Attachment C: TSCA Confidential Business Information Security Manual

Request for Contractor Access to TSCA Confidential Business Information (CBI)

OMB: 2070-0075

TSCA CBI Protection Manual

United States Environmental Protection Agency
Office of Pollution Prevention and Toxics (7407 M)
Washington, DC 20460

October 20, 2003
7700Al

Table of Contents - Summary [See Detailed Contents below]

PREFACE
GUIDING PRINCIPLES

CHAPTER 1: References
1.1 ABBREVIATIONS AND ACRONYMS
1.2 GLOSSARY
1.3 LIST OF APPENDICES

CHAPTER 2: TSCA CBI Access
2.0 INTRODUCTION
2.1 TSCA CBI ACCESS FOR FEDERAL EMPLOYEES: CERTIFICATION, MAINTENANCE, SUSPENSION, AND TERMINATION
2.2 TSCA CBI ACCESS FOR CONTRACTORS AND CONTRACTOR EMPLOYEES: CERTIFICATION, MAINTENANCE, TERMINATION AND INDUSTRY NOTICE
2.3 TSCA CBI ACCESS CERTIFICATION FOR OTHER FEDERAL AGENCIES
2.4 REQUESTS FROM CONGRESS OR THE GENERAL ACCOUNTING OFFICE (GAO)

CHAPTER 3: TSCA CBI Responsibilities
3.0 INTRODUCTION
3.1 EMPLOYEE RESPONSIBILITIES
3.2 MANAGER RESPONSIBILITIES
3.3 DCO RESPONSIBILITIES
3.4 EAD AND IMD ANNUAL REVIEW

CHAPTER 4: TSCA CBI Document Management
4.0 INTRODUCTION
4.1 RECEIPT OF TSCA CBI
4.2 DOCUMENT TRACKING SYSTEM (DTS) REQUIREMENTS
4.3 STORING TSCA CBI
4.4 TSCA CBI DOCUMENTS
4.5 REPRODUCING TSCA CBI
4.6 TRANSFERRING, TRANSFER RECORD-KEEPING, AND TRANSMITTING TSCA CBI
4.7 USING AND HANDLING TSCA CBI
4.8 USING COMPUTERS TO WORK WITH TSCA CBI
4.9 DESTRUCTION OF TSCA CBI

CHAPTER 5: Procedures Violations, Missing Documents and Unauthorized Disclosures
5.0 INTRODUCTION
5.1 EMPLOYEE REPORTING PROCEDURES
5.2 REPORT OF VIOLATIONS TO TSS
5.3 CORRECTIVE ACTION AND PENALTY GUIDELINES
5.4 OPPT DIRECTOR AS ARBITER

Table of Contents - Detailed

PREFACE
GUIDING PRINCIPLES

CHAPTER 1: References
1.1 ABBREVIATIONS AND ACRONYMS
1.2 GLOSSARY
1.3 LIST OF APPENDICES

CHAPTER 2: TSCA CBI Access
2.0 INTRODUCTION
2.1 TSCA CBI ACCESS FOR FEDERAL EMPLOYEES: CERTIFICATION, MAINTENANCE, SUSPENSION, AND TERMINATION
    2.1.1 Re-Certification For Federal Employees
        2.1.1.1 Document Audit
        2.1.1.2 Time For Re-Certifying
    2.1.2 Failure to Maintain Access Certification
        2.1.2.1 Suspension and Termination
    2.1.3 Suspension of Log-Out Privileges
    2.1.4 EPA Employee Transfers
        2.1.4.1 Supervisors' Responsibilities When Employee Transfers
    2.1.5 TSCA CBI Access Termination for Federal Employees
        2.1.5.1 TSCA CBI Access Termination Procedures: Federal Employees
            (a) DCO And Supervisor Responsibilities For Access Termination
            (b) OPPT DCO Responsibilities For Access Termination
    2.1.6 Unaccounted For Documents
2.2 TSCA CBI ACCESS FOR CONTRACTORS AND CONTRACTOR EMPLOYEES: CERTIFICATION, MAINTENANCE, TERMINATION AND INDUSTRY NOTICE
    2.2.1 Determination of TSCA CBI Access for Contractors
    2.2.2 Approval for TSCA CBI Access or Expedited Approval for Immediate Access
    2.2.3 Rules for Contractors
    2.2.4 Notice to Affected Businesses Prior To Granting Access
    2.2.5 Requirement for Contractor DCO
    2.2.6 TSCA CBI Certification for Contractor Employees
    2.2.7 Initial Certification for Contractor Employees
    2.2.8 National Agency Check & Inquiries (NACI)
    2.2.9 TSCA CBI Re-Certification for Contractor Employees
        2.2.9.1 Document Audit
        2.2.9.2 Time for Re-Certifying
    2.2.10 Failure to Maintain Access Certification for Contractor Employees
    2.2.11 TSCA CBI Access Termination: Contractor Employees
        2.2.11.1 TSCA CBI Access Termination Procedures: Contractor Employees
        2.2.11.2 Unaccounted For Documents
    2.2.12 Change in Corporate Status
2.3 TSCA CBI ACCESS CERTIFICATION FOR OTHER FEDERAL AGENCIES
    2.3.1 Procedures for Other Federal Agencies to Obtain TSCA CBI Access
    2.3.2 Notice to Affected Businesses
    2.3.3 Security Requirements at Other Federal Agencies
2.4 REQUESTS FROM CONGRESS OR THE GENERAL ACCOUNTING OFFICE (GAO)

CHAPTER 3: TSCA CBI Responsibilities
3.0 INTRODUCTION
3.1 EMPLOYEE RESPONSIBILITIES
    3.1.1 Personal Accountability
    3.1.2 Assuring Adequate TSCA CBI Protection
    3.1.3 Reporting Procedural Violations
    3.1.4 Document Accountability
    3.1.5 TSCA CBI Procedure Accountability
    3.1.6 Return TSCA CBI Document
    3.1.7 Determination of TSCA CBI
    3.1.8 Receipt of Possible CBI
3.2 MANAGER RESPONSIBILITIES
    3.2.1 Assigning DCO and ADCO
3.3 DCO RESPONSIBILITIES
    3.3.1 DCOs and Alternate DCOs
    3.3.2 Maintaining a Document Tracking System (DTS)
    3.3.3 Transfer of TSCA CBI
    3.3.4 Receiving TSCA CBI
    3.3.5 Proper Storage of TSCA CBI
    3.3.6 Records of Lock-Combinations
    3.3.7 Conditions For Changing Lock Combinations
    3.3.8 Updating The TSCA CBI Authorized Access List
    3.3.9 Monitoring And Controlling Release of TSCA CBI
    3.3.10 Overdue Materials: Monitoring And Notification
    3.3.11 DCO Guidance In Identifying And Sanitizing CBI Documents
    3.3.12 TSCA CBI Audits
        3.3.12.1 Federal DCOs And The Confidential Business Information Center (CBIC)
            (a) Comprehensive Audits of Entire Collection
            (b) Transaction Audits
            (c) DCO Transition Audits
        3.3.12.2 Contractor DCOs
            (a) Comprehensive Audits of Entire Collection
            (b) Contract close-out Audits
    3.3.13 Termination Of Employment Or Status For DCO
3.4 EAD AND IMD ANNUAL REVIEW

CHAPTER 4: TSCA CBI Document Management
4.0 INTRODUCTION
4.1 RECEIPT OF TSCA CBI
    4.1.1 Incoming TSCA CBI
    4.1.2 Personal File Copies - New Chemicals Program (OPPT-CCD)
    4.1.3 Supplemental Filings - New Chemicals Program (OPPT-CCD)
    4.1.4 Processing Newly Received TSCA CBI
        4.1.4.1 CBI Fax Transmission From Industry
    4.1.5 TSCA CBI Claims That Appear Unwarranted
4.2 DOCUMENT TRACKING SYSTEM (DTS) REQUIREMENTS
    4.2.1 Use of an Automated Document Tracking System (DTS)
    4.2.2 Use of a Manual Document Tracking System (DTS)
        4.2.2.1 Receipt Log
        4.2.2.2 Inventory Log
4.3 STORING TSCA CBI
    4.3.1 Secure Storage Areas (SSAs)
        4.3.1.1 Entering An SSA With An Electronic Access Card (EAC)
        4.3.1.2 Entering an SSA Without An Electronic Access Card
        4.3.1.3 Entering An SSA With Expired Certification
        4.3.1.4 Grantees And Interns In SSAs
        4.3.1.5 Visitors In SSAs
        4.3.1.6 Custodian, Maintenance and Delivery Persons in SSAs
        4.3.1.7 DCOs And SSAs
        4.3.1.8 Using TSCA CBI Outside An SSA
    4.3.2 Required Storage Containers
    4.3.3 Storing TSCA CBI At Other Locations
        4.3.3.1 Storing Of TSCA CBI While Traveling
        4.3.3.2 Storing and Working with TSCA CBI in a Personal Residence
    4.3.4 Employee Absence and Storage of TSCA CBI
4.4 TSCA CBI DOCUMENTS
    4.4.1 New CBI Documents
    4.4.2 Working Papers
        4.4.2.1 When Working Papers Become Subject to Tracking
        4.4.2.2 Destroying Working Papers
    4.4.3 When CBI Documents Are No Longer CBI
    4.4.4 Aggregating CBI
    4.4.5 Declassifying CBI Documents
    4.4.6 TSCA CBI Document Submitters: Dropping a Claim
4.5 REPRODUCING TSCA CBI
    4.5.1 Managing TSCA CBI Copies
    4.5.2 Copying CBI Outside SSAs
4.6 TRANSFERRING, TRANSFER RECORD-KEEPING, AND TRANSMITTING TSCA CBI
    4.6.1 Transferring Hard Copy TSCA CBI
        4.6.1.1 Procedures For Sending Or Receiving TSCA CBI
        4.6.1.2 Preparing CBI For Mailing
        4.6.1.3 Transferring TSCA CBI to Another Facility
        4.6.1.4 Transferring TSCA CBI to Industry
    4.6.2 Hard Copy TSCA CBI Transfer Record-Keeping
        4.6.2.1 Record-Keeping For Permanent Transfer
        4.6.2.2 Record-Keeping For Temporary Transfers Within A Facility
    4.6.3 Transmitting TSCA CBI Electronically
        4.6.3.1 Transmitting TSCA CBI By Telephone
        4.6.3.2 Transmitting TSCA CBI by Fax
        4.6.3.3 Transmitting TSCA CBI By E-mail
        4.6.3.4 Transmitting TSCA CBI By Tele-Video Conference
4.7 USING AND HANDLING TSCA CBI
4.8 USING COMPUTERS TO WORK WITH TSCA CBI
    4.8.1 Prohibition
    4.8.2 TSCA CBI Computers Must Be Separate From Public Networks
    4.8.3 Registration is Required to Use CBI Computer Systems
    4.8.4 Using Portable Computers (Laptops and Handheld Devices)
    4.8.5 Disposing of Computers Formerly Used for TSCA CBI
    4.8.6 Modems
    4.8.7 TSCA CBI Data Processed Only Within SSAs
    4.8.8 Printing CBI Information
    4.8.9 Storing CBI on Magnetic Media
    4.8.10 Disposing of TSCA CBI Computer Disks
    4.8.11 Security for TSCA CBI Data Stored on Contractor's Off-site Computer
4.9 DESTRUCTION OF TSCA CBI
    4.9.1 Procedures for Destroying TSCA CBI
    4.9.2 Destruction Methods
    4.9.3 Destruction Record-Keeping
    4.9.4 Disposition of CBI Cover Sheets
    4.9.5 Contracts Involving TSCA CBI

CHAPTER 5: Procedures Violations, Unaccounted For Documents and Unauthorized Disclosures
5.0 INTRODUCTION
5.1 EMPLOYEE REPORTING PROCEDURES
    5.1.1 Oral Report
    5.1.2 Written Report
5.2 REPORT OF VIOLATIONS TO TSS
    5.2.1 TSS Investigation
    5.2.2 Oral Notice to Submitter
    5.2.3 Report of Investigation (ROI)
    5.2.4 Company Notification of Improper Disclosure: EAD Director
    5.2.5 Company Notification of Documents Unaccounted for: EAD Director
    5.2.6 Referral to the Inspector General
    5.2.7 Annual Security Report
5.3 CORRECTIVE ACTION AND PENALTY GUIDELINES
    5.3.1 Responsibility for Monitoring Compliance With Protection Manual
    5.3.2 Violations by Federal Employees
    5.3.3 Violations by Contractor Employees
5.4 OPPT DIRECTOR AS ARBITER

PREFACE 

This Manual applies to all federal employees, contractors, and contractor
employees with access to information claimed as Toxic Substances Control
Act (TSCA) Confidential Business Information (CBI) in connection with
either their official duties or with a TSCA-related government contract, as
stated in Section 14(a) of TSCA.

This Manual does not apply to other persons, including submitters to the
Agency of TSCA CBI, nor purport in any way to set rules regarding how
information must be submitted to the Agency or otherwise handled by
those persons.

The following general subjects correspond to the chapters in this Manual:

• Steps necessary to become authorized for access to TSCA CBI.
• Relative roles and responsibilities regarding TSCA CBI.
• Steps for use and protection of TSCA CBI.
• Procedures in cases of lost or improperly disclosed TSCA CBI.

The provisions in this Manual are designed to protect the confidential
information entrusted to the Federal Government, and to ensure that employees
and contractors are aware of the importance of adhering to the procedures of
handling TSCA CBI, their personal responsibilities in doing so, and the
consequences for failing to do so. When situations and circumstances not
specifically addressed in this Manual arise, the obligation to protect TSCA
CBI materials entrusted to EPA continues and must be ensured. For these
unspecified instances, additional protections may be recommended or required
at the appropriate time.

Most TSCA CBI is stored and handled at Environmental Protection Agency
(EPA) Headquarters in the TSCA Confidential Business Information Center
(CBIC). When necessary, EPA approves storing and handling of CBI at other
Headquarters locations as well as facilities such as EPA Regional Offices,
other federal agencies, and contractor facilities. Some differences in security
and control procedures may be necessary depending on local circumstances.
Any such differences, however, must be approved in writing by the Director
of the EPA’s Office of Pollution Prevention and Toxics (OPPT) Information
Management Division (IMD).

Information coming to the Agency pursuant to the Lead-Based Paint Real
Estate Notification and Disclosure Rule (40 C.F.R. Part 745, Subpart F) will
be exempted from the requirements of this Manual once a replacement security
plan has been developed and approved by the OPPT Director. This
replacement security plan may be accessed by contacting the OPPT DCO. A
replacement security plan approved by the OPPT Director is binding upon
Federal and contractor employees handling Residential Lead Disclosure CBI.
Please be aware that approval of a replacement security plan does not exempt
this information from the requirements of EPA confidentiality regulations at
40 CFR Part 2, Subpart B.

The provisions of this Manual are intended to apply in all situations. From
time to time, however, extraordinary circumstances may arise presenting the
need for a change from a prescribed procedure. In such cases, the appropriate
divisional or other regional managers may apply directly in writing to the IMD
Director for an exception. In examining the justification for the requested
exception, the IMD Director will, in his/her judgment, decide whether to grant
the request, in full or in part, including any conditions deemed appropriate.

This Manual is a “living” document. That is, its development and
interpretation are continuing in nature, and the Manual will be amended as
the need arises. This Manual may not appear to fit some situations, or the
provisions within it may not seem to include every scenario, contingency, or
specialized case. In these situations, please call the OPPT DCO or the OPPT
IMD Attorney Advisor for special guidance or clarification.

GUIDING PRINCIPLES

You have a responsibility to protect the information claimed as TSCA CBI.
Any document that contains TSCA CBI which you receive, retain, create, or
give to another must be protected. This is integral to your work.

The Agency tracks all documents in its possession and you, as a TSCA CBI
cleared individual, are required to undergo an annual audit of all TSCA CBI
entrusted to you by the Agency. Working papers must be individually tracked
when not in direct possession of the creator and otherwise protected until
destroyed.

You can only discuss or disseminate TSCA CBI with persons you know are
authorized for access to TSCA CBI.

If you think you may have a TSCA CBI issue or problem, you should talk with
your manager about it immediately.

You must ensure through personal accountability that you will act consistently
with all guidelines established in this manual to protect TSCA CBI.

CHAPTER 1
Reference

1.1 ABBREVIATIONS AND ACRONYMS

Provided below is a list of abbreviations and acronyms used in this manual:

ADCO        Alternate DCO
CBIC        Confidential Business Information Center
CBITS       Confidential Business Information Tracking System
CCD         Chemical Control Division, OPPT
CFR         Code of Federal Regulations
DCN         Document Control Number
DCO         Document Control Officer
DOPO        Delivery Order Project Officer
DTS         Document Tracking System
EAC         Electronic Access Cards
EAD         Environmental Assistance Division, OPPT
ECO         Environmental Careers Organization
EETD        Economics, Exposure and Technology Division, OPPT
EPA         Environmental Protection Agency
FMSD        Financial Management and Services Division
FOIA        Freedom of Information Act
ID          Identification
IMD         Information Management Division, OPPT
ISO         Information Security Officer
LAN         Local Area Network
NACI        National Agency Check and Inquiries
NCIC        Non-Confidential Information Center
NOWCC       National Older Worker Career Center employee
OAM         Office of Acquisition Management
OARM        Office of Administration and Resources Management
OGC         Office of General Counsel
OPPT        Office of Pollution Prevention and Toxics
OMB         Office of Management and Budget
PC          Personal Computer
PMN         Premanufacture Notification
PO          Project Officer
RDMB        Records and Dockets Management Branch, IMD
ROI         Report of Investigation
SEE         Senior Environmental Employment Program
SOW         Contractor Statement of Work
SSA         Secure Storage Area
TSCA        Toxic Substances Control Act
TSCA CBI    Information submitted in connection with TSCA and claimed
            as confidential business information
TSS         TSCA Security Staff
WAM         Work Assignment Manager

1.2 GLOSSARY

Agency DCO
    The lead document control officer for the TSCA program at EPA
    (aka: OPPT DCO).

