Privacy Act of 1974; System of Records

Issuing agencies

Abstract

The NCSC is revising a system of records subject to the Privacy Act of 1974, as amended, 5 U.S.C. 552a, in order to (1) update the name to ODNI/NCSC--001, "Damage Assessment Records"; (2) update and modernize the administrative information; (3) clarify that the scope of the damage assessments is not limited to espionage or criminal violations but to actual or potential damage to national security resulting from the unauthorized disclosure or compromise of classified information; (4) clarify the categories of individuals covered by the system and records in the system to align with the lawful scope of damage assessments; and (5) clarify that portions of records, and not only final damage assessments, may be disclosed pursuant to the routine uses.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 148 (Tuesday, August 5, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 148 (Tuesday, August 5, 2025)]
[Notices]
[Pages 37571-37574]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-14825]


=======================================================================
-----------------------------------------------------------------------

OFFICE OF THE DIRECTOR OF NATIONAL INTELLIGENCE


Privacy Act of 1974; System of Records

AGENCY: National Counterintelligence and Security Center (NCSC), Office 
of the Director of National Intelligence (ODNI).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The NCSC is revising a system of records subject to the 
Privacy Act of 1974, as amended, 5 U.S.C. 552a, in order to (1) update 
the name to ODNI/NCSC--001, ``Damage Assessment Records''; (2) update 
and modernize the administrative information; (3) clarify that the 
scope of the damage assessments is not limited to espionage or criminal 
violations but to actual or potential damage to national security 
resulting from the unauthorized disclosure or compromise of classified 
information; (4) clarify the categories of individuals covered by the 
system and records in the system to align with the lawful scope of 
damage assessments; and (5) clarify that portions of records, and not 
only final damage assessments, may be disclosed pursuant to the routine 
uses.

DATES: Comments on this proposed modified system of records must be 
submitted by September 4, 2025. This modified System of Records Notice 
will go into effect thirty days after the date of publication in the 
Federal Register, unless changes are required as a result of public 
comment, per OMB A-108, Section 6(e).

ADDRESSES: You may submit comments by any of the following methods:
    Federal eRulemaking Portal: <a href="http://www.regulations.gov">http://www.regulations.gov</a>.
    Email: <a href="/cdn-cgi/l/email-protection#f783859699848796859299948eb793999ed9909881"><span class="__cf_email__" data-cfemail="daaea8bbb4a9aabba8bfb4b9a39abeb4b3f4bdb5ac">[email&#160;protected]</span></a>.
    Mail: Director, Information Management Office, Chief Operating 
Officer, Office of the Director of National Intelligence (ODNI), 
Washington, DC 20511.

SUPPLEMENTARY INFORMATION: This SORN was originally published on 28 
December 2007, as ``Damage Assessment Records'' (ONCIX/ODNI-001) by the 
Office of the National Counterintelligence Executive (ONCIX). ONCIX was 
established by the President and later codified in statute by the 
Counterintelligence Enhancement Act of 2002. Under the Intelligence 
Reform and Terrorism Prevention Act (IRTPA) of 2004, ONCIX became a 
component of the ODNI. On 1 December 2014, consistent with the 
authority of the Director of National Intelligence (DNI) to establish 
national intelligence centers to address intelligence priorities, the 
DNI established the National Counterintelligence and Security Center 
(NCSC) to effectively integrate and align counterintelligence and 
security mission areas and allow the DNI to address counterintelligence 
and security responsibilities under a single organizational construct. 
Following a period where NCSC fulfilled ONCIX's counterintelligence 
responsibilities, NCSC superseded ONCIX in statute in 2017; the 
Director of NCSC similarly superseded the role of the National 
Counterintelligence Executive (NCIX).
    The Director of NCSC serves as the head of national 
counterintelligence for the U.S. Government and is the principal 
substantive advisor to the DNI on counterintelligence issues. NCSC 
oversees and coordinates the production of strategic analysis of 
counterintelligence matters, including in-depth damage assessments that 
evaluate the actual or potential damage to national security resulting 
from the unauthorized disclosure or compromise of classified 
information.
    The system of records published herewith contains information about 
unauthorized disclosures, including acts of espionage or other national 
security-related crimes. Accordingly, to protect classified and 
sensitive law enforcement information, and to prevent the compromise of 
sources and methods, ODNI has published a rule (73 FR 16539 (Mar. 28, 
2008)) to exempt this system of records from certain portions of the 
Privacy Act and those records for which the source agency claimed 
exemption.
    The NCSC is revising this SORN in order to (1) update the name to 
ODNI/NCSC--001, ``Damage Assessment Records''; (2) update and modernize 
the administrative information; (3) clarify that the scope of the 
damage assessments is not limited to espionage or criminal violations 
but to actual or potential damage to national security resulting from 
the unauthorized disclosure or compromise of classified information; 
(4) clarify the categories of individuals covered by the system and 
records in the system to align with the lawful scope of damage 
assessments; and (5) clarify that portions of records, and not only 
final damage assessments, may be disclosed pursuant to the routine 
uses.

