Download:
pdf |
pdfPrivacy Impact Assessment
FEMA Hazard Mitigation Planning and Flood
Mapping Products and Services Support Systems
DHS/FEMA/PIA-045
June 26, 2017
Contact Point
Joanne Neukirchen
Risk Management Directorate
Federal Insurance and Mitigation Administration
Federal Emergency Management Agency
(202) 212-7709
Reviewing Official
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security
(202) 343-1717
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 1
Abstract
The Department of Homeland Security (DHS), Federal Emergency Management Agency
(FEMA), Federal Insurance and Mitigation Administration (FIMA) provides various flood
mapping products and services to the public as required under the National Flood Insurance Act
of 1968, as amended (NFIA) (42 U.S.C. § 4001 et seq.). The Risk Management Directorate (RMD)
manages FIMA’s various flood mapping products and services. This includes the Map Service
Center (MSC) and the Mapping Information Platform (MIP) Information Technology (IT) support
systems. FEMA is updating and replacing the previously published DHS/FEMA/PIA-007 FEMA
NFIP MSC and DHS/FEMA/PIA-028 MIP, originally published April 30, 2013, to provide more
detail about the MIP process, describing additional collections, use of financial information, the
sharing of information with the Department of Treasury (Treasury), and the development of the
online Letter of Map Change (LOMC) application within MIP.
Overview
Federal Emergency Management Agency (FEMA) administers the National Flood
Insurance Program (NFIP). The NFIP aims to reduce the impact of flooding on private and public
structures. It does so by providing affordable insurance to property owners and by encouraging
communities to adopt and enforce floodplain management regulations. These efforts help mitigate
the effects of flooding on new and improved structures. Overall, the program reduces the socioeconomic impact of disasters by promoting the purchase and retention of general risk insurance,
but also specifically through the use of flood insurance. The Robert T. Stafford Disaster Relief and
Emergency Assistance Act, as amended by the Disaster Mitigation Act of 2000, provides the legal
basis for FEMA and other government agencies to undertake a risk-based approach to reducing
losses from natural hazards through mitigation planning. Federal Insurance and Mitigation
Administration’s (FIMA) Mitigation Planning Program oversees and provides guidance to state,
tribal, and local governments that are required to develop a FEMA-approved, risk-based hazard
mitigation plan. This plan is a pre-condition for receiving non-emergency disaster assistance from
the Federal Government, including funding for flood hazard mitigation projects. FEMA tracks
governments’ implementation of their hazard mitigation plans to help communities identify new
mitigation strategies, improve planned mitigation actions, and advance planned actions.
The National Flood Insurance Act of 1968, as amended (NFIA)1 establishes that FEMA
will provide flood insurance in communities that adopt and enforce floodplain management
1
42 U.S.C. § 4001 et seq.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 2
ordinances that meet the minimum NFIP requirements. The law requires FEMA to provide and
maintain flood maps to support floodplain management and insurance activities. FEMA’s
regulations implementing the NFIA, including the flood mapping program, are found in 44 C.F.R.
§§ 59-72.2
The NFIA requires insurance companies that write flood insurance policies on behalf of
the NFIP to use FEMA flood maps to determine insurance rates. Members of the public can
purchase and review these FEMA maps and related products to understand a property’s flood risk.
In addition, community officials must use these maps to manage development in flood-prone areas.
FEMA performs the following tasks in support of flood map productions:
1) Tracks requests for updates from community officials;
2) Schedules and tracks floodplain studies’ progress and quality;
3) Conducts community outreach and coordinates with communities and the public on the
floodplain study process;
4) Collects information from communities and organizations such as levee owners;
5) Provides public review of the proposed flood hazard data resulting from studies;
6) Adjudicates administrative appeals to the studies; and
7) Coordinates and tracks the request and processing of flood map revisions and updates.
The NFIA requires communities to adopt these maps as the basis of their land use regulations and
subsequently requires FEMA to provide due process to affected communities and property holders.
This process includes making available to the public the relevant data documenting the scientific
and technical basis of the maps, as well as documenting the community and public coordination
processes associated with the map development and publication.
FEMA flood maps are subject to revision through the Letters of Map Change (LOMC)
administrative process. LOMC are documents issued by FEMA that revise or amend the flood
hazard information shown on the Flood Insurance Rate Map (FIRM). LOMC include two types of
map changes: Letter of Map Amendment (LOMA) or Letter of Map Revision (LOMR). A LOMA
is a flood map change based only on the placement of the floodplain boundary relative to existing
ground elevations, usually for small areas. A LOMR is a change that often covers a larger area
based on improved scientific or technical data or changes to the floodplain, and may require a
flood map revision. For the purposes of this privacy impact assessment (PIA), FEMA uses the
term LOMC to mean all types of map amendments and revisions.
