[Federal Register Volume 84, Number 195 (Tuesday, October 8, 2019)]
[Notices]
[Pages 53728-53730]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-21885]


-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[Notice-ID-2019-01; Docket No. 2019-0002; Sequence No. 27]


Privacy Act of 1974; System of Records

AGENCY: General Services Administration (GSA), Office of Government-
Wide Policy (OGP).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: GSA is publishing this system of records notice (SORN) as the 
new managing partner of the e-Rulemaking Program, effective October 1, 
2019. The e-Rulemaking Program includes the Federal Docket Management 
System (FDMS) and Regulations.gov. Regulations.gov allows the public to 
search, view, download, and comment on Federal agencies' rulemaking 
documents in one central location on-line. FDMS provides each 
participating Federal agency with the ability to electronically access 
and manage its own rulemaking dockets, or other dockets, including 
comments or supporting materials submitted by individuals or 
organizations. GSA is establishing the GSA/OGP-1, e-Rulemaking Program 
Administrative System to manage regulations.gov and partner agency 
access to the Federal Docket Management System (FDMS).

DATES: The System of Records Notice (SORN) is applicable on October 8, 
2019, with the exception of the routine uses. The routine uses will not 
be effective until November 7, 2019, pending public comment. Comments 
on the routine uses or other aspects of the SORN must be submitted by 
November 7, 2019.

ADDRESSES: Submit comments identified by ``Notice-ID-2019-01, Notice of 
a New System of Records'' by any of the following methods:
     Regulations.gov: https://www.regulations.gov. Submit 
comments via the Federal e-Rulemaking portal by searching for Notice-
ID-2019-01, Notice of New System of Records. Select the link ``Comment 
Now'' that corresponds with ``Notice-ID-2019-01, Notice of New System 
of Records.'' Follow the instructions provided on the screen. Please 
include your name, company name (if any), and ``Notice-ID-2019-01, 
Notice of New System of Records'' on your attached document.
     Mail: General Services Administration, Regulatory 
Secretariat Division (MVCB), 1800 F Street NW, Washington, DC 20405. 
ATTN: Ms. Mandell/Notice-ID-2019-01, Notice of New System of Records.

FOR FURTHER INFORMATION CONTACT: Call or email GSA's Chief Privacy 
Officer: telephone 202-322-8246, or email [email protected].

SUPPLEMENTARY INFORMATION: The e-Rulemaking Program has been managed by 
the Environmental Protection Agency (EPA). However, based on direction 
from the Office of Management and Budget (OMB), GSA will be the 
managing partner of the Program, effective October 1, 2019.
    GSA is assuming the role of managing partner and is establishing 
this system of records to support GSA's management of regulations.gov 
and partner agency access to FDMS. This notice describes how GSA, as 
managing partner, manages partner agencies' users' credentials. This 
system of records does not include records pertaining to agency 
rulemakings (e.g., comments received); partner agencies are responsible 
for any Privacy Act Notices relevant to their rulemaking materials.

Richard Speidel,
Chief Privacy Officer, Office of the Deputy Chief Information Officer, 
General Services Administration.

SYSTEM NAME AND NUMBER:
    GSA/OGP-1, e-Rulemaking Program Administrative System.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    National Computer Center in Research Triangle Park, North Carolina.

SYSTEM MANAGER(S):
    The system manager is the Associate Chief Information Officer of 
Corporate IT Services in GSA-IT. The business address is: General 
Services Administration--IC, 1800 F Street NW, Washington, DC 20405.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    e-Government Act of 2002, see 44 U.S.C. 3602(f)(6); see also id 
Sec.  3501, note.

[[Page 53729]]

PURPOSE(S) OF THE SYSTEM:
    The purpose of the e-Rulemaking Program Administrative System is to 
support GSA's management of regulations.gov and partner agency access 
to FDMS. FDMS is used by participating Federal agencies that conduct 
rulemakings and regulations.gov enables Federal agencies to accept 
public comments electronically. This system of records notice governs 
the records pertaining to GSA's issuance and management of user 
credentials to access FDMS.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Covered individuals are partner agency users who register to access 
FDMS including those agency users who serve as designated partner 
agency account managers.

CATEGORIES OF RECORDS IN THE SYSTEM:
    GSA maintains partner agencies' users' names, government issued 
email addresses, telephone numbers, and passwords as credentials. In 
addition, users provide their supervisor's name, telephone number, and 
government issued email address.

