Download:
pdf |
pdfPrivacy Impact Assessment
for the
Grants Management Modernization
(GMM)
DHS/FEMA/PIA-052
July 06, 2018
Contact Point:
Osman (Oz) Turan
Grants Management Modernization
Federal Emergency Management Agency
(202) 394-0652
Reviewing Official
Jonathan R. Cantor
Deputy Chief Privacy Officer
Department of Homeland Security
(202) 343-1717
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 2
Abstract
The Department of Homeland Security (DHS) Federal Emergency Management Agency
(FEMA) Grant Management Modernization (GMM) program owns and operates the GMM
Streamlined Platform for Agile Release and Transformation Acceleration (SPARTA) system.
Through the development and deployment of the GMM SPARTA system, GMM seeks to
streamline grants management across the Agency’s 40-plus grant programs through a usercentered, business-driven approach. The GMM SPARTA system will consolidate the
functionalities of FEMA’s ten legacy IT systems (listed in Appendix C) into a single grants
management IT platform. FEMA is publishing this Privacy Impact Assessment (PIA) because
GMM SPARTA collects, uses, maintains, retrieves, and disseminates personally identifiable
information (PII) of applicants, recipients, and sub-recipients for the purpose of executing FEMA
grants programs.
Overview
The primary mission of the Federal Emergency Management Agency (FEMA) is to
reduce the loss of life and property and protect the nation from all hazards, including natural
disasters, acts of terrorism, and other man-made disasters. This mission is accomplished by
leading and supporting the nation in a risk-based, comprehensive emergency management
system of preparedness, protection, response, recovery, and mitigation. In support of FEMA’s
mission, FEMA delivers numerous disaster and non-disaster financial assistance programs,
largely through grant agreements and cooperative agreements (herein collectively known as
grants). This accounts for a significant amount of federal funds for which FEMA is accountable.
For example, in fiscal year 2017, FEMA awarded over $2.6 billion in non-disaster assistance,
and $5.8 billion in disaster assistance. FEMA currently has PIAs published to cover the
administration of the disaster and non-disaster grants1 programs, as well as the Individual
Assistance program2. This PIA will not replace those documents as the overall processes,
collection, and use of associated PII remains the same, even with the deployment of GMM
SPARTA. This PIA covers the development and implementation of the GMM SPARTA system
and how it will be used to manage the grants programs.
FEMA’s grants support a broad scope of activities within emergency management. The
Agency manages 40-plus active grant programs (as of March 2018). These programs are
summarized in Appendix A.
Non-disaster and Disaster Grants
FEMA administers both non-disaster and disaster grants. Disaster grants are those awards
for public assistance, hazard mitigation, and other grants issued pursuant to a Presidentially1
2
See DHS/FEMA/PIA-013 Grant Management Programs available at www.dhs.gov/privacy.
See DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at www.dhs.gov/privacy.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 3
declared disaster or emergency. FEMA assists state, local, tribal, and territorial governments and
certain types of private, nonprofit organizations with facilitating response and recovery from the
devastating effects of disasters by providing technical assistance and financial disaster-related
grants and loans. Disaster grants are financial or direct assistance for debris removal; emergency
protective measures; the repair, replacement, or restoration of disaster-damaged, publicly-owned
facilities; or other recovery activities. FEMA disaster grants (including the Public Assistance
program) provide the most significant amount of federal funding and are the largest grant
programs in DHS. Disaster grants do not include recovery programs directed at individuals such
as the Individual Assistance program.
Non-disaster grants are not associated with a Presidential Declaration. They pertain to
homeland security, emergency management, fire fighter assistance, pre-disaster mitigation, and
related funding efforts. Non-disaster grants are directed at state, local, tribal, and territorial
governments, and certain types of private, nonprofit organizations. The grants aim to enhance
their preparedness capacity to prevent, respond to, and recover from an incident involving
chemical, biological, radiological, nuclear, explosive devices, or a cyber-attack. Applicants for
these grants are required to provide information to determine the eligibility of an activity
justifying grant funding.3
Individual Assistance Grants
Individual Assistance (IA)4 grants are authorized when a Governor or Tribal Chief
Executive requests federal assistance and the President of the United States declares a major
disaster or emergency.5 The IA Division’s mission is to ensure that disaster survivors have timely
access to a full range of programs and services to maximize their recovery. To support this
mission, the IA Division operates the IA programs, which include the Individual and Households
Program (IHP) and the Transitional Sheltering Assistance (TSA) program.6 The IHP provides
financial assistance and direct services to those who have necessary expenses and serious needs
as a direct result of a disaster and are unable to meet those needs through other means. The TSA
program provides survivors with lodging in hotels or motels that are paid directly by FEMA. The
provision of IHP and TSA requires FEMA to collect, use, maintain, and share PII and sensitive
PII (SPII)7 from applicants, and this is accomplished through various information technology
3
See DHS/FEMA/PIA-013 Grant Management Programs available at www.dhs.gov/privacy.
Individual Assistance refers to money or direct assistance to eligible individuals and households whose property
has been damaged or destroyed as a direct result of a major disaster or emergency and whose losses are not covered
by insurance or other means. See DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at
www.dhs.gov/privacy.
5
42 U.S.C. §§ 5121-5207.
6
42 U.S.C. § 5174(a)(1).
7
SPII refers to the use of the Social Security number, bank account information, and limited medical information.
For the purposes of this document, “PII” will be used to refer to both regular PII and SPII.
4
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 4
(IT) systems, applications, and forms.8
GMM SPARTA
FEMA has begun a multi-year effort to transform the way the Agency administers grants.
The Grants Management Modernization (GMM) program seeks to streamline grants
management across the Agency’s 40-plus grant programs through a user-centered, businessdriven approach. Currently, FEMA administers and manages the 40-plus grant programs by
using multiple, disparate IT systems. GMM will consolidate the functionalities of FEMA’s ten
legacy IT systems (listed in Appendix C) into a single grants management IT platform: the GMM
SPARTA system. GMM SPARTA will ingest grant application information from their various
collection points, and through the applications housed within the system, will manage the grant
through its lifecycle. GMM SPARTA will support the five sequential phases of the grants
management lifecycle – Pre-Award, Award, Post-Award, Closeout, and Post-Closeout – along
with the two-continuous phases – Grant Program Management and Business Intelligence – for
all grant programs. Having a consolidated system allows users, which includes DHS employees
administering the grants and the grant recipients and sub-grantees, to access a single system and
manage or participate in the grants process. The GMM program will also consolidate FEMA’s
grants operations, establishing a common grants management lifecycle and unifying business
processes across grant programs when possible. These changes will improve the efficiency and
effectiveness of FEMA’s grant operations, thereby strengthening the Agency’s ability to carry
out its mission.
The GMM SPARTA system is hosted in the Federal Risk and Authorization Management
Program (FedRAMP)-approved9 Amazon Web Services GovCloud (AWS). The GMM
SPARTA system is a cloud-based platform in which applications are deployed within its
boundaries. The GMM SPARTA platform is comprised of pre-production (Pre-PROD) and
production (PROD) environments as well as a management segment.
Applications for the GMM SPARTA platform are first developed in the SPARTAEngineering and Testing (SPARTA-ET) system, a separate IT system. FEMA will undergo Agile
development to incrementally develop and deploy specific applications and functionalities to the
GMM SPARTA platform. Agile development10 is an iterative approach to developing IT
capabilities when requirements and solutions evolve through collaboration between selforganizing and cross-functional teams. Agile development promotes continuous adaptive
planning, development, testing, and delivery/integration, and encourages rapid and flexible
response to change. Agile is not one specific methodology, but is a conceptual framework
8
For more information on Individual Assistance, please See DHS/FEMA/PIA-049 Individual Assistance (IA)
Program available at www.dhs.gov/privacy.
9
FedRAMP is a Government-wide program that provides a standardized approach to security assessment,
authorization, and continuous monitoring for cloud products and services.
10
For more information on Agile, please see: https://www.dhs.gov/sites/default/files/publications/Instruction_10201-004_Revision_00_Agile_Development_SIGNED_04-11-2016%281%29.pdf.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 5
implemented through various agile methods that promote delivering working, tested, deployable
IT solutions on an incremental basis to increase value, visibility, and adaptability, and to reduce
program/project risk. Once an application is developed in SPARTA-ET, it is tested and vetted
for application functionality and regulatory compliance. Once functionalities have been tested
and vetted, it is automatically transferred to the GMM SPARTA platform’s Pre-PROD
environment.
The GMM SPARTA Pre-PROD environment stores duplicate copies of PII that exists in
the production (i.e., live) environment for the purpose of testing the applications. The purpose of
the Pre-PROD is to simulate the production environment as closely as possible so the GMM team
can test applications in conjunction with other applications. Examples of such testing include
User Acceptance and Performance. User Acceptance testing ensures that the efforts made during
application development in SPARTA-ET were of value to the users. Performance testing must
be conducted with production-quality data to ensure that an application can optimally function
as expected within GMM SPARTA system. The Pre-PROD environment ensures that the
applications have been created, tested, and are ready for production deployment.
The GMM SPARTA PROD environment is the final deployment environment for
applications that have been fully vetted through scanning and testing. The PROD environment is
where recipients, applicants, managers, grant, and grant-support personnel will be able to
perform their grant-related duties. A list of PII data found in the PROD environment can be found
in Section 2.1 of this document. As of the writing of this PIA, there are no applications in the
production environment of the GMM SPARTA platform. Once operational, both federal and
public users of GMM SPARTA will access the subsystem grants applications through a publicly
accessible webpage. On the landing page, public users can request access to an application by
providing a verifiable email address. GMM SPARTA will email a temporary token to the email
address. Once the email address is verified by the user, an account is created. Federal users are
required to enter their Personal Identify Verification (PIV) card and Personal Identity Number
(PIN) in order to access GMM SPARTA.11
FEMA implements role-based access controls throughout the GMM SPARTA system to
ensure that data is visible to DHS personnel who have a germane business need. FEMA
granularly implements roles at the individual grant program level. This ensures that even those
personnel who are permitted access to SPARTA are only capable of viewing the data that is
associated with the specific grant program to which the user was assigned.
The GMM SPARTA platform’s management segment consists of software whose sole
purpose is to perform maintenance and recovery functions such as vulnerability scanning and
health and wellness checks of the platform. The management section employs tailored access
controls, which allow for bi-directional communication of health and performance alerts. It also
11
See DHS/ALL/PIA-014 Personal Identity Verification/Identity Management available at www.dhs.gov/privacy.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 6
employs command and control features driven to preserve the integrity, the confidentiality, and
the availability of the GMM SPARTA platform.
The GMM SPARTA system supports the following core functions:12
Pre-award grants management functionality, including program development,
application development, application reviews, and award determinations;
The awarding of grants, including funding obligation and award notifications;
Post-award grants management, including disbursement of funds, amendments,
reporting, and grant monitoring;
Grant closeout, including final reporting, final reports evaluation, final financial
reconciliation, and the closing of grant projects and awards;
Post-closeout grants management, including the tracking of post-closeout grant
requirements;
Grants program management functionality, including planning, audits, appeals,
user management, user support, and workflow management; and
Business intelligence, including data analytics, assessments, and trend analyses
of disaster, non-disaster, and IA grants.
GMM SPARTA supports the following high-level technical requirements:13
Providing a single platform that gives users the capability to perform the
following grants management business operations:
o Grant program planning and set-up;
o Grant application development and review;
o Processing grant awards and managing modifications to them;
o Processing financial transactions;
o Reporting and monitoring of award execution;
o Award closeout;
o Audits of compliance with policy and procedures;
o Maintenance of grant records; and
12
For more information on grant functions see DHS/FEMA/PIA-049 IA Program and DHS/FEMA/PIA-013 Grants
Management Programs available at www.dhs.gov/privacy.
13
See FEMA Grants Management Modernization Program, Concept of Operations, version 1-1-1, 2016.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 7
o Analysis of grant performance.
Providing role assignment, authorization, and permissions based on defined user
groups.
Providing users the capability to develop the following grants management
products:
o Grant program plans;
o Grant program announcements;
o Grant registrations and applications;
o Documentation of disaster damages;
o Application review records;
o Financial transaction records;
o Grant award packages;
o Amendments to grant awards;
o Reports on award execution;
o Results from grant award monitoring; and
o Grant closeout records.
Provide capability for users from different organizations to collaborate as they
execute grants management processes.
Providing recipient- or sub-recipient-centric grants case management capability.
Specific capability required includes:
o Tracking recipient/sub recipient data across grants programs;
o Identifying recipient/sub recipient relationships; and
o Tracking recipient/sub recipient progression through grants processes.
Providing automated workflow management for the following grants
management business processes:
o Grant program planning and set-up;
o Grant application development and review;
o Processing grant awards and managing modifications to them;
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 8
o Reporting and monitoring of award execution;
o Award closeout; and
o Maintenance of grant records.
Providing capability to support the following financial operations:
o Initiating financial transactions;
o Performing and reporting financial analyses;
o Enabling financial audits; and
o Providing controls on financial interactions.
Integrating and displaying the following information in customizable views:
o Program-level views of the workflow and financial status of multiple
awards under an individual grant program;
o Award-level views of the workflow and financial status and history of
individual grants; and
o Project-level views of the performance and financial status of multiple
projects within a grant.
Generating official grants files and records as users execute grants processes, and
providing access to grant files and records.
Providing capability for users to customize and perform the following analyses:
o Analyses of historical grant awards and projects across geographic areas,
recipients, grant programs, disasters, and years;
o Performance analyses of individual grant programs;
o Analysis of compliance with governing policies, standards, and
regulations; and
o Ad hoc data queries in support of custom analyses.
As stated above, FEMA is using the DHS Agile Development discipline during the
development of GMM SPARTA, meaning FEMA incrementally adds functionality and
applications to GMM SPARTA as part of the agile development process. FEMA will list all
applications within the GMM SPARTA system in an appendix to this as GMM SPARTA adds
new functionality that impacts PII. GMM will re-assess privacy implications of the system
through the submission of additional Privacy Threshold Analyses (PTA) for applications,
modules, proof of concepts, testing, and for operational uses of the GMM SPARTA solution that
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 9
do not fall under this PIA.14 FEMA will add these functions or applications to the appendix prior
to FEMA using the functions or applications to collect, retain, or disseminate PII. The GMM
SPARTA system resides within AWS facilities. AWS GovCloud, Contractor Owned, and
Contractor Operated facilities, provides a cloud-based solution that is FedRAMP-approved
through the General Services Administration’s (GSA) Joint Authorization Board (JAB) and
allows GMM SPARTA to have virtualized data assets that are Government-owned and
Government-operated.
The GMM SPARTA system uses PII to authenticate and authorize system users, determine
grant eligibility, determine which applications to award, process grant awards, process financial
transactions, and ensure that grant recipients comply with grant requirements, as described
above. For Individual Assistance programs, the GMM SPARTA system will use PII of disaster
survivors to determine their eligibility for assistance, determine the amount of assistance to
award them, provide hotel room lodging, process payments to them, allow them to check the
status of their awards, process appeals of FEMA’s determinations, verify their identities, refer
them to the U.S. Small Business Administration (SBA) to determine their eligibility for SBA
loans, determine their insurance holdings, and communicate with them.15
GMM SPARTA leverages the FEMA Enterprise Identity Management System (FEIMS)
for user authentication and registration of internal FEMA users. FEIMS is FEMA’s account
provisioning tool for those IT systems that do not support PIV card authentication. At present,
GMM SPARTA intends to register and manage external users (e.g., grant applicants and subrecipients) locally. This is subject to change as other grants information systems are currently
interfacing with the FEMA Account and Management System16 (FAMS) for external-user
account management. As functionality for other grant systems is developed and deployed, FAMS
integration may become a requirement. Both internal and external users have the ability to set up
notifications through email to ensure the appropriate users are being notified at different
milestones within the grants management lifecycle. The GMM SPARTA system collects PII
from points of contact at grantee organizations to grant access to the GMM SPARTA system as
well as for grant management purposes.
