9500-01 OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE Privacy Act of 1974; System of Records AGENCY: Office of the Director of National Intelligence (ODNI), National Counterintelligence and Security Center (NCSC). ACTION: Notice of a modified system of records. SUMMARY: ODNI provides notice of a modified Privacy Act system of records at the NCSC. This notice modifies the system of records ODNI/NCSC-003, Continuous Evaluation Records. This modified notice is necessary to inform the public of revisions to the notice summary; supplementary information; system management; authority for maintenance of the system; purpose of the system; categories of individuals covered by the system; categories of records in the system; record source categories; routine uses of records maintained in the system; policies and practices for storage of records; policies and practices for retrieval of records; and policies and practices for retention and disposal of records. This modified notice for ODNI/NCSC-003, Continuous Evaluation Records, incorporates requirements established by Executive Order (EO) 13467, as amended. These updates to this notice complement efforts of Continuous Vetting (CV), a program under the EO which entails reviewing the background of a covered individual at any time to determine whether that individual continues to meet applicable requirements. Continuous Evaluation (CE) was developed to reduce risk by using automated records checks to generate alerts of potential security concerns on an individual between periodic reinvestigations. CV is a more robust approach that builds upon the automated records checks of CE and adds other agency-specific information and investigative activity as necessary. DATES: Comments on this proposed modified system of records must be submitted by July 25, 2024. This modified System of Records Notice will go into effect thirty days after the date of publication in the Federal Register, unless changes are required as a result of public comment, per OMB A-108, Section 6(e). ADDRESSES: You may submit comments by any of the following methods: Federal eRulemaking Portal: http://www.regulations.gov Mail: Director, Information Management Office, Chief Operating Officer, Office of the Director of National Intelligence (ODNI), Washington, DC 20511. FOR FURTHER INFORMATION CONTACT: Rebecca J. Richards, Civil Liberties Protection Officer, Office of the Director of National Intelligence, (301) 243-0210, at the addresses provided above. SUPPLEMENTARY INFORMATION: Updates to ODNI/NCSC-003, Continuous Evaluation Records, include 1) expanding the population of individuals covered by the system to encompass all covered individuals as defined by EO 13467, as amended; 2) adding personnel vetting surveys as a data source for enrollees; and 3) adding a new routine use for disclosure of records for oversight purposes to the Suitability and Credentialing Executive Agent programs, or successor programs, in the Office of Personnel Management. This SORN also includes select routine uses published in the ODNI rule implementing the Privacy Act subpart C of ODNI's Privacy Act Regulation published at 32 CFR part 1701 (73 FR 16531, 16541). EO 13467, as amended, requires all covered individuals to be subject to CV under standards as determined by the Security Executive Agent and the Suitability and Credentialing Executive Agent. The EO also requires alignment using consistent standards, to the extent possible, of executive branch vetting policies and procedures relating to (1) eligibility for access to classified information; (2) eligibility to hold a sensitive position; (3) suitability; (4) contractor or Federal employee fitness; and (5) authorization to be issued a Federal credential for access to federally controlled facilities and information systems. Previously, the categories of individuals covered by the system only included executive branch employees, detailees, contractors, and other sponsored individuals determined to be eligible for access to classified information; eligible to hold a sensitive position; and applicants seeking employment with the executive branch in a position that requires a determination of eligibility for access to classified information or to hold a sensitive position. Individuals who held or applied for non-sensitive positions in the executive branch completed an initial vetting process and were subject to periodic reinvestigations, where applicable, but did not undergo CV. With the issuance of this SORN revision, the category of individuals covered by ODNI/NCSC003, Continuous Evaluation Records, has been expanded to include individuals who hold or who applied for non-sensitive positions in the executive branch. EO 13467, as amended, defines covered individual as “a person who performs, or who seeks to perform, work for or on behalf of the executive branch (e.g., Federal employee, military member, or contractor), or otherwise interacts with the executive branch such that the individual must undergo vetting, but does not include: (i) the President or (except to the extent otherwise directed by the President) employees of the President under section 105 or 107 of Title 3, United States Code; or (ii) the Vice President or (except to the extent otherwise directed by the Vice President) employees of the Vice President under section 106 of Title 3 or annual legislative branch appropriations acts.