Privacy Impact Assessment 1660-0026

FEMA-HMGP-27225-PIA.pdf

State Administrative Plan for the Hazard Mitigation Grant Program

OMB: 1660-0026

Privacy Impact Assessment
for the
Hazard Mitigation Grant Program (HMGP) System
DHS/FEMA/PIA-025
June 28, 2012

Contact Point
R. Samuel Winningham
Federal Insurance and Mitigation Administration
Federal Emergency Management Agency
(202) 646-2631

Reviewing Official
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security
(703) 235-0780

Privacy Impact Assessment
Hazard Mitigation Grant Program System
Federal Emergency Management Agency
Page 1

Abstract
The Federal Emergency Management Agency’s (FEMA) Federal Insurance and
Mitigation Administration (FIMA) operates the Hazard Mitigation Grant Program (HMGP)
system. The HMGP system is a grant application and management system. This privacy impact
assessment (PIA) is being conducted because the FEMA FIMA HMGP system may collect, use,
maintain, retrieve, and disseminate personally identifiable information (PII) of grantees or sub-grantees as well as PII on individual property owners associated with the grants or sub-grants.

Overview
Pursuant to the Robert T. Stafford Disaster Relief and Emergency Assistance Act, 42
U.S.C. §§ 5133 and 5170c, and the National Flood Insurance Act, 42 U.S.C. § 4100, the FEMA
FIMA Risk Reduction Division administers several Hazard Mitigation Assistance (HMA) grant
programs, including the HMGP. The key purpose of HMGP is to ensure that critical mitigation
opportunities to reduce loss of life and property from future disasters are not lost during the
reconstruction process following a disaster. When authorized under a Presidential major disaster
declaration, HMGP provides grant funding to grantees (states and Indian tribal governments) and
sub-grantees (local governments and eligible private non-profit organizations) to assist in the
mitigation of natural and man-made disasters in the areas of the state requested by the governor.
The HMGP system processes and stores collected grantee and sub-grantee information,
including information about the proposed activity or activities to be completed under a grant.
Typically, grantees and sub-grantees collect property information directly from the individual
property owner using a state-owned and assigned paper application. Grant applicants can then
either mail or fax paper copies of their application to FEMA or use the HMGP system to apply
for an HMGP grant. The grant application consists of a completed and signed Standard Form
424 “Application for Federal Assistance” and supporting documentation, such as property and
individual property owner information. The grant applicant or FEMA staff then logs onto the
FEMA network and into the HMGP system. Based on the user’s role (grant applicant or FEMA
staff), the user selects the HMGP grant and then enters the property and individual property
owner information into the “Property” section of the HMGP grant application.
A grant application includes multiple properties and other local community and state-specific information. The grant applicant submits the application to FEMA for review and, if
approved, the grantee signs and accepts a grant award. All transactions are completed online and
information is secured on FEMA servers. FEMA staff may query by grant applicant, grant
applicant’s point of contact (POC), or individual property owner information to update grant
application records and determine eligibility for grant funding. FEMA staff manually compares
the individual property owner’s information within the HMGP system with National Flood
Insurance Program (NFIP) flood insurance policy records[1] to prevent duplication of benefits and
to ensure efficient use of FEMA funds. At the end of the NARA-approved retention period, the
applicant’s, grantee’s, and individual’s information is deleted, destroyed, or archived by FEMA
according to the records disposition schedule.
This PIA discusses HMGP’s collection of user information from grantees and sub-grantees, as well as the collection of PII from individual property owners who voluntarily
participate in a grantee’s or sub-grantee’s grant application. Previously, the HMGP system fell
within the security authorization boundaries of the FEMA Legacy National Emergency
Management Information System (NEMIS), which was decommissioned and decoupled in July
2011. All systems previously within the NEMIS security authorization boundary have been
required to complete their own information system security package, including a PIA, if
applicable. FEMA has published two PIAs: NEMIS-MT eGrants PIA[2] and Grants Management
Program PIA,[3] which document the different FEMA grant programs and systems where the only
PII FEMA collects is from the points of contact for the grant applicants. This new PIA is being
conducted because PII covering the individual property owners may be included in HMGP grant
applications. The HMGP system is currently an operational system.
HMGP does not use any sensitive PII such as biometrics or radio frequency identification
(RFID). During the HMGP system development and privacy review, FEMA addressed several
privacy risks associated with the system. Generally, there is a risk that individuals participating
in a HMGP grant application process may not be aware that their PII is being shared with
FEMA. Participating individuals may also not know how to correct any erroneous information
collected, used, maintained, retrieved, or disseminated by FEMA. FEMA mitigates these risks
by publishing this PIA, as well as the DHS/FEMA – 009 Hazard Mitigation Assistance Grant
Programs System of Records Notice, which is being published in the Federal Register.
Additionally, grantees and sub-grantees are instructed to provide notice to participating
individual property owners.

[1] These records are covered by DHS/FEMA-003, National Flood Insurance Program Files System of Records, 73 Fed. Reg. 77747 (Dec. 19, 2008).
[2] DHS/FEMA/PIA-006 NEMIS-MT eGrants PIA, available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_egrants.pdf.
[3] DHS/FEMA/PIA-013 Grants Management Program PIA, available at http://www.dhs.gov/xlibrary/assets/privacy/privacy_pia_fema_grants_management.pdf.

Section 1.0 Authorities and Other Requirements
1.1 What specific legal authorities and/or agreements permit and define the collection of information by the project in question?

The HMGP collection of information is necessary for FEMA to determine eligibility and
allocate FEMA disaster funds for cost-effective mitigation activities in accordance with the
following legal authorities:
- Robert T. Stafford Disaster Relief and Emergency Assistance Act, as amended, 42 U.S.C. §§ 5133 and 5170c.
- National Flood Insurance Act, 42 U.S.C. § 4100, as amended by the Bunning-Bereuter-Blumenauer Flood Insurance Reform Act of 2004, 42 U.S.C. § 4001, et seq.

1.2 What Privacy Act System of Records Notice(s) (SORN(s)) apply to the information?

DHS/FEMA-2006-0002, National Emergency Management Information System
(NEMIS)-Mitigation (MT) Electronic Grants Management System of Records, 69 FR 75079
(Dec. 15, 2004), provides current notice and coverage for the HMGP program’s information
collection. FEMA is updating, reissuing, and renaming the above referenced SORN as
DHS/FEMA – 009 Hazard Mitigation Assistance Grant Programs System of Records Notice,
which is being published in the Federal Register. The SORN provides more transparent notice
and clearer coverage for the HMGP system’s collection, use, maintenance, retrieval, and
dissemination of PII outlined in this PIA.

1.3 Has a system security plan been completed for the information system(s) supporting the project?

A System Security Plan (SSP) has been completed for the HMGP system and an
Authority to Operate (ATO) was granted for the system on March 2, 2012. The system is fully
compliant with DHS Sensitive System Security Policy Directive 4300A and is categorized as
“moderate” under National Institute of Standards and Technology (NIST) Federal Information
Processing Standards (FIPS) 199.

1.4 Does a records retention schedule approved by the National Archives and Records Administration (NARA) exist?

Yes, the records retention schedules for the HMGP program and the HMGP system have
been approved by the FEMA Records Officer and NARA and are General Records Schedule
(GRS) 3, Items 13 and 14; N1-311-95-1, Items 1, 2, and 3; N1-311-01-8, Item 1; and N1-311-04-1, Item 1.

1.5 If the information is covered by the Paperwork Reduction Act (PRA), provide the OMB Control number and the agency number for the collection. If there are multiple forms, include a list in an appendix.

Information collected, used, maintained, retrieved, and disseminated by HMGP and the
HMGP system is covered by OMB Collections 1660-0025, 1660-0026, and 1660-0076. There
are no forms associated with the collections except for Standard Form 424 “Application for
Federal Assistance” in OMB Collection 1660-0025.

Section 2.0 Characterization of the Information
2.1 Identify the information the project collects, uses, disseminates, or maintains.

HMGP collects, uses, maintains, retrieves, and disseminates the following information:

Grantee and Sub-grantee Point of Contact Information:
- Name;
- Work address;
- Work phone number; and
- Work email address.

Grantee and Sub-grantee Information:
- Organization name;
- Proposed activities descriptions; and
- Dun and Bradstreet Data Universal Numbering System (DUNS).

Individual Property Owners Participating in Grant Application:
- Name (first, middle initial, last);
- Home phone number;
- Business/Office phone number;
- Mobile phone number;
- Damaged property address;
- Mailing address;
- Flood insurance status;
- Flood insurance policy number;
- Flood insurance policy provider (Write Your Own Company or Insurance Agent); and
- Grant funding eligibility status.

