[Federal Register Volume 84, Number 112 (Tuesday, June 11, 2019)]
[Notices]
[Pages 27109-27112]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2019-12300]


=======================================================================
-----------------------------------------------------------------------

ENVIRONMENTAL PROTECTION AGENCY

[FRL-9995-01-OMS]


Privacy Act of 1974; System of Records

AGENCY: Office of Mission Support, Environmental Protection Agency.

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: In accordance with the Privacy Act of 1974, as amended 
(Privacy Act), the U.S. Environmental Protection Agency (EPA) is 
providing notice of a new system of records, EPA ServiceNow (SNOW). 
SNOW is a Cloud-Based Software as a Service (SaaS) Information 
Technology Service Management platform used for agency incident and 
problem management.

DATES: Persons wishing to comment on this system of records notice must 
do so by July 11, 2019. New routine uses for this new system of records 
will be effective July 11, 2019.

ADDRESSES: Submit your comments, identified by Docket ID No. EPA-HQ-
OEI-2018-0218, by one of the following methods:
     Regulations.gov: www.regulations.gov Follow the online 
instructions for submitting comments.
     Email: oei.docket@epa.gov.
     Fax: 202-566-1752.
     Mail: OMS Docket, Environmental Protection Agency, Mail 
Code: 2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
     Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 
3334, 1301 Constitution Ave. NW, Washington, DC. Such deliveries are 
only accepted during the Docket's normal hours of operation, and 
special arrangements should be made for deliveries of boxed 
information.
    Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-
2018-0218. The EPA's policy is that all comments received will be 
included in the public docket without change and may be made available 
online at www.regulations.gov, including any personal information 
provided, unless the comment includes information claimed to be 
Controlled Unclassified Information (CUI) or other information for 
which disclosure is restricted by statute. Do not submit information 
that you consider to be CUI or otherwise protected through 
www.regulations.gov. The www.regulations.gov website is an ``anonymous 
access'' system for EPA, which means the EPA will not know your 
identity or contact information unless you provide it in the body of 
your comment. Each agency determines submission requirements within 
their own internal processes and standards. EPA has no requirement of 
personal information. If you send an email comment directly to the EPA 
without going through www.regulations.gov your email address will be 
automatically captured and included as part of the comment that is 
placed in the public docket and made available on the internet. If you 
submit an electronic comment, the EPA recommends that you include your 
name and other contact information in the body of your comment. If the 
EPA cannot read your comment due to technical difficulties and cannot 
contact you for clarification, the EPA may not be able to consider your 
comment. Electronic files should avoid the use of special characters, 
any form of encryption, and be free of any defects or viruses. For 
additional information about the EPA's public docket visit the EPA 
Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.
    Docket: All documents in the docket are listed in the 
www.regulations.gov index. Although listed in the index, some 
information is not publicly available, e.g., CUI or other information 
for which disclosure is restricted by statute. Certain other material, 
such as copyrighted material, will be publicly available only in hard 
copy. Publicly available docket materials are available either 
electronically in www.regulations.gov or in hard copy at the OMS 
Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. 
NW, Washington, DC. The Public Reading Room is open from 8:30 a.m. to 
4:30 p.m., Monday through Friday excluding legal holidays. The 
telephone number for the Public Reading Room is (202) 566-1744, and the 
telephone

[[Page 27110]]

number for the OMS Docket is (202) 566-1752.

FOR FURTHER INFORMATION CONTACT: Gloria Meriweather at 
meriweather.gloria@epa.gov, (202) 566-0652.

SUPPLEMENTARY INFORMATION: EPA ServiceNow is a FedRAMP approved 
(FedRAMP Package ID: F1305072116) Cloud Based Software as a Service 
(SaaS) incident and problem management solution that will be replacing 
the current EPA Remedy solution.

SYSTEM NAME AND NUMBER:
    EPA ServiceNow (SNOW), EPA-78.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    Office of Environmental Information, Environmental Protection 
Agency, 1301 Constitution Ave., Washington, DC 20460.
    SAIC Inc. 12010 Sunset Hills Road, Reston, VA 20190.

SYSTEM MANAGER(S):
    Willie J. Abney, Division Director of Desktop Support Services 
Division (DSSD), Office of Environmental Information, Office of 
Information Technology Operations, 1301 Constitution Ave., Washington, 
DC 20460 Email Address: Abney.Willie@epa.gov Phone Number: 202-566-
1366.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    5 U.S.C. 301 ``Departmental Regulations'', 8 U.S.C 1101, 1103, 
1104, 1201, 1255, 1305, 1360; 44 U.S.C. 3101 ``Records Management by 
Federal Agency Heads.''

