Privacy Act System of Records Notice for ServiceNow Platform
Summary
HUD's Office of Chief Information Officer and Infrastructure and Operations published a Privacy Act System of Records Notice (SORN) for the ServiceNow SaaS platform. The system supports helpdesk operations, IT management, asset tracking, facilities management, HR activities, and financial planning functions. Public comments on this proposed system of records are due by May 6, 2026.
What changed
HUD is establishing a new Privacy Act System of Records titled 'ServiceNow (SerNow)' to cover its use of the ServiceNow platform for core agency operations. The system includes multiple instances (development, testing, production) that maintain detailed information about users and network objects. Information is sourced from HUD systems including Active Directory, LAN File Server, and the Digital Identity and Access Management System (DIAMS). The system integrates with HUD's existing technology including PIV card authentication.
HUD is accepting public comments on this proposed SORN until May 6, 2026. The system of records will become effective on the date following the end of the comment period unless comments result in a contrary determination. HUD personnel should review the notice to understand how their information may be collected and maintained in this system, particularly those submitting IT helpdesk tickets, HR requests, or asset-related workflows through ServiceNow.
What to do next
- Review HUD-2026-0398 to identify how ServiceNow collects and maintains personal information relevant to your operations
- Submit comments to privacy@hud.gov by May 6, 2026 if modifications to the SORN are warranted
Source document (simplified)
ACTION:
Notice of a new system of records.
SUMMARY:
Pursuant to the provisions of the Privacy Act of 1974, as amended, the Department of Housing and Urban Development (HUD),
Office of Chief Information Officer (OCIO) and Infrastructure and Operations (IOO) is issuing a public notice of its intent
to establish a Privacy Act System of Records Notice (SORN) titled “ServiceNow (SerNow).”
ServiceNow (SerNow) includes core components and related modules that work together to support key HUD operations. It facilitates
helpdesk operations, Information Technology (IT) management, software and asset tracking, facilities management operations,
Human Resources activities, and limited financial planning functions. HUD utilizes multiple ServiceNow instances, with distinct
environments tailored to specific purposes such as development, testing, and production, each of which maintains detailed
information regarding users and network objects. This structure makes it easier for employees to efficiently locate and utilize
required resources while ensuring system integrity across operations. ServiceNow collects and processes information from users
either through submitted forms, internal workflows, or integrated systems via structured data repositories. The information
maintained within ServiceNow is sourced from HUD systems such as Active Directory (AD)/LAN File Server (LFS), and Digital
Identity and Access Management System (DIAMS).
DATES:
Comments will be accepted on or before May 6, 2026. This proposed action will be effective on the date following the end of
the comment period unless comments are received which result in a contrary determination.
ADDRESSES:
You may submit comments identified by docket number or by one of the following methods:
Federal e-Rulemaking Portal: http://www.regulations.gov. Follow the instructions provided on that site to submit comments electronically.
Fax: 202-619-8365.
Email: privacy@hud.gov.
Mail: Attention: Privacy Office; Shalanda Capehart, Acting Chief Privacy Officer; The Executive Secretariat; 451 7th Street SW,
Room 10139; Washington, DC 20410-0001.
Instructions: All submissions received must include the agency name and docket number for this rulemaking. All comments received will be
posted without change to http://www.regulations.gov including any personal information provided.
Docket: For access to the docket to read background documents or comments received go to http://www.regulations.gov.
FOR FURTHER INFORMATION CONTACT:
Shalanda Capehart; 451 7th Street SW, Room 10139; Washington, DC 20410-0001; telephone number (202) 402-5085 (this is not
a toll-free number). HUD welcomes and is prepared to receive calls from individuals who are deaf or hard of hearing, as well
as individuals with speech or communication disabilities. To learn more about how to make an accessible telephone call, please
visit https://www.fcc.gov/consumers/guides/telecommunications-relay-service-trs.
SUPPLEMENTARY INFORMATION:
The Department of Housing and Urban Development (HUD), Office of Chief Information Officer (OCIO), and Infrastructure and
Operations (IOO), uses the ServiceNow Software as a Service (SaaS) Platform to streamline operations and centralize data management.
ServiceNow helps HUD manage its data and services in one central system, and it's built around a tool called the Configuration
Management Database (CMDB). This database stores important records about users, facilities, and shared resources like meeting
rooms, servers, computers, printers, and accounts used to log in. The ServiceNow platform simplifies account management and
integrates with HUD's existing technology to allow secure sign-ins using Personal Identity Verification (PIV) cards. It follows
a clear management structure to help HUD keep track of network tools, protect user data, and keep systems working the same
way across the agency. All ServiceNow programs use the CMDB within HUD's core platform. The system also includes specialized
financial management tools, called Proven Optics, that help manage costs, optimize resources, and improve operational efficiency.
These tools run in a secure government community cloud environment (GCC) and meet strict federal rules for safety and privacy.
HUD's main goals in using ServiceNow are to reduce costs, eliminate manual processes, and improve productivity through automated
workflows.