2.2 What are the sources of the information and how is the information collected for the project?

Principal sources of the information are state emergency management agencies or other
state offices with emergency management responsibility, including all fifty states, the District of
Columbia, the U.S. Virgin Islands, the Commonwealth of Puerto Rico, Guam, American Samoa,
and the Commonwealth of the Northern Mariana Islands. Additional sources of information
include federally-recognized Indian tribal governments, local governments, and private non-profit organizations. Property information in support of a grant application can voluntarily be
provided by individual property owners to the grantee or sub-grantee. Local communities to
which a sub-grant is awarded are accountable to the state for the use of the funds provided.
The information collected by HMGP from the sources outlined above includes
information about the proposed activity or activities to be completed under a grant. All grantees
and sub-grantees must complete and sign Standard Form 424 “Application for Federal
Assistance.” Sub-grantees may mail or fax paper-based applications to HMGP. Grantees and
sub-grantees applying electronically for HMGP grants using the HMGP system must attach a
copy of the signed Standard Form 424 “Application for Federal Assistance” as a scanned
attachment. HMGP does not collect information directly from individual property owners except
if corrections are needed for individual property owner information after original submission by
the grantee or sub-grantee.

2.3 Does the project use information from commercial sources or publicly available data? If so, explain why and how this information is used.

Yes, pursuant to Office of Management and Budget (OMB) policy on Use of a Universal
Identifier by Grant Applicants,[4] the HMGP system requires and maintains the Dun and
Bradstreet Number (DUNS) of grant applicants. HMGP uses the DUNS number for tracking
purposes and to validate address and point of contact information for grantees and sub-grantees.

2.4 Discuss how accuracy of the data is ensured.

Trained FEMA staff manually checks information submitted by eligible grantees for
accuracy. FEMA staff also manually verify information about the grantee, including the name of
the point of contact for the application, work address, work phone number, and work email
address, to determine grant eligibility. Prior to award of any HMGP funds, trained FEMA staff
manually verify individual property owner’s information included in a grant application against
NFIP data for flood insurance status and/or damage history. Additionally, all grant application
information is reviewed for accuracy throughout the lifecycle of the grant application by
comparing information regularly submitted by grantees and sub-grantees with programmatic and
financial reports generated and reviewed by FEMA staff on a quarterly basis.

[4] Office of Management and Budget, Use of a Universal Identifier by Grant Applicants, 68 Fed. Reg. 38402 (June 27, 2003).

2.5 Privacy Impact Analysis: Related to Characterization of the Information

Privacy Risk: There is a privacy risk that FEMA may collect more information than is
needed to award a HMGP grant.
Mitigation: This privacy risk is mitigated by only collecting information authorized by
federal statute. Additionally, the information is collected only for the purposes of determining
eligibility for grant funds and contacting organizations regarding grant status.

Section 3.0 Uses of the Information
3.1 Describe how and why the project uses the information.

The information is used to evaluate and determine the eligibility of states and local
communities and the proposed activities (specifically those that mitigate individual property
loss) for HMGP grant funding. Some applications by grantees and sub-grantees propose
activities that would impact properties privately owned by individuals, such as acquisition of a
property that has been repeatedly flooded. The information provided in the grant application is
necessary to verify whether a property is eligible for HMGP grant funds.

3.2 Does the project use technology to conduct electronic searches, queries, or analyses in an electronic database to discover or locate a predictive pattern or an anomaly? If so, state how DHS plans to use such results.

The system uses a technological search mechanism that enables FEMA to gather
individual addresses contained in an application so that FEMA can verify against records in the
NFIP system to protect against individual property owners receiving duplication of benefits for
property.

3.3 Are there other components with assigned roles and responsibilities within the system?

No other component within DHS has assigned roles and responsibilities within the
HMGP system. Only FEMA staff and grant applicants have roles and responsibilities within the
system.

3.4 Privacy Impact Analysis: Related to the Uses of Information

Privacy Risk: There is a privacy risk that information collected and maintained by
FEMA may be used for purposes other than those for which the information was originally
collected.
Mitigation: This privacy risk is mitigated by only allowing FEMA staff with a
documented “need to know” to access the information contained in the HMGP system. FEMA
provides training to all users on how to operate the HMGP system. All users must initially and
then during regular 90-day intervals sign a code of behavior statement and complete information
security training before accessing the system.

Section 4.0 Notice
4.1 How does the project provide individuals notice prior to the collection of information? If notice is not provided, explain why not.

