DEPARTMENT OF TRANSPORTATION
Federal Aviation Administration
PRIVACY IMPACT ASSESSMENT
Aeronautical Center Security Management System (ACSMS)
May 10, 2010
Overview of the ACSMS
The Federal Aviation Act of 1958 gives the Federal Aviation Administration (FAA) the responsibility to carry out safety programs to ensure the safest, most efficient aerospace system in the world. The FAA is responsible for:
- Regulating civil aviation to promote safety;
- Encouraging and developing civil aeronautics, including new aviation technology;
- Developing and operating a system of air traffic control and navigation for both civil and military aircraft;
- Developing and carrying out programs to control aircraft noise and other environmental effects of civil aviation; and
- Regulating United States (U.S.) commercial space transportation.
One of the programs that helps the FAA fulfill these responsibilities is the Aeronautical Center Security Management System (ACSMS), which is used by security forces to authenticate individuals attempting to access the Aeronautical Center. The business functions provided by this Information System are:
- Temporary Access Badge creation. The system creates temporary access badges for federal personnel upon hire.
- Key inventory. The system maintains an inventory of magnetic and metal keys issued to personnel for access to varying parts of the facility.
- Parking Permit Tracking. The system tracks vehicle information associated with parking permits issued to federal employees and contractors.
- Visitor and vehicles not covered by permit tracking.
This system relates to the mission of the FAA by providing the Mike Monroney Aeronautical Center (MMAC) security forces the ability to verify the identity of individuals entering the facility which ensures that only authorized personnel are admitted.
Information, Including Personally Identifiable Information, in ACSMS
ACSMS collects information about federal employees and contractors who work or attend classes at the MMAC. This information system collects the following information:
- Social Security Number
- Legal Name (First, Middle, Last, Suffix)
- Date of Birth (DoB)
- Vehicle Information (e.g. License Plate Number, Make, Model, Color, etc.)
The PII source is the individual. Individuals fill out our documentation provided by MMAC [Spell out] Human Resources (HR) and/or MMAC [Spell out] Office of Security and Hazardous Materials (ASH) (AMC-700). This documentation is provided to the MMAC Security Forces for data entry into ACSMS.
Why ACSMS Collects PII Information
The FAA requires this information be stored in order to provide access to the MMAC campus by individuals. Parking permits are necessary to gain entry to the facility.
Key tracking is essential to ensure that only authorized personnel obtain keys to access buildings, etc., on the campus.
Legal Authority for Information Collection
The information is collected under the following:
5 U.S.C. 301
49 U.S.C. 322
How ACSMS Uses Information
The information collected by the system is used to create photo ID and issue and return parking permits and keys. It provides a ready concentration of employee personal data to facilitate issuance, accountability, and recovery of required identification media issued to employees and contractors.
An individual's information would be made unavailable in the event a record is archived due to specific events (e.g. retirement, termination, resignation) which would negate the need for identification media to access the facility. In the event a record is archived, it could be reconstituted from backup media. This activity would be prompted by the request of the Information System Owner (ISO) as the result of a request from AMC -700.
This Information System complies with the following System Of Record Notices:
- DoT/ALL 9 Identification Media Record System
- DoT/OST 035 Personnel Security Record System
How ACSMS Shares Information
PII contained in ACSMS is shared with the MMAC Security and Investigations Division (AMC-700 (ASH)) and Mike Monroney Aeronautical Center (MMAC) Security Forces members.
This information is utilized by AMC-700 to perform investigations, support litigation and validate personnel identity. Security Forces utilize the system to validate personnel identity, track parking stickers and access key cards.
Both entities access the application via workstation through the FAA intranet.
The PII information collected by this system is not shared with any other system.
How ACSMS Provides Notice and Consent 1
For an individual's PII to be included in the ACSMS, that individual must have interest in working at the MMAC campus.
