SUPPLEMENTARY INFORMATION:

The Department of Housing and Urban Development (HUD), Office of Chief Information Officer (OCIO), maintains the “Sumo Logic” system of records. This system enhances enterprise-wide cybersecurity monitoring and incident response. By consolidating log data from HUD systems and platforms, Sumo Logic supports real-time threat detection, reporting and compliance with federal information security standards.

SYSTEM NAME AND NUMBER:

Sumo Logic, HUD/OCIO-05.

SECURITY CLASSIFICATION:

Unclassified.

SYSTEM LOCATION:

HUD Headquarters, 451 7th Street SW, Washington, DC 20410-0001.

SYSTEM MANAGER(S):

Thomas Zeppa, Acting Director, Office of Chief Information Officer (OCIO), Cyber Security Operations Center, 451 7th Street SW, Washington, DC 20410-0001; Telephone (202) 227-5276.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:

The Federal Information System Modernization Act of 2014 (FISMA), Public Law 113-283, 44 U.S.C. 3554; Executive Order 14028, Improving the Nation's Cybersecurity (May 12, 2021); and OMB Memorandum 21-31, Improving the Federal Government's Investigative and Remediation Capabilities Related to Cybersecurity Incidents (August 27, 2021).

PURPOSE(S) OF THE SYSTEM:

Sumo Logic supports HUD's cybersecurity operations by enabling centralized system monitoring, threat detection, event correlation and incident investigation.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:

The system covers federal employees, contractors, detail personnel, and other personnel who access, administrate, or use agency information systems. As well as individuals whose accounts, credentials, or devices interact with HUD networks, applications, or services, such as vendors, partners or members of the public.

CATEGORIES OF RECORDS IN THE SYSTEM:

Device identifiers, email addresses, full names, geolocation information, phone numbers, user IDs, and web uniform resource locator(s).

RECORD SOURCE CATEGORIES:

Amazon Web Services Cloud Computing, and Mainframe (IBM) systems.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:

(1) To a congressional office from the record of an individual, in response to an inquiry from the congressional office made at the request of that individual.

(2) To contractors, grantees, experts, consultants, Federal agencies, and non-Federal entities, including, but not limited to, State and local governments and other research institutions or their parties, and entities and their agents with whom HUD has a contract, service agreement, grant, cooperative agreement, or other agreement, for the purposes of statistical analysis and research in support of program operations, management, performance monitoring, evaluation, risk management, and policy development, to otherwise support the Department's mission, for other research and statistical purposes not otherwise prohibited by law or regulation. Records under this routine use may not be used in whole or in part to make decisions that affect the rights, benefits, or privileges of specific individuals. The entity receiving information under this routine use may not further disclose the records in an identifiable form.

(3) To contractors, grantees, experts, consultants and their agents, or others performing or working under a contract, service, grant, cooperative agreement, or other agreement, with HUD, when necessary to accomplish an agency function related to this system of records. Disclosure requirements are limited to only those data elements considered relevant to accomplishing an agency function.

(4) To contractors, experts and consultants with whom HUD has a contract, service agreement, or other assignment of the Department, when necessary to utilize relevant data for the purpose of testing new technology and systems designed to enhance program operations and performance.

(5) To appropriate agencies, entities, and persons when: (1) HUD suspects or has confirmed that there has been a breach of the system of records; (2) HUD has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, HUD (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with HUD's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.

(6) To another Federal agency or Federal entity, when HUD determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.

(7) To appropriate Federal, State, local, tribal, or governmental agencies or multilateral governmental organizations responsible for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order, or license, where ( printed page 35250) HUD determines that the information would assist in the enforcement of civil or criminal laws and when such records, either alone or in conjunction with other information, indicate a violation or potential violation of law.