Alternate Document Control Officer (ADCO)
    The OPPT DCO and other DCOs can nominate ADCOs to assist them in
    performing document control functions. ADCOs can perform all
    functions of a DCO.

Annual Audit Certification Report
    Employees complete these reports on an annual basis to indicate the
    status of any TSCA CBI logged out in their name.

Authorized Access List
    A list of people who are authorized for access to TSCA CBI.

Certification
    The process whereby federal and contractor employees acquire
    administrative access to TSCA CBI.

Contractor DCO
    The document control officer designated by the Project Officer for a
    TSCA CBI cleared contract.

Contractors and Subcontractors
    Persons, including individuals or business entities, who perform work
    under a contract with the United States Government or a subcontract
    with a contractor.

Document Control Officer (DCO)
    DCOs oversee the receipt, storage, transfer, use, reproduction and
    destruction of TSCA CBI by employees. DCOs are responsible for
    assisting employees in requesting and renewing TSCA CBI access
    authorization, as well as managing the manual or automated Document
    Tracking System (DTS) for TSCA CBI in their facility or office.

Document Tracking System (DTS)
    A Document Tracking System is used to track receipt of and activity
    involving TSCA CBI within a facility. The system may be manual or
    automated (electronic). Automated systems are recommended for
    high-volume facilities.

Environmental Assistance Division (EAD)
    EAD is responsible for oversight of the TSCA Confidential Business
    Information security function. This includes enforcement of the
    procedures and provisions contained in the TSCA CBI Protection Manual.

EPA Office
    Organizational element of EPA, at any level or location.

EPA Project Officer (also known outside this Manual as “Contract Level COR”)
    The Contracting Officer’s primary representative on a basic contract
    who oversees the delivery order, task order or work assignment.

Facility
    Any location where EPA, a government contractor or another federal
    agency stores and uses TSCA CBI. Specific procedures may vary from
    location to location, but the general procedures in this Manual are in
    force at all facilities.

Federal Employee
    Generally, an employee of the federal government who has a Standard
    Form (SF-52) on file with the Office of Personnel Management (OPM).

Grantee
    Person who performs work under a grant. [Under TSCA, grantees are not
    authorized to handle TSCA CBI. Contact the OPPT DCO for more
    information.]

Hard-Copy
    Data (e.g., submissions, printouts, photographs) received or generated
    on paper. Also, Magnetic Media (e.g., diskette, video tapes), and other
    “physical” things which can hold or contain CBI.

Information Management Division (IMD) Director
    Within the Office of Pollution Prevention and Toxics (OPPT) the IMD
    director is responsible for the day-to-day implementation of TSCA CBI
    and control programs, including the development of policies for the
    use and handling of TSCA CBI and operation of the EPA
    headquarters-Confidential Business Information Center (CBIC).

Office of Pollution Prevention and Toxics (OPPT) Director
    The OPPT director has overall authority for managing TSCA activities,
    including TSCA security programs.

OPPT Confidential Business Information Center (CBIC)
    The primary area for storing and using TSCA CBI is the EPA CBIC at EPA
    headquarters in Washington, D.C. If appropriate, EPA may authorize
    TSCA CBI access at other facilities including EPA regional offices,
    other Federal agency offices, and contractor facilities.

OPPT Document Control Officer (OPPT DCO)
    The OPPT DCO provides day-to-day support to other Federal and
    Contractor DCOs nationwide. This includes issuing the TSCA CBI
    authorized access list and processing forms and records pertaining to
    requests for TSCA CBI access authority for organizations and
    individuals. The OPPT DCO manages the headquarters CBIC, oversees
    other DCOs at headquarters, and provides training materials and
    guidance to all DCOs on appropriate TSCA CBI handling procedures.

Originator
    An employee who is responsible for determining if documents he/she
    creates contain CBI and stamping them as such.

Requesting Official
    This is (1) employee’s immediate supervisor or higher authority who
    nominates a Federal employee for TSCA CBI access or (2) the EPA
    project officer who nominates a contractor employee for TSCA CBI
    access. Requesting officials’ responsibilities include ensuring that
    their employees renew their TSCA CBI access authority yearly,
    determining when their employees no longer require access authority,
    authorizing their employees to transfer TSCA CBI using a courier or
    express mail, and initiating or reviewing their employees’ reports of
    violation of this manual’s procedures.

Sanitize
    To remove TSCA CBI from a document.

Secure Storage Area (SSA)
    An area that is secured from persons not authorized for access to TSCA
    CBI. Secure storage areas house the bulk of an organization or
    facility’s TSCA CBI records, or serve as an organization or facility’s
    primary TSCA CBI work area, or both.

Temporary Transfer
    Relinquishing custody of TSCA CBI from one person to another in the
    same facility on a temporary basis.

TSCA CBI
    TSCA information claimed business-confidential under EPA’s
    confidentiality regulations at 40 CFR Part 2, Subpart B.

TSCA CBI LAN
    The physically isolated Local Area Network (LAN) located at EPA
    Headquarters dedicated exclusively to TSCA CBI.

TSCA CBI Materials
    Documents or any other information-bearing media that contain TSCA CBI.

TSCA Security Staff
    The TSCA security staff (of EAD) responsible for security-related
    activities, including reviewing security procedures, performing
    facility site inspections, and investigating violations of the
    procedures contained in this manual.

Unauthorized Access
    Access to TSCA CBI by persons lacking administrative clearance or
    whose clearance has expired.

Working Papers
    Temporary work product documents produced by a federal or contractor
    employee containing TSCA CBI, which are subject to special handling
    procedures.

1.3 LIST OF APPENDICES

Appendix A     Form 7740-6: TSCA CBI Access Request, Agreement, and Approval
Appendix B     Form 7740-25: TSCA CBI ADP User Registration
Appendix C     Request for EPA Identification Badge
Appendix D     Request for Building Pass
Appendix E     Form 7740-28: United States Environmental Protection Agency TSCA Confidential Business Information Document Reconciliation Certification
Appendix F     Form 7710-17: Confidentiality Agreement for United States Employees Upon Relinquishing TSCA CBI Access Authority
Appendix G     Form 3110-1: Employee Separation or Transfer Checklist
Appendix H     Form 7740-17: Request for Approval of Contractor Access to TSCA Confidential Business Information
Appendix I     EPAAR 1552.235-78: Data Security for Toxic Substances Control Act Confidential Business Information
Appendix J     EPAAR 1552.235-75: Access to Toxic Substances Control Act Confidential Business Information
Appendix K     EPAAR 1552.235-76: Treatment of Confidential Business Information (TSCA)
Appendix L     Form 7740-27: Contractor Information Sheet - Contractor TSCA CBI Access/Transfer
Appendix M     Contractor Checklist For TSCA CBI Access
Appendix N     Contractor Employee Checklist For TSCA CBI Access
Appendix O     Form 86: Questionnaire for National Security Positions
Appendix P     Fingerprint Card “FD258 Application”
Appendix Q     Procedures for Terminating Contractor Access to TSCA CBI
Appendix R     Form 7740-18: Confidentiality Agreement for Contractor Employees Upon Relinquishing TSCA CBI Access Authority
Appendix S     Form 7740-24: Federal Agency, Congress, and Federal Court Sign-out Log
Appendix T     Stamp to use when Material contains TSCA CBI
Appendix U     Form 7740-9: Confidential Business Information Cover Sheet
Appendix V     Form 7740-11: Inventory Log
Appendix W     Form 7740-10: Receipt Log
Appendix X     Form 7740-13: TSCA CBI Visitors Log
Appendix Y     Form 7740-26: Permanent Transfer Receipt for TSCA Confidential Business Information
Appendix Z     Form 7740-12: Memorandum of TSCA CBI Telephone Conversation
Appendix AA    Form 7740-14: Temporary Loan Receipt for TSCA Confidential Business Information
Appendix BB    Laptop Computer Agreement for the Confidential Business Information Center (CBIC)
Appendix CC    Amendment Through Voluntary Withdrawal
Appendix DD    40 CFR 2.208, TSCA CBI substantive criteria for determining confidentiality
Appendix EE    Taking action on TSCA CBI claims that appear unwarranted


CHAPTER 2 

TSCA CBI Access
2.0 INTRODUCTION

This section identifies persons entitled to TSCA CBI access and addresses requirements that
must be met in order to obtain, maintain, or terminate certification to work with TSCA CBI.
Legal access to TSCA CBI is dependent on meeting the conditions found in Section 14 of
TSCA. For federal employees, qualification for access is contingent on having federal
employment and a job-related need for access to TSCA CBI. For contractor employees,
qualification for access is contingent on employment
with a TSCA-related federal
contractor, a job-related need for access to TSCA CBI, and maintaining up-to-date
administrative certification.
Federal and contractor employees who have an official job-related need for TSCA CBI
access are, however, required to complete an initial administrative certification when
receiving their new job assignment, prior to working with TSCA CBI. Moreover, these
employees are required to complete an annual re-certification process for each year thereafter
for as long as their jobs require access to TSCA CBI.
Administrative TSCA CBI access, in every case, is granted solely to further the needs
and the mission of the Government.
Members of the following groups are not federal employees and, consequently, are not
eligible for TSCA CBI access:

• Volunteers (unpaid staff)
• Students (except those in the Student Temporary Employment Program (STEP), popularly known as Stay-In-Schools, who are federal employees)
• Student Interns who are placed in EPA facilities by the Environmental Careers Organization (ECO) and other recipients of EPA grants and cooperative agreements
• Senior Environmental Employment (SEE) program enrollees
• National Older Worker Career Center (NOWCC) staff
• Grantees

2.1 TSCA CBI ACCESS FOR FEDERAL EMPLOYEES: CERTIFICATION, MAINTENANCE, SUSPENSION, AND TERMINATION

The following administrative procedures, which are necessary for access, apply to federal
employees who will work with TSCA CBI for the first time, or who have let their
certification lapse:

• View the Security briefing: A federal employee’s immediate supervisor is responsible
  for ensuring that the employee has read this manual and viewed the security briefing
  on procedures for handling TSCA CBI. The briefing, either automated or on
  videotape, is arranged by the OPPT Document Control Officer (DCO) or the
  employee’s DCO.
• Complete one or both of the following forms (depending on the extent of access
  needed) and submit them to the DCO:

  1. Form 7740-6: TSCA CBI Access Request, Agreement, and Approval. [See APPENDIX A.]

     [Note: Notwithstanding the Privacy Act statement which appears in the 9-92
     version of Form 7740-6, providing a Social Security Number is not required
     under Section 14 of TSCA, and is not mandatory to obtain access to TSCA
     CBI. Upon request at the time of initial access, an alternate generic number
     may be assigned].

  2. Form 7740-25: TSCA CBI Automated Data Processing (ADP) User Registration
     Form (if online access to a TSCA CBI system or database is required). [See APPENDIX B.]

• Employee’s immediate supervisor ensures that the employee has read this TSCA CBI
  Protection Manual and viewed the security briefing.
• Employee’s immediate supervisor signs line 20 of Form 7740-6 (general access
  request form) to signify approval of TSCA CBI access and forwards it to the DCO,
  or disapproves access.
• DCO reviews forms for completeness and forwards them to the OPPT DCO. [In
  general, the DCO assists employees with obtaining and maintaining TSCA CBI
  certification.]
• Subject to the oversight of the IMD Director, the OPPT DCO reviews and approves
  access and adds the employee’s name to the TSCA CBI Authorized Access List.
  [The OPPT DCO provides monthly updated lists to DCOs and can verify which
  employees are on the latest list. The CBIC uses the list in conjunction with the
  Confidential Business Information Tracking System (CBITS) to verify access.]

2.1.1 Re-Certification For Federal Employees

The OPPT DCO notifies DCOs of persons whose certifications are about to expire. Federal
employees who need TSCA CBI access in connection with their official duties must renew
their certification every year by:
1. Viewing the security briefing videos and
2. Completing the document audit procedure.

2.1.1.1 Document Audit

The following steps must be taken:

1. Employee’s DCO provides list of all documents logged out to the employee. The
   federal employee’s immediate supervisor ensures the Document Audit is
   completed.
2. Employee reconciles the document list by following the steps below:
   • Verify that he/she has the listed documents in his or her possession, OR
   • Return logged-out documents which are overdue to the DCO, AND
   • Notify the DCO of any unaccounted for documents, and report them on the
     Document Reconciliation Certificate (see APPENDIX E), OR
   • Indicate on the Document Reconciliation Certificate that no documents are
     logged out, AND
   • Sign the Document Reconciliation Certificate, to be placed in the employee’s
     access file for future audit.
3. If the employee fails to locate any unaccounted for documents, he or she must
   follow the procedures in CHAPTER 5 concerning unaccounted-for documents.

All returned documents must be re-entered into the collection of records.

2.1.1.2 Time For Re-Certifying

The time for re-certifying access to TSCA CBI is no more than 30 days prior to an
employee’s anniversary date. Employees who re-certify within this period will retain
their anniversary dates. Re-certifying prior to the 30 day window or after the anniversary
date will result in a new corresponding anniversary date.

2.1.2 Failure to Maintain Access Certification

Federal employees who miss their annual deadline to re-certify under the TSCA CBI
protection program and who continue to have access to TSCA CBI as part of their official
responsibilities are in violation of these procedures and are subject to the corrective actions
and administrative penalties outlined in CHAPTER 5. [This violation of administrative
procedure is not, however, reportable to the information submitter as an unauthorized
disclosure under Section 14 of TSCA].

2.1.2.1 Suspension and Termination

Employees who are 29 or fewer days late in renewing their certification are suspended from
receiving access to TSCA CBI. Employees who are 30 days or more late in renewing their
certification are terminated from receiving access to TSCA CBI as part of their official
duties.
Employees who have had their access terminated must repeat initial certification, not simply
re-certification, in order to once again receive official access.

2.1.3 Suspension of Log-Out Privileges
If logged-out documents are overdue or are not returned or accounted for as required during
the annual Document Audit procedure (see Section 2.1.1), an employee’s privilege to log out
CBI documents from secured reference areas such as the CBIC may be suspended. Once the
documents at issue are returned or accounted for, borrowing privileges will be restored.

2.1.4 EPA Employee Transfers
The OPPT DCO must be notified when an EPA employee officially transfers to another
branch, division, or office, if the new position requires TSCA CBI access. The employee
will be required to perform a document reconciliation and return all CBI documents to the
CBIC prior to receiving access for the new position. Upon completion of these two
requirements, complete access to CBI materials will be available.

2.1.4.1 Supervisors’ Responsibilities When Employee Transfers

It is the responsibility of the employee’s former supervisor or DCO to notify the OPPT DCO
of the transfer. In addition, the new supervisor or DCO must submit a new Form 7740-6
(Appendix A) for the employee.

2.1.5 TSCA CBI Access Termination for Federal Employees

TSCA CBI access terminates when the official need for access terminates, as in the following
examples:

• When a federal employee leaves federal service
• When a federal employee transfers to a new federal position
• When a federal employee receives an administrative penalty, suspending employment
  or reassigning the employee to another federal position that does not require official
  need for TSCA CBI
• When a federal employee’s duties change, and no longer require TSCA CBI access
• When a federal employee fails within 30 days from the anniversary date to reconcile
  the document audit report and attend the annual security briefing

2.1.5.1 TSCA CBI Access Termination Procedures: Federal Employees

To terminate TSCA CBI access, an employee must follow the Document Audit procedure
described in the steps below. The employee receives a list of all their logged out
documents from the DCO. From that list, the terminating employee must reconcile all
documents in his/her possession by doing the following:
(Both the employee’s supervisor and DCO are responsible for ensuring that these steps
are taken)

• Either:
  1. Return logged-out documents and magnetic media to the DCO (see
     APPENDIX E), notify the DCO of any unaccounted for documents, and
     report them on the Document Reconciliation Certificate, OR
  2. Indicate on the Document Reconciliation Certificate that no documents are
     logged out.
• In addition, sign the Document Reconciliation Certificate, to be placed in the
  employee’s access file for future audit.

  (If the employee fails to locate unaccounted for documents within 5 business days
  of the issuance to the employee of the list of items logged out to him/her, he/she
  must follow the procedures in CHAPTER 5 concerning unaccounted-for
  documents.)

• Receive from the DCO a copy of the Confidentiality Agreement the employee
  signed when first assigned or hired to work with TSCA CBI. Sign and receive a
  copy of a receipt for the form entitled, “Confidentiality Agreement for United
  States Employees Upon Relinquishing TSCA CBI Access Authority.” [See APPENDIX F].
• Complete EPA Form 7710-17: “Confidentiality Agreement for United States
  Employees upon Relinquishing TSCA CBI Access Authority.” [See APPENDIX F].

2.1.5.1(a) DCO And Supervisor Responsibilities For Access Termination

The DCO will take action on unaccounted for documents. In the case of a dispute
between the employee and DCO about whether a document is logged out, the
document will be considered possibly unaccounted for, and will be reported as such
in accordance with the Manual Procedures in CHAPTER 5.
The DCO must change the lock combinations for storage containers to which the
employee had access and remove any CBI from the employee’s desk area before any
new staff arrive.

2.1.5.1(b) OPPT DCO Responsibilities For Access Termination:

• Upon notice from the employee’s DCO, remove the employee’s name from the
  TSCA CBI Authorized Access List.
• Arrange with IMD to invalidate the employee’s TSCA CBI computer user IDs and
  passwords for all TSCA CBI-related computer systems. IMD is responsible for
  notifying the OPPT DCO in writing when the employee’s passwords are
  invalidated.
• Make immediate arrangements to invalidate the employee’s electronic entry ID
  card for TSCA CBI Secure Storage Areas (SSA’s).