GMM SPARTA interfaces with DHS systems, external grants-related systems, and other
FEMA systems to leverage shared services, when possible. For example, GMM SPARTA will
interface with Authentication and Provisioning Services (APS),17 to leverage PIV-based
14
More information regarding the PTA process is available at https://www.dhs.gov/compliance.
See DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at www.dhs.gov/privacy.
16
FAMS provides authentication services for FEMA. FAMS services both internal users (authorized FEMA
employees and contractors) and external users (state, local, tribal, and territorial governments). Generally, FEMA
uses this system for external user account management. See DHS/FEMA/PIA-031 Authentication and Provisioning
Services (APS) available at www.dhs.gov/privacy.
17
For more information, see DHS/FEMA/PIA-031 Authentication and Provisioning Services (APS) available at
www.dhs.gov/privacy.
15
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 10
authentication and support automation through cryptographic logon. GMM SPARTA will also
interface with non-DHS external systems such as the Department of Human Health Services’
grants.gov to facilitate the initial grant application process.18 Appendix E lists the interfaces for
the GMM SPARTA system. GMM SPARTA interfaces with these systems through secure means
at the level of security that is commensurate with the sensitivity of information being ingested
by GMM SPARTA. The GMM SPARTA system will meet all applicable federal, department,
and agency financial (OMB Circular A-12719) and security regulations and guidelines (DHS
4300 A Sensitive Systems Handbook20) regarding auditability, compliance, privacy, and
security. Examples of security implementation strategies include layered encryption and integrity
schemes at the message, transport, application, and database levels.
The GMM SPARTA system will be fully operational by January 2020. FEMA will
continue to use the ten legacy systems during the GMM SPARTA development. FEMA will
regularly update this PIA as GMM SPARTA adds new functionality that impacts PII.
Typical Transactions with Non-Disaster and Disaster Grants
For non-disaster and disaster grants, the GMM SPARTA system will be used by grant
recipients, grant sub-recipients, and FEMA grant administrators throughout the grants
management lifecycle. During the Pre-Award and Award lifecycle phases, FEMA will typically
use the system to set up new funding opportunities by specifying their requirements. Recipients
will then use the system to discover the funding opportunities and apply for them—FEMA will
collect information from the recipients regarding their organization and the work they propose
under the grant. Sub-recipients may contribute to the application for some grant programs.
FEMA will use the system to review applications, make award recommendations and
determinations, and develop and communicate the grant award. Recipients will use the system
to accept the award.
During the Post-Award phase, FEMA and recipients will use the system to manage grant
activities. Recipients will use the system to request payments or request changes to the grant
(e.g., amendments to the scope, extensions of deadlines). Recipients will also report on their
expenditures and their progress in performing the work under the grant, in accordance with
grant program requirements. The system will collect information on the recipient, grant
expenditures, grant activities, and change requests. FEMA will use the system to review and
18
For more information about the HHS Grants Management System please visit the grants.gov website, available at
http://www.grants.gov and the 06.3 HHS PIA for Grants.gov System, available at
http://www.hhs.gov/pia/os_pia_summaries_fy12_q2.pdf.
19
OMB Circular A-127 prescribes policies and standards for executive departments and agencies to follow when
managing their financial management systems. For more information see
https://obamawhitehouse.archives.gov/omb/circulars_a127/.
20
The DHS 4300A Sensitive Systems Handbook provides techniques and procedures for implementing the
requirements of the DHS Information Security Program for DHS sensitive systems and systems that process
sensitive information for DHS. For more information see https://www.dhs.gov/publication/dhs-4300a-sensitivesystems-handbook.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 11
adjudicate change requests and to monitor the grant.
During Closeout, recipients will use the system to develop closeout reports, in accordance
with grant program requirements. The system will collect information on the recipient, grant
expenditures, and grant activities. Recipients may also request final payments at closeouts.
FEMA will use the system to review closeout reports, reconcile grant finances, and close the
grant. After closeout, recipients will report on their compliance with continuing grant
requirements, and FEMA will use the system to monitor compliance with those requirements.
After closeout of an award, additional maintenance and monitoring, including unforeseen
financial adjustments, recoupments, and property management (e.g., equipment
decommissioning), may occur based on grant program requirements. Maintenance and
monitoring should be consistent with the applicable statutes, regulations, and policies per the
various program office requirements.
In addition, FEMA and recipients may use the system at any point in the grants lifecycle
to generate business intelligence reports and analysis products; upload and view appeal
determinations and appeals adjudications; request and provide user support; support grant
audits; manage documentation; and track and manage workflows. The system may collect
information from recipients regarding their organization, their grant activities, and appeals of
FEMA determinations.
Typical Transactions for Individual Assistance Grants
For IA grants, recipients will not use the SPARTA system directly. Individuals will register
for IA via the DisasterAssistance.gov website, or other mechanisms such as telephone or inperson registrations via Disaster Assistance Improvement Program21 (DAIP) system, and the
GMM SPARTA system will receive these registrations via a system interface. The system will
collect information on individuals’ identities, their addresses, their insurance status, how they
were impacted by disasters, and other information needed to determine grant eligibility.22 FEMA
grants administrators will use the GMM SPARTA system to process IA registrations, including
determining eligibility, making awards, and scheduling grant payments. FEMA will also use the
system to track communications with individual grant applicants and recipients, appeals of
determinations, and other grants management functions.
21
For more information on the Disaster Assistance Improvement Program, see DHS/FEMA/PIA-049 Individual
Assistance (IA) Program available at www.dhs.gov/privacy
22
Id.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 12
Section 1.0 Authorities and Other Requirements
1.1
What specific legal authorities and/or agreements permit
and define the collection of information by the project in
question?
Impact and associations of legal authorities can be found detailed in Appendix F.
Homeland Security Act of 2002, Pub. L. No. 107-296 (codified as amended in 6
U.S.C. §§ 101-629)
Implementing Recommendations of the 9/11 Commission Act of 2007 (9/11 Act),
Pub. L. No. 110-53, 121 Stat. 266
Department of Defense Authorization Act, 1986, Pub. L. No. 99-145 (codified as
amended in various titles of the U.S. Code)
McKinney-Vento Homeless Assistance Act of 1987, Pub. L. No. 100-77 (codified as
amended in Titles 7 and 42 of the U.S. Code)
Federal Fire Prevention and Control Act of 1974, Pub. L. No. 93-498 (codified as
amended at 15 U.S.C. §§ 2201-2234)
Annual Department of Homeland Security Appropriations Acts of 2016 and 2017
Sandy Recovery Improvement Act of 2013
American Recovery and Reinvestment Act of 2009
Post-Katrina Emergency Management Reform Act of 2006, Pub. L. No. 109-295,
120 Stat. 1394, as amended
Section 102 of the Maritime Transportation Security Act of 2002, Pub. L. No. 107295 (codified as amended at 46 U.S.C. § 70107)
Federal Financial Assistance Management Improvement Act of 1999
Robert T. Stafford Disaster Relief and Emergency Assistance Act;
Sections 203, 403, 404, 406, 407, and 417 of the Robert T. Stafford Disaster
Relief and Emergency Assistance Act, as amended
National Historic Preservation Act of 1966, as amended, Pub.L. 89- 665, § 102,
16 U.S.C. § 470
Clinger Cohen Act23
23
Clinger-Cohen Act available at https://www.gpo.gov/fdsys/pkg/PLAW-104publ106/html/PLAW-104publ106.htm
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 13
Section 401 of the Personal Responsibility and Work Opportunity
Reconciliation Act of 1996
The Debt Collection Improvement Act of 1996
The Economy Act
Section 4 of the Government Performance and Results Act of 2010
Executive Order 12862, “Setting Customer Service Standards,”
Executive Order 13411, “Improving Assistance for Disaster Victims,”
5 U.S.C. § 301
Reorganization Plan No. 2 of 1970
Executive Order 9397 “Numbering System for Federal Accounts Relating to
Individual Persons,” as amended by Executive Order 13478 “Amendments to
Executive Order 9397 Relating to Federal Agency Use of Social Security
Numbers.”
44 U.S.C. § 3534 Federal Agency Responsibilities
National Flood Insurance Act, 42 U.S.C. § 4100, as amended by the BunningBereuter-Blumenauer Flood Insurance Reform Act of 2004, 42 U.S.C. § 4001,
et seq.
Single Audit Act of 1984, Pub. L. No. 98-502
Federal Financial Assistance Management Improvement Act, Pub. L. No. 106107 (1999)
Improper Payments Information Act of 2002 (IPIA), Pub. L. No. 107-300
Improper Payments Elimination and Recovery Act of 2010, Pub. L. No. 111204
Improper Payments Elimination and Recovery Improvement Act of 2012, Pub
L. No. 112-248 (2013)
Federal Funding Accountability and Transparency Act of 2006, Pub. L. No.
109-282
Digital Accountability and Transparency Act of 2014, Pub. L. No. 113-101
Grants Oversight and New Efficiency Act, Pub. L. No. 114-117 (2016)
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 14
1.2
What Privacy Act System of Records Notice(s) (SORN(s))
apply to the information?
The following SORNs apply to grant management programs processed by the project:
24
DHS/FEMA-004 Non-Disaster Grant Management Information Files System of
Records,24 which covers non-disaster grant information;
DHS/FEMA-009 Hazard Mitigation Disaster Public Assistance and Disaster Loan
Programs System of Records,25 which covers disaster-related grants and loans;
DHS/ALL-004 General Information Technology Access Account Records System
(GITAARS) System of Records,26 which covers the user information collected to
grant access to the corresponding IT systems supporting FEMA’s disaster and nondisaster grant programs.
DHS/ALL-026 DHS Personal Identity Verification Management System SORN,27
which covers the collection, use, and maintenance of personally identifiable
information for the purpose of issuing credentials such as identification badges;
DHS/FEMA-008 Disaster Recovery Assistance (DRA) Files SORN,28 which covers
IA disaster survivor information;
DHS/ALL-021 Department of Homeland Security Contractors and Consultants
SORN,29 which covers the collection and maintenance of DHS Contractor and
Consultants records; and
DHS/ALL-023 Department of Homeland Security Personnel Security Management
SORN,30 which covers the contact and background information of DHS contractors
and consultants contained in the Virginia Systems Repository IT system, which
supports the IA program.
DHS/FEMA-004 Non-Disaster Grant Management Information Files, 80 FR 13404 (March 13, 2015) available at
https://www.gpo.gov/fdsys/pkg/FR-2015-03-13/html/2015-05799.htm.
25
DHS/FEMA-009 Hazard Mitigation Disaster Public Assistance and Disaster Loan Programs System of Records,
79 FR 16015 (March 24, 2014), available at https://www.gpo.gov/fdsys/pkg/FR-2014-03-24/html/2014-06361.htm .
26
DHS/ALL-004 General Information Technology Access Account Records System (GITAARS), 77 FR 70792
(November 27, 2012), available at http://www.gpo.gov/fdsys/pkg/FR-2012-11-27/html/2012-28675.htm.
27
DHS/All-026 DHS Personal Identity Verification Management System System of Records, 47 FR 30301 (June 25,
2009), available at https://www.gpo.gov/fdsys/pkg/FR-2009-06-25/html/E9-14905.htm.
28
DHS/FEMA-008 Disaster Recovery Assistance Files, 78 FR 25282 (April 30, 2013) available at
https://www.gpo.gov/fdsys/pkg/FR-2013-04-30/html/2013-10173.htm.
29
DHS/ALL-021 Department of Homeland Security Contractors and Consultants 73 FR 63179 (October 23, 2008)
available at https://www.gpo.gov/fdsys/pkg/FR-2008-10-23/html/E8-25205.htm.
30
DHS/ALL-023 Department of Homeland Security Personnel Security Management 75 FR 8088 (February 23,
2010) available at https://www.gpo.gov/fdsys/pkg/FR-2010-02-23/html/2010-3362.htm.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 15
1.3
Has a system security plan been completed for the
information system(s) supporting the project?
A System Security Plan (SSP) for the Grants Management Modernization – Streamlined
Platform for Agile Release and Transformation Acceleration (GMM-SPARTA) is currently in
development, and FEMA is working towards an Authority to Operate (ATO). The anticipated
date of an ATO for the GMM SPARTA system is July 9, 2018. GMM SPARTA is participating
in a DHS Agile ATO process that will allow the GMM team to add functionality to the system
without having to through the standard DHS/FEMA waterfall method.31
1.4
Does a records retention schedule approved by the
National Archives and Records Administration (NARA)
exist?
Yes. GMM SPARTA inherits the records retention schedules currently used for the
disaster, non-disaster, and IA grants programs.
31
Under GRS 1.2, Item 010, grant and cooperative agreement program management
records, records related to the coordination, implementation, execution, monitoring,
and completion of grant and cooperative agreement programs, are temporary. These
records should be destroyed six years after final action is taken on the file, but longer
retention is authorized if required for business use.
Under GRS-3.2, Item 010, Test files and data in the Pre-Prod environment are
temporary and should be destroyed one year after the system is superseded by a new
iteration or when no longer needed by the Agency/IT administrative purposes to
ensure a continuity of security controls throughout the life of the system.
Under GRS-5.4, Item 080, Housing Rental and Lease Records are temporary and
should be destroyed three years after lease termination, lapse, reassignment, rejection
of application, cancellation of lease, or conclusion of litigation, as applicable.
Under GRS-5.5, Item 020, mail, printing, and telecommunication control records are
temporary and should be destroyed when one year old or when superseded or obsolete,
whichever is applicable, but longer retention is authorized, if required for business
use.
DAA-0563-2012-0002-0007 provides that all mission activities photographs that
provide adequate and proper documentation of mission activities are permanent. They
Waterfall development methodology is a highly structured development process where all stages must be
conducted sequentially until all requirements are fulfilled in a complete system.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 16
must be cut off at the end of the calendar year in which they were created. FEMA
must transfer to NARA in three year blocks at the end of the last year of the block,
along with any related documentation and external finding aids in hard copy or
electronic form.
Under N1-311-86-001, Item 4C6b, any correspondence with insurance carriers that
hold policies on disaster applicants’ residences are temporary. These files must be
consolidated at the appropriate regional office upon termination of the disaster (when
all families have been relocated to permanent housing; the audit, if one is made, has
been accepted by both FEMA and the state; and all monies due have been received).
These records should be retired to a Federal Records Center (FRC) one year after
termination, and they should be destroyed three years after termination.
Under N1-311-86-001, Item 4C6c, correspondence files associated with the
duplication of benefits are temporary. These files should be consolidated at the
appropriate regional office upon closeout of Disaster Field Operations. They should
be retired to an FRC one year after closeout, and destroyed three years after closeout.
Under N1-311-86-001, Item 4C10a, all IA program files, except those relating to
temporary housing and Individual and Family Grant programs, which include other
programs such as Disaster Unemployment Assistance, Crisis Counseling and
Training, Legal Services, Superfund, Flood Plain Management, Duplication of
Benefits, and the Cora Brown Fund, are temporary. They must be retired to inactive
storage when two years old, and destroyed when six years, three months old.
Under N1-311-86-001, Item 4C10b, Temporary Housing Files, including copies of
computer printouts scoreboards, Federal Coordinating Officer’s digests,
correspondence, and related records are temporary. They must be destroyed when
database elements have been established and defined.
Under N1-311-86-001, Item 4C10c, records relating to mobile home and travel trailer
program files, including copies of correspondence and procedures, are temporary.
These records should be cut off at the end of the calendar year, and destroyed six years
and three months after cutoff.
Under N1-311-86-001, Item 4C10d, files relating to permanent relocations under the
Superfund and purchases of properties under the National Flood Insurance Act of
1968, as amended, 42 U.S.C. 4001, et seq., which include headquarters files relating
to individual property owners, background data, addresses, value of property,
negotiation records, and related records, are permanent. These records should be cut
off at the conclusion of the project, retired to an FRC 3 years after cutoff, and then
transferred to the National Archives in 5-year blocks 20 years after cutoff.
