[Federal Register Volume 84, Number 112 (Tuesday, June 11, 2019)]
[Notices]
[Pages 27109-27112]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-12300]
=======================================================================
-----------------------------------------------------------------------
ENVIRONMENTAL PROTECTION AGENCY
[FRL-9995-01-OMS]
Privacy Act of 1974; System of Records
AGENCY: Office of Mission Support, Environmental Protection Agency.
ACTION: Notice of a new system of records.
-----------------------------------------------------------------------
SUMMARY: In accordance with the Privacy Act of 1974, as amended
(Privacy Act), the U.S. Environmental Protection Agency (EPA) is
providing notice of a new system of records, EPA ServiceNow (SNOW).
SNOW is a Cloud-Based Software as a Service (SaaS) Information
Technology Service Management platform used for agency incident and
problem management.
DATES: Persons wishing to comment on this system of records notice must
do so by July 11, 2019. New routine uses for this new system of records
will be effective July 11, 2019.
ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OEI-2018-0218, by one of the following methods:
Regulations.gov: www.regulations.gov Follow the online
instructions for submitting comments.
Email: [email protected].
Fax: 202-566-1752.
Mail: OMS Docket, Environmental Protection Agency, Mail
Code: 2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room
3334, 1301 Constitution Ave. NW, Washington, DC. Such deliveries are
only accepted during the Docket's normal hours of operation, and
special arrangements should be made for deliveries of boxed
information.
Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-
2018-0218. The EPA's policy is that all comments received will be
included in the public docket without change and may be made available
online at www.regulations.gov, including any personal information
provided, unless the comment includes information claimed to be
Controlled Unclassified Information (CUI) or other information for
which disclosure is restricted by statute. Do not submit information
that you consider to be CUI or otherwise protected through
www.regulations.gov. The www.regulations.gov website is an ``anonymous
access'' system for EPA, which means the EPA will not know your
identity or contact information unless you provide it in the body of
your comment. Each agency determines submission requirements within
their own internal processes and standards. EPA has no requirement of
personal information. If you send an email comment directly to the EPA
without going through www.regulations.gov your email address will be
automatically captured and included as part of the comment that is
placed in the public docket and made available on the internet. If you
submit an electronic comment, the EPA recommends that you include your
name and other contact information in the body of your comment. If the
EPA cannot read your comment due to technical difficulties and cannot
contact you for clarification, the EPA may not be able to consider your
comment. Electronic files should avoid the use of special characters,
any form of encryption, and be free of any defects or viruses. For
additional information about the EPA's public docket visit the EPA
Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.
Docket: All documents in the docket are listed in the
www.regulations.gov index. Although listed in the index, some
information is not publicly available, e.g., CUI or other information
for which disclosure is restricted by statute. Certain other material,
such as copyrighted material, will be publicly available only in hard
copy. Publicly available docket materials are available either
electronically in www.regulations.gov or in hard copy at the OMS
Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave.
NW, Washington, DC. The Public Reading Room is open from 8:30 a.m. to
4:30 p.m., Monday through Friday excluding legal holidays. The
telephone number for the Public Reading Room is (202) 566-1744, and the
telephone
[[Page 27110]]
number for the OMS Docket is (202) 566-1752.
FOR FURTHER INFORMATION CONTACT: Gloria Meriweather at
[email protected], (202) 566-0652.
SUPPLEMENTARY INFORMATION: EPA ServiceNow is a FedRAMP approved
(FedRAMP Package ID: F1305072116) Cloud Based Software as a Service
(SaaS) incident and problem management solution that will be replacing
the current EPA Remedy solution.
SYSTEM NAME AND NUMBER:
EPA ServiceNow (SNOW), EPA-78.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Office of Environmental Information, Environmental Protection
Agency, 1301 Constitution Ave., Washington, DC 20460.
SAIC Inc. 12010 Sunset Hills Road, Reston, VA 20190.
SYSTEM MANAGER(S):
Willie J. Abney, Division Director of Desktop Support Services
Division (DSSD), Office of Environmental Information, Office of
Information Technology Operations, 1301 Constitution Ave., Washington,
DC 20460 Email Address: [email protected] Phone Number: 202-566-
1366.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
5 U.S.C. 301 ``Departmental Regulations'', 8 U.S.C 1101, 1103,
1104, 1201, 1255, 1305, 1360; 44 U.S.C. 3101 ``Records Management by
Federal Agency Heads.''