SYSTEM NAME AND NUMBER:
ServiceNow (SerNow), HUD/OCIO-04.
SECURITY CLASSIFICATION:
Unclassified.
SYSTEM LOCATION:
Records are maintained at the following locations: HUD Headquarters, 451 7th Street SW, Washington, DC 20410-0001, and Bowhead
UIC Government Services, LLC, 6564 Loisdale Court, Suite 900 Springfield, VA 22150-1812.
SYSTEM MANAGER(S):
George Hurley, Infrastructure and Operations (IOO), HUD HQ, 451 7th Street SW, Washington, DC 20410-0001; telephone (202)
475-8662.
AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
The Information Technology Management Reform Act of 1996 (Pub. L. 104-106, 40 U.S.C. 11101 et seq.); E-Government Act (Pub. L. 107-347, sec. 203, 44 U.S.C. 3501 note); Federal Information Security Management Act, as amended
(Pub. L. 107-347, 44 U.S.C. 3554); Paperwork Reduction Act of 1995 (Pub. L. 104-13, 44 U.S.C. 3501 et seq.); Government Paperwork Elimination Act (Pub. L. 105-277, Title XVII, 44 U.S.C. 3504); Homeland Security Presidential Directive
12 (HSPD-12), Policy for a Common Identification Standard for Federal Employees and Contractors, August 27, 2004; OMB Circular
No. A-130, Managing Information as a Strategic Resource (7/28/2016); OMB Memo M-05-24, and Executive Order 13636—Improving
Critical Infrastructure Cyber Security (February 12, 2013); Department of Housing and Urban Development Act of 1965, Section
7(d) (Pub. L. 89-174, 42 U.S.C. 3535(d)—“Administrative provisions”); and 5 U.S.C. 3301—“Civil service; generally”.
PURPOSES OF THE SYSTEM:
The purpose of ServiceNow is to help HUD employees efficiently track and manage all service requests for help from start to
finish. The system serves as the central repository for HUD policies, procedures, and frequently asked questions (FAQs), empowering
employees to quickly find answers independently. It also provides a digital foundation that supports HUD's internal systems
across the agency, streamlining operations through automated workflows and replacing manual processes. ServiceNow functions
as a centralized platform for managing HUD assets, giving administrators and employees easy access to critical tools and information,
reducing mistakes, and enhancing productivity.
CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
Current HUD employees and contractors.
CATEGORIES OF RECORDS IN THE SYSTEM:
Full Name, Phone Number, Email address, User Verification PIN, Device Identifier, Internet Protocol (IP)/Media Access Control
(MAC) Address of assigned Device Identifier (if applicable), Work Address, Home Address, Employee Identification Number and
Employment Status/History.
RECORD SOURCE CATEGORIES:
Individuals, Digital Identity and Access Management System (DIAMS), and Active Directory (AD)/LAN File Server (LFS).
ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:
(1) To a congressional office from the record of an individual in response to an inquiry from the congressional office made
at the request of that individual.
(2) To contractors, grantees, experts, consultants, and their agents, or others performing or working under a contract, service,
grant, cooperative agreement, or other agreement with HUD or under contract to another agency when necessary to accomplish
an agency function related to a system of records. Disclosure requirements are limited to only those data elements considered
relevant to accomplishing an agency function.
(3) To appropriate agencies, entities, and persons when: (1) HUD suspects or has confirmed that there has been a
breach of the system of records; (2) HUD has determined that as a result of the suspected or confirmed breach there is a risk
of harm to individuals, HUD (including its information systems, programs, and operations), the Federal Government, or national
security; and (3) The disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection
with HUD's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
(4) To another Federal agency or Federal entity, when HUD determines that information from this system of records is reasonably
necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing,
minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems,
programs and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
(5) To appropriate Federal, State, local, tribal, or governmental agencies or multilateral governmental organizations responsible
for investigating or prosecuting the violations of, or for enforcing or implementing, a statute, rule, regulation, order,
or license where HUD determines that the information would assist in the enforcement of civil or criminal laws and when such
records, either alone or in conjunction with other information, indicate a violation or potential violation of law.
(6) To a court, magistrate, administrative tribunal, or arbitrator while presenting evidence, including disclosures to opposing
counsel or witnesses during civil discovery, litigation, mediation, or settlement negotiations; or in connection with criminal
law proceedings; when HUD determines that use of such records is relevant and necessary to the litigation and when any of
the following is a party to the litigation or have an interest in such litigation: (1) HUD, or any component thereof; or (2)
any HUD employee in his or her official capacity; or (3) any HUD employee in his or her individual capacity where HUD has
agreed to represent the employee; or (4) the United States, or any agency thereof, where HUD determines that litigation is
likely to affect HUD or any of its components.
(7) To any component of the Department of Justice or other Federal agency conducting litigation or in proceedings before any
court, adjudicative, or administrative body, when HUD determines that the use of such records is relevant and necessary to
the litigation and when any of the following is a party to the litigation or have an interest in such litigation: (1) HUD,
or any component thereof; or (2) any HUD employee in his or her official capacity; or (3) any HUD employee in his or her individual
capacity where the Department of Justice or agency conducting the litigation has agreed to represent the employee; or (4)
the United States, or any agency thereof, where HUD determines that litigation is likely to affect HUD or any of its components.