2
Available at https://www.gpo.gov/fdsys/pkg/CFR-2011-title44-vol1/pdf/CFR-2011-title44-vol1-chapI-subchapBsubjectgroup-id467.pdf.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 3
The Risk Management Directorate (RMD) provides high-quality flood maps, information,
and tools to better assess flood risk, and provides planning and outreach support to communities
to help them take action to reduce or mitigate this risk. RMD operates two major information
technology (IT) systems to support these functions: the Map Service Center (MSC) and the
Mapping Information Platform (MIP). These systems support the identification of hazards, assess
vulnerabilities, and develop strategies to manage the risks associated with natural hazards. The
MSC and MIP support the following RMD functions: 1) risk-based hazard mitigation planning;
and 2) public map and data distribution and customer service. The remainder of this overview
summarizes each IT system’s contribution to the RMD functions listed above, including typical
transactions that interface with these systems or their applications. These descriptions explain the
sensitive and personally identifiable information (PII) FEMA collects in the process of fulfilling
its statutory and regulatory responsibilities, and describes how FEMA compiles, stores, protects,
uses, and shares this data.
Risk-based Hazard Mitigation Planning
Mitigation planning identifies policies and actions that, when implemented over the longterm, reduce risk and future losses. The planning process creates a framework for risk-based
decision making to reduce damages to lives, property, and the economy. Hazard mitigation plans
form the foundation for a community’s long-term strategy to reduce disaster losses and break the
cycle that triggers disaster damage, reconstruction, and repetitive damage.
Through outreach, technical assistance, guidance, and training, RMD assists state, tribal,
and local governments in: (1) identifying the natural hazards that affect them; (2) determining the
actions and activities to reduce any losses from those hazards; and (3) establishing a coordinated
process to create and implement a plan to address and mitigate those hazards.
Identifying Mitigation Strategies and Improving Planned Mitigation Actions
To support the identification of mitigation strategies and to improve planned mitigation
actions, FEMA tracks the status of state, tribal, and local hazard mitigation plans and reviews them
to ensure compliance with 44 CFR Part 2013. FEMA uses the Mitigation Planning Portal (MPP),
which is an application of the MIP system, to document the status of a Hazard Mitigation Plan and
the progress of its review. MPP’s data collection and storage is largely statistical (e.g., Date
Review Started, Days in Review, Reviewer Name, Plan Status, Percent of Population Covered by
the Plan). All MPP users are FEMA personnel or contractors or state mitigation planners who must
log-in to use the MPP. State mitigation planners have read-only access through their regional
3
This regulation governs FEMA pre and post disaster hazard mitigation programs and activities. See 44 CFR Part
201, available at https://www.gpo.gov/fdsys/pkg/CFR-2011-title44-vol1/pdf/CFR-2011-title44-vol1-part201.pdf
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 4
mitigation planner. In the future, the MPP may be used to archive copies of FEMA-approved state,
tribal, and local Hazard Mitigation Plans.
FEMA also contributes to planned mitigation actions by encouraging the use of its multihazard modeling software, Hazards US – Multi Hazard (HAZUS-MH), which is available for
download on www.FEMA.gov. HAZUS-MH software uses geographic information systems (GIS)
technology to estimate physical, economic, and social impacts of disasters as a critical input to
Hazard Mitigation Plans. The MSC hosts a SharePoint collaborative portal that supports the
HAZUS-MH user community. The SharePoint portal is available to all members of the public. In
order to access the SharePoint portal, prospective users send an account request by email to
spadmin@riskmapcds.com. In the email, prospective users of the SharePoint collaborative portal
must provide a username, phone number, and email address for FEMA to create the user account.
FEMA uses the SharePoint application primarily to facilitate the dissemination and exchange of
information among authorized users. The SharePoint portal contains general information areas
open to all users and specific subject matter areas open to select users. There are dedicated
document libraries for both general information and specific subject-matter areas that offer
collaboration tools such as member directories, message boards, and shared spaces allowing
members to post comments, links, and documents relevant to the development of flood map
products. Username is the only PII visible to other members of the SharePoint portal.
Advance Planned Actions
MIP also hosts the Mitigation Action Tracker (MAT). MAT is a web-based tool for RMD
providers and state, local, and regional mitigation planners to document and report local mitigation
actions influenced by floodplain management processes. This data supports the measurement of
RMD action metric performance while also providing stakeholders valuable mitigation
information that affects future planning or other risk reduction efforts. The MAT is a valuable tool
for communities and counties, serving as a single source to capture and organize mitigation actions
at any stage from proposed actions to funded projects.
Community and county officials, such as the floodplain administrator, public works
director, utility director, land use planning director, and other community and county staff are
encouraged to register for access to MAT, record areas of mitigation concern, and identify
mitigation projects. Users can add new actions, remove old actions, or update the status of an
action as it changes over time. Examples of actions include local plans and regulations,
community-identified programs, or structure and infrastructure projects. Users identify both new
and existing actions for improvement through collaboration between communities, counties, the
state, and FEMA. In addition, users can identify funding and collaboration opportunities to
implement mitigation actions.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 5
Public Map, Data Distribution, and Customer Service
The Risk Management Directorate provides flood maps, information, and tools to better
assess the risk from flooding, and provides planning and outreach support to communities to help
them take action to reduce or mitigate flood risk. The MSC operates a public-facing website for
viewing and downloading flood maps and related products, assists the public by phone and online
chat via a call center, distributes flood maps and related materials to community officials, and
performs other functions related to public access to information about flood mapping. The MSC
website provides immediate access to flood map information for any area in the country and to
any individual needing this information. A system user may freely view the entire map online or
download the data.
To find flood maps and products for a geographic location, users can enter any address into
the MSC application. MSC sends the full address to the Environmental Systems Research Institute,
Inc. (ESRI) ArcGIS database.4 The ESRI converts the address to latitude and longitude, and ESRI
sends the latitude and longitude points to MSC, which uses the points to locate the address within
a FEMA map. The MSC does not retain the address from the user and it does not store latitude and
longitude information from ESRI.
The MSC distributes digital flood map products and limited paper products without charge
to local governments affected by map changes. Individuals can choose to either search the MSC
product catalog, as described above, or create a user account and register for an email subscription.
The user provides an email address and password to create a profile to subscribe to email
subscriptions. The subscription feature enables individuals to create and manage automated
notifications that alert them when certain products become available for download. Subscriptions
are free of charge and users can create, edit, or discontinue the email subscription.
The MSC also operates the FEMA Information Exchange’s (FMIX) online chat service.
The FMIX chat feature allows individuals to interact with a mapping specialist online and receive
assistance locating and acquiring flood map products. The FMIX maintains a record of this
interaction and stores the records on FEMA-managed servers. FMIX does not use a third-party
service provider. The record includes name, city, state, and chat subject from the chat user.
In addition to distributing paper and digital copies of flood map products to local
government officials, FEMA uses the MSC system to host a website (www.floodmaps.fema.gov)
upon which it posts Flood Hazard Determination Notices. FEMA publishes these notices in the
4
FEMA RMD makes extensive use of ESRI ArcGIS software. ESRI is the primary vendor for geospatial activities.
These include desktop uses such as spatial data management and spatial analysis, and server-side technologies based
on ArcGIS Server that power the web services used in geospatial applications. Additional information is accessible
at http://www.esri.com/software/arcgis.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 6
Federal Register. Flood Hazard Determinations Notices may include projections of flood
elevations (i.e., the addition or modification of any Base Flood Elevation (BFE) or Base Flood
Depths (BFD)) or designations of areas having special flood hazard areas (e.g., Special Flood
Hazard Area (SFHA)5 boundary or zone designation or regulatory floodway) on a community’s
FIRM. These notices contain the name and business contact information of an affected community
government’s executive. FEMA manually copies community officials’ contact information from
the NFIP Community Information System (CIS)6 and inserts it into the public notice of a Flood
Hazard Determination. In addition to this notice, FEMA notifies the local government and
publishes notification of flood elevation determinations and designations of areas having special
flood hazard areas in a prominent local newspaper at least twice. After the second newspaper
publication, a 90-day statutory appeal period begins. During the 90-day statutory appeal period,
any owner or lessee of real property within the community who believes that FEMA’s
determination has an adverse effect on his or her property rights may appeal such determination to
the local government. This program does not handle or store local government appeals. The public
may view notices for communities currently within the 90-day statutory appeal period and notices
that expired within the past three months. FEMA automatically removes notices from
www.floodmaps.fema.gov after 180 days.
Typical Map Product Request Transaction
On the MSC site, public users can find and download all maps, data, and other flood
mapping products without providing PII. Customers can choose to create email subscriptions on
the website to receive notifications of updates in flood mapping product categories and locations.
The user creates an account using his or her email address, supplying a password, and registering
for an email subscription. Subscriptions are free of charge and may be created, edited, or
discontinued at any time. Users must also provide an email address and create a password in order
to create a subscription account.
Typical Product Distribution to Local Government
After FEMA creates and approves the flood maps and related products for distribution, it
uses the NFIP CIS to identify community officials impacted by a FEMA flood map change. These
community officials will automatically receive copies of products distributed by the MSC related
to their jurisdiction or area of responsibility. A FEMA analyst logs into CIS and manually inserts
the current community official’s name and address on a digital FEMA letterhead. The FEMA
5
The land area covered by the floodwaters of the base flood is the Special Flood Hazard Area (SFHA) on FIRMs.
The SFHA is the area where the NFIP's floodplain management regulations must be enforced and the area where the
mandatory purchase of flood insurance applies. The SFHA includes Zones A, AO, AH, A1-30, AE, A99, AR,
AR/A1-30, AR/AE, AR/AO, AR/AH, AR/A, VO, V1-30, VE, and V.
6
The CIS system is included in DHS/FEMA/PIA-011 National Flood Insurance Program Information Technology
Systems (NFIP ITS), available at www.dhs.gov/privacy.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 7
analyst then stores the copies of products distribution in the MIP. The analyst downloads or prints
a copy of the letter and appends the letter to the paper and digital copies of flood mapping products
for distribution to community officials. The MIP stores the official letterhead, and the MSC
maintains a copy for the purposes of distribution of the product(s) to community officials. The
MIP and MSC retain a copy of the digital letterhead files in soft-copy format. In addition, FEMA
retains a record of which products were sent to which officials and when.
