Privacy Act of 1974; System of Records

Federal Register, Jun 11, 2019
84 Fed. Reg. 27109 (Jun. 11, 2019)

AGENCY:

Office of Mission Support, Environmental Protection Agency.

ACTION:

Notice of a new system of records.

SUMMARY:

In accordance with the Privacy Act of 1974, as amended (Privacy Act), the U.S. Environmental Protection Agency (EPA) is providing notice of a new system of records, EPA ServiceNow (SNOW). SNOW is a Cloud-Based Software as a Service (SaaS) Information Technology Service Management platform used for agency incident and problem management.

DATES:

Persons wishing to comment on this system of records notice must do so by July 11, 2019. New routine uses for this new system of records will be effective July 11, 2019.

ADDRESSES:

Submit your comments, identified by Docket ID No. EPA-HQ-OEI-2018-0218, by one of the following methods:

  • Regulations.gov: www.regulations.gov. Follow the online instructions for submitting comments.
  • Email: oei.docket@epa.gov.
  • Fax: 202-566-1752.
  • Mail: OMS Docket, Environmental Protection Agency, Mail Code: 2822T, 1200 Pennsylvania Ave. NW, Washington, DC 20460.
  • Hand Delivery: OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC. Such deliveries are only accepted during the Docket's normal hours of operation, and special arrangements should be made for deliveries of boxed information.

Instructions: Direct your comments to Docket ID No. EPA-HQ-OEI-2018-0218. The EPA's policy is that all comments received will be included in the public docket without change and may be made available online at www.regulations.gov, including any personal information provided, unless the comment includes information claimed to be Controlled Unclassified Information (CUI) or other information for which disclosure is restricted by statute. Do not submit information that you consider to be CUI or otherwise protected through www.regulations.gov. The www.regulations.gov website is an “anonymous access” system for EPA, which means the EPA will not know your identity or contact information unless you provide it in the body of your comment. Each agency determines submission requirements within its own internal processes and standards. EPA has no requirement of personal information. If you send an email comment directly to the EPA without going through www.regulations.gov, your email address will be automatically captured and included as part of the comment that is placed in the public docket and made available on the internet. If you submit an electronic comment, the EPA recommends that you include your name and other contact information in the body of your comment. If the EPA cannot read your comment due to technical difficulties and cannot contact you for clarification, the EPA may not be able to consider your comment. Electronic files should avoid the use of special characters and any form of encryption, and should be free of any defects or viruses. For additional information about the EPA's public docket, visit the EPA Docket Center homepage at http://www.epa.gov/epahome/dockets.htm.

Docket: All documents in the docket are listed in the www.regulations.gov index. Although listed in the index, some information is not publicly available, e.g., CUI or other information for which disclosure is restricted by statute. Certain other material, such as copyrighted material, will be publicly available only in hard copy. Publicly available docket materials are available either electronically in www.regulations.gov or in hard copy at the OMS Docket, EPA/DC, WJC West Building, Room 3334, 1301 Constitution Ave. NW, Washington, DC. The Public Reading Room is open from 8:30 a.m. to 4:30 p.m., Monday through Friday excluding legal holidays. The telephone number for the Public Reading Room is (202) 566-1744, and the telephone number for the OMS Docket is (202) 566-1752.

FOR FURTHER INFORMATION CONTACT:

Gloria Meriweather at meriweather.gloria@epa.gov, (202) 566-0652.

SUPPLEMENTARY INFORMATION:

EPA ServiceNow is a FedRAMP approved (FedRAMP Package ID: F1305072116) Cloud Based Software as a Service (SaaS) incident and problem management solution that will be replacing the current EPA Remedy solution.

SYSTEM NAME AND NUMBER:

EPA ServiceNow (SNOW), EPA-78.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

Office of Environmental Information, Environmental Protection Agency, 1301 Constitution Ave., Washington, DC 20460.

SAIC Inc. 12010 Sunset Hills Road, Reston, VA 20190.

SYSTEM MANAGER(S):

Willie J. Abney, Division Director of Desktop Support Services Division (DSSD), Office of Environmental Information, Office of Information Technology Operations, 1301 Constitution Ave., Washington, DC 20460; Email Address: Abney.Willie@epa.gov; Phone Number: 202-566-1366.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

5 U.S.C. 301 “Departmental Regulations”; 8 U.S.C. 1101, 1103, 1104, 1201, 1255, 1305, 1360; 44 U.S.C. 3101 “Records Management by Federal Agency Heads.”

