90 FR 97 pgs. 21815-21817 - Privacy Act of 1974; Systems of Records
Type: NOTICEVolume: 90Number: 97Pages: 21815 - 21817
Pages: 21815, 21816, 21817FR document: [FR Doc. 2025-09116 Filed 5-20-25; 8:45 am]
Agency: Small Business Administration
Official PDF Version: PDF Version
[top]
SMALL BUSINESS ADMINISTRATION
Privacy Act of 1974; Systems of Records
AGENCY:
U.S. Small Business Administration.
ACTION:
Notice of a Modified System of Records.
SUMMARY:
The U.S. Small Business Administration (SBA) proposes a modified system of records, Personnel Security Files (SBA 24), to update its inventory of records systems subject to the Privacy Act of 1974, as amended. Publication of this notice complies with the Privacy Act and the Office of Management and Budget (OMB) Circular A-108 and Circular A-130. Personnel Security Files (SBA 24) serves as a centralized repository for active and inactive personnel security files to include information from authorized background investigations which supports the SBA's clearance process. The changes include updating the format, updating the system of records name/title, changing the designation of the system manager, and updating information concerning the location of the system of records, referencing the authority for maintaining the records, modifying routine use (M), adding two new routine uses (N) and (O), respectively, and making certain clerical and clarifying revisions.
DATES:
Submit written comments on or before June 20, 2025. This revised system will be effective upon publication. Routine uses will become effective on the date following the end of the comment period unless comments are received which result in a contrary determination.
ADDRESSES:
You may submit comment on this notice, identified by [SBA-2024-0012], by any of the following methods.
Federal e-Rulemaking Portal : http://www.regulations.gov: Follow the instructions for submitting comments. Mail/Hand Delivery/Courier: Submit written comments to: Zina Hardy, Deputy Director, Office of Personnel Security Office, U.S. Small Business Administration, 409 3rd Street SW, Washington, DC 20416.
FOR FURTHER INFORMATION CONTACT:
General or security questions please contact Joseph L. Eitel, Director, Personnel Security, Small Business Administration, 721 19th Street, Room 392, Denver, CO 80202, via email Joseph.Eitel@sba.gov, telephone 303-844-7750 or Cybersecurity inquiries, Michael Post, (Acting) Chief Information Security Officer, Office of the Chief Information Officer, U.S. Small Business Administration, 4089 3rd Street SW, Suite 4000, Washington, DC 20416, email address Michael.Post@sba.gov, telephone 202-205-3645. For Privacy related matters, contact LaWanda Burnette, Chief Privacy Officer, Office of the Chief Information Officer, or via email to PrivacyOfficer@sba.gov.
SUPPLEMENTARY INFORMATION:
The Privacy Act of 1974 (5 U.S.C. 552a), as amended, embodies fair information practice principles in a statutory framework governing how federal agencies collect, maintain, use, and disseminate individuals' personal information. The Privacy Act applies to records about individuals that are maintained in a "system of records." A system of records is any group of records under the control of a federal agency from which information is retrieved by the name of an individual or by a number, symbol or any other identifier assigned to the individual. The Privacy Act requires each federal agency to publish a system of records notice (SORN) in the Federal Register identifying and describing: (1) each system of record the agency maintains, (2) the purpose for which the agency uses personally identifiable information (PII) in the system, (3) the routine uses for which the agency discloses such information outside the agency, and (4) how individuals can exercise their rights related to their PII information.
The SBA is required to complete background investigations for suitability and security clearance determinations to ensure individuals supporting the Agency are deemed reliable, trustworthy, and suitable for the role they will fulfill. The Agency's Office of Personnel Security utilizes the Automated Background Investigation System (ABIS), a commercial off the shelf (COTS) web-based system, to support the collection of data that is used by the Bureau to initiate background investigations.
This system of records is comprised of electronic documents managed by the Office of Personnel Security and the Office of the Chief Information Officer.
SYSTEM NAME AND NUMBER:
Automated Background Investigation System Personnel Security Files (SBA ABIS PSF 24).
