Privacy Act of 1974; System of Records, 4961-4964 [2022-01062]
Download as PDF
<![CDATA[
Federal Register / Vol. 87, No. 20 / Monday, January 31, 2022 / Notices
(a) To appropriate agencies, entities,
and persons when (1) the Postal Service
suspects or has confirmed that there has
been a breach of the system of records;
(2) the Postal Service has determined
that as a result of the suspected or
confirmed breach there is a risk of harm
to individuals, the Postal Service
(including its information systems,
programs, and operations), the Federal
Government, or national security; and
(3) the disclosure made to such
agencies, entities, and persons is
reasonably necessary to assist in
connection with the Postal Service’s
efforts to respond to the suspected or
confirmed breach or to prevent,
minimize, or remedy such harm.
POLICIES AND PRACTICES FOR STORAGE OF
RECORDS:
Automated database, computer
storage media, and paper.
POLICIES AND PRACTICES FOR RETRIEVAL OF
RECORDS:
1. Records relating to third-parties are
retrievable by name and email address.
2. Records relating to collaboration
are retrievable by name, email address,
and user ID.
3. Records relating to communication
are retrievable by name, email address,
and user ID.
4. Records pertaining to multimedia
are retrievable by user name and media
title.
5. Records relating to application
development are retrievable by user ID
and application name.
6. Records relating to limited use
applications are retrievable by name,
email address, and user ID.
7. Records relating to Unofficial
Foreign Travel Monitoring for covered
individuals are retrievable by name.
8. Records relating to Cloud-based
storage are retrievable by name, email
address, and user ID.
9. Records relating to Email
Applications are retrievable by name,
email address, and user ID.
10. Records relating to Web Browsers
are retrievable by name, email address,
and user ID.
khammond on DSKJM1Z7X2PROD with NOTICES
POLICIES AND PRACTICES FOR RETENTION AND
DISPOSAL OF RECORDS:
1. Records relating to third-parties are
retained for twenty-four months.
2. Records relating to collaboration
are retained for twenty-four months.
3. Records relating to communication
are retained for twenty-four months.
4. Multimedia recordings are retained
for twenty-four months.
5. Records relating to application
development are retained for twentyfour months.
VerDate Sep<11>2014
19:28 Jan 28, 2022
Jkt 256001
6. Records relating to limited use
applications are retained for twenty-four
months.
7. Records relating to Unofficial
Foreign Travel Monitoring for covered
individuals are retained for twenty-five
years.
8. Records relating to Cloud-based
storage are retained for twenty-four
months.
9. Records relating to Email
Applications are retained for twentyfour months.
10. Records relating to Web Browsers
are retained for twenty-four months.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL
SAFEGUARDS:
Paper records, computers, and
computer storage media are located in
controlled-access areas under
supervision of program personnel.
Computer access is limited to
authorized personnel with a current
security clearance, and physical access
is limited to authorized personnel who
must be identified with a badge.
Access to records is limited to
individuals whose official duties require
such access. Contractors and licensees
are subject to contract controls and
unannounced on-site audits and
inspections.
Computers are protected by
encryption, mechanical locks, card key
systems, or other physical access control
methods. The use of computer systems
is regulated with installed security
software, computer logon
identifications, and operating system
controls including access controls,
terminal and transaction logging, and
file management software.
RECORD ACCESS PROCEDURES:
Requests for access must be made in
accordance with the Notification
Procedure above and USPS Privacy Act
regulations regarding access to records
and verification of identity under 39
CFR 266.5.
CONTESTING RECORD PROCEDURES:
See Notification Procedure and
Record Access Procedures above.
NOTIFICATION PROCEDURES:
Customers wanting to know if other
information about them is maintained in
this system of records must address
inquiries in writing to the Chief
Information Officer and Executive Vice
President and include their name and
address.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
PO 00000
Frm 00130
Fmt 4703
Sfmt 4703
4961
HISTORY:
*
May 11, 2021; 86 FR 25899.
*
*
*
*
Joshua J. Hofer,
Attorney, Ethics and Legal Compliance.
[FR Doc. 2022–01063 Filed 1–28–22; 8:45 am]
BILLING CODE 7710–12–P
POSTAL SERVICE
Privacy Act of 1974; System of
Records
Postal ServiceTM.
ACTION: Notice of a modified system of
records.
AGENCY:
The United States Postal
ServiceTM (USPSTM) is proposing to
modify a General Privacy Act System of
Records to support the implementation
of a suite of cloud-based workplace
productivity software.
DATES: These revisions will become
effective without further notice on
March 2, 2022, unless comments
received on or before that date result in
a contrary determination.
