[Federal Register Volume 89, Number 20 (Tuesday, January 30, 2024)]
[Notices]
[Pages 5926-5928]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-01765]


-----------------------------------------------------------------------

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

[Docket No. FR-7092-N-12]


Privacy Act of 1974; System of Records

AGENCY: Office of Chief Information Officer (OCIO) and Infrastructure 
and Operations (IOO), HUD.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, as 
amended, the Department of Housing and Urban Development (HUD), 
Office of Chief Information Officer (OCIO) and Infrastructure and 
Operations (IOO) is issuing a public notice of its intent to create a 
Privacy Act System of Records titled ``Active Directory (a component of 
the Local Area Network (LAN) File Server system--LFS)''. The purpose of 
the LFS is to provide the infrastructure needed to support internal HUD 
systems locally at all HUD locations. This technology includes Active 
Directory. Active Directory (AD) stores information about objects on 
the network and makes this information easy for administrators and 
users to find and use. Active Directory uses a structured data store as 
the basis for a logical, hierarchical organization of directory 
information. The information in Active Directory originates from the 
Digital Identity and Access Management System (DIAMS).

DATES: Comments will be accepted on or before February 29, 2024. This 
proposed action will be effective on the date following the end of the 
comment period unless comments are received which result in a contrary 
determination.

ADDRESSES: You may submit comments, identified by docket number or by 
one of the following methods:
    Federal e-Rulemaking Portal: https://www.regulations.gov. Follow 
the instructions provided on that site to submit comments 
electronically.
    Fax: 202-619-8365.
    Email: [email protected].
    Mail: Attention: Privacy Office; LaDonne White, Chief Privacy 
Officer; Office of the Executive Secretariat; 451 Seventh Street SW, 
Room 10139; Washington, DC 20410-0001.
    Instructions: All submissions received must include the agency name 
and docket number for this rulemaking. All comments received will be 
posted without change to https://www.regulations.gov, including any 
personal information provided.
    Docket: For access to the docket to read background documents or 
comments received go to http://www.regulations.gov.

FOR FURTHER INFORMATION CONTACT: LaDonne White; 451 Seventh Street SW, 
Room 10139; Washington, DC 20410-0001; telephone number 202-708-3054 
(this is not a toll-free number). HUD welcomes and is prepared to 
receive calls from individuals who are deaf or hard of hearing, as well 
as individuals with speech or communication disabilities. To learn more 
about how to make an accessible telephone call, please visit https://www.fcc.gov/consumers/guides/telecommunications-relay-service-trs.

SUPPLEMENTARY INFORMATION: HUD maintains the Active Directory (AD) 
system of records. Active Directory Domain Services (ADDS) is the 
foundation of every Windows domain network. It stores information about 
domain members, including devices and users, verifies their 
credentials, and defines their access rights. The server running this 
service is called a domain controller. A domain controller is contacted 
when a user logs into a device, accesses another device across the 
network, or runs a line-of-business Metro-style app sideloaded into a 
machine. Other Active Directory services and most Microsoft server 
technologies rely on or use Domain Services.

SYSTEM NAME AND NUMBER:
    Active Directory (a component of P209 LAN File Server) HUD/CIO-03.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Records are maintained at the U.S. Department of Housing and Urban 
Development, 451 7th Street SW, Washington, DC 20410-1000. HUD Data 
Center locations include the Mid-Atlantic Data Center at 250 Burlington 
Drive, Clarksville, Virginia 23927, and the Stennis Data Center at 9300 
Building Complex, Stennis, Mississippi 35929.