RECORD SOURCE CATEGORIES:
    The information in the system may be submitted by users and then 
approved by partner agencies' designated account manager or directly 
submitted and approved by a partner agency's designated account manager 
on behalf of a user.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or portions of the records or 
information contained in this system may be disclosed to authorized 
entities on a need to know basis outside GSA as a routine use pursuant 
to 5 U.S.C. 552a(b)(3) as follows:
    a. To an appropriate Federal, State, tribal, local, international, 
or foreign law enforcement agency or other appropriate authority 
charged with investigating or prosecuting a violation or enforcing or 
implementing a law, rule, regulation, or order, where a record, either 
on its face or in conjunction with other information, indicates a 
violation or potential violation of law, which includes criminal, 
civil, or regulatory violations.
    b. To the Office of Personnel Management (OPM), OMB, and the 
Government Accountability Office (GAO) in accordance with their 
responsibilities for evaluating Federal programs.
    c. To a Member of Congress or his or her staff in response to a 
request made on behalf of and at the request of the individual who is 
the subject of the record.
    d. To the Department of Justice or other Federal agency conducting 
litigation or in proceedings before any court, adjudicative or 
administrative body, when: (a) GSA or any component thereof, or (b) any 
employee of GSA in his/her official capacity, or (c) any employee of 
GSA in his/her individual capacity where DOJ or GSA has agreed to 
represent the employee, or (d) the United States or any agency thereof, 
is a party to the litigation or has an interest in such litigation, and 
GSA determines that the records are both relevant and necessary to the 
litigation.
    e. To the National Archives and Records Administration (NARA) for 
records management purposes.
    f. To an expert, consultant, or contractor of GSA in the 
performance of a Federal duty to which the information is relevant.
    g. In connection with any litigation or settlement discussions 
regarding claims by or against the GSA, including public filing with a 
court, to the extent that GSA determines the disclosure of the 
information is relevant and necessary to the litigation or discussions.
    h. To an appeal or grievance examiner, formal complaints examiner, 
equal opportunity investigator, arbitrator, or other authorized 
official engaged in investigation or settlement of matters and 
investigations involving the Merit Systems Protection Board or the 
Office of Special Counsel.
    i. To appropriate agencies, entities, and persons when (1) GSA 
suspects or has confirmed that there has been a breach of the system of 
records, (2) GSA has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, GSA (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with GSA's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    j. To another Federal agency or Federal entity, when GSA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.
    k. To a partner agency when GSA determines that information from 
this system of records is reasonably necessary to assist the recipient 
agency in managing its access to the system.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    User credentials and associated documentation are stored on secure 
servers approved by GSA Office of the Chief Information Security 
Officer (OCISO) and accessed only by authorized personnel.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The e-Rulemaking Program Administrative System retrieves partner 
agency user credentials using the government-issued email addresses.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records relating to user credentials are subject to GSA's Records 
Management Program and NARA-approved retention and disposal procedures. 
When a user account is terminated, records pertaining to that account 
are maintained for a period of 6 years before disposal.

ADMINISTRATIVE, TECHNICAL AND PHYSICAL SAFEGUARDS:
    The e-Rulemaking Program Administrative System is in a facility 
protected by physical walls, security guards, and requiring 
identification badges. Rooms housing the system infrastructure are 
locked, as are the individual server racks. All security controls are 
reviewed on a periodic basis by external assessors. The controls 
themselves include measures for access control, security awareness 
training, audits, configuration management, contingency planning, 
incident response, and maintenance.
    There are a limited number of GSA system administrator accounts for 
the e-Rulemaking Program Administrative System that allow GSA to manage 
regulations.gov and partner agency access to FDMS. Partner agency 
access to FDMS is managed through designated partner agency account 
managers, who in turn have access to the system to manage their own 
agency's user accounts within FDMS.
    Each designated partner agency account manager has access to FDMS. 
This level of access enables them to

[[Page 53730]]

establish, manage, and terminate user accounts limited to their own 
agency.
    The GSA system administrator accounts are an additional level of 
security and management in that they oversee all partner agency 
accounts, including both designated partner agency account managers and 
agency users. The GSA system administrator accounts require additional 
tokens that meet multi-factor authentication standards in accordance 
with National Institute of Standards and Technology (NIST) standards. 
The controls assist in restricting access to authorized users who 
require it for official business purposes. Records in FDMS are 
maintained in a secure, password protected electronic system that 
utilizes security hardware and software to include multiple firewalls, 
active intrusion detection, encryption, identification and 
authentication of users.

RECORD ACCESS PROCEDURES:
    Partner agency users can access and manage their user credentials 
through their designated partner agency account manager. If an access 
inquiry is not resolved by the designated partner agency account 
manager, the partner agency user may contact the GSA system manager 
listed above. Procedures for requesting access from GSA can be found at 
41 CFR part 105-64.4.

CONTESTING RECORD PROCEDURES:
    If partner agency users have questions or concerns about their 
account records, they can contact their designated partner agency 
account manager. If a question or concern is not resolved by the 
designated partner agency account manager, a partner agency user may 
contact the GSA system manager listed above. Procedures for contesting 
records stored by GSA can be found at 41 CFR part 105-64.4.

NOTIFICATION PROCEDURES:
    If partner agency users wish to receive notice about their account 
records, they can contact their designated partner agency account 
manager. If not resolved by the designated partner agency account 
manager, the partner agency user may contact the GSA system manager 
listed above. Procedures for requesting notice of records stored by GSA 
can be found at 41 CFR part 105-64.4.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    N/A.

[FR Doc. 2019-21885 Filed 10-7-19; 8:45 am]
BILLING CODE 6820-34-P