ADDRESSES: Comments may be
submitted via email to the Privacy and
Records Management Office, United
States Postal Service Headquarters
(privacy@usps.gov). Arrangements to
view copies of any written comments
received, to facilitate public inspection,
will be made upon request.
FOR FURTHER INFORMATION CONTACT:
Janine Castorina, Chief Privacy and
Records Management Officer, Privacy
and Records Management Office, 202–
268–3069 or privacy@usps.gov.
SUPPLEMENTARY INFORMATION: This
notice is in accordance with the Privacy
Act requirement that agencies publish
their systems of records in the Federal
Register when there is a revision,
change, or addition, or when the agency
establishes a new system of records.
SUMMARY:
I. Background
The Postal Service is constantly
seeking methods to improve employee
productivity and efficiency. To that end,
the Postal Service will implement a
suite of cloud-based workplace
productivity applications. These
applications will expand employee
access to various programs, allowing
more employees to utilize resources to
increase productivity and team
collaboration.
II. Rationale for Changes to USPS
Privacy Act Systems of Records
The Postal Service is proposing to
modify USPS System of Records (SOR)
550.000 Commercial Information
E:\FR\FM\31JAN1.SGM
31JAN1
4962
Federal Register / Vol. 87, No. 20 / Monday, January 31, 2022 / Notices
Technology Resources—Infrastructure
to support the implementation of a suite
of cloud-based workplace productivity
software. This system will be modified
in conjunction with USPS 550.100
Commercial Information Technology
Resources—Applications and USPS
550.200 Commercial Information
Technology Resources—Administrative
to reflect the full scope of application
implementation. Revisions to these
SORs will be submitted independent of
this notice. More information on
accompanying changes can be found
within those SORs.
This system specifically reflects data
elements collected, gathered, or used to
provide application access generally.
Revisions to the existing SOR to support
this implementation are documented as
additions to existing categories of
records Information System Account
Access records beginning with ‘‘Last
Sign-In Time’’ and Security Analytics
records beginning with ‘‘Login IP
Address.’’
III. Description of the Modified System
of Records
Pursuant to 5 U.S.C. 552a (e)(11),
interested persons are invited to submit
written data, views, or arguments on
this proposal. A report of the proposed
revisions has been sent to Congress and
to the Office of Management and Budget
for their evaluations. The Postal Service
does not expect this amended system of
records to have any adverse effect on
individual privacy rights. The notice for
USPS 550.000 Commercial Information
Technology Resources—Infrastructure,
provided below in its entirety, is as
follows:
SYSTEM NAME AND NUMBER:
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
550.000 Commercial Information
Technology Resources-Infrastructure.
1. Individuals with authorized access
to USPS computers, information
resources, and facilities, including
employees, contractors, business
partners, suppliers, and third parties.
2. Individuals participating in webbased meetings, web-based video
conferencing, web-based
communication applications, and webbased collaboration applications.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
All USPS facilities and contractor
sites.
khammond on DSKJM1Z7X2PROD with NOTICES
SYSTEM MANAGER(S):
For records of computer access
authorizations: Chief Information
Officer and Executive Vice President,
United States Postal Service, 475
L’Enfant Plaza SW, Washington, DC
20260.
CATEGORIES OF RECORDS IN THE SYSTEM:
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
39 U.S.C. 401, 403, and 404.
PURPOSE(S) OF THE SYSTEM:
1. To provide USPS employees,
contractors, and other authorized
individuals with hierarchical access to
VerDate Sep<11>2014
17:38 Jan 28, 2022
Jkt 256001
and accounts for commercial
information technology resources
administered by the Postal Service and
based on least privileged access.
2. To facilitate a cohesive software
experience and simplify ease of use by
sharing user and application data across
participating IT programs.
3. To authenticate user identity for the
purpose of accessing USPS information
systems.
4. To assess user attributes and assign
related access privileges.
5. To authenticate suppliers and
contractors and facilitate further access
to downstream Postal Service
information systems.
6. To provide active and passive
monitoring of information systems,
applications, software, devices, and
users for information security risks.
7. To review information systems,
applications, software, devices, and
users to ensure compliance with USPS
regulations.
8. To facilitate and support
cybersecurity investigations of detected
or reported information security
incidents.
9. To administer programs, processes,
and procedures to assess information
security risks and to detect information
security threats and vulnerabilities.
10. To provide tools and analytics for
USPS employees and contractors to
measure work productivity and improve
efficiency.
11. To improve manager-subordinate
relationships within their formal
reporting structure through data-based
insights generated from their own email
and related electronic communications
with subordinates.