Typical Call Center and Help Desk Chat Transaction
An individual may contact the FMIX for assistance with the MSC by dialing the FMIX
toll-free telephone number or initiating an online chat session. A FEMA Map Specialist will greet
the individual and ask for the individual’s name, location, and reason for the inquiry. The Map
Specialist may request additional information about the call topic and products of interest to meet
the individual’s needs. The Map Specialist enters the following user-provided information into a
customer support application called PhaseWare: first name; last name; city; state; phone number;
email address; caller type (e.g., property owner, realtor); request type; and any additional
information pertinent to the call. The MSC hosts the PhaseWare application. If the individual
chooses to initiate an online chat session, FMIX prompts individuals to enter the same information
into an online form, which is part of the PhaseWare application. Once the individual completes
the form, a chat window will opens and the Map Specialist greets the individual who initiated the
chat session, and proceeds to address the individual’s needs.
The Map Specialist then guides the individual to resources that may help address his or her
needs either by phone or online chat. This may include providing website information (e.g., URL
and navigation features), mailing requested information, and providing other industry resources
and phone numbers, including the NFIP call center’s contact information. The Map Specialist
verifies with the individual that his or her needs are satisfied and determines whether a callback is
necessary. If the Map Specialist cannot address the individual’s needs because of the technical
nature of the request, the Map Specialist escalates the issue within the PhaseWare application to
other FEMA staff tasked with resolving MSC- and MIP-related customer issues. FMIX does not
record telephone conversations; however, FMIX maintains transcriptions of online chat sessions.
These chat sessions are available to the individual participating in the chat at the end of the session.
FEMA stores chat session transcriptions on FEMA secure servers.
Typical Flood Hazard Determination Notice Transaction
Typically, an individual goes to www.floodmaps.fema.gov and selects a state of interest
from a drop-down menu. The website presents a list of communities with an active or recently
expired Flood Hazard Determination Notice. The system user selects a community and can view
a list of Flood Hazard Determination Notices, the associated case number, the start and end date
for the appeal period, and a link to an electronic copy of the notice.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 8
FEMA Flood Studies, Map Revisions, and Public Documentation
FEMA uses the Coordinated Needs Management System (CNMS), an MSC application, to
track flood map update needs including needs submitted by state and local officials. This system
includes the officials’ names for the purposes of controlling access to the system and tracking who
submitted the requirements.
The MIP is a workflow-based system and web portal that contains a variety of information
(including both PII and non-PII) and tools used for the management, production, extraction, and
sharing of flood hazard data and supporting information.
FEMA processes LOMCs through both electronic-based and paper-based processes. The
online process uses two applications within the MIP to process LOMCs: (a) electronic Letter of
Map Amendment (eLOMA); and (2) Online LOMC. Only a certifier7 can initiate the eLOMA
process. An individual property owner or other representative of the property owner can initiate
the Online LOMC process. The paper-based process allows individuals to submit hard copy
LOMC applications to FEMA. Either a property owner or someone else working on his or her
behalf can initiate the paper-based process. Appendix A of this PIA lists the forms associated with
this process. These forms request PII of both the property owner and professional certifier.
The Online LOMC application integrates with the Department of Treasury’s (Treasury)
online payment system, Pay.gov,8 to allow users to pay fees and make electronic payments.
FEMA’s fee schedule for processing requests for map changes, flood insurance study backup data,
and NFIP map and insurance products9 governs all fees collected within the MIP. These fees are
associated with specific types of requests and orders for specific products. FEMA’s Online LOMC
application does not store the financial transaction information; rather, an end-to-end encrypted
channel directs the request to Pay.gov, which processes the payment on FEMA’s behalf. The MIP’s
Online LOMC application only stores the last four digits of the account number for credit card and
electronic check (eCheck) transactions. FEMA maintains the last four digits of the account number
as historical confirmation information for the transaction and for auditing purposes. Pay.gov returns
the payment approval or denial information and the Transaction ID to the Online LOMC
application over an encrypted web connection. FEMA sends a confirmation email to the user’s
email address with the result of the transaction.
Communities and members of the public may submit administrative appeals to proposed
map changes. To ensure review and response to these appeals, FEMA uses a SharePoint instance
7
A certifier may be a Registered Professional Engineer, Licensed Land Surveyor, or Certified Professional through
the National Flood Determination Association (NFDA) who is acting on behalf of a property owner.
8
See U.S. Department of Treasury Financial Management Services Pay.Gov Privacy Impact Assessment 2.0 (July 1,
2011), available at http://fms.treas.gov/pia/paygov_pia%20.pdf.
9
The schedule of flood map-related fees is accessible at http://www.fema.gov/forms-documents-and-software/floodmap-related-fees#1.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 9
known as the RMD portal, hosted on the MSC system, to track appeals. This system maintains
name and address to track information about the submitter of the appeal, certifiers providing data
in support of an appeal, and community officials involved in the appeal. Access to this tool is rolebased and uses FEMA’s instance of Active Directory.
FEMA accepts applications from levee owners and communities seeking Zone AR
designations, Zone A9910 designations, and recognition of accredited levee systems on FIRMs.11
FEMA uses the RMD (SharePoint) Portal hosted at MSC to review and respond to these
applications and to track the accreditation status of levee systems and mapping levees, including
designating AR and A99 Zones. This system may contain limited PII identifying the levee owner,
operator, or community contact.