2.1.6 Unaccounted For Documents

The Facility DCO must assume that a TSCA CBI document is unaccounted for if it is not
received within 5 business days of issuing the employee the list of items logged out to
him/her and report the document as unaccounted for according to the procedures in
CHAPTER 5.

2.2 TSCA CBI ACCESS FOR CONTRACTORS AND CONTRACTOR EMPLOYEES: CERTIFICATION, MAINTENANCE, TERMINATION AND INDUSTRY NOTICE

The EPA Project Officer (PO) determines if, under TSCA Section 14(a), a contractor
requires access to TSCA CBI.

2.2.1 Determination of TSCA CBI Access for Contractors

To establish access for a contractor the PO submits Form 7740-17: Request for Approval of
Contractor Access to TSCA CBI (APPENDIX H) to the appropriate division director (or
equivalent supervisor) for signature, then forwards it to the IMD Director who issues final
approval in the form of a notice (as described in Section 2.2.4.).
For new contracts (or to modify an existing contract) Form 7740-17 must be submitted to the
IMD Director 20 business days before access is to begin. Form 7740-17 is submitted to the
IMD Director prior to the modification request.
The PO also must complete the following:

• Notify EPA’s Office of Acquisition Management (OAM) contracting officer of
  required TSCA CBI language, including the following contract clauses from the EPA
  Acquisition Regulation 1901 (9/12/2000):
  - Data Security for TSCA CBI (EPAAR 1552.235-78) (see APPENDIX I)
  - Access to TSCA CBI (EPAAR 1552.235-75) (see APPENDIX J)
  - Treatment of CBI (EPAAR 1552.235-76) (see APPENDIX K);
• Forward Form 7740-17 to OAM after the IMD Director has signed it; and
• At least 60 days prior to the date access is to begin complete a Contractor Information
  Sheet, Form 7740-27 (see APPENDIX L) and forward it to the OPPT DCO.

2.2.2 Approval for TSCA CBI Access or Expedited Approval for Immediate Access.

The OPPT DCO will add a contractor’s name to the TSCA CBI Authorized Access List when
the contractor is approved for CBI access. For contractor employees, the OPPT DCO will
notify the contractor DCO of the approval of an employee by sending the contractor DCO
the TSCA CBI Authorized Access List.
When a programmatic need can be demonstrated, expedited approval may be granted by the
IMD Director which will allow a contractor and/or contractor employee access to TSCA CBI
without having to wait 60 days after Form 7740-27 is submitted to the OPPT DCO.
Expedited approval does not waive the requirement for the advance notice provided in
Section 2.2.4.
See APPENDIX M for a Contractor Checklist for TSCA CBI Access.

2.2.3 Rules for Contractors

Contractors who receive TSCA CBI must:

• Adhere to the terms of their contracts regarding site requirements for receiving and
  maintaining TSCA CBI.
• Maintain TSCA CBI in a secure environment that meets or exceeds the requirements
  in CHAPTER 4.
• Maintain the “two-barrier” system described below for establishing any TSCA CBI
  storage site not located at a federal agency facility:

  Barrier 1:
  - Perimeter walls must be constructed “slab to slab,” and must not have false
    ceilings that would permit entry into the contractor’s workspace from over a
    corridor wall.
  - Entry and exit doors must have pin-tumbler deadbolt locks or equivalents
    installed (unless the door is for emergency exit in which case it must have a
    crash bar with an audible alarm).
  - Entry and exit doors must have exposed hinge pins that are pinned or
    otherwise constructed to prevent removal of the pins.

  Barrier 2:
  - Must have approved storage containers as described in Section 4.3.3.

• Arrange for a site inspection by TSS. TSCA CBI access will not be authorized at the
  contractor’s site without TSS approval. TSS will communicate its approval to the
  OPPT DCO. (Contractors should contact TSS if they have any questions about
  establishing or maintaining TSCA CBI security.)

2.2.4 Notice to Affected Businesses Prior To Granting Access

1) HOW
IMD will notify affected businesses in one of the following ways prior to granting TSCA
CBI access to contractors:

• Publishing a notice in the Federal Register
• Sending an individual Notice by certified mail-return receipt requested
• Sending an individual Notice by telegram
• Using any other means to give actual notice, and documenting the fact that such
  notice was received.

The Notice process:

• OPPT DCO uses the Contractor Information Sheet from the PO to prepare the Notice
• IMD Director signs the Notice, authorizing access for the contractor.

2) WHEN
IMD must wait at least 5 business days following receipt or publication of the Notice before
granting access in order to allow the affected business an opportunity to comment.

3) WHAT
The Notice must include the following:

• Contractor company’s identity
• Contract number
• Explanation of why TSCA CBI access is necessary for the performance of the contract
• Where access is authorized (on EPA premises and/or at the contractor’s facility)
• Types of information to be disclosed
• Period of time for which TSCA CBI access is authorized

2.2.5 Requirement for Contractor DCO

Each contractor with TSCA CBI access at either the contractor’s facility or an EPA facility
must have a contractor DCO who must be designated before the contractor is allowed access
to TSCA CBI.
The contractor must nominate one DCO and one Alternate DCO, and notify the EPA PO of
their names. The EPA PO nominates the employees and forwards their names, telephone and
fax numbers and e-mail and mailing addresses to the OPPT DCO. [See 3.2.11

2.2.6 TSCA CBI Certification for Contractor Employees

Following certification of TSCA CBI access for contractor companies, contractor employees
must obtain individual access certification. All certification forms are available through the
OPPT DCO. See APPENDIX N for a Contractor Employee Checklist for TSCA CBI
Access.
After completing the above requirements (sections 2.2.1, 2.2.2, 2.2.3, 2.2.4, 2.2.5), the EPA
PO, EPA Delivery Order Project Officer (DOPO), or the EPA WAM confers with contractor
officials to determine which contractor employees require TSCA CBI access certification.
The EPA PO will request access certification for these individuals.
After contractor employees are certified for TSCA CBI access, they are listed on the TSCA
CBI Authorized Access List. The list provides the names of people cleared for TSCA CBI
access, including TSCA CBI computer access, and the date on which their access expires.
The OPPT DCO provides monthly copies of the updated list to DCOs. If after consulting the
list questions remain about a person’s TSCA CBI certification, consult the OPPT DCO.

2.2.7 Initial Certification for Contractor Employees

Contractor employees acquire initial certification according to the process described below:

• The employee views the security briefing on procedures for handling TSCA CBI. The
  contractor DCO is responsible for ensuring that contractor employees read this
  Manual and view the security briefing. The briefing is arranged by the OPPT DCO
  or any DCO.
• The employee completes the following forms and submits them to the contractor
  DCO:
  - Form 7740-6: TSCA CBI Access Request, Agreement, and Approval [see APPENDIX A].

    [Note: Notwithstanding the Privacy Act statement which appears in the 9-92
    version of Form 7740-6, providing a Social Security Number is not required
    under Section 14 of TSCA, and is not mandatory to obtain access to TSCA CBI.
    Upon request at the time of initial access, an alternate generic number may be
    assigned].
  - Form 86: Questionnaire for National Security Positions (see APPENDIX O).
  - FD-258: Fingerprint card (two originals) (see APPENDIX P).
  - Form 7740-25: TSCA CBI ADP User Registration Form (for online access to a TSCA
    CBI system or database) (see APPENDIX B).
• The contractor DCO reviews forms for completeness and forwards them to the EPA PO.
• The EPA PO either signs line 20 of the general access request form, indicating approval, or
  disapproves access.
• The EPA PO submits the approved forms to the OPPT DCO for review and approval on that
  level.

[See APPENDIX N for a Contractor Employee Checklist for TSCA CBI Access.]

2.2.8 National Agency Check & Inquiries (NACI)

All contractor employees who are granted access to TSCA CBI must successfully pass a
NACI background check to maintain TSCA CBI clearance. NACI investigations are
conducted by the U.S. Office of Personnel Management at the request of the EPA Office of
Administration and Resource Management, usually several weeks following the contractor
employee’s grant of access. The EPA PO or WAM must ensure the NACI investigation
requirement is placed in the official Statement Of Work (SOW).

2.2.9 TSCA CBI Re-Certification for Contractor Employees

The OPPT DCO notifies DCOs of persons whose certifications are about to expire.
Contractor employees who continue to require TSCA CBI access in connection with their
job-related duties must renew their certification every year by:
1. Viewing the security briefing videos, and
2. Completing the document audit procedure below.

2.2.9.1 Document Audit

The following steps must be taken:

1. The Contractor DCO provides a list of all documents logged out to the contractor
   employee.
2. The Contractor employee reconciles the DCO document list by following the
   procedures below:
   • Return logged-out documents listed on the Document Reconciliation Certificate
     to the Facility DCO (see APPENDIX E), AND
   • Notify the DCO of any unaccounted for documents, and report them on the
     Document Reconciliation Certificate, OR
   • Indicate on the Document Reconciliation Certificate that no documents are logged
     out.
   • Sign the Document Reconciliation Certificate, to be placed in the contractor
     employee’s access file for future audit.
3. If the employee fails to locate the documents, he/she must follow the procedures in
   CHAPTER 5 concerning unaccounted for documents.

All returned documents must be re-entered into the collection of records.

2.2.9.2 Time for Re-Certifying

The time for re-certifying TSCA CBI is no more than 30 days prior to an employee’s
anniversary date. If an employee re-certifies within this period, the employee will retain
the same anniversary date. Re-certifying either prior to the 30 day window or following
the anniversary date will result in a new corresponding anniversary date.

2.2.10 Failure to Maintain Access Certification for Contractor Employees

Contractor employees who miss their annual deadlines to re-certify under the TSCA CBI
security program and who continue to have access to TSCA CBI are in violation of these
procedures, and subject themselves to disciplinary or corrective action by their contractor
employer.
Contractor employees who have not re-certified for TSCA CBI access within the past year
must pass initial certification, not re-certification. EPA may suspend the access of any
contractor employee if in the Agency’s judgment doing so is necessary to protect TSCA CBI
against some credible threat of loss or wrongful disclosure. For contractor employees a lapse
in certification access may result in an unauthorized disclosure reportable to the submitter
as described in CHAPTER 5.
There is no need, however, to obtain a new NACI or to be re-fingerprinted, if the employee
never left the contractor’s employment. This provision applies when both of the following
conditions are true:

• The contractor continues to hold a TSCA-related contract.
• The contractor employee’s job requires access to TSCA CBI.

2.2.11 TSCA CBI Access Termination: Contractor Employees

TSCA CBI access terminates for a contractor employee under various conditions. For
example:

• When the contract ends.
• When a contractor employee leaves the contractor’s employ.
• When a contractor employee transfers to a new position which does not require TSCA
  CBI access.
• When a contractor employee receives an administrative penalty from the contractor
  suspending employment or the contractor employee is reassigned within the company
  to another position which does not require TSCA CBI access.
• When a contractor employee’s job duties change and he/she no longer requires TSCA
  CBI access.
• When EPA suspends TSCA CBI access for a contractor employee under CHAPTER
  5 of this Manual.
• When a contractor no longer needs access for the successful completion of an Agency
  Task.

2.2.11.1 TSCA CBI Access Termination Procedures: Contractor Employees

To terminate access to TSCA CBI, the contractor employee must follow the Document
Audit procedure described in the steps below. See APPENDIX Q for a Checklist of
Procedures for Terminating Contractor Access to TSCA CBI.

• The contractor DCO provides a list of all documents logged out to the contractor
  employee. From that list, the contractor employee must reconcile all documents in
  his/her possession by doing the following:
  - Either return logged-out documents listed on the Document Reconciliation
    Certificate to the contractor DCO (see APPENDIX E), notifying the contractor
    DCO of any unaccounted for documents, and report them on the Document
    Reconciliation Certificate, OR
  - Indicate on the Document Reconciliation Certificate that no documents are logged
    out.
  - In addition, sign the Document Reconciliation Certificate, to be placed in the
    contractor employee’s access file for future audit.

If the contractor employee fails to locate any of the listed documents within 5 business
days of the issuance to the employee of the list of items logged out to him/her, he/she must
follow procedures for reporting lost documents in CHAPTER 5. Both the contractor
employer and the contractor DCO are responsible under the terms of the contract for
assuring this procedure is completed. In addition, prior to termination of the TSCA
contract, contractor DCOs are responsible for reconciling TSCA CBI 14 calendar days
before the termination date.
The Contractor DCO must also:

• Request that the OPPT DCO remove the contractor employee’s name from the
  TSCA CBI Authorized Access List.
• Make immediate arrangements to invalidate the contractor employee’s electronic
  entry ID card for TSCA CBI.
• Change the combinations to locks for any TSCA CBI storage containers to which
  the contractor employee had access.
• Provide contractor employee with copy of Confidentiality Agreement (Form 7740-6)
  signed at the inception of assignment and obtain the contractor employee’s
  signature on the “Confidentiality Agreement for Contractor Employees Upon
  Relinquishing TSCA CBI Access Authority” Form 7740-18. (See APPENDIX R.)
• Remove any CBI from the contractor employee’s desk area before new staff
  occupies the desk.

The OPPT DCO must arrange with IMD to invalidate the contractor employee’s TSCA
CBI computer user ID code and passwords for all TSCA CBI-related computer systems
to which the contractor employee had access. IMD is responsible for notifying the OPPT
DCO in writing when the contractor employee’s passwords are invalidated.

2.2.11.2 Unaccounted For Documents

The contractor DCO must assume that a TSCA CBI document is unaccounted for when
it is not received within 5 business days of issuing the contractor employee the list of
items logged out to him/her, and report this fact under the procedures in CHAPTER 5.

2.2.12 Change In Corporate Status

When a contractor or subcontractor with access to TSCA CBI is acquired by or merged into
another company (or otherwise alters its corporate status by associating in some way with
another company) it shall provide notice to EPA prior to the transaction. EPA will allow the
contractor or subcontractor 30 days from the time of notice to complete the corporate and
employee TSCA CBI clearance procedures discussed in this section 2.2 above. If the
required notice is not given within 90 days of the transaction, then access during that time
will be considered unauthorized, and the Agency will follow the unauthorized disclosure
procedures in Chapter 5.

2.3 TSCA CBI ACCESS CERTIFICATION FOR OTHER FEDERAL AGENCIES

Access to TSCA CBI data may be granted to other federal agencies under the following
circumstances:

• When TSCA CBI data is required to perform work for EPA.
• When TSCA CBI data is required to perform the other agency’s legal duties
  to protect health or the environment.
• When TSCA CBI data is required for specific law enforcement purposes.

All persons contemplating disclosure of TSCA CBI to other federal agencies should review
the regulations at 40 CFR Sections 2.209(c) and 2.306.

2.3.1 Procedures for Other Federal Agencies to Obtain TSCA CBI Access

Other federal agencies may obtain access to TSCA CBI by following the applicable
requirements outlined in 40 CFR 2.209(c), including taking the following steps:

An authorized agency representative must submit a written request to the IMD Director
preferably at least one month before access is to begin. The request must specify the
following:

• Information to which access is requested.

• Reason(s) why access is necessary (including the official purpose).

• Supporting details.

The request must be signed by an agency official whose authority is at least equivalent to that
of an EPA division director.

The IMD Director reviews the TSCA CBI access request and notifies the agency’s requesting
official of his/her decision. If access is approved, the IMD Director informs the agency of
the following stipulations:
• TSCA CBI is being disclosed under TSCA authority

• Unauthorized disclosure of the information may subject the agency’s
  employees to criminal penalties in Section 14(d) of TSCA (see CHAPTER 5)

• The agency seeking TSCA CBI access must provide written agreement that it
  will not disclose TSCA CBI, except in any one of the following situations:

  (i) The agency has statutory authority both to compel production of
      the information and to make the proposed disclosure, and it has
      furnished affected businesses with at least the same notice that
      EPA would provide under EPA regulations.

  (ii) The agency has obtained the consent of each affected business
       prior to the proposed disclosure.

  (iii) The agency has obtained a written statement from the EPA
        general counsel, or an EPA regional counsel, that disclosure of
        the information is authorized under EPA regulations.

[Note: If the other federal agency is obtaining access to TSCA CBI for purposes not on
behalf of EPA, notice must first be provided to affected businesses as provided in Section
2.3.2 just below].

Once access has been granted, designated employees of the other federal agency can obtain
access to specified TSCA CBI on EPA premises. The procedures for individual employees
to obtain certification for TSCA CBI access are explained in Section 2.1 of this Manual.
Employees of other federal agencies are not allowed to remove from EPA premises any
documents, notes, or correspondence containing TSCA CBI and must not discuss TSCA CBI
with unauthorized individuals. Only a DCO may remove TSCA CBI from EPA premises.
TSCA CBI must therefore be transferred from an EPA DCO to a Facility Agency DCO.

When a programmatic need can be demonstrated (and when the other federal agency needs
TSCA CBI access to perform a function on behalf of EPA) expedited approval may be
granted by the IMD Director which will allow a federal agency access to TSCA CBI before
receiving final approval from the OPPT DCO.

2.3.2 Notice to Affected Businesses

Before granting TSCA CBI access to another agency, in order to do work not on behalf of
EPA, IMD provides written Notice to affected businesses. The Notice must be given at least
10 calendar days before access can be granted via publication in the Federal Register,
telegram, or certified mail (return receipt requested). No Notice to affected businesses is
required, however, when EPA discloses TSCA CBI to another agency to perform work for
EPA (as described in 40 CFR Sections 2.209(c) and 2.306(h)).

IMD will prepare the Notice, which must include the following:

• Identity of the agency to which TSCA CBI access is granted.

• Official purpose for the access.

• If access is authorized on EPA premises or at the other agency’s facilities (see
  Section 2.3.3).

• Types of information to be disclosed.

• Period of time for which access to TSCA CBI is authorized.

2.3.3 Security Requirements at Other Federal Agencies

In order for the other agency to obtain access to TSCA CBI on its own premises, the
requesting official to whom TSCA CBI is to be transferred, must nominate at least two
people as a DCO and an Alternate DCO (ADCO). The nomination, submitted in writing to
the OPPT DCO for approval, must include the names, telephone and fax numbers, and e-mail
and mailing addresses of the nominees. The requesting official or the DCO can also
nominate ADCOs to assist the DCO in day-to-day operations. ADCOs can perform the same
duties as DCOs (including signing EPA Form 7740-28).

The following are required for TSCA CBI access on the other agency’s premises:

• Agency security procedures and standards that equal or surpass those set forth
  in this manual. The requesting official must provide to TSS a written
  statement of the agency’s security procedures for handling TSCA CBI. The
  statement should state that the security procedures in this Manual have been
  adopted, or how the security procedures used by the agency differ from those
  in this Manual.

• EPA TSS inspection and approval of the agency’s TSCA CBI storage
  facilities. The inspection is to be arranged by the requesting official.

[NOTE: TSS will not be required to inspect facilities in other federal agencies where CBI
is stored in approved storage containers as referenced in Section 4.3.3.1

2.4 REQUESTS FROM CONGRESS OR THE GENERAL ACCOUNTING OFFICE (GAO)

EPA, federal, and contractor employees must notify the IMD Director immediately when
they receive a request from Congress or the GAO for information that requires access to
TSCA CBI. Pursuant to 40 CFR 2.209, TSCA CBI access is allowed only when the request
is made by the Speaker of the House of Representatives, the President of the Senate, a
chairman of a Congressional committee or subcommittee, or the Comptroller General. All
document access will be provided by the OPPT DCO, who will record all transactions on the
Federal Agency, Congress, and Federal Court Sign-Out Log, Form 7740-24 (see
APPENDIX S).

• When EPA allows access to TSCA CBI by Congress or the GAO, EPA must
  provide written notice to affected businesses at least 10 calendar days prior to
  disclosure unless Congress or GAO directs otherwise or does not give
  sufficient time. In the latter case, notice shall be given as promptly as possible
  [see 40 CFR 2.209(b)(2)]. Such notice may be given via publication of a
  Notice in the Federal Register, or via telegram or certified mail (return receipt
  requested). IMD will prepare the Notice, which must include:

  • Whether access is authorized on EPA premises or at the other agency’s
    facilities
  • Type of information to be disclosed
  • Period of time for which need for access to TSCA CBI is expected.

CHAPTER 3

TSCA CBI Responsibilities

3.0 INTRODUCTION

Proper protective controls must be followed by employees of EPA, other federal agencies,
and contractors with access to TSCA CBI who handle, store, or transfer any TSCA CBI.

3.1 EMPLOYEE RESPONSIBILITIES

3.1.1 Personal Accountability

EPA holds every employee with access to TSCA CBI personally responsible for
adhering to the handling and security procedures in this Manual.

3.1.2 Assuring Adequate TSCA CBI Protection

Each employee with TSCA CBI access is required to inform management immediately if
he/she discovers that any procedure in this manual does not provide adequate protection for
TSCA CBI. In addition, those employees are encouraged to suggest changes to improve
protection.

3.1.3 Reporting Procedural Violations

Each employee who has access to TSCA CBI is required to report immediately in writing any
potential violations of these procedures to his/her immediate supervisor, and if applicable,
the Contractor PO (see Section 5.1).

3.1.4 Document Accountability

Employees are accountable for all TSCA CBI received from a DCO or other TSCA
CBI-authorized employee, printed from the TSCA CBI LAN, or recorded on magnetic,
optical, or other storage medium.

3.1.5 TSCA CBI Procedure Accountability

Employees are required to adhere to the procedures established by management and their
DCO for protecting and handling TSCA CBI to prevent disclosure to anyone not authorized
under TSCA Section 14 for access to CBI.

3.1.6 Return TSCA CBI Document

Employees are permitted to log out TSCA CBI documents from their DCO and to keep the
documents in an approved storage container as defined in Section 4.3.3, or approved SSA
as defined in Section 4.3.1, for up to a year. Employees must return TSCA CBI to the DCO
as soon as the material is no longer needed.

Any material kept longer than a year is considered overdue; the DCO will notify the
employee responsible. Materials that are not returned to the DCO within 14 days of
notification are presumed to be unaccounted for. The DCO must notify his/her division
director of unaccounted for materials, pursuant to the procedures in CHAPTER 5. If the
employee does not return overdue materials to the DCO within 14 days of notification, the
employee’s access to TSCA CBI may be suspended. Once the documents at issue are
returned or accounted for, CBI access will be restored.

3.1.7 Determination of TSCA CBI

It is an employee’s responsibility to decide if an existing document submitted to the Agency,
or a document newly created by the employee, contains TSCA CBI. An employee who is
unable to determine if a document is CBI should consult with his/her supervisor or DCO.
If the issue remains unresolved, the employee should consult the chief of the IMD Records
and Dockets Management Branch (RDMB), or equivalent.

3.1.8 Receipt of Possible CBI

If an employee receives materials (labeled or unlabeled CBI) via mail or other means which
appear to be TSCA CBI, he/she must immediately take those materials to the DCO for
assessment and, if warranted, entry into the Document Tracking System (DTS). [See Section
4.1.11.

3.2 MANAGER RESPONSIBILITIES

Program and office managers must continually ensure the following:
• Adequate personnel are available to carry out the DCO and ADCO
  responsibilities under the manager’s supervision

• Proper physical control measures are implemented in areas where TSCA CBI
  is maintained and tracked

• Subordinate POs, DOPOs, and WAMs follow TSCA CBI security procedures
  while administering contracts

• Quarterly meetings are held with contractor POs to ensure that contractor
  employees are following TSCA CBI security procedures

• Employees under their supervision who require TSCA CBI access maintain
  current certification.

3.2.1 Assigning a DCO and ADCO

The EPA manager (or Project Officer for the contractor DCO - see 2.2.5), is responsible for
nominating two employees to act as the DCO and alternate DCO, respectively. The manager
(or Project Officer) must submit this nomination to the OPPT DCO. The nomination,
submitted in writing, must include each nominee’s name, telephone number, e-mail address,
fax number, and mailing address. The contractor DCO must be in place before the contractor
is allowed access to TSCA CBI.

3.3 DCO RESPONSIBILITIES

DCOs manage their facilities’ Document Tracking Systems (DTS) and oversee the receipt,
storage, transfer, and use of TSCA CBI by employees in their facilities.

3.3.1 DCOs and Alternate DCOs

All facilities authorized for TSCA CBI access must have at least one DCO and an ADCO;
other ADCOs may be assigned.

DCOs and Alternate DCOs must be approved by the OPPT DCO before transfer of CBI to
any facility. In addition, the OPPT DCO is responsible for providing guidance to all DCOs
and ADCOs on appropriate document handling procedures.

3.3.2 Maintaining a Document Tracking System

The DCO is responsible for implementing and maintaining a Document Tracking System
for his/her respective facility, to track the receipt, use, and transfer of TSCA CBI. All TSCA
CBI submitted to EPA, and any produced by federal and contractor employees (except as
described in Section 4.4), are monitored through a facility DTS (See Section 4.2 on the
requirements for a DTS).

3.3.3 Transfer of TSCA CBI

A DCO must approve the transfer of TSCA CBI to a federal or contractor facility according
to procedures in CHAPTER 4. In order to transfer a copy of a TSCA CBI submission to a
requesting submitter, the submitter must provide to EPA a letter on corporate stationery
which is signed by a designated corporate official indicating the person authorized to receive
the copy (unless a designated representative is already on file). This letter should be
submitted to the OPPT DCO.

The DCO may send TSCA CBI by courier or certified mail (with return receipt) in
accordance with procedures in CHAPTER 4 of this manual. The DCO must notify the
receiving DCO before sending the TSCA CBI.

3.3.4 Receiving TSCA CBI

The receiving DCO must review incoming TSCA CBI for completeness. If the documents
appear incomplete, the DCO must immediately contact the submitter to determine if there
was an omission. If the materials appear to be complete, the DCO will do the following:

1. Stamp the document as TSCA CBI (see APPENDIX T). The stamp is applied
   to the front page, and the blank back page (if not blank, the blank back cover).

2. Assign a DCN, if one has not already been assigned.

3. Attach a TSCA CBI cover sheet (see APPENDIX U) to the front of the
   document. The DCO must write the DCN on the cover sheet and first page of
   the document unless the document is transferred to the CBIC.

3.3.5 Proper Storage of TSCA CBI

DCOs are responsible for ensuring that employees at their facilities are storing documents
properly. [Procedures on storing TSCA CBI can be found in Section a.

If an employee who works in an SSA will be out of the office for more than 7 calendar days,
all TSCA CBI in his/her possession must be locked away in an approved TSCA CBI storage
container. If the employee is unable to do this due to illness or other reason, the employee’s
supervisor or DCO will ensure the materials are stored in accordance with procedure. [See,
specifically, Section 4.3.4, Employee Absence and Storage of TSCA CBI and Section 4.3.1.8,
Using TSCA CBI outside an SSA].

The DCO supervises the storage of TSCA CBI in secure storage containers or in a
centralized secure TSCA CBI storage area (Section 4.3). The responsibilities of the DCO
and employee apply to CBI stored on paper or in digital form on magnetic disks, optical
disks, or other medium. One exception to this requirement is when an employee’s duties
require that he/she be assigned individual responsibility for a specific secure storage
container within an office (such as a Mosler safe or bar lock cabinet).

3.3.6 Records of Lock-Combinations

DCOs and other designated persons have the following responsibilities in maintaining
records of lock combinations for rooms and containers in which TSCA CBI is stored:

• DCOs must maintain a list of combinations for TSCA CBI storage containers
  and rooms controlled by a particular division, facility, program, or office

• The OPPT DCO must maintain a list of combinations for containers and rooms
  assigned to IMD, and for all containers and rooms in OPPT not under any
  specific division’s control

• Facilities Management Services Division must maintain a master list of
  combinations for all TSCA CBI locks at EPA Headquarters.

3.3.7 Conditions For Changing Lock Combinations

The DCO is required to change lock combinations annually or if any of the following occurs:

• Each time a person who knows a combination relinquishes his/her TSCA CBI
  access authority

• When a storage container is put into, or taken out of operation

• If there is a known or possible compromise of TSCA CBI data in the storage
  container.

If any of the above three events occurs, DCOs at EPA Headquarters must notify FMSD, which
is responsible for changing the lock combinations.

3.3.8 Updating The TSCA CBI Authorized Access List

Each DCO bears responsibility for keeping the TSCA CBI Authorized Access List current.
By the 15th of each month DCOs must notify the OPPT DCO of any for whom they are
responsible who should be added to or deleted from the list.

3.3.9 Monitoring And Controlling Release of TSCA CBI

DCO steps for providing TSCA CBI are described below:

• The DCO receives a request from an employee for a specific TSCA CBI
  document.

• The DCO locates the document and notifies the requesting employee.

• When the employee is ready to receive the document, the DCO verifies the
  requesting employee’s TSCA CBI certification by checking the TSCA CBI
  Authorized Access List.

• The DCO logs the document out to the employee using an automated or
  manual document Inventory Log. See APPENDIX V.

3.3.10 Overdue Materials: Monitoring And Notification

The DCO monitors TSCA CBI, and notifies employees and supervisors when it becomes
overdue. DCOs must monitor the Inventory Log for TSCA CBI materials which have not
been returned within the required one-year period. The DCO will notify employees and
their supervisors of overdue materials by distributing to each a list of all TSCA CBI
documents logged out to the employee before the annual security briefing and TSCA CBI
recertification are accomplished. Any material kept longer than a year is considered overdue;
the DCO will notify the employee responsible. Materials that are not returned to the DCO
within 5 days of notification are presumed unaccounted for. The DCO must notify his/her
division director of unaccounted-for materials pursuant to the procedures in CHAPTER 5.
If the employee does not return overdue materials to the DCO within 14 days of notification,
the employee’s access to TSCA CBI may be suspended. Once the documents at issue are
returned or accounted for, CBI access will be restored. [See also sections 3.1.6 Return TSCA
CBI Documents, and 2.1.3 Suspension of Log-out Privileges].

In general, TSCA CBI may not be logged out from a centralized TSCA CBI storage facility
for more than one year without renewal. Exceptions to this rule include the following:

• Regional DCOs may receive documents as permanent log-outs

• Contractor DCOs may receive documents as permanent logouts through the
  end of their contract

• The OPPT DCO in certain circumstances may grant permanent log-out status
  to other DCO collections on an as-needed basis.

3.3.11 DCO Guidance In Identifying And Sanitizing CBI Documents

The DCO assists employees in determining whether documents contain TSCA CBI and in
sanitizing documents for public disclosure.

The responsibility for determining whether documents contain TSCA CBI rests with the
document’s originator (see Section 4.1). Employees who are unable to determine if
something is confidential should consult with their supervisor or DCO. If the issue remains
unresolved, the employee should consult the chief of IMD RDMB. The DCO also instructs
document originators on how to sanitize a TSCA CBI document if the document is going to
be released to the public.

The DCO controls and documents the reproduction and destruction of TSCA CBI. TSCA
CBI (except for working papers as discussed in CHAPTER 4) is reproduced or destroyed
only by a DCO or ADCO. Specific procedures for reproduction and destruction are set forth
in CHAPTER 4.

3.3.12 TSCA CBI Audits

The following section describes the requirements to audit TSCA CBI for federal and
contractor entities:

3.3.12.1 Federal DCOs And The Confidential Business Information Center (CBIC)

[NOTE: This section applies to all Federal TSCA CBI collections and the CBIC, which is managed
under contract by the OPPT DCO.]

3.3.12.1(a) Comprehensive Audits of Entire Collection

By April 1, 2004, each DCO must conduct an audit of all TSCA CBI in the
DCO’s collection as of December 31, 2003. This step must be performed
every fourth year subsequent to the completion of the first comprehensive
audit. For the intervening years, an annual transaction audit shall be conducted
as outlined in Section 3.3.12.1(b). As an example, the next comprehensive
audit would be conducted by April 1, 2007 for all TSCA CBI in the DCO’s
collection as of December 31, 2006.

Each DCO must take the following steps in performing the comprehensive
CBI audit:

1) Audit all CBI documents in the Receipt Log or equivalent automated
   tracking system, comparing the physical document collection with the
   information in the log or tracking system.

2) Reconcile the TSCA CBI documents in the Receipt Log with the
   transactions listed in the Inventory Log (e.g., shred, transferred, logged
   out, declassified).

3) Locate any documents logged out for more than 1 year.

4) Verify the status of documents indicated in the Inventory Log or
   tracking system as having been shredded. The TSCA CBI cover sheet
   must be used to verify that CBI documents have been destroyed.
   [NOTE: TSCA CBI cover sheets must be retained until the next
   comprehensive audit cycle is complete.]

5) Certify that the tracking system has been updated to reflect the results
   of the audit.

Prior to April 1, 2004, and for every fourth year thereafter, the DCO must
submit a final report to his/her supervisor or contract manager. This report
must contain, at a minimum:

• Description of the audit methodology

• Total number of documents audited

• Description of any documents not located

• The tracking number (document control number) of any documents not
  located

The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DCO and TSS. If any TSCA CBI documents cannot be located
during the audit, the DCO must follow the procedures outlined in CHAPTER
3 for reporting potential violations.

3.3.12.1(b) Transaction Audits

Before April 1 of each year for which a comprehensive audit (as described in
m
is not required, each DCO must conduct an annual audit of TSCA
CBI in the DCO’s collection that consists of:

1) All documents initially received by the DCO between January 1 and
   December 31 of the previous calendar year.

2) All documents that were logged out and then returned to the DCO
   between January 1 and December 31 of the previous calendar year.

Each DCO must also:

3) Locate any documents logged out for more than 1 year

4) Verify the status of documents indicated in the tracking system or
   Inventory Log as shredded. The TSCA CBI cover sheet must be used
   to verify that CBI documents have been destroyed. [NOTE: TSCA CBI
   cover sheets must be retained until the next comprehensive audit cycle
   is complete.]

5) Certify that the tracking system has been updated to reflect the results
   of the audit.

Prior to April 1, the DCO must submit a final report to his/her supervisor or
contract manager. This report must contain, at minimum:

• Description of the audit methodology

• Total number of documents audited

• Description of any documents not located

• The tracking number (document control number) of any documents not
  located

The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DCO and TSS. If any TSCA CBI documents cannot be located
during the audit, the DCO must follow the procedures outlined in CHAPTER
5 for reporting potential violations.

3.3.12.1(c) DCO Transition Audits

This procedure must be followed when DCOs terminate their employment or
relinquish DCO responsibilities. The outgoing DCO must perform the
following steps prior to transferring any TSCA CBI to a new DCO:

1) Audit all CBI documents in the Receipt Log or equivalent automated
   tracking system, comparing the physical document collection with the
   information in the log or tracking system.

2) Reconcile the TSCA CBI documents in the Receipt Log with the
   transactions listed in the Inventory Log (e.g., shredded, transferred,
   logged out, declassified).

3) Locate any documents logged out for more than 1 year.

4) Verify the status of documents indicated in the Inventory Log or
   tracking system as shredded. The TSCA CBI cover sheet must be used
   to verify that CBI records have been destroyed. [NOTE: TSCA CBI
   cover sheets must be retained until the next comprehensive audit cycle
   is complete.]

5) Certify that the tracking system has been updated to reflect the results
   of the audit.

Prior to transferring the collection to the incoming DCO, the outgoing
DCO must submit a final report to his/her supervisor or contract manager.
This report must contain, at a minimum:

• Description of the audit methodology

• Total number of documents audited

• Description of any documents not located

• The tracking number (document control number) of any documents not
  located

The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DCO and TSS. If any TSCA CBI documents cannot be located
during the audit, the incoming DCO must follow the procedures outlined in
CHAPTER 5 for reporting potential violations.