N1-311-00-001, Item 1 provides that customer services satisfaction surveys that have
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 17
been filled out and returned by disaster applicants are temporary. They should be
destroyed upon the transmission of the final report.
N1-311-00-001, Item 2 requires that statistical and analytical reports that are based on
survey responses and document trends and recommend programmatic changes to
disaster assistance are temporary. They should be cut off at the close of the report,
retired to an FRC 3 years after cutoff, and destroyed 20 years after cutoff.
N1-311-00-001, Item 3 requires that a composite of survey results per disaster are
maintained in an agency-standard database. These records are temporary and should
be destroyed when no longer needed for analytical purposes.
N1-311-86-001, Item 4B6b requires that documents created in developing protection
criteria for shelters in private homes, including drawings, specifications, home
protection surveys, and other records on required protection for individual families in
their homes are temporary. They should be cut off at completion of the contract and
destroyed 3 years after cutoff.
Per N1-311-04-05, Item 1, all records categories associated with September 11, 2001,
and Hurricane Katrina are permanent, per the FEMA records disposition manual. This
disposition instruction is applicable to records, both paper and electronic, regardless
of format or media. These records are permanent, and they should be cut off when all
activity has ceased for the particular operations after. They should be transferred to an
FRC 1 year after cutoff and transferred to the National Archives 20 years after cutoff.
Per N1-311-04-05, Item 2, all records relating to Hurricane Katrina and September
11, 2001, which have temporary dispositions in the FEMA records disposition manual
are temporary. Cutoff occurs when all activity has ceased for the particular operations
area. They should be transferred to an FRC 1 year after cutoff and destroyed 75 years
after cutoff.
Per N1-311-04-05, Item 3, all records associated with a domestic catastrophic event,
to include September 11, 2001, and Hurricane Katrina are permanent, and should be
cut off when all activity has ceased for the particular operations area. The records
should be transferred to an FRC 1 year after cutoff, and transferred to the National
Archives 20 years after cutoff. This category includes, but is not limited to, records
relating to pre-response operations; the Presidential Declaration; Emergency
Coordination (EC); Emergency Support (ES); Urban Search and Rescue response
(US&R); Public Assistance (PA), including, but not limited to, project applications,
original damage survey report, mission assignments, funding documents, project time
extensions, applicant appeals, eligibility determinations, and documents on insurance
requirement, policies, procedures; Individual Assistance (IA) records including, but
not limited to, mission assignments, specific IA policies, and guidance/standard
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 18
operating procedures(s) and correspondence with state and local officials; and
Mitigation. This disposition instruction is applicable to records, both paper and
electronic, regardless of format or media.
N1-311-86-1, Item 4C8b(1), provides that master occupant/applicant files, containing
all original occupant-related documents, such as site requests, mobile home sales
documents, leases, or contracts, are temporary. These records should be consolidated
at the appropriate regional office at the end of Phase II, when applicants in shelters
are moved to permanent housing, retired to an FRC one year after the files are
consolidated, and destroyed six years three months after the files are consolidated.
Per N1-311-86-1, Item 4C8b (2), provides that working field applicant and occupant
files are temporary. They should be reviewed at the end of Phase I operations (when
all qualified applicants have received temporary housing) to ensure all occupantrelated original documents are in the master occupant/applicant files or Mobile Home
Storage Program files, as appropriate. These files should be destroyed when FEMA
stops providing services to the occupant.
Under N1-311-86-1, Item 4C8b (4), control records and logs relating to temporary
assistance program files are temporary. These records should be forwarded to the
appropriate regional office at the end of Phase II, retired to an FRC one year after the
end of Phase II, and destroyed six years and three months after the end of Phase II.
Under N1-311-95-001, Item 1, U.S. Fire Administration (USFA) grant project files,
containing correspondence, memoranda and letters, study reports, and other
unsolicited items received for consideration for a grant or cooperative agreement that
is later approved, are temporary. These records should be retired to the FRC at the end
of the fiscal year when the grant or agreement is finalized, and destroyed three years
after the cutoff or when no longer needed, whichever is sooner.
Under N1-311-95-001, Item 2, USFA grant and cooperative agreement case files,
containing approved applications, copies of financial records, supporting documents,
statistical information, and related records pertaining to the award, administration,
receipt, inspection, and payments of grants and cooperative agreements, are
temporary. These records should be retired to the FRC at the end of the fiscal year
when the grant or agreement is completed or closed, and destroyed six years and three
months after cutoff.
Under N1-311-95-001, Item 3, USFA final grant report, files containing the original
grant report or equivalent document, including appendices or attachments, for the
grant or cooperative agreement, are permanent. These records should be cut off at the
end of the fiscal year, transferred to the FRC 2 years after cutoff, and transferred to
National Archives 20 years after cutoff.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 19
1.5
If the information is covered by the Paperwork Reduction Act
(PRA), provide the OMB Control number and the agency
number for the collection. If there are multiple forms, include a
list in an appendix.
The information FEMA collects for its grant programs is covered by the PRA and
collected through Information Collection Requests (ICRs) listed in Appendix B. ICRs stored in
SPARTA that were originally supported by legacy grant management systems are as follows:
Disaster and Non-Disaster ICRs:
Emergency Preparedness and Response Directorate Grants Administration Forms
(Office of Management and Budget (OMB) 1660-0025);
Assistance to Firefighters Grant Program-Grant Application Supplemental
Information (OMB 1660-0054);
Fire Management Assistance Grant Program (OMB 1660-0058);
National Urban Search and Rescue Grant (OMB 1660-0073);
Urban Areas Security Initiative (UASI) Non Profit Security Grant Program
(NSGP) (OMB 1660-0110);
Transit Security Grant Program (TSGP) (OMB 1660-0112);
Tribal Homeland Security Grant Program (THSGP) (OMB 1660-0113);
Port Security Grant Program (PSGP) (OMB 1660-0114);
FEMA’s Grants Reporting Tool (GRT) (OMB 1660-0117);
FEMA Homeland Security Grant Program (HSGP) and Operation Stonegarden
(OPSG) Grant Program (OMB 1660-0119);
Regional Catastrophic Preparedness Grant Program (RCPGP) (OMB 16600123);
Homeland Security Grant Program (HSGP) (OMB 1660-0125); and
Emergency Management Performance Grant Program (OMB 1660-0126).
Public Assistance Progress Report and Program Forms (OMB 1660-0017).
Application for Community Disaster Loan Cancellation (OMB 1660-0082);
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 20
Community Disaster Loan Program (OMB 1660-0083).
Individual Assistance ICRs:
Disaster Assistance Registration (OMB 1660-0002);
Federal Assistance to Individuals and Households Program (OMB 1660-0061);
Manufactured Housing Operations Forms (OMB 1660-0030);
Direct Housing Program (OMB 1660-0138);
Debt Collection Financial Statement (OMB 1660-0011); and
Applicant Sheltering Assessment Tool (OMB 1660-0042)
Section 2.0 Characterization of the Information
2.1
Identify the information the project collects, uses, disseminates,
or maintains.
FEMA will not collect any new types of PII through the deployment of GMM SPARTA
that was not collected in the legacy systems. FEMA will continue to collect the following PII to
administer its grants programs:
Disaster and Non-disaster grants:
32
Name of Organization’s Designated Point of Contact (POC);
POC Title;
POC’s office mailing address;
POC’s office phone number;
POC’s office cellphone number;
POC’s office fax number;
POC’s work e-mail address;
Organization Name;
Organization’s Federal Employer Identification Number (EIN);
Organization’s Dun & Bradstreet (D&B) Data Universal Numbering System
(DUNS) Number;32
User ID;
Password;
The Data Universal Number System is a proprietary system developed and regulated by Dun & Bradstreet that
assigns a unique numberic identifier to a sigle business entity.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 21
Organization’s Bank Routing Number;
Organization’s Bank Account Number; and
FEMA Disaster Number;33
Individual Assistance grants:
Registration and Assistance Records:
FEMA Registration ID;
Applicant/Co-Applicant Information:
o Full Name;
o Social Security number (SSN) or Alien Registration Number (ANumber);
o Signature;
o Date of Birth;
o Phone numbers;
o Email addresses;
o Position Title;
o Employer Name;
o Language(s) spoken;
o Number of Dependents Claimed;
o User ID;
o Password;
o Personal Identification Number (PIN);
Witness Signature;
Damaged Dwelling:
o Addresses of the damaged dwelling and the applicant’s current location
(if other than the damaged dwelling);
o County;
o Geospatial location of dwelling; and
o
33
Information related to residence (type, own/rent, damage sustained).
Disaster-Related Expenses;
Emergency Needs (Food, Clothing, Shelter);
Special Needs (Mobility, Mental, Hearing, Vision, Other Care);
The FEMA Disaster Number is a unique identifier assigned to each Presidentially-declared disaster. It is not PII.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 22
Occupant and Household Information (for all occupants at the time of disaster):
o
Name (First Name, Middle Initial, Last Name);
o
Age;
o
Relationship to Applicant;
o
Dependent? (Yes/No);
o
Sex; and
o
Pre and Post-Disaster Income Information of Those Occupants 18 Years
of Age or Older.
Business Damage:
o
Self-Employment is Primary Income? (Yes/No); and
o
Business or Rental Property Affected? (Yes/No).
Authorization for Electronic Funds Transfer of Benefits:
o
Institution Name;
o
Account Type;
o
Account Number and Routing Number; and
o
Average Balance.
Comments and Correspondence from the Applicant;
Supporting documents to show proof of occupancy or ownership and verify
identity;
Public Records Information for Identity Verification;
Pre-registration Questionnaire Information;
Disaster Loan Status (Rejected, Approved, Declined, Verified, Cancelled);
Travel and accommodations-related information (e.g., flight information, travel
assistance needs, companion information);
Information related to determining eligibility for assistance: date of the disaster,
application status, insurance information, types and amount of damage to the
dwelling, results of the home inspection (including inspector’s notes and
determination);
Landowner’s Information (in cases in which FEMA is placing a manufactured
housing unit on the landowner’s land);
o
Name;
o
Address;
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 23
o
Phone number; and
o
Signature.
Correspondence and documentation related to determining eligibility and
appropriate housing unit size, type, and location for temporary housing
assistance including: general correspondence; complaints, recoupment, appeals,
oral hearings, and resolutions; requests for disbursement of payments; inquiries
from tenants and landlords; information related to household access and
functional needs; general administrative and fiscal information; payment
schedules and forms; termination notices; information shared with the temporary
housing program staff from other agencies to prevent the duplication of benefits;
leases; contracts; specifications for repair of disaster damaged residences;
reasons for revocation or denial of aid; sales information related to occupant
purchase of housing units; and the status or disposition of housing applications.
DAIP information supplied by partner agencies:
Change of Address Status Code (from Social Security Administration);
Disaster Loan Event Status Code (Rejected, Approved, Declined, Verified,
Cancelled) (from Small Business Administration);
Pre-registration Questionnaire Information (from the U.S. Department of Labor);
Pre-registration Questionnaire Session ID (from the U.S. Department of Labor);
Food for Florida Pre-registration ID and Application Status (from the State of
Florida); and
U.S. Department of Housing and Urban Development (HUD) Household Data
(from HUD).
Information provided by third parties:
“Pass/Fail” flag (for identify verification provided by third-party identity
verification service);
Public records information for Identity Provider (IdP); and
Contracted database that is used to validate and standardize the applicant’s
address.
Information generated by IA during processing and returned to the DAIP IT system:
FEMA Disaster Number;
Application Status (“In-Process,” “Submitted,” “Approved,” or “Denied”);
Housing Inspection Required (Y/N);
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 24
Priority of Assistance;
Type of Assistance being considered; and
Time Stamps.
Information collected in order to generate a www.disasterassistance.gov account:
User ID;
Password; and
Personal identification number (PIN).
Information collected by FEIMS to grant all personnel access to Automated
Construction Estimator 34(ACE) and DAIP:35
User ID; and
Password.
IT System Special Needs Option Information; and Specific Security Information
Collected from POCs:
Role Assignment and User Permissions;
Unique username;
Password; and
Security Question, which is one of the following:
1. What is your first pet’s name?
2. What is your father’s middle name?
3. What is your high school mascot?
4. Who is your childhood best friend?
Post-Award Reporting:
34
For most grant programs, recipients are required to report to FEMA on the
activities they perform under the grant, the financial status of the grant, and their
compliance with grant terms and conditions. Reporting can take place both
periodically throughout the grant’s period of performance and at closeout.
FEMA uses a number of standard forms for post-award reporting, and these
forms are listed in Appendix D. Information collected through these forms
For more information on Automated Construction Estimator, see DHS/FEMA/PIA-049 Individual Assistance (IA)
Program available at www.dhs.gov/privacy.
35
For more information on DAIP, see DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at
www.dhs.gov/privacy.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 25
includes:
o Name of reporting entity
o Address of reporting entity
o Congressional district of reporting entity
o Name of lobbying registrant
o Address of lobbying registrant
o Signature of certifying official
o Title of certifying official
o Telephone number of certifying official
o Email address of certifying official
o Recipient organization name
o Recipient organization address
o Recipient organization DUNS number
o Recipient organization employer identification number
o Recipient account number or identifying number
o Name of certifying official
o Address of certifying official
o Federal grant number
o Recipient account number
o Financial assistance identification number
o Name of payee
o Address of payee
o Name of report contact person
o Address of report contact person
o Email address of report contact person
o Phone number of report contact person
o Fax number of report contact person
o Description of real property
o Address of real property
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 26
o GPS coordinates of real property
o Real property ownership types
2.2
What are the sources of the information and how is
the information collected for the project?
The primary information sources for GMM SPARTA are the U.S. Department Health
and Human Services’ Grants.gov and the FEMA DAIP/DAC system.
For disaster and non-disaster grants, as identified in section 2.1, FEMA collects
information from officials and representatives (POCs) of states, local governments, territories,
and tribal entities; port authorities; transit agencies; non-profit organizations; inter-city passenger
rail systems; and (in rare instances) private companies from Grants.gov.
The primary source of information for IA grant programs originate from the DAIP/DAC
system. The DAIP/DAC system directly collects information from the subject individual when
he or she applies for disaster assistance.36 For identity verification purposes, FEMA has
contracted with an IdP authentication service to ensure that IA grant applicants are who they say
they are. The identity verification process takes place in the DAIP/DAC system. FEMA may also
receive applicant data from SBA or HUD, in the event that an applicant applies with either
agency first. The data elements that FEMA receives are defined in the HUD-DHS/FEMA CMA37
and the SBA-DHS/FEMA CMA.38
2.3
Does the project use information from commercial sources
or publicly available data? If so, explain why and how this
information is used.
Yes, pursuant to the Office of Management and Budget (OMB) policy on the Use of a
Universal Identifier by Grant Applicants,39 GMM SPARTA is required to maintain the DUNS
number for all disaster and non-disaster grant applicants. FEMA uses the DUNS number for
tracking purposes and to validate address and POC information for grantees and sub-grantees.
For IA grants, FEMA contracts with a third-party IdP service for identity verification
purposes. FEMA’s DAIP/DAC system collects applicants’ name, address, SSN, and date of birth
36
For more information on DAIP, see DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at
www.dhs.gov/privacy.
37
The SBA-FEMA CMA is currently being renewed. See Computer Matching Program between SBA and
DHS/FEMA, 80 FR 57902 (September 25, 2015) available at https://www.gpo.gov/fdsys/pkg/FR-2015-0925/html/2015-24477.htm.
38
The HUD-FEMA CMA is currently being renewed. See Computer Matching Program between HUD and
DHS/FEMA, 81 FR 63195 (September 14, 2016) available at https://www.gpo.gov/fdsys/pkg/FR-2016-0914/pdf/2016-22006.pdf.
39
See Use of a Universal Identifier by Grant Applicants, 68 FR 38402 (June 27, 2003) available at
https://obamawhitehouse.archives.gov/sites/default/files/omb/assets/omb/fedreg/062703_grant_identifier.pdf.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 27
and sends the data to the third-party IdP services to verify that a person with these attributes
exists and the SSN is valid. The IdP then returns a “pass/fail” flag, based on a series of questions,
to the DAIP/DAC system. The DAIP/DAC shares this indicator with GMM SPARTA as
described in the IA PIA.40
2.4
Discuss how accuracy of the data is ensured.