FEMA provides notice of HMGP and the HMGP system collection of information
through the publishing of this PIA and DHS/FEMA – 009, Hazard Mitigation Assistance Grant
Programs System of Records Notice, which is being published in the Federal Register. FEMA
also provides notification using Privacy Act Statements on all forms (both electronic and paper-based) collecting information from the public and a Privacy Policy link on the online grant
application website.
Additionally, pursuant to the National Flood Insurance Act, 42 U.S.C. §4102(f)(3),
implementing regulations, 44 CFR 79.7(a), and both NFIP and HMA guidance, grantees and
sub-grantees are required to consult with individuals and obtain their voluntary consent to
participate in the program. Grantees and sub-grantees are also required to provide notice that
individuals’ information will be shared with FEMA as part of the grant application, award, and
management process. FEMA provides a sample notice for states to provide to participating
individual property owners.

4.2 What opportunities are available for individuals to consent to uses, decline to provide information, or opt out of the project?

Grantees and sub-grantees applying for the grant on behalf of the individual property
owner, whose property will be affected by the grant program, have the option to voluntarily opt
in or opt out of the grant programs. Participation in the program requires individual property
owners to provide information to support eligibility for grant funding. By providing the
information, individuals consent to FEMA’s use of their information for the sole purpose of
determining eligibility for grant funding. If sub-grantees contact the grantee, they can remove
their address as part of the grant application. The state will then convey any changes to FEMA
and FEMA will make any necessary grant application adjustments. If a sub-grantee either opts
out of the program, does not provide the necessary information needed to determine eligibility,
or requests to no longer participate in the grant program, then FEMA may not be able to provide
the specific grant funding for the property.
Notice of HMGP and the HMGP system’s collection, use, maintenance, retrieval, and
dissemination of grant information is provided in this PIA and in DHS/FEMA-009, Hazard
Mitigation Assistance Grant Programs System of Records Notice, which is being published in
the Federal Register. Notice is also provided through the grant application process. Prior to the
grantee submitting its grant application, it receives requests from sub-grantees who wish to be
part of the grant. The grantee notifies the sub-grantee that the property is part of the application
submission. The information submitted by the grantee is only used to ascertain eligibility for the
grant program.

4.3 Privacy Impact Analysis: Related to Notice

Privacy Risk: There is a privacy risk that individuals providing information to a grantee
or sub-grantee may not be aware that their information is being provided to FEMA for grant
eligibility purposes.
Mitigation: This privacy risk is mitigated by requiring the grantee and sub-grantee to
provide additional notice to individuals and obtain their consent to inclusion in the HMGP grant
application. Additionally, notice is provided through this PIA and DHS/FEMA – 009, Hazard
Mitigation Assistance Grant Programs System of Records Notice, which is being published in
the Federal Register.

Section 5.0 Data Retention by the project
5.1 Explain how long and for what reason the information is retained.

In accordance with Government Records Schedule (GRS) 3, Item 14, grant
administrative records and hard copies of unsuccessful grant applications files are destroyed by
FEMA when two years old. In accordance with GRS 3, Item 13, electronically received and
processed copies of unsuccessful grant application files will be stored by FEMA or FEMA
control for 3 years from the date of denial, and then deleted. In accordance with FEMA Records
Schedule N1-311-95-1, Item 1, grant project records are maintained for three years after the end
of the fiscal year that the grant or agreement is finalized or when no longer needed, whichever is
sooner. In accordance with FEMA Records Schedule N1-311-95-1, Item 3, grant final reports
are retired to the Federal Records Center three years after cutoff, and then transferred to NARA
20 years after cutoff.
In accordance with FEMA Records Schedule N1-311-95-1, Item 2; N1-311-01-8, Item
1; and N1-311-04-1, Item 1, all other grant (both disaster and non-disaster) records will be stored
for 6 years and 3 months from the date of closeout (which is the date FEMA closes the grant in
its financial system) and final audit and appeals are resolved and then deleted. Records of real
properties (property acquisition agreements and lists of acquired properties) acquired with
FEMA funds for the purpose of maintenance, in accordance with agreement terms of the grant,
cannot be destroyed until agreement with locality is no longer viable.

5.2 Privacy Impact Analysis: Related to Retention

Privacy Risk: There is a privacy risk that FEMA may keep information longer than the
time period approved by NARA.
Mitigation: This privacy risk is mitigated by using advanced records management
training, additional training offered by DHS and NARA, and advanced technology resources to
improve records management practices and functionality.