SYSTEM MANAGER(S):
    Jacquelyn Rosales, Network Services Branch Chief, Unified 
Communication Services Division, 451 7th Street SW, Washington DC, 
20410-1000.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Information Technology Management Reform Act of 1996 (Pub. L. 
104-106, 40 U.S.C. 11101 et seq.), E-Government Act (Pub. L. 107-347, 
sec. 203, 44 U.S.C. 3501 note), Federal Information Security Management 
Act, as amended (Pub. L. 107-347, 44 U.S.C. 3554), Paperwork Reduction 
Act of 1995 (Pub. L. 104-13, 44 U.S.C. 3501 et seq.), Government Paperwork 
Elimination Act (Pub. L. 105-277, Title XVII, 44 U.S.C. 3504), Homeland 
Security Presidential Directive 12 (HSPD-12), Policy for a Common 
Identification Standard for Federal Employees and Contractors, August 
27, 2004, OMB Circular No. A-130, Managing Information as a Strategic 
Resource (7/28/2016), OMB Memo M-05-24, and Executive Order 13636--
Improving Critical Infrastructure Cyber Security (February 12, 2013).

PURPOSE(S) OF THE SYSTEM:
    The purpose of the LAN File Server (LFS) is to provide the 
infrastructure needed to support internal HUD systems locally at all 
HUD locations. This technology includes Active Directory. Active 
Directory stores information about objects on the network and makes 
this information easy for administrators and users to find and use. 
Active Directory uses a structured data store as the basis for a 
logical, hierarchical organization of directory information. This data 
store, also known as the directory, contains information about Active 
Directory objects. These objects typically include shared resources 
such as servers, volumes, printers, and the network user and computer 
accounts.
    A. Supports the provision of user accounts and authenticates users 
to HUD enterprise Web applications for non-dual personal personnel with 
HUD's Personal Identity Verification (PIV)--Authentication (Auth) 
certificate.
    B. Provides an Enterprise-wide hierarchical directory structure 
designed to employ greater centralization and standardization of 
network management for user data, security, and distributed resources 
and services across the HUD Enterprise; and
    C. Synchronizes with HUD's Azure Active Directory instance for the 
purpose of Microsoft Azure Cloud Service collaboration, wherein HUD 
employees and contractors use cloud applications available in the 
Microsoft 365 application suite.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Current HUD employees and contractors.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Full Name, Work Phone Number, Work Email Address, and Unique User 
ID (e.g., H or C ID number), Device Identifier, and Internet Protocol 
(IP)/Media Access Control (MAC) Address of assigned Device Identifier 
(if applicable).