GMM SPARTA assumes the information it receives from DAIP/DAC and Grants.gov is
accurate. Though information maintained within GMM SPARTA is not collected directly from
grantees, the accuracy of the data within GMM SPARTA is ensured through the means described
below.
For disaster and non-disaster grants, FEMA grant specialists verify information about
the grantee including the name of the POC for the application, work address, work phone
number, and work email address with the applicant organization. All grant application
information is reviewed for accuracy throughout the lifecycle of the grant application by
comparing information regularly submitted by grantees with programmatic and financial
reports generated and reviewed by FEMA staff on a quarterly basis. POCs may also directly
input the data into GMM SPARTA and have the opportunity to review grant application
information for accuracy at any point in the grant lifecycle.
Since IA grant applicants personally complete their registrations either online through
DAIP/DAC system or by hardcopy and then transferred as-is to GMM, the information is
presumed to be accurate. IA grant applicants who opt to use the telephone registration process
provide their information to the National Processing Service Center (NPSC) representative, who
enters the data into the system. Survivors receive a hard-copy printout of their registration via
a mail-out package and therefore are aware of their own registration information and informed
that they can correct errors and update information either through the online portal at
www.disasterassisitance.gov or by calling the NPSC.
Regardless of the manner of registration, all applicants must pass the IdP in order to
verify their identity.
2.5
Privacy Impact Analysis: Related to Characterization of
the Information
Privacy Risk: There is a risk that more information is collected from grant applicants
than is necessary.
Mitigation: This risk is mitigated because FEMA is required to follow already
established, specific guidelines regarding the scope of information collected. Information
required from grant applications collected is in accordance with FEMA policies and standard
40
Id.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 28
operating procedures. FEMA grant programs only collect information that is necessary to assess
grant applications to determine award eligibility; the deployment of GMM SPARTA does not
change the amount of PII collected.
Privacy Risk: There is a risk that GMM SPARTA could maintain inaccurate
information concerning grant applicants that may impact their eligibility because the data are
not collected directly from applicants.
Mitigation: This privacy risk is mitigated as FEMA provides opportunities for
individuals to access and correct their information. Disaster and non-disaster grant applicants
are able to review their applications prior to submission. Additionally, grant specialists check
information submitted by grantees for accuracy and verify information about the grant
applicant or grantee. The grant applicant is able to view and correct identified information
before final submission in GMM SPARTA. Grant applicants may contact system administrators
for the various grant management systems to request correction of information they have
submitted at any stage of the application process. Grant applicants are provided notice of
information correction procedures at the initial stage of the application process.
For IA grant applicants, FEMA mitigates this risk by sending each applicant a hard copy
printout of his/her application, thus providing the applicant with knowledge of any errors that
may exist within it. In addition, FEMA offers applicants multiple methods of correcting any
discrepancy in their data so that GMM SPARTA will properly process their applications, such
as making edits to their data via www.disasterassistance.gov, FEMA’s mobile website
http://m.fema.gov/, or contacting a NPSC representative via FEMA’s toll-free assistance
hotline. Moreover, GMM SPARTA and DAIP/DAC will share registrant’s data virtually in realtime, so whenever an applicant updates his/her information through one of the above methods,
the information is updated in GMM-SPARTA immediately thereafter. Lastly, FEMA verifies
any IA grant applicant data received from other federal agencies against the applicant’s SSN,
and if inaccuracies are found in the received data, FEMA supplies the correct data from the
applicant’s FEMA file, which will automatically update HUD and SBA’s files via the CMAs.
Section 3.0 Uses of the Information
3.1
Describe how and why the project uses the information.
GMM SPARTA imports information for its non-disaster and disaster grants through the
Grants.gov system. FEMA collects, reviews, and evaluates grant applicants’ supporting
information to determine grant eligibility, facilitate communication through the grant lifecycle,
and facilitate the award of grant funds. FEMA uses this information to generate reports
summarizing grant activity. These reports are used to assist in the management and reporting of
grant programs including: overall grant management; program specific progress; functions and
monitoring; financial management; management of the grantee and sub-grantee (if available);
and system administration. FEMA uses information collected post-award to enforce compliance;
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 29
assess progress; and review costs, financial reports, performance reports, and audits.
GMM SPARTA imports IA grant applicant information from the DAIP/DAC system.
FEMA uses the IA grant applicant information collected for inspection management, which
verifies IA grant applicant damage claims and assesses repair or replacement costs. IA grant
applicants are required to submit supporting documents such as a driver’s license or a
government-issued picture ID, property title, tax bill, or utility bill for proof of occupancy. FEMA
also uses subsets of applicants’ PII for administrative purposes including: budgeting, sheltering,
prioritizing assistance, and administering the appeals process. Further, FEMA shares IA grant
applicant PII with participating partner agencies, SBA and HUD, which then use the information
to contact applicants about additional assistance that may be available through a participating
partner agency when the applicant does not choose to register for such assistance electronically.41
FEMA uses the IA grant applicant/co-applicant’s SSN both as proof that the individuals
are who they are representing themselves to be by verifying their identity through the IdP, as
well as to ensure that the SSNs that were used as part of the application package do not receive
duplicate benefits from FEMA or other sources.
FEMA uses data in pre-production testing predominantly for significant application
releases to ensure the application’s efficacy and the health of the application as a whole (e.g.,
Modifying the data of a legacy grant system).The Pre-PROD environment is a logically isolated,
scaled-down version of production used solely for integration, acceptance, and performance
testing where data must be as production-like as possible to ensure lowest level of discrepancies
before production deployment. This environment is not used at the release of every feature, as
most features are insignificant related to the scope of the application. Data used in the pre-PROD
environment consists of snapshots of production data, is not updated, is isolated from the
production environment, and is never used operationally. Data used in Pre-PROD is destroyed
immediately after testing is finalized.
3.2
Does the project use technology to conduct electronic searches,
queries, or analyses in an electronic database to discover or
locate a predictive pattern or an anomaly? If so, state how DHS
plans to use such results.
No.
3.3
Are there other components with assigned roles and
responsibilities within the system?
During major disasters, FEMA may use support personnel from other federal agencies,
such as the Internal Revenue Service (IRS), or from other DHS components as surge capacity
41
See DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at www.dhs.gov/privacy.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 30
force. As such, these personnel may be granted access to GMM SPARTA if they are supporting
the IA grant application process. Grants personnel at DHS headquarters are also granted access
to the GMM SPARTA system.
3.4
Privacy Impact Analysis: Related to the Uses of Information
Privacy Risk: Personnel could use the information in the GMM SPARTA system for
purposes other than those for which it was originally collected.
Mitigation: FEMA mitigates this privacy risk in several ways. First, FEMA limits its
data collection from GMM SPARTA users to only data that is required to process their respective
applications. Second, datasets from GMM SPARTA are minimized to reduce the amount of PII
that transverses FEMA IT systems and to ensure that only those FEMA programs and personnel
with a need to know are able to access this PII. Third, FEMA also limits GMM SPARTA access
to authorized users. Access is based on an individual’s roles and responsibilities, and all users
are required to sign a Rules of Behavior Agreement in order to access any FEMA system. Any
individual, including IRS agents, discovered to have inappropriately accessed the GMM
SPARTA system will face disciplinary action up to and including loss of security clearance
and/or termination of employment. Lastly, the Information System Security Officer (ISSO) for
GMM performs periodic system access reviews.
Privacy Risk: There is a risk that Amazon Web Services (AWS) may wish to use data
hosted within the cloud computing environment for their own purposes.
Mitigation: This risk is mitigated. AWS is committed, through the contracting process,
to abide by all DHS security and privacy requirements. AWS performs due diligence on its
employees during the hiring process. AWS also trains its employees on data responsibility as
well as audits their activities. Additionally, due to the encryption key management service within
the AWS Cloud architecture, AWS personnel are incapable of using or redistributing any FEMA
data processed and stored within AWS unless they are required to do so to comply with federal
law, or with a valid and binding order of a governmental or regulatory body. These encryption
keys are generated and maintained by the customer (FEMA).
Privacy Risk: There is a risk that using live data for pre-production testing will allow
personnel with no business need to access applicant PII.
Mitigation: This risk is mitigated. The Pre-PROD environment is one of three
environments in the GMM SPARTA system. All three environments have the same security
controls. The Pre-PROD environment uses production data that is captured at a moment in time.
The data does not update. When the GMM developers make a copy of the production data, it
does not leave the boundaries of the GMM SPARTA system. Only application developers and
system administrators have access to the Pre-PROD environment and only for the applications
they are responsible for developing. Pre-PROD data is destroyed immediately after an
application is tested.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 31
Section 4.0 Notice
4.1
How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain
why not.
Notice is provided by way of this PIA and the SORNs listed in 1.2. FEMA also provides
grant applicants a notice as required by the Privacy Act, 5 U.S.C. § 552a(e)(3). The Privacy Act
notice is provided in both paper and electronic versions of the grant application. The notice states
the reasons for collecting information, the consequences of failing to provide the requested
information, and explains how the information is used. Additionally, a Privacy Notice is provided
in hardcopy, electronic form, or verbally by NPSC staff to IA grant applicants requesting
assistance.
4.2 What opportunities are available for individuals to consent
to uses, decline to provide information, or opt out of the project?
During the registration process, prior to entering any PII, FEMA informs IA grant
applicants, through the Privacy Notice, that all information provided is completely voluntary,
however, failure to submit the necessary PII may result in the denial of disaster assistance. An
IA grant applicant can also exit the registration process at any time prior to submitting the
application, and his or her PII will be deleted.
For disaster and non-disaster grant applicants, individuals voluntarily submit information
to FEMA for their organization’s disaster or non-disaster grant application. The organizations
can choose not to submit the information, but failure to do so prevents FEMA from considering
their grant application.
For all grants, individuals are notified of the uses of their information prior to collection.
All applicants give consent to the uses of their information by providing information on the grant
application. FEMA does not use the information outside of the uses or scope outlined in this PIA,
the applicable SORNs, and the notice provided on the relevant applications or systems. The PIA,
SORNs, and Privacy Notices will be updated if FEMA anticipates a need for a new use for the
information.
4.3
Privacy Impact Analysis: Related to Notice
Privacy Risk: Applicants or survivors may be unaware that their data is being used to
test GMM SPARTA applications.
Mitigation: This risk is partially mitigated. This PIA serves as the only explicit notice
that Applicant or survivor information will be used to test and develop GMM SPARTA
applications; however, FEMA will only use data to test applications that support the program
for which the information was initially collected. Additionally, only those with an authorized
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 32
need to know – i.e., those directly involved in the research, development, testing, and
experimentation process – will have access to the data. Lastly, no operational decisions are
made based on test results.
Privacy Risk: Applicants may be unaware of the collection and uses of their PII.
Mitigation: This risk is mitigated because notice is provided to applicants through the
Privacy Notices on all the forms that applicants complete, including the online forms in the GMM
SPARTA system, as well as verbally by the NPSC representative during a phone interview, this
PIA, and by the applicable SORNs listed in 1.2.
Privacy Risk: The individuals applying for FEMA’s grant assistance might not receive
a Privacy Notice informing them about what PII is collected and how it is used at the time their
information is collected.
Mitigation: This risk is mitigated because FEMA provides notice of its information
collection to facilitate the provision of its grant assistance in several ways. Methods include
Privacy Notices on paper forms, web and mobile sites, and a verbal privacy notice provided by
FEMA’s NPSC staff who provide telephone assistance to applicants. Lastly, this document and
the applicable SORNs listed in 1.2 provide notice of FEMA’s collection of information for grant
assistance programs.
Section 5.0 Data Retention by the project
5.1
Explain how long and for what reason the information is
retained.
Live data is duplicated and transferred to the Pre-PROD environment for testing
purposes. Data in the Pre-PROD environment is immediately deleted at the end of testing.
Under GRS-3.2, Item 010, Test files and data in the Pre-Prod environment are
temporary and should be destroyed one year after the system is superseded by a new
iteration or when no longer needed by the Agency/IT administrative purposes to
ensure a continuity of security controls throughout the life of the system.
Disaster and non-disaster grant application information is retained for audit, oversight
operations, and appeal purposes.
FEMA destroys grant administrative records and hard copies of unsuccessful grant
applications files after two years in accordance with General Records Schedule (GRS)
3, Item 14.
FEMA stores electronically received and processed copies of unsuccessful grant
application files for three years from the date of denial and then deleted in
accordance with GRS 3, Item 13.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 33
FEMA maintains grant project records for three years after the end of the fiscal
year that the grant or agreement is finalized or when no longer needed, whichever
is sooner, in accordance with National Archives and Records Administration
(NARA) Authority N1-311-95-001, Item 1.
FEMA retires grant final reports to the Federal Records Center (FRC) three years
after cutoff and transfers them to NARA 20 years after cutoff in accordance with
NARA Authority N1-311-95-001, Item 3.
FEMA stores all other grant records for six years and three months from the date of
closeout (when closeout is the date FEMA closes the grant in its financial system)
and final audit and appeals are resolved then deleted in accordance with NARA
Authority N1-311-95-001, Item 2; N1-311-01-008, Item 1; and N1- 311-04-001,
Item 1.
IA grant data is retained according to the records schedules defined in section 1.4,
depending upon the type of record and the schedule which it belongs to.
Under GRS 1.2, Item 010, grant and cooperative agreement program management
records, recordes related to the coordination, implementation, execution,
monitoring, and completion of grant and cooperative agreement programs, are
temporary. These records should be destroyed six years after final action is take on
the file, but longer retention is authorized if required for business use.
Under GRS-5.4, Item 080, Housing Rental and Lease Records are temporary and
should be destroyed three years after lease termination, lapse, reassignment, rejection
of application, cancellation of lease, or conclusion of litigation, as applicable.
Under GRS-5.5, Item 020, mail, printing, and telecommunication control records are
temporary and should be destroyed when one year old or when superseded or
obsolete, whichever is applicable, but longer retention is authorized, if required for
business use.
DAA-0563-2012-0002-0007 provides that all mission activities photographs that
provide adequate and proper documentation of mission activities are permanent. They
must be cut off at the end of the calendar year in which they were created. FEMA
must transfer to NARA in three year blocks at the end of the last year of the block,
along with any related documentation and external finding aids in hard copy or
electronic form.
Under N1-311-86-001, Item 4C6b, any correspondence with insurance carriers that
hold policies on disaster applicants’ residences are temporary. These files must be
consolidated at the appropriate regional office upon termination of the disaster (when
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 34
all families have been relocated to permanent housing; the audit, if one is made, has
been accepted by both FEMA and the state; and all monies due have been received).
These records should be retired to a Federal Records Center (FRC) one year after
termination, and they should be destroyed three years after termination.
Under N1-311-86-001, Item 4C6c, correspondence files associated with the
duplication of benefits are temporary. These files should be consolidated at the
appropriate regional office upon closeout of Disaster Field Operations. They should
be retired to an FRC 1 year after closeout, and destroyed three years after closeout.
Under N1-311-86-001, Item 4C10a, all IA program files, except those relating to
temporary housing and Individual and Family Grant programs, which include other
programs such as Disaster Unemployment Assistance, Crisis Counseling and
Training, Legal Services, Superfund, Flood Plain Management, Duplication of
Benefits, and the Cora Brown Fund, are temporary. They must be retired to inactive
storage when 2 years old, and destroyed when six years, three months old.
Under N1-311-86-001, Item 4C10b, Temporary Housing Files, including copies of
computer printouts scoreboards, Federal Coordinating Officer’s digests,
correspondence, and related records are temporary. They must be destroyed when
database elements have been established and defined.
Under N1-311-86-001, Item 4C10c, records relating to mobile home and travel trailer
program files, including copies of correspondence and procedures, e.g., acquisitions,
technical standards, and guides; specimen contracts and procurement documents; data
on mobile home programs at disaster sites; and working papers on manuals,
instructions, and other issuances are temporary. These records should be cut off at the
end of the calendar year, and destroyed six years and three months after cutoff.