SYSTEM NAME AND NUMBER:
    ODNI/NCSC--001, ``Damage Assessment Records.''

SECURITY CLASSIFICATION:
    The classification of records in this system can range from 
UNCLASSIFIED to TOP SECRET.

SYSTEM LOCATION:
    Office of the Director of National Intelligence (ODNI), National 
Counterintelligence and Security Center (NCSC), Washington, DC 20511.

[[Page 37572]]

SYSTEM MANAGER(S):
    Assistant Director, Mission Capabilities Directorate, ODNI/NCSC, 
Washington, DC 20511.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Intelligence Reform and Terrorism Prevention Act of 2004, 
Public Law 108-458, 118 Stat. 3638; Consolidated Appropriations Act, 
2017, Public Law 115-31, 131 Stat. 817; The National Security Act of 
1947, 50 U.S.C. 3023 et seq., as amended; The Counterintelligence 
Enhancement Act of 2002, as amended; and Executive Order 12333, as 
amended.

PURPOSE(S) OF THE SYSTEM:
    The NCSC Damage Assessment Records System supports NCSC's 
responsibility to evaluate the actual or potential damage to national 
security resulting from an unauthorized disclosure of classified 
information.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals known or suspected to have committed an unauthorized 
disclosure or compromise of classified information, including those 
convicted of, or indicted for, espionage or other national security-
related crimes, and whose activities are the subject of an NCSC-led 
damage assessment; individuals whose identities and government 
affiliations are known or believed to have been compromised as a result 
of the unauthorized disclosure; individuals who are identified in 
records related to the unauthorized disclosure or compromise; 
individuals interviewed in association with the damage assessment, or 
individuals mentioned in such interviews, such as colleagues, friends, 
acquaintances, and family members of individuals known or suspected to 
have committed an unauthorized disclosure or compromise; and 
individuals who may have knowledge of facts surrounding the 
unauthorized disclosure or compromise.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Final and draft damage assessments; records about unauthorized 
disclosures or compromises of classified information and copies of 
records known or suspected of having been disclosed or compromised in 
an unauthorized manner, including law enforcement records (e.g., 
convictions, subpoenas, rap sheets); records of investigations 
conducted by the FBI or other law enforcement elements; records 
received in response to information requests to government agencies or 
entities pursuant to damage assessments; transcripts (including 
precursor records) of debriefings/interviews of individuals known or 
suspected to have committed an unauthorized disclosure or compromise, 
and with individuals who possess knowledge that may be relevant to the 
unauthorized disclosure or compromise; information about, and 
psychological assessment records/profiles and polygraph records of, 
individuals known or suspected to have committed an unauthorized 
disclosure or compromise; personal information and personally 
identifiable information (PII) (e.g., name, address, phone number, 
Social Security number (SSN), date of birth (DOB)) belonging to 
individuals known or suspected to have committed an unauthorized 
disclosure or compromise, or to other individuals interviewed in 
connection with an investigation of the disclosure/compromise or 
assessment of the damage.