3.3.12.2 Contractor DCOs

[NOTE: This section applies to all contractor TSCA CBI collections.]

3.3.12.2(a) Comprehensive Audits of Entire Collection

By April 1, 2004, each contractor DCO must conduct an audit of all TSCA
CBI in the DCO’s collection as of December 31, 2003. This comprehensive
audit shall be conducted for each year thereafter for all TSCA CBI in the
DCO’s collection as of December 31 of the previous year.

The DCO must take the following steps in performing the CBI audit:

1) Audit all CBI documents in the Receipt Log or equivalent tracking
   system, comparing the physical document collection with the
   information in the log or tracking system.

2) Reconcile the TSCA CBI documents in the Receipt Log with the
   transactions listed in the Inventory Log (e.g., shredded, transferred,
   logged out, declassified).

3) Locate any documents logged out for more than 1 year.

4) Verify the status of documents indicated in the Inventory Log or
   tracking system as shred. The TSCA CBI cover sheet must be used to
   verify that CBI documents have been destroyed. [NOTE: TSCA CBI
   cover sheets must be retained until the next comprehensive audit cycle
   is complete.]

5) Certify that the tracking system has been updated to reflect the results
   of the audit.

Prior to April 1, the DCO must submit a final report to his/her supervisor or
contract manager. This report must contain, at a minimum:

• Description of the audit methodology

• Total number of documents audited

• Description of any documents not located

• The tracking number (document control number) of any documents not
  located

The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DCO and TSS. If any TSCA CBI documents cannot be located
during the audit, the incoming DCO must follow the procedures outlined in
CHAPTER 5 for reporting potential violations.

3.3.12.2(b) Contract closeout Audits

Prior to contract closeout, the contractor DCO must perform a comprehensive
audit of all TSCA CBI in the DCO’s collection. The contractor DCO must
take the following steps in performing the CBI Audit:

1) Audit all CBI documents in the Receipt Log or equivalent tracking
   system, comparing the physical document collection with the
   information in the log or tracking system.

2) Reconcile the TSCA CBI documents in the Receipt Log with the
   transactions listed in the Inventory Log (e.g., shredded, transferred,
   logged out, declassified).

3) Locate any documents logged out for more than 1 year.

4) Verify the status of documents indicated in the Inventory Log or
   tracking system as ‘shredded’. The TSCA CBI cover sheet must be
   used to verify that CBI documents have been destroyed.
   [NOTE: TSCA CBI cover sheets must be retained until the next
   comprehensive audit cycle is complete.]

5) Certify that the tracking system has been updated to reflect the results
   of the audit.

Two weeks prior to contract closeout, the DCO must submit a final report
to his/her supervisor or contract manager. This report must contain, at a
minimum:

• Description of the audit methodology

• Total number of documents audited

• Description of any documents not located

• The tracking number (document control number) of any documents not
  located

The final audit report will be forwarded by the supervisor or contract manager
to the OPPT DCO and TSS. If any TSCA CBI documents cannot be located
during the audit, the DCO must follow the procedures outlined in CHAPTER
5 for reporting potential violations.

3.3.13 Termination Of Employment Or Status For DCO

The following procedures must be followed when a DCO terminates his/her employment, or
relinquishes DCO responsibilities. They are the same for those of a DCO at EPA
Headquarters, regional offices, other federal agencies, and contractor facilities.

At termination of employment or DCO status, TSCA CBI under a DCO’s authority must be
inventoried. The outgoing DCO and the incoming DCO must jointly perform an inventory
of TSCA CBI in the outgoing DCO’s collection of records. Both parties must confirm the
inventory before the outgoing DCO departs. The incoming DCO should retain a copy of the
inventory for audit purposes and forward a copy to the OPPT DCO.

NOTE: The CBIC DCO is not required to perform a collection audit if the
contractor operating the Center does not change.

3.4 EAD AND IMD ANNUAL REVIEW

On an annual basis, the Office of Pollution Prevention and Toxics Information Management
Division (IMD) and the Environmental Assistance Division (EAD) will report on the state of the
security of TSCA CBI.

The report will summarize security activities, training, and issues that may have arisen over
the preceding twelve months, including violations and vulnerabilities.

Consistent with EAD’s TSCA Security Staff (TSS) charge, the EAD portion will summarize
violations, the overall state of security procedures and practices, vulnerabilities, and security
activities. IMD will describe policy issues, training, future needs and other related matters.
This report will be sent to the director of OPPT by January 31st of each calendar year. To
create this report, in addition to reviewing reports and other generated materials, IMD and
EAD will interview representatives of the major users of TSCA CBI for information on the
state of TSCA security, policy and procedural issues (including opportunities for security
improvements).


CHAPTER 4 

TSCA CBI Document Management

4.0 INTRODUCTION

DCOs are vital to the effective management of TSCA CBI documents. DCOs manage their
facilities’ DTSs (Document Tracking Systems) and oversee the receipt, storage, transfer, and
use of TSCA CBI by employees in their facilities.

4.1 RECEIPT OF TSCA CBI

TSCA CBI submitters should be directed to send incoming TSCA CBI to a DCO only.
TSCA CBI sent between organizations must be sent from one DCO to another DCO.

4.1.1 Incoming TSCA CBI

While TSCA CBI sent to OPPT (e.g., by U.S. mail, courier, or fax transmission) may be
addressed to either an EPA or contractor DCO, preferably it would be addressed to the
Confidential Business Information Center (CBIC). In either case, TSCA CBI must be
received in accordance with the requirements of this Manual. TSCA CBI sent or otherwise
misdirected to other Agency personnel should be taken immediately, to the extent
practicable, to a DCO for tracking. Practical reasons may extend the time for delivering the
misdirected item to the CBIC for up to 3 business days. However, the documents must be
provided to the CBIC as soon as possible for incorporation into the Agency’s official file.
In the case of TSCA CBI mailed from one DCO to another, a receipt must be sent back to
the sending DCO identifying the contents of the package. The recipient DCO must sign the
receipt of contents and return the original to the sender within 5 business days and maintain
a copy of the receipt for his/her files. The receipt of contents must include the following
information:
• DCN
• Description of the CBI
• Name and signature of the sending DCO and the date sent.
• Name and signature of the receiving DCO and the date received.

4.1.2 Personal File Copies - New Chemicals Program (OPPT-CCD)

New Chemicals Program (NCP) staff in the OPPT Chemical Control Division (CCD) may
make and keep personal file copies of documents sent by submitters to the CCD DCO before
the documents go to the CBIC. The CCD DCO will maintain a log which will track all
copies made and distributed with an assigned number for each copy. When each copy is no
longer needed, the document will be shredded under the supervision of the CCD DCO, who will
ensure proper logging of the shredded data.

4.1.3 Supplemental Filings - New Chemicals Program (OPPT-CCD)

NCP staff in OPPT CCD may scan supplemental documents sent by submitters to the CCD
DCO, and place them on the TSCA CBI LAN for distribution in ‘read-only’ format before
the documents go to the CBIC within the timeframe specified in section 4.1.1 above. When
review is complete, the CCD DCO will ensure the scanned documents are deleted from the
TSCA CBI LAN.
(NOTE: As indicated, the paragraph above refers only to supplemental information
submissions. Initial filings are not to be directed to the CCD DCO, but rather processed
through the CBIC.)

4.1.4 Processing Newly Received TSCA CBI (applies to all DCOs and the CBIC)

The procedure below must be followed when receiving TSCA CBI [see also, generally,
Section 4.6.1 on transferring TSCA CBI]:
• The receiving DCO should be notified in advance of what CBI is being sent.
• Review and Acceptance:
Upon receipt of a document, the receiving DCO must complete the following
steps:
(i) Review any Transfer Slip to ensure that all listed information is
included.
(ii) Log the document into the Receipt Log. See APPENDIX W.

• Stamp:
A federal or contractor employee who creates a document is responsible for
stamping the document as TSCA CBI (when the document contains
information claimed as TSCA CBI) or non-CBI (as appropriate) (see
APPENDIX T for examples of each type of stamp). The stamp is applied to
the front page and the blank back page (if there is no blank page, then a blank
back cover). If a document appears as though it may contain CBI, treat it as
CBI until its status can be verified with the author.

• Cover Sheets:
All TSCA CBI documents must have a cover sheet, Form 7740-9 (see
APPENDIX U), that adheres to the following guidelines:
(i) The cover sheet must be green, clearly signifying that the
attached document contains TSCA CBI, and be attached to the
front of the document.
(ii) The DCN (written or bar code) and the date must appear on both
the cover sheet and the first page of the document.
(iii) The originator’s DCO must complete the cover sheet.
• DCN Assignment:
The Headquarters DCN should be used (or cross-referenced to any regional
DCN assigned).
• Notification:
Notify the OPPT DCO, or other TSCA CBI cleared addressee(s), of the TSCA
CBI submission’s availability for review and/or pickup.

4.1.4.1 CBI Fax Transmission From Industry

When an external submitter wants to send TSCA CBI via fax transmission, he/she
must be notified that EPA cannot guarantee the confidentiality of the transmission.
The recipient of the transmission must:
• Notify the sender that EPA’s transmission lines are not secure and that no
encryption equipment will be used to scramble the transmission.
• Remain by the fax machine until the transmission is complete, if the receiving
fax machine is outside an SSA.
• Notify the sender of a successful fax transmission.
• Provide the fax to the DCO for entry into the tracking system immediately
upon receipt.

4.1.5 TSCA CBI Claims That Appear Unwarranted

Any employee who discovers a TSCA CBI claim which appears unwarranted may exercise
independent discretion in choosing whether to refer the matter to IMD, or take any action at
all (including contacting the submitter directly). Employees should follow the guidance in
Appendix EE.

4.2 DOCUMENT TRACKING SYSTEM (DTS) REQUIREMENTS

DCOs must ensure the following regarding use of a Document Tracking System (DTS):
• All manual or automated document logs are properly maintained, updated, and
stored securely
• DCNs or unique alphanumeric identifiers are assigned to documents
• Proper procedures are followed when accessing TSCA CBI.

4.2.1 Use of an Automated Document Tracking System (DTS)

Use of a DTS is mandatory. The IMD Director has approved several automated DTSs.
Contact the OPPT DCO for additional information about these DTSs.
EPA strongly recommends an automated DTS for a DCO who oversees a high volume of
documents and transactions. An automated DTS allows the DCO to track a document’s
movement from the time it is assigned a DCN, or is received at EPA, until the time it is
destroyed or transferred to another TSCA CBI-cleared facility.
At EPA Headquarters, the OPPT DCO uses CBITS, an automated DTS, to track TSCA CBI
documents. An automated DTS has the following required and optional characteristics:

Required:
• Backup of automated DTSs: When an automated DTS is used, the DCO must
back up the TSCA CBI on the DTS at the end of each day, if data are added
or deleted. The backup media contain TSCA CBI data and must be protected
as such.
• Record maintenance: Any manual document logs that are converted by an
automated DTS must be retained until an audit by TSS verifies the accuracy
of the conversion.

Optional:
• Machine-readable bar codes: CBITS uses machine-readable barcodes to track
TSCA CBI documents. The bar code is affixed to each TSCA CBI document
controlled through the CBIC. Bar codes are also affixed to the electronic entry
ID cards of employees using TSCA CBI. The OPPT DCO uses these bar
codes to verify, through CBITS, that employees are on the TSCA CBI
Authorized Access List. The OPPT DCO also uses these bar codes to produce
Annual Audit Certification Reports for employees’ completion.
• Secure off-site duplicate records: EPA also recommends securing a duplicate
set of DTS media off-site to allow for recovery of documents logged out, in
the event that a natural disaster such as a flood or fire occurs. Contact the
OPPT DCO and TSS for assistance in establishing a disaster recovery program
for your records.

4.2.2 Use of a Manual Document Tracking System (DTS)
Manual systems may be used to record CBI transactions for small CBI collections. However,
automated databases allow a greater degree of flexibility and search capabilities. The
following forms establish the tracking and control requirements for TSCA CBI:
• EPA Form 7740-10: Receipt Log for TSCA Confidential Business Information.
• EPA Form 7740-11: Inventory Log for TSCA Confidential Business Information.
• EPA Form 7740.24: Federal Agency, Congress, and Federal Court Sign-Out Log.

[See APPENDIX W, V, and S, respectively for copies of these forms.]

4.2.2.1 Receipt Log

A Receipt Log is used to record the receipt of all incoming CBI documents into the
DCO’s domain.
Each document received by a DCO must be recorded in an automated or manual
receipt log (APPENDIX W). The DCO must record the following information in the
Receipt Log:
• DCN; if a DCN has not been assigned, the copy number assigned by the
DCO should be recorded.
• Date on which the document was received by the DCO.
• Submitter’s name (if the document was received directly from the
submitter), the author’s name (if the document was generated by a
federal or contractor employee), or the facility DCO’s name (if the
document was received from another facility authorized for TSCA CBI
access).
• Number of pages contained in the document.
• Brief description of the document (for example, “an engineering report
on PMN-Y,” or “letter from company X on PMN-W”).

4.2.2.2 Inventory Log

An Inventory Log is used to log documents in or out to employees or contractors of
EPA. It is the official record of all in/out transactions of CBI documents in the
DCO’s jurisdiction and is used to record the final disposition of these documents (e.g.,
permanent transfer, shredding).
DCOs may develop their own tracking and logging forms as long as they contain, at
a minimum, the information outlined in Section 4.2.2 above.
Each DCO must maintain an inventory log, Form 7740-11 (see APPENDIX V), for
TSCA CBI transactions at his/her facility. The inventory log must contain the
following information:
• DCN.
• Dates on which a document is logged out from, and returned to, the
DCO.
• Identity of the individual logging out the document.
• If the document is to be destroyed, the entry in the disposition block of
the log must include the date of destruction and the identity of the
person who will destroy it.
• If the requesting employee plans to transfer the document outside the
DCO’s jurisdiction, the disposition block of the log must include the
date and destination of the transfer.

4.3 STORING TSCA CBI

4.3.1 Secure Storage Areas (SSAs)

Secure Storage Areas (SSAs) are spaces that meet the security requirements identified below
and are used as TSCA CBI work and storage areas. Division directors can request that SSAs
be designated; the SSAs must be approved by the IMD Director. After approval, the IMD
Director will request that TSS inspect the SSAs for adherence to the following security
requirements:
• Pin-tumbler door lock or equivalent
• A monitored intrusion alarm, OR
• Either an electronic entry ID card system or a changeable push-button door
lock.

4.3.1.1 Entering An SSA With An Electronic Access Card (EAC)

Electronic ID card holders are required to present their cards to the reader the first
time they enter a specific SSA each day, even if entering with a group of card holders.
Thereafter, they would not need to use their card (for example, when leaving and
re-entering the SSA to use the restroom, go to lunch, etc.) if they should re-enter the SSA
with another person who opens the door.
Employees are not permitted to loan their entry cards to other employees.

4.3.1.2 Entering an SSA Without An Electronic Access Card

Federal and contractor employees entering an SSA who do not have their entry cards
are required to sign a Visitor’s Log, Form 7740-13 (see APPENDIX X), upon initial
entry. Employees may obtain a temporary card from their DCO. If the card has been
lost, the loss must be reported to the OPPT DCO who will provide paperwork for the
re-issuance of a new card and the deactivation of the lost card.

4.3.1.3 Entering An SSA With Suspended or Terminated Certification

A federal employee whose certification has been suspended, yet who still has an
official need for access to TSCA CBI, may continue to enter SSAs and view TSCA
CBI but will be prohibited from logging out documents until certification has been
renewed. A federal employee whose certification has been terminated may not enter
an SSA, and must again pass initial certification, not recertification, in order to again
enter an SSA and view TSCA CBI. [See X1.2.11

4.3.1.4 Grantees And Interns In SSAs

At EPA Headquarters, certain persons, such as grantees (e.g., NOWCC employees)
and some interns, may work within SSAs but are prohibited from having access to
TSCA CBI. They must, nevertheless, complete the certification process.
Grantees and approved interns must be “supervised” or “monitored” within an SSA
by following these guidelines:
A grantee or intern:
• Cannot deliver, locate, file, copy, type or otherwise handle or view TSCA CBI.
• Cannot be the first employee to arrive or the last employee to leave an SSA
and must never be the only person in an SSA.
• Cannot have any conversations with company representatives about
information that has been claimed, or may be claimed, TSCA CBI.

Visitors In SSAs
Visitors to SSAs who do not have TSCA CBI certification must sign the Visitor’s Log
the first time each day they enter and re-enter the SSA and must be escorted while
they are within the area.

Custodian, Maintenance and Delivery Persons in SSAs

Custodial, maintenance, mail, and other delivery personnel who routinely and
frequently enter an SSA, and who are known generally to EPA staff, may be
supervised while conducting their regular business. Such persons who are not known
to EPA staff, however, must be escorted.

4.3.1.7 DCOs And SSAs

In general, DCOs are responsible for monitoring activities within SSAs and ensuring
adherence to requirements set forth in this manual. DCOs have the following
responsibilities:
• Maintain Visitor’s Log entries for one year
• Safeguard lock combinations and disclose combinations only to authorized
individuals
• Ensure that lock combinations are changed annually, or whenever anyone
possessing a combination terminates her/his access, or the combination is
otherwise compromised. At EPA Headquarters, DCOs should request a
combination change from the FMSD in the Office of Administration and
Resources Management (OARM).

4.3.1.8 Using TSCA CBI outside an SSA

Employees who are using TSCA CBI documents outside SSAs must retain possession
of them, and never leave the documents anywhere that unauthorized persons may gain
access to them. When a TSCA CBI document is not in use it must be locked up by
the employee in an approved storage container.