(8) To officials of labor organizations recognized under the Civil Service Reform Act when relevant and necessary to their
duties of exclusive representation concerning personnel policies, practices, and matters affecting work conditions.
(9) To the Office of Personnel Management (OPM), the Merit Systems Protection Board (and its office of the Special Counsel),
the Federal Labor Relations Authority (and its General Counsel), or the Equal Employment Opportunity Commission when requested
in performance of their authorized duties of exclusive representation concerning personnel policies, practices, and matters
affecting work conditions.
(10) To the National Archives and Records Administration, Office of Government Information Services (OGIS), to the extent
necessary to fulfill its responsibilities in 5 U.S.C. 552(h), to review administrative agency policies, procedures and compliance
with the Freedom of Information Act (FOIA), and to facilitate OGIS' offering of mediation services to resolve disputes between
persons making FOIA requests and administrative agencies.
POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
Electronic.
POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
Full Name, Email Address, and Employee Identification Number.
POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
Under General Records Schedule 3.2, System Access Records, items 030 and 031. Item 030 applies to systems not requiring special
accountability for access. Item 030 records can be destroyed when the business use ceases. Item 031 applies to systems requiring
special accountability for access. Item 031 requires records to be destroyed/deleted 6 years after the user account is terminated
or password is altered, or when no longer required for business use, whichever is later. Backup and Recovery digital media
will be destroyed or otherwise rendered irrecoverable per NIST SP 800-88, Rev. 1 “Guidelines for Media Sanitization” (December
2014). The records used within the budgeting application are “temporary” and their destroy clauses are listed in the following
disposition instructions: General Record Schedule (GRS) 1.3: Budgeting Records. The records used for facilities management
are “temporary” and their destroy clauses are listed in the following disposition instructions: General Record Schedule (GRS)
5.4 Facility, Equipment, Vehicle, Property, and Supply Records. The records for the IT Service Desk and IT Asset Management
modules are “temporary” and their destroy clauses are listed in the following disposition instructions: General Record Schedule
(GRS) 3.1 General Technology Management Records and General Record Schedule (GRS) 5.8 Administrative Help Desk Records.
ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
For Electronic Records: Comprehensive electronic records are maintained and stored in an electronic encryption database system. These records can
only be accessed based on the user's rights and privileges to the system. Electronic records are stored in the “ServiceNow
Enterprise” environment on the department's network (HUD). This environment complies with the security and privacy controls
and procedures as described in the Federal Information Security Management Act (FISMA), National Institute of Standards and
Technology (NIST) Special Publications, and Federal Information Processing Standards (FIPS). A valid HSPD-12 ID Credential,
access to HUD's LAN, a valid User ID and Password, and a Personalized Identification Number (PIN) are required to access the
HR Service Delivery, ServiceNow system. These records are restricted to only those stakeholders needing to access the system
to perform their official duties.
For Electronic Records (cloud-based): Comprehensive electronic records are secured and maintained on a cloud-based software server and operating system that resides
in the Federal Risk and Authorization Management Program (FedRAMP) and Federal Information Security Management Act (FISMA)
Moderate dedicated hosting environment. All data in the cloud-based server is firewalled and encrypted at rest and in transit.
PII is secured in cipher locks, combination locks, key cards, security guards, closed circuit TV
and safes. Identification badges are required to ensure the records are not accessed and strict access controls are governed
for electronic records using a user ID and password that require multi-factor authentication before access is granted to ServiceNow.
The security mechanisms for handling data at rest and in transit are in accordance with HUD encryption standards.
RECORD ACCESS PROCEDURES:
Individuals requesting records of themselves should address written inquiries to the Department of Housing and Urban Development,
451 7th Street SW, Washington, DC 20410-0001. For verification, individuals should provide their full name, current address,
and telephone number. In addition, the requester must provide either a notarized statement or an unsworn declaration made
under 24 CFR 16.4.
CONTESTING RECORD PROCEDURES:
The HUD rule for contesting the content of any record pertaining to the individual by the individual concerned is published
in 24 CFR 16.8 or may be obtained from the system manager.
NOTIFICATION PROCEDURES:
Individuals requesting notification of records of themselves should address written inquiries to the Department of Housing
and Urban Development, 451 7th Street SW, Washington, DC 20410-0001. For verification purposes, individuals should provide their
full name, office or organization where assigned, if applicable, and current address and telephone number. In addition, the
requester must provide either a notarized statement, or an unsworn declaration made under 24 CFR 16.4.
EXEMPTIONS PROMULGATED FOR THE SYSTEM:
None.
HISTORY:
None.
Shalanda Capehart, Acting Chief Privacy Officer, Office of Administration. [FR Doc. 2026-06607 Filed 4-3-26; 8:45 am] BILLING CODE 4210-67-P