RECORD SOURCE CATEGORIES:
    Records derived from human and record sources consulted in the 
course of investigating disclosure of classified information.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act of 1974, as amended, records or portions of 
records maintained in this system may be disclosed outside ODNI as a 
routine use pursuant to 5 U.S.C. 552a(b)(3) and in accordance with the 
following routine uses, including select routine uses published in the 
ODNI rule implementing the Privacy Act Subpart C of ODNI's Privacy Act 
Regulation published at 32 CFR part 1701 (73 FR 16531, 16541):
    (a) Except as noted on Standard Forms 85, 85P and 86 or the 
successor personnel vetting questionnaire and supplemental forms 
thereto (questionnaires for employment within the Federal government), 
a record that on its face or in conjunction with other information 
indicates or relates to a violation or potential violation of law, 
whether civil, criminal, administrative, or regulatory in nature, and 
whether arising by general statute, particular program statute, 
regulation, rule, or order issued pursuant thereto, may be disclosed as 
a routine use to an appropriate Federal, state, territorial, tribal, 
local law enforcement authority, foreign government, or international 
law enforcement authority, or to an appropriate regulatory body charged 
with investigating, enforcing, or prosecuting such violations.
    (b) A record from this system of records may be disclosed as a 
routine use, subject to appropriate protections for further disclosure, 
in the course of presenting information or evidence to an 
administrative law judge or to the presiding official of an 
administrative board, panel or other administrative body.
    (c) A record from this system of records may be disclosed as a 
routine use to representatives of the Department of Justice or any 
other entity responsible for representing the interests of ODNI in 
connection with potential or actual civil, criminal, administrative, 
judicial or legislative proceedings or hearings, for the purpose of 
representing or providing advice to: ODNI; any staff of ODNI in his or 
her official capacity; any staff of ODNI in his or her individual 
capacity where the staff has submitted a request for representation by 
the United States or for reimbursement of expenses associated with 
retaining counsel; or the United States or another Federal agency, when 
the United States or the agency is a party to such proceeding and the 
record is relevant and necessary to such proceeding.
    (d) A record from this system of records may be disclosed as a 
routine use in a proceeding before a court, magistrate, special master, 
or adjudicative body when any of the following is a party to litigation 
or has an interest in such litigation, and ODNI, Office of General 
Counsel, determines that use of such records is relevant and necessary 
to the litigation: ODNI; any staff of ODNI in his or her official 
capacity; any staff of ODNI in his or her individual capacity where the 
Department of Justice has agreed to represent the staff or has agreed 
to provide counsel at government expense; or the United States or 
another Department or agency (D/A), where ODNI, Office of General 
Counsel, determines that litigation is likely to affect ODNI.
    (e) A record from this system of records may be disclosed as a 
routine use to representatives of the Department of Justice and other 
U.S. Government entities, to the extent necessary to obtain advice on 
any matter within the official responsibilities of such representatives 
and the responsibilities of ODNI.
    (f) A record from this system of records may be disclosed as a 
routine use to a Federal, state or local agency or other appropriate 
entities or individuals from which/whom information may be sought 
relevant to: a decision concerning the hiring or retention of an

