Billing Code: 3410

DEPARTMENT OF AGRICULTURE

Office of the Chief Information Officer

AGENCY: Office of the Chief Information Officer, USDA

ACTION: Notice of proposed new system of records; request for comments.

SUMMARY: Notice is hereby given that the United States Department of Agriculture (USDA) proposes to create a new Privacy Act system of records, entitled “USDA eAuthentication Service”. The system is owned, administered, and secured by the Office of the Chief Information Officer (OCIO), a USDA staff office. The primary purpose of the eAuthentication Service is to provide verification of customer identity, authorization, and electronic signatures for USDA application and service transactions.

EFFECTIVE DATE: This notice will be adopted without further publication on [Insert date 30 days after publication in the Federal Register] unless modified by a subsequent notice to incorporate comments received from the public. USDA invites comments on all portions of this notice. Comments must be received by the contact listed on or before [Insert date 30 days after publication in the Federal Register].

FOR FURTHER INFORMATION CONTACT: Owen Unangst, Program Manager, Office of the Chief Information Officer, United States Department of Agriculture, NRCS Information Technology Center, 2150 Centre Avenue Building A, Fort Collins CO 80526-1891 or via email at owen.unangst@ftc.usda.gov.

SUPPLEMENTARY INFORMATION: The Privacy Act (5 U.S.C. 552a(e)(4)) requires the Department to publish in the Federal Register this notice of new or revised systems of records managed by the Department. Pursuant to the Government Paperwork Elimination Act (GPEA, Pub. L. 105-277), the Freedom to E-File Act (Pub. L. 106-222), the Electronic Signatures in Global and National Commerce Act (E-SIGN, Pub. L. 106-229), and the eGovernment Act of 2002 (H.R. 2458), USDA is creating a new system of records entitled “USDA eAuthentication Service” to be managed by the USDA Office of the Chief Information Officer (OCIO).

GPEA requires that Federal agencies provide citizens with secure electronic options for forms, filings, and other transactions needed to conduct official business with the government. The eAuthentication Service provides a trusted and secure infrastructure, which is primary to the delivery of eGovernment services in a GPEA compliant manner. eAuthentication supports citizens’ capabilities to conduct transactions with USDA by providing single sign-on capability to access USDA applications and services via the Internet, management of user credentials, and verification of identity, authorization, and electronic signatures with USDA, its agencies, and partners. Benefits to citizens and USDA include a secure, consistent method of electronic authentication, a reduction in the cost to maintain redundant registration information, and reduced authentication system development and acquisition costs.

USDA eAuthentication collects information from citizens in order to provide accounts that facilitate the electronic authentication and authorization. The credentials and permissions associated with an account are what authenticate and authorize a user to access a requested USDA resource. USDA obtains customer information through an electronic self-registration process provided through the eAuthentication Web site. The collected information will be secured in two ways: appropriate technical security will be in place both during storage and transit; the physical security of the system will be provided by the hosting facility which restricts access to authorized personnel.

USDA customers can self-register for a Level 1 or Level 2 Access account. A Level 1 Access account provides users with limited access to USDA Web site portals and applications that have minimal security requirements.
A Level 2 Access account enables users to conduct official electronic business transactions via the Internet, enter into a contract with USDA, and submit information electronically via the Internet to USDA Agencies. Due to the increased customer access associated with a Level 2 Access account, customers must be authenticated in person at a USDA Office by a local registration authority, in addition to an electronic self-registration. Once an account is activated, customers may use the associated user ID and password that they created to access USDA resources that are protected by the eAuthentication Service.

System of Records

System Name: USDA eAuthentication Service

Security Classification: None

System Location: USDA-NRCS Information Technology Center, 2150 Centre Avenue Building A, Fort Collins, CO 80526-1891; USDA-Rural Development, 1520 Market Street, St. Louis MO 63103.

Categories of Individuals Covered by the System: This system contains records and related correspondence on individuals who can access USDA applications and services that are protected by eAuthentication. This includes members of the public and USDA employees.

Categories of Records in the System: The eAuthentication system will collect the following information from individuals when transacting electronically with USDA: name, address, country of residence, telephone, email address, date of birth, and mother’s maiden name. The system will also require users to create a user ID and password.