1. Information System Account
Access records: Records relating to the
access or use of an information system,
application, or piece of software,
including; Name, User ID, Email
Address, User Type, User Role, Job
Title, Department, Manager, Company,
Street Address, State Or Province,
Country Or Region, Work Phone
Number(S), Employee Identification
Number (EIN), Advanced Computing
PO 00000
Frm 00131
Fmt 4703
Sfmt 4703
Environment (ACE) ID, License
Information, Action Initiated, Datetime,
User Principle Name, Usage Location,
Alternate Email Address, Proxy
Address, Age Group, IP Address, MAC
Address, Password, Multi-Factor
Authentication Credentials, Security
Questions, Security Answers, Passcode,
Geolocation Data, User Profile Picture,
Picture Metadata, Information
Technology Account Administration
User Configuration Status, Supplier
Credentials, Supplier Company Codes,
Conditional Access Attributes, Last
Sign-In Time, User Account Status, User
Admin Status, Password Length
Compliance, Password Strength,
Number Of Installed External Apps,
Less Secure Apps Access, AdminDefined Name, Profile Name Status,
Photo Storage Space Used, Total Storage
Space Used, Storage Usage Percentage,
Total Emails Sent, Total Emails
Received, Total Emails Sent And
Received, Email Server Last Usage
Time, Device Application Change,
Device Privilege Changed, Device Policy
Changed, Device Action Reported,
Device Compliance Status, Device
Operating System Updated, Device
Ownership Updated, Device Settings
Changed, Device Status Changed
Through Apple Device Enrollment,
Device Account Synced, Device Risk
Signal Updated, Device Work Profile
Submitted.
2. Security Analytics records: Records
relating to the gathering, analysis,
review, monitoring, and investigation of
information system security risks,
including; User Investigation Priority
Score, User Identity Risk Level, User
Lateral Movement Paths, User Devices
Numbers, User Account Numbers, User
Resources Numbers, User Locations
Numbers, User Matches Files Numbers,
User Locations, Apps Used By User,
User Groups, User Last Seen Date, User
Affiliation, User Domain, App Instance,
Organizational Groups, User Account
Status, Activity ID, Activity Objects,
Activity Type, Administrative Activity,
Alert ID, Applied Action, Activity Date,
Device Tag, Activity Files And Folders,
Impersonated Activities, App Instance
Activity, App Location Activity,
Activity Matched Policy, Activity
Registered ISP, Activity Source, Activity
User, Activity User Agent, Activity User
Agent Tag, Application Risk Score,
Application Activity, User Software
Deactivation, User Software Installation,
User Software Removal, Last Date Of
Software Execution, internet
Application Transaction Counts, Data
Volume Upload, Data Volume
Download, Data Sensitivity
Classification, internet Protocol, internet
E:\FR\FM\31JAN1.SGM
31JAN1
khammond on DSKJM1Z7X2PROD with NOTICES
Federal Register / Vol. 87, No. 20 / Monday, January 31, 2022 / Notices
Port, And internet Access History, Login
IP Address, Login Type, Login Failed,
Login Successful, Number Of Times A
User Was Suspended, Number Of Times
A User Was Suspended Due To Spam
Relay, Number Of Times A User Was
Suspended Due To Spam, Number Of
Times A User Was Suspended Due To
Suspicious Activity, Device Name,
Device Operating System, Days Since
First Sync, Days Since Last Sync, Device
Status, Device Type, Device Model,
Device Account Registration Changed,
Device Action Event, Device
Compliance Status, Device Compromise
Status, Device Ownership Change,
Device Operating System Updated,
Device Settings Changed, Device Failed
Screen Unlock Attempts, Device Status
Changed On Apple Portal, Device User
Signed Out, Device Suspicious Activity
Detected, Device Work Profile
Supported, Two-Factor Authentication
Disabled, Two-Factor Authentication
Enrolled, Account Password Changed,
Account Recovery Email Changed,
Account Recovery Phone Number
Changed, Account Recovery Secret
Question Changed, Account Recovery
Secret Answer Changed, Account
Password Leak Suspected, Account
Suspicious Login Blocked, Account
Suspicious Login From Less Secure App
Blocked, Suspicious Programmatic
Login Blocked, User Suspended, User
Suspended (Spam Through Relay), User
Suspended (Spam), User Suspended
(Suspicious Activity), Account Enrolled
In Advanced Protection, Account
Unenrolled In Advanced Protection,
Account Targeted By GovernmentBacked Attack, Out Of Domain Email
Forwarding Enabled, Login Challenge
Question Presented, Login Verification
Presented, Log Out, Secure Shell Public
Key Added, Secure Shell Public Key
Deleted, Secure Shell Public Key
Retrieved, Secure Shell Public Key
Updated, Login Profile Retrieved,
POSIX Account Deleted, Application
Method Called, Application Access
Authorized, Application Access
Revoked, Device Compromised, Failed
Password Attempts On User Device,
Device Property Changed.