Under N1-311-86-001, Item 4C10d, files relating to permanent relocations under the
Superfund and purchases of properties under Section 1362, which include
headquarters files relating to individual property owners, background data, addresses,
value of property, negotiation records, and related records, are permanent. These
records should be cut off at the conclusion of the project, retired to an FRC three years
after cutoff, and then transferred to the National Archives in 5-year blocks 20 years
after cutoff.
N1-311-00-001, Item 1 provides that customer services satisfaction surveys that have
been filled out and returned by disaster applicants are temporary. They should be
destroyed upon the transmission of the final report.
N1-311-00-001, Item 2 requires that statistical and analytical reports that are based
on survey responses and document trends and recommend programmatic changes to
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 35
disaster assistance are temporary. They should be cut off at the close of the report,
retired to an FRC three years after cutoff, and destroyed 20 years after cutoff.
N1-311-00-001, Item 3 requires that a composite of survey results per disaster are
maintained in an agency-standard database. These records are temporary and should
be destroyed when no longer needed for analytical purposes.
N1-311-86-001, Item 4B6b requires that documents created in developing protection
criteria for shelters in private homes, including drawings, specifications, home
protection surveys, and other records on required protection for individual families in
their homes are temporary. They should be cut off at completion of the contract and
destroyed three years after cutoff.
Per N1-311-04-5, Item 1, records pertaining to September 11, 2001, and Hurricane
Katrina and all records categories associated with these events are permanent, per the
FEMA records disposition manual. This disposition instruction is applicable to
records, both paper and electronic, regardless of format or media. These records are
permanent, and they should be cut off when all activity has ceased for the particular
operations after. They should be transferred to an FRC one year after cutoff and
transferred to the National Archives 20 years after cutoff.
Per N1-311-04-5, Item 2, all records relating to Hurricane Katrina and September 11,
2001, which have temporary dispositions in the FEMA records disposition manual
are temporary. Cutoff occurs when all activity has ceased for the particular operations
area. They should be transferred to an FRC one year after cutoff and destroyed 75
years after cutoff.
Per N1-311-04-5, Item 3, all records associated with a domestic catastrophic event,
to include September 11, 2001, and Hurricane Katrina are permanent, and should be
cut off when all activity has ceased for the particular operations area. The records
should be transferred to an FRC 1 year after cutoff, and transferred to the National
Archives 20 years after cutoff. This category includes, but is not limited to, records
relating to pre-response operations; the Presidential Declaration; Emergency
Coordination (EC); Emergency Support (ES); Urban Search and Rescue response
(US&R); Public Assistance (PA), including, but not limited to, project applications,
original damage survey report, mission assignments, funding documents, project time
extensions, applicant appeals, eligibility determinations, and documents on insurance
requirement, policies, procedures; Individual Assistance (IA) records including, but
not limited to, mission assignments, specific IA policies, and guidance/standard
operating procedures(s) and correspondence with state and local officials; and
Mitigation. This disposition instruction is applicable to records, both paper and
electronic, regardless of format or media.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 36
N1-311-86-1, Item 4C8b(1), provides that master occupant/applicant files, containing
all original occupant-related documents, such as site requests, mobile home sales
documents, leases, or contracts, are temporary. These records should be consolidated
at the appropriate regional office at the end of Phase II (when all sheltered individuals
and families have been moved to permanent housing), retired to an FRC one year
after the files are consolidated, and destroyed six years three months after the files are
consolidated.
Per N1-311-86-1, Item 4C8b (2), provides that working field applicant and occupant
files are temporary. They should be reviewed at the end of Phase I operations (when
all qualified applicants have received temporary housing) to ensure all occupantrelated original documents are in the master occupant/applicant files or Mobile Home
Storage Program files, as appropriate. These files should be destroyed when FEMA
stops providing services to the occupant.
Under N1-311-86-1, Item 4C8b (4), control records and logs relating to temporary
assistance program files are temporary. These records should be forwarded to the
appropriate regional office at the end of Phase II, retired to an FRC one year after the
end of Phase II, and destroyed six years and three months after the end of Phase II.
Under N1-311-95-001, Item 1, USFA grant project files, containing correspondence,
memoranda and letters, study reports, and other unsolicited items received for
consideration for a grant or cooperative agreement that is later approved, are
temporary. These records should be retired to the FRC at the end of the fiscal year
when the grant or agreement is finalized, and destroyed three years after the cutoff
or when no longer needed, whichever is sooner.
Under N1-311-95-001, Item 2, USFA grant and cooperative agreement case files,
containing approved applications, copies of financial records, supporting
documents, statistical information, and related records pertaining to the award,
administration, receipt, inspection, and payments of grants and cooperative
agreements, are temporary. These records should be retired to the FRC at the end of
the fiscal year when the grant or agreement is completed or closed, and destroyed
six years and three months after cutoff.
Under N1-311-95-001, Item 3, USFA final grant report, files containing the original
grant report or equivalent document, including appendices or attachments, for the
grant or cooperative agreement, are permanent. These records should be transferred
to the FRC two years after cutoff, and transferred to National Archives 20 years after
cutoff.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 37
5.2
Privacy Impact Analysis: Related to Retention
Privacy Risk: There is risk that FEMA will retain information longer than necessary.
Mitigation: FEMA only retains the information in accordance with the established
retention schedules above. System Administrators for each of the grant management systems and
grant management specialists are responsible for paper applications and for deleting or archiving
information in accordance with the retention schedules. An automated annual audit process exists
for grant management systems. This risk is mitigated because FEMA follows all pertinent records
schedules discussed in sections 1.4 and 5.1. In addition, the FEMA Records Branch provides
trainings to inform FEMA programs of proper record retention, disposition requirements, records
inventory training, file plan training, and file structure training to ensure that FEMA personnel are
aware of the National Archives’ requirements.
Privacy Risk: Due to the storage of data on a commercial platform, AWS, there could be
a failure to adhere to FEMA retention guidelines and schedules.
Mitigation: This risk is mitigated. Due to the encryption key management service within
the AWS Cloud architecture, AWS personnel are incapable of using or redistributing any FEMA
data processed and stored within AWS unless they are required to do so to comply with federal
law, or with a valid and binding order of a governmental or regulatory body. In the rare instances
when AWS personnel have access to FEMA data because of a law enforcement requirement or
court order, AWS is committed, through the contracting process, to abide by all FEMA record
retention schedules and security requirements. These requirements are a mandatory part of all
FEMA Statements of Work.
FEMA has access to AWS’s cloud hosting environment and will periodically audit the
vendor to ensure information is retained per the applicable retention schedules. Additionally, AWS
is contractually obligated to allow the DHS Office of Inspector General to conduct periodic
reviews to ensure that security and privacy requirements are being implemented and enforced.
Section 6.0 Information Sharing
6.1
Is information shared outside of DHS as part of the normal
agency operations? If so, identify the organization(s) and how
the information is accessed and how it is to be used.
Disaster and Non-disaster Grants
FEMA does not routinely share disaster and non-disaster grant information outside of
DHS as part of normal agency operations.
Individual Assistance Grants
FEMA routinely shares IA grant information outside of DHS with federal, state, tribal,
local, international, private sector, and voluntary entities, as defined in the Disaster Recovery
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 38
Assistance SORN,42 for the purposes of providing disaster assistance, meeting survivor needs, and
preventing the duplication of benefits. FEMA’s interagency partners are granted limited access to
information as it relates to their programs, and applicants are automatically routed to SBA or HUD
to determine their eligibility for benefits under their programs, depending on their income. In all
cases, access to the data is limited and is granted based on a demonstrated need-to-know basis.
Formalized Computer Matching Agreements (CMAs) are in place with SBA43 and HUD44 to
prevent a duplication of benefits. Each CMA requires that FEMA and HUD, and FEMA and SBA,
compare registration data to ensure that applicants are not receiving duplicate benefits. To do so,
each agency compares its records to those of its partner by using the SSN and FEMA Registration
ID as each applicant’s unique identifier. However, when a match is found, an applicant’s benefits
are not automatically denied or reduced. FEMA personnel (or HUD or SBA) conduct a manual
review of the match to ensure that the match is accurate. If and when this occurs, the agency that
has awarded benefits may reduce or deny additional benefits.
Additionally, FEMA shares IA grant information with other external partners for various
reasons. FEMA has partnered with the Social Security Administration to enable disaster applicants
who are currently receiving Social Security benefits to automatically change their address at SSA
within their www.disasterassistance.gov account to ensure continued receipt of benefits. FEMA
may also share information provided by disaster survivors with the Food for Florida Program
(FFF), which shares survivor data with the Florida Department of Children and Families (FDCF)
and the Florida Northwood Shared Resource Center (FNSRC) to prequalify and preregister
individuals for additional assistance. Lastly, FEMA may share IA grant information with a thirdparty identity service to verify the identity of FEMA applicants.45
6.2
Describe how the external sharing noted in 6.1 is compatible
with the SORN noted in 1.2.
As per 6.1 above, FEMA does not routinely share grant application information outside
of DHS for disaster and non-disaster grants.
The external sharing of IA grant information discussed in 6.1 is done under Routine Uses
F, H, and I of the Disaster Recovery Assistance SORN.46 Routine Use F allows FEMA to share
with its contractors when necessary for the purpose of providing disaster assistance. This routine
42
See DHS/FEMA-008 Disaster Recovery Assistance Files, 78 FR 25282 (April 30, 2013).
The SBA-FEMA CMA is currently being renewed. See Computer Matching Program between SBA and
DHS/FEMA, 80 FR 57902 (September 25, 2015). Available at https://www.gpo.gov/fdsys/pkg/FR-2015-0925/html/2015-24477.htm.
44
The HUD-FEMA CMA is currently being renewed. See Computer Matching Program between HUD and
DHS/FEMA, 81 FR 63195 (September 14, 2016). Available at https://www.gpo.gov/fdsys/pkg/FR-2016-0914/pdf/2016-22006.pdf.
45
See DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at www.dhs.gov/privacy.; DHS/FEMA008 Disaster Recovery Assistance Files, 78 FR 25282 (April 30, 2013).
46
See DHS/FEMA-008 Disaster Recovery Assistance Files, 78 FR 25282 (April 30, 2013).
43
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 39
use allows FEMA to share information with the text messaging service that is used to supply
survivors with registration status change notifications. Routine Use H allows FEMA to share
applicant information to prevent a duplication of benefits or to address the unmet needs of eligible,
ineligible, or partially eligible FEMA applicants. This sharing is compatible with the original
purpose of collection because FEMA conducts these information sharing activities in order to
prevent a duplication of benefits and to assist in addressing applicants’ unmet needs. Routine Use
I allows FEMA to share with federal, state, tribal, or local government agencies; voluntary
organizations; insurance companies; employers; any public or private entities; banks and financial
institutions when an applicant’s eligibility, in whole or in part, for IA benefits depends upon
financial benefits already received or available from that source for similar purposes as necessary
to determine benefits; and to prevent duplication of disaster assistance benefits. FEMA shares
information with these entities to prevent a duplication of benefits, as well as to determine IA
eligibility.
Additionally, FEMA memorializes external information sharing through a number of
documents, including CMAs, Information Sharing Access Agreements (ISAA), FEMA-State
Agreements, and Routine Use letters for ad hoc sharing. In this documentation, FEMA provides
the receiving entity with the security requirements to ensure that the data is protected from thirdparty disclosure, and that survivor PII is protected according to industry-standard security
practices.
Lastly, FEMA does not currently share user account information, but may in the future in
accordance with the DHS/ALL- 004 General Information Technology Access Account Records
System (GITAARS) SORN. FEMA will ensure any sharing is compatible with the original
collection of information, the purpose of which is to provide authorized individuals access to, or
allow them to interact with DHS information technology resources.
6.3
Does the project place limitations on re-dissemination?
Yes; FEMA places restrictions on re-dissemination. Contracts, MOUs, ISAAs, FEMAState Agreements, and CMAs between FEMA and each participating entity cover security
requirements for transmission of data, as well as the limitations on re-disseminating the data.
Additionally, Service Level Agreements (SLA), and Interconnection Security Agreements
(ISA) are in place with sharing partners detailing technical requirements for transmission and
security of data between FEMA, partner agencies, and FEMA’s contractors.
6.4
Describe how the project maintains a record of any
disclosures outside of the Department.
The GMM team maintains audits logs of access of information within the GMM
SPARTA system. All disclosure of records from GMM SPARTA are in accordance with
DHS/FEMA-004 Non-Disaster Grant Management Information Files SORN; the DHS/FEMA008 Disaster Recovery Assistance Files SORN; the DHS/FEMA-009 Hazard Mitigation
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 40
Disaster Public Assistance and Disaster Loan Programs SORN; and the DHS/ALL- 004 General
Information Technology Access Account Records System (GITAARS) SORN. These
disclosures are memorialized through various documents, including CMAs, ISAAs, FEMAState Agreements, and Routine Use letters, which are maintained by appropriate program
offices.
When an applicant or grantee makes a Freedom of Information Act (FOIA) request or a
request under the Privacy Act and records are disclosed, such disclosures are recorded through
the Information Management Division/Disclosure Branch’s standard practices, consistent with
the DHS Freedom of Information Act and Privacy Act Record Program SORN.47
6.5
Privacy Impact Analysis: Related to Information Sharing
Privacy Risk: The information in the GMM SPARTA system could be erroneously
disclosed.
Mitigation: FEMA mitigates the risk of unauthorized disclosure of GMM SPARTA
information because external sharing is limited to requests in writing, pursuant to the routine
uses in the respective SORNs and only for the minimum amount of data required to achieve a
documented business purpose. Robust technical, management, and operational controls are
implemented and sharing protocols are in place to confirm access to grant management systems.
These access procedures limit access to individuals with a valid “need-to-know,” which is also
the case for paper applications. Additionally, grant management programs audit disclosures of
grant applicant information.
Section 7.0 Redress
7.1
What are the procedures that allow individuals to access
their information?
Applicants can contact the grant program office or project that initially collected the
information or systems administrators for the various grant management systems where they
originally applied. Users can also access their information by logging into the GMM SPARTA
system. Grant applicants may consult the SORNs for additional information regarding how to
access their information via Privacy Act or Freedom of Information Act (FOIA) request
submitted to the FEMA Disclosure Office. Such requests should be sent to:
FEMA Information Management Division
Chief, Disclosure Branch
500 C Street, S.W., Mailstop 3172
Washington, D.C. 20472.
47
See DHS/ALL/PIA-028 DHS FOIA and Privacy Act Records Program available at www.dhs.gov/privacy.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 41
Individual Assistance grant applicants can access their information in several ways, as
described in the IA Program PIA.48 For example, if an applicant created an online account at
www.disasterassistance.gov, the applicant may access his or her information by logging into the
account using the User ID, password, and PIN that the applicant established when he or she
created the account, or applicants may call the published disaster assistance toll-free number to
check on the status of their application or access their records after providing registration ID.49
7.2
What procedures are in place to allow the subject individual
to correct inaccurate or erroneous information?
Applicants can correct inaccurate or erroneous information through the access methods
identified in section 7.1.
7.3
How does the project notify individuals about the procedures
for correcting their information?
GMM SPARTA users are notified of the procedures for correcting information prior to
the collection of information through applicable SORNs, the Individuals and Household Program
Unified Guidance,50 the www.disasterassistance.gov portal, and this PIA.
Moreover, redress is provided to IA grant applicants requesting assistance through an
appeals process. In addition, after registration through the DAIP system, each IA grant applicant
receives a mail-out package, which includes an application guide with directions for redress in a
section entitled, “I Want to Have My Case Reviewed Again (Appeal).”
7.4
Privacy Impact Analysis: Related to Redress
Privacy Risk: There is a risk that the GMM SPARTA system users are not able to correct
erroneous information.