PURPOSE(S) OF THE SYSTEM:
This system will collect limited personally identifiable
information (PII) from requestors (i.e., EPA employees, EPA
contractors, non-EPA government personnel, state and local government
personnel and/or private citizens), such as first and last name, that
will help EPA technical support teams provide individualized support
and other service-oriented activities in support of both internal
(i.e., EPA employees, EPA contractors) and external (i.e., non-EPA
government personnel, state and local government personnel and/or
private citizens) requestors. EPA technical support teams will also use
the information to provide support for EPA information technology (IT)
systems, assets, and other service-oriented activities including the
following:
Managing service request tickets
Retrieving incident information;
Troubleshooting issues
Managing IT assets
Conveying outage information across the enterprise
All PII associated with the activities listed are only available
and presented to internal (i.e., EPA employees, EPA contractors)
stakeholders who have a valid need-to-know. PII captured from external
requestors (i.e., non-EPA government personnel, state and local
government personnel and/or private citizens) is required and only used
for opening a trouble ticket on their behalf.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Categories of individuals covered by this system include EPA
employees, EPA contractors, non-EPA government personnel, state and
local government personnel and/or private citizens (i.e., requestors)
who request technical support by directly contacting the EPA Enterprise
IT Service Desk or EPA employees and contractors requesting support
using ServiceNow's self-help portal for opening support tickets,
external requestors requesting trouble tickets be opened for externally
facing EPA applications, EPA Enterprise IT Service Desk personnel or
EPA IT System Administrators (SA) working trouble or incident tickets,
and ServiceNow Administrators.
CATEGORIES OF RECORDS IN THE SYSTEM:
Information collected in system are First and Last Name; Work/
Business Address; Date; Work Number; Work Email Address; External Email
Address (for non-EPA government personnel including state and local
government personnel and/or private citizens); Employee LAN ID;
Employee Number.
RECORD SOURCE CATEGORIES:
Information contained in this system is obtained from data provided
directly from EPA employees and contractors via the EPA ServiceNow
self-help portal, from Enterprise IT Service Desk personnel who have
received technical support calls from requestors or pre-populated
fields captured from EPA Active Directory.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND PURPOSES OF SUCH USES:
The following new routine uses apply to this system because the use
of the record is necessary for the efficient conduct of government. The
routine uses are related to and compatible with the original purpose
for which the information was collected. The last two routine uses are
required under OMB M-17-12. Records in this system may be disclosed to
the following entities:
Disclosure for Law Enforcement Purposes.
Information may be disclosed to the appropriate Federal, State,
local, tribal, or foreign agency responsible for investigating,
prosecuting, enforcing, or implementing a statute, rule, regulation, or
order, if the information is relevant to a violation or potential
violation of civil or criminal law or regulation within the
jurisdiction of the receiving entity.
Disclosure Incident to Requesting Information.
Information may be disclosed to any source from which additional
information is requested (to the extent necessary to identify the
individual, inform the source of the purpose of the request, and to
identify the type of information requested,) when necessary to obtain
information relevant to an agency decision concerning retention of an
employee or other personnel action (other than hiring,) retention of a
security clearance, the letting of a contract, or the issuance or
retention of a grant, or other benefit.
Disclosure to Congressional Offices.
Information may be disclosed to a congressional office from the
record of an individual in response to an inquiry from the
congressional office made at the request of the individual.
Disclosure to Department of Justice.
Information may be disclosed to the Department of Justice, or in a
proceeding before a court, adjudicative body, or other administrative
body before which the Agency is authorized to appear, when:
[check] The Agency, or any component thereof;
[check] Any employee of the Agency in his or her official capacity;
[check] Any employee of the Agency in his or her individual
capacity where the Department of Justice or the Agency have agreed to
represent the employee; or
[check] The United States, if the Agency determines that litigation
is likely to affect the Agency or any of its components, is a party to
litigation or has an interest in such litigation, and the use of such
records by the Department of Justice or the Agency is deemed by the
Agency to be relevant and necessary to the litigation provided,
however, that in each case it has been determined that the disclosure
is compatible with the purpose for which the records were collected.
Disclosure to the National Archives.
Information may be disclosed to the National Archives and Records
Administration in records management inspections.
[[Page 27111]]
Disclosure to Contractors, Grantees, and Others.
Information may be disclosed to contractors, grantees, consultants,
or volunteers performing or working on a contract, service, grant,
cooperative agreement, job, or other activity for the Agency and who
have a need to have access to the information in the performance of
their duties or activities for the Agency.
Disclosures for Administrative Claims, Complaints and
Appeals.
Information from this system of records may be disclosed to an
authorized appeal grievance examiner, formal complaints examiner, equal
employment opportunity investigator, arbitrator or other person
properly engaged in investigation or settlement of an administrative
grievance, complaint, claim, or appeal filed by an employee, but only
to the extent that the information is relevant and necessary to the
proceeding. Agencies that may obtain information under this routine use
include, but are not limited to, the Office of Personnel Management,
Office of Special Counsel, Merit Systems Protection Board, Federal
Labor Relations Authority, Equal Employment Opportunity Commission, and
Office of Government Ethics.
Disclosure in Connection With Litigation.