SECURITY CLASSIFICATION:
Controlled Unclassified Information.
SYSTEM LOCATION:
SBA Headquarters, 409 3rd Street SW, Washington, DC.
SYSTEM MANAGER(S):
Joseph L. Eitel, Director, Personnel Security, SBA, 721 19th Street, Room 392, Denver, CO 80202.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
15 U.S.C. Chapters 14A and 14B; 44 U.S.C. 3101, Executive Order 12968, 5 CFR 731, Executive Order 10450, as amended.
PURPOSE(S) OF THE SYSTEM:
In accordance with E.O. 10450 and E.O. 12968 and 5 CFR 731, the system is used receive requests for background investigations, pre-screen applicants and contractors (granting them approval to enter on duty), forward investigative requests to DCSA for processing, adjudicate completed investigations, grant or deny national security clearances, make final determinations, provide due process, and report the adjudication results.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Active, inactive, and former SBA employees.
CATEGORIES OF RECORDS IN THE SYSTEM:
[top] Personnel security files for persons covered by this system, including names, both former and aliases, date and place of birth, contact information, addresses, employment and education history, financial information, health records, personnel actions, Office of Personnel Management (OPM), and/or
RECORD SOURCE CATEGORIES:
SBA active, inactive, and former employees, Office of Human Resources Solutions, Office of Personnel Security, Office of the Administrator-Chief Operating Officer, witnesses, and OPM.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:
A. To the federal, state, local or foreign agency or professional organization which investigates, prosecutes, or enforces violations, statutes, rules, regulations, or orders issued when the Agency identifies a violation or potential violation of law whether arising by general or program statute, or by regulation, rule, or order.
B. To other federal agencies, upon request, that are conducting background checks.
C. To a grand jury, court, magistrate, administrative tribunal, or to opposing counsel in the course of hearings, trials, or settlement negotiations.
D. To a congressional office in response to an inquiry on an individual's record, when that office is inquiring at the request of, and on behalf of, the individual, when the congressional member's access rights are no greater than the individual's.
E. To SBA volunteers, contractors, interns, grantees, experts and who have been engaged by SBA to assist in the performance of a service related to this system of records and who need access to the records in order to perform this activity. Recipients of these records shall be required to comply with the requirements of the Privacy Act of 1974, as amended, 5 U.S.C. 552a.
F. To OPM in accordance with that agency's authority to evaluate federal personnel management.
G. To the Merit Systems Protection Board in connection with its consideration of appeals of personnel actions.
H. To any federal, state, local, foreign, or international agency, in connection with their assignment, hiring or retention of an individual, issuance of a security clearance, reporting of an investigation of an individual, letting of a contract or issuance of a license, grant or other benefit, to the extent the information is relevant to their decision on the matter.
I. To a grand jury agent pursuant either to a federal or state grand jury subpoena or to a prosecution request that record be released for introduction to a grand jury.
J. To the Office of Government Ethics for any purpose consistent with their mission.
K. To the Department of Justice (DOJ) when any of the following is a party to litigation or has an interest in such litigation, and the use of such records by DOJ is deemed by SBA to be relevant and necessary to the litigation, provided, however, that in each case, SBA determines the disclosure of the records to DOJ is a use of the information contained in the records that is compatible with the purpose for which the records were collected: SBA, or any component thereof; any SBA employee in their official capacity; any SBA employee in their individual capacity where DOJ has agreed to represent the employee; or The United States Government, where SBA determines that litigation is likely to affect SBA or any of its components.
L. In a proceeding before a court, or adjudicative body, or a dispute resolution body before which SBA is authorized to appear or before which any of the following is a party to litigation or has an interest in litigation, provided, however, that SBA determines that the use of such records is relevant and necessary to the litigation, and that, in each case, SBA determines that disclosure of the records to a court or other adjudicative body is a use of the information contained in the records that is a compatible purpose for which the records were collected: SBA, or any SBA component; any SBA employee in their official capacity; any SBA employee in their individual capacity where DOJ has agreed to represent the employee; or The United States Government, where SBA determines that litigation is likely to affect SBA or any of its components.