3. Productivity Analytics records:
Records relating to the gathering,
analysis, review, and investigation of
information system utilization,
including; Calendar Appointments,
Email Read Rate, Email Response Rate,
Operating System Activity History,
Email Timestamp, Statements Made In
Email Body, Email Sender, Email
Recipient, Email Subject Line, Calendar
Event Type, Calendar Event Status,
Calendar Event Category, Calendar
Event Subject, Calendar Event Duration,
VerDate Sep<11>2014
17:38 Jan 28, 2022
Jkt 256001
Calendar Event Attendees, Meeting
Organizer, Meeting Invitees, Meeting
Subject Line, Meeting Scheduled Time,
Meeting Attendee Status, Meeting
Scheduled Location, Web Call
Organizer, Web Call Invitees, Web Call
Scheduled Time, Web Call Joined Time,
Web Call Duration, Web Call Status,
Web Call Join Status, Number Of
Collaborative Audio Calls Made,
Number Of Collaborative Video Calls
Made, Chat Initiator, Chat Recipient,
Chat IM Sent Time, Number Of CloudBased Personal Storage Documents
Worked On, Number Of Cloud-Based
Enterprise Storage Documents Worked
On, Device Name.
RECORD SOURCE CATEGORIES:
Employees; contractors; customers.
ROUTINE USES OF RECORDS MAINTAINED IN THE
SYSTEM, INCLUDING CATEGORIES OF USERS AND
THE PURPOSES OF SUCH USES:
Standard routine uses 1. through 9.
apply. In addition:
(a) To appropriate agencies, entities,
and persons when (1) the Postal Service
suspects or has confirmed that there has
been a breach of the system of records;
(2) the Postal Service has determined
that as a result of the suspected or
confirmed breach there is a risk of harm
to individuals, the Postal Service
(including its information systems,
programs, and operations), the Federal
Government, or national security; and
(3) the disclosure made to such
agencies, entities, and persons is
reasonably necessary to assist in
connection with the Postal Service’s
efforts to respond to the suspected or
confirmed breach or to prevent,
minimize, or remedy such harm.
POLICIES AND PRACTICES FOR STORAGE OF
RECORDS:
Automated database, computer
storage media, and paper.
POLICIES AND PRACTICES FOR RETRIEVAL OF
RECORDS:
1. Records relating to information
system access are retrievable by name,
email address, username, geolocation
data, and ACE ID.
2. Records relating to security analysis
are retrievable by name, unique user ID,
email address, geolocation data, IP
address and computer name.
3. Records relating to productivity are
retrievable by name, email address, and
ACE ID.
4. Records relating to third-parties are
retrievable by name, email address, user
name, and IP address.
PO 00000
Frm 00132
Fmt 4703
Sfmt 4703
4963
POLICIES AND PRACTICES FOR RETENTION AND
DISPOSAL OF RECORDS:
1. Records relating to information
system access are retained twenty-four
months after last access.
2. Records relating to security analysis
are retained for twenty-four months.
3. Records relating to productivity are
retained for twenty-four months.
4. Records relating to third-parties are
retained for twenty-four months.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL
SAFEGUARDS:
Paper records, computers, and
computer storage media are located in
controlled-access areas under
supervision of program personnel.
Computer access is limited to
authorized personnel with a current
security clearance, and physical access
is limited to authorized personnel who
must be identified with a badge.
Access to records is limited to
individuals whose official duties require
such access. Contractors and licensees
are subject to contract controls and
unannounced on-site audits and
inspections.
Computers are protected by
encryption, mechanical locks, card key
systems, or other physical access control
methods. The use of computer systems
is regulated with installed security
software, computer logon
identifications, and operating system
controls including access controls,
terminal and transaction logging, and
file management software.
RECORD ACCESS PROCEDURES:
Requests for access must be made in
accordance with the Notification
Procedure above and USPS Privacy Act
regulations regarding access to records
and verification of identity under 39
CFR 266.5.
CONTESTING RECORD PROCEDURES:
See Notification Procedure and
Record Access Procedures above.
NOTIFICATION PROCEDURES:
Customers wanting to know if other
information about them is maintained in
this system of records must address
inquiries in writing to the Chief
Information Officer and Executive Vice
President and include their name and
address.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
E:\FR\FM\31JAN1.SGM
31JAN1
4964
Federal Register / Vol. 87, No. 20 / Monday, January 31, 2022 / Notices
HISTORY:
May 10th, 2021; 86 FR 24907.
*
*
*
*
*
Joshua J. Hofer,
Attorney, Ethics and Legal Compliance.
[FR Doc. 2022–01062 Filed 1–28–22; 8:45 am]
BILLING CODE 7710–12–P
POSTAL SERVICE
Privacy Act of 1974; System of
Records
Postal ServiceTM.