Section 6.0 Information Sharing
6.1 Is information shared outside of DHS as part of the normal agency operations? If so, identify the organization(s) and how the information is accessed and how it is to be used.

FEMA does not routinely share HMGP and HMGP system grant information outside of
FEMA as part of the normal course of operations. However, FEMA may share HMGP
information with the relevant grantee or sub-grantee that has applied for assistance.
Additionally, information may be shared with other federal, state, or local government agencies
charged with administering federal mitigation or disaster relief programs on a case-by-case basis
to prevent duplication of benefits and/or efforts consistent with applicable requirements of the
Privacy Act.

6.2 Describe how the external sharing noted in 6.1 is compatible with the SORN noted in 1.2.

DHS/FEMA-009, Hazard Mitigation Assistance Grant Programs System of Records
Notice, which is being published in the Federal Register, provides:
- Routine use H allows DHS/FEMA to share HMGP and HMGP system grant program
  information with federal, state, or local government agencies charged with administering
  federal mitigation or disaster relief programs. This is compatible with the purpose of the
  original collection to prevent duplication of benefits and efforts to ensure efficient use of
  FEMA funds.
- Routine use I allows DHS/FEMA to share HMGP and HMGP system grant application
  and award information with federal agencies, state agencies, local agencies, and private
  non-profits. This is compatible with the purpose of the original collection to determine
  eligibility for grant assistance.

6.3 Does the project place limitations on re-dissemination?

FEMA does not routinely share information with external entities. However, any non-routine sharing of information compatible with the SORN mentioned in Section 6.2 includes
notification that receipt of such information is protected by the Privacy Act and shall not be
further disclosed.

6.4 Describe how the project maintains a record of any disclosures outside of the Department.

The HMGP system allows for an input section that lists the date and recipient of all
disclosures made. Additionally, as identified in DHS/FEMA – 009, Hazard Mitigation
Assistance Grant Programs System of Records Notice, which is being published in the Federal
Register, requests for information within the HMGP system are made to the FEMA Disclosure
Office, which maintains the accounting of what records were disclosed and to whom under the
Privacy Act and Freedom of Information Act.

6.5 Privacy Impact Analysis: Related to Information Sharing

Privacy Risk: There is a privacy risk that an individual property owner’s information
may be used by other external organizations for purposes other than for grant funding eligibility.
Mitigation: This privacy risk is mitigated by limiting external sharing of information to
only the relevant grantee or sub-grantee that submitted and/or was awarded grant funding by the
HMA grant program, unless otherwise required by federal statute.

Section 7.0 Redress
7.1 What are the procedures that allow individuals to access their information?

Individual property owners can make requests directly to FEMA property by following
the procedures outlined in this PIA, DHS/FEMA – 009, Hazard Mitigation Assistance Grant
Programs System of Records Notice, which is being published in the Federal Register, and DHS
Privacy Act regulations, 44 CFR Part 6 and 6 CFR Part 5. Requests for Privacy Act information
must be in writing and be clearly marked “Privacy Act Request.” The name of the requester, the
nature of the record sought, and the required verification of identity must be clearly indicated.
Requests should be sent to: FOIA Officer, Records Management Division, Federal Emergency
Management Agency, Department of Homeland Security, 500 C Street, SW, Washington, D.C.
20472. Additionally, individual property owners can access their records through the grantee or
sub-grantee that has applied for the grant.

7.2 What procedures are in place to allow the subject individual to correct inaccurate or erroneous information?

Individual property owners can correct their information by directly contacting the
grantee or sub-grantee that has applied for the grant. Grantees can amend sub-grantee and their
own application information in the HMGP system by accessing the applicable grant application.
Also, grantees and sub-grantees may send a paper copy of the Standard Form 424 “Application
for Federal Assistance” with the appropriate box checked for change or correction of application
with the corrected individual property owner information attached. It is the responsibility of the
grantee or sub-grantee to notify FEMA of correction of any information related to their grant
application, including individual property owner information. FEMA staff review application
information throughout the grant lifecycle by comparing information regularly submitted by
grantees and sub-grantees with programmatic and financial reports generated and reviewed by
FEMA staff on a quarterly basis.
Additionally, individual property owners seeking access to their records contained in
DHS/FEMA – 009, Hazard Mitigation Assistance Grant Programs System of Records Notice,
which is being published in the Federal Register, or seeking to contest its content, may submit a
request in writing to FEMA's FOIA Officer, Records Management Division, Federal Emergency
Management Agency, Department of Homeland Security, 500 C Street, SW, Washington, D.C.
20472.

