In accordance with the Privacy Act of 1974, the Commodity Futures Trading Commission (CFTC or Commission) is establishing a new Privacy Act system of records titled “CFTC-59, Insider Risk Program Records.” This system of records contains information that the Commission collects, maintains, and uses to administer its Insider Risk program and to detect, deter, and mitigate risks to individuals, facilities, information, equipment, networks, and systems within the CFTC. This newly established system of records will be included in the CFTC's inventory of record systems.
DATES:
This system of records, including the routine uses, is effective June 15, 2026. Please submit comments on or before June 5, 2026.
ADDRESSES:
You may submit comments, identified as pertaining to CFTC-59 Insider Risk Program, by any of the following methods:
1. Under Refine Documents Results—check the box to “Only show documents open for comment”;
2. Under Agency—select “See More” and check the box for “Commodity Futures Trading Commission,” then press the Apply button;
3. Identify this proposal in the list of CFTC documents open for comment, press the “Comment” button to open the submission form, and follow the instructions on the form.
Alternatively, if you are viewing this proposal on www.federalregister.gov, click the “Submit A Public Comment” button at the top of the page to open the comment form. Follow the instructions on the form to submit your comment to Regulations.gov.
Mail:
Send to—Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
Hand Delivery/Courier:
Address to—CFTC Comment Submission, Attn: Christopher Kirkpatrick, Secretary of the Commission, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
Please submit your comments using only one of these methods. To avoid possible delays with mail or in-person deliveries, submissions through Regulations.gov are encouraged.
All comments must be submitted in English or, if not, accompanied by an English translation. Do not include in your comment text or attachments any personal identifying information or business information that you do not want published online. Comments (regardless of submission method) will be published without review for, and without removal of, any personal identifying information or information your business may consider confidential.
If you wish to submit confidential information for the Commission's consideration, please contact the CFTC personnel listed in this Notice under FOR FURTHER INFORMATION CONTACT before making any submission. Please also carefully review the Commission's procedures in 17 CFR 145.9 for requesting confidential treatment under the Freedom of Information Act (FOIA) of information submitted to the Commission.
The CFTC reserves the right, but shall have no obligation, to review, pre-screen, filter, or redact all or any part of your comment submission. The CFTC also reserves the right, without further notification, to refuse to publish or to remove from public view all or any part of your submission to the extent it contains content inappropriate for publication in a comment file, such as—without limitation—obscene language, threats of violence, solicitations for commercial sales or illegal activity, or obvious spam. If a submission that is refused for or withdrawn from publication because of inappropriate content also contains comments on the merits of this proposal, such submission will be retained in the record for the matter and will be considered as required under the Administrative Procedure Act and other applicable laws, and may be accessible under the FOIA.
FOR FURTHER INFORMATION CONTACT:
Kellie Cosgrove Riley, Chief Privacy Officer, privacy@cftc.gov, (202) 418-5610, Office of the General Counsel, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
SUPPLEMENTARY INFORMATION:
In accordance with the Privacy Act of 1974, 5 U.S.C. 552a, the Commodity Futures Trading Commission (CFTC or Commission) is establishing a new system of records titled “CFTC-59, Insider Risk Program Records.” The Commission recently established an Insider Risk Program responsible for detecting insider risks; preventing insider risks by establishing a secure operating environment that protects individuals, facilities, information, equipment, networks, and information systems; responding to insider risks; and implementing response measures. An Insider is any person who has or had authorized access to or knowledge of the CFTC's resources, including employees, facilities, information, equipment, networks, and systems. An Insider Risk is a risk that an insider will use their authorized access, wittingly or unwittingly, to harm the security of organizational operations and assets, individuals, other organizations, or the Nation. This risk or threat can include damage through espionage, terrorism, unauthorized disclosure, or through the loss or degradation of organizational resources or capabilities. An Insider Risk may be identified through examination of network activity or other logs that reveal an individual's access to information the individual does not have a need-to-know; access to physical spaces or the network at hours outside of normal work habits/hours; out-of-the-ordinary downloading, printing, or emailing of large volumes of materials; or other identified anomalies in an individual's workplace behavior.
The Commission's Insider Risk Program is made up of an Insider Risk Response Team within the CFTC's Cyber and Physical Security Branch and an Insider Risk Working Group, which includes representatives from a small number of CFTC stakeholder offices, that reviews and approves the activities of the Insider Risk Response Team. The Insider Risk Program collects information about individuals who pose a potential or actual Insider Risk in the course of investigating and mitigating that risk. This includes information from a variety of sources, including via the use of network monitoring tools, from CFTC employees who report suspected or potential insider risk activity, and from various records maintained by the Commission or by others, such as personnel records, incident reports, disciplinary records, access and print logs, and physical security records. The Insider Risk Program records are generally not intended to be disclosed outside of the Commission and, therefore, the routine uses in the SORN are limited to those instances where disclosure is necessary for, e.g., litigation, law enforcement, breach response, obtaining information relevant to an insider risk investigation, and to meet audit and records requirements.