Notice of a modified system of
AGENCY:
ACTION:
records.
The United States Postal
ServiceTM (USPSTM) is proposing to
modify a General Privacy Act System of
Records to support the implementation
of a suite of cloud-based workplace
productivity software.
DATES: These revisions will become
effective without further notice on
March 2, 2022, unless comments
received on or before that date result in
a contrary determination.
ADDRESSES: Comments may be
submitted via email to the Privacy and
Records Management Office, United
States Postal Service Headquarters
(privacy@usps.gov). Arrangements to
view copies of any written comments
received, to facilitate public inspection,
will be made upon request.
FOR FURTHER INFORMATION CONTACT:
Janine Castorina, Chief Privacy and
Records Management Officer, Privacy
and Records Management Office, 202–
268–3069 or privacy@usps.gov.
SUPPLEMENTARY INFORMATION: This
notice is in accordance with the Privacy
Act requirement that agencies publish
their systems of records in the Federal
Register when there is a revision,
change, or addition, or when the agency
establishes a new system of records.
khammond on DSKJM1Z7X2PROD with NOTICES
SUMMARY:
I. Background
The Postal Service is constantly
seeking methods to improve employee
productivity and efficiency. To that end,
the Postal Service will implement a
suite of cloud-based workplace
productivity applications. These
applications will expand employee
access to various programs, allowing
more employees to utilize resources to
increase productivity and team
collaboration.
II. Rationale for Changes to USPS
Privacy Act Systems of Records
The Postal Service is proposing to
modify USPS System of Records (SOR)
550.200 Commercial Information
VerDate Sep<11>2014
17:38 Jan 28, 2022
Jkt 256001
Technology Resources—Administrative
to support the implementation of a suite
of cloud-based workplace productivity
software. This system will be modified
in conjunction with USPS 550.000
Commercial Information Technology
Resources—Infrastructure and USPS
550.100 Commercial Information
Technology Resources—Applications to
reflect the full scope of application
implementation. Revisions to these
SORs will be submitted independent of
this notice. More information on
accompanying changes can be found
within those SORs.
This system specifically reflects data
elements created from a user or
application’s interactions with other
applications. Revisions to the existing
SOR to support this implementation are
documented as additions to existing
category of records Video Platform
Activities beginning with ‘‘Video
Platform Event Date,’’ and further as
new categories of records 80 through
102.
III. Description of the Modified System
of Records
Pursuant to 5 U.S.C. 552a(e)(11),
interested persons are invited to submit
written data, views, or arguments on
this proposal. A report of the proposed
revisions has been sent to Congress and
to the Office of Management and Budget
for their evaluations. The Postal Service
does not expect this amended system of
records to have any adverse effect on
individual privacy rights. The notice for
550.200 Commercial Information
Technology Resources—Administrative,
provided below in its entirety, is as
follows:
SYSTEM NAME AND NUMBER:
550.200 Commercial Information
Technology Resources—Administrative.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
All USPS facilities and contractor
sites.
SYSTEM MANAGER(S):
For records of computer access
authorizations: Chief Information
Officer and Executive Vice President,
United States Postal Service, 475
L’Enfant Plaza SW, Washington, DC
20260.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
39 U.S.C. 401, 403, and 404.
PURPOSE(S) OF THE SYSTEM:
1. To provide active and passive
monitoring and review of information
system applications and user activities.
PO 00000
Frm 00133
Fmt 4703
Sfmt 4703
2. To generate logs and reports of
information system application and user
activities.
3. To provide a means of auditing
commercial information system
activities across applications and users.
CATEGORIES OF INDIVIDUALS COVERED BY THE
SYSTEM:
1. Individuals with authorized access
to USPS computers, information
resources, and facilities, including
employees, contractors, business
partners, suppliers, and third parties.
2. Individuals participating in webbased meetings, web-based video
conferencing, web-based
communication applications, and webbased collaboration applications.
CATEGORIES OF RECORDS IN THE SYSTEM:
1. General Audit Log activities:
DateTime, IP Address, User Activity,
User Item Accessed, Activity Detail,
Object ID, Record Type, Client IP
Address, CorrelationID, CreationTime,
EventData, EventSource, ItemType,
OrganizationID, UserAgent, USerKEy,
UserType, Version, Workload.
2. File and page activities: Accessed
file, Change retention label for a file,
Deleted file marked as a record,
Checked in file, Changed record status
to locked, Changed record status to
unlocked, Checked out file, Copied file,
Discarded file checkout, Deleted file,
Deleted file from recycle bin, Deleted
file from second-stage recycle bin,
Detected document sensitivity
mismatch, Detected malware in file,
Deleted file marked as a record,
Downloaded file, Modified file, Moved
file, Recycled all minor versions of file,
Recycled all versions of file, Recycled
version of file, Renamed file, Restored
file, Uploaded file, Viewed page, View
signaled by client, Performed search
query.