Mitigation: This risk is mitigated in several ways. For IA grant applicants, FEMA
provides several means of redress and notice of procedures to applicants who wish to amend
their registration information. FEMA provides applicants with a direct notice of redress in the
mail-out packages sent to each applicant, as noted in Section 7.1 above.
For disaster and non-disaster grants, applicants can correct their information by
contacting the grant program office, the project that initially collects the information, or systems
administrators for the GMM SPARTA system. Additionally, FEMA manages this risk by
informing grant applicants of procedures for correcting their policy information through this PIA
48
See DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at www.dhs.gov/privacy.
For comprehensive list, see DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at
www.dhs.gov/privacy.
50
For more information on the Individuals and Households Unified Guidance, see DHS/FEMA/PIA-049 Individual
Assistance (IA) Program available at www.dhs.gov/privacy.
49
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 42
and the SORNs listed in Section 1.2.
Section 8.0 Auditing and Accountability
8.1
How does the project ensure that the information is used
in accordance with stated practices in this PIA?
FEMA ensures the practices stated in this PIA by leveraging standard operating
procedures (SOP), orientation and training, policies, rules of behavior, and annual user account
auditing. The GMM SPARTA system uses role based access controls ensuring access to grant
applicant information is both restricted and controlled. IT contractors handling the operations
and maintenance of the system have limited access to the system to support the troubleshooting
of technical system issues encountered on a day-to-day basis. FEIMS implements security access
controls and administers users’ roles and permissions based on organizational positions.
Positions are assigned and approved by the employees’ supervisors.
The GMM SPARTA system, and the FEMA systems it interfaces with, log all user
activities and can be monitored or audited at any time. Users are warned that their activities are
monitored and that they have no expectation of privacy in their use of the system. FEMA IT
security teams routinely conduct audits to ensure that there is no misuse of data and that users
are acting in accordance with FEMA’s rules of behavior. FEMA also encrypts all applicant data
while in transit and at rest.
8.2
Describe what privacy training is provided to users either
generally or specifically relevant to the project.
All FEMA employees and contractors are required to complete FEMA Office of
Cybersecurity Security Awareness Training and Privacy Awareness Training on an annual basis.
FEMA requires that all contracts contain cyber hygiene and privacy clauses, which require that
contract employees adhere to the requirements of the Privacy Act and other federal guidelines
that mandate privacy controls. Supplementary security and privacy training is provided for those
with additional security-related responsibilities.
8.3
What procedures are in place to determine which users may
access the information and how does the project determine
who has access?
Authorized FEMA personnel or contractors who handle the operations and maintenance
of the grant management systems have position-specific access to the system to support the
primary system function and troubleshoot technical system issues encountered on a day-to-day
basis. The GMM SPARTA system uses role-based access controls to control user rights to both
data and functionality. Permissions for access to data and functions used to manipulate the data
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 43
are defined for each FEMA position. Access permissions are based on the principles of separation
of duties and least privilege.
All assigned FEMA employees and contractor staff receive appropriate privacy and
security training and have necessary background investigations or security clearances for access
to sensitive, private, or classified information. Robust SOPs and system user manuals describe
user roles, responsibilities, and access privileges.
8.4
How does the project review and approve information sharing
agreements, MOUs, new uses of the information, new access to
the system by organizations within DHS and outside?
All external information sharing is memorialized via CMAs, ISAAs, ISAs, FEMA-State
Agreements, or Routine Use letters. CMAs are reviewed by FEMA’s Office of Chief Counsel,
FEMA’s Information Management Division (including the Privacy Branch), the Deputy
Administrator of FEMA, and the DHS Data Integrity Board. All other contractually-based
information sharing endeavors outside of FEMA are reviewed by the Office of Chief Counsel
(by each party to the agreement), the Office of the Chief Information Officer, and the FEMA
Privacy Branch for consistency with the SORNs listed in 2.1.
8.5
Privacy Impact Analysis: Related to the Accountability and
Integrity of the Information.
Privacy Risk: A privacy risk exists that the volume and sensitivity of the data makes it a
target of potentially malicious actors.
Mitigation: This risk has been mitigated by the implementation of encryption, auditing
protections, and the adherence to federal cyber security requirements. FEMA uses industrystandard cybersecurity practices, including encryption of applicant data both in transit and at rest.
Additionally, FEMA restricts access to applicant data to only those individuals with a
demonstrated need to know in order to perform their official job functions.
Privacy Risk: The data maintained by Amazon Web Services (AWS) for the purposes of
cloud hosting may be vulnerable to breach because security controls may not meet system security
levels required by DHS.
Mitigation: This risk is mitigated. FEMA is responsible for all PII associated with the
GMM SPARTA system, whether on a FEMA infrastructure or on a vendor’s infrastructure, and
it therefore imposes strict requirements on vendors for safeguarding PII data. This includes
adherence to the DHS 4300A Sensitive Systems Handbook, which provides implementation
criteria for the rigorous requirements mandated by DHS’s Information Security Program.51
51
See https://www.dhs.gov/publication/dhs-4300a-sensitive-systems-handbook.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 44
The privacy of grant applicants is further protected by contractual language written in the AWS
contract requiring the safeguarding of FEMA PII data.
Responsible Officials
William H. Holzerland
Senior Director for Information Management
Federal Emergency Management Agency
Department of Homeland Security
Approval Signature
Original, signed copy on file with the DHS Privacy Office
Origin
Jonathan R. Cantor
Deputy Chief Privacy Officer
Department of Homeland Security
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 45
Appendix A: FEMA Grant Programs52
Program
Purpose
GRANT CATEGORY 1. Mitigation: Hazards
Hazard Mitigation
Helps communities implement hazard mitigation measures following
Grant Program (HMGP) a Presidential major disaster declaration
Assists states, territories, tribes, and local communities in
Pre-Disaster Mitigation
implementing a sustained pre-disaster natural hazard mitigation
(PDM)
program
Flood Mitigation
Reduces or eliminates claims under the National Flood Insurance
Assistance (FMA)
Program
GRANT CATEGORY 2. Mitigation: Risk Management
Cooperating Technical
Enhances collaboration in maintaining up-to-date flood hazard maps
Partners (CTP)
and other flood hazard information
Encourages the establishment and maintenance of effective state
National Dam Safety
programs intended to ensure dam safety, to protect human life and
Program (NDSP)
property, and to improve state dam safety programs
GRANT CATEGORY 3. Mitigation: Community Assistance
Community Assistance
Provides technical assistance to communities in the National Flood
Program - State
Insurance Program (NFIP) and evaluate community performance in
Support Services
implementing NFIP floodplain management activities
Element (CAP-SSSE)
GRANT CATEGORY 4. Mitigation: Earthquake
National Earthquake
Reduces the risks of life and property from future earthquakes in the
Hazard Reduction
United States through the establishment and maintenance of an
Program (NEHRP)
effective earthquake risk reduction program
GRANT CATEGORY 5. Fire Preparedness
Assistance to
Meets the firefighting and emergency response needs of fire
Firefighters Grants
departments and nonaffiliated emergency medical service
(AFG)
organizations
Staffing for Adequate
Helps fire departments and volunteer firefighter interest
Fire & Emergency
organizations increase or maintain the number of trained, "front line"
Response Grants
firefighters available in their communities
(SAFER)
Enhances the safety of the public and firefighters with respect to fire
Fire Prevention &
and fire-related hazards by assisting fire prevention programs and
Safety Grants (FP&S)
supporting firefighter health and safety research and development
GRANT CATEGORY 6. Preparedness: Homeland Security
Emergency
Management
Assists state, local, territorial, and tribal governments in preparing for
Performance Grants
all hazards
(EMPG)
Supports enhanced cooperation and coordination among law
Operation Stonegarden
enforcement agencies in a joint mission to secure the United States’
Grant Program (OPSG)
borders along routes of ingress
52
Sources: Catalog of Federal Domestic Assistance, grant program literature, grant program Notices of Funding
Opportunity. Purpose statements were simplified and validated by the GMM Integrated Project Team (IPT).
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 46
State Homeland
Security Program
(SHSP)
Tribal Homeland
Security Grant Program
(THSGP)
Urban Areas Security
Initiative (UASI)
UASI Nonprofit Security
Grant Program (NSGP)
Intercity Bus Security
Grant Program (IBS)
Intercity Passenger Rail
Program (IPR)
Port Security Grant
Program (PSGP)
Transit Security Grant
Program (TSGP)
Countering Violent
Extremism (CVE)
Complex Coordinated
Terrorist Attacks
Program (CCTA)
Chemical Stockpile
Emergency
Preparedness Program
(CSEPP)
Supports the implementation of State Homeland Security Strategies
Strengthens the Nation against risks associated with potential
terrorist attacks
Addresses the unique planning, organization, equipment, training,
and exercise needs of high-threat, high-density Urban Areas
Supports physical security enhancements to non-profit organizations
that are at high risk of a terrorist attack and located within an Urban
Area Security Initiative (UASI)-eligible Urban Areas
Supports the creation of a sustainable program for the protection of
intercity bus systems and the traveling public from terrorism
Protects critical surface transportation infrastructure and the
traveling public from acts of terrorism and increase the resilience of
the Amtrak rail system
Supports maritime transportation infrastructure security activities
Supports transportation infrastructure security activities
Develops new efforts and expand existing efforts at the community
level to counter violent extremist recruitment and radicalization to
violence
Builds and sustains capabilities of local, state, tribal, and territorial
jurisdictions to enhance their preparedness for complex coordinated
terrorist attacks
GRANT CATEGORY 7. Preparedness: Chemical
Assists States and Local communities in efforts to improve their
capacity to plan for and respond to accidents associated with the
storage and ultimate disposal of chemical warfare materials
GRANT CATEGORY 8. Preparedness: Training
Homeland Security
Preparedness
Technical Assistance
Program (HSPTAP)
Emergency
Management Institute
(EMI) Training
Assistance
National Fire Academy
(NFA) Training
Assistance
Homeland Security
National Training
Program/National
Domestic
Preparedness
Consortium
(HSNTP/NDPC)
Builds State, Local, Tribal and Territorial (SLTT) capabilities to
prevent, protect against, respond to, and recover from major events
Defrays travel and per diem expenses of emergency management
personnel who attend training courses conducted by the Emergency
Management Institute
Provides travel stipends to first responders and emergency managers
attending Academy courses
Supports nationwide training initiatives and further the mission of
FEMA
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 47
Homeland Security
National Training
Program/Continuing
Training Grant
(HSNTP/CTG)
Develops and delivers innovative training programs that are national
in scope and have an important role in the implementation of the
National Preparedness System by supporting the building,
sustainment, and delivery of core capabilities essential to achieving
the National Preparedness Goal
Strengthens the State’s abilities to meet individual training mandates
State Fire Training
and bridge the gaps in their training programs with delivery of NFA
System Grant (SFTS)
courses and programs
GRANT CATEGORY 9. Preparedness: Standards
Emergency
Supports the development of standards for emergency preparedness
Management Baseline and response as well as a related assessment methodology for the
Assessments Grant
evaluation of State, local and territorial emergency management
(EMBAG)
organizations
National Incident
Develops and deploys consistent systems for the request, dispatch,
Management System
use, and return of resources needed to support local capabilities, and
(NIMS)
change outcomes for survivors
GRANT CATEGORY 10. Response: Search and Rescue
Urban Search &
Develops and maintains a national urban search and rescue
Rescue (US&R)
capability among the 28 task forces within the National Urban Search
Readiness Cooperative
and Rescue Response System
Agreements
Urban Search &
Rescue (US&R)
Pays for the Urban Search and Rescue Task Forces when they are
Response Cooperative activated for a disaster
Agreements
GRANT CAEGORY 11. Recovery (Organizational/Government Assistance)
Provides assistance to state, tribal and local governments, and
certain types of Private Nonprofit organizations so that communities
Public Assistance (PA)
can quickly respond to and recover from major disasters or
emergencies declared by the President
Fire Management
Mitigates, manages, and controls fire burning on publicly (nonAssistance Grant
federal) or privately owned forest or grassland that threatens such
(FMAG)
destruction as would constitute a major disaster
GRANT CATEGORY 12. Recovery (Individual Assistance)
Provides financial assistance to individuals and households directly
affected by a Presidentially declared disaster or emergency by
Housing Assistance
providing the financial means or direct services for temporary
housing, repair assistance, replacement assistance, or permanent or
semi-permanent housing construction
Provides financial assistance to individuals and households directly
affected by a Presidentially declared disaster or emergency, who
Other Needs
have other uninsured or under-insured, necessary expenses and
Assistance (ONA)
serious needs and are unable to meet such expenses or needs
through other means.