PURPOSE(S) OF THE SYSTEM:

This system will collect limited personally identifiable information (PII) from requestors (i.e., EPA employees, EPA contractors, non-EPA government personnel, state and local government personnel and/or private citizens), such as first and last name, that will help EPA technical support teams provide individualized support and other service-oriented activities in support of both internal (i.e., EPA employees, EPA contractors) and external (i.e., non-EPA government personnel, state and local government personnel and/or private citizens) requestors. EPA technical support teams will also use the information to provide support for EPA information technology (IT) systems, assets, and other service-oriented activities including the following:

  • Managing service request tickets
  • Retrieving incident information
  • Troubleshooting issues
  • Managing IT assets
  • Conveying outage information across the enterprise

All PII associated with the activities listed are only available and presented to internal (i.e., EPA employees, EPA contractors) stakeholders who have a valid need-to-know. PII captured from external requestors (i.e., non-EPA government personnel, state and local government personnel and/or private citizens) is required and only used for opening a trouble ticket on their behalf.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

Categories of individuals covered by this system include EPA employees, EPA contractors, non-EPA government personnel, state and local government personnel and/or private citizens (i.e., requestors) who request technical support by directly contacting the EPA Enterprise IT Service Desk or EPA employees and contractors requesting support using ServiceNow's self-help portal for opening support tickets, external requestors requesting trouble tickets be opened for externally facing EPA applications, EPA Enterprise IT Service Desk personnel or EPA IT System Administrators (SA) working trouble or incident tickets, and ServiceNow Administrators.

CATEGORIES OF RECORDS IN THE SYSTEM:

The information collected in the system is First and Last Name; Work/Business Address; Date; Work Number; Work Email Address; External Email Address (for non-EPA government personnel including state and local government personnel and/or private citizens); Employee LAN ID; Employee Number.

RECORD SOURCE CATEGORIES:

Information contained in this system is obtained from data provided directly from EPA employees and contractors via the EPA ServiceNow self-help portal, from Enterprise IT Service Desk personnel who have received technical support calls from requestors or pre-populated fields captured from EPA Active Directory.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

The following new routine uses apply to this system because the use of the record is necessary for the efficient conduct of government. The routine uses are related to and compatible with the original purpose for which the information was collected. The last two routine uses are required under OMB M-17-12. Records in this system may be disclosed to the following entities:

  • Disclosure for Law Enforcement Purposes.

Information may be disclosed to the appropriate Federal, State, local, tribal, or foreign agency responsible for investigating, prosecuting, enforcing, or implementing a statute, rule, regulation, or order, if the information is relevant to a violation or potential violation of civil or criminal law or regulation within the jurisdiction of the receiving entity.

  • Disclosure Incident to Requesting Information.

Information may be disclosed to any source from which additional information is requested (to the extent necessary to identify the individual, inform the source of the purpose of the request, and to identify the type of information requested), when necessary to obtain information relevant to an agency decision concerning retention of an employee or other personnel action (other than hiring), retention of a security clearance, the letting of a contract, or the issuance or retention of a grant, or other benefit.

  • Disclosure to Congressional Offices.

Information may be disclosed to a congressional office from the record of an individual in response to an inquiry from the congressional office made at the request of the individual.

  • Disclosure to Department of Justice.

Information may be disclosed to the Department of Justice, or in a proceeding before a court, adjudicative body, or other administrative body before which the Agency is authorized to appear, when:

✓ The Agency, or any component thereof;

✓ Any employee of the Agency in his or her official capacity;

✓ Any employee of the Agency in his or her individual capacity where the Department of Justice or the Agency have agreed to represent the employee; or

✓ The United States, if the Agency determines that litigation is likely to affect the Agency or any of its components, is a party to litigation or has an interest in such litigation, and the use of such records by the Department of Justice or the Agency is deemed by the Agency to be relevant and necessary to the litigation provided, however, that in each case it has been determined that the disclosure is compatible with the purpose for which the records were collected.

  • Disclosure to the National Archives.

Information may be disclosed to the National Archives and Records Administration in records management inspections.

  • Disclosure to Contractors, Grantees, and Others.

Information may be disclosed to contractors, grantees, consultants, or volunteers performing or working on a contract, service, grant, cooperative agreement, job, or other activity for the Agency and who have a need to have access to the information in the performance of their duties or activities for the Agency.

  • Disclosures for Administrative Claims, Complaints and Appeals.

Information from this system of records may be disclosed to an authorized appeal grievance examiner, formal complaints examiner, equal employment opportunity investigator, arbitrator or other person properly engaged in investigation or settlement of an administrative grievance, complaint, claim, or appeal filed by an employee, but only to the extent that the information is relevant and necessary to the proceeding. Agencies that may obtain information under this routine use include, but are not limited to, the Office of Personnel Management, Office of Special Counsel, Merit Systems Protection Board, Federal Labor Relations Authority, Equal Employment Opportunity Commission, and Office of Government Ethics.