Information from this system of records may be disclosed in
connection with litigation or settlement discussions regarding claims
by or against the EPA, including public filing with a court, to the
extent that disclosure of the information is relevant and necessary to
the litigation or discussions and except where court orders are
otherwise required under section (b)(11) of the Privacy Act of 1974, 5
U.S.C. 552a(b)(11).
Disclosure to Persons or Entities in Response to an actual
of Suspected Breach of Personally Identifiable Information.
To appropriate agencies, entities, and persons when (1) the Agency
suspects or has confirmed that there has been a breach of the system of
records, (2) the Agency has determined that as a result of the
suspected or confirmed breach there is a risk of harm to individuals,
the Agency (including its information systems, programs, and
operations), the Federal Government, or national security; and (3) the
disclosure made to such agencies, entities, and persons is reasonably
necessary to assist in connection with the Agency's efforts to respond
to the suspected or confirmed breach or to prevent, minimize, or remedy
such harm.
Disclosure to Assist Another Agency in its Efforts to
Respond to a Breach
To another Federal agency or Federal entity, when the Agency
determines that information from this system of records is reasonably
necessary to assist the recipient agency or entity in (1) responding to
a suspected or confirmed breach or (2) preventing, minimizing, or
remedying the risk of harm to individuals, the recipient agency or
entity (including its information systems, programs, and operations),
the Federal Government, or national security, resulting from a
suspected or confirmed breach.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
SNOW records are stored in a controlled access facility, inside of
a controlled area, using self-encrypting hard drives. ServiceNow, Inc.
has deployed a High-Availability architecture to ensure continuous
business operations for the ServiceNow platform. There are two data
centers supporting Government customers with one configured as the
active and the other as the standby. The active and standby facilities
are mirrored, which enables the standby to become the active site in
the event of a disaster. Both data centers are mirrors of each other,
and therefore they act as both an active and a standby facility. In
addition to the mirror backup between the two instances, a local backup
is kept at each site. Each local backup acts as the offsite backup for
their counterpart dedicated data center cage. Backups are performed on
disk through network-attached storage and are never written to tape. In
addition to backups within each dedicated data center cage facility, a
backup of each internal production instance is copied over to the
standby site (Disaster Recovery site).
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Records for EPA ServiceNow will be retrieved by customer first and
last name, email address or by ticket reference number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
SNOW follows the EPA Records Policy for retention and disposal, per
schedule 1012 (Information and Technology Management) and schedule 1049
(Information Access and Protection Records). https://www.epa.gov/records/epa-records-policy-and-guidance
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
ServiceNow is a Cloud-Based Software as a Service (SaaS) solution
designed to be accessed over the internet. As such, all remote
communication must be encrypted, use for non-business purposes is
prohibited and all users are required to be authorized. To verify that
a user is authorized, EPA ServiceNow customers and staff must have a
current valid EPA Active Directory account. External requestors (i.e.
non-EPA government personnel, state and local government personnel and/
or private citizens) will not have access to, as they are not
authorized, nor will be granted access to EPA ServiceNow. The records
in EPA ServiceNow are maintained in a secure, password-protected
computer system behind a network firewall. This system is located in a
controlled facility that requires the ServiceNow cloud providers to
have an authorized badge and biometrics prior to accessing the data
centers. ServiceNow users must log in with an authorized user ID and
password or Personal Identity Verification (PIV) card to access the
system. Group or shared accounts are not used by EPA ServiceNow
customers and support personnel. EPA ServiceNow customers and personnel
are prohibited from sharing accounts. Each user has a unique identifier
within Active Directory used for authentication. In addition to the
lock screen setting enforced by EPA on the desktop, EPA ServiceNow
implements session timeout period after 30 minutes of user inactivity.
RECORD ACCESS PROCEDURES:
Individuals seeking access to information in this system of records
about themselves should make a written request to the Agency Privacy
Officer, 1200 Pennsylvania Ave., Mailcode 2831T, Washington, DC 20460.
Requesters are required to provide adequate identification (e.g.,
driver's license, military identification card, employee badge or
identification card). Additional identity verification procedures may
be required, as warranted. Requests must meet the requirements of EPA
regulations that implement the Privacy Act of 1974, at 40 CFR part 16.
CONTESTING RECORD PROCEDURES:
Requests for correction or amendment must identify the record to be
changed and the corrective action sought to the Agency Privacy Officer,
1200 Pennsylvania Ave., Mailcode 2831T, Washington, DC 20460;
[email protected]. Complete EPA Privacy Act
[[Page 27112]]
procedures are set out in EPA's Privacy Act regulations at 40 CFR part
16.
NOTIFICATION PROCEDURE:
Any individual who wants to know whether this system of records
contains a record about themselves should submit a request to the
Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Avenue NW,
Washington, DC 20460 or [email protected].
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
Dated: April 12, 2019.
Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2019-12300 Filed 6-10-19; 8:45 am]
BILLING CODE 6560-50-P