treat any TSCA CBI furnished to me as confidential and that I will
       follow these procedures.
       I understand that undersection 14
-------
TbUA ^ov./ «**«„.*,«
1. Request for TSCA
1 . Name (Last, first. Ml.)
3. Privileges Requested
D R/W D R DA U Other (Specify)
CBI Computer Access
2. Requester (0/fice/Division/Branch)
4. Holds Current TSCA CBI Access
D Yes D No
5. System and Database To Be Accessed
6. Describe fully the duties to be performed which require access to each system
7. Indicate TSCA C8I to which access is requested by checking the specific sections of TSCA
D 4 D 5 D 6 Da Dl2 D All Sections D Other (Specify)
8. Signature of Requesting Official (Division Director or above)
9. Date
II. OTS Security Approval
1 . Date Received
2. Approved
LJ Yes LJ Ho (£xplain)
3. Signature of Security Official
4. Date
III. Account Registration
1 . Date Received
2. Signature of ADP Coordinator
EPA Form 7740-7 (Rev. 10-85) Previous edition is obsolete.

-------
TSCA  CBI Security Manual                                      //oc
                                                              1l/I/ob
                         APPENDIX 5


       Confidentiality Agreement for United States Employees
           Upon Relinquishing TSCA CBI Access Authority
    In accordance with my official duties as an employee of the United States, I have
    had access to Confidential Business Information under the Toxic Substances
    Control Act (TSCA, 15 U.S.C. 2601 et seq.). I understand that TSCA Confidential
    Business Information may not be disclosed except as  authorized by TSCA or
    Agency regulations.
    I certify that I have returned all copies of any materials containing TSCA
    Confidential Business Information in my possession to the appropriate docu-
    ment control officer specified in the procedures set forth in the TSCA Con-
    fidential Business Information Security Manual.
    I agree  that I will  not  remove any copies of  materials containing TSCA
    Confidential Business Information from the premises of the Agency upon my
    termination or transfer. I further  agree that I will not disclose any TSCA
    Confidential Business Information  to any  person  after my termination or
    transfer.
    I understand that as an employee of the United States who has had access to
    TSCA Confidential Business Information, under section 14(d)ofTSCA(15U.S.C.
    2613(d)) I am liable for a possible fine of up to $5,000 and/or imprisonment for
    up to one year if I willfully disclose TSCA Confidential Business Information to
    any person.
    If I am still employed by the United States, I also understand that I may be subject
    to disciplinary action for violation of this agreement.
    I am aware that I may be subject to criminal penalties under 18 U.S.C. 1001 if I
    have made any statement of material facts knowing that such statement is false
    or if I willfully conceal any material fact.
Name (Please type or print)
Signature
EPA ID Number
Date
     EPA Form 7740-16 (10-85) Replaces EPA Form 7710-17, which is obsolete.

-------
TSCA CBI Security Manual
7700
11/1/85
U.S. ENVIRONMENTAL PROTECTION AGENCY
SAFE/CABINET SECURITY CHECK SHEET
AFFIX A COPY OF THIS FORM TO EACH CABINET CONTAINING CLASSIFIED MATERIAL OR CONFIDENTIAL BUSINESS INFORMATION
TO LOCK SAFES AND BARRED FILE CABINETS: (a) ROTATE COMBINATION DIAL AT LEAST FOUR («) COMPLETE REVOLUTIONS.
(b) CHECK EACH DRAWER BY DEPRESSING THE THUMB LATCH AND SHAKING THE DRAWER.
MONTH
DATE
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
OPENED BY
INI Tl ALS































TIME































OFFICE CODE
ROOM NUMBER
LOCKED BY
INI Tl ALS































TIME































CONTAINER NUMBER
CHECKED BY
INITIALS































TIME































FORWARD COMPLETED FORM TO LOCAL EPA SECURITY OFFICER
GUARD
INITIALS
































CHECK
TIME
































EPA Form 1480-12 (Rev. 3-80) PREVIOUS EDITION MAY BE USED UNTIL SUPPLY'IS EXHAUSTED

-------
  TSCA CBI  Security  Manual

                      APPENDIX 7
7700
11/1/85
United States Environmental Protection Agency
A _ Washington, DC 20460
V> E PA TSCA CBI Visitors Loa
Individual's Name


















Organization


















Date


















Time


















Purpose of Visit


















EPA Form 7740-13 (10-85)