3. Folder activities: Copied folder,
Created folder, Deleted folder, Deleted
folder from recycle bin, Deleted folder
from second-stage recycle bin, Modified
folder, Moved folder, Renamed folder,
Restored folder.
4. Cloud-based Enterprise Storage
activities: Created list, Created list
column, Created list content type,
Created list item, Created site column,
Created site content type, Deleted list,
Deleted list column, Deleted list content
type, Deleted list item, Deleted site
column, Deleted site content type,
Recycled list item, Restored list,
Restored list item, Updated list,
Updated list column, Updated list
content type, Updated list item,
Updated site column, Updated site
content type.
5. Sharing and access request
activities: Added permission level to
E:\FR\FM\31JAN1.SGM
31JAN1
]]>Agencies
[Federal Register Volume 87, Number 20 (Monday, January 31, 2022)]
[Notices]
[Pages 4961-4964]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-01062]
-----------------------------------------------------------------------
POSTAL SERVICE
Privacy Act of 1974; System of Records
AGENCY: Postal ServiceTM.
ACTION: Notice of a modified system of records.
-----------------------------------------------------------------------
SUMMARY: The United States Postal ServiceTM
(USPSTM) is proposing to modify a General Privacy Act System
of Records to support the implementation of a suite of cloud-based
workplace productivity software.
DATES: These revisions will become effective without further notice on
March 2, 2022, unless comments received on or before that date result
in a contrary determination.
ADDRESSES: Comments may be submitted via email to the Privacy and
Records Management Office, United States Postal Service Headquarters
([email protected]). Arrangements to view copies of any written comments
received, to facilitate public inspection, will be made upon request.
FOR FURTHER INFORMATION CONTACT: Janine Castorina, Chief Privacy and
Records Management Officer, Privacy and Records Management Office, 202-
268-3069 or [email protected].
SUPPLEMENTARY INFORMATION: This notice is in accordance with the
Privacy Act requirement that agencies publish their systems of records
in the Federal Register when there is a revision, change, or addition,
or when the agency establishes a new system of records.
I. Background
The Postal Service is constantly seeking methods to improve
employee productivity and efficiency. To that end, the Postal Service
will implement a suite of cloud-based workplace productivity
applications. These applications will expand employee access to various
programs, allowing more employees to utilize resources to increase
productivity and team collaboration.
II. Rationale for Changes to USPS Privacy Act Systems of Records
The Postal Service is proposing to modify USPS System of Records
(SOR) 550.000 Commercial Information
[[Page 4962]]
Technology Resources--Infrastructure to support the implementation of a
suite of cloud-based workplace productivity software. This system will
be modified in conjunction with USPS 550.100 Commercial Information
Technology Resources--Applications and USPS 550.200 Commercial
Information Technology Resources--Administrative to reflect the full
scope of application implementation. Revisions to these SORs will be
submitted independent of this notice. More information on accompanying
changes can be found within those SORs.
This system specifically reflects data elements collected,
gathered, or used to provide application access generally. Revisions to
the existing SOR to support this implementation are documented as
additions to existing categories of records Information System Account
Access records beginning with ``Last Sign-In Time'' and Security
Analytics records beginning with ``Login IP Address.''
III. Description of the Modified System of Records
Pursuant to 5 U.S.C. 552a (e)(11), interested persons are invited
to submit written data, views, or arguments on this proposal. A report
of the proposed revisions has been sent to Congress and to the Office
of Management and Budget for their evaluations. The Postal Service does
not expect this amended system of records to have any adverse effect on
individual privacy rights. The notice for USPS 550.000 Commercial
Information Technology Resources--Infrastructure, provided below in its
entirety, is as follows:
SYSTEM NAME AND NUMBER:
550.000 Commercial Information Technology Resources-Infrastructure.
SECURITY CLASSIFICATION:
None.
SYSTEM LOCATION:
All USPS facilities and contractor sites.
SYSTEM MANAGER(S):
For records of computer access authorizations: Chief Information
Officer and Executive Vice President, United States Postal Service, 475
L'Enfant Plaza SW, Washington, DC 20260.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
39 U.S.C. 401, 403, and 404.
PURPOSE(S) OF THE SYSTEM:
1. To provide USPS employees, contractors, and other authorized
individuals with hierarchical access to and accounts for commercial
information technology resources administered by the Postal Service and
based on least privileged access.
2. To facilitate a cohesive software experience and simplify ease
of use by sharing user and application data across participating IT
programs.
3. To authenticate user identity for the purpose of accessing USPS
information systems.
4. To assess user attributes and assign related access privileges.
5. To authenticate suppliers and contractors and facilitate further
access to downstream Postal Service information systems.
6. To provide active and passive monitoring of information systems,
applications, software, devices, and users for information security
risks.
7. To review information systems, applications, software, devices,
and users to ensure compliance with USPS regulations.
8. To facilitate and support cybersecurity investigations of
detected or reported information security incidents.
9. To administer programs, processes, and procedures to assess
information security risks and to detect information security threats
and vulnerabilities.
10. To provide tools and analytics for USPS employees and
contractors to measure work productivity and improve efficiency.
11. To improve manager-subordinate relationships within their
formal reporting structure through data-based insights generated from
their own email and related electronic communications with
subordinates.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
1. Individuals with authorized access to USPS computers,
information resources, and facilities, including employees,
contractors, business partners, suppliers, and third parties.
2. Individuals participating in web-based meetings, web-based video
conferencing, web-based communication applications, and web-based
collaboration applications.
CATEGORIES OF RECORDS IN THE SYSTEM:
1. Information System Account Access records: Records relating to
the access or use of an information system, application, or piece of
software, including; Name, User ID, Email Address, User Type, User
Role, Job Title, Department, Manager, Company, Street Address, State Or
Province, Country Or Region, Work Phone Number(S), Employee
Identification Number (EIN), Advanced Computing Environment (ACE) ID,
License Information, Action Initiated, Datetime, User Principle Name,
Usage Location, Alternate Email Address, Proxy Address, Age Group, IP
Address, MAC Address, Password, Multi-Factor Authentication
Credentials, Security Questions, Security Answers, Passcode,
Geolocation Data, User Profile Picture, Picture Metadata, Information
Technology Account Administration User Configuration Status, Supplier
Credentials, Supplier Company Codes, Conditional Access Attributes,
Last Sign-In Time, User Account Status, User Admin Status, Password
Length Compliance, Password Strength, Number Of Installed External
Apps, Less Secure Apps Access, Admin-Defined Name, Profile Name Status,
Photo Storage Space Used, Total Storage Space Used, Storage Usage
Percentage, Total Emails Sent, Total Emails Received, Total Emails Sent
And Received, Email Server Last Usage Time, Device Application Change,
Device Privilege Changed, Device Policy Changed, Device Action
Reported, Device Compliance Status, Device Operating System Updated,
Device Ownership Updated, Device Settings Changed, Device Status
Changed Through Apple Device Enrollment, Device Account Synced, Device
Risk Signal Updated, Device Work Profile Submitted.
2. Security Analytics records: Records relating to the gathering,
analysis, review, monitoring, and investigation of information system
security risks, including; User Investigation Priority Score, User
Identity Risk Level, User Lateral Movement Paths, User Devices Numbers,
User Account Numbers, User Resources Numbers, User Locations Numbers,
User Matches Files Numbers, User Locations, Apps Used By User, User
Groups, User Last Seen Date, User Affiliation, User Domain, App
Instance, Organizational Groups, User Account Status, Activity ID,
Activity Objects, Activity Type, Administrative Activity, Alert ID,
Applied Action, Activity Date, Device Tag, Activity Files And Folders,
Impersonated Activities, App Instance Activity, App Location Activity,
Activity Matched Policy, Activity Registered ISP, Activity Source,
Activity User, Activity User Agent, Activity User Agent Tag,
Application Risk Score, Application Activity, User Software
Deactivation, User Software Installation, User Software Removal, Last
Date Of Software Execution, internet Application Transaction Counts,
Data Volume Upload, Data Volume Download, Data Sensitivity
Classification, internet Protocol, internet
[[Page 4963]]
Port, And internet Access History, Login IP Address, Login Type, Login
Failed, Login Successful, Number Of Times A User Was Suspended, Number
Of Times A User Was Suspended Due To Spam Relay, Number Of Times A User
Was Suspended Due To Spam, Number Of Times A User Was Suspended Due To
Suspicious Activity, Device Name, Device Operating System, Days Since
First Sync, Days Since Last Sync, Device Status, Device Type, Device
Model, Device Account Registration Changed, Device Action Event, Device
Compliance Status, Device Compromise Status, Device Ownership Change,
Device Operating System Updated, Device Settings Changed, Device Failed
Screen Unlock Attempts, Device Status Changed On Apple Portal, Device
User Signed Out, Device Suspicious Activity Detected, Device Work
Profile Supported, Two-Factor Authentication Disabled, Two-Factor
Authentication Enrolled, Account Password Changed, Account Recovery
Email Changed, Account Recovery Phone Number Changed, Account Recovery
Secret Question Changed, Account Recovery Secret Answer Changed,
Account Password Leak Suspected, Account Suspicious Login Blocked,
Account Suspicious Login From Less Secure App Blocked, Suspicious
Programmatic Login Blocked, User Suspended, User Suspended (Spam
Through Relay), User Suspended (Spam), User Suspended (Suspicious
Activity), Account Enrolled In Advanced Protection, Account Unenrolled
In Advanced Protection, Account Targeted By Government-Backed Attack,
Out Of Domain Email Forwarding Enabled, Login Challenge Question
Presented, Login Verification Presented, Log Out, Secure Shell Public
Key Added, Secure Shell Public Key Deleted, Secure Shell Public Key
Retrieved, Secure Shell Public Key Updated, Login Profile Retrieved,
POSIX Account Deleted, Application Method Called, Application Access
Authorized, Application Access Revoked, Device Compromised, Failed
Password Attempts On User Device, Device Property Changed.
3. Productivity Analytics records: Records relating to the
gathering, analysis, review, and investigation of information system
utilization, including; Calendar Appointments, Email Read Rate, Email
Response Rate, Operating System Activity History, Email Timestamp,
Statements Made In Email Body, Email Sender, Email Recipient, Email
Subject Line, Calendar Event Type, Calendar Event Status, Calendar
Event Category, Calendar Event Subject, Calendar Event Duration,
Calendar Event Attendees, Meeting Organizer, Meeting Invitees, Meeting
Subject Line, Meeting Scheduled Time, Meeting Attendee Status, Meeting
Scheduled Location, Web Call Organizer, Web Call Invitees, Web Call
Scheduled Time, Web Call Joined Time, Web Call Duration, Web Call
Status, Web Call Join Status, Number Of Collaborative Audio Calls Made,
Number Of Collaborative Video Calls Made, Chat Initiator, Chat
Recipient, Chat IM Sent Time, Number Of Cloud-Based Personal Storage
Documents Worked On, Number Of Cloud-Based Enterprise Storage Documents
Worked On, Device Name.
RECORD SOURCE CATEGORIES:
Employees; contractors; customers.
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES
OF USERS AND THE PURPOSES OF SUCH USES:
Standard routine uses 1. through 9. apply. In addition:
(a) To appropriate agencies, entities, and persons when (1) the
Postal Service suspects or has confirmed that there has been a breach
of the system of records; (2) the Postal Service has determined that as
a result of the suspected or confirmed breach there is a risk of harm
to individuals, the Postal Service (including its information systems,
programs, and operations), the Federal Government, or national
security; and (3) the disclosure made to such agencies, entities, and
persons is reasonably necessary to assist in connection with the Postal
Service's efforts to respond to the suspected or confirmed breach or to
prevent, minimize, or remedy such harm.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Automated database, computer storage media, and paper.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
1. Records relating to information system access are retrievable by
name, email address, username, geolocation data, and ACE ID.
2. Records relating to security analysis are retrievable by name,
unique user ID, email address, geolocation data, IP address and
computer name.
3. Records relating to productivity are retrievable by name, email
address, and ACE ID.
4. Records relating to third-parties are retrievable by name, email
address, user name, and IP address.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
1. Records relating to information system access are retained
twenty-four months after last access.
2. Records relating to security analysis are retained for twenty-
four months.
3. Records relating to productivity are retained for twenty-four
months.
4. Records relating to third-parties are retained for twenty-four
months.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
Paper records, computers, and computer storage media are located in
controlled-access areas under supervision of program personnel.
Computer access is limited to authorized personnel with a current
security clearance, and physical access is limited to authorized
personnel who must be identified with a badge.
Access to records is limited to individuals whose official duties
require such access. Contractors and licensees are subject to contract
controls and unannounced on-site audits and inspections.
Computers are protected by encryption, mechanical locks, card key
systems, or other physical access control methods. The use of computer
systems is regulated with installed security software, computer logon
identifications, and operating system controls including access
controls, terminal and transaction logging, and file management
software.
RECORD ACCESS PROCEDURES:
Requests for access must be made in accordance with the
Notification Procedure above and USPS Privacy Act regulations regarding
access to records and verification of identity under 39 CFR 266.5.
CONTESTING RECORD PROCEDURES:
See Notification Procedure and Record Access Procedures above.
NOTIFICATION PROCEDURES:
Customers wanting to know if other information about them is
maintained in this system of records must address inquiries in writing
to the Chief Information Officer and Executive Vice President and
include their name and address.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
[[Page 4964]]
HISTORY:
May 10th, 2021; 86 FR 24907.
* * * * *
Joshua J. Hofer,
Attorney, Ethics and Legal Compliance.
[FR Doc. 2022-01062 Filed 1-28-22; 8:45 am]
BILLING CODE 7710-12-P