[[Page 37573]]

employee or other personnel action; the issuing or retention of a 
security clearance or special access, contract, grant, license, or 
other benefit; or the conduct of an authorized investigation or 
inquiry, to the extent necessary to identify the individual, inform the 
source of the nature and purpose of the inquiry, and identify the type 
of information requested.
    (g) A record from this system of records may be disclosed as a 
routine use to any Federal, state, local, tribal or other public 
authority, or to a legitimate agency of a foreign government or 
international authority to the extent the record is relevant and 
necessary to the other entity's decision regarding the hiring or 
retention of an employee or other personnel action; the issuing or 
retention of a security clearance or special access, contract, grant, 
license, or other benefit; or the conduct of an authorized 
investigation or inquiry, to the extent necessary to identify the 
individual, inform the source of the nature and purpose of the inquiry, 
and identify the type of information requested.
    (h) A record from this system of records may be disclosed as a 
routine use to any agency, organization, or individual for authorized 
audit operations, and for meeting related reporting requirements, 
including disclosure to the National Archives and Records 
Administration for records management inspections and such other 
purposes conducted under the authority of 44 U.S.C. 2904 and 2906, or 
successor provisions.
    (i) A record from this system of records may be disclosed as a 
routine use pursuant to Executive Order to the President's Foreign 
Intelligence Advisory Board, the President's Intelligence Oversight 
Board, to any successor organizations, and to any intelligence 
oversight entity established by the President, when the Office of the 
General Counsel or the Office of the Inspector General determines that 
disclosure will assist such entities in performing their oversight 
functions and that such disclosure is otherwise lawful.
    (j) A record from this system of records may be disclosed as a 
routine use to contractors, grantees, experts, consultants, or others 
when access to the record is necessary to perform the function or 
service for which they have been engaged by ODNI.
    (k) A record from this system of records may be disclosed as a 
routine use to any Federal D/A when documents or other information 
obtained from that D/A are used in compiling the record and the record 
is relevant to the official responsibilities of that D/A, provided that 
disclosure of the recompiled or enhanced record to the source agency is 
otherwise authorized and lawful.
    (l) A record from this system of records may be disclosed as a 
routine use for the purpose of conducting or supporting authorized 
``counterintelligence'' activities as defined by section 3(3) of the 
National Security Act of 1947, as amended, to elements of the 
``intelligence community'' as defined by section 3(4) of the National 
Security Act of 1947, as amended [definitions codified at 50 U.S.C. 
3003]; to the head of any Federal D/A; and to selected 
counterintelligence officers within the Federal government.
    (m) A record from this system of records may be disclosed as a 
routine use to a Federal, state, local, tribal, territorial, foreign, 
or multinational government agency or entity, or to other authorized 
entities or individuals, but only if such disclosure is undertaken in 
furtherance of responsibilities conferred by, and in a manner 
consistent with, the National Security Act of 1947, as amended; the 
Counterintelligence Enhancement Act of 2002, as amended; Executive 
Order 12333, as amended, or any successor order together with its 
implementing procedures approved by the Attorney General; and other 
provisions of law, including Executive Orders or directives relating to 
national intelligence or otherwise applicable to ODNI. This routine use 
is not intended to supplant the other routine uses published by ODNI.
    (n) A record from this system of records may be disclosed as a 
routine use to appropriate agencies, entities, and persons when: (1) 
ODNI suspects or has confirmed that there has been a breach of the 
system of records; (2) ODNI has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
ODNI (including its information systems, programs, and operations), the 
Federal government, or national security, and; (3) the disclosure made 
to such agencies, entities, and persons is reasonably necessary to 
assist in connection with ODNI's efforts to respond to the suspected or 
confirmed breach or to prevent, minimize, or remedy such harm.
    (o) A record from this system of records may be disclosed as a 
routine use to another Federal agency or Federal entity, when ODNI 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic records are stored in secure fileservers located in 
government-managed facilities on secure, private cloud-based systems 
that are connected only to a government network. Paper records are 
stored in secured areas of facilities within the control of the Federal 
government.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The records in this system are retrieved by name, Social Security 
number, or other unique identifier. Information may be retrieved from 
this system of records by automated capabilities used in the normal 
course of business. All searches of this system of records are 
performed by authorized executive branch personnel.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Pursuant to 44 U.S.C. 3303a(d) and 36 CFR Chapter 12, Subchapter B, 
Part 1228-Disposition of Federal Records, records will not be disposed 
of until such time as the National Archives and Records Administration 
(NARA) approves an applicable ODNI Records Control Schedule.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Information in this system is safeguarded in accordance with 
recommended and/or prescribed administrative, physical, and technical 
safeguards. Records are maintained in secure government-managed 
facilities with access limited to authorized personnel. Physical 
security protections include guards and locked facilities requiring 
badges and passwords for access.
    Records are accessed only by current government-authorized 
personnel whose official duties require access to the records. 
Electronic authorization and authentication of users is required at all 
points before any system information can be accessed. Communications 
are encrypted where required and other safeguards are in place to 
monitor and audit access, and to detect intrusions. System backup is 
maintained separately.