†The inclusion of all covered individuals, as defined by EO 13467, as amended, in the category of individuals covered by ODNI/NCSC-003, Continuous Evaluation Records, permits the use of automated records checks available through the system to fulfill the requirements of CV established by the Federal Personnel Vetting Investigative Standards. Additionally, the inclusion of all covered individuals, as defined by EO 13467, as amended, in the category of individuals covered by the system enhances national security, promotes greater mobility amongst the trusted workforce, and ensures department and agency (D/A) compliance with applicable laws and vetting-related policies. ODNI/NCSC-003, Continuous Evaluation Records, retains the covered individual’s enrollment information, which includes personal identifiers provided by the subscribing agency to facilitate ongoing automated records checks for enrollees, as well as other personnel vetting status information, previous investigative products, and records documenting suitability evaluations and decisions. This revised notice adds as a records source personnel vetting surveys required by the Federal Personnel Vetting Investigative Standards. Applicants do not complete a personnel vetting survey. Personnel vetting surveys are periodic information collections from the covered individual and his/her supervisor(s) to inform ongoing consideration of potential risk, promote timely detection of behaviors of concern, and address potential issues or provide assistance before risks escalate. Employment applicants receive one-time checks of securityrelevant information, are not enrolled for ongoing record checks, and personal identifiers and records returned for applicants are retained in the system only for the duration of their initial vetting. Records of applicants who are not hired will not be kept beyond the initial vetting process. Records returned from checks for any enrollee will be retained in accordance with an approved record control schedule. Data necessary to implement business rules, to perform program assessments, and to satisfy auditing requirements will be retained. D/As using ODNI/NCSC-003, Continuous Evaluations Records, must adhere to the principles articulated in the Federal Personnel Vetting Guidelines, the Federal Personnel Vetting Investigative Standards, subsequent implementation guidance, Security Executive Agent Issuances (when applicable), and other policy issuances. The modified routine uses will be effective 30 days after publication, unless they need to be changed as a result of public comment, per OMB A-108, Section 6(e). The system provides the technical capability to conduct automated record checks pursuant to the National Security Act of 1947, as amended; The National Defense Authorization Act for Fiscal Year 2018, section 925, Public Law 115-91; 5 U.S.C. 11001 (Enhanced Personnel Security Programs); 5 U.S.C. 1104 (Delegation of Authority for Personnel Management); 5 U.S.C. 3301 (Civil Service; Generally); Executive Order 10577, as amended (Amending the Civil Service Rules and Authorizing a New Appointment System for the Competitive Service); Executive Order 12333, as amended (United States Intelligence Activities); Executive Order 12968, as amended (Access to Classified Information); Executive Order 13467, as amended, (Reforming Processes Related to Suitability for Government Employment, Fitness for Contractor Employees, and Eligibility for Access to Classified National Security Information); Executive Order 13764 (Amending the Civil Service Rules, Executive Order 13488, and Executive Order 13467 to Modernize the Executive Branch-Wide Governance Structure and Processes for Security Clearances, Suitability and Fitness for Employment, and Credentialing, and Related Matters); Executive Order 13488, as amended (Granting Reciprocity on Excepted Service and Federal Contractor Employee Fitness and Reinvestigating Individuals in Positions of Public Trust); and Executive Order 13869 (Transferring Responsibility for Background Investigations to the Department of Defense). To protect classified and sensitive personnel or law enforcement information covered by this system of records, the Director of National Intelligence (DNI) has exempted this system from certain requirements of the Privacy Act where necessary, as permitted by law. By previously established rule, the DNI may exempt records contained in this system of records from the requirements of subsections (c)(3), (d)(1), (d)(2), (d)(3), (d)(4), (e)(1), (e)(4)(G), (H), (I), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(1), (k)(2) and (k)(5). Additionally, the DNI may exercise derivative exemption authority by preserving the exempt status of records received from providing agencies when the reason for exemption remains valid. See 32 CFR part 1701.20 (a)(2) (73 FR 16531, 16537). SYSTEM NAME AND NUMBER: ODNI/NCSC-003, Continuous Evaluation Records SECURITY CLASSIFICATION: The classification of records in this system ranges from UNCLASSIFIED to TOP SECRET. SYSTEM LOCATION: Office of the Director of National Intelligence (ODNI), National Counterintelligence and Security Center (NCSC), Washington, DC 20511. SYSTEM MANAGER(S): Assistant Director, Mission Capabilities Directorate, ODNI/NCSC, Washington, DC 20511. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: The Intelligence Reform and Terrorism Prevention Act of 2004, Public Law 108-458, 118 Stat. 3638; the National Security Act of 1947, 50 U.S.C. 3023 et seq., as amended; the Counterintelligence Enhancement Act of 2002, 50 U.S.C. 3382, as amended; 5 U.S.C. 1104; 5 U.S.C. 3301; 5 U.S.C 11001; The National Defense Authorization Act for Fiscal Year 2018, Section 925, Public Law 115-91; Executive Order 10577, as amended; Executive Order 12333, as amended; Executive Order 12968, as amended; Executive Order 13467, as amended; Executive Order 13549; Executive Order 13764; Executive Order 13488, as amended; and Executive Order 13869. PURPOSE(S) OF THE SYSTEM: Records in this system of records are collected for the purpose of performing initial vetting of applicants and continuous vetting of enrollees. Vetting is accomplished by electronically comparing an individual's identifying data against U.S. Government databases (e.g., financial, law enforcement, terrorism, foreign travel, and clearance status) and commercial public records databases (e.g., civil, criminal, and tax information), as well as reviewing credit bureau data (e.g., credit reports) and background investigative records collected as part of personnel vetting (e.g., personnel vetting surveys). These comparisons and reviews serve to identify personnel vetting-relevant conduct, practices, activities, or incidents that personnel vetting officials use to evaluate an employment applicant’s initial and an enrollee’s continued eligibility to perform work for or on behalf of the executive branch. Evaluations by personnel vetting officials include determinations of suitability for Federal government employment; eligibility for logical and physical access to facilities and networks; eligibility for access to classified information; eligibility to hold a sensitive position; and fitness to perform work for or on behalf of the Federal government as a contractor employee. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: Individuals covered by the system include “covered individuals†as defined in EO 13467, as amended. A covered individual is “a person who performs, or who seeks to perform, work for or on behalf of the executive branch (e.g., Federal employee, military member, or contractor), or otherwise interacts with the executive branch such that the individual must undergo vetting, but does not include: (i) the President or (except to the extent otherwise directed by the President) employees of the President under section 105 or 107 of Title 3, United States Code; or (ii) the Vice President or (except to the extent otherwise directed by the Vice President) employees of the Vice President under section 106 of Title 3 or annual legislative branch appropriations acts.†CATEGORIES OF RECORDS IN THE SYSTEM: This system maintains: (i) Biographic enrollment data including name, date and place of birth, Social Security number, gender, current address, other first or last names, prior address(es), personal email address(es), personal phone numbers, passport information, employment type (contractor/government) or other status, and; (ii) data returned from or about the automated record checks conducted against current clearance status information and against financial, law enforcement, credit, terrorism, foreign travel, and commercial databases; and (iii) personnel vetting surveys as required by CV. RECORD SOURCE CATEGORIES: Record source categories include department and agency enrollment information about covered individuals under EO 13467, as amended; government-owned databases; credit and commercial entities; and providers of aggregated public source data. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES: In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act of 1974, as amended, these records may specifically be disclosed outside ODNI as a routine use pursuant to 5 U.S.C. 552a(b)(3) and in accordance with the following routine uses, including select routine uses published in the ODNI rule implementing the Privacy Act Subpart C of ODNI's Privacy Act Regulation published at 32 CFR part 1701 (73 FR 16531, 16541): (a) Except as noted on Standard Forms 85, 85P and 86 or the successor personnel vetting questionnaire and supplemental forms thereto (questionnaires for employment within the Federal government), a record that on its face or in conjunction with other information indicates or relates to a violation or potential violation of law, whether civil, criminal, administrative, or regulatory in nature, and whether arising by general statute, particular program statute, regulation, rule, or order issued pursuant thereto, may be disclosed as a routine use to an appropriate