M. To appropriate agencies, entities, and persons when (1) SBA suspects or has confirmed that there has been a breach of the system of records,· (2) the SBA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, SBA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with SBA's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
N. To another federal agency or federal entity, when SBA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
O. To Department of Defense the adjudication of investigative files and verification of all National Security clearance holders.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Compliance with federal laws, executive orders, SBA policies and procedures, and other applicable guidelines. Records in this system are stored in a locked, controlled access room and restricted access electronic data systems. OPM National Agency checks that are not immediately referred to OPM are maintained in a physically locked controlled access room with restricted access electronic data systems.
POLICIES AND PRACITICES FOR RETRIEVAL OF RECORDS:
Records are retrieved by employee's full name, social security number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Compliance with federal laws, (Federal Records Act), executive orders, SBA policies and procedures (SOP 90-47 and SOP 00-41 latest editions, and other applicable guidelines.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Administrative controls include all users must take Cybersecurity Awareness Training which includes a Privacy module and Rules of Behavior annually and prior to using the system. User access is provided based upon approval of the system administrator.
Technical controls include multi factor authentication, least privilege, encryption in transit and at rest, event logging and monitoring, dynamic IP, Discretionary Access Control Lists (DACLs) and Role Based permissions. ABIS generates event logs that record all activity in the system, including successful and unsuccessful login attempts, the user that attempted the action, the IP address the action originated from, records that were accessed and any additional information about the requests. These requests are monitored routinely.
[top] Servers are protected within a controlled and secure room in SBA headquarters. Computers are accessed
RECORDS ACCESS PROCEDURES:
Individuals wishing to request access to records about them should submit a Privacy Act request to the SBA Chief, Freedom of Information and Privacy Act Office, U.S. Small Business Administration, 409 Third St. SW, Eighth Floor, Washington, DC 20416 or FOIA@sba.gov. Individuals must provide their full name, mailing address, personal email address, telephone number, and a detailed description of the records being requested. Individuals requesting access must also follow SBA's Privacy Act regulations regarding verification of identity and access to records (13 CFR part 102 subpart B). The section of this notice titled EXEMPTIONS PROMULGATED FOR THE SYSTEM indicates the kinds of material exempted and the authority for exempting them from access. Individuals wishing to request access to their records which may fall under exemptions or are uncertain of the request, should contact the Director, Office of Personnel Security, 721 19th Street, Rm. 392, Denver, CO 80202.
CONTESTING RECORD PROCEDURES:
Notify system manager, Joseph L. Eitel, Director, Personnel Security, SBA, 721 19th Street, Room 392, Denver, CO 80202, and state reason(s) for contesting and the proposed amendment(s) sought.
NOTIFICATION PROCEDURES:
Individuals may make record inquiries in writing to the system manager, Joseph L. Eitel, Director, Personnel Security, SBA, 721 19th Street, Room 392, Denver, CO 80202.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
Pursuant to 5 U.S.C. 552a(k)(5), all investigatory material in the record compiled for law enforcement purposes or for the purpose of determining suitability, eligibility, or qualifications for federal civilian employment, federal contracts, or access to classified information is exempt from the notification, access and contest requirements under 5 U.S.C. 552a(c)(3), (d), (e)(1), (e)(4)(G), (H), and (I) and (f) of the Privacy Act of 1974. This exemption is necessary in order to fulfill commitments made to protect the confidentiality of sources and to maintain access to sources necessary in making determinations of suitability for employment.
Small Business Administration Record Rules: 72 FR 17367 (April 9, 2007) and 82 FR 46369 (October 5, 2017).
HISTORY:
[FR Doc. 2009-14896, Vol. 74, No. 61] and [FR Doc. 2004-58598, Vol. 69, No. 189].
Joseph L. Eitel,
Executive Director (Acting), Office of Executive Management, Installation and Support Services, U.S. Small Business Administration.
[FR Doc. 2025-09116 Filed 5-20-25; 8:45 am]
BILLING CODE 8025-09-P