To support a mapping project, levee owners and communities are responsible for providing
documentation that a levee system meets the requirements of 44 CFR 65.10 to have the levee
system shown as accredited (provide protection from the 1-percent-annual-chance flood), or meets
the mapping procedure(s) for non-accredited levee systems. FEMA uses the RMD SharePoint
portal to track the accreditation status of levee systems and mapping levees. The MSC hosts the
RMD SharePoint portal. SharePoint may contain limited PII identifying the levee owner, operator,
or community contact.
The MIP manages the supporting scientific and technical data developed during the
mapping study process and submitted through the LOMC processes. The law12 requires FEMA to
make this supporting scientific and technical data, and associated records of community and public
coordination during the mapping process, available to the public. The Flood Risk Study
Engineering Library application on the MIP provides the public with access to this information.
The data FEMA distributes includes limited PII primarily in the form of names and contact
information for certifiers, public officials, and others involved in the mapping update or revision
process, or for those who develop scientific and technical data.
10
Zone AR is the base floodplain that results from the decertification of a previously accredited flood protection
system that is in the process of being restored to provide a 100-year or greater level of flood protection. Zone A99
are areas subject to inundation by the 1-percent-annual-chance flood event, but which will ultimately be protected
upon completion of an under-construction federal flood protection system such as dikes, dams, and levees. These are
areas of special flood hazard where enough progress has been made on the construction of a protection system to
consider it complete for insurance rating purposes. Zone A99 may only be used when the flood protection system
has reached specified statutory progress toward completion. No Base Flood Elevations (BFE) or depths are shown.
Mandatory flood insurance purchase requirements and floodplain management standards apply.
11
Additional information on FIRM zones is accessible at https://www.fema.gov/media-library-data/20130726-153520490-4172/unit3.pdf
12
See 44 C.F.R. part 66.3.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 10
Typical CNMS Transaction
Flood map updates may be necessary because of changes to the physical environment,
climatological data, or scientific methodologies, as well as other factors. Any public user may
identify these necessary updates at any time, even if FEMA is not performing a floodplain study.
Users would go to the CNMS application to notify FEMA of a suggestion for an update to a map.
All CNMS users must authenticate and submit the following information: first name, last name,
phone number, email address, role in CNMS workflow, FEMA region, and company/entity. Users
can then log in to the CNMS system and enter information about the issue. CNMS maintains a
record of the logged issue and the contact information of the submitter.
Typical Transaction for Planning and Tracking the Status of Mapping Study Projects
FEMA initiates a large volume of projects that produce flood mapping products and
services. The project planning process begins with the definition of work packages or tasks, which
FEMA purchases and funds over a multi-year period. FEMA staff enter data about these work
packages (e.g., preliminary project scope, anticipated costs) into an application called Project
Planning and Purchasing Portal (P4), which the MSC system hosts. The P4 helps FEMA sequence
work effectively and determine which combination of work packages and tasks best advance the
program’s mission given a limited amount of funds.
Once FEMA has established project funding, FEMA staff documents each project’s
planned scope, schedule, and cost in the MIP, and enters information into the system to track
progress against the plan. Select FEMA personnel have user accounts for the P4 and the MIP. To
use these systems, FEMA personnel must log-in. These user accounts gather limited demographic
information, as well as name, email address, and risk mapping role. FEMA assigns system
permissions based on the individual’s roles and responsibilities.
Typical RMD SharePoint Program Management Portal Transaction
FEMA uses the RMD SharePoint portal, hosted by the MSC, to manage the production of
flood mapping products and services. The RMD SharePoint Portal, unlike the HAZUS-MH
SharePoint Portal, is only available to FEMA employees, FEMA contractors, and Cooperating
Technical Partners (CTP); other federal, state, tribal, and local entities also have access. A person
seeking to become a member of a FIMA-supported flood mapping SharePoint portal enters limited
PII into a SharePoint account creation request form, which he or she emails to the site
administrator. This PII includes first name, last name, phone number, email address,
company/organization/agency affiliation, and FEMA region affiliation. The SharePoint site
administrator forwards the request form to a FEMA reviewer who grants the person permission to
join the SharePoint portal. Once FEMA confirms the applicant’s membership eligibility, the site
administrator sends the new user a system-generated confirmation with his or her username and a
separate email containing a temporary password. The site users may then voluntarily exchange
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 11
information and collaborate with other users using the tools provided by the SharePoint
application. Portal administrators may remove any inappropriate postings. Additionally, every six
months the portal administrator reviews member accounts for activity and disables user accounts
that have been inactive for more than two years.
Typical Letter of Map Change (LOMC) Transactions
The amendments and revisions workflow applications, hosted by the MIP, accomplishes
the paper-based process for producing a LOMC. Paper application forms (MT-1, MT-2, or MTEZ), which include PII such as name, address, and contact information, are voluntarily completed
by homeowners, lessees, or registered professional engineers or land surveyors and submitted
directly to FEMA for entry into the MIP. FEMA uses this information if it becomes necessary to
contact the homeowners, registered professional engineers, or land surveyors to obtain clarification
on engineering and other data, or to mail correspondence. The homeowner, lessee, or certifier may
also provide additional information that may contain limited PII, such as engineering data (e.g.,
topographic and flood elevations), tax assessors’ maps, and letters from the community, among
other items. The public has access to this data as documentation of the basis for the flood maps.
