82 FR 6552 - Privacy Act of 1974; Notice of a New System of Records

GENERAL SERVICES ADMINISTRATION

Federal Register Volume 82, Issue 12 (January 19, 2017)

Page Range: 6552-6554
FR Document: 2017-01174

[Federal Register Volume 82, Number 12 (Thursday, January 19, 2017)]
[Notices]
[Pages 6552-6554]
[FR Doc No: 2017-01174]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[Notice-ID-2016-03; Docket 2016-0002; Sequence No. 29]


Privacy Act of 1974; Notice of a New System of Records

AGENCY: General Services Administration (GSA).

ACTION: Notice of a new system of records.

-----------------------------------------------------------------------

SUMMARY: GSA proposes to establish a new system of records subject to 
the Privacy Act of 1974. The proposed system is a single sign-on 
platform to facilitate access to government services.

DATES: The system of records notice is effective upon its publication 
in today's Federal Register, with the exception of the routine uses 
which are effective February 21, 2017. Comments on the routine uses or 
other aspects of the system of records notice must be submitted by 
February 21, 2017.

ADDRESSES: Submit comments identified by ``Notice-ID-2016-03, Notice of 
New System of Records'' by any of the following methods:
     Regulations.gov: http://www.regulations.gov. Submit 
comments via the Federal eRulemaking portal by searching for Notice-ID-
2016-03, Notice of New System of Records. Select the link ``Comment 
Now'' that corresponds with ``Notice-ID-2016-03, Notice of New System 
of Records.'' Follow the instructions provided on the screen. Please 
include your name, company name (if any), and ``Notice-ID-2016-03, 
Notice of New System of Records'' on your attached document.
     Mail: General Services Administration, Regulatory 
Secretariat Division (MVCB), 1800 F Street NW., Washington, DC 20405. 
ATTN: Ms. Flowers/Notice-ID-2016-03, Notice of New System of Records.

FOR FURTHER INFORMATION CONTACT: Call the GSA Chief Privacy Officer at 
telephone 202-322-8246; or email gsa.privacyact@gsa.gov.

SUPPLEMENTARY INFORMATION: GSA proposes to establish a new system of 
records subject to the Privacy Act of 1974, 5 U.S.C. 552a. The proposed 
system is a single sign-on platform to facilitate access to government 
services. The previously published notice, at 81 FR 57912, on August 
24, 2016, is being replaced. The system is a single, secure platform 
through which members of the public can log-in and access services from 
participating federal agencies (partner agencies). All federal agencies 
are eligible to participate, and those that do will be listed on the 
Login.gov information page. The platform will use information given by 
the user to identity proof them including email address, password, 
name, date of birth, address, phone number, and social security number.
    Identity proofing is the process of verifying that a person is who 
they say they are. Personally Identifiable Information (PII) must be 
collected from a Login.gov user to identity proof that user and then 
authenticate that user's identity at a Level of Assurance (LOA) 
required by a partner agency to grant access to its information, 
applications, programs, or records (for the purpose of this notice, 
``services''). Login.gov authenticates a user by validating that person 
is the owner of an account through a valid username, password, and the 
completion of the multi-factor authentication step, for example by 
providing the one-time password they receive by phone.
    Login.gov operates at two levels of assurance: Level of Assurance 1 
(LOA1) and Level of Assurance 3 (LOA3). A user will only be asked for 
information based on the LOA required by the partner agency to access a 
given service. For example, in order to access a service that requires 
LOA1, the user will only be asked to provide an email address, password 
and phone number, because that information suffices for LOA1. To access 
a service that requires LOA3, the user will be asked to provide the 
above information as well as full name, date of birth, home address and 
Social Security Number. These two sets of PII comprise the user's LOA1 
or LOA3 ``account information,'' respectively.
    Login.gov will collect and maintain a user's LOA1 account 
information, and if required, LOA3 account information. Login.gov will 
verify a user's identity at LOA3 by providing the user's LOA3 account 
information to a third party identity proofing service. Third party 
identity proofing services used by Login.gov may employ a variety of 
verification techniques, including, but not limited to, verifying a 
user's financial information or information from a user's government-
issued identification.
    The identity proofing process between Login.gov and a third party 
identity proofing service takes place within Login.gov after the user 
provides the information required by that third party identity proofing 
service. However, Login.gov does not retain a user's response(s) to any 
question(s) posed by a third party identity proofing service during the 
proofing process.
    Once a user is proofed at LOA1, that user's account information 
will be assigned a meaningless, but unique, 
number (MBUN) to identify the user in Login.gov. The user's MBUN (and 
the minimum set of user account information needed to allow access to 
the partner agency's service) will be provided to the partner agency 
only after the user gives permission to send that information.
    The information in Login.gov is contributed voluntarily by the user 
and cannot be accessed, used, or disclosed by GSA without consent of 
the user, except as provided in this notice. A partner agency may add 
its own unique identifier to the user's Login.gov account information 
for the purpose of identifying the user on subsequent attempts to 
access that agency's services.
    Login.gov follows National Institute of Standards and Technology 
(NIST) Special Publication 800-63-2, ``Electronic Authentication 
Guideline'' and will employ third party identity proofing services, 
proofing using government data sources, including government-issued 
identification.