RECORD ACCESS PROCEDURES:
    As specified below, records in this system have been exempted from

[[Page 37574]]

certain notification, access, and amendment procedures. A request for 
access to non-exempt records shall be made in writing by email to 
<a href="/cdn-cgi/l/email-protection#b3fcf7fdfaecf5fcfaf2f3dcd7ddda9dd4dcc5"><span class="__cf_email__" data-cfemail="3f707b7176607970767e7f505b515611585049">[email&#160;protected]</span></a> or with the envelope and letter clearly marked 
``Privacy Act Request.'' Requesters shall provide their full name and 
complete address. The requester must sign the request and have it 
verified by a notary public or submit under 28 U.S.C. 1746, certifying 
the requester's identity and understanding that obtaining a record 
under false pretenses constitutes a criminal offense. Requests for 
access to information must be addressed to the Director, Information 
Management Office, Office of the Director of National Intelligence, 
Washington, DC 20511. Regulations governing access to one's records or 
for appealing an initial determination concerning access to records are 
contained in the ODNI regulation implementing the Privacy Act, 32 CFR 
part 1701 (73 FR 16531).

CONTESTING RECORDS PROCEDURES:
    As specified below, records in this system have been exempted from 
certain notification, access and amendment procedures. Individuals 
seeking to correct or amend non-exempt records should address their 
requests at the address and according to the requirements set forth 
above under the heading ``Record Access Procedures.'' Regulations 
regarding requests to amend, for disputing the contents of one's record 
or for appealing initial determinations concerning these matters are 
contained in the ODNI regulation implementing the Privacy Act, 32 CFR 
part 1701 (73 FR 16531).

NOTIFICATION PROCEDURES:
    As specified below, records in this system are exempt from certain 
notification, access, and amendment procedures. Individuals seeking to 
learn whether this system contains non- exempt information about them 
should address inquiries to ODNI at the address and according to the 
requirements set forth above under the heading ``Record Access 
Procedures.''

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    Records contained within this System of Records may be exempted 
from the requirements of subsections (c)(3); (d)(1),(2),(3),(4); (e)(1) 
and (e)(4),(G),(H),(I); and (f) of the Privacy Act pursuant to 5 U.S.C. 
552a(k)(1), and (k)(2). Records may be exempted from these subsections 
or, additionally, from the requirements of subsections (c)(4); 
(e)(2),(3),(5),(8)(12); and (g) of the Privacy Act consistent with any 
exemptions claimed under 5 U.S.C. 552a(j) or (k) by the originator of 
the record, provided the reason for protecting the record from 
disclosure remains valid and necessary.

HISTORY:
    This is a revision to an existing ODNI/NCSC system of records, 
ONCIX/NCSC-001, Damage Assessment Records, 72 FR 73898 (Dec. 28, 2007). 
In accordance with 5 U.S.C. 552(r), ODNI has provided a report of this 
revision to the Office of Management and Budget and to Congress.

    Dated: July 10, 2025.
Rebecca J. Richards,
Civil Liberties Protection Officer, Office of the Director of National 
Intelligence.
[FR Doc. 2025-14825 Filed 8-4-25; 8:45 am]
BILLING CODE 9500-01-P-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>