Implementation of the Privacy Act of 1974, as Amended; New System of Records Notice, Digital Identity Access Management System

Federal Register, Volume 79 Issue 188 (Monday, September 29, 2014)

Federal Register Volume 79, Number 188 (Monday, September 29, 2014)

Notices

Pages 58372-58374

From the Federal Register Online via the Government Printing Office www.gpo.gov

FR Doc No: 2014-23117

-----------------------------------------------------------------------

DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT

Docket No. FR-5763-N-09

Implementation of the Privacy Act of 1974, as Amended; New System of Records Notice, Digital Identity Access Management System

AGENCY: Office of the Chief Information Officer.

ACTION: Notification.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the Privacy Act of 1974 (U.S.C. 552a (e)(4)), as amended, and Office of Management and Budget (OMB), Circular No. A-130, notice is hereby given that the Department of Housing and Urban Development (HUD), Office of the Chief Information Officer (OCIO) proposes to establish a new system of records, the Digital Identity Access Management System (DIAMS). DIAMS will manage core digital identification, credential and access management (ICAM) data elements. The system will support the administration of the Homeland Security Presidential Directive 12 (HSPD-12) program that directs the use of a common identification credential for both logical and physical access to Federally controlled facilities and information systems. This system will enhance security, increase efficiency, protect personal privacy, and provide synchronization of core identity management data for Departmental systems.

DATES: Effective Date: This action shall be effective without further notice on October 29, 2014 unless comments are received that would result in a contrary determination.

Comments Due Date: October 29, 2014.

ADDRESSES: Interested persons are invited to submit comments regarding this notice to the Rules Docket Clerk, Office of the General Counsel, Department of Housing and Urban Development, 451 Seventh Street SW., Room 10276, Washington, DC 20410-0500. Communication should refer to the above docket number and title. A copy of each communication submitted will be available for public inspection and copying between 8:00 a.m. and 5:00 p.m. weekdays at the above address.

FOR FURTHER INFORMATION CONTACT: Donna Robinson-Staton, Chief Privacy Officer, 451 Seventh Street SW., Washington, DC 20410 (Attention: Capitol View Building, 4th Floor), telephone number: (202) 402-8073. The above telephone number is not a toll free number. A telecommunications device for hearing- and speech-impaired persons (TTY) is available by calling the Federal Information Relay Service's toll-free telephone number (800) 877-8339.

SUPPLEMENTARY INFORMATION: This system of records is maintained by HUD's Office of the Chief Information Officer, and includes users of HUD's information technology personally identifiable information that is retrieved by a name or unique identifier. The new system encompasses programs and services of the Department's data collection and management practices. Publication of this notice allows HUD to satisfy its reporting requirement and keep an up-to-date accounting of its system of records publication. The new system proposal will incorporate Federal privacy requirements and HUD policy requirements. The Privacy Act provides certain safeguards for an individual against an invasion of personal privacy by requiring Federal agencies to protect records contained in an agency system of records from unauthorized disclosure, by ensuring that information is current and collected only for its intended use, and by providing adequate safeguards to prevent misuse of such information. Additionally, this notice demonstrates the Department's focus on industry best practices in protecting the personal privacy of the individuals covered by each system notification. This notice states the name and location of the record system, the authority for and manner of its operations, the categories of individuals that it covers, the type of records that it contains, the sources of the information for those records, the routine uses made of the records, and the type of exemption in place for the records. In addition, this notice includes the business address of the HUD officials who will inform interested persons of the procedures whereby they may gain access to and/or request amendments to records pertaining to them.

This publication does meet the threshold requirements for a new system and a report was submitted to the Office of Management and Budget (OMB), the Senate Committee on Homeland Security and Governmental Affairs, and the House Committee on Government Reform as instructed by Paragraph 4c of Appendix l to OMB Circular No. A-130, ``Federal Agencies Responsibilities for Maintaining Records About Individuals,'' July 25, 1994 (59 FR 37914).

Authority: 5 U.S.C. 552a; 88 Stat. 1896; 42 U.S.C. 3535(d).

Dated: September 19, 2014.

Rafael C. Diaz,

Chief Information Officer.