Authority for Maintenance of the System: Government Paperwork Elimination Act (GPEA, Pub. L. 105-277) of 1998; Freedom to E-File Act (Pub. L. 106-222) of 2000; Electronic Signatures in Global and National Commerce Act (E-SIGN, Pub. L. 106-229) of 2000; eGovernment Act of 2002 (H.R. 2458).

Purpose(s): The records in this system are used to electronically authenticate and authorize users accessing protected USDA applications and services.
Routine Uses of Records Maintained in the System, Including Categories of Users and the Purposes of Such Uses:

1. Disclosure to USDA applications protected by eAuthentication, as a user requests access to individual applications.

2. Disclosure to external web applications integrated with the government’s federated architecture for authentication. Under this architecture, the user will request access to an external application with their USDA credential prior to any disclosure of information. All external applications will have undergone rigorous testing before joining the architecture.

3. Referral to the appropriate agency, whether Federal, State, local, or foreign, charged with the responsibility of investigating or prosecuting violation of law, or of enforcing or implementing a statute, rule, regulation, or order issued pursuant thereto, of any record within this system when information available indicates a violation or potential violation of law, whether civil, criminal, or regulatory in nature.

4. Disclosure to a court, magistrate, or administrative tribunal, or to opposing counsel in a proceeding before a court, magistrate, or administrative tribunal, of any record within the system that constitutes evidence in that proceeding, or which is sought in the course of discovery, to the extent that USDA determines that the records sought are relevant to the proceeding.

5. Disclosure to a congressional office from the record of an individual in response to any inquiry from the congressional office made at the request of that individual.

6. Disclosure at the individual’s request to any Federal department, State or local agencies, or USDA partner utilizing or interfacing with eAuthentication to provide electronic authentication for electronic transactions. The disclosure of this information is required to securely provide, monitor, and analyze the requested program, service, registration, or other transaction.

7. Disclosure to USDA employees or contractors, partner agency employees or contractors, or private industry employed to identify patterns, trends, and anomalies indicative of fraud, waste, or abuse.

8. Disclosure to determine compliance with program requirements.

Policies and Practices for Storing, Retrieving, Accessing, Retaining, and Disposing of Records in the System:

Storage: Records are stored and maintained electronically on USDA owned and operated systems in St. Louis, MO and Fort Collins, CO.

Retrievability: Records can be retrieved by name, username, or system ID.

Safeguards: Records are accessible only to authorized personnel. Protection of the records is ensured by appropriate technical controls. The physical security of the system is provided by restricted building access. In addition, increased security is provided by encryption of data when transmitted. The system has undergone a Certification and Accreditation.

Retention and Disposal: Since records are maintained electronically, they will be retained indefinitely.

System Manager and Address: Owen Unangst, NRCS Information Technology Center, 2150 Centre Avenue Building A, Fort Collins CO 80526-1891.

Notification Procedure: An individual may request information regarding this system of records or information as to whether the system contains records pertaining to such individual from the Fort Collins office. The request for information should contain the individual’s name, username, address, and email address. Before information of any record is released, the system manager may require the individual to provide proof of identity or require the requester to furnish authorization from the individual to permit release of information.
Record Access Procedures: An individual may obtain information as to the procedures for gaining access to a record in the system, which pertains to such individual, by submitting a request to the Privacy Act Officer, 1400 Independence Avenue SW, South Building, Washington, DC 20250-3700. The envelope and letters should be marked “Privacy Act Request.” A request for information should contain name, address, username, name of system of records, year of records in question, and any other pertinent information to help identify the file.

Contesting Record Procedures: Procedures for contesting records are the same as procedures for record access. Include the reason for contesting the record and the proposed amendment to the information with supporting documentation to show how the record is inaccurate.

Record Source Categories: Information from the system will be submitted by the user. When a user wishes to transact with USDA or its partner organizations electronically, the user must enter name, address, country of residence, telephone, date of birth, mother’s maiden name, username, and password. As the USDA eAuthentication Service is integrated with other government or private sector authentication systems, data may be obtained from those systems to facilitate single sign-on capabilities.

Exemptions Claimed for this System: None.

Dated: _________________________________

Mike Johanns
Secretary