RECORD SOURCE CATEGORIES:
    The information originates from the Digital Identity and Access 
Management System (DIAMS) managed by HUD.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    1. To contractors, grantees, experts, consultants and their agents, 
or others performing or working under a contract, service, grant, 
cooperative agreement, or other agreement with HUD, when necessary to 
accomplish an agency function related to this system of record. 
Disclosure requirements are limited to only those data elements 
considered relevant to accomplishing an agency function.
    2. To contractors, experts and consultants with whom HUD has a 
contract, service agreement, assignment, or other agreement of the 
Department, when necessary to utilize relevant data for the purpose of 
testing new technology and systems designed to enhance program 
operations and performance.
    3. To appropriate agencies, entities, and persons when: (1) HUD 
suspects or has confirmed that there has been a breach of the system of 
records; (2) HUD has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, HUD (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with HUD's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    4. To another Federal agency or Federal entity, when HUD determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to suspected or 
confirmed breach, or (2) preventing, minimizing, or remedying the risk 
of harm to individuals, the recipient agency or entity (including its 
information systems, programs, and operations), the Federal Government, 
or national security, resulting from a suspected or confirmed breach.
    5. To appropriate Federal, State, local, tribal, or other 
governmental agencies or multilateral governmental organizations 
responsible for investigating or prosecuting the violations of, or for 
enforcing or implementing, a statute, rule, regulation, order, or 
license, where HUD determines that the information would assist in the 
enforcement of civil or criminal laws and when such records, either 
alone or in conjunction with other information, indicate a violation or 
potential violation of law.
    6. To a court, magistrate, administrative tribunal, or arbitrator 
in the course of presenting evidence, including disclosures to opposing 
counsel or witnesses in the course of civil discovery, litigation, 
mediation, or settlement negotiations, or in connection with criminal 
law proceedings; when HUD determines that use of such records is 
relevant and necessary to the litigation and when any of the following 
is a party to the litigation or have an interest in such litigation: 
(1) HUD, or any component thereof; or (2) any HUD employee in his or 
her official capacity; or (3) any HUD employee in his or her individual 
capacity where HUD has agreed to represent the employee; or (4) the 
United States, or any agency thereof, where HUD determines that 
litigation is likely to affect HUD or any of its components.
    7. To the National Archives and Records Administration, Office of 
Government Information Services (OGIS), to the extent necessary to 
fulfill its responsibilities in 5 U.S.C. 552(h), to review 
administrative agency policies, procedures, and compliance with the 
Freedom of Information Act (FOIA), and to facilitate OGIS' offering of 
mediation services to resolve disputes between persons making FOIA 
requests and administrative agencies.
    8. To a congressional office from the record of an individual, in 
response to an inquiry from the congressional office made at the 
request of that individual.
    9. To any component of the Department of Justice or other Federal 
agency conducting litigation or in proceedings before any court, 
adjudicative, or administrative body, when HUD determines that the use 
of such records is relevant and necessary to the litigation and when 
any of the following is a party to the litigation or has an interest in 
such litigation: (1) HUD, or any component thereof; or (2) any HUD 
employee in his or her official capacity; or (3) any HUD employee in 
his or her individual capacity where the Department of Justice or 
agency conducting the litigation has agreed to represent the employee; 
or (4) the United States, or any agency thereof, where HUD determines 
that litigation is likely to affect HUD or any of its components.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Electronic Records.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Full Name and HUD Network ID (H or C ID).

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Under General Records Schedule 3.2, System Access Records, items 
030 and 031. Item 030 applies to systems not requiring special 
accountability for access. Item 030 records can be destroyed when the 
business use ceases. Item 031 applies to systems requiring special 
accountability for access. Item 031 requires records to be destroyed/
deleted 6 years after the user account is terminated or password is 
altered, or when no longer required for business use, whichever is 
later. Backup and Recovery digital media will be destroyed or otherwise 
rendered irrecoverable per NIST SP 800-88, Rev. 1 ``Guidelines for 
Media Sanitization'' (December 2014).

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    PII is secured by cipher locks, combination locks, key cards, 
security guards, closed circuit TV and safes. Identification badges are 
required to ensure the records are not accessed and strict access 
controls are governed for electronic records using a user ID and 
password that require authentication before access is granted to Active 
Directory.

RECORD ACCESS PROCEDURES:
    Individuals requesting records of themselves should address written 
inquiries to the Department of Housing and Urban Development, 451 7th 
Street SW, Washington, DC 20410-0001. For verification, individuals 
should provide their full name, current address, and telephone number. 
In addition, the requester must provide either a notarized statement or 
an unsworn declaration made under 24 CFR 16.4.

CONTESTING RECORD PROCEDURES:
    The HUD rule for contesting the content of any record pertaining to 
the individual by the individual concerned is published in 24 CFR 16.8 
or may be obtained from the system manager.

NOTIFICATION PROCEDURES:
    Individuals requesting notification of records of themselves should 
address written inquiries to the Department of Housing and Urban 
Development, 451 7th Street SW, Washington, DC 20410-0001. For 
verification purposes, individuals should provide their full name, 
office or organization where assigned, if applicable, and current 
address and telephone number. In addition, the requester must provide 
either a notarized statement or an unsworn declaration made under 24 
CFR 16.4.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    N/A

HISTORY:
    N/A.

LaDonne White,
Chief Privacy Officer, Office of Administration.
[FR Doc. 2024-01765 Filed 1-29-24; 8:45 am]
BILLING CODE 4210-67-P