This newly established system of records will be included in CFTC's inventory of record systems. In accordance with 5 U.S.C. 552a(r), the CFTC has provided a report of this system of records to the Office of Management and Budget and to Congress. In addition, the CFTC is issuing a Notice of Proposed Rulemaking to exempt this system of records from certain provisions of the Privacy Act elsewhere in the Federal Register.
SYSTEM NAME AND NUMBER:
Insider Risk Program Records, CFTC-59.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
The Cyber Security Section, Cyber and Physical Security Branch, Division of Administration in the CFTC office at Three Lafayette Centre, 1155 21st Street NW, Washington, DC, is responsible for the collection and maintenance of the records in this system of records.
SYSTEM MANAGER(S):
Deputy Chief Information Security Officer, Cybersecurity Section, Cyber and Physical Security Branch, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
Authority for the maintenance of this system of records is derived from Executive Order 13587, Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information, from 15 U.S.C. 278g-3, Computer standards program, and from threat- and risk-related procedural requirements indicated in National Institute of Standards and Technology Special Publication 800-53, Rev. 5, Security and Privacy Controls for Information Systems and Organizations.
PURPOSE(S) OF THE SYSTEM:
The purpose of this system of records is to detect, deter, and mitigate insider risks and to protect individuals, facilities, information, equipment, networks, and systems from insider risks. The records in this system of records will be used to manage insider risk inquiries and complaints; identify and track potential insider risks to the CFTC; manage referrals of potential insider risks to and from external partners; facilitate the creation of statistical reports and meet any insider risk reporting requirements; and support the identification of systemic insider risk issues and challenges to develop solutions for detecting, deterring, and mitigating those challenges.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
CFTC employees, contractors, and any other individuals who have or had been granted access to CFTC facilities and networks.
CATEGORIES OF RECORDS IN THE SYSTEM:
The records in this system of records include all information collected in the context of investigating a potential or actual insider risk. That information may include:
Name, including alias(es) and former names.
Physical mailing addresses.
Email addresses.
Phone numbers.
Sex.
Height and weight.
Hair and eye color.
Biometric data (e.g., fingerprints, iris scans).
Other distinguishing physical attributes.
Race, national origin, and ethnicity.
Citizenship.
Date and place of birth.
Social Security number.
Driver license number(s).
Vehicle Identification Number(s).
License plate number(s).
Passport number(s).
Personal Identity Verification (PIV) information.
Other unique identifiers.
Education history.
Work history.
Performance information and evaluations.
Background investigation reports and supporting documentation.
Briefing and debriefing statements for special programs and sensitive positions.
Courier authorization requests.
Current and former clearance status(es).
Document control registries.
Facility access records.
CCTV footage.
Nondisclosure agreements.
Records reflecting personal and official foreign travel.
Requests for access to proprietary, sensitive, or Controlled Unclassified Information (CUI).
Time and attendance information.
Drug test results.
Incident reports.
Individuals' statements or affidavits and correspondence.
Investigative records of a criminal, civil, or administrative nature.
Letters, emails, memoranda, and reports.
Records obtained from the Intelligence Community, law enforcement partners, or from other agencies or organizations as collaborators.
User Activity Monitoring records.
Financial records obtained from Financial Crimes Enforcement Network.
RECORD SOURCE CATEGORIES:
Records in this system of records are obtained from a variety of sources, to include software that monitors users' activity on the CFTC computer network; individuals or their employers; CFTC offices and divisions; public open-source platforms; and other federal, state, or local government or private sector entities. Records in this system of records may also be obtained from individuals who report insider risks to the Insider Risk Program.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside of the Commission as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
a. To the Department of Justice when:
(i) the Commission, or any component thereof; or
(ii) any employee of the Commission in their official capacity; or
(iii) any employee of the Commission in their individual capacity where the Department of Justice has agreed to represent the employee; or
(iv) the United States, where the Commission determines that litigation is likely to affect the Commission or any of its components,
is a party to litigation or has an interest in such litigation, and the use of such records by the Department of Justice is deemed by the Commission to be relevant and necessary to the litigation.
b. In a proceeding before a court or adjudicative body before which the Commission is authorized to appear, during a proceeding before that court or adjudicative body, when:
(i) the Commission, or any component thereof; or
(ii) any employee of the Commission in his or her official capacity; or
(iii) any employee of the Commission in his or her individual capacity where the Commission has agreed to represent the employee; or
(iv) the United States, where the Commission determines that litigation is likely to affect the Commission or any of its components,
is a party to litigation or has an interest in such litigation, and the Commission determines that use of such records is relevant and necessary to the litigation.