Richard Speidel,
Chief Privacy Officer, Office of the Deputy Chief Information Officer, 
General Services Administration.

SYSTEM NAME AND NUMBER:
    Login.gov, GSA/TTS-1.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The system is owned and maintained by GSA, housed in secure 
datacenters in continental United States. Contact the System Manager 
listed below for additional information.

SYSTEM MANAGER:
    Joel Minton, Director, Login.gov, General Services Administration, 
1800 F Street NW., Washington, DC 20405. https://www.Login.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    E-Government Act of 2002 (Pub. L. 107-347, 44 U.S.C. 3501 note), 6 
U.S.C. 1523 (b)(1)(A)-(E), and 40 U.S.C. 501.

PURPOSE(S) OF THE SYSTEM:
    The purpose of the system is to provide a single, secure platform 
through which members of the public can log-in and access services from 
partner agencies, and to increase user security by facilitating 
identity proofing and authentication as necessary in order to access 
specific government services.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Anyone with an email account and access to a phone is able to 
create an account at any time. Individuals in this system of records 
are members of the public seeking electronic access to a service from a 
participating Federal agency (partner agency), including anyone 
attempting to authenticate and/or identity proof for the purpose of 
obtaining a credential to electronically access a partner agency's 
services. All federal agencies are eligible to participate, and those 
that do will be listed on the Login.gov information page.

CATEGORIES OF RECORDS IN THE SYSTEM:
    The information collected by Login.gov is necessary to perform 
identity proofing at the partner agency's required level of assurance 
(LOA). A user's account information is only retained as necessary to 
manage the user's credential. The only information a user must provide 
to identity proof at LOA1 is an email address, password and phone 
number. For LOA3 identity proofing, the above information is collected, 
as well as the user's name, address, birth date, Social Security 
number.
    If a third party identity proofing service is unable to proof the 
user based on the user's LOA3 account information, Login.gov may 
request additional information from the user. However, any additional 
questions from the third party identity proofing service and the user's 
responses will not be retained by Login.gov after the user logs off.
    Each third party identity proofing service will send information 
back to Login.gov about its attempt to identity proof the user 
including: Transaction ID; pass/fail indicator; date/time of 
transaction; and codes associated with the transaction data.
    Each partner agency whose services the user accesses via Login.gov 
may add its own unique identifier to that user's account information.