4.3.2 Required Storage Containers

The following are approved storage containers for TSCA CBI:
• Metal file cabinets with locking bars and three-way changeable combination
locks
• GSA-approved Class 6 security containers (safes), or
• Other secure storage containers, as approved by the IMD Director in
consultation with TSS, on a case-by-case basis.

A storage container may be used by more than one person to store TSCA CBI, provided each
person is certified for access to TSCA CBI and has separately labeled his/her respective
space within the container. The employee must affix a magnetic “Open”/“Close” sign to
each container so that the status of the security container is visible at all times.

4.3.3 Storing TSCA CBI At Other Locations

TSCA CBI may be stored at locations other than an SSA with certain restrictions:
• Contractor sites must be inspected and approved by TSS before TSCA CBI
may be transferred to the site (see Section 2.2.1).
• If traveling with TSCA CBI, it must be kept in the employee’s possession, in
a hotel safe, or with the host DCO. TSCA CBI may be stored at home, if TSS
has approved the employee’s plan for using TSCA CBI at his/her personal
residence.

4.3.3.1 Storing TSCA CBI While Traveling

It is sometimes necessary for a federal or contractor employee authorized for TSCA
CBI access to carry TSCA CBI while traveling on official business. If it is
impractical to return to work to pick up the materials before departure or to drop them
off after returning, the employee may obtain permission from his/her supervisor to
take the materials home for a defined, limited period and protect them in a reasonable
manner under the circumstances. This permission is related only to the storage of CBI
at home when traveling - not for permission to use CBI at home under such
circumstances as flexiplace, etc.
While traveling by plane or other public conveyance, employees must keep TSCA
CBI in their possession and may not check it with their luggage. The following
security measures apply:
• Car trunk storage. If the employee is traveling by car, he/she should store
TSCA CBI locked in the trunk while en route. TSCA CBI must never be left
in a car overnight.
• Hotel safe storage. TSCA CBI may be stored overnight in hotel safes, if a
receipt is obtained from the hotel management. If no receipt is available, the
employee must keep the TSCA CBI in his/her possession.
• Host DCO storage. Even if the traveler does not intend to transfer possession
of the TSCA CBI, he/she may temporarily store the materials with the DCO
at the location he/she is visiting.

4.3.3.2 Storing and Working with TSCA CBI in a Personal Residence

Normally, employees are not permitted to take TSCA CBI to their homes. Under
special circumstances, such as recuperation from a long-term illness or under an
approved flexiplace work arrangement, the IMD Director may grant permission for
an EPA employee to use TSCA CBI at home.
Exceptional Circumstances: Home use of TSCA CBI is an exception and should be
permitted only on a case-by-case basis when circumstances warrant, and when doing
so serves the best interests of the Agency and promotes its mission. These criteria are
developed as interim requirements to be adhered to in those exceptional situations
when TSCA CBI may be brought to, worked on and kept at the private residence of
an EPA employee.

IMD Director Approval: In every case where home use is requested, the IMD
Director or designee must first review the circumstances and the employee’s plan for
home use of TSCA CBI before approving the arrangement.
Adherence to all Requirements: The procedures and requirements listed in this TSCA
CBI Protection Manual must be followed prior to the transfer of any TSCA CBI to
an employee’s residence.
These procedures and requirements include:
a. Review and approval of a plan for keeping and protecting TSCA CBI;
b. Provision of an approved TSCA CBI container (see below); and
c. Completion of a satisfactory site inspection by the TSCA Security Staff
(TSS).
Use Of TSCA CBI at Home Only When Necessary: An employee being granted
permission to use and maintain TSCA CBI at home may only do so when it is
absolutely necessary for the satisfactory performance of his/her job. Stay at home or
flexiplace employees granted this permission are strongly encouraged to the greatest
extent feasible to make maximum use of sanitized, or non-TSCA CBI, documents.
In addition, employees should refrain from unnecessary long term home storage of
large volumes of TSCA CBI documents; and instead should work with smaller
manageable amounts of TSCA CBI on a revolving basis where possible.
TSCA CBI Protection Manual: Any employee with permission to use and maintain
TSCA CBI at home must continue to adhere to all applicable portions of the TSCA
CBI Protection Manual.
Questions Regarding Home Use: Any question relating to home use and maintenance
of TSCA CBI should be addressed to the OPPT DCO.

MANDATORY CRITERIA FOR HOME USE:

The following are criteria for assessing the adequacy of any plan for home use of
TSCA CBI. In addition, the TSS site inspection will use these criteria in evaluating
the adequacy of the employee’s home for the use and maintenance of TSCA CBI.
1. Employees who are using TSCA CBI in a personal residence must
never leave the documents where unauthorized persons might gain
access to or view TSCA CBI. When a TSCA CBI document in a
personal residence is not in use, the employee must place the document
in an approved storage container.

a. The following storage containers are approved for TSCA CBI storage:
• Metal file cabinets with locking bars and three-way changeable
combination locks
• GSA-approved Class 6 security containers (safes), or
• Other secure storage containers, as approved by the IMD Director in
consultation with TSS, on a case by case basis.

b. Home use employees must affix a magnetic open/close sign to each container
so the status of the security container is visible at all times.
If the container has multiple drawers with separate combinations, each drawer
must have an open/close sign affixed to it to show the individual condition of
each drawer.
c. For each type of approved container which may be used at an employee’s
residence the combination or a spare key must be kept by each of the
employee’s Document Control Officers (DCOs).
d. The approved container used for storing TSCA CBI must be kept in a room in
the house or apartment which has a locking door and locking windows.
2. TSCA CBI may never be processed, created, or stored on computers connected to
- or capable of being connected to - the Internet, nor to any LAN not cleared for
CBI, nor on portable computers of any kind except as approved by the IMD
Director.
3. If persons not authorized for access to TSCA CBI must enter the approved room
in an employee’s house for any reason while TSCA CBI is out while being worked
on, they must be accompanied at all times by the TSCA CBI approved employee.

OPTIONAL CRITERIA:

1. Maintaining an alarm system in the house and/or designated TSCA CBI
workroom.

2. Keeping the approved container in a locked closet within the locked room
designated for use and storage of TSCA CBI.
3. All work on TSCA CBI performed in a room in the house or apartment which has
a locked door and locking windows.

4.3.4 Employee Absence and Storage of TSCA CBI

If an employee who works in a Secure Storage Area will be out of the workplace for more
than one week (seven calendar days), all TSCA CBI materials in his/her possession must be
locked away in an approved TSCA CBI storage container. If the employee is unable to do
this due to illness or other reason, the employee’s supervisor or DCO will ensure the
materials are stored according to procedure. Division Directors may waive this requirement
in exceptional circumstances where not practical.

4.4 TSCA CBI DOCUMENTS

Federal employees using TSCA CBI documents and other materials frequently produce new
TSCA CBI from these sources (in the form of such documents as notes, outlines, and drafts)
or from documents printed from the TSCA CBI LAN. These works-in-progress are internal
documents that exist in paper or electronic form.

4.4.1 New CBI Documents

Except as provided in Section 4.4.2 below, newly created hardcopy CBI must be logged and
tracked by the originator, by following these steps:
• Stamp the document as “TSCA CBI”. (See APPENDIX T)
• Cover the document with a TSCA CBI Green Cover Sheet, and include the
originator’s name, phone number, and the date. (See APPENDIX U)
• Submit the document to the DCO for tracking.

4.4.2 Working Papers

New TSCA CBI documents which are “working papers” are exempt from logging procedures
as long as they remain in the possession and/or control of the originator, or in the possession
of a TSCA CBI-certified federal or contractor employee who works in an SSA or has an
approved storage container for storing the TSCA CBI when not in use.
Federal and contractor employees may make multiple copies of a working paper (the copies
themselves then being “working papers”) to distribute simultaneously to the members of a
review group, who will then comment and return the copies to the issuer. Staff must track
any transfers of these multiple copies of working papers using their own personal tracking
system.

Working papers or other such works-in-progress must be protected from unauthorized
disclosure and handled like any other TSCA CBI document. Though working papers
generated by federal employees and contractors are exempt from logging, an employee who
generates them is responsible and accountable for safeguarding those copies, and is subject
to the administrative and civil penalties described in CHAPTER 5. A green cover sheet
must be applied to every working paper if the working paper is one sheet or multiple sheets
that are clipped or stapled. (Green cover sheets may be obtained from the DCO or
photocopied or printed on blank green paper.)

4.4.2.1 When Working Papers Become Subject to Tracking

When a working paper becomes a final document (i.e. work on the document has been
completed or stopped) it must be taken to the DCO. The DCO must log it into the DTS
and assign it a DCN. At Headquarters, this final document must be taken to the CBIC
for incorporation into the official record.
When a working paper is sent to another facility, it must be tracked, assigned a DCN, and
transferred in accordance with the procedures for transferring TSCA CBI.

4.4.2.2 Destroying Working Papers

The originator of a working paper or the individual who prints the document from the
CBI LAN may destroy that working paper and any copies made, preferably by
shredding. (See also Section 4.9 on DESTRUCTION OF TSCA CBI).

4.4.3 When TSCA CBI Documents Are No Longer TSCA CBI

TSCA CBI documents are no longer TSCA CBI under any of the following circumstances:
• TSCA CBI is not included in a new document
• TSCA CBI is deleted (sanitized) from an existing document
• The TSCA CBI that is used is masked or aggregated
• The data are derived from TSCA CBI data but are not themselves TSCA CBI
• The TSCA CBI claim is dropped by the submitter
• EPA formally determines that the claim is not valid in accordance with procedures in
40 CFR part 2 subpart B.

4.4.4 Aggregating TSCA CBI

IMD must be consulted in advance by any program office or enforcement staff who wish to
produce a non-confidential document by aggregating CBI in a new manner. IMD must
review and approve all new applications of aggregating techniques to ensure that appropriate
TSCA CBI protection has been maintained.

4.4.5 Declassifying CBI Documents
Employees may determine that materials are no longer confidential, but the declassification
may only be performed by a DCO. To declassify a TSCA CBI document:
• The employee must take the document to a DCO. If the document has been assigned
a DCN by CBITS, it must be taken to the OPPT DCO. Documents tracked using
other systems may be taken to the Facility DCO for declassification.
• Evidence must be presented to the DCO proving that the material no longer contains
any CBI. (See Section 4.1)
• The DCO must cross out all CBI markings on the document and remove the cover
sheet.
• The DCO must inscribe both the document and cover sheet with the statement
“Contains no TSCA CBI,” and sign and date both the document and cover sheet.
• The OPPT DCO must change the document’s status in the tracking system.

NOTE: A DOCUMENT MAY ONLY BE DECLASSIFIED IF ALL TSCA CBI CLAIMS
ASSOCIATED WITH THE RECORD ARE EITHER WITHDRAWN BY THE SUBMITTER OR
FINALLY DETERMINED BY THE OFFICE OF GENERAL COUNSEL TO NOT CONSTITUTE
TSCA CBI.

4.4.6 TSCA CBI Document Submitters: Dropping a Claim

A submitter can drop one or more claims of confidentiality for a document. To do so, an
authorized representative of the submitter must send a letter on company letterhead to the
OPPT DCO to drop the CBI claim. There may be other means of securing clear notice of a
submitter’s withdrawal of a CBI claim as well. For further information contact the branch
chief of the TSCA Records and Dockets Management Branch, IMD. The steps outlined
above for declassification must then be followed.

4.5 REPRODUCING TSCA CBI

This section applies to all TSCA CBI except working papers.
Reproducing TSCA CBI should be limited to as few copies as possible. TSCA CBI must
be reproduced only at copying machines located in SSAs unless otherwise approved by the
OPPT DCO. With the exception of working papers, only DCOs and ADCOs are permitted
to photocopy TSCA CBI documents or print multiple copies from the CBI LAN.

4.5.1 Managing TSCA CBI Copies

The following rules apply to management of TSCA CBI copies:
• The cover sheet on the original document must not be copied. A new cover sheet
must be used for each document copy.
• Copies must be logged into the DTS and must be assigned unique DCNs/copy
numbers by the DCO.
• The originator may loan the copies to other employees and obtain signed transfer
receipts indicating that the transfers were completed. These transfer receipts must be
retained until the documents are returned. If a document is transferred and no transfer
receipt is obtained, the originator of the document will be held accountable for the
document.

4.5.2 Copying CBI Outside SSAs

Copying machines outside SSAs may be used if all other machines in locations approved for
copying CBI are inoperable or unavailable, and as long as alternate machines or their use are
approved by the OPPT DCO. A non-secured machine must be dedicated to the task and
located in a manner that makes copying activity secure from observation to the extent
practicable. After copying is finished, at least three blank copies must be passed through the
machine to ensure that any impressions on the image surfaces of the machine have been
erased.
In case of equipment failure, the operator must ensure that all CBI is removed from the
photocopy equipment before leaving the area.

4.6 TRANSFERRING, TRANSFER RECORD-KEEPING, AND TRANSMITTING TSCA CBI

4.6.1 Transferring Hard Copy TSCA CBI

Except for working papers (Section 4.4.2), TSCA CBI can only be transferred from one
employee to another through their respective DCOs (as long as the receiving employee has
been approved for TSCA CBI access). Transfers of TSCA CBI must be conducted through
DCOs in accordance with the procedures set forth in this manual. [See 3.3.3 and 3.3.4]
[In addition, see Section 4.1.4 on processing newly received TSCA CBI]

4.6.1.1 Procedures For Sending Or Receiving TSCA CBI

An employee who requires TSCA CBI material to be mailed to a federal employee, a
contractor cleared for CBI access, or to a TSCA submitter must provide the material to
his/her DCO. All TSCA CBI which is being sent by OPPT to locations outside the
building must be mailed or shipped by the OPPT DCO, who has the option to
delegate mailouts to the CCD and EETD DCOs.

4.6.1.2 Preparing CBI For Mailing

The DCO must double wrap TSCA CBI. The DCO must label the inner wrapping with
the recipient DCO’s name and the statement, “TSCA Confidential Business Information
-- To Be Opened by Addressee Only.”
The DCO must label the outer wrapper with the name and address of the recipient and a
return address. The outer wrapper must be free of any indications that the package
contains TSCA CBI. (The materials may be prepared for mailing by the originator, but
the package must be left open for the DCO’s review.)

4.6.1.3 Transferring TSCA CBI to Another Facility

Before any TSCA CBI may be transferred to another facility, the sending DCO should notify
the receiving DCO by email and by telephone that the materials will be sent. (See also Section
4.6.2 below relating to CBI Transfer Record-keeping, and Section 4.1.4 on processing newly
received TSCA CBI.)

TSCA CBI may be transferred to an individual at another federal or contractor facility in one of
the following ways:

• DCO can send the materials certified mail through the U.S. Postal Service - “return
receipt requested”, or by Federal Express or other commercial and approved overnight
delivery services which maintain routine tracking and receipt signature services. The
DCO may also use a private messenger or courier service provided they are pre-approved
by the IMD Director. Regular first class mail must never be used to transfer TSCA CBI.
• DCO can appoint a cleared employee to deliver the materials directly to another DCO.
• DCO can transfer the materials via fax. (See Section 4.6.3.2)

1) When sending TSCA CBI to another facility, the DCO must include a receipt identifying
the contents of the package inside the inner envelope. (See APPENDIX Y, Form 7740-26
“Permanent Transfer Receipt for TSCA CBI.”) When used properly, the transfer receipt
will not contain TSCA CBI information; therefore, the DCO has the option of either
placing the form on the outside of the inner envelope or in it. (This form can also be
used as a temporary transfer receipt for multiple documents; line out the word
“permanent” and write “temporary” in its place.) The receiving DCO must sign the
receipt of contents and return it to the sender within 5 business days. This form is not
used when sending CBI to a TSCA submitter (see Section 4.6.1.4).

4.6.1.4 Transferring TSCA CBI to Industry

There may be occasions when a submitter will request a copy of its submission to the
Agency that contains TSCA CBI. Such a request must be in writing. However, in order
to receive a copy, the company must provide a letter on corporate stationery which is
signed by a designated corporate official indicating the person is authorized to receive the
copy (unless a designated representative is already on file). This letter should be
submitted to the OPPT DCO or in the case of a Region to the Regional DCO.

The TSCA CBI must be double-wrapped as described above and sent certified mail via
the U.S. Postal Service (indicating the person to receive the information), return receipt
required. Couriers and private mail delivery systems may also be used. The tracking
numbers used by these private mail delivery systems must be recorded in the appropriate
log.
The Agency may also initiate correspondence with industry which includes TSCA CBI.
In this case the same procedures are followed except for the requirement of a notarized
letter.

4.6.2 Hard Copy TSCA CBI Transfer Record-Keeping

4.6.2.1 Record-Keeping For Permanent Transfer

All permanent transfers must be made through a DCO. The following rules also apply:

• Keep records on transfer. If the transfer was made through a DCO, the DCO will
record the transfer in the Document Tracking System (DTS).
• Document Transfers. Transfers between DCOs can be documented on a TSCA CBI
Transfer Receipt, Form 7740-26 (see APPENDIX Y). Both the sending and receiving
DCO should retain receipts for audit purposes. Contractor DCOs should maintain
transfer receipts until the contract ends and all TSCA CBI is accounted for.
• Obtain a receipt for returned documents. When returning TSCA CBI documents, an
employee should prepare a receipt for the DCO to sign and return to the employee or
the employee’s designee.