PURPOSE(S) OF THE SYSTEM:
    This system will collect limited personally identifiable 
information (PII) from requestors (i.e., EPA employees, EPA 
contractors, non-EPA government personnel, state and local government 
personnel and/or private citizens), such as first and last name, that 
will help EPA technical support teams provide individualized support 
and other service-oriented activities in support of both internal 
(i.e., EPA employees, EPA contractors) and external (i.e., non-EPA 
government personnel, state and local government personnel and/or 
private citizens) requestors. EPA technical support teams will also use 
the information to provide support for EPA information technology (IT) 
systems, assets, and other service-oriented activities including the 
following:
     Managing service request tickets
     Retrieving incident information;
     Troubleshooting issues
     Managing IT assets
     Conveying outage information across the enterprise
    All PII associated with the activities listed are only available 
and presented to internal (i.e., EPA employees, EPA contractors) 
stakeholders who have a valid need-to-know. PII captured from external 
requestors (i.e., non-EPA government personnel, state and local 
government personnel and/or private citizens) is required and only used 
for opening a trouble ticket on their behalf.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Categories of individuals covered by this system include EPA 
employees, EPA contractors, non-EPA government personnel, state and 
local government personnel and/or private citizens (i.e., requestors) 
who request technical support by directly contacting the EPA Enterprise 
IT Service Desk or EPA employees and contractors requesting support 
using ServiceNow's self-help portal for opening support tickets, 
external requestors requesting trouble tickets be opened for externally 
facing EPA applications, EPA Enterprise IT Service Desk personnel or 
EPA IT System Administrators (SA) working trouble or incident tickets, 
and ServiceNow Administrators.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Information collected in system are First and Last Name; Work/
Business Address; Date; Work Number; Work Email Address; External Email 
Address (for non-EPA government personnel including state and local 
government personnel and/or private citizens); Employee LAN ID; 
Employee Number.

RECORD SOURCE CATEGORIES:
    Information contained in this system is obtained from data provided 
directly from EPA employees and contractors via the EPA ServiceNow 
self-help portal, from Enterprise IT Service Desk personnel who have 
received technical support calls from requestors or pre-populated 
fields captured from EPA Active Directory.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    The following new routine uses apply to this system because the use 
of the record is necessary for the efficient conduct of government. The 
routine uses are related to and compatible with the original purpose 
for which the information was collected. The last two routine uses are 
required under OMB M-17-12. Records in this system may be disclosed to 
the following entities:
     Disclosure for Law Enforcement Purposes.
    Information may be disclosed to the appropriate Federal, State, 
local, tribal, or foreign agency responsible for investigating, 
prosecuting, enforcing, or implementing a statute, rule, regulation, or 
order, if the information is relevant to a violation or potential 
violation of civil or criminal law or regulation within the 
jurisdiction of the receiving entity.
     Disclosure Incident to Requesting Information.
    Information may be disclosed to any source from which additional 
information is requested (to the extent necessary to identify the 
individual, inform the source of the purpose of the request, and to 
identify the type of information requested,) when necessary to obtain 
information relevant to an agency decision concerning retention of an 
employee or other personnel action (other than hiring,) retention of a 
security clearance, the letting of a contract, or the issuance or 
retention of a grant, or other benefit.
     Disclosure to Congressional Offices.
    Information may be disclosed to a congressional office from the 
record of an individual in response to an inquiry from the 
congressional office made at the request of the individual.
     Disclosure to Department of Justice.
    Information may be disclosed to the Department of Justice, or in a 
proceeding before a court, adjudicative body, or other administrative 
body before which the Agency is authorized to appear, when:
    [check] The Agency, or any component thereof;
    [check] Any employee of the Agency in his or her official capacity;
    [check] Any employee of the Agency in his or her individual 
capacity where the Department of Justice or the Agency have agreed to 
represent the employee; or
    [check] The United States, if the Agency determines that litigation 
is likely to affect the Agency or any of its components, is a party to 
litigation or has an interest in such litigation, and the use of such 
records by the Department of Justice or the Agency is deemed by the 
Agency to be relevant and necessary to the litigation provided, 
however, that in each case it has been determined that the disclosure 
is compatible with the purpose for which the records were collected.
     Disclosure to the National Archives.
    Information may be disclosed to the National Archives and Records 
Administration in records management inspections.

[[Page 27111]]