RECORD SOURCE CATEGORIES:
    The sources for information in the system are the individual 
Login.gov users. Each third party identity proofing service will 
provide transaction details about its attempt to identity proof a user 
and each partner agency whose services the user accesses via Login.gov 
may provide its own unique identifier to that user's account 
information.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed to authorized 
entities, as is determined to be relevant and necessary, outside GSA as 
a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. To the Department of Justice or other Federal agency conducting 
litigation or in proceedings before any court, adjudicative or 
administrative body, when: (a) GSA or any component thereof, or (b) any 
employee of GSA in his/her official capacity, or (c) any employee of 
GSA in his/her individual capacity where DOJ or GSA has agreed to 
represent the employee, or (d) the United States or any agency thereof, 
is a party to the litigation or has an interest in such litigation, and 
GSA determines that the records are both relevant and necessary to the 
litigation.
    b. To NIST-compliant third party identity proofing services, as 
necessary to identity proof an individual for access to a service at 
the required level of assurance.
    c. To an appropriate Federal, State, tribal, local, international, 
or foreign law enforcement agency or other appropriate authority 
charged with investigating or prosecuting a violation or enforcing or 
implementing a law, rule, regulation, or order, where a record, either 
on its face or in conjunction with other information, indicates a 
violation or potential violation of law, which includes criminal, 
civil, or regulatory violations and such disclosure is proper and 
consistent with the official duties of the person making the 
disclosure.
    d. To a Member of Congress or his or her staff in response to a 
request made on behalf of and at the request of the individual who is 
the subject of the record.
    e. To the Office of Management and Budget (OMB) and the Government 
Accountability Office (GAO) in accordance with their responsibilities 
for evaluation or oversight of Federal programs.
    f. To an expert, consultant, or contractor of GSA in the 
performance of a Federal duty to which the information is relevant.
    g. To the National Archives and Records Administration (NARA) for 
records management purposes.
    h. To appropriate agencies, entities, and persons when (1) GSA 
suspects or has confirmed that there has been a breach of the system of 
records; (2) GSA has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, GSA (including 
its information systems, programs and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with GSA's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    i. To another Federal agency or Federal entity, when GSA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1) responding to a suspected 
or confirmed breach or (2) preventing, minimizing, or remedying the 
risk of harm to individuals, the recipient agency or entity (including 
its information systems, programs, and operations), the Federal 
Government, or national security, resulting from a suspected or 
confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    All records are stored electronically in a database. User account 
information is encrypted in transit and at rest.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    The user's email address and phone number, which are part of LOA1 
account information, can be retrieved using Login.gov developed 
software with system access. When the user provides their password or 
recovery code, the system retrieves that user's LOA1 account 
information (email, password, and phone number) or LOA3 account 
information (full name, date of birth, home address and Social Security 
Number) using a search of the email addresses in the system. However, 
each user's LOA3 account information is encrypted such that neither the 
system nor system operators can retrieve it without the user providing 
their password or recovery code.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    System records will be retained and disposed of in accordance with 
NARA's General Records Schedule (GRS) Transmittal 26, section 3.2 
``System access records'' covering user profiles, log-in files, 
password files, audit trail files and extracts, system usage files, and 
cost-back files used to assess charges for system use. The guidance 
instructs, ``Destroy 6 years after password is altered or user account 
is terminated, but longer retention is authorized if required for 
business use.''

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Records in the system are protected from unauthorized access and 
misuse through various administrative, technical and physical security 
measures. Technical security measures within GSA include restrictions 
on computer access to authorized individuals, required use of strong 
passwords that are frequently changed and regular review of security 
procedures and best practices to enhance security. Access to the 
Login.gov database is maintained behind an industry-standard firewall 
and information in the database is encrypted. As noted above, neither 
the system nor the system operators can retrieve the user's LOA3 
account information without the user supplying a password or recovery 
code.

RECORD ACCESS PROCEDURES:
    Individuals or users wishing to access their own records may do so 
by providing their email address, password, and a multi-factor 
authentication token (e.g. a one-time password or code sent to the 
user's phone) to Login.gov, or by contacting the system administrator 
at the above address.

CONTESTING RECORD PROCEDURES:
    Users can modify, or amend, any of their user account information 
by accessing it in their account. Users that want access to partner 
agency records, or to contest the contents of those records, need to 
make a request with that agency.

NOTIFICATION PROCEDURE:
    Users create their account information and, thereafter, access it 
by providing their email address, password, and a multi-factor 
authentication token (e.g. a one-time password or code sent to the 
user's phone). Inquiries can be made via the Web site at https://Login.gov/ or at the above address under `System Manager and Address'.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    This notice replaces the previously published notice at 81 FR 
57912, on August 24, 2016.