c. To the appropriate federal, state, local, territorial, tribal, or foreign law enforcement authority or other appropriate entity, when a record, either alone or in conjunction with other information, indicates a violation or potential violation of law—whether criminal, civil, or regulatory in nature—and the authority or entity to whom the record is disclosed is charged with the responsibility for investigating or prosecuting such violation or is charged with enforcing or implementing such law.
d. To the National Archives and Records Administration (NARA) for records management inspections being conducted under the authority of 44 U.S.C. 2904 and 2906.
e. To contractors, grantees, experts, consultants, or volunteers performing or working on a contract, service, grant, cooperative agreement, or other assignment for the Commission when necessary to accomplish a Commission function related to this system of records.
f. To a member of Congress from the record of an individual in response to an inquiry made at the request of the individual to whom the record pertains, but only to the extent that the record would be legally accessible to that individual.
g. To appropriate agencies, entities, and persons when (1) the Commission suspects or has confirmed that there has been a breach of the system of records, (2) the Commission has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Commission (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Commission's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
h. To another Federal agency or Federal entity, when the Commission determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
i. To any third party when the Commission determines that the third party has or potentially has relevant information about the subject of an insider risk investigation, but only those records necessary to identify the individual and obtain information pertinent to the investigation.
j. To the National Insider Threat Task Force (NITF) for the purpose of conducting an audit of the Insider Risk Program pursuant to Executive Order 13587, Sections 6.3(f) and 7(d), but only to the extent necessary to meet the parameters of the audit.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
The records in this system are maintained electronically or on paper in secure facilities and available only to those with a business need to know. Electronic records are stored on the Commission's secure network and access is controlled via role-based permissions.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
The records in this system are retrieved by an individual's name or associated case file number, email address, computer assigned identification number, business affiliation, event name, or other personal identifier.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
The records in this system are maintained and disposed of in accordance with the National Archives and Records Administration (NARA) General Records Schedule GRS 5.6 Security Management Records, specifically items 210 Insider threat administrative and operations records, 220 Insider threat inquiry records, and 230 Insider threat information. All electronic records, files, and data are destroyed either by physical destruction of the electronic storage media or by erasure of the data. Any paper records are disposed of by shredding.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Records are protected from unauthorized access and improper use and disclosure through administrative, technical, and physical security measures employed by the CFTC. Administrative safeguards include maintenance of written policies, standards, and procedures reinforced by training and periodic auditing. Technical security safeguards include restrictions on computer access to authorized individuals who have a legitimate need to know the information, required use of strong passwords that are frequently changed, multi-factor authentication for remote access and access to many network components, use of encryption for certain data types and transfers, and firewalls and intrusion detection applications. Physical safeguards include restrictions on building access to authorized individuals, use of security guard services, and video surveillance.
RECORD ACCESS PROCEDURES:
The Commission has exempted this system of records from the access provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2) and subject to the limitations and requirements therein. However, the Commission will consider individual requests for access and determine on a case-by-case basis whether the records may be released. Individuals seeking access to records about themselves in this system should address written inquiries to the Office of the General Counsel, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
See 17 CFR 146.3 for full details on what to include in a Privacy Act access request.
CONTESTING RECORD PROCEDURES:
The Commission has exempted this system of records from the notification, access, and amendment provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2) and subject to the limitations and requirements therein. Individuals contesting the content of records about themselves contained in this system should address written inquiries to the Office of the General Counsel, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
See 17 CFR 146.8 for full details on what to include in a Privacy Act amendment request. The Commission will determine on a case-by-case basis whether to accept such a request.
NOTIFICATION PROCEDURES:
The Commission has exempted this system of records from the notification, access, and amendment provisions of the Privacy Act pursuant to 5 U.S.C. 552a(k)(2) and subject to the limitations and requirements therein. However, the Commission will consider individual requests for notification and determine on a case-by-case basis whether to provide the requested notification. Individuals seeking notification of any records pertaining to themselves contained in this system should address written inquiries to the Office of the General Counsel, Commodity Futures Trading Commission, Three Lafayette Centre, 1155 21st Street NW, Washington, DC 20581.
See 17 CFR 146.3 for full details on what to include in a Privacy Act notification request.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
The Commission, pursuant to 5 U.S.C. 552a(k)(2) and subject to the limitations and requirements set forth therein, has exempted this system of records from the following provisions of the Privacy Act: (c)(3); (d); (e)(1); (e)(4)(G), (H), and (I); and (f). To the extent a record contains information from other systems of records to which additional exemptions apply, the Commission will also recognize and apply those exemptions.
HISTORY:
None.
Issued in Washington, DC, on May 4, 2026, by the Commission.
91 FR 24525
“Privacy Act of 1974; System of Records,” thefederalregister.org (May 6, 2026), https://thefederalregister.org/documents/2026-08978/privacy-act-of-1974-system-of-records.