(8) To a court, magistrate, administrative tribunal, or arbitrator in the course of presenting evidence, including disclosures to opposing counsel or witnesses or jurors in the course of civil discovery, litigation, mediation, or settlement negotiations, or in connection with criminal law proceedings; when HUD determines that use of such records is relevant and necessary to the litigation and when any of the following is a party to the litigation or have an interest in such litigation: (1) HUD, or any component thereof; or (2) any HUD employee in his or her official capacity; or (3) any HUD employee in his or her individual capacity where HUD has agreed to represent the employee; or (4) the United States, or any agency thereof, where HUD determines that litigation is likely to affect HUD or any of its components.

(9) To any component of the Department of Justice or other Federal agency conducting litigation or in proceedings before any court, adjudicative, or administrative body, when HUD determines that the use of such records is relevant and necessary to the litigation and when any of the following is a party to the litigation or have an interest in such litigation: (1) HUD, or any component thereof; or (2) any HUD employee in his or her official capacity; or (3) any HUD employee in his or her individual capacity where the Department of Justice or agency conducting the litigation has agreed to represent the employee; or (4) the United States, or any agency thereof, where HUD determines that litigation is likely to affect HUD or any of its components.

(10) To the National Archives and Records Administration, Office of Government Information Services (OGIS), to the extent necessary to fulfill its responsibilities in 5 U.S.C. 552(h), to review administrative agency policies, procedures and compliance with the Freedom of Information Act (FOIA), and to facilitate OGIS' offering of mediation services to resolve disputes between persons making FOIA requests and administrative agencies.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:

Records are stored electronically within the FedRAMP-authorized Sumo Logic Cloud SIEM platform.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:

Records from this system may be retrieved by Full name, user IDs and email address.

POLICIES AND PRACTICIES FOR RETENTION AND DISPOSAL OF RECORDS:

Records are managed in accordance with the General Records Schedule (GRS) 3.2, System Access Records, items 036, which covers Cybersecurity logging records. These records are temporary and can be destroyed when 30 months old, although longer retention is authorized for business use. Disposition Authority: DAA-GRS 2022-0005-0002.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:

For Electronic Records: Records are maintained and stored in the Sumo Logic environment, which operates within HUD's infrastructure. Access is restricted based on the user's roles and system privileges. Records reside in an encrypted database, and the environment complies with security and privacy controls outlined in the Federal Information Security Management Act (FISMA), National Institute of Standards and Technology (NIST) Special Publications, and Federal; Information Processing Standards (FIPS). Access requires a valid HSPD-12 ID credential, connection to HUD's Local Area Network (LAN), a valid User ID, Password and Personalized Identification Number (PIN). Records are accessible only to individuals who require access to perform official duties.

For Electronic Records (cloud based): Records are secured and maintained on a cloud-based server and operating system hosted in a Federal Risk and Authorization Management Program (FedRAMP) authorized, and FISMA Moderate environment. All data is protected by firewalls and encrypted both at rest and in transit, in accordance with HUD encryption standards.

RECORD ACCESS PROCEDURES:

Individuals seeking to determine whether this System of Records contains information on themselves should address written inquiries to the Department of Housing and Urban Development 451 7th Street SW, Washington, DC 20410-0001.

For verification, individuals should provide their full name, current address, and telephone number. In addition, the requester must provide either a notarized statement or an unsworn declaration made under 24 CFR 16.4.

CONTESTING RECORD PROCEDURES:

The HUD rule for accessing, contesting, and appealing agency determinations by the individual concerned are published in 24 CFR part 16.8 or may be obtained from the system manager.

NOTIFICATION PROCEDURES:

Individuals requesting notification of records of themselves should address written inquiries to the Department of Housing and Urban Development, 451 7th Street SW, Washington, DC 20410-0001. For verification purposes, individuals should provide their full name, office or organization where assigned, if applicable, and current address and telephone number. In addition, the requester must provide either a notarized statement, or an unsworn declaration made under 24 CFR 16.4.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:

None.

HISTORY:

None.

91 FR 35248