Docket No. FR-5763-N-09

SYSTEM OF RECORDS NO.:

OCIO/QN.01

SYSTEM NAME:

Digital Identity Access Management System (DIAMS)--P281

SYSTEM LOCATION:

U.S. Department of Housing and Urban Development, 451 Seventh Street SW., Washington DC 20410; Hewlett-Packard Enterprise Services, Building 6000, 2020 Union Carbide Drive, South Charleston, WV 25303. Backup, recovery, and archived digital media is stored in secure facilities located with Iron Mountain, 1545 Hansford St., Charleston, WV 25311. The DIAMS is accessible from all systems connected to the HUD Intranet nationwide at HUD Field and Regional offices. \1\

---------------------------------------------------------------------------

\1\ http://portal.hud.gov/hudportal/HUD?src=/localoffices

---------------------------------------------------------------------------

SECURITY CLASSIFICATION:

Most identity records are not classified. However, in some cases, records of a few individuals, or portions of some records, may potentially be classified in the interest of national security.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The following are covered by the DIAMS: all users of HUD information technology systems including HUD employees and supporting contractors, students, interns, volunteers; affiliates of, and users from, State and local governments, non-profit organizations, academia, and third party business partners. The system does not apply to occasional visitors or short-term guests to whom HUD will issue temporary identification and credentials.

CATEGORIES OF RECORDS IN THE SYSTEM:

DIAMS will collect and store the First Name, Last Name, Address, City, State, Country, Date of Birth, Social Security Number, Agency Rank, Agency, U.S. Citizen Status, User Principal Name (UPN), AD Identifier, Distinguished Name, Common Name, Display Name, User Password, Email Address and Unique User ID (e.g., H or C ID numbers).

Page 58373

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The authority for maintenance of the system and authorizes the collection of information is the Federal Information Processing Standards, 201 Personal Identity Verification (PIV) of Federal Employees and Contractors (44 U.S.C. 3542(b)(2)). Other governing laws and regulations for managing and processing Federal credentials are as follows: 5 U.S.C. 301; Federal Information Security Act (P.L.104-106, sec. 5113); Electronic Government Act (P.L. 104-347, sec. 203); Paperwork Reduction Act of 1995 (44 U.S.C. 3501); Government Paperwork Elimination Act (P.L. 105-277, 44 U.S.C. 3504); Homeland Security Presidential Directive 12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004; and Federal Property and Administrative Act of 1949, as amended OMB Circular No. A-130, Management of Federal Information Resources (11/28/

2000) and Federal Agency Responsibilities for Maintaining Records about Individuals, dated June 25, 1993 (58 FR 36075, July 2, 1993); OMB Memo M-05-24, Federal Information Systems Management Act of 2002; and Executive Order--Improving Critical Infrastructure Cyber Security (February 12, 2013).

PURPOSE(S):

DIAMS will provide centralized, automated functionality to manage the many digital identities that interact with HUD's information technology environment. DIAMS will provide a central repository and web-based portal that stores and allows central management of core digital identification, credential and access management (ICAM) data elements. DIAMS captures and stores information about persons and non-

person entities that are granted access into HUD's business applications. DIAMS also provides HUD with a platform to centrally and actively manage the identity life-cycle of persons and non-person entities from account creation through account removal. DIAMS will integrate with HUD's authoritative data sources including HUD's human resource management system, physical access control system including USAccess operated by the General Services Administration, personnel clearance system, and multiple internal Directory Services to ensure synchronization of identities across HUD's digital landscape. DIAMS will use batch files and IdM's (Identity Management's) connector to synchronize data from and to authorized data sources. The connection pipe will be secured with Public Key Infrastructure exchange. A feed from HUD's Human Resource (HR) system for employees and Sponsor initiation of Contractors in IdM will start the on-boarding process for a HUD Identity. The on-boarding process will require notifications to the responsible manager or sponsor during all stages of the workflow. During employment, application access will be requested through the IdM application provisioning and de-provisioning functions by authorized HUD personnel. When personnel are off-boarded, HR and Sponsors will initiate off-boarding disabling accounts and removing privileges.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES:

In addition to those disclosures generally permitted under 5 U.S.C. Section 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed outside HUD as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

1. To HUD contractors, grantees, or volunteers who have been engaged to assist the agency in the performance of a contract service, grant, cooperative agreement with HUD, when necessary to accomplish an agency function or other activity related to this system of records, limited to only those data elements considered relevant to accomplishing an agency function. Individuals provided information under this routine use is subject to the same Privacy Act requirements and limitations on disclosure as are applicable to HUD officers and employees;

2. To appropriate agencies, entities, and persons to the extent such disclosures are compatible with the purpose for which the records in this system were collected, as set forth by Appendix I \2\--HUD's Library of Routine Uses published in the Federal Register on (77 FR 41996, July 17, 2012);

   ---------------------------------------------------------------------------

   \2\ http://portal.hud.gov/hudportal/documents/huddoc?id=append1.pdf

   ---------------------------------------------------------------------------

3. To USAccess operated by the General Services Administration, personnel clearance system, and multiple internal Directory Services to ensure synchronization of identities across HUD's digital landscape. DIAMS will share UPN and Email with USAccess;

