SYSTEM OF RECORDS NOTICES (SORNs)
GOVERNMENT WIDE NOTICES
General Services Administration
Access Certificates for Electronic Services (ACES) (May 28, 1999, 64 FR 29032).
System records are maintained for the General Services Administration (GSA) by contractors at various physical locations. A complete list of locations is available from: Administrative Contracting Officer, FEDCAC, Federal Technology Service, General Services Administration, 7th and D Streets, SW, Room 5060, Washington, DC 20407; telephone (202) 708-6099.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Individuals covered are persons who have applied for the issuance of a digital signature certificate under the ACES program; have had their certificates amended, renewed, replaced, suspended, revoked, or denied; have used their certificates to electronically make contact with, retrieve information from, or submit information to an automated information system of a participating agency; have requested access to ACES records under the Freedom of Information Act (FOIA) or Privacy Act; and have corresponded with GSA or its ACES contractors concerning ACES services.
CATEGORIES OF RECORDS IN THE SYSTEM:
The system contains information needed to establish and verify the identity of ACES users, to maintain the system, and to establish accountability and audit controls. System records include:
- Applications for the issuance, amendment, renewal, replacement, or revocation of digital signature certificates under the ACES program, including evidence provided by applicants or proof of identity and authority, and sources used to verify an applicant's identify and authority.
- Certificates issued.
- Certificates denied, suspended, and revoked, including reasons for denial, suspension, and revocation.
- A list of currently valid certificates.
- A list of currently invalid certificates.
- A file of individuals requesting access and those granted access to ACES information under FOIA or the Privacy Act.
- A file of individuals requesting access and those granted access for reasons other than FOIA or the Privacy Act.
- A record of validation transactions attempted on digital signature certificates issued by the system.
- A record of validation transactions completed on digital signature certificates issued by the system.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Section 5124(b) of the Clinger-Cohen Act of 1996, 40 U.S.C. 1424, which provides authority for GSA to develop and facilitate government-wide electronic commerce resources and services, and the Paperwork Reduction Act, 44 U.S.C. 3501, et seq., which provides authority for GSA to manage Federal information resources.
To establish and maintain an electronic system to facilitate secure, on-line communication between Federal automated information systems and the public, using digital signature technologies to authenticate and verify identity.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:
Information from this system may be disclosed as a routine use:
- To GSA ACES program contractors to compile and maintain documentation on applicants for proofing applicants' identity and their authority to access information system applications of participating agencies.
- To GSA ACES program contractors to establish and maintain documentation on information sources for verifying applicants' identities.
- To Federal agencies participating in the ACES program to determine the validity of applicants' digital signature certificates in an on-line, near real time environment.
- To GSA, participating Federal agencies, and ACES contractors, for ensuring proper management, ensuring data accuracy, and evaluation of the system.
- To Federal, State, local or foreign agencies responsible for investigating, prosecuting, enforcing, or carrying out a statute, rule, regulation, or order when GSA becomes aware of a violation or potential violation of civil or criminal law or regulation.
- To a member of Congress or to a congressional staff member in response to a request from the person who is the subject of the record.
- To an expert, consultant, or contractor of GSA in the performance of a Federal duty to which the information is relevant.
DISCLOSURE TO CONSUMER REPORTING AGENCIES
Disclosure of system records to consumer reporting systems is not permitted.
POLICIES AND PRACTICES FOR STORING, RETRIEVING, ACCESSING, RETAINING, AND DISPOSING OF RECORDS IN THE SYSTEM:
All records are stored by GSA ACES contractors or by GSA as hard copy documents and/or on electronic media.
Records are retrievable by a personal identifier or by other appropriate type of designation approved by GSA and made available to ACES participants at the time of their application for ACES services.
System records are safeguarded in accordance with the requirements of the Privacy Act, the Computer Security Act, and OMB Circular A-130, Appendices I and III. Technical, administrative, and personnel security measures are implemented to ensure confidentiality and integrity of the system data stored, processed, and transmitted. The ACES System Security Plan, approved by GSA for each ACES contractor, provides for inspections, testing, continuity of operations, and technical certification of security safeguards. GSA accredits and annually re-accredits each contractor system prior to its operation.
RETENTION AND DISPOSAL:
System records are retained and disposed of according to GSA records maintenance and disposition schedules and the requirements of the National Archives and Records Administration.
System Manager(s) and Address:
Administrative Contracting Officer, FEDCAC, Federal Technology Service, General Services Administration, Room 5060, 7th and D Streets, SW, Washington, DC 20407.
Inquiries from individuals should be addressed to the system manager. Applicants for digital signature certificates will be notified by the GSA ACES contractor which facilitates individual access to the relevant Federal agency database as follows:
- Each applicant will be provided, on a Government-approved form that can be retained by the individual applicant, the principal purposes of the ACES program; the authority for collecting the information; the fact that participation is voluntary; the fact that identity and authority information must be provided and verified before a certificate will be issued; the fact that the information provided is covered by the Privacy Act and the Computer Security Act; the routine uses that will be made of the information being provided; the limitations on the uses of the information being provided; the procedures to be followed for requesting access to the individual's own records; and the possible consequences of failing to provide all or part of the required information or intentionally providing false information.
- Written notification in response to an individual's request to be advised if the system contains a record pertaining to him/her.
- Written notification to an individual when any record on the individual is made available to any person under compulsory legal process when such process becomes a matter of public record.
- Written notification of the right to appeal to GSA by any individual on any dispute concerning the accuracy of his/her record.
Record Access Procedures:
GSA ACES contractors will provide notification of, access to, review of, or copies of an individual's record upon his/her request as required by the Privacy Act.
Contesting Record Procedures:
GSA ACES contractors will amend an individual's record upon his/her written request, as required by the Privacy Act and GSA's implementing regulations, 41 CFR part 105-64. If the ACES contractor determines that an amendment is inappropriate, the contractor shall submit the request to the System Manager for a determination by GSA whether to grant or deny the request for amendment and direct response to the requester.
Record Source Categories:
The sources for information in the system are the individuals who apply for digital signature certificates, GSA ACES contractors using independent sources to verify identities, and internal system transactions designed to gather and maintain data needed to manage and evaluate the ACES program.
Exemptions Claimed for the System: