Privacy Act of 1974; System of Records, 4961-4964 [2022-01062]

Download as PDF Federal Register / Vol. 87, No. 20 / Monday, January 31, 2022 / Notices (a) To appropriate agencies, entities, and persons when (1) the Postal Service suspects or has confirmed that there has been a breach of the system of records; (2) the Postal Service has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Postal Service (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Postal Service’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Automated database, computer storage media, and paper. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: 1. Records relating to third-parties are retrievable by name and email address. 2. Records relating to collaboration are retrievable by name, email address, and user ID. 3. Records relating to communication are retrievable by name, email address, and user ID. 4. Records pertaining to multimedia are retrievable by user name and media title. 5. Records relating to application development are retrievable by user ID and application name. 6. Records relating to limited use applications are retrievable by name, email address, and user ID. 7. Records relating to Unofficial Foreign Travel Monitoring for covered individuals are retrievable by name. 8. Records relating to Cloud-based storage are retrievable by name, email address, and user ID. 9. Records relating to Email Applications are retrievable by name, email address, and user ID. 10. Records relating to Web Browsers are retrievable by name, email address, and user ID. khammond on DSKJM1Z7X2PROD with NOTICES POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: 1. Records relating to third-parties are retained for twenty-four months. 2. Records relating to collaboration are retained for twenty-four months. 3. Records relating to communication are retained for twenty-four months. 4. Multimedia recordings are retained for twenty-four months. 5. Records relating to application development are retained for twentyfour months. VerDate Sep<11>2014 19:28 Jan 28, 2022 Jkt 256001 6. Records relating to limited use applications are retained for twenty-four months. 7. Records relating to Unofficial Foreign Travel Monitoring for covered individuals are retained for twenty-five years. 8. Records relating to Cloud-based storage are retained for twenty-four months. 9. Records relating to Email Applications are retained for twentyfour months. 10. Records relating to Web Browsers are retained for twenty-four months. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Paper records, computers, and computer storage media are located in controlled-access areas under supervision of program personnel. Computer access is limited to authorized personnel with a current security clearance, and physical access is limited to authorized personnel who must be identified with a badge. Access to records is limited to individuals whose official duties require such access. Contractors and licensees are subject to contract controls and unannounced on-site audits and inspections. Computers are protected by encryption, mechanical locks, card key systems, or other physical access control methods. The use of computer systems is regulated with installed security software, computer logon identifications, and operating system controls including access controls, terminal and transaction logging, and file management software. RECORD ACCESS PROCEDURES: Requests for access must be made in accordance with the Notification Procedure above and USPS Privacy Act regulations regarding access to records and verification of identity under 39 CFR 266.5. CONTESTING RECORD PROCEDURES: See Notification Procedure and Record Access Procedures above. NOTIFICATION PROCEDURES: Customers wanting to know if other information about them is maintained in this system of records must address inquiries in writing to the Chief Information Officer and Executive Vice President and include their name and address. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. PO 00000 Frm 00130 Fmt 4703 Sfmt 4703 4961 HISTORY: * May 11, 2021; 86 FR 25899. * * * * Joshua J. Hofer, Attorney, Ethics and Legal Compliance. [FR Doc. 2022–01063 Filed 1–28–22; 8:45 am] BILLING CODE 7710–12–P POSTAL SERVICE Privacy Act of 1974; System of Records Postal ServiceTM. ACTION: Notice of a modified system of records. AGENCY: The United States Postal ServiceTM (USPSTM) is proposing to modify a General Privacy Act System of Records to support the implementation of a suite of cloud-based workplace productivity software. DATES: These revisions will become effective without further notice on March 2, 2022, unless comments received on or before that date result in a contrary determination. ADDRESSES: Comments may be submitted via email to the Privacy and Records Management Office, United States Postal Service Headquarters (privacy@usps.gov). Arrangements to view copies of any written comments received, to facilitate public inspection, will be made upon request. FOR FURTHER INFORMATION CONTACT: Janine Castorina, Chief Privacy and Records Management Officer, Privacy and Records Management Office, 202– 268–3069 or privacy@usps.gov. SUPPLEMENTARY INFORMATION: This notice is in accordance with the Privacy Act requirement that agencies publish their systems of records in the Federal Register when there is a revision, change, or addition, or when the agency establishes a new system of records. SUMMARY: I. Background The Postal Service is constantly seeking methods to improve employee productivity and efficiency. To that end, the Postal Service will implement a suite of cloud-based workplace productivity applications. These applications will expand employee access to various programs, allowing more employees to utilize resources to increase productivity and team collaboration. II. Rationale for Changes to USPS Privacy Act Systems of Records The Postal Service is proposing to modify USPS System of Records (SOR) 550.000 Commercial Information E:\FR\FM\31JAN1.SGM 31JAN1 4962 Federal Register / Vol. 87, No. 20 / Monday, January 31, 2022 / Notices Technology Resources—Infrastructure to support the implementation of a suite of cloud-based workplace productivity software. This system will be modified in conjunction with USPS 550.100 Commercial Information Technology Resources—Applications and USPS 550.200 Commercial Information Technology Resources—Administrative to reflect the full scope of application implementation. Revisions to these SORs will be submitted independent of this notice. More information on accompanying changes can be found within those SORs. This system specifically reflects data elements collected, gathered, or used to provide application access generally. Revisions to the existing SOR to support this implementation are documented as additions to existing categories of records Information System Account Access records beginning with ‘‘Last Sign-In Time’’ and Security Analytics records beginning with ‘‘Login IP Address.’’ III. Description of the Modified System of Records Pursuant to 5 U.S.C. 552a (e)(11), interested persons are invited to submit written data, views, or arguments on this proposal. A report of the proposed revisions has been sent to Congress and to the Office of Management and Budget for their evaluations. The Postal Service does not expect this amended system of records to have any adverse effect on individual privacy rights. The notice for USPS 550.000 Commercial Information Technology Resources—Infrastructure, provided below in its entirety, is as follows: SYSTEM NAME AND NUMBER: CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: 550.000 Commercial Information Technology Resources-Infrastructure. 1. Individuals with authorized access to USPS computers, information resources, and facilities, including employees, contractors, business partners, suppliers, and third parties. 2. Individuals participating in webbased meetings, web-based video conferencing, web-based communication applications, and webbased collaboration applications. SECURITY CLASSIFICATION: None. SYSTEM LOCATION: All USPS facilities and contractor sites. khammond on DSKJM1Z7X2PROD with NOTICES SYSTEM MANAGER(S): For records of computer access authorizations: Chief Information Officer and Executive Vice President, United States Postal Service, 475 L’Enfant Plaza SW, Washington, DC 20260. CATEGORIES OF RECORDS IN THE SYSTEM: AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 39 U.S.C. 401, 403, and 404. PURPOSE(S) OF THE SYSTEM: 1. To provide USPS employees, contractors, and other authorized individuals with hierarchical access to VerDate Sep<11>2014 17:38 Jan 28, 2022 Jkt 256001 and accounts for commercial information technology resources administered by the Postal Service and based on least privileged access. 2. To facilitate a cohesive software experience and simplify ease of use by sharing user and application data across participating IT programs. 3. To authenticate user identity for the purpose of accessing USPS information systems. 4. To assess user attributes and assign related access privileges. 5. To authenticate suppliers and contractors and facilitate further access to downstream Postal Service information systems. 6. To provide active and passive monitoring of information systems, applications, software, devices, and users for information security risks. 7. To review information systems, applications, software, devices, and users to ensure compliance with USPS regulations. 8. To facilitate and support cybersecurity investigations of detected or reported information security incidents. 9. To administer programs, processes, and procedures to assess information security risks and to detect information security threats and vulnerabilities. 10. To provide tools and analytics for USPS employees and contractors to measure work productivity and improve efficiency. 11. To improve manager-subordinate relationships within their formal reporting structure through data-based insights generated from their own email and related electronic communications with subordinates. 1. Information System Account Access records: Records relating to the access or use of an information system, application, or piece of software, including; Name, User ID, Email Address, User Type, User Role, Job Title, Department, Manager, Company, Street Address, State Or Province, Country Or Region, Work Phone Number(S), Employee Identification Number (EIN), Advanced Computing PO 00000 Frm 00131 Fmt 4703 Sfmt 4703 Environment (ACE) ID, License Information, Action Initiated, Datetime, User Principle Name, Usage Location, Alternate Email Address, Proxy Address, Age Group, IP Address, MAC Address, Password, Multi-Factor Authentication Credentials, Security Questions, Security Answers, Passcode, Geolocation Data, User Profile Picture, Picture Metadata, Information Technology Account Administration User Configuration Status, Supplier Credentials, Supplier Company Codes, Conditional Access Attributes, Last Sign-In Time, User Account Status, User Admin Status, Password Length Compliance, Password Strength, Number Of Installed External Apps, Less Secure Apps Access, AdminDefined Name, Profile Name Status, Photo Storage Space Used, Total Storage Space Used, Storage Usage Percentage, Total Emails Sent, Total Emails Received, Total Emails Sent And Received, Email Server Last Usage Time, Device Application Change, Device Privilege Changed, Device Policy Changed, Device Action Reported, Device Compliance Status, Device Operating System Updated, Device Ownership Updated, Device Settings Changed, Device Status Changed Through Apple Device Enrollment, Device Account Synced, Device Risk Signal Updated, Device Work Profile Submitted. 2. Security Analytics records: Records relating to the gathering, analysis, review, monitoring, and investigation of information system security risks, including; User Investigation Priority Score, User Identity Risk Level, User Lateral Movement Paths, User Devices Numbers, User Account Numbers, User Resources Numbers, User Locations Numbers, User Matches Files Numbers, User Locations, Apps Used By User, User Groups, User Last Seen Date, User Affiliation, User Domain, App Instance, Organizational Groups, User Account Status, Activity ID, Activity Objects, Activity Type, Administrative Activity, Alert ID, Applied Action, Activity Date, Device Tag, Activity Files And Folders, Impersonated Activities, App Instance Activity, App Location Activity, Activity Matched Policy, Activity Registered ISP, Activity Source, Activity User, Activity User Agent, Activity User Agent Tag, Application Risk Score, Application Activity, User Software Deactivation, User Software Installation, User Software Removal, Last Date Of Software Execution, internet Application Transaction Counts, Data Volume Upload, Data Volume Download, Data Sensitivity Classification, internet Protocol, internet E:\FR\FM\31JAN1.SGM 31JAN1 khammond on DSKJM1Z7X2PROD with NOTICES Federal Register / Vol. 87, No. 20 / Monday, January 31, 2022 / Notices Port, And internet Access History, Login IP Address, Login Type, Login Failed, Login Successful, Number Of Times A User Was Suspended, Number Of Times A User Was Suspended Due To Spam Relay, Number Of Times A User Was Suspended Due To Spam, Number Of Times A User Was Suspended Due To Suspicious Activity, Device Name, Device Operating System, Days Since First Sync, Days Since Last Sync, Device Status, Device Type, Device Model, Device Account Registration Changed, Device Action Event, Device Compliance Status, Device Compromise Status, Device Ownership Change, Device Operating System Updated, Device Settings Changed, Device Failed Screen Unlock Attempts, Device Status Changed On Apple Portal, Device User Signed Out, Device Suspicious Activity Detected, Device Work Profile Supported, Two-Factor Authentication Disabled, Two-Factor Authentication Enrolled, Account Password Changed, Account Recovery Email Changed, Account Recovery Phone Number Changed, Account Recovery Secret Question Changed, Account Recovery Secret Answer Changed, Account Password Leak Suspected, Account Suspicious Login Blocked, Account Suspicious Login From Less Secure App Blocked, Suspicious Programmatic Login Blocked, User Suspended, User Suspended (Spam Through Relay), User Suspended (Spam), User Suspended (Suspicious Activity), Account Enrolled In Advanced Protection, Account Unenrolled In Advanced Protection, Account Targeted By GovernmentBacked Attack, Out Of Domain Email Forwarding Enabled, Login Challenge Question Presented, Login Verification Presented, Log Out, Secure Shell Public Key Added, Secure Shell Public Key Deleted, Secure Shell Public Key Retrieved, Secure Shell Public Key Updated, Login Profile Retrieved, POSIX Account Deleted, Application Method Called, Application Access Authorized, Application Access Revoked, Device Compromised, Failed Password Attempts On User Device, Device Property Changed. 3. Productivity Analytics records: Records relating to the gathering, analysis, review, and investigation of information system utilization, including; Calendar Appointments, Email Read Rate, Email Response Rate, Operating System Activity History, Email Timestamp, Statements Made In Email Body, Email Sender, Email Recipient, Email Subject Line, Calendar Event Type, Calendar Event Status, Calendar Event Category, Calendar Event Subject, Calendar Event Duration, VerDate Sep<11>2014 17:38 Jan 28, 2022 Jkt 256001 Calendar Event Attendees, Meeting Organizer, Meeting Invitees, Meeting Subject Line, Meeting Scheduled Time, Meeting Attendee Status, Meeting Scheduled Location, Web Call Organizer, Web Call Invitees, Web Call Scheduled Time, Web Call Joined Time, Web Call Duration, Web Call Status, Web Call Join Status, Number Of Collaborative Audio Calls Made, Number Of Collaborative Video Calls Made, Chat Initiator, Chat Recipient, Chat IM Sent Time, Number Of CloudBased Personal Storage Documents Worked On, Number Of Cloud-Based Enterprise Storage Documents Worked On, Device Name. RECORD SOURCE CATEGORIES: Employees; contractors; customers. ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND THE PURPOSES OF SUCH USES: Standard routine uses 1. through 9. apply. In addition: (a) To appropriate agencies, entities, and persons when (1) the Postal Service suspects or has confirmed that there has been a breach of the system of records; (2) the Postal Service has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, the Postal Service (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with the Postal Service’s efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm. POLICIES AND PRACTICES FOR STORAGE OF RECORDS: Automated database, computer storage media, and paper. POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS: 1. Records relating to information system access are retrievable by name, email address, username, geolocation data, and ACE ID. 2. Records relating to security analysis are retrievable by name, unique user ID, email address, geolocation data, IP address and computer name. 3. Records relating to productivity are retrievable by name, email address, and ACE ID. 4. Records relating to third-parties are retrievable by name, email address, user name, and IP address. PO 00000 Frm 00132 Fmt 4703 Sfmt 4703 4963 POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS: 1. Records relating to information system access are retained twenty-four months after last access. 2. Records relating to security analysis are retained for twenty-four months. 3. Records relating to productivity are retained for twenty-four months. 4. Records relating to third-parties are retained for twenty-four months. ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS: Paper records, computers, and computer storage media are located in controlled-access areas under supervision of program personnel. Computer access is limited to authorized personnel with a current security clearance, and physical access is limited to authorized personnel who must be identified with a badge. Access to records is limited to individuals whose official duties require such access. Contractors and licensees are subject to contract controls and unannounced on-site audits and inspections. Computers are protected by encryption, mechanical locks, card key systems, or other physical access control methods. The use of computer systems is regulated with installed security software, computer logon identifications, and operating system controls including access controls, terminal and transaction logging, and file management software. RECORD ACCESS PROCEDURES: Requests for access must be made in accordance with the Notification Procedure above and USPS Privacy Act regulations regarding access to records and verification of identity under 39 CFR 266.5. CONTESTING RECORD PROCEDURES: See Notification Procedure and Record Access Procedures above. NOTIFICATION PROCEDURES: Customers wanting to know if other information about them is maintained in this system of records must address inquiries in writing to the Chief Information Officer and Executive Vice President and include their name and address. EXEMPTIONS PROMULGATED FOR THE SYSTEM: None. E:\FR\FM\31JAN1.SGM 31JAN1 4964 Federal Register / Vol. 87, No. 20 / Monday, January 31, 2022 / Notices HISTORY: May 10th, 2021; 86 FR 24907. * * * * * Joshua J. Hofer, Attorney, Ethics and Legal Compliance. [FR Doc. 2022–01062 Filed 1–28–22; 8:45 am] BILLING CODE 7710–12–P POSTAL SERVICE Privacy Act of 1974; System of Records Postal ServiceTM. Notice of a modified system of AGENCY: ACTION: records. The United States Postal ServiceTM (USPSTM) is proposing to modify a General Privacy Act System of Records to support the implementation of a suite of cloud-based workplace productivity software. DATES: These revisions will become effective without further notice on March 2, 2022, unless comments received on or before that date result in a contrary determination. ADDRESSES: Comments may be submitted via email to the Privacy and Records Management Office, United States Postal Service Headquarters (privacy@usps.gov). Arrangements to view copies of any written comments received, to facilitate public inspection, will be made upon request. FOR FURTHER INFORMATION CONTACT: Janine Castorina, Chief Privacy and Records Management Officer, Privacy and Records Management Office, 202– 268–3069 or privacy@usps.gov. SUPPLEMENTARY INFORMATION: This notice is in accordance with the Privacy Act requirement that agencies publish their systems of records in the Federal Register when there is a revision, change, or addition, or when the agency establishes a new system of records. khammond on DSKJM1Z7X2PROD with NOTICES SUMMARY: I. Background The Postal Service is constantly seeking methods to improve employee productivity and efficiency. To that end, the Postal Service will implement a suite of cloud-based workplace productivity applications. These applications will expand employee access to various programs, allowing more employees to utilize resources to increase productivity and team collaboration. II. Rationale for Changes to USPS Privacy Act Systems of Records The Postal Service is proposing to modify USPS System of Records (SOR) 550.200 Commercial Information VerDate Sep<11>2014 17:38 Jan 28, 2022 Jkt 256001 Technology Resources—Administrative to support the implementation of a suite of cloud-based workplace productivity software. This system will be modified in conjunction with USPS 550.000 Commercial Information Technology Resources—Infrastructure and USPS 550.100 Commercial Information Technology Resources—Applications to reflect the full scope of application implementation. Revisions to these SORs will be submitted independent of this notice. More information on accompanying changes can be found within those SORs. This system specifically reflects data elements created from a user or application’s interactions with other applications. Revisions to the existing SOR to support this implementation are documented as additions to existing category of records Video Platform Activities beginning with ‘‘Video Platform Event Date,’’ and further as new categories of records 80 through 102. III. Description of the Modified System of Records Pursuant to 5 U.S.C. 552a(e)(11), interested persons are invited to submit written data, views, or arguments on this proposal. A report of the proposed revisions has been sent to Congress and to the Office of Management and Budget for their evaluations. The Postal Service does not expect this amended system of records to have any adverse effect on individual privacy rights. The notice for 550.200 Commercial Information Technology Resources—Administrative, provided below in its entirety, is as follows: SYSTEM NAME AND NUMBER: 550.200 Commercial Information Technology Resources—Administrative. SECURITY CLASSIFICATION: None. SYSTEM LOCATION: All USPS facilities and contractor sites. SYSTEM MANAGER(S): For records of computer access authorizations: Chief Information Officer and Executive Vice President, United States Postal Service, 475 L’Enfant Plaza SW, Washington, DC 20260. AUTHORITY FOR MAINTENANCE OF THE SYSTEM: 39 U.S.C. 401, 403, and 404. PURPOSE(S) OF THE SYSTEM: 1. To provide active and passive monitoring and review of information system applications and user activities. PO 00000 Frm 00133 Fmt 4703 Sfmt 4703 2. To generate logs and reports of information system application and user activities. 3. To provide a means of auditing commercial information system activities across applications and users. CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM: 1. Individuals with authorized access to USPS computers, information resources, and facilities, including employees, contractors, business partners, suppliers, and third parties. 2. Individuals participating in webbased meetings, web-based video conferencing, web-based communication applications, and webbased collaboration applications. CATEGORIES OF RECORDS IN THE SYSTEM: 1. General Audit Log activities: DateTime, IP Address, User Activity, User Item Accessed, Activity Detail, Object ID, Record Type, Client IP Address, CorrelationID, CreationTime, EventData, EventSource, ItemType, OrganizationID, UserAgent, USerKEy, UserType, Version, Workload. 2. File and page activities: Accessed file, Change retention label for a file, Deleted file marked as a record, Checked in file, Changed record status to locked, Changed record status to unlocked, Checked out file, Copied file, Discarded file checkout, Deleted file, Deleted file from recycle bin, Deleted file from second-stage recycle bin, Detected document sensitivity mismatch, Detected malware in file, Deleted file marked as a record, Downloaded file, Modified file, Moved file, Recycled all minor versions of file, Recycled all versions of file, Recycled version of file, Renamed file, Restored file, Uploaded file, Viewed page, View signaled by client, Performed search query. 3. Folder activities: Copied folder, Created folder, Deleted folder, Deleted folder from recycle bin, Deleted folder from second-stage recycle bin, Modified folder, Moved folder, Renamed folder, Restored folder. 4. Cloud-based Enterprise Storage activities: Created list, Created list column, Created list content type, Created list item, Created site column, Created site content type, Deleted list, Deleted list column, Deleted list content type, Deleted list item, Deleted site column, Deleted site content type, Recycled list item, Restored list, Restored list item, Updated list, Updated list column, Updated list content type, Updated list item, Updated site column, Updated site content type. 5. Sharing and access request activities: Added permission level to E:\FR\FM\31JAN1.SGM 31JAN1

Agencies

[Federal Register Volume 87, Number 20 (Monday, January 31, 2022)]
[Notices]
[Pages 4961-4964]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2022-01062]


-----------------------------------------------------------------------

POSTAL SERVICE


Privacy Act of 1974; System of Records

AGENCY: Postal ServiceTM.

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: The United States Postal ServiceTM 
(USPSTM) is proposing to modify a General Privacy Act System 
of Records to support the implementation of a suite of cloud-based 
workplace productivity software.

DATES: These revisions will become effective without further notice on 
March 2, 2022, unless comments received on or before that date result 
in a contrary determination.

ADDRESSES: Comments may be submitted via email to the Privacy and 
Records Management Office, United States Postal Service Headquarters 
([email protected]). Arrangements to view copies of any written comments 
received, to facilitate public inspection, will be made upon request.

FOR FURTHER INFORMATION CONTACT: Janine Castorina, Chief Privacy and 
Records Management Officer, Privacy and Records Management Office, 202-
268-3069 or [email protected].

SUPPLEMENTARY INFORMATION: This notice is in accordance with the 
Privacy Act requirement that agencies publish their systems of records 
in the Federal Register when there is a revision, change, or addition, 
or when the agency establishes a new system of records.

I. Background

    The Postal Service is constantly seeking methods to improve 
employee productivity and efficiency. To that end, the Postal Service 
will implement a suite of cloud-based workplace productivity 
applications. These applications will expand employee access to various 
programs, allowing more employees to utilize resources to increase 
productivity and team collaboration.

II. Rationale for Changes to USPS Privacy Act Systems of Records

    The Postal Service is proposing to modify USPS System of Records 
(SOR) 550.000 Commercial Information

[[Page 4962]]

Technology Resources--Infrastructure to support the implementation of a 
suite of cloud-based workplace productivity software. This system will 
be modified in conjunction with USPS 550.100 Commercial Information 
Technology Resources--Applications and USPS 550.200 Commercial 
Information Technology Resources--Administrative to reflect the full 
scope of application implementation. Revisions to these SORs will be 
submitted independent of this notice. More information on accompanying 
changes can be found within those SORs.
    This system specifically reflects data elements collected, 
gathered, or used to provide application access generally. Revisions to 
the existing SOR to support this implementation are documented as 
additions to existing categories of records Information System Account 
Access records beginning with ``Last Sign-In Time'' and Security 
Analytics records beginning with ``Login IP Address.''

III. Description of the Modified System of Records

    Pursuant to 5 U.S.C. 552a (e)(11), interested persons are invited 
to submit written data, views, or arguments on this proposal. A report 
of the proposed revisions has been sent to Congress and to the Office 
of Management and Budget for their evaluations. The Postal Service does 
not expect this amended system of records to have any adverse effect on 
individual privacy rights. The notice for USPS 550.000 Commercial 
Information Technology Resources--Infrastructure, provided below in its 
entirety, is as follows:

SYSTEM NAME AND NUMBER:
    550.000 Commercial Information Technology Resources-Infrastructure.

SECURITY CLASSIFICATION:
    None.

SYSTEM LOCATION:
    All USPS facilities and contractor sites.

SYSTEM MANAGER(S):
    For records of computer access authorizations: Chief Information 
Officer and Executive Vice President, United States Postal Service, 475 
L'Enfant Plaza SW, Washington, DC 20260.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    39 U.S.C. 401, 403, and 404.

PURPOSE(S) OF THE SYSTEM:
    1. To provide USPS employees, contractors, and other authorized 
individuals with hierarchical access to and accounts for commercial 
information technology resources administered by the Postal Service and 
based on least privileged access.
    2. To facilitate a cohesive software experience and simplify ease 
of use by sharing user and application data across participating IT 
programs.
    3. To authenticate user identity for the purpose of accessing USPS 
information systems.
    4. To assess user attributes and assign related access privileges.
    5. To authenticate suppliers and contractors and facilitate further 
access to downstream Postal Service information systems.
    6. To provide active and passive monitoring of information systems, 
applications, software, devices, and users for information security 
risks.
    7. To review information systems, applications, software, devices, 
and users to ensure compliance with USPS regulations.
    8. To facilitate and support cybersecurity investigations of 
detected or reported information security incidents.
    9. To administer programs, processes, and procedures to assess 
information security risks and to detect information security threats 
and vulnerabilities.
    10. To provide tools and analytics for USPS employees and 
contractors to measure work productivity and improve efficiency.
    11. To improve manager-subordinate relationships within their 
formal reporting structure through data-based insights generated from 
their own email and related electronic communications with 
subordinates.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    1. Individuals with authorized access to USPS computers, 
information resources, and facilities, including employees, 
contractors, business partners, suppliers, and third parties.
    2. Individuals participating in web-based meetings, web-based video 
conferencing, web-based communication applications, and web-based 
collaboration applications.

CATEGORIES OF RECORDS IN THE SYSTEM:
    1. Information System Account Access records: Records relating to 
the access or use of an information system, application, or piece of 
software, including; Name, User ID, Email Address, User Type, User 
Role, Job Title, Department, Manager, Company, Street Address, State Or 
Province, Country Or Region, Work Phone Number(S), Employee 
Identification Number (EIN), Advanced Computing Environment (ACE) ID, 
License Information, Action Initiated, Datetime, User Principle Name, 
Usage Location, Alternate Email Address, Proxy Address, Age Group, IP 
Address, MAC Address, Password, Multi-Factor Authentication 
Credentials, Security Questions, Security Answers, Passcode, 
Geolocation Data, User Profile Picture, Picture Metadata, Information 
Technology Account Administration User Configuration Status, Supplier 
Credentials, Supplier Company Codes, Conditional Access Attributes, 
Last Sign-In Time, User Account Status, User Admin Status, Password 
Length Compliance, Password Strength, Number Of Installed External 
Apps, Less Secure Apps Access, Admin-Defined Name, Profile Name Status, 
Photo Storage Space Used, Total Storage Space Used, Storage Usage 
Percentage, Total Emails Sent, Total Emails Received, Total Emails Sent 
And Received, Email Server Last Usage Time, Device Application Change, 
Device Privilege Changed, Device Policy Changed, Device Action 
Reported, Device Compliance Status, Device Operating System Updated, 
Device Ownership Updated, Device Settings Changed, Device Status 
Changed Through Apple Device Enrollment, Device Account Synced, Device 
Risk Signal Updated, Device Work Profile Submitted.
    2. Security Analytics records: Records relating to the gathering, 
analysis, review, monitoring, and investigation of information system 
security risks, including; User Investigation Priority Score, User 
Identity Risk Level, User Lateral Movement Paths, User Devices Numbers, 
User Account Numbers, User Resources Numbers, User Locations Numbers, 
User Matches Files Numbers, User Locations, Apps Used By User, User 
Groups, User Last Seen Date, User Affiliation, User Domain, App 
Instance, Organizational Groups, User Account Status, Activity ID, 
Activity Objects, Activity Type, Administrative Activity, Alert ID, 
Applied Action, Activity Date, Device Tag, Activity Files And Folders, 
Impersonated Activities, App Instance Activity, App Location Activity, 
Activity Matched Policy, Activity Registered ISP, Activity Source, 
Activity User, Activity User Agent, Activity User Agent Tag, 
Application Risk Score, Application Activity, User Software 
Deactivation, User Software Installation, User Software Removal, Last 
Date Of Software Execution, internet Application Transaction Counts, 
Data Volume Upload, Data Volume Download, Data Sensitivity 
Classification, internet Protocol, internet

[[Page 4963]]