-------
TSCA  CBI Security Manual

                     APPENDIX 8
7700
11/1/85
United States Environmental Protection Agency
Washington, DC 20460
Ap PA TemPorary Loan Receipt for TSCA
Confidential Business Information
1 acknowledge receipt of the following documents containing
TSCA Confidential Business Information.
1. DCN/Copy Number
2. DCN/Copy Number
3. DCN/Copy Number
4. DCN/Copy Number
5. DCN/Copy Number
6. DCN/Copy Number
7. DCN/Copy Number
Date Loaned
Name of Recipient
Description
Description
Description
Description
Description
Description
Description
Name of Lender
Signature of Recipient
Instructions
1 . To be used only for temporary transfer of TSCA
CBI. Transfers for more than thirty (30) days must
be made through a DCO.
2. The lender must keep.the original of this form
after it has been completed and signed by the recip-
ient, and give the copy to the recipient.
3. The lender must give his or her copy of this form
to the recipient when the recipient returns the doc-
ument(s) to the lender. The recipient should destroy
both copies.
            EPA Form 7740-14 (10-85)

-------
TSCA CBI Security  Manual
7700
11/1/85
                    APPENDIX 9

T
*•«€•
oco/oc
DATE
Dt
5TROVEC
















US. ENVIRONMENTAL PROTECTION AGENCV OOfS NOT CONTAIN
«C* Cii DiSTMUCTION LOG >»T!ON*i $ICU«ITY

-------
  TSCA CBI Security  Manual

                          APPENDIX 10
7700
11/1/85
United States Environmental Protection Agency
fl _ Washington, DC 20460
OEPA TSCA CBI Meeting Siqn-in Sheet
Chairperson
Meeting Place (Room. Building, City, State)
Date
Time
Subject of Meeting
Name (Print)




















Signature




















Office. Division, Branch




















EPA ID Number




















This Sign-in Sheet Must Be Given to the Appropriate DCO
EPA Form 7740-1 5 (10-85) Replaces EPA Form 7710-44. which is obsolete.

-------
TSCA  CBI  Security Manual


                        APPENDIX 11
                                                      7700
                                                      11/1/85
                                United States Environmental Protection Agency
                                       Washington. DC 20460
               Memorandum of TSCA CBI Telephone Conversation
                                     I. EPA Employee Identification
  Name of Employee
                                                                          Date
  Organization
                                                                          Time
                                     II. Second Party Identification
   )all Is:

    QTo
                    Name
  Number
Organization
  III. Concerning what TSCA CBI?
  IV. Content of Conversation:
  EPA Form 7740-12 (10-85)

-------
 TSCA CBI Security Manual                               7700
                                                        11/1/85
                           APPENDIX 12
            Guidelines for Determining Penalties for

             Violations of This  Manual's  Procedures




     A. In General.  Section ITI.L of this manual describes
procedures for notifying the IMD Director whenever it appears
that this manual's procedures have been violated.  The IMD
Director is responsible for reviewing reports of alleged
violations and determining whether to recommend administrative
penalties or other corrective actions.  The IMD Director will
notify the affected employee's Division Director of recommended
actions.  Responsibility for implementing recommendations rests
with the employee's Division Director.

     This appendix provides guidelines for determining
appropriate penalties and corrective actions.  The guidelines are
based on those set forth in the EPA Conduct and Discipline Order.

     B. Using These Guidelines.
1. In general.  The purpose of the actions described in these
guidelines is to prevent or discourage the reoccurrance of
violations.  Penalties imposed or actions taken must be fair,
consistent, and well-reasoned.  After receiving a report of an
alleged violation, the IMD Director must first determine whether
an individual's actions constitute a violation of this manual's
procedures.  This determination is based on a review of the
initial written report and the TSCA Security Staff's
investigation report.

     After determining that a violation has occurred, the IMD
Director must identify and recommend to the individual's
supervisor an appropriate course of action.  Possible courses of
action described in these guidelines are broken into three
categories: (1) administrative penalties, (2) corrective actions,
and (3) no action.  In addition,  a remedy that includes both
administrative penalties and corrective actions can be
recommended if the situation warrants.

-------
TSCA CBI Security Manual                                7700
                                                        11/1/85
                               -2-


2.  Determining an appropriate remedy.  To determine an
appropriate remedy the IMD Director must weigh the  following
factors:

    o  the seriousness of the violation and the potential for
       unauthorized disclosure of TSCA CBI because  of the
       violation;

    o  the degree of the employee's negligence;

    o  whether the individual has previously committed a similar
       violation;

    o  whether the individual has previously committed any other
       violation of this manual's procedures; and

    o  the frequency with which the individual uses or handles
       TSCA CBI in the course of fulfilling his or  her duties.

     If the violation is serious, the individual is grossly
negligent, or the violatipn,  even if not a serious  one, is a
repetition of a similar violation, the IMD Director should
recommend an administrative penalty.

     Corrective actions should be recommended whenever the IMD
Director determines that (1)  an administrative penalty would be
too severe a remedy and (2) the corrective action is likely to
prevent or discourage future violations either by the individual
or by other individuals.  The IMD Director should recommend that
no action be taken if either fault cannot be ascribed to any
individual or a modification of CBI handling procedures would
yield no greater level of protection to TSCA CBI.