7.3 How does the project notify individuals about the procedures for correcting their information?

Individual property owners receive notification from the specific grantee or sub-grantee
with whom they have volunteered to participate in the HMGP grant application process. In
addition, this PIA and DHS/FEMA – 009, Hazard Mitigation Assistance Grant Programs System
of Records Notice, which is being published in the Federal Register, provide notification to
individuals regarding procedures for correcting their information.

7.4 Privacy Impact Analysis: Related to Redress

Privacy Risk: There is a privacy risk that individual property owners participating in a
HMGP grant process may be unable to correct information once it is provided to FEMA.
Mitigation: Individual property owners can request and correct information through the
grantee or sub-grantee that has applied for the grant and by following the procedures outlined in
this PIA, DHS/FEMA – 009, Hazard Mitigation Assistance Grant Programs System of Records
Notice, which is being published in the Federal Register, and the DHS Privacy Act Regulations,
44 CFR Part 6 and 6 CFR Part 5.

Section 8.0 Auditing and Accountability
8.1 How does the project ensure that the information is used in accordance with stated practices in this PIA?

Individual property owners’ records are accessed only by FEMA staff members with a
“need to know.” Also, FEMA limits access to the HMGP and HMGP system to those users with
valid, active accounts, with a user ID, and a password that conforms to DHS password
complexity rules. Users must update their passwords every 90 days. The HMGP system
employs access controls that suspend access rights for a user’s ID after three unsuccessful login
attempts within an hour.
The HMGP system records user activity in a log file. FEMA periodically reviews these
log files to safeguard against misuse of such systems. The technical safeguards include a role-based access to these log files that restricts users whose access is administrative in nature from
altering or auditing the log files.
Management controls include the periodic auditing of systems in accordance with DHS
SSP Directive 4300A, as well as current FEMA policies and procedures. Local system
administrators govern the roles and rules established within their applications and the auditing of
user accounts are within the IT system requirements as per the DHS SSP Directive 4300A.
Additionally, all FEMA systems are subject to a Privacy Compliance Review by the DHS
and FEMA Privacy Offices to ensure compliance with this PIA and other supporting
documentation.

8.2 Describe what privacy training is provided to users either generally or specifically relevant to the project.

FEMA employees and contractors are required to receive initial and annual standard
privacy training. Additionally, FEMA information technology system users are required to take
initial and annual security training to ensure their understanding of proper handling and securing
of sensitive information.

8.3 What procedures are in place to determine which users may access the information and how does the project determine who has access?

FEMA employees located in the regions can only access grant information for grantees
and sub-grantees in that particular region. Within the regions, FEMA utilizes role-based “need-to-know” access controls to ensure that users of HMGP and the HMGP system have an
appropriate level of access to the information contained therein. An individual’s job title, role,
and reason for requesting access, which FEMA verifies prior to granting system access,
determine the level of access the individual receives to the HMGP and HMGP system. FEMA
uses the NEMIS Access Control System (NACS) to allocate identifications and passwords for
use in the HMGP system to access information.
Contractor staff may provide system management, operations and maintenance,
application development, security monitoring, and Information System Security Officer (ISSO)
duties. All contractors are subject to the vetting requirements for suitability and a background
investigation in accordance with the DHS SSP Directive 4300A and contractors have signed
appropriate non-disclosure agreements and agreed to handle the information in accordance with
the privacy framework. Only those contractors with a verified need to know and approved
vetting are granted access to HMGP and the HMGP system.

8.4 How does the project review and approve information sharing agreements, MOUs, new uses of the information, new access to the system by organizations within DHS and outside?

Any HMGP system interface or information data sharing within DHS or other outside
organizations will require an MOU and/or ISA reviewed by the system steward, and will be fully
vetted through the FEMA IT Security Branch, FEMA Privacy Officer, and FEMA Office of
Chief Counsel prior to sending to DHS for a formal review and approval.

Responsible Officials
Eric M. Leckey
Privacy Officer
Federal Emergency Management Agency
Department of Homeland Security

Approval Signature
Original signed and on file with the DHS Privacy Office

________________________________
Mary Ellen Callahan
Chief Privacy Officer
Department of Homeland Security


File Type: application/pdf
File Title: Privacy Impact Assessment
Author: Department Of Homeland Security Privacy Office
File Modified: 2013-04-05
File Created: 2012-06-29