Additionally, FEMA shares this PII (name and address) with the Microsoft Azure LOMA-LOGIC
tool that FEMA uses to process simple LOMC, which maximizes efficiencies through the
automation of historically manual tasks, using an all-digital process and incorporating spatial
cloud-based data.
FEMA employees or contractors, such as Mapping Review Partners (MRP), enter all
paper-based LOMC into the MIP (see Appendix B for a listing of FEMA’s MRPs).13 FEMA then
reviews the engineering data and other information to determine whether it warrants an amendment
or revision to a flood map. If warranted, FEMA issues a LOMC. The MIP generates the LOMC
determination document, and FEMA mails it to the LOMC requester. If the situation does not
warrant a LOMC, the MIP generates a letter stating the situation does not warrant a LOMC, and
FEMA mails the letter to the LOMC requester. FEMA performs random audits of these records to
verify the results and to ensure adherence to applicable FEMA and other federal standards and
requirements.
13
FEMA allows qualifying state and local governments to act on FEMA’s behalf to perform the engineering review
on data submitted by certifiers and property owners in support of LOMCs. These entities are MRPs. Each year
MRPs sign agreements with FEMA to allow them to continue to serve in this capacity on behalf of FEMA (see
Appendix B for a listing of FEMA’s MRPs). MRPs have the same access to the MIP granted to FEMA staff to
conduct the engineering review of the LOMC request. This information includes the paper LOMC application forms
(i.e., FEMA MT-1, MT-2, and/or MT-EZ) and engineering and other supporting data (e.g., topographic information,
tax assessors’ map). The MRPs only complete LOMC requests for areas located within their governmental
jurisdictions. FEMA grants access to MIP via a secure web interface requiring user authentication. MRPs also have
access to scanned images of paper data submitted in support of the request.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 12
An individual is required to register online for the Online LOMC application. The
registration process collects the individual user’s name and email address. Once the user submits
his or her registration information, the Online LOMC application sends an activation code to the
email address provided. The user can then sign in to the Online LOMC application using the
activation code. The user then enters the same information as mentioned above for the paper
process and uploads all required artifacts (e.g., property deeds, maps) online. This Online LOMC
application is only accessible through Hyper Text Transfer Protocol Secure (HTTPS) encrypted
connection.
The certifier initiates the electronic application process through the eLOMA application
hosted on the MIP. The certifier provides his or her PII either through a paper process or the
eLOMA Helpdesk. To register, all certifiers must provide a licensed engineer certification number
or a licensed surveyor certification number, which establishes their credentials to update flood
maps. FEMA then creates an account for the certifier and provides the certifier with login
information. Once registered, the certifier may enter engineering data and other information, such
as information from FEMA’s MT-EZ or MT-1 paper application forms, which may be necessary
to support a LOMC request.14 FEMA or an MRP reviews the engineering data and other
information (e.g., a copy of the recorded deed or plat for the property or structure) as entered and
makes the determination as to whether or not to issue a LOMC. If FEMA or a MRP warrants a
LOMC, the MIP generates the final LOMC determination, and FEMA mails it to the LOMC
requester. If FEMA or a MRP does not warrant a LOMC, the MIP generates a letter stating such,
and FEMA mails it to the LOMC requester.
The certifier is responsible for distributing the LOMC determination or letter to the
property owner. If a certifier determines not to issue a LOMC, there is no change to his or her
specific area within FEMA’s flood maps. FEMA performs random audits of these records to verify
the results and to ensure adherence to applicable FEMA and other federal standards and
requirements.
Typical Transactions for Payments Associated with LOMC Fees
If the type of LOMC requested by an applicant requires a fee, the user pays the fee by credit
card or eCheck. The Online LOMC application prompts the user to enter either credit card or
eCheck information. Once the user clicks the ‘Submit’ option, Pay.gov receives this information
by way of a secure HTTPS-encrypted session. Pay.gov forwards the information to the appropriate
financial institution or credit card provider. When Pay.gov finishes processing the payment, it sends
a status of either a successful or unsuccessful payment attempt back to the Online LOMC
The term “Letter of Map Amendment” is a specific type of map change used as a generic term encompassing all
types of MT-1 map changes. For the sake of clarity, this PIA uses the term “Letter of Map Change” as the general
term covering all types of map amendments and revisions.
14
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 13
application. The HTTPS session then closes and the transaction is complete. For paper-based
transactions, property owners provide payment information such as project identifier, type of
mapping service, type of fee, payment type, and credit card account information using the FEMA
Payment Information Form (FEMA Form (FF) 81-107). FEMA submits the financial information
provided by the individual to Pay.gov. Once the Department of Treasury processes the transaction,
FEMA receives successful or unsuccessful payment confirmation information for the transaction.
FEMA then sends a confirmation email to the user with the result of the transaction.
If the payment is successful, the Online LOMC application initiates the LOMC process
requested by the user. FEMA conducts the appropriate analysis to determine if the property is in
an SFHA. If the payment is unsuccessful, the user has the option of resubmitting his or her financial
information to complete the order. The LOMC application file only maintains confirmation of
payment and the last four numbers of the credit card or bank account number. FEMA deletes the
last four digits of the credit card or bank account number after two years.