[FR Doc. 2017-01174 Filed 1-18-17; 8:45 am]
 BILLING CODE 6820-34-P



                                                  6552                         Federal Register / Vol. 82, No. 12 / Thursday, January 19, 2017 / Notices

                                                  Act of 1956 (12 U.S.C. 1841 et seq.)                    GENERAL SERVICES                                       information page. The platform will use
                                                  (BHC Act), Regulation Y (12 CFR part                    ADMINISTRATION                                         information given by the user to identity
                                                  225), and all other applicable statutes                                                                        proof them including email address,
                                                                                                          [Notice-ID–2016–03; Docket 2016–0002;
                                                  and regulations to become a bank                                                                               password, name, date of birth, address,
                                                                                                          Sequence No. 29]
                                                  holding company and/or to acquire the                                                                          phone number, and social security
                                                  assets or the ownership of, control of, or              Privacy Act of 1974; Notice of a New                   number.
                                                  the power to vote shares of a bank or                   System of Records                                         Identity proofing is the process of
                                                  bank holding company and all of the                                                                            verifying that a person is who they say
                                                                                                          AGENCY:  General Services                              they are. Personally Identifiable
                                                  banks and nonbanking companies
                                                                                                          Administration (GSA).                                  Information (PII) must be collected from
                                                  owned by the bank holding company,
                                                                                                          ACTION: Notice of a new system of                      a Login.gov user to identity proof that
                                                  including the companies listed below.                                                                          user and then authenticate that user’s
                                                                                                          records.
                                                     The applications listed below, as well                                                                      identity at a Level of Assurance (LOA)
                                                  as other related filings required by the                SUMMARY:    GSA proposes to establish a                required by a partner agency to grant
                                                  Board, are available for immediate                      new system of records subject to the                   access to its information, applications,
                                                  inspection at the Federal Reserve Bank                  Privacy Act of 1974. The proposed                      programs, or records (for the purpose of
                                                  indicated. The applications will also be                system is a single sign-on platform to                 this notice, ‘‘services’’). Login.gov
                                                  available for inspection at the offices of              facilitate access to government services.              authenticates a user by validating that
                                                  the Board of Governors. Interested                      DATES: The system of records notice is                 person is the owner of an account
                                                  persons may express their views in                      effective upon its publication in today’s              through a valid username, password,
                                                  writing on the standards enumerated in                  Federal Register, with the exception of                and the completion of the multi-factor
                                                  the BHC Act (12 U.S.C. 1842(c)). If the                 the routine uses which are effective                   authentication step, for example by
                                                  proposal also involves the acquisition of               February 21, 2017. Comments on the                     providing the one-time password they
                                                                                                          routine uses or other aspects of the                   receive by phone.
                                                  a nonbanking company, the review also
                                                                                                          system of records notice must be                          Login.gov operates at two levels of
                                                  includes whether the acquisition of the                                                                        assurance: Level of Assurance 1 (LOA1)
                                                  nonbanking company complies with the                    submitted by February 21, 2017.
                                                                                                          ADDRESSES: Submit comments                             and Level of Assurance 3 (LOA3). A
                                                  standards in section 4 of the BHC Act                                                                          user will only be asked for information
                                                  (12 U.S.C. 1843). Unless otherwise                      identified by ‘‘Notice–ID–2016–03,
                                                                                                          Notice of New System of Records’’ by                   based on the LOA required by the
                                                  noted, nonbanking activities will be                                                                           partner agency to access a given service.
                                                  conducted throughout the United States.                 any of the following methods:
                                                                                                             • Regulations.gov: http://                          For example, in order to access a service
                                                     Unless otherwise noted, comments                     www.regulations.gov. Submit comments                   that requires LOA1, the user will only
                                                  regarding each of these applications                    via the Federal eRulemaking portal by                  be asked to provide an email address,
                                                  must be received at the Reserve Bank                    searching for Notice–ID–2016–03,                       password and phone number, because
                                                  indicated or the offices of the Board of                Notice of New System of Records. Select                that information suffices for LOA1. To
                                                  Governors not later than February 14,                   the link ‘‘Comment Now’’ that                          access a service that requires LOA3, the
                                                  2017.                                                   corresponds with ‘‘Notice-ID–2016–03,                  user will be asked to provide the above
                                                                                                          Notice of New System of Records.’’                     information as well as full name, date of
                                                     A. Federal Reserve Bank of                                                                                  birth, home address and Social Security
                                                  Minneapolis (Jacquelyn K. Brunmeier,                    Follow the instructions provided on the
                                                                                                                                                                 Number. These two sets of PII comprise
                                                  Assistant Vice President) 90 Hennepin                   screen. Please include your name,
                                                                                                                                                                 the user’s LOA1 or LOA3 ‘‘account
                                                  Avenue, Minneapolis, Minnesota                          company name (if any), and ‘‘Notice–
                                                                                                                                                                 information,’’ respectively.
                                                                                                          ID–2016–03, Notice of New System of                       Login.gov will collect and maintain a
                                                  55480–0291:
                                                                                                          Records’’ on your attached document.                   user’s LOA1 account information, and if
                                                     1. Hazen Bancorporation, Inc., Hazen,                   • Mail: General Services
                                                  North Dakota; to increase its ownership                                                                        required, LOA3 account information.
                                                                                                          Administration, Regulatory Secretariat
                                                  of North Star Holding Company, Inc.,                                                                           Login.gov will verify a user’s identity at
                                                                                                          Division (MVCB), 1800 F Street NW.,
                                                                                                                                                                 LOA3 by providing the user’s LOA3
                                                  Jamestown, North Dakota, as a result of                 Washington, DC 20405. ATTN: Ms.
                                                                                                                                                                 account information to a third party
                                                  a stock redemption of North Star                        Flowers/Notice–ID–2016–03, Notice of
                                                                                                                                                                 identity proofing service. Third party
                                                  Holding Company, and thereby                            New System of Records.
                                                                                                                                                                 identity proofing services used by
                                                  indirectly control Unison Bank,                         FOR FURTHER INFORMATION CONTACT: Call                  Login.gov may employ a variety of
                                                  Jamestown, North Dakota.                                the GSA Chief Privacy Officer at                       verification techniques, including, but
                                                     2. McIntosh County Bank Holding                      telephone 202–322–8246; or email                       not limited to, verifying a user’s
                                                  Company, Inc., Ashley, North Dakota; to                 gsa.privacyact@gsa.gov.                                financial information or information
increase its ownership of North Star Holding Company, Inc., Jamestown, North Dakota, as a result of a stock redemption of North Star Holding Company, and thereby indirectly acquire control Unison Bank, Jamestown, North Dakota.