4.6.2.2 Record-Keeping For Temporary Transfers Within A Facility

The following standards apply:

• Transferring Custody - Custody of CBI may be transferred from one employee
approved for TSCA CBI access to another within the same facility.
• Recording the Transaction - There must be a record indicating that the transfer
was completed.
• Obtaining Record Of Transfer - Transferors may use the Temporary Loan Receipt
for TSCA CBI, Form 7740-14 (see APPENDIX AA), or any other form that
records the transfer.
• Using Receipt Form - Hand delivery with a TSCA CBI Receipt form may be used
only for short-term TSCA CBI transfers.
• Delivering By Hand - If hand delivery is used, the TSCA CBI must be given
directly to the recipient or a TSCA CBI cleared employee.
• Monitoring Overdue TSCA CBI - TSCA CBI may not be logged out from a
centralized TSCA CBI storage facility for more than one year. DCOs must
monitor the DTS for TSCA CBI that have not been returned within one year. The
DCO is responsible for notifying employees and their supervisor of overdue
materials.

If a transfer is made by hand delivery to another person within the same facility, the
owner or originator of the transferred document may choose to obtain a signed loan
receipt indicating that the document has been loaned. If a document is transferred and
no loan receipt is obtained, the owner or originator of the document will be held
responsible for any loss or unauthorized disclosure of the document.

4.6.3 Transmitting TSCA CBI Electronically

4.6.3.1 Transmitting TSCA CBI By Telephone

CBI may be transmitted orally during telephone conversations.

NOTE: VOICEMAIL IS NOT SECURE. TSCA CBI MUST NEVER BE LEFT
IN A PERSON’S VOICEMAIL. [However, Case Numbers and PMN
numbers may be left on a submitter’s voicemail if they have not first raised an
objection to EPA following receipt of an acknowledgment letter informing
them of this practice and their right to object.]

Authorized employees are allowed to discuss TSCA CBI on the telephone with other
authorized federal or contractor employees with TSCA CBI access. Both parties to a
telephone call are responsible for verifying that the other is authorized for TSCA CBI
access. To do so, the employees should consult the TSCA CBI Approved Access List
upon initial contact.
The individual who initiates a discussion that includes TSCA CBI must indicate that the
conversation involves TSCA CBI.
Authorized employees are allowed to discuss TSCA CBI on the telephone with an
authorized representative of the submitter when all of the following conditions are met:
• The employee must verify that the person to whom he/she is speaking has been
previously identified by the company as an authorized contact to discuss TSCA
CBI. The authorized individual is normally the technical contact for the subject
submission. (In cases where the technical contact or other authorized
representative cannot be obtained from the document submitted to the Agency, the
employee should consult the OPPT DCO.)
• The employee must verify that all federal and contractor employees on the line are
cleared for TSCA CBI access and relay that information to the submitter.
• The employee must inform the submitter that any further information provided in
the telephone conversation can be claimed as confidential.

Authorized contractors may also discuss TSCA CBI on the telephone with submitters.
The contractor must begin the conversation by identifying that they are an EPA
contractor. The same procedures identified above for employees must be followed. EPA
recommends that employees keep telephone logs of all calls with individuals located
outside their organization during which TSCA CBI is discussed.
A telephone log should contain the following:
• Date and time of the call.
• Employee name and office.
• Name, number, and organization of the other party.
• Who initiated the call.
• Content of the conversation.

Telephone logs of conversations with TSCA CBI submitters should be kept when the call
results in changing the status of information in an industry submission: for example,
when information is requested from the submitter, when clarifications are provided to the
submitter of a substantive nature, etc. Telephone logs must be provided to the DCO for
incorporation into the DTS and to the CBIC if relevant to a TSCA submission, Form
7740-12 (See APPENDIX Z.)

4.6.3.2 Transmitting TSCA CBI by Fax

EPA and contractor DCOs may transfer and receive TSCA CBI materials via facsimile.
Faxing of TSCA CBI should be limited to situations where timely delivery would be
compromised by using other means (e.g., mail delivery, courier service).
The following security provisions must be followed when transmitting any TSCA CBI
by fax:

• Verify receiver. Before sending a fax containing TSCA CBI to an authorized
government or contractor recipient, the sender must verify that the recipient has
been certified for access to TSCA CBI by consulting the TSCA CBI Authorized
Access List. In addition, prior to sending a fax containing TSCA CBI to a
submitter of the information, the sender must verify that the recipient has been
identified as the company’s authorized representative on the original submission
to EPA. Alternatively, the Agency must be in possession of a letter on corporate
stationery signed by a designated company official authorizing the transmission
to this recipient. Similarly, when a submitter requests that EPA fax its TSCA CBI
to a third party (e.g., lab director or attorney), the Agency must be in possession
of a letter on corporate stationery signed by a designated company official
authorizing the transmission to the specified third party.

• Control the fax equipment. During transmission of TSCA CBI by employees and
Agency contractors, the DCOs sending and receiving the document must
completely control the fax machines. They must ensure that anyone not cleared
for TSCA CBI does not view the document being sent.
• Select the fax machine. Fax machines located inside SSAs are recommended.
Fax machines used outside SSAs may be used, but only with the utmost care.
• Verify the phone number. The employee sending the fax is responsible for
ensuring that the number dialed is correct by verifying the number on the fax
transmission confirmation receipt. Use extreme caution when dialing the number
to ensure that the correct number is entered. (If TSCA CBI is accidentally
transferred to a wrong number, TSS must be immediately notified.)
• Retain the receipt. The DCO must attach the fax transmission confirmation
receipt to the document that was faxed and place the document in the official
document file if applicable.

Authorization from the submitter to fax documents to third parties (e.g., lab directors)
must be obtained in writing and maintained in the DCO’s files.

4.6.3.3 Transmitting TSCA CBI By E-mail

TSCA CBI cannot be transmitted via e-mail except on approved Local Area Networks
(LANs). (See Section 4.8 on using computers to work with TSCA CBI.) In the event
TSCA CBI is released on any other LAN or the internet, you must immediately report this
to your Office Information Security Officer (ISO) and immediate supervisor. For further
information, contact your ISO.

4.6.3.4 Transmitting TSCA CBI By Tele-Video Conference

TSCA CBI may be displayed and discussed during tele-video conferences conducted
between EPA Headquarters and EPA regional offices. Employees who arrange or
schedule a tele-video conference are responsible for ensuring that all TSCA CBI security
procedures are followed. These procedures include the following:
• Verify that everyone who attends the tele-video conference is cleared for TSCA
CBI.
• Ensure that both conference rooms are secured to prevent unauthorized persons
from entering the conference rooms during the tele-video conference.
• Arrange for use of compressed video encryption during transmission, if available.
For information about tele-video encryption, contact the EPA Security Officer in
Research Triangle Park, at (919) 541-4013.

4.7 USING AND HANDLING TSCA CBI

Use TSCA CBI according to the following guidelines:

1) Employee Responsibilities
Employees using TSCA CBI are responsible for ensuring that no unauthorized disclosure
of that information occurs. If employees take TSCA CBI outside the SSAs, they must do
one or more of the following:
• Maintain constant control over the TSCA CBI documents in their possession.
• Return the TSCA CBI documents to the DCO.
• Store the documents in a TSCA CBI-approved storage container.

2) Obtaining TSCA CBI

Except as provided in Section 4.4.2 (Working papers) and in Section 4.6.2.2 (Record-Keeping
For Temporary Transfers Within a Facility), to obtain TSCA CBI documents
follow the steps below:

• The employee requests a specific TSCA CBI document from his or her DCO.
• The DCO verifies that the employee is approved for access to the document.
• The DCO logs the document out to the employee.

3) Using or discussing TSCA CBI in meetings
To discuss TSCA CBI at meetings (scheduled gatherings), follow the steps below:
a. An employee may circulate personal working papers or other materials logged
out to that employee at a meeting if the following conditions are met:
• The employee to whom the document belongs attends the meeting and is
present when the document is discussed.
• The owner employee collects all copies of the document at the end of the
meeting.
• The owner employee numbers the copies (“1 of 6”, “2 of 6”, and so forth)
before distributing them and checks to make sure that all copies are returned
at the end of the meeting.
• The owner employee destroys all copies of the document after the meeting.

b. To discuss TSCA CBI during meetings, a chairperson must be identified
beforehand.
1. The chairperson is responsible for ensuring that only people approved for
TSCA CBI access are in the room during discussion involving TSCA CBI.
The chairperson must also secure the room at the end of the meeting (by
cleaning all chalkboards, removing all TSCA CBI, etc.).

c. The chairperson must remind meeting attendees that they must treat as
confidential any notes taken at the meeting.
• Notes taken at the meeting that contain TSCA CBI are considered to be
personal working papers. To tape record a meeting, permission from the
chairperson must be obtained. Such recordings may contain TSCA CBI and
must be treated as TSCA CBI.

4) Developing TSCA CBI photographic materials

When photographs are claimed as TSCA CBI material, the Facility DCO must ship the
film to the Regional or OPPT DCO (as appropriate) for processing and development.
Processing or development by a private or commercial laboratory is prohibited unless
expressly approved by the IMD Director in consultation with TSS.

5) Claiming a videotape as TSCA CBI
If an EPA employee utilizes video equipment during an inspection or plant visit, and the
company wishes to claim the tape as TSCA CBI, the tape must be handled and controlled
like any other TSCA CBI material.

4.8 USING COMPUTERS TO WORK WITH TSCA CBI

4.8.1 Prohibition

TSCA CBI may not be processed, created, or stored on computers connected to the
Internet or to any LAN not approved for CBI, nor on portable computers of any
kind, except as approved by IMD after consultation with the TSCA Security Staff (TSS).
In the event TSCA CBI is released on any other LAN or the Internet, you must immediately
report this to your Office Information Security Officer (ISO) and immediate supervisor. For
further information, contact your ISO.

4.8.2 TSCA CBI Computers Must Be Separate From Public Networks

TSCA CBI may be created, processed, and stored ONLY:

• on computers which are permanently connected to a self-contained Local Area
Network (LAN) approved for TSCA CBI and not connected to the Internet

OR,

• on computers which are permanently disconnected from any network, Internet access,
or other technology which can pass data to another computer.

4.8.3 Registration is Required to Use CBI Computer Systems

Employees who require access to TSCA CBI computer systems must complete the “TSCA
CBI ADP User Registration Form” and submit it to the OPPT DCO. IMD will provide the
employee with a user ID and password to access the TSCA CBI network. (See APPENDIX
B, EPA Form Number 7740-25).

4.8.4 Using Portable Computers (Laptops and Handheld Devices)

Laptop computers may not be used to process TSCA CBI data unless they are approved by
IMD in consultation with TSS. To obtain approval, the DCO must prepare a security plan.
TSCA CBI use of laptops will be approved on a case-by-case basis by IMD to ensure that
proper procedures will be followed regarding their use. (See APPENDIX BB for an
example of the Laptop Computer User Agreement for the CBIC form.)

Handheld devices (such as Personal Digital Assistants) may not be used to process, create,
or store TSCA CBI.

Once a portable computer has been approved for TSCA CBI use,

• It must be conspicuously labeled as a TSCA CBI computer with distinctive
markings that are not visible when the computer is not in use. This can include
operating system and application software backgrounds, login screens, and other
reminders that the user is using a TSCA CBI-cleared computer.
• Any modem, network card, wireless port, or other computer-to-computer
communications device must be removed.
• The user is responsible for preventing the data from being disclosed to any
unauthorized person while traveling outside the Secure Storage Area in which the
portable computer is normally stored while not in use.

4.8.5 Disposing of Computers Formerly Used for TSCA CBI

If a computer which has been used to store or process TSCA CBI data is to be connected
to the administrative LAN and/or the Internet, or is to be discarded, its hard drive must be
destroyed or thoroughly erased by appropriate software. IMD must certify a computer as
having been cleaned of TSCA CBI immediately after the computer has been disconnected
from the TSCA CBI LAN or after its retirement from use as a TSCA CBI standalone
computer.

4.8.6 Modems
OPPT prohibits both internal and external modems on all computers used for TSCA CBI.
Any exception to this general prohibition must be approved by IMD.

4.8.7 TSCA CBI Data Processed Only Within SSAs
TSCA CBI may be processed only on computers located within TSCA CBI approved Secure
Storage Areas, unless other arrangements are approved by TSS in consultation with the
OPPT ISO.

4.8.8 Printing TSCA CBI Information

Authorized employees are permitted to print out one copy of their working papers from the
TSCA CBI LAN for individual use. Multiple copies may be made only by the DCO/DCA.
[See Section 4.4.2 of this Manual for special requirements concerning personal working
papers.]
All printouts from the TSCA CBI LAN are assumed to contain TSCA CBI unless the user
indicates otherwise in writing on the first page of the printout, with signature and date.
Printouts from the TSCA CBI LAN must be treated like any other TSCA CBI document and
protected accordingly.
The employee should promptly remove copies from the printer to reduce the likelihood that
the TSCA CBI information will be viewed by visitors. Once a session ends, the computer
must be re-booted or turned off.

4.8.9 Storing TSCA CBI on Magnetic Media
The procedures for storing TSCA CBI hard-copy materials apply equally to magnetic media
(diskettes, hard disks, magnetic tapes and data cartridges), optical disks, memory cards, and
to any other storage devices.

4.8.10 Disposing of TSCA CBI Computer Disks
When disks are no longer needed or are damaged, they should be destroyed in a manner
approved by IMD, in consultation with TSS, or sent to IMD for destruction. At EPA
headquarters they may be given to IMD for destruction.

4.8.11 Security for TSCA CBI Data Stored on Contractor’s Off-site Computers
A contractor’s site must be inspected and approved before any TSCA CBI may be
transferred, processed, or stored there (See Section 2.2.2). EPA contractors may not place
TSCA CBI on any computer system without written authorization from EPA.
Authorized EPA contractors who use TSCA CBI must follow all computer security
requirements established for EPA Contractors. Contractors are permitted to use
standalone PCs and laptops for processing TSCA CBI by adhering to the procedures
contained in this manual.

4.9 DESTRUCTION OF TSCA CBI

Only DCOs are permitted to destroy TSCA CBI (except working papers, as discussed in
Section 4.4.2.2). Federal employees wishing to have TSCA CBI destroyed must take
these materials to their DCO. Contractor DCOs must obtain written permission from the
OPPT DCO before destroying TSCA CBI. CBITS-tracked documents may only be
destroyed with the approval of the OPPT DCO; however permanently logged-out
documents may be destroyed by a DCO.
Contractor DCOs may not destroy CBITS-tracked documents. These documents must be
returned to the Project Officer at the end of the contract. The PO must ensure the return
of the documents to the CBIC for proper destruction.

4.9.1 Procedures for Destroying TSCA CBI

The procedures for destroying TSCA CBI apply to all media containing TSCA CBI
except working papers. (See Section 4.4.2 on working papers.)
[NOTE: This section, as written, does not apply in the special case of the CBIC
because of its unique function.]

4.9.2 Destruction Methods
TSCA CBI such as papers, documents, or printouts must be shredded. Materials such as
microfiche, typewriter ribbons, and magnetic media must be burned, degaussed, or
chemically destroyed.

4.9.3 Destruction Record-Keeping
The destruction of a TSCA CBI document that has been entered into the DTS must be
recorded. The DCO must enter information about the destruction of the document into
both the Receipt Log, Form 7740-10 (see APPENDIX W), and the Inventory Log, Form
7740-11 (see APPENDIX V).

4.9.4 Disposition of CBI Cover Sheets
CBI cover sheets (see APPENDIX U) must be completed by the DCO with destruction
date, location where the document was destroyed, and DCO’s name.
The TSCA CBI cover sheets must then be placed in the appropriate file for storage (e.g.,
at EPA Headquarters, a cover sheet would be placed in the CBIC file for that document).
Green cover sheets must be maintained for at least one complete audit cycle (see
Section 3.3.12.1(a)).

4.9.5 Contracts Involving TSCA CBI

The PO and DCO for the contract are responsible for ensuring that all TSCA CBI is
properly disposed of and accounted for at contract close-out. All logs and records used to
track and dispose of TSCA CBI must be submitted as part of the contract close-out. Any
unaccounted-for documents must be reported as required in CHAPTER 5.

CHAPTER 5

Procedures Violations, Unaccounted For Documents,
And Unauthorized Disclosures

5.0 INTRODUCTION

This Chapter details the reporting and investigative actions to be followed by TSCA CBI
authorized persons in the event of any possible violation of the requirements outlined in
this manual. Examples of such violations include cases of unaccounted for TSCA CBI
documents, as well as any disclosure of TSCA CBI to a person not authorized to receive it
under Section 14 of TSCA.
The protection procedures detailed in this Manual are enforceable by both the
administrative penalties and corrective actions set forth below. On policy issues, the IMD
Director should be consulted.

5.1 EMPLOYEE REPORTING PROCEDURES

5.1.1 Oral Report

Any TSCA CBI-cleared employee of EPA or another Federal agency must provide oral
notice to his or her immediate supervisor within one working day if he or she thinks it is
possible that:

• A TSCA CBI protection procedure has been violated.
• TSCA CBI is unaccounted for.
• TSCA CBI may have been disclosed to a person not authorized to receive it under
Section 14 of TSCA.

Contractor employees on the TSCA CBI Authorized Access List must provide oral notice
to their EPA Project Officer or PO designee within 1 business day if any of the above
situations occur. The EPA PO or PO designee must then report to the Division Director
(or equivalent manager in their organization).

5.1.2 Written Report
Federal and contractor employees must file a written report within 2 business days in any
of the same situations identified in Section 5.1.1 above (unless otherwise relieved of the
requirement by their management representative who is authorized to receive the report).
EPA and other federal employees must provide this written report to their Division
Director (or equivalent manager in their organization). Contractor employees must
provide the written report to their PO or PO designee.
The written report must include any relevant circumstances or facts known by the
employee, and describe any of the following:
• Possible violation of procedures.
• Possible unauthorized disclosure of TSCA CBI.
• Materials possibly unaccounted for.

To investigate what occurred, the employee and/or the employee’s supervisor should
examine files and discuss the matter with other individuals who may have first-hand
knowledge of the facts.
The employee’s division director (or equivalent) must review the employee’s report and
provide any additional comments or information. Within 2 business days of receiving the
report, the Division Director must refer the report to TSS. If the Division Director
reviews the employee’s report and determines there was no violation of procedures, loss
of TSCA CBI, or unauthorized disclosure, the report need not be referred.