4. To appropriate agencies, entities, and persons when: a) HUD suspects or has confirmed that the security or confidentiality of information in a system of records has been compromised; b) HUD has determined that as a result of the suspected or confirmed compromise there is a risk of harm to economic or property interests, identity theft or fraud, or harm to the security or integrity of systems or programs (whether maintained by HUD or another agency or entity) that rely upon the compromised information; and c) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HUD's efforts to respond to the suspected or confirmed compromise and prevent, minimize, or remedy such harm for purposes of facilitating responses and remediation efforts in the event of a data breach;

5. To the National Archives and Records Administration (NARA) or to the General Services Administration for records management inspections conducted under 44 U.S.C. 2904 and 2906; and

6. To other agencies to notify them when a PIV Card is no longer valid. The full system of records notice covering categories of DIAMS with complete description of other routine uses was published in the Federal Register: GSA GOVT-7, Federal Personal Identity Verification Identity Management System (PIV IDMS), 71 FR 56983 (September 28, 2006).

   STORAGE:

   All data are stored at a secured data center on the production DIAMS database servers. Backup, recovery and archived digital media is stored in secure facilities located with Iron Mountain. There are no hardcopy records produced that require additional storage.

   RETRIEVABILITY:

   Personnel information within the system is retrieved based on Name, Date of Birth and Social Security Numbers (SSNs), HUD Network ID, Home Address, U.S. Citizenship. There are no hardcopy records produced that require additional retrieval.

   SAFEGUARDS:

   The data in DIAMs records are backed up regularly in accordance with HUD policy 4.3.9 as documented in HUD Handbook 2400.25 Rev.3, August 2013. Strict access controls are governed for electronic records by the use of a user ID and password that require authentication before access is granted to DIAMS. Multi-factor authentication, once implementation is completed will require the use of PIV cards to access the system. Personnel who have access to the data are vetted by Personnel Security Division prior to being granted

   Page 58374

   access to systems where sensitive Personally Identifiable Information (PII) resides, are provided PII training, and have access to all policies regarding PII and its safeguarding requirements. All database systems are housed in a secure data center that is protected by security personnel. Accessing computer systems within the data center requires appropriate credentials to physically enter the facility and access the systems. All data is protected via encryption both at rest and in motion. There are no hardcopy records produced that require additional protections.

   RETENTION AND DISPOSAL:

   Records retention and disposal are per Policy in HUD Handbook 2225.6 Rev 1 HUD Records Disposition Schedules Handbook (2225.6) Under General Records Schedule 24, Information Technology Operations and Management Records, Section 6--User Identification, Profiles, Authorizations, and Password Files. Section 6 requires that files be destroyed/deleted 6 years after the user account is terminated or password is altered, or when no longer needed for investigative or security purposes, whichever is later. Backup and Recovery digital media will be destroyed or otherwise rendered irrecoverable per NIST SP 800-88 ``Guidelines for Media Sanitization'' (September 2006). This complies with all Federal regulations. There are no hardcopy records produced that require additional archival.

   SYSTEM MANAGER(s) AND ADDRESS:

   Joseph Milazzo, Deputy Chief Information Officer for IT Operations, Department of Housing and Urban Development, 451 Seventh Street SW., Room 4178, Washington, DC 20410.

   NOTIFICATION AND RECORD ACCESS PROCEDURES:

   For Information, assistance, or inquiries about the existence of records, contact the Donna Robinson-Staton, Chief Privacy Officer, 451 Seventh Street SW. Washington, DC 20410 (Attention: Capitol View Building, 4th Floor), telephone number: (202) 402-8073. Verification of your identity must include original signature and be notarized. Written request must include the full name, Social Security Number, date of birth, current address, and telephone number of the individual making the request.

   CONTESTING RECORD PROCEDURES

   The Department's rules for contesting contents of records and appealing initial denials appear in 24 CFR Part 16. Additional assistance may be obtained by contacting: U.S. Department of Housing and Urban Development, Chief Privacy Officer, 451 Seventh Street SW., Washington, DC 20410 or the HUD Departmental Privacy Appeals Officers, Office of General Counsel, Department of Housing and Urban Development, 451 Seventh Street SW., Washington DC 20410.

   RECORD SOURCE CATEGORIES

   The source of DIAMS records are Internal and External both. Internally sourced records come from HUD's Human Resource Systems, HUD's Physical Access Control System commonly referred to as Hirsch Velocity, HUD's systems maintaining personnel security records, and HUD's multiple Directory Services including Active Directory. Externally sourced records are from the General Service Administration's USAccess system.

   SYSTEMS EXEMPTED FROM CERTAIN PROVIOSIONS OF THE ACT

   None.

   FR Doc. 2014-23117 Filed 9-26-14; 8:45 a.m.

   BILLING CODE 4210-67-P