Port, And internet Access History, Login IP Address, Login Type, Login 
Failed, Login Successful, Number Of Times A User Was Suspended, Number 
Of Times A User Was Suspended Due To Spam Relay, Number Of Times A User 
Was Suspended Due To Spam, Number Of Times A User Was Suspended Due To 
Suspicious Activity, Device Name, Device Operating System, Days Since 
First Sync, Days Since Last Sync, Device Status, Device Type, Device 
Model, Device Account Registration Changed, Device Action Event, Device 
Compliance Status, Device Compromise Status, Device Ownership Change, 
Device Operating System Updated, Device Settings Changed, Device Failed 
Screen Unlock Attempts, Device Status Changed On Apple Portal, Device 
User Signed Out, Device Suspicious Activity Detected, Device Work 
Profile Supported, Two-Factor Authentication Disabled, Two-Factor 
Authentication Enrolled, Account Password Changed, Account Recovery 
Email Changed, Account Recovery Phone Number Changed, Account Recovery 
Secret Question Changed, Account Recovery Secret Answer Changed, 
Account Password Leak Suspected, Account Suspicious Login Blocked, 
Account Suspicious Login From Less Secure App Blocked, Suspicious 
Programmatic Login Blocked, User Suspended, User Suspended (Spam 
Through Relay), User Suspended (Spam), User Suspended (Suspicious 
Activity), Account Enrolled In Advanced Protection, Account Unenrolled 
In Advanced Protection, Account Targeted By Government-Backed Attack, 
Out Of Domain Email Forwarding Enabled, Login Challenge Question 
Presented, Login Verification Presented, Log Out, Secure Shell Public 
Key Added, Secure Shell Public Key Deleted, Secure Shell Public Key 
Retrieved, Secure Shell Public Key Updated, Login Profile Retrieved, 
POSIX Account Deleted, Application Method Called, Application Access 
Authorized, Application Access Revoked, Device Compromised, Failed 
Password Attempts On User Device, Device Property Changed.
    3. Productivity Analytics records: Records relating to the 
gathering, analysis, review, and investigation of information system 
utilization, including; Calendar Appointments, Email Read Rate, Email 
Response Rate, Operating System Activity History, Email Timestamp, 
Statements Made In Email Body, Email Sender, Email Recipient, Email 
Subject Line, Calendar Event Type, Calendar Event Status, Calendar 
Event Category, Calendar Event Subject, Calendar Event Duration, 
Calendar Event Attendees, Meeting Organizer, Meeting Invitees, Meeting 
Subject Line, Meeting Scheduled Time, Meeting Attendee Status, Meeting 
Scheduled Location, Web Call Organizer, Web Call Invitees, Web Call 
Scheduled Time, Web Call Joined Time, Web Call Duration, Web Call 
Status, Web Call Join Status, Number Of Collaborative Audio Calls Made, 
Number Of Collaborative Video Calls Made, Chat Initiator, Chat 
Recipient, Chat IM Sent Time, Number Of Cloud-Based Personal Storage 
Documents Worked On, Number Of Cloud-Based Enterprise Storage Documents 
Worked On, Device Name.

RECORD SOURCE CATEGORIES:
    Employees; contractors; customers.

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND THE PURPOSES OF SUCH USES:
    Standard routine uses 1. through 9. apply. In addition:
    (a) To appropriate agencies, entities, and persons when (1) the 
Postal Service suspects or has confirmed that there has been a breach 
of the system of records; (2) the Postal Service has determined that as 
a result of the suspected or confirmed breach there is a risk of harm 
to individuals, the Postal Service (including its information systems, 
programs, and operations), the Federal Government, or national 
security; and (3) the disclosure made to such agencies, entities, and 
persons is reasonably necessary to assist in connection with the Postal 
Service's efforts to respond to the suspected or confirmed breach or to 
prevent, minimize, or remedy such harm.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    Automated database, computer storage media, and paper.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    1. Records relating to information system access are retrievable by 
name, email address, username, geolocation data, and ACE ID.
    2. Records relating to security analysis are retrievable by name, 
unique user ID, email address, geolocation data, IP address and 
computer name.
    3. Records relating to productivity are retrievable by name, email 
address, and ACE ID.
    4. Records relating to third-parties are retrievable by name, email 
address, user name, and IP address.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    1. Records relating to information system access are retained 
twenty-four months after last access.
    2. Records relating to security analysis are retained for twenty-
four months.
    3. Records relating to productivity are retained for twenty-four 
months.
    4. Records relating to third-parties are retained for twenty-four 
months.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Paper records, computers, and computer storage media are located in 
controlled-access areas under supervision of program personnel. 
Computer access is limited to authorized personnel with a current 
security clearance, and physical access is limited to authorized 
personnel who must be identified with a badge.
    Access to records is limited to individuals whose official duties 
require such access. Contractors and licensees are subject to contract 
controls and unannounced on-site audits and inspections.
    Computers are protected by encryption, mechanical locks, card key 
systems, or other physical access control methods. The use of computer 
systems is regulated with installed security software, computer logon 
identifications, and operating system controls including access 
controls, terminal and transaction logging, and file management 
software.

RECORD ACCESS PROCEDURES:
    Requests for access must be made in accordance with the 
Notification Procedure above and USPS Privacy Act regulations regarding 
access to records and verification of identity under 39 CFR 266.5.

CONTESTING RECORD PROCEDURES:
    See Notification Procedure and Record Access Procedures above.

NOTIFICATION PROCEDURES:
    Customers wanting to know if other information about them is 
maintained in this system of records must address inquiries in writing 
to the Chief Information Officer and Executive Vice President and 
include their name and address.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

[[Page 4964]]

HISTORY:
    May 10th, 2021; 86 FR 24907.
* * * * *

Joshua J. Hofer,
Attorney, Ethics and Legal Compliance.
[FR Doc. 2022-01062 Filed 1-28-22; 8:45 am]
BILLING CODE 7710-12-P