     Disclosure to Contractors, Grantees, and Others.
    Information may be disclosed to contractors, grantees, consultants, 
or volunteers performing or working on a contract, service, grant, 
cooperative agreement, job, or other activity for the Agency and who 
have a need to have access to the information in the performance of 
their duties or activities for the Agency.
     Disclosures for Administrative Claims, Complaints and 
Appeals.
    Information from this system of records may be disclosed to an 
authorized appeal grievance examiner, formal complaints examiner, equal 
employment opportunity investigator, arbitrator or other person 
properly engaged in investigation or settlement of an administrative 
grievance, complaint, claim, or appeal filed by an employee, but only 
to the extent that the information is relevant and necessary to the 
proceeding. Agencies that may obtain information under this routine use 
include, but are not limited to, the Office of Personnel Management, 
Office of Special Counsel, Merit Systems Protection Board, Federal 
Labor Relations Authority, Equal Employment Opportunity Commission, and 
Office of Government Ethics.
     Disclosure in Connection With Litigation.
    Information from this system of records may be disclosed in 
connection with litigation or settlement discussions regarding claims 
by or against the EPA, including public filing with a court, to the 
extent that disclosure of the information is relevant and necessary to 
the litigation or discussions and except where court orders are 
otherwise required under section (b)(11) of the Privacy Act of 1974, 5 
U.S.C. 552a(b)(11).
     Disclosure to Persons or Entities in Response to an actual 
of Suspected Breach of Personally Identifiable Information.
    To appropriate agencies, entities, and persons when (1) the Agency 
suspects or has confirmed that there has been a breach of the system of 
records, (2) the Agency has determined that as a result of the 
suspected or confirmed breach there is a risk of harm to individuals, 
the Agency (including its information systems, programs, and 
operations), the Federal Government, or national security; and (3) the 
disclosure made to such agencies, entities, and persons is reasonably 
necessary to assist in connection with the Agency's efforts to respond 
to the suspected or confirmed breach or to prevent, minimize, or remedy 
such harm.
     Disclosure to Assist Another Agency in its Efforts to 
Respond to a Breach
    To another Federal agency or Federal entity, when the Agency 
determines that information from this system of records is reasonably 
necessary to assist the recipient agency or entity in (1) responding to 
a suspected or confirmed breach or (2) preventing, minimizing, or 
remedying the risk of harm to individuals, the recipient agency or 
entity (including its information systems, programs, and operations), 
the Federal Government, or national security, resulting from a 
suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    SNOW records are stored in a controlled access facility, inside of 
a controlled area, using self-encrypting hard drives. ServiceNow, Inc. 
has deployed a High-Availability architecture to ensure continuous 
business operations for the ServiceNow platform. There are two data 
centers supporting Government customers with one configured as the 
active and the other as the standby. The active and standby facilities 
are mirrored, which enables the standby to become the active site in 
the event of a disaster. Both data centers are mirrors of each other, 
and therefore they act as both an active and a standby facility. In 
addition to the mirror backup between the two instances, a local backup 
is kept at each site. Each local backup acts as the offsite backup for 
their counterpart dedicated data center cage. Backups are performed on 
disk through network-attached storage and are never written to tape. In 
addition to backups within each dedicated data center cage facility, a 
backup of each internal production instance is copied over to the 
standby site (Disaster Recovery site).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Records for EPA ServiceNow will be retrieved by customer first and 
last name, email address or by ticket reference number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    SNOW follows the EPA Records Policy for retention and disposal, per 
schedule 1012 (Information and Technology Management) and schedule 1049 
(Information Access and Protection Records). https://www.epa.gov/records/epa-records-policy-and-guidance

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    ServiceNow is a Cloud-Based Software as a Service (SaaS) solution 
designed to be accessed over the internet. As such, all remote 
communication must be encrypted, use for non-business purposes is 
prohibited and all users are required to be authorized. To verify that 
a user is authorized, EPA ServiceNow customers and staff must have a 
current valid EPA Active Directory account. External requestors (i.e. 
non-EPA government personnel, state and local government personnel and/
or private citizens) will not have access to, as they are not 
authorized, nor will be granted access to EPA ServiceNow. The records 
in EPA ServiceNow are maintained in a secure, password-protected 
computer system behind a network firewall. This system is located in a 
controlled facility that requires the ServiceNow cloud providers to 
have an authorized badge and biometrics prior to accessing the data 
centers. ServiceNow users must log in with an authorized user ID and 
password or Personal Identity Verification (PIV) card to access the 
system. Group or shared accounts are not used by EPA ServiceNow 
customers and support personnel. EPA ServiceNow customers and personnel 
are prohibited from sharing accounts. Each user has a unique identifier 
within Active Directory used for authentication. In addition to the 
lock screen setting enforced by EPA on the desktop, EPA ServiceNow 
implements session timeout period after 30 minutes of user inactivity.

RECORD ACCESS PROCEDURES:
    Individuals seeking access to information in this system of records 
about themselves should make a written request to the Agency Privacy 
Officer, 1200 Pennsylvania Ave., Mailcode 2831T, Washington, DC 20460. 
Requesters are required to provide adequate identification (e.g., 
driver's license, military identification card, employee badge or 
identification card). Additional identity verification procedures may 
be required, as warranted. Requests must meet the requirements of EPA 
regulations that implement the Privacy Act of 1974, at 40 CFR part 16.

CONTESTING RECORD PROCEDURES:
    Requests for correction or amendment must identify the record to be 
changed and the corrective action sought to the Agency Privacy Officer, 
1200 Pennsylvania Ave., Mailcode 2831T, Washington, DC 20460; 
privacy@epa.gov. Complete EPA Privacy Act

[[Page 27112]]

procedures are set out in EPA's Privacy Act regulations at 40 CFR part 
16.

NOTIFICATION PROCEDURE:
    Any individual who wants to know whether this system of records 
contains a record about themselves should submit a request to the 
Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Avenue NW, 
Washington, DC 20460 or privacy@epa.gov.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    None.

    Dated: April 12, 2019.
Vaughn Noga,
Senior Agency Official for Privacy.
[FR Doc. 2019-12300 Filed 6-10-19; 8:45 am]
 BILLING CODE 6560-50-P