Board of Governors of the Federal Reserve System, January 13, 2017.
Yao-Chin Chao,
Assistant Secretary of the Board.
[FR Doc. 2017–01200 Filed 1–18–17; 8:45 am]
BILLING CODE 6210–01–P

SUPPLEMENTARY INFORMATION: GSA proposes to establish a new system of records subject to the Privacy Act of 1974, 5 U.S.C. 552a. The proposed system is a single sign-on platform to facilitate access to government services. The previously published notice, at 81 FR 57912, on August 24, 2016, is being replaced. The system is a single, secure platform through which members of the public can log-in and access services from participating federal agencies (partner agencies). All federal agencies are eligible to participate, and those that do will be listed on the Login.gov

from a user’s government-issued identification.

The identity proofing process between Login.gov and a third party identity proofing service takes place within Login.gov after the user provides the information required by that third party identity proofing service. However, Login.gov does not retain a user’s response(s) to any question(s) posed by a third party identity proofing service during the proofing process.

Once a user is proofed at LOA1, that user’s account information will be assigned a meaningless, but unique,
number (MBUN) to identify the user in Login.gov. The user’s MBUN (and the minimum set of user account information needed to allow access to the partner agency’s service) will be provided to the partner agency only after the user gives permission to send that information.

The information in Login.gov is contributed voluntarily by the user and cannot be accessed, used, or disclosed by GSA without consent of the user, except as provided in this notice. A partner agency may add its own unique identifier to the user’s Login.gov account information for the purpose of identifying the user on subsequent attempts to access that agency’s services.

Login.gov follows National Institute of Standards and Technology (NIST) Special Publication 800–63–2, ‘‘Electronic Authentication Guideline’’ and will employ third party identity proofing services, proofing using government data sources, including government-issued identification.

Richard Speidel,
Chief Privacy Officer, Office of the Deputy Chief Information Officer, General Services Administration.

SYSTEM NAME AND NUMBER:
Login.gov, GSA/TTS–1.

SECURITY CLASSIFICATION:
Unclassified.

SYSTEM LOCATION:
The system is owned and maintained by GSA, housed in secure datacenters in continental United States. Contact the System Manager listed below for additional information.

SYSTEM MANAGER:
Joel Minton, Director, Login.gov, General Services Administration, 1800 F Street NW., Washington, DC 20405. https://www.Login.gov.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
E-Government Act of 2002 (Pub. L. 107–347, 44 U.S.C. 3501 note), 6 U.S.C. 1523 (b)(1)(A)–(E), and 40 U.S.C. 501.