Typical Floodplain Study Engineering Library Request
FEMA establishes and maintains a Flood Elevation Determination Docket (FEDD) for all
matters pertaining to flood hazard determinations. FEMA establishes and maintains a community
case file, with a community elevation study consultation docket to document, among other things:
all correspondence, consultations, and meetings with officials in a community; relevant
publications; a copy of the completed flood study; and a copy of FEMA’s final determination.
FEMA maintains the community case file indefinitely. FEMA stores hard copy files at the FEMA
Engineering Library and stores electronic copies on the Engineering Library’s Secure Area
Network (SAN) or within MIP. FEMA makes the reports and other information it uses to establish
flood elevations and areas having special flood hazards available for public inspection. FEMA
requires contractors and Mapping Review Partners working on floodplain studies or LOMC on
FEMA’s behalf to provide to FEMA complete documentation of the scientific and technical basis
of the map changes and documentation of the community and public coordination. Under the
NFIA, as amended, in establishing projected flood elevations and designating areas having special
flood hazards, FEMA proposes such determinations and designations by publication for comment
in the Federal Register, by direct notification to the Chief Executive Officer of the community,
and by publication in a prominent local newspaper. FEMA provides public access to all of the
project documentation, which may contain limited PII in the form of names and contact
information for professionals who provide or certify scientific and technical data, community
officials, state officials, levee owners and operators, or others who participated in the floodplain
study or LOMC process. The Engineering Library redacts any PII in documents before submission
to the public. If an entity requests a document as part of the Freedom of Information Act (FOIA),
the FOIA branch redacts the PII consistent with FOIA standards. Interested members of the public
can submit a request by mail or fax to the Engineering Library; in the future they will be able to
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 14
access a library search page through an application of the MIP. Based on the requirements specified
in the request, the requestor will receive copies of the relevant scientific, technical, and
administrative records.
Typical Transaction for Customer Satisfaction and Experience Surveys
FEMA provides the public and other stakeholders with an opportunity to voluntarily
provide survey feedback regarding their experience with flood risks and FIMA’s Mitigation
programs. The purpose of the surveys is to identify areas of improvement within FIMA, and
individuals can opt-out or refuse to initiate the survey. Non-participation in a survey, or responses
provided in a survey, will not negatively affect an individual’s or organization’s requests for flood
mapping products or services.
Surveys are either paper-based or electronic forms and are generally anonymous. FEMA
surveys to community officials may not be anonymous as surveys may be for specific areas or
community official’s awareness of FEMA flood map products and services as well as his or her
experience with FEMA. In such cases, community officials may opt to provide their PII such as
names or business addresses in their official capacity for FEMA to conduct educational outreach
or address areas of concerns or deficiencies, and such information will remain confidential. FEMA
may also use focus groups to conduct the surveys. Such sessions may be video recorded; however
FEMA anonymizes video records that contain PII.
FEMA may directly conduct the surveys or use contractors, such as market research
companies, to conduct the surveys. Participants in the surveys are the general public, purchasers
of FEMA flood mapping products and services, and community officials. These surveys are not
directed to flood insurance policy holders. FEMA may contact community officials or purchasers
of FEMA flood mapping products and services to access their satisfaction with FEMA’s flood
mapping products and service programs or how FEMA can provide assistance to state and local
communities to program awareness or customer service. In such cases, FEMA is directly
conducting the survey and uses contact information from existing FEMA resources such as the
NFIP CIS to facilitate and conduct the surveys. FEMA may use a contractor to reach out to the
general public or a certain demographic to help access the general public’s awareness of FEMA
flood mapping products and services. This helps evaluate the effectiveness of FEMA flood
mapping programs awareness efforts. If FEMA uses a contractor, FEMA will identify the survey
scope and criteria and provide it to the contractors. Typically, this includes FEMA identifying the
group of individuals to be contacted based on the purpose and scope of the survey. The contractors
will then use their own databases to contact individuals about the surveys. FEMA does not own or
direct the collection of information within the contractor databases; individuals within the
contractor database have agreements with the contractor to be contacted for various survey
purposes. Typically, the contractor will offer incentives to participate in surveys or focus groups.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 15
FEMA or the contractor contacts the participants to complete the survey. FEMA or the
contractor provide written or verbal notice to the participants at the time of the survey, informing
them of the uses of the responses and information they provide. The participants answer several
questions concerning flooding, flood risks, or flood mitigation procedures, with a focus on the
respondent’s interaction and experiences with FEMA. Responses collected by the contractor are
provided to FEMA. FEMA stores responses in a need to know only environment and does not
release the responses/records to any unauthorized individuals. FEMA maintains the responses in
accordance with the FEMA Records Officer and National Archives and Records Administration’s
(NARA)-approved records retention schedule.
Section 1.0 Authorities and Other Requirements
1.1
What specific legal authorities and/or agreements permit and
define the collection of information by the project in question?
Under the National Flood Insurance Act of 1968, as amended,15 flood insurance under the
NFIP is available only in communities that adopt and enforce adequate floodplain management
regulations consistent with the minimum floodplain management criteria in FEMA’s regulations.16
As part of the NFIP, FEMA produces flood maps that may identify flood elevations (the BFE or
BFD and areas having SFHA boundaries or zones or regulatory floodways). The MSC and MIP
maintain or administer the maps that define the statutory zones discussed above.