  • Disclosure in Connection With Litigation.

Information from this system of records may be disclosed in connection with litigation or settlement discussions regarding claims by or against the EPA, including public filing with a court, to the extent that disclosure of the information is relevant and necessary to the litigation or discussions and except where court orders are otherwise required under section (b)(11) of the Privacy Act of 1974, 5 U.S.C. 552a(b)(11).

  • Disclosure to Persons or Entities in Response to an Actual or Suspected Breach of Personally Identifiable Information.

To appropriate agencies, entities, and persons when (1) the Agency suspects or has confirmed that there has been a breach of the system of records, (2) the Agency has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Agency (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Agency's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

  • Disclosure to Assist Another Agency in its Efforts to Respond to a Breach.

To another Federal agency or Federal entity, when the Agency determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

SNOW records are stored in a controlled access facility, inside of a controlled area, using self-encrypting hard drives. ServiceNow, Inc. has deployed a High-Availability architecture to ensure continuous business operations for the ServiceNow platform. There are two data centers supporting Government customers with one configured as the active and the other as the standby. The active and standby facilities are mirrored, which enables the standby to become the active site in the event of a disaster. Both data centers are mirrors of each other, and therefore they act as both an active and a standby facility. In addition to the mirror backup between the two instances, a local backup is kept at each site. Each local backup acts as the offsite backup for their counterpart dedicated data center cage. Backups are performed on disk through network-attached storage and are never written to tape. In addition to backups within each dedicated data center cage facility, a backup of each internal production instance is copied over to the standby site (Disaster Recovery site).

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records for EPA ServiceNow will be retrieved by customer first and last name, email address or by ticket reference number.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:

SNOW follows the EPA Records Policy for retention and disposal, per schedule 1012 (Information and Technology Management) and schedule 1049 (Information Access and Protection Records). https://www.epa.gov/records/epa-records-policy-and-guidance

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

ServiceNow is a Cloud-Based Software as a Service (SaaS) solution designed to be accessed over the internet. As such, all remote communication must be encrypted, use for non-business purposes is prohibited, and all users are required to be authorized. To verify that a user is authorized, EPA ServiceNow customers and staff must have a current valid EPA Active Directory account. External requestors (i.e., non-EPA government personnel, state and local government personnel and/or private citizens) are not authorized and will not have, or be granted, access to EPA ServiceNow. The records in EPA ServiceNow are maintained in a secure, password-protected computer system behind a network firewall. This system is located in a controlled facility that requires the ServiceNow cloud providers to have an authorized badge and biometrics prior to accessing the data centers. ServiceNow users must log in with an authorized user ID and password or Personal Identity Verification (PIV) card to access the system. Group or shared accounts are not used by EPA ServiceNow customers and support personnel. EPA ServiceNow customers and personnel are prohibited from sharing accounts. Each user has a unique identifier within Active Directory used for authentication. In addition to the lock screen setting enforced by EPA on the desktop, EPA ServiceNow implements a session timeout period after 30 minutes of user inactivity.

RECORD ACCESS PROCEDURES:

Individuals seeking access to information in this system of records about themselves should make a written request to the Agency Privacy Officer, 1200 Pennsylvania Ave., Mailcode 2831T, Washington, DC 20460. Requesters are required to provide adequate identification (e.g., driver's license, military identification card, employee badge or identification card). Additional identity verification procedures may be required, as warranted. Requests must meet the requirements of EPA regulations that implement the Privacy Act of 1974, at 40 CFR part 16.

CONTESTING RECORD PROCEDURES:

Requests for correction or amendment must identify the record to be changed and the corrective action sought, and be submitted to the Agency Privacy Officer, 1200 Pennsylvania Ave., Mailcode 2831T, Washington, DC 20460; privacy@epa.gov. Complete EPA Privacy Act procedures are set out in EPA's Privacy Act regulations at 40 CFR part 16.

NOTIFICATION PROCEDURE:

Any individual who wants to know whether this system of records contains a record about themselves should submit a request to the Agency Privacy Officer, MC 2831T, 1200 Pennsylvania Avenue NW, Washington, DC 20460 or privacy@epa.gov.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.

Dated: April 12, 2019.

Vaughn Noga,

Senior Agency Official for Privacy.

[FR Doc. 2019-12300 Filed 6-10-19; 8:45 am]

BILLING CODE 6560-50-P