PURPOSE(S) OF THE SYSTEM:
The purpose of the system is to provide a single, secure platform through which members of the public can log-in and access services from partner agencies, and to increase user security by facilitating identity proofing and authentication as necessary in order to access specific government services.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Anyone with an email account and access to a phone is able to create an account at any time. Individuals in this system of records are members of the public seeking electronic access to a service from a participating Federal agency (partner agency), including anyone attempting to authenticate and/or identity proof for the purpose of obtaining a credential to electronically access a partner agency’s services. All federal agencies are eligible to participate, and those that do will be listed on the Login.gov information page.

CATEGORIES OF RECORDS IN THE SYSTEM:
The information collected by Login.gov is necessary to perform identity proofing at the partner agency’s required level of assurance (LOA). A user’s account information is only retained as necessary to manage the user’s credential. The only information a user must provide to identity proof at LOA1 is an email address, password and phone number. For LOA3 identity proofing, the above information is collected, as well as the user’s name, address, birth date, Social Security number.

If a third party identity proofing service is unable to proof the user based on the user’s LOA3 account information, Login.gov may request additional information from the user. However, any additional questions from the third party identity proofing service and the user’s responses will not be retained by Login.gov after the user logs off.

Each third party identity proofing service will send information back to Login.gov about its attempt to identity proof the user including: Transaction ID; pass/fail indicator; date/time of transaction; and codes associated with the transaction data.

Each partner agency whose services the user accesses via Login.gov may add its own unique identifier to that user’s account information.

RECORD SOURCE CATEGORIES:
The sources for information in the system are the individual Login.gov users. Each third party identity proofing service will provide transaction details about its attempt to identity proof a user and each partner agency whose services the user accesses via Login.gov may provide its own unique identifier to that user’s account information.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:
In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed to authorized entities, as is determined to be relevant and necessary, outside GSA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:

a. To the Department of Justice or other Federal agency conducting litigation or in proceedings before any court, adjudicative or administrative body, when: (a) GSA or any component thereof, or (b) any employee of GSA in his/her official capacity, or (c) any employee of GSA in his/her individual capacity where DOJ or GSA has agreed to represent the employee, or (d) the United States or any agency thereof, is a party to the litigation or has an interest in such litigation, and GSA determines that the records are both relevant and necessary to the litigation.

b. To NIST-compliant third party identity proofing services, as necessary to identity proof an individual for access to a service at the required level of assurance.

c. To an appropriate Federal, State, tribal, local, international, or foreign law enforcement agency or other appropriate authority charged with investigating or prosecuting a violation or enforcing or implementing a law, rule, regulation, or order, where a record, either on its face or in conjunction with other information, indicates a violation or potential violation of law, which includes criminal, civil, or regulatory violations and such disclosure is proper and consistent with the official duties of the person making the disclosure.

d. To a Member of Congress or his or her staff in response to a request made on behalf of and at the request of the individual who is the subject of the record.

e. To the Office of Management and Budget (OMB) and the Government Accountability Office (GAO) in accordance with their responsibilities for evaluation or oversight of Federal programs.

f. To an expert, consultant, or contractor of GSA in the performance of a Federal duty to which the information is relevant.

g. To the National Archives and Records Administration (NARA) for records management purposes.

h. To appropriate agencies, entities, and persons when (1) GSA suspects or has confirmed that there has been a breach of the system of records; (2) GSA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, GSA (including its information systems, programs and operations), the Federal Government, or national security; and (3) the disclosure made to such
agencies, entities, and persons is reasonably necessary to assist in connection with GSA’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

i. To another Federal agency or Federal entity, when GSA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
All records are stored electronically in a database. User account information is encrypted in transit and at rest.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
The user’s email address and phone number, which are part of LOA1 account information, can be retrieved using Login.gov developed software with system access. When the user provides their password or recovery code, the system retrieves that user’s LOA1 account information (email, password, and phone number) or LOA3 account information (full name, date of birth, home address and Social Security Number) using a search of the email addresses in the system. However, each user’s LOA3 account information is encrypted such that neither the system nor system operators can retrieve it without the user providing their password or recovery code.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
System records will be retained and disposed of in accordance with NARA’s General Records Schedule (GRS) Transmittal 26, section 3.2 ‘‘System access records’’ covering user profiles, log-in files, password files, audit trail files and extracts, system usage files, and cost-back files used to assess charges for system use. The guidance instructs, ‘‘Destroy 6 years after password is altered or user account is terminated, but longer retention is authorized if required for business use.’’