     The guidelines in the previous paragraph can be modified in
a number of ways.  Unless the violation resulted from the
individual's gross negligence, the IMD Director should consider
reducing the severity of the recommended penalty or action if the
employee handles CBI frequently.  Similarly, the IMD Director can
reduce the severity of the recommended penalty or action if the
violation is serious, but the individual's negligence is
slight.  However, the IMD Director should increase  the severity
of a recommended penalty or action if the individual has
committed a previous violation or violations of other procedures
of this manual.

-------
 TSCA CBI Security Manual
                                    7700
                                    11/1/85
3.  Administrative penalties.  Administrative penalties dictated
by the EPA Conduct and Discipline Order are described below:
Nature of Offense   1st Offense
                2nd Offense
3rd Offense
CBI is not compro-
mised and breach
is unintentional
oral reprimand  written repri-  5-day
or written      mand to 1-day   suspension
reprimand       suspension      to removal
CBI is compromised
but breach is
unintentional
written repri-  1-day to
mand to 5-day   14-day
suspension      suspension
 5-day suspen-
 sion to
 removal
Deliberate
procedural
violation i
30-day suspen-  removal
sion to removal
* This category covers only deliberate procedural violations that
do not result in the unauthorized disclosure of TSCA CBI.  If
IMD's investigation reveals any evidence of the knowing and
wilfull unauthorized disclosure of TSCA CBI, the matter will be
immediately referred to the EPA Office of Inspector General.
4.  Corrective Actions.  Corrective actions recommended by the
IMD Director should fit the individual characteristics of each
violation.  This category includes actions ranging from
corrective training and revision of work procedures to removal
the individual's name from the TSCA CBI Authorized Access List,
The purpose of corrective actions is to prevent or discourage
future violations.  Therefore corrective actions may be
procedural, instructional, or disciplinary in nature.
                                           of

-------
US Environmental Protection Agency
tr'artA TSCACBI n _•_* • ^_ Does not contain National
^BVtr'/A When Filled In H 608101 LOQ Security Information fE.O. 120651
*~ ' ** TSCA Confidential Business Information
Date
Received










Document
Control Number










Number
of Pages










Received From
(Enter company, city, and State)










Description










Audit










                                                                                                                                                                        TJ
                                                                                                                                                                        ^
                                                                                                                                                                        PI
                                                                                                                                                                        Z
                                                                                                                                                                        o
                                                                                                                                                                               H
                                                                                                                                                                               CO
                                                                                                                                                                               O
                                                                                                                                                                               o
                                                                                                                                                                               DO
                                                                                                                                                                               CO
                                                                                                                                                                               CO
                                                                                                                                                                               o
0)
3

0)
                                                                                                                                                                           \ o
                                                                                                                                                                           I-1 O
                                                                                                                                                                           00
EPA Form 7740-10 (10-85) Replaces EPA Form 7710-10. which is obsolete.

-------
US Environmental Protection Agency
SJ' EPA When Filled In InVePtOfy LOQ Sec^,tyMo^lfo"(EaO°"2065)
TSCA Confidential Business Information
Date
Checked
Out










Document
Control Number/
Copy Number










User Information
EPA ID Number










User's Name





/!




Date
Returned










DCO
Initial










Disnosition










Audit










                                                                                                                                                                           Cfl
                                                                                                                                                                           o
                                                                                                                                                                           o
                                                                                                                                                                           03
                                                                                                                                                                           CD
                                                                                                                                                                           O
                                                                                                                                                                        PI C



                                                                                                                                                                        X

                                                                                                                                                                        h-
                                                                                                                                                                        4>
                                                                                                                                                                         *— -J
                                                                                                                                                                         I— -J
                                                                                                                                                                         \ O
                                                                                                                                                                         t-> O
                                                                                                                                                                         \
                                                                                                                                                                         00
                                                                                                                                                                         Ul
EPA Form 7740-11 (10-86) Replaces EPA Form 7710-11, which is obsolete.

-------
TSCA CBI  Security  Manual
7700
11/1/85
                           APPENDIX 15
•^"'D ,N ««*«*•. ™&-^i&t^%tttss?!s?M OUT LOG «"""< *.***«» « 9 ,».,.
DATE OUT













[» DOCUMENT CON
TBOL NO 'CO'» NO













NO
'AGES













DESCRIPTION


























FEDERAL ACENCV.
CONGRESS. COURT


























RECIPIENT


























OCO
INITIAL













"ECEiPT













DATE
RETURNED













lK.i1
INITIAL













   EPA Form 7710-13 (Rev. 9-811 Previous edition it obsolete.

-------