Applicants are required to populate the DoT Form 1681, Identification Card/Credential Application as stated within the Privacy Act Notice section: The information on this form is requested under authority of Titles 5 and 49, USC; Title 32, CFR; and Title 40 USC 486c. Submission of all data is mandatory in order to receive DOT identification media.
Notice and consent for collection of the information is documented within the hard-copy form that both contractors and employees populate (Privacy Notice section of DoT 1681 (ID and Credential Application)). In the future, an electronic form DoT 1681 will be utilized. Users have the option of taking a 3-minute training which will include the Privacy Notice. Consent will be acknowledged by the applicant completing the electronic form. Also, there are two poster size statements posted in the area where the applicants complete the form. Only security forces members and AMC-700 (ASH) personnel have access to the system.
The full DoT form 1681 can be found at: https://employees.faa.gov/org/centers/mmac/documents/DOT_Form_1681.doc
How ACSMS Ensures Data Accuracy
All information input into the system is done manually by Security Forces members. The system utilizes data validation to ensure accuracy of data entered from the documentation. There are no other validation processes involved.
How ACSMS Provides Redress
Under the provisions of the Privacy Act, individuals may request searches of the ACSMS file to determine if any records have been added that may pertain to them. This is accomplished by contacting AMC-700. At the time of the contact, AMC-700 will determine what information or other procedures the individual will undergo to facilitate the search.
The system defines consumers as users in AMC-700 and Security Forces (FAA Contractors).
In the event the consumer has reason to believe there is a privacy-related issue, the consumer can contact the (Region and Center Operations) ARC Helpdesk who will, in turn, contact the application administrator. The application administrator will evaluate the issue and begin the process of notifying the ISO, Information Systems Security Officer (SSO) and AMC-700. Ultimately, this group will work together to redress any issues related to this system.
The consumers access the application through the FAA intranet at https:\\acsms.amc.faa.gov. Any personal information in the system can only be changed by specific user groups (see table in the How ACSMS Secures PII Information section of this document). Updates to the information are only performed in the event users change information requiring a new ID card for access to the campus.
In the event there is an issue with accessing the system, users can contact the ARC Help desk via telephone at 405.954.3000 (Option 3). The ARC helpdesk will contact the application administrator (or designated representative) who, in turn will work with the consumer to resolve the issue.
The FOIA representative for the ACSMS system is:
Brenda Bandy (MMAC Privacy Officer)
How ACSMS Secures PII Information
ACSMS takes appropriate security measures to safeguard PII and other sensitive data. The system is housed within the System Management Facility located at the MMAC. This location physically protects the system from access by unauthorized individuals through access via ID media to enter the campus and a man trap controlled by an access token provided only to personnel authorized access. The system resides on the FAA network and is only accessible by the intranet. All communications with the system are performed through an SSL connection. By virtue of residing on the network, the system is protected by MMAC IAP's firewalls and CSMC's owned and managed Intrusion Detection System (IDS). Additionally, the system is protected with localized, FAA approved anti-virus and spyware software. The application protects itself from threats, such as SQL Injection, through coding methods built in by the developers. For further information on how the system is secured, please refer to the C&A package. Remote access is only allowed from within the trusted network environment, utilizing Remote Desktop (RDP) and MMAC's internet access point (IAP) controlled Virtual Private Network (VPN).
In addition, ACSMS limits access to PII according to job function
How Long ACSMS Retains PII
Data in ACSMS is currently maintained under GRS 1, Item 37. All donation-related data is purged one year after the case closes.
ACSMS System of Records Notice (SORN)
ACSMS is a system of records subject to the Privacy Act as it is searched by Name and SSN.
The SORNs applicable to ACSMS are as follows:
DOT 11, Integrated Personnel and Payroll Systems, IPPS
DOT 19, Federal Personnel and Payroll Systems (FPPS)
OPM GOVT 10, Employee Medical File System Records
1- According to the Privacy Act of 1974, 5 U.S.C. 552a(b), "No agency shall disclose any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains [subject to 12 exceptions listed under subsection (b)(112)]."