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Records in the system are protected from unauthorized access and misuse through various administrative, technical and physical security measures. Technical security measures within GSA include restrictions on computer access to authorized individuals, required use of strong passwords that are frequently changed and regular review of security procedures and best practices to enhance security. Access to the Login.gov database is maintained behind an industry-standard firewall and information in the database is encrypted. As noted above, neither the system nor the system operators can retrieve the user’s LOA3 account information without the user supplying a password or recovery code.

RECORD ACCESS PROCEDURES:
Individuals or users wishing to access their own records may do so by providing their email address, password, and a multi-factor authentication token (e.g. a one-time password or code sent to the user’s phone) to Login.gov, or by contacting the system administrator at the above address.

CONTESTING RECORD PROCEDURES:
Users can modify, or amend, any of their user account information by accessing it in their account. Users that want access to partner agency records, or to contest the contents of those records, need to make a request with that agency.

NOTIFICATION PROCEDURE:
Users create their account information and, thereafter, access it by providing their email address, password, and a multi-factor authentication token (e.g. a one-time password or code sent to the user’s phone). Inquiries can be made via the Web site at https://Login.gov/ or at the above address under ‘System Manager and Address’.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.

HISTORY:
This notice replaces the previously published notice at 81 FR 57912, on August 24, 2016.

[FR Doc. 2017–01174 Filed 1–18–17; 8:45 am]
BILLING CODE 6820–34–P

DEPARTMENT OF HEALTH AND HUMAN SERVICES

Centers for Disease Control and Prevention

[60Day–17–0739; Docket No. CDC–2016–0114]

Proposed Data Collection Submitted for Public Comment and Recommendations

AGENCY: Centers for Disease Control and Prevention (CDC), Department of Health and Human Services (HHS).

ACTION: Notice with comment period.

SUMMARY: The Centers for Disease Control and Prevention (CDC), as part of its continuing efforts to reduce public burden and maximize the utility of government information, invites the general public and other Federal agencies to take this opportunity to comment on proposed and/or continuous information collection, as required by the Paperwork Reduction Act of 1995. This notice invites comments on the CDC Chronic Disease Management Information System (CDMIS). The Management Information System is a central repository for the work plans of state oral health programs. This includes their goals, objectives, performance milestones, indicators, oral health program performance activities and budget information.

DATES: Written comments must be received on or before March 20, 2017.

ADDRESSES: You may submit comments, identified by Docket No. CDC–2016–0114 by any of the following methods:
• Federal eRulemaking Portal: Regulations.gov. Follow the instructions for submitting comments.
• Mail: Leroy A. Richardson, Information Collection Review Office, Centers for Disease Control and Prevention, 1600 Clifton Road NE., MS–D74, Atlanta, Georgia 30329.

Instructions: All submissions received must include the agency name and Docket Number. All relevant comments received will be posted without change to Regulations.gov, including any personal information provided. For access to the docket to read background documents or comments received, go to Regulations.gov.

Please note: All public comments should be submitted through the Federal eRulemaking portal (Regulations.gov) or by U.S. mail to the address listed above.

FOR FURTHER INFORMATION CONTACT: To request more information on the proposed project or to obtain a copy of


Document Created: 2018-02-01 15:15:51
Document Modified: 2018-02-01 15:15:51
Category: Regulatory Information
Collection: Federal Register
sudoc Class: AE 2.7:
GS 4.107:
AE 2.106:
Publisher: Office of the Federal Register, National Archives and Records Administration
Section: Notices
Action: Notice of a new system of records.
Dates: The system of records notice is effective upon its publication in today's Federal Register, with the exception of the routine uses which are effective February 21, 2017. Comments on the routine uses or other aspects of the system of records notice must be submitted by February 21, 2017.
Contact: Call the GSA Chief Privacy Officer at telephone 202-322-8246; or email [email protected]
FR Citation: 82 FR 6552