federal, state, territorial, tribal, local law enforcement authority, foreign government, or international law enforcement authority, or to an appropriate regulatory body charged with investigating, enforcing, or prosecuting such violations. (b) A record from a system of records maintained by ODNI may be disclosed as a routine use, subject to appropriate protections for further disclosure, in the course of presenting information or evidence to an administrative law judge or to the presiding official of an administrative board, panel or other administrative body. (c) A record from a system of records maintained by ODNI may be disclosed as a routine use to representatives of the Department of Justice or any other entity responsible for representing the interests of ODNI in connection with potential or actual civil, criminal, administrative, judicial or legislative proceedings or hearings, for the purpose of representing or providing advice to: (1) ODNI, or any component thereof; (2) any employee of ODNI in his or her official capacity; (3) any employee of ODNI in his or her individual capacity where the employee has submitted a request for representation by the United States or for reimbursement of expenses associated with retaining counsel, or; (4) the United States or another Federal agency, when the United States or the agency is a party to such proceeding and the record is relevant and necessary to such proceeding; provided, however, that in each case, the agency determines that disclosure of the records to the Department of Justice is a use of the information contained in the records that is compatible with the purpose for which the records were collected. (d) A record from this system of records may be disclosed as a routine use in a proceeding before a court, magistrate, special master, or adjudicative body when any of the following is a party to litigation or has an interest in such litigation, and ODNI, Office of General Counsel, determines that use of such records is relevant and necessary to the litigation: ODNI; any staff of ODNI in his or her official capacity; any staff of ODNI in his or her individual capacity where the Department of Justice has agreed to represent the staff or has agreed to provide counsel at government expense; or the United States or another D/A, where ODNI, Office of General Counsel, determines that litigation is likely to affect ODNI. (e) A record from this system of records may be disclosed as a routine use to representatives of the Department of Justice and other U.S. Government entities, to the extent necessary to obtain advice on any matter within the official responsibilities of such representatives and the responsibilities of ODNI. (f) A record from this system of records may be disclosed as a routine use to a Federal, state or local agency or other appropriate entities or individuals from which/whom information may be sought relevant to: a decision concerning the hiring or retention of an employee or other personnel action; the issuing or retention of a security clearance or special access, contract, grant, license, or other benefit; or the conduct of an authorized investigation or inquiry, to the extent necessary to identify the individual, inform the source of the nature and purpose of the inquiry, and identify the type of information requested. (g) A record from this system of records may be disclosed as a routine use to any Federal, state, local, tribal or other public authority, or to a legitimate agency of a foreign government or international authority to the extent the record is relevant and necessary to the other entity's decision regarding the hiring or retention of an employee or other personnel action; the issuing or retention of a security clearance or special access, contract, grant, license, or other benefit; or the conduct of an authorized inquiry or investigation. (h) A record from this system of records may be disclosed to the Office of Management and Budget in connection with the review of private relief legislation, as set forth in Office of Management and Budget Circular No. A-19, at any stage of the legislative coordination and clearance process as set forth in the Circular. (i) A record from this system of records may be disclosed as a routine use to any agency, organization, or individual for authorized audit operations, and for meeting related reporting requirements, including disclosure to the National Archives and Records Administration for records management inspections and such other purposes conducted under the authority of 44 U.S.C. 2904 and 2906, or successor provisions. (j) A record from this system of records may be disclosed as a routine use pursuant to Executive Order to the President's Foreign Intelligence Advisory Board, the President's Intelligence Oversight Board, to any successor organizations, and to any intelligence oversight entity established by the President, when the Office of the General Counsel or the Office of the Inspector General determines that disclosure will assist such entities in performing their oversight functions and that such disclosure is otherwise lawful. (k) A record from this system of records may be disclosed as a routine use to contractors, grantees, experts, consultants, or others when access to the record is necessary to perform the function or service for which they have been engaged by ODNI. (l) A record from this system of records may be disclosed as a routine use to legitimate foreign, international, or multinational security, investigatory, law enforcement or administrative authorities in order to comply with requirements imposed by, or to claim rights conferred in, formal agreements and arrangements to include those regulating the stationing and status in foreign countries of Department of Defense military and civilian personnel. (m) A record from this system of records may be disclosed as a routine use to any Federal D/A when documents or other information obtained from that D/A are used in compiling the record and the record is relevant to the official responsibilities of that D/A, provided that disclosure of the recompiled or enhanced record to the source agency is otherwise authorized and lawful. (n) A record from this system of records may be disclosed as a routine use to appropriate agencies, entities, and persons when: the security or confidentiality of information in the system of records has or may have been compromised; and the comprise may result in economic or material harmto individuals (e.g., identify theft or fraud) or harm to the security or integrity of the affected information or information technology systemsor programs(whether or not belonging to ODNI) they rely upon the compromised information; and disclosure is necessary to enable ODNI to address te cause(s) of the compromise and to prevent, minimize, or remedy potential harm resulting from the compromise. (o) A record from this system of records may be disclosed as a routine use for the purpose of conducting or supporting authorized counterintelligence activities as defined by section 3003(3) of the National Security Act of 1947, as amended, to elements of the Intelligence Community, as defined by section 3003(4) of the National Security Act of 1947, as amended; to the head of any Federal D/A; and to selected counterintelligence officers within the Federal government. (p) A record from this system of records may be disclosed as a routine use to a Federal, state, local, tribal, territorial, foreign, or multinational government agency or entity, or to other authorized entities or individuals, but only if such disclosure is undertaken in furtherance of responsibilities conferred by, and in a manner consistent with, the National Security Act of 1947, as amended; the Counterintelligence Enhancement Act of 2002, as amended; Executive Order 12333 or any successor order together with its implementing procedures approved by the Attorney General; and other provisions of law, Executive Order or directive relating to national intelligence or otherwise applicable to ODNI. This routine use is not intended to supplant the other routine uses published by ODNI. (q) A record from this system of records may be disclosed as a routine use to any Federal D/A that has provided enrollment data for employees or applicants to ODNI for purposes of conducting personnel vetting when records obtained by ODNI are relevant to the subscribing D/A's adjudication of the covered individual’s eligibility to perform work for or on behalf of the executive branch. (r) A record from this system of records may be disclosed as a routine use to appropriate agencies, entities, and persons when: (1) ODNI suspects or has confirmed that there has been a breach of the system of records; (2) ODNI has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, ODNI (including its information systems, programs, and operations), the federal government, or national security, and; (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Department's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. (s) A record from this system of records may be disclosed as a routine use to another Federal agency or Federal entity, when ODNI determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk ofharm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach. (t) A record from this system of records may be disclosed for oversight purposes as a routine use to the Suitability and Credentialing Executive Agent programs, or successor programs, in the Office of Personnel Management. Records disclosed pursuant to this routine use must be narrowly focused to encompass only information pertaining to automated records checks in support of authorized Investigative Service Providers conducting personnel vetting activities. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Electronic records are stored in secure fileservers located in government-managed facilities on secure private cloudbased systems that are connected only to a government network. Paper records are stored in secured areas of facilities within the control of the federal government. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: The records in this system are retrieved by name, Social Security number, or other unique identifier. Information may be retrieved from this system of records by automated capabilities used in the normal course of business. All searches of this system of records are performed by authorized executive branch vetting personnel. POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: Pursuant to 44 U.S.C. 3303a(d) and 36 CFR chapter 12, subchapter B—Records Management, records in ODNI/NCSC-003, Continuous Evaluation Records are covered by the National Archives and Records Administration (NARA) General Records Schedule (GRS) 5.6, Security Records. All records in ODNI/NCSC-003, Continuous Evaluation Records will be retained and disposed of according to the applicable NARA GRS provisions. Personal identifiers and records returned for applicants are retained in the system for the duration of their initial vetting. Biographic data and data about protecting and accessing information will be retained consistent with the Privacy Act of 1974, 5 U.S.C. 552a, and GRS 4.2, Information Access and Protection Records. Records about security data and information systems are listed in GRS 3.2, Information Systems Security Records. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Information in this system is safeguarded in accordance with recommended and/or prescribed administrative, physical, and technical safeguards. Records are maintained in secure government-managed facilities with access limited to authorized personnel. Physical security protections include guards and locked facilities requiring badges and passwords for access. Records are accessed only by current government-authorized personnel whose official duties require access to the records. Electronic authorization and authentication of users is required at all points before any system information can be accessed. Communications are encrypted where required and other safeguards are in place to monitor and audit access, and to detect intrusions. System backup is maintained separately. RECORD ACCESS PROCEDURES: As specified below, records in this system have been exempted from certain notification, access, and amendment procedures. A request for access shall be made in writing with the envelope and letter clearly marked “Privacy Act Request.†Requesters shall provide their full name and complete address. The requester must sign the request and have it verified by a notary public. Alternately, the request may be submitted under 28 U.S.C. 1746, certifying the requester's identity and understanding that obtaining a record under false pretenses constitutes a criminal offense. Requests for access to information must be addressed to the Director, Information Management Office, Chief Operating Officer, Office of the Director of National Intelligence, Washington, DC 20511. Regulations governing access to one's records or for appealing an initial determination concerning access to records are contained in the ODNI regulation implementing the Privacy Act, 32 CFR part 1701 (73 FR 16531). CONTESTING RECORD PROCEDURES: As specified below, records in this system are exempt from certain notification, access, and amendment procedures. Individuals seeking to correct or amend non-exempt records should address their requests to ODNI at the address and according to the requirements set forth above under the heading “Record Access Procedures.†Regulations governing access to and amendment of one's records or for appealing an initial determination concerning access or amendment of records are contained in the ODNI regulation implementing the Privacy Act, 32 CFR part 1701 (73 FR 16531). NOTIFICATION PROCEDURES: As specified below, records in this system are exempt from certain notification, access, and amendment procedures. Individuals seeking to learn whether this system contains non- exempt information about them should address inquiries to ODNI at the address and according to the requirements set forth above under the heading “Record Access Procedures.†EXEMPTIONS PROMULGATED FOR THE SYSTEM: The Privacy Act authorizes ODNI to exempt records contained in this system of records from the requirements of subsections (c)(3), (d)(1), (d)(2), (d)(3), (d)(4), (e)(1), (e)(4)(G), (H), (I), and (f) of the Privacy Act pursuant to 5 U.S.C. 552a(k)(1), (k)(2) and (k)(5). In addition, pursuant to published rule, ODNI may derivatively exempt records from other agencies in this system from the requirements of the subsections listed above, as well as subsections (c)(4), (e)(2), (e)(3), (e)(5), (e)(8), (e)(12), and (g) of the Privacy Act consistent with any exemptions claimed under 5 U.S.C. 552a(j) or (k) by the originator of the record, provided the reason for the exemption remains valid and necessary. HISTORY: This is a revision to an existing ODNI/NCSC system of records, ODNI/NCSC-003, Continuous Evaluation Records, 86 FR 61325 (Nov. 05, 2021). In accordance with 5 U.S.C. 552(r), ODNI has provided a report of this revision to the Office of Management and Budget and to Congress. Dated: June 24, 2024. Rebecca (“Beckyâ€) Richards, Civil Liberties Protection Officer, Office of the Director of National Intelligence. BILLING CODE 9500-01-P-P [FR Doc. 2024-14297 Filed: 6/27/2024 8:45 am; Publication Date: 6/28/2024]