5.2 REPORT OF VIOLATIONS TO TSS

This section applies in the case of a report referred to TSS by an employee’s supervisor
alleging a possible violation of the procedures contained in this manual, possible
unaccounted for TSCA CBI documents, or possible disclosure of TSCA CBI to a person
not authorized to receive it under Section 14 of TSCA.

5.2.1 TSS Investigation
Following review of the written report referred to TSS in the situations identified above,
TSS will conduct an investigation if it determines one is necessary. If, after reviewing the
written report, TSS determines that the facts do not warrant an investigation, TSS will
notify the employee’s Division Director in writing of this finding.

5.2.2 Oral Notice to Submitter
If TSS conducts an investigation and determines the likelihood of either an improper
disclosure of TSCA CBI under Section 14 of TSCA or the loss of a submitter’s TSCA
CBI, with the approval of the EAD Director TSS will notify the submitter by telephone
within 2 working days.

5.2.3 Report of Investigation (ROI)

Once the investigation is complete, TSS will provide the EAD Director with an ROI,
which will contain the following:

• A recitation of the factual circumstances of the violation.
• Conclusions, including:
  - Probability that an improper violation occurred.
  - Nature and degree of any violation.
  - Recommendations for remedial action or mitigation, including a report
    forwarded to the affected employee and supervisor identifying procedures for
    handling, using, and storing TSCA CBI.

The length and detail of this report is determined by the nature, degree and circumstances
of the alleged violation.

5.2.4 Company Notification of Improper Disclosure: EAD Director

After receiving an ROI, the EAD Director will authorize issuance of a written notice to
the affected company within 4 business days unless the EAD Director believes that the
reported disclosure did not occur. If it is determined that an improper disclosure probably
did occur, the written notice must identify the improperly disclosed document and the
date upon which such disclosure was deemed to have occurred. The EAD Director will
ensure that the submitter is contacted in writing and advised of the fact that it is unlikely
that the reported disclosure occurred, and take no further action.

5.2.5 Company Notification of Documents Unaccounted for: EAD Director

Following receipt of an ROI notifying the EAD Director of an unaccounted for CBI
document, the EAD Director will issue a written notice to the affected company within 4
business days if the document is not accounted for in that time. The written notice must
identify the lost or misplaced document and state the date on which it was deemed lost or
misplaced. If the EAD Director believes that the document in question is not
unaccounted for, she/he will ensure that the submitter is contacted in writing and advised
of this fact and take no further action.

5.2.6 Referral to the Inspector General

Upon consideration of the ROI, if there is any substantial evidence of a knowing or
willful disclosure of TSCA CBI, the EAD Director will immediately refer the matter to
the EPA Office of Inspector General.

5.2.7 Annual Security Report

On a fiscal year basis, TSS will provide a report to be distributed to the OPPT Director,
the EAD Director, the OPPT DCO, and others upon request, identifying the previous
year’s security violations by type and discussing trends, recognized vulnerabilities, and
other matters that may be of interest.

5.3 CORRECTIVE ACTION AND PENALTY GUIDELINES

The corrective actions and penalties described in this Chapter are intended to prevent or
discourage violations of this manual, and thereby better protect TSCA CBI. Penalties
imposed or actions taken must be fair, consistent, and well-reasoned.

5.3.1 Responsibility for Monitoring Compliance With Protection Manual

The responsibility for monitoring compliance with the procedures in this manual belongs
to the EAD Director. The Director will review the facts in a given case and, where
appropriate, recommend specific action, including the imposition of corrective actions,
administrative penalties or referral for criminal charges. Responsibility for implementing
the EAD Director’s recommended action, or devising and implementing an alternative
action, rests with the Division Director (or equivalent) of the EPA or federal employee
involved.

Nothing in this section should be construed to limit the Agency’s ability to end an
individual’s access to TSCA CBI any time it is viewed as necessary to protect
confidential data entrusted to the Agency or TSCA CBI access is viewed as no longer
necessary for the satisfactory performance of the person’s assigned duties.

5.3.2 Violations by Federal Employees

After a finding of a likely violation of the rules in this manual, the EAD Director will
notify the EPA or federal employee’s Division Director (or equivalent) and discuss the
structure of any administrative penalties and corrective actions. The EAD Director may
recommend that the employee’s Division Director select and impose an appropriate
penalty chosen from the ones identified in this section after weighing the totality of
circumstances in each case (see Figure 5-1). In consultation with the EAD Director, the
employee’s Division Director must consider the following:

• Seriousness of the violation.

• Potential for unauthorized disclosure of TSCA CBI because of the violation.

• Nature of the employee’s error (e.g., accidental, willful, or grossly negligent).

• If the employee has previously committed any other TSCA CBI violation.

• How often the employee uses or handles TSCA CBI while performing his/her
official duties.

Corrective actions may be procedural or instructional, and may include training, revision
of work procedures, removal of the individual’s name from the TSCA CBI Authorized
Access List, and other options.

The employee’s Division Director (or other appropriate authority in the employee’s
organization) should select, upon the EAD Director’s recommendation, an administrative
penalty when the employee was grossly negligent or previously incurred a prior violation,
even if the violation were not serious. A table of suggested administrative penalties
appears below.

NOTE: The Terms “SUSPENSION” and “REMOVAL” in the table below relate
only to TSCA CBI access, and not to federal employment.
Nothing in this Section prevents the employee’s supervisor from imposing
other penalties in addition to those discussed in the table below.

Figure 5-1. ADMINISTRATIVE PENALTIES

[Table layout lost in extraction. Surviving cell text: “1-day suspension to”; “Oral or written”; “7-day suspension to”; “Removal.”]

• These penalties cover only deliberate procedural violations that do not result in the
unauthorized disclosure of TSCA CBI. If EAD’s investigation reveals any
evidence of the knowing and willful unauthorized disclosure of TSCA CBI, the
matter will be immediately referred to the EPA Office of Inspector General. The
suggested penalties in the above table do not replace or supersede the existing
authority of the IMD Director to suspend the TSCA CBI access of any employee
for the purpose of protecting TSCA CBI.

A federal employee who has been found to have willfully disclosed TSCA CBI to a
person not authorized under Section 14 of TSCA may be liable under Section 14(d) of the
Act, 15 U.S.C. 2613(d), for a fine of up to $5,000 and/or imprisonment for up to one year.
The EAD Director has the option of recommending that no action, or a different action,
be taken if, for example,

• fault cannot be ascribed to any individual or

• a modification of TSCA CBI handling procedures would yield no greater level of
protection to TSCA CBI.

5.3.3 Violations by Contractor Employees

A contractor imposes corrective or disciplinary measures on its employees. Although the
particular disciplinary action a contractor chooses to impose is a matter for the contractor
to decide, a failure on the part of a contractor employee to follow the procedures in this
manual may be considered a material breach of the contract if the contractor does not take
adequate and appropriate disciplinary and corrective actions.

The IMD Director may suspend the TSCA CBI access of a contractor employee to protect
against imminent threat to TSCA CBI security. The IMD Director maintains the right to
suspend the TSCA CBI access of any contractor employee without consultation with the
contractor or going through the contract administrative process if there is imminent cause
for doing so which relates directly to the government’s mandate of protecting TSCA CBI.
A contractor employee who is found to have willfully disclosed TSCA CBI to a person
not authorized under Section 14 of TSCA may be liable under Section 14(d) of the Act,
15 U.S.C. 2613(d), for a fine of up to $5,000 and/or imprisonment for up to one year.

5.4 OPPT DIRECTOR AS ARBITER

Where disagreements arise between Headquarters divisions, or between Headquarters
divisions and Regional offices, regarding objective assessments of violations, the OPPT
Director will arbitrate all time-sensitive matters within 24 hours of referral. Other matters
not facing legal time limits will be arbitrated within a reasonable time.

Appendix A

Please read Privacy Act Statement and instructions on reverse before completing this form.
United States Environmental Protection Agency
Washington, DC 20460

TSCA CBI Access Request, Agreement, and Approval
Section I. – Access Request
1. Name (Last, First, MI)

2. 9-Digit ID Number (e.g., SSN)

3. Telephone Number

4. Requestor (Agency/Office/Division/Branch)

5. Document Control Officer (DCO)

6. DCO Telephone Number

7. TSCA Sections for which access is required. Check all that apply. Use blank space to request other sections not listed.

_____ ALL - OR - 4 ___ 5 ___ 6 ___ 8 ___ 12 ___ 13 ___ 21 ___ _________ Other

8. Justification for TSCA CBI access. Select appropriate code from instructions on reverse side. (Check one for all that apply).

______ A ______ B ______ C ______ D List Justification on reverse side

Section II. – Contract Information - Contractor Employees Only
9. Employer’s Name

10a. Employer’s Address

10b. City

10c. ST

10d. Zipcode

11. Contract Number

12. EPA Project Officer

13. EPA Project Officer Telephone

Section III. – OPPT Secure Storage Area Access – HQ Federal and HQ Contractor Employees Only
14. Check if EPA ID Badge. Badge is required.
Yes (New)

Need Replacement

No (List Present EPA ID Badge Number ___________________________)

15. List OPPT Restricted areas by Division to which physical access is required.
Home Division (24 hour access)

Other Divisions (6A.M. – 6P.M. only)

Access to CBIC Only

IMD (DCO and IMD Computer Rms.)

16. List OPPT areas by Division and Room Number for which Alarm Activation/Deactivation Authority is requested.

Section IV. – Confidentiality Agreement
I understand that I will have access to certain Confidential Business Information submitted under the Toxic Substances Control Act (TSCA, 15 USC 2601 et seq.). This access has been granted in accordance with
my official duties relating to Environmental Protection Agency programs.
I understand that TSCA CBI may be used only in connection with my official duties and may not be disclosed except as authorized by TSCA and Agency regulations. I have received a copy of, and understand the
procedures set forth in, the TSCA CBI Protection Manual. I agree that I will treat any TSCA CBI furnished to me as confidential and that I will follow these procedures.
I understand that under section 14(d) of TSCA (15 USC 2613(d)), I am liable for a possible fine of up to $5,000 and/or imprisonment for up to one year if I willfully disclose TSCA CBI to any person not authorized to
receive it. In addition, I understand that I may be subject to disciplinary action for violation of this agreement with penalties ranging up to and including dismissal.
I understand that my obligation to protect TSCA CBI, which has been disclosed to me as part of my official job duties, continues after either termination of my assignment or termination of my employment.
I certify that the statements I have made on this form and all attachments thereto are true, accurate, and complete. I acknowledge that any knowingly false or misleading statement may be punishable by fine or
imprisonment or both under applicable law.
17. Signature of Employee

18. Date

Section V. – Requesting Official Approval
19. TSCA CBI Security Briefing Date

20. Name and Signature of Requesting Official. (Immediate Supervisor – EPA Project Officer for Contractors) As the
immediate supervisor of (or the EPA Project Officer for) the above mentioned employee, I certify he/she has successfully
completed a TSCA CBI Security Briefing on the date shown.
Name

Signature

21. Date

22. Date Received

23. Approved (TSCA Security Official Signature)

24. Approval Date

DCO Code

Barcode

Status Code

Alarm Zones

Data Entry Date and Initials
1.

EPA Form 7740-6 (Rev. 10-03). Replaces previous version of 7740-6 and 7740-6A.

2.

Paperwork Reduction Act Notice
The public reporting burden for the collection of information is estimated to average .84 hours per response. This estimate includes time for
reviewing instructions, gathering and maintaining the needed data, and completing and reviewing the collection of information. Send comments
regarding the burden estimate or any other aspect of this collection of information to the Director, Collection Strategies Division, US Environmental
Protection Agency (2822T), 1200 Pennsylvania Ave., NW, Washington DC 20460, and to the Office of Information and Regulatory Affairs, Office of
Management and Budget, Washington, DC 20503, marked ATTENTION: Desk Officer for EPA. Include the OMB No. identified on page 1 in any
correspondence. Do not send the completed form to this address. Submit the form in accordance with the instructions in the CBI Manual.

Privacy Act Statement
Furnishing your Social Security Number is voluntary, but encouraged. The information on this form is used by EPA to maintain a record of
those persons cleared for access to TSCA Confidential Business Information (CBI) and to maintain the security of TSCA CBI.
Disclosure of information from this form may be made to the Office of Pollution Prevention and Toxics (OPPT) contractors in order to carry out
functions for EPA compatible with the purpose for which this information is collected; to other Federal agencies when they possess TSCA CBI and
need to verify clearance to EPA and EPA contractor employees for access; to the Department of Justice when related to litigation or anticipated
litigation involving the records or the subject matter of the records; to the appropriate Federal, State or local agency charged with enforcing a statute or
regulation, violation of which is indicated by a record in this system; where necessary, to a State, Federal or local agency maintaining information
pertinent to hiring, retention, or clearance of an employee, letting of a contract, or issuance of a grant or other magistrate or administrative tribunal; in
the course of litigation under TSCA; and to a member of Congress acting on behalf of an individual to whom records in this system pertain.

Instructions for Form Completion

Section I – To be completed by all
1. List Full Name
2. List 9-Digit ID (e.g., SSN)
3. List Telephone number of person in item 1
4. List Full Acronym of Requesting Office (i.e. EPA Office in which the individual works or, for contractor employees, the EPA Office with which the contract is held)
5. List the immediate Document Control Officer for the office in which the individual works
6. List the telephone number of the Document Control Officer
7. Check the TSCA Sections for which access is requested or check ALL if applicable
8. Circle the appropriate Access Justification Code
A. Employee is an EPA employee or EPA contractor employee whose work assignments involve the New and/or Existing Chemical Programs of TSCA. Hence access to the TSCA sections listed in item 7 of this form is required in performance of his/her duties.
B. Employee is an EPA employee or EPA contractor employee whose work entails the administration of computer systems housing TSCA CBI. Hence access to the TSCA sections listed in item 7 of this form is required.
C. Employee is an EPA employee or EPA contractor employee whose work entails physical security or maintenance for TSCA CBI secure storage areas. Although employee will not actually work with any TSCA CBI materials, access to the TSCA sections listed in item 7 of this form is required.
D. List Justification here

Section II – To be completed by Contractor Employees only
9. List Employer’s name
10a-d. List Employer’s address
11. List Contract number
12. List EPA Project Officer’s name
13. List EPA Project Officer’s telephone number

Section III – To be completed by HQ Federal and HQ Contractor employees only
NOTE: These procedures apply only to employees requiring access to OPPT Secure Storage areas. All others follow standard Agency procedures.
14. Check either box a, b, c or (c&d) for EPA ID badge or Contractor Building Pass. If box c is checked, write in badge number.
a. Yes - Check if new employee getting first EPA ID Badge. (New programmed badge and barcode)
b. Need Replacement - Check if replacement ID Badge is needed (replacement badge and barcode)
c. No - Existing badge needs programming. List ID Badge no.
15. Check and list OPPT secured areas for which access (via “RUSCO” electronic door control system) is required. List Division acronyms for the requested areas.
Home Division - List Division in which employee works
Other Divisions - List other OPPT Divisions for which unrestricted daytime access is requested
CBIC Only - To be checked for those who only need to access the Confidential Business Information Center.
IMD Areas - Employees who need to regularly access the IMD Document Control Office Suite should circle DCO in the fourth block. Only IMD staff and contractors who work in IMD computer rooms should circle IMD Computer Rooms.
16. List OPPT areas by Division and Room numbers for which Alarm Activation/Deactivation authority is requested. Generally, this is employee’s home Division only.

Section IV – To be completed by all
17. Employee Signature (must be original)
18. Signature Date

Section V – To be completed by all
19. Enter date employee attended TSCA CBI Security Briefing
20. Immediate Supervisor/EPA Project Officer’s name and signature.
21. Date of signature

Section VI – To be completed by OPPT Security

TSCA CBI Protection Manual

Appendix B

Appendix C

Appendix D

Appendix E

EPA Form 7740-28 (rev. 10-03)

Appendix F

Appendix G

Appendix H

Appendix I

Appendix J

Appendix K

Appendix L

Appendix O

Appendix P

Appendix Q

Appendix R

Appendix S

Appendix T

Stamp to Use when Material contains TSCA CBI

Stamp to Use when Material contains No TSCA CBI

Appendix U
Enter Document Control Number or
Bar Code

United States Environmental Protection Agency
Washington, D.C. 20460

Document Description

Date

CONFIDENTIAL
TOXIC SUBSTANCES CONTROL ACT
CONFIDENTIAL BUSINESS INFORMATION
Does not contain National Security Information (E.O. 12065)

The attached document contains Confidential Business Information
obtained under the Toxic Substances Control Act (TSCA 15 U.S.C.
2601 et seq.) TSCA Confidential Business Information may not be
disclosed further or copied by you except as authorized in the
procedures set forth in the TSCA Confidential Business Information
Protection Manual.
If you willfully disclose TSCA Confidential Business Information to
any person not authorized to receive it, you may be liable under
section 14(d) of TSCA (15 U.S.C. 2613(d)) for a possible fine up to
$5,000 and/or imprisonment for up to one year. In addition,
disclosure of TSCA Confidential Business Information or violation
of the procedures cited above may subject you to disciplinary action
with penalties ranging up to and including dismissal.
If you are not authorized for TSCA confidential business information
(CBI) access, do not look at this document. If you find this document,
place it in a sealed envelope or other secure container and immediately
give it to your supervisor or a TSCA CBI Document Control Officer
for safekeeping and safe return.

EPA Form 7740-9 (rev. 10-03) Previous edition is obsolete

Appendix V

Appendix W

Appendix X

Appendix Y

Appendix Z

Appendix AA

Appendix BB


File Type: application/pdf
File Modified: 2004-06-24
File Created: 2004-04-26