Assists individuals and communities in recovering from the
Crisis Counseling
challenging effects of natural and human-caused disasters through
Program (CCP)
the provision of community-based outreach and psycho-educational
services
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 48
Disaster Legal Services
(DLS)
Disaster
Unemployment
Assistance (DUA)
Disaster Housing
Operations for
Individuals and
Households (DHOPS)
Cora Brown Fund
Disaster Case
Management Grants
(DCM)
Emergency Food and
Shelter National Board
Program
Provides legal assistance to low-income individuals who, prior to or as
a result of a Presidentially declared disaster, are unable to secure
legal services adequate to meet their disaster-related needs
Provides temporary benefits to individuals whose employment or selfemployment has been lost or interrupted as a direct result of a major
disaster and who are not eligible for regular unemployment insurance
Addresses disaster-related housing needs of individuals and
households suffering hardship within an area that by Presidential
declaration has been designated as a disaster area
Supports disaster recovery for those survivors with unmet needs that
cannot be addressed through other forms of assistance
Provides a case manager as a single point of contact for a disaster
survivor to develop and carry out a Disaster Recovery Plan
Provides emergency economic assistance that keeps people off the
streets, from being evicted from their homes, or with groceries to
prevent hunger
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 49
Appendix B: OMB Forms
The following forms are used to collect applicant PII in order to provide disaster assistance:
OMB Control Number
FEMA Form Number
Form Title
1660-0002
Disaster Assistance Registration
009-0-1 (English)
Application/Registration for Disaster
Assistance
009-0-2 (Spanish)
Solicitud en Papel/Registro Para
Asistencia De Desastre
009-0-1T (English)
Tele-Registration Application for
Disaster Assistance
009-0-1Int (English)
Internet Application/Registration for
Disaster Assistance
009-0-2Int (Spanish) Internet, Registro Para Asistencia De
Desastre
009-0-1S (English)
Smartphone Application for Disaster
Assistance
009-0-2S (Spanish)
Smartphone, Registro Para Asistencia
De Desastre
009-0-3 (English)
Declaration and Release Form
009-0-4 (Spanish)
Declaración Y Autorización
009-0-5 (English)
Temporary Housing Program- Receipt for
Government Property
009-0-6 (Spanish)
Recibo de la Propiedad del Gobierno
1660-0011
Debt Collection Financial
Statement
127-0-1
Debt Financial Statement
1660-0017
Public Assistance Progress Report
and Program Forms
90-49
90-91
Request for Public Assistance
Project Worksheet (PW)
90-91A
Project Worksheet—Damage Description
and Scope of Work Continuation Sheet
90-91B
Project Worksheet—Cost Estimate
Continuation Sheet
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 50
90-91C
90-91D
90-120
121
90-123
90-124
90-125
90-126
90-127
90-128
1660-0025
Emergency Preparedness and
Response Directorate Grants
Administration Forms
1660-0030
Manufactured Housing Operations
1660-0054
Assistance to Firefighters Grant
Program-Grant Application
Supplemental Information
20-15
20-16, A, B, C
Project Worksheet—Maps and Sketches
Sheet
Project Worksheet—Photo Sheet
Special Considerations Questions
PNP Facility Questionnaire
Force Account Labor Summary Record
Materials Summary Record
Rented Equipment Summary Record
Contract Work Summary Record
Force Account Equipment Summary
Record
Applicant’s Benefits Calculation
Worksheet
Budget Information—Construction
Summary Sheet for Assurances and
Certifications
20-17
Outlay Report and Request for
Reimbursement for Construction
Program
20-18
20-19
Report of Government Property
Reconciliation of Grants and
Cooperative Agreements
20-20
76-10
089-9
Budget Information—Non-construction
Obligating Document for
Award/Amendment
Detailed Budget Worksheet
Request for Site Inspection
010-0-9
010-0-10
Landowner’s Authorization IngressEgress Agreement
009-0-130
Manufactured Housing Unit
Maintenance Work Order
009-0-136
Manufactured Housing Unit (MHU)
Installation Work Order
009-0-138
Manufactured Housing Unit Inspection
Report
080-0-2
Assistance to Firefighters Grants (AFG)
Application (General Questions and
Narrative)
080-0-2a
Activity Specific Questions for AFG
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 51
Vehicle Applicants
080-0-2b
Activity Specific Questions for AFG
Operations and Safety Applications
080-0-3
Activity Specific Questions for Fire
Prevention and Safety (FP&S)
Applicants
080-0-3a
Fire Prevention and Safety
080-0-3b
1660-0058
078-0-1 (previously
Fire Management Assistance Grant FEMA Form 90-58)
Program
089-0-24 (previously
FEMA Form 90-133)
1660-0061
Federal Assistance to
Individuals and Households Program
078-0-2 (previously
FEMA Form 90-32)
010-0-11
Research and Development
Request for Fire Management
Assistance Declaration
Request for Fire Management Sub-grant
Principal Advisor’s Report
Administrative Option Selection
010-0-12
Application for Continued Temporary
Housing Assistance
010-0-12S (Spanish) Programa de Individuos y Familias
Solicitud para Continuar la Asistencia de
Vivienda Temporera
1660-0073
089-10
National Urban Search and Rescue 089-11
Grant
089-12
089-13
089-14
089-15
1660-0082
90-5
Application for Community Disaster
Loan Cancellation
1660-0083
090-0-1
Community Disaster Loan Program
Narrative Statement
Performance Reports
Extensions/Budget Changes
Memorandum of Agreement Revisions
Self Evaluations
Task Force Deployment Data
Application for Loan Cancellation
Certification of Eligibility for Community
Disaster Loans
116-0-1
085-0-1
Promissory Note;
Local Government Resolution—Collateral
Security
090-0-2
Application for Community Disaster
Loan
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 52
1660-0110
089-25
Urban Areas Security Initiative (UASI)
Non Profit Security Grant Program 089-24
(NSGP)
1660-0112
089-4
Transit Security Grant Program
(TSGP)
089-4A
089-4B
1660-0113
089-22
Tribal Homeland Security Grant
Program (THSGP)
1660-0114
089-5
Port Security Grant Program (PSGP)
1660-0117
None
FEMA's Grants Reporting Tool (GRT)
1660-0119
089-16
FEMA Homeland Security Grant
089-20
Program (HSGP) and Operation
Stonegarden (OPSG) Grant Program
1660-0123
089-19
Regional Catastrophic Preparedness 089-17
Grant Program (RCPGP)
089-26
1660-0125
Homeland Security Grant Program
(HSGP)
089-1
1660-0126
Emergency Management
Performance Grant Program
1660-0138
Direct Housing Program
None
089-16
089-20
089-0-27
010-0-9
009-0-131
NSGP Prioritization of the Investment
Justifications
TSGP Investment Justification
TSGP Investment Justification
Background Document
TSGP Five-Year Security Capital and
Operational Sustainment Plan
THSGP—Tribal Investment Justification
Template
PSGP Investment Justification
None
OPSG Operations Order Report
Operations Order Prioritization
RCPGP Investment Justification
Template
RCPT Membership List
RCGCP (Sample) Detailed Project Plan
Template
HSGP Investment Justification (SHSP
and UASI)
OPSG Operations Order Report
OPSG Inventory of Operation Orders
Operation Stonegarden Daily Activity
Report (DAR)
None
009-0-129
Request for Site Inspection
Manufactured Housing Unit Sales
Calculator
Recertification Worksheet
Temporary Housing Agreement
Unit Pad Requirements Information
Checklist
Ready for Occupancy Status
009-0-42
Applicant Sheltering Assessment Tool
009-0-134
009-0-135
009-0-137
1660-0142
Applicant Sheltering Assessment
NGSP Investment Justification Template
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 53
Appendix C: Legacy Grants Management Systems
Grant System
Emergency Management
Mission Integrated
Environment (EMMIE)
National Emergency
Management Information
System (NEMIS)-Public
Assistance (PA)
Individual Assistance (IA)
(formerly NEMIS-IA)
NEMIS-Hazard Mitigation
Grant Program (NEMISHMGP)
Mitigation eGrants
Environmental and Historic
Preservation Management
Information System (EMIS)
Assistance Fire Grants (AFG)
eGrant portal
Non-Disaster Grants (ND
Grants)
Grants Supported
Public Assistance (PA)
Fire Management Assistance Grant (FMAG)
Public Assistance (PA)
Housing Assistance (HA)
Other Needs Assistance (ONA)
Disaster Housing Operations for Individuals and Households
(DHOPS)
Cora Brown Fund
Hazard Mitigation Grant Program (HMGP)
Pre-Disaster Mitigation Grants (PDM)
Flood Mitigation Assistance (FMA)
All grants programs where environmental and historic
preservation (EHP) compliance is an issue.
Assistance to Firefighters Grants (AFG)
Staffing for Adequate Fire & Emergency Response Grants
(SAFER)
Fire Prevention & Safety Grants (FP&S)
Cooperating Technical Partners (CTP)
National Earthquake Hazard Reduction Program (NEHRP)
National Dam Safety Program (NDSP)
Emergency Food and Shelter National Board Program (EFSNBP)
National Incident Management System (NIMS)
Emergency Management Baseline Assessments Grant (EMBAG)
Emergency Management Performance Grants (EMPG)
State Homeland Security Program (SHSP)
Urban Areas Security Initiative (UASI)
UASI Nonprofit Security Grant Program (NSGP)
Operation Stonegarden Grant Program (OPSG)
Tribal Homeland Security Grant Program (THSGP)
Intercity Bus Security Grant Program (IBSGP)
Intercity Passenger Rail Program (IPR)
Port Security Grant Program (PSGP)
Transit Security Grant Program (TSGP)
Countering Violent Extremism (CVE)
Homeland Security National Training Program (HSNTP)
Continuing Training Grant (CTG)
Homeland Security National Training Program (HSNTP) National
Domestic Preparedness Consortium (NDPC)
Homeland Security Preparedness Technical Assistance Program
(HSPTAP)
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 54
Grants Reporting Tool (GRT)
FEMA Applicant Case Tracker
(FAC-TRAX)
State Fire Training System (SFTS)
Countering Violent Extremism (CVE)
Complex Coordinated Terrorist Attacks (CCTA)
Urban Search & Rescue Readiness Cooperative Agreements
(US&R Readiness)
State Homeland Security Program (SHSP)
Urban Areas Security Initiative (UASI)
UASI Nonprofit Security Grant Program (NSGP)
Operation Stonegarden Grant Program (OPSG)
Tribal Homeland Security Grant Program (THSGP)
Public Assistance (PA)
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 55
Appendix D: Post-Award Reporting Forms
Form Name
OMB Number
Disclosure of Lobbying Activities (SF-LLL)
Federal Financial Report (SF-425)
Federal Financial Report (SF-425)
Federal Financial Report Attachment (SF-425A)
INSTRUCTIONS FOR THE SF-429 Real Property Status Report
SF-270 Request for Advance or Reimbursement
SF-271 Outlay Report and Request for Reimbursement for
Construction Programs
SF-429 Real Property Status Report (Cover Page)
SF-429-A Real Property Status Report ATTACHMENT A (General
Reporting)
SF-429-B Real Property Status Report ATTACHMENT B (Request to
Acquire, Improve or Furnish)
SF-429-C Real Property Status Report ATTACHMENT C (Disposition or
Encumbrance Request)
Tangible Personal Property Report - Annual Report - SF-428-A
Tangible Personal Property Report - Disposition Request/Report - SF428-C
Tangible Personal Property Report - Final Report - SF-428-B
Tangible Personal Property Report - SF-428
Tangible Personal Property Report - Supplemental Sheet - SF-428-S
4040-0013
4040-0014
4040-0014
4040-0014
4040-0016
4040-0012
4040-0011
OMB
Expiration
1/31/2019
1/31/2019
1/31/2019
1/31/2019
1/31/2019
1/31/2019
1/31/2019
4040-0016
4040-0016
1/31/2019
1/31/2019
4040-0016
1/31/2019
4040-0016
1/31/2019
4040-0018
4040-0018
6/30/2020
6/30/2020
4040-0018
4040-0018
4040-0018
6/30/2020
6/30/2020
6/30/2020
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 56
Appendix E: Interfaces for the SPARTA system
Name of
Application
Flood and
parcel
information
service53
Hotel lodging
application54
Disaster
Assistance
Improvement
Program55
(DAIP)
Data Lake56
(currently the
EDW)
Disaster
Emergency
Coordination57
(DEC)
53
Description of
Application
Commercial web
service which
provides access to
address correction,
national flood layer,
and parcel
information services
Commercial hotel
lodging application
that allows FEMA to
book hotel rooms
Disaster Assistance
Improvement
Program (DAIP) is an
application that
includes the Disaster
Assistance Center
(DAC) and allows
individuals to register
for FEMA grants
The Data Lake is
central location
where enterprise data
is consolidated for
cross-program
reporting
Interface Details
SPARTA will need to
interact with the service
for address correction,
national flood layer, and
parcel information
services of disaster
survivors.
Direction of
Data Exchange
Data
Exchanged
Inbound (to
GMM)
Address,
Floodplain
Mapping, and
Parcel Data (to
GMM)
SPARTA will need to
interface with the
application to book hotel Bi-directional
rooms for disaster
survivors.
Send: Eligible
registrant
lodging
information
Receive:
Registrant
billing
information (to
GMM)
SPARTA must interface
with DAIP to receive
individual registrations.
Bi-directional
Send: IA
disaster
configuration
Receive:
registration
intake
(applications)
Bi-directional
Send/receive
grants
information
Inbound (to
GMM)
Receive
disaster
information
SPARTA must interface
directly with the Data
Lake so that grant
information data is
available upon need
throughout FEMA.
DEC is where disaster SPARTA will need to
information is created interact with DEC for
and maintained
disaster information.
For more information, see DHS/FEMA/PIA-045 Hazard Mitigation Planning and Flood Mapping Products and
Services Support Systems available at www.dhs.gov/privacy.
54
For more information, see DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at
www.dhs.gov/privacy.
55
Id.
56
For more information, see DHS/FEMA/PIA-026 Operational Data Sore and Enterprise Data Warehouse available
at www.dhs.gov/privacy.
57
For more information, see DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at
www.dhs.gov/privacy.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 57
Document
Management58
Financial
management
solution59
Grants.gov60
Housing and
Urban
Development61
(HUD)
58
SPARTA must interface
Document
directly with the
Management system
Document Management Bi-directional
will be the document
system for access to
repository
documentation.
Send:
documents
Receive:
documents
SPARTA must interface
FEMA’s financial
directly with financial
Bi-directional
management solution management solution for
financial data.
Send: financial
transaction
requests
Receive:
financial
transaction
confirmations,
Vendor Data,
Commitment
Data,
ACCS Codes
All grant applications
are submitted
through Grants.gov, a
central grants
application
submission point for
everyone applying for
federal grants. Once
the grants application
is submitted through
grants.gov, it then
gets downloaded to
the associated
application
HUD provides Fair
Market Rental (FMR)
information to FEMA
to determine how
much money
registrants in
different areas should
receive for Rental
Assistance
SPARTA will need to
interact with Grants.gov
for grant information.
Bi-directional
SPARTA must interact
with HUD to determine
Inbound (to
the appropriate funds for
GMM)
housing Rental
Assistance.
Send:
published
solicitation
Push delivery
application
confirmation
Receive:
download
application
and the list of
available
applications
Receives: Fair
Market Rental
(FMR) data
from HUD.
In development
For more information, see DHS/FEMA/PIA-020 Wev Integrated Financial Management Information (WebIFMIS) available at www.dhs.gov/privacy.
60
For more information, see DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at
www.dhs.gov/privacy.
61
Id.
59
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 58
Incident
Management
Coordination
Assessment
and
Determination
(IMCAD)
The IMCAD System
provides emergency
coordination
information
SPARTA will need to
interact with IMCAD to
pull in relevant incident
and disaster data.
FEMA
Enterprise
Identity
Management
System62
(FEIMS)
The ISAAC System
provides a framework
to uniformly apply
security and access
controls for critical
mission application
SPARTA will need to
interact with ISAAC to
determine if a specific
user account has the
rights required to
complete an action.
Identification
verification
service63
Inbound (to
GMM)
Receive:
Incident
And
Disaster
Data
Bi-directional
Send:
Approvals (for
subgrantees)
Receive: user
credentials,
redirect and
organizations
Commercial
identification
verification service
SPARTA will interface
Bi-directional
that provides legal,
with the service for
professional, and risk identification verification.
solutions (to include
fraud detection)
Send:
validation of
verification of
the user
Receive:
validations
Receive: Flood
insurance
information,
Modernized
insurance
system64
Provides insurance
data
SPARTA must interface
with modernized
insurance solution to
obtain insurance data.
NEMIS65
(reference
tables)
NEMIS provides
standard tables, that
includes information
on FEMA divisions,
program offices, etc
SPARTA must interface
with the NEMIS
reference tables to
obtain standard FEMA
data.
62
Bi-directional
Bi-directional
Send: recipient
information,
property
information,
grant
information
Receive:
Reference
Data
(FIPS Places),
Environmental
Laws
Send: FIPS
Subdivisions
For more information, see DHS/FEMA/PIA-031 Authentication and Provisioning Services (APS) available at
www.dhs.gov/privacy.
63
For more information, see DHS/FEMA/PIA-049 Individual Assistance (IA) Program available at
www.dhs.gov/privacy.
64
To be developed.
65
Id.
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 59
Recipient
Grants
Management
System66
Recipient Grants
Management
Systems provide
recipient grants data
SPARTA will need to
interface with Recipient
Grants Management
Systems for recipient
grant information.
Small Business SBA provides loans to SPARTA will need to
Administration67 registrants who are
interface with the SBA
(SBA)
not eligible for IA
for loan information.
66
67
To be developed.
Id.
Bi-directional
Send/receive:
Grants
information
Bi-directional
Send: Loan
Referral
Receive: Loan
Decision
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 60
Appendix F: Authorities and Impacts
Authority
Robert T. Stafford
Disaster Relief
and Emergency
Assistance Act
Impact
Impacted Grant
Programs
Authorizes the President to contribute up to 75 percent
of the cost of hazard mitigation measures that the
President has determined are cost effective and that
substantially reduce the risk of future damage,
hardship, loss, or suffering in any area affected by a
major disaster (Sec 404)
HMGP
Authorizes the President to provide technical and
financial assistance to the State or local government
principally to implement predisaster hazard mitigation
measures that are cost-effective
PDM
Authorizes the Administrator to conduct or arrange, by
contract or otherwise, for training programs for the
instruction of emergency preparedness officials and
other persons in the organization, operation, and
techniques of emergency preparedness
EMI Training
Assistance
Authorizes the President to make contributions to a
state or local government for the repair, restoration,
reconstruction, or replacement of a public facility
damaged or destroyed by a major disaster and for
associated expenses incurred by the government
PA
Authorizes the President to provide assistance,
including grants, equipment, supplies, and personnel,
to any state or local government for the mitigation,
management, and control of any fire on public or
private forest land or grassland that threatens such
destruction as would constitute a major disaster
FMAG
Authorizes the President to establish a program of
disaster preparedness
EMPG
Authorizes the President to provide financial or other
assistance to individuals and households to respond to
the disaster-related housing needs of individuals and
households who are displaced from their predisaster
primary residences or whose predisaster primary
residences are rendered uninhabitable, or with respect
to individuals with disabilities, rendered inaccessible or
uninhabitable, as a result of damage caused by a major
disaster
HA
Authorizes the President to provide financial
assistance, and, if necessary, direct services, to
individuals and households who, as a direct result of a
major disaster, have necessary expenses and serious
ONA
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 61
needs in cases in which the individuals and households
are unable to meet such expenses or needs through
other means
National Flood
Insurance Act, 42
U.S.C. § 4100, as
amended by the
Bunning-BereuterBlumenauer
Flood Insurance
Reform Act of
2004, 42 U.S.C. §
4001, et seq.
Authorizes the President to provide professional
counseling services, including financial assistance to
State or local agencies or private mental health
organizations to provide such services or training of
disaster workers, to victims of major disasters in order
to relieve mental health problems caused or
aggravated by such major disaster or its aftermath
CCP
Requires the President to assure that programs
authorized by the Stafford Act are conducted with the
advice and assistance of appropriate federal agencies
and state and local bar associations whenever the
President determines that low-income individuals are
unable to secure legal services adequate to meet their
needs as a consequence of a major disaster
DLS
Authorizes the President to provide case management
services, including financial assistance, to state or local
government agencies or qualified private organizations
to provide such services, to victims of major disasters
to identify and address unmet needs
DCM
Authorizes the President to provide to any individual
unemployed as a result of a major disaster such
benefit assistance as the president deems appropriate
while such individual is unemployed for the weeks of
such unemployment with respect to which the
individual is not entitled to any other unemployment
compensation
DUA
Requires the Administrator of FEMA to carry out a
program to provide financial assistance to States and
communities, using amounts made available from the
National Flood Mitigation Fund, for planning and
carrying out activities designed to reduce the risk of
flood damage to structures covered under contracts for
flood insurance
FMA
Authorizes the Administator of FEMA to consult with,
receive information from, and enter into any
agreements or other arrangements with the head of
any state or local agency, or to enter into contracts with
any persons or private firms, in order that he or she
may (1) identify and publish information with respect to
all flood plain areas, including coastal areas located in
the United States, that has special flood hazards, and
(2) establish or update flood-risk zone data in all such
areas, and make estimates with respect to the rates of
CTP
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 62
probable flood-caused loss for the various flood risk
zones for each of these areas
Authorizes the Administrator of FEMA to make grants,
provide technical assistance, and enter into contracts,
cooperative agreements, or other transactions, on such
terms as he or may deem appropriate to accelerate the
identification of risk zones within flood-prone and
mudslide-prone areas
CAP-SSSE
Biggert-Waters
Flood Insurance
Reform Act of
2012
Requires the FEMA Administrator, in coordination with
the Technical Mapping Advisory Council, to establish an
ongoing program under which the Administrator shall
review, update, and maintain National Flood Insurance
Program rate maps
CTP
National Flood
Insurance Reform
Act of 1994
Requires the Administrator of FEMA to revise and
update floodplain areas and flood risk zones
CTP
Stewart B.
McKinney
Homeless
Assistance Act of
1987
Requires the Administrator of FEMA to award a grant to
the Emergency Food and Shelter National Board for the
purpose of providing emergency food and shelter to
needy individuals through private nonprofit
organizations and local governments
EFSNBP
National Dam
Safety Program
Act
Requires the FEMA Administrator to provide assistance
to assist States in establishing, maintaining, and
improving dam safety programs
NDSP
National
Earthquake
Hazards
Reduction Act of
2004
Establishes the National Earthquake Hazards
Reduction Program to promote the adoption of
earthquake hazards reduction measures by federal,
state, and local governments, national standards and
model code organizations, architects and engineers,
building owners, and others with a role in planning and
constructing buildings, structures, and lifelines through
grants, contracts, cooperative agreements, and
technical assistance;
NEHRP
Requires the FEMA Administrator to operate a program
of grants and assistance to enable states to develop
mitigation, preparedness, and response plans, prepare
inventories and conduct seismic safety inspections of
critical structures and lifelines, update building and
zoning codes and ordinances to enhance seismic
safety, increase earthquake awareness and education,
and encourage the development of multi-state groups
for such purposes
EMPG
Authorizes the Administrator of FEMA to award
assistance to firefighters grants
AFG
Federal Fire
Prevention and
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 63
Control Act of
1974
Authorizes the Administrator of FEMA to award fire
prevention and safety grants
FP&S
Requires the Administrator of FEMA to make grants
directly to career fire departments, combination fire
departments, and volunteer fire departments, in
consultation with the chief executive of the state in
which the applicant is located, for the purpose of
increasing the number of firefighters to help
communities meet industry minimum standards and
attain 24-hour staffing to provide adequate protection
from fire and fire-related hazards, and to fulfill
traditional missions of fire departments that antedate
the creation of the Department of Homeland Security.
SAFER
Authorizes the establishment and operation of the
National Academy for Fire Prevention and Control,
including developing curricula, training programs, and
other educational materials.
State Fire
Training
Systems Grant,
NFA Training
Assistance
Post-Katrina
Emergency
Management
Reform Act of
2006 (PKEMRA)
Appropriates funding for the Emergency Management
Performance Grant program
EMPG
Authorizes the FEMA Administrator to make grants to
administer the Emergency Management Assistance
Compact consented to by the Joint Resolution entitled
“Joint Resolution granting the consent of Congress to
the Emergency Management Assistance Compact”
EMAC-NIMS
Homeland
Security Act of
2002
Office for Domestic Preparedness shall have the
primary responsibility within the Executive Branch of
Government for the preparedness of the United States
for acts of terrorism, including directing and supervising
terrorism preparedness grant programs of the Federal
Government for all emergency response providers
OPSG, SHSP,
THSGP
Authorizes federal, state, and local entities to share
homeland security information to the maximum extent
practicable, with special emphasis on hard-to-reach
urban and rural communities
UASI
Authorizes the Secretary evaluate the effectiveness of
measures deployed to enhance the security of
institutions, facilities, and infrastructure that may be
terrorist targets
NSGP
Authorizes coordination of preparedness efforts at the
federal level, and working with all state, local, tribal,
parish, and private sector emergency response
providers on matters pertaining to combating terrorism,
including training, exercises, and equipment support
HSPTAP, NFATA
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 64
9/11 Commission
Act of 2007
Sandy Recovery
Improvement Act
of 2013
Requires the Secretary of DHS to establish and
promote a program to encourage technological
innovation in facilitating the mission of the Department
by encouraging and supporting innovative solutions to
enhance homeland security, to include the
establishment of a centralized federal clearinghouse
for information relating to technologies that would
further the mission of the Department for
dissemination, as appropriate, to federal, state, and
local government and private sector entities for
additional review, purchase, or use; and the provision
of guidance, recommendations, and technical
assistance, as appropriate, to assist federal, state, and
local government and private sector efforts to evaluate
and implement the use of technologies
EMBAG, EMACNIMS, US&R
Response
System
Authorizes the Secretary to evaluate the security of
intercity passenger bus and railroad stations, trains,
and infrastructure, including security capital
improvement projects that the Secretary determines
enhance bus and railroad station security
IBSGP, IPR,
TSGP
Authorizes the Secretary to establish a program for
making grants to eligible public transportation agencies
for security improvements
TSGP
Authorizes the Secretary to establish, operate, and
maintain a National Domestic Preparedness
Consortium within the Department
HSNTP/NDPC,
HSNTP/CTG
Establishes permanent work alternative procedures,
debris removal alternative procedures, and a dispute
resolution pilot program with associated changes to the
appeals process. Required FEMA to coordinate with
Federal Transit Administration on repairing and
restoring public transportation systems. Required the
FEMA Administrator to complete an analysis to
determine whether an increase in the Public Assistance
grant program small project threshold is appropriate.
Authorized rulemaking to address reimbursement of
straight-time force account labor costs for state, tribal,
and local government employees performing
emergency protective measures. Required FEMA to
publish public assistance grants in excess of $1 million
on the internet within 24 hours of award. Requires the
recipient/sub-recipient expenditure of obligated grant
funds within 24 months or funds be returned to the
agency. Directed the President to establish an
expedited and unified environmental and historic
preservation (EHP) process for disaster recovery
actions.
PA
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 65
Requires FEMA to provide monthly reports to Congress
and on the internet regarding DRF spending. Required
FEMA to make recommendations for the development
of a national strategy to reduce costs on future
disasters. Provided federally-recognized Indian tribal
governments the option to make their own request for
a Presidential emergency or major disaster declaration
independently of a state or to seek assistance under a
declaration for a state.
All disaster
grants
Directs FEMA to provide more objective criteria for
evaluating the need for assistance to individuals, to
clarify the threshold for eligibility, and to speed a
declaration of a major disaster or emergency under the
Stafford Act. Affirmed FEMA’s authority to lease
multifamily rental units and provide them to individuals
or households for use as direct temporary housing
when cost effective
IA
Provides FEMA the specific authority to pay for “child
care” expenses as disaster assistance under the Other
Needs Assistance (ONA) provision of the Individuals
and Households Program in addition to funeral,
medical, and dental expenses
ONA
Directs FEMA to streamline HMGP activities and to
adopt measures to expedite implementation of the
program. Allowed FEMA to provide up to 25 percent of
the estimated costs for eligible hazard mitigation
measures to a state or tribal grantee before eligible
costs are incurred. Allowed FEMA to implement, on a
pilot basis, HMGP Administration by states.
HMGP
Maritime
Transportation
Security Act of
2002
Authorizes the Secretary to establish a grant program
for making a fair and equitable allocation among port
authorities, facility operators, and state and local
agencies required to provide security services of funds
to implement Area Maritime Transportation Security
Plans and facility security plans.
PSGP
Department of
Defense
Authorization Act
of 1986
Authorizes the Secretary provision eliminating aging
stockpiles of Chemical Agents and Munitions stored
within the United States.
CSEPP
DHS
Appropriations Act
of 2016
Authorizes funds to combat emergent threats from
violent extremism and from complex, coordinated
terrorist attacks.
CVE, CCTA
Department of
Homeland
Security
Appropriates funding for Operation Stonegarden
OPSG
Appropriates funding for State Homeland Security
SHSP
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 66
Appropriations Act
of 2017
Program
American
Recovery and
Reinvestment Act
of 2009
Authorizes and appropriates funds for the ARRA Transit
Security Grant Program (TSGP), ARRA Port Security
Grant Program (PSGP), ARRA Fire Station Construction
Grants (SCG)
TSGP, PSGP,
SCD
National Historic
Preservation Act
of 1966
Requires that, before approving or carrying out a
federal, federally assisted, or federally licensed
undertaking, federal agencies to take into
consideration the impact that the action may have on
historic properties
All
Clinger-Cohen Act
Makes the Director of the Office of Management and
Budget responsible for improving the acquisition, use,
and disposal of information technology by the Federal
Government to improve the productivity, efficiency, and
effectiveness of federal programs, including through
dissemination of public information and the reduction
of information collection burdens on the public.
Requires the Director to oversee the development and
implementation of standards and guidelines pertaining
to Federal computer systems.
All
Personal
Responsibility and
Work Opportunity
Reconciliation Act
of 1996
Requires that an alien who is not a qualified alien is not
eligible for any federal public benefit
All
Debt Collection
Improvement Act
of 1996
Establishes procedures to maximize collections of
delinquent debts owed to the Government by ensuring
quick action to enforce recovery of debts and the use of
all appropriate collection tools; to minimize the costs of
debt collection by consolidating related functions and
activities and utilizing interagency teams; and to reduce
losses arising from debt management activities by
requiring proper screening of potential borrowers,
aggressive monitoring of all accounts, and sharing of
information within and among federal agencies.
All
Economy Act
Authorizes agencies to enter into agreements to obtain
supplies or services from another agency
All
Government
Performance and
Results Act of
2010
Requires the head of each agency shall make available
on a public website of the agency and to the Office of
Management and Budget an update on agency
performance
All
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 67
Executive Order
12862, “Setting
Customer Service
Standards”
Directs all executive departments and agencies that
provide significant services directly to the public shall
provide those services in a manner that seeks to meet
a customer service standard
All
Executive Order
13411,
“Improving
Assistance for
Disaster Victims,”
Establishes the policy of the Federal Government to
ensure that individuals who are victims of a terrorist
attack, natural disaster, or other incident that is the
subject of an emergency or major disaster declaration
under the Stafford Act, and who are thereby eligible for
financial or other assistance delivered by any
department or agency of the Executive Branch (federal
disaster assistance) have prompt and efficient access
to federal disaster assistance, as well as information
regarding assistance available from state and local
government and private sector sources
All disaster
grants
5 U.S.C. § 301
Authorizes the head of an Executive department or
military department to prescribe regulations for the
government of his department, the conduct of its
employees, the distribution and performance of its
business, and the custody, use, and preservation of its
records, papers, and property
All
Reorganization
Plan No. 2 of
1970
Establishes Domestic Council and Office of
Management and Budget
All
Executive Order
9397 “Numbering
System for
Federal Accounts
Relating to
Individual
Persons” as
amended by
Executive Order
13478
“Amendments to
Executive Order
9397 Relating to
Federal Agency
Use of Social
Security
Numbers”
Permits the use of social security numbers for accounts
pertaining to individual persons
All Individual
Assistance
grants
44 U.S.C. § 3534
Federal Agency
Responsibilities
Establishes federal agency responsibilities for
information security
All
Single Audit Act of
1984
Establishes uniform audit requirements for state and
local governments receiving federal financial
All grants made
to state and
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 68
assistance
local
governments
Federal Financial
Assistance
Management
Improvement Act
Establishes responsibilities for improving the
effectiveness and performance of federal financial
assistance programs; simplifying federal financial
assistance application and reporting requirements;
improving the delivery of services to the public; and
facilitating greater coordination among those
responsible for delivering such services
All
Improper
Payments
Information Act of
2002
Requires the head of each agency to, in accordance
with guidance prescribed by the Director of the Office of
Management and Budget, annually review all programs
and activities that it administers and identify all such
programs and activities that may be susceptible to
significant improper payments
All
Improper
Payments
Elimination and
Recovery Act of
2010
Amends the Improper Payments Information Act of
2002 in order to prevent the loss of billions in taxpayer
dollars
All
Improper
Payments
Elimination and
Recovery
Improvement Act
of 2012
Intensifies efforts to identify, prevent, and recover
payment error, waste, fraud, and abuse within federal
spending
All
Federal Funding
Accountability
and Transparency
Act of 2006
Requires the Office of Management and Budget to
ensure the existence and operation of a single
searchable website, accessible by the public at no cost
to access, that includes information for each federal
award
All
Digital
Accountability
and Transparency
Act of 2014
Establishes requirements for expanding the Federal
Funding Accountability and Transparency Act of 2006
by disclosing direct federal agency expenditures and
linking federal contract, loan, and grant spending
information to programs of federal agencies to enable
taxpayers and policy makers to track federal spending
more effectively; establishing Government-wide data
standards for financial data and providing consistent,
reliable, and searchable Government-wide spending
data that is displayed accurately for taxpayers and
policy makers on USASpending.gov; simplifying
reporting for entities receiving federal funds by
streamlining reporting requirements and reducing
compliance costs while improving transparency;
improving the quality of data submitted to
All
�Privacy Impact Assessment
DHS/FEMA/PIA-052 GMM SPARTA
Page 69
USASpending.gov by holding federal agencies
accountable for the completeness and accuracy of the
data submitted; and applying approaches developed by
the Recovery Accountability and Transparency Board to
spending across the Federal Government.
Grants Oversight
and New
Efficiency Act
Requires the Office of Management and Budget to
instruct each agency to submit to Congress and HHS a
report that lists each federal grant award held by such
agency; provides the total number of federal grant
awards, including the number of grants by time period
of expiration, the number with zero dollar balances,
and the number with undisbursed balances; describes
the challenges leading to delays in grant closeout; and
explains, for the 30 oldest federal grant awards, why
each has not been closed out
All
�
| File Type | application/pdf |
| File Title | DHS/FEMA/PIA-052 Grants Management Modernization (GMM) |
| Author | U.S. Department of Homeland Security Privacy Office |
| File Modified | 2018-07-06 |
| File Created | 2018-07-06 |