Under the NFIA, 42 U.S.C. §§ 4101 and 4020, and FEMA’s regulations, 44 C.F.R. Parts
65 and 72, FEMA provides public access and dissemination of all flood insurance rate maps and
letters of map revision. Additionally, this regulation requires FEMA to provide administrative
procedures for communities or any owner or lessee of real property within the community who
believes his or her property has been inadvertently included in a SFHA to appeal the boundaries
of the SFHA.
The Disaster Mitigation Act of 2000 (DMA 2000)17 provides the legal basis for FEMA
mitigation planning requirements for state, local and tribal governments as a condition of
mitigation grant assistance. DMA 2000 amends the Robert T. Stafford Disaster Relief and
Emergency Assistance Act18 by repealing the previous mitigation planning provisions and
15
42 U.S.C. § 4001 et seq.
44 C.F.R. §§ 59-72.
17
Disaster Mitigation Act of 2000, Pub. L. No 106-390, 114 Stat. 1552 (2000).
18
Robert T. Stafford Disaster Relief and Emergency Assistance Act, as amended, 42 U.S.C. §§ 5121-5207.
16
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 16
replacing them with a new set of requirements that emphasize the need for close coordination
amongst state, local, and tribal governments for mitigation planning and implementation efforts.
Department of Homeland Security Appropriations Act of 2009 (Pub. L. 110-32919)
appropriates funds for FEMA’s flood map modernization efforts across fiscal years.
Additionally, 42 U.S.C. § 4020 directs FEMA to take any action needed to make flood
insurance information and data available to the public and to any State or local agency or official.
FEMA contractors answer questions for citizens concerned about flood risk, flood risk maps, flood
insurance, or letters of map changes by way of call center and chat functions.
1.2
What Privacy Act System of Records Notice(s) (SORN(s)) applies
to the information?
The DHS/FEMA/NFIP/LOMA-001 National Flood Insurance Program Letter of Map
Amendment System of Records Notice (SORN), 71 Fed. Reg. 7,990 (February 15, 2006) covers
information provided by members of the public in connection with LOMCs. FEMA is retiring this
SORN and replacing it with a new SORN, Flood Mapping Products and Services System of
Records, that will reflect changes to NFIP’s Flood Insurance Rate Maps and clarify FEMA’s
collection of credit card information and sharing of payment information with Treasury.
Other applicable SORNs include:
DHS/FEMA-003 National Flood Insurance Program, 79 Fed. Reg. 28,747 (May 19,
2014) applies to information connected to map services and products.
DHS/ALL-004 General Information Technology Access Account Records System
(GITAARS), 77 Fed. Reg. 70,792 (November 27, 2012) applies to user account
creation and access.
Treasury-009 Financial Management, 75 Fed. Reg. 54,423 (September 7, 2010) applies
to payment information an individual provides to Treasury through Pay.gov.
1.3
Has a system security plan been completed for the information
system(s) supporting the project?
Yes. The flood mapping products and services support systems have a System Security
Plan (SSP). The MSC received an Authority to Operate (ATO) on July 10, 2015. The MSC ATO
also covered the previous MSC customer service application with customer and payment
information gathering functionality. The MIP received an ATO on August 25, 2015. The LOMA-
19
See Department of Homeland Security Appropriations Act, 2009, Pub. L. 110-329, 122 Stat. 3652 (2008).
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 17
LOGIC is utilizing the Federal Risk and Authorization Management Program (FedRAMP) ATO
that Microsoft Azure holds.
1.4
Does a records retention schedule approved by the National
Archives and Records Administration (NARA) exist?
Yes. The records retention policy in effect for the MIP is records schedule N1-311-86-1
2A2c. The records retention policy in effect for the MSC is records schedule N1-311-86-1, Items
2A3 and 2A4. FEMA is currently working with the FEMA Records Officer and NARA for a more
appropriate records retention schedule for financial information stored in the MIP and MSC.
Additionally, FEMA is working with the FEMA Office of the Chief Information Officer (OCIO),
Records Management Division, and NARA to develop the appropriate records retention
schedule(s) for FEMA’s records created during online chat sessions. The LOMA-LOGIC aligns
to the MIP records retention schedule N1-311-86-1 2A2c.
1.5
If the Paperwork Reduction Act (PRA) covers the information,
provide the OMB Control number and the agency number for the
collection. If there are multiple forms, include a list in an
appendix.
The PRA covers information that FEMA collects and maintains to process FEMA’s flood
map products and services. Appendix A of this PIA lists the appropriate Office of Management
and Budget (OMB) Information Collection and Resource (ICR) numbers and forms.
Section 2.0 Characterization of the Information
2.1
Identify the information the project collects, uses, disseminates, or
maintains.
From Certifiers (e.g., Registered Professional Engineers and Licensed Land Surveyors)
and MRPs (e.g., state or local government officials with authority over a community’s floodplain
management activities), FEMA collects:
MIP:
Full name;
Position or Title;
Mailing address;
Company or Community name;
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 18
Six-Digit NFIP Community Number;
Telephone number;
Fax number;
Professional License Number;
Professional License expiration date;
Signature;
Signature date;
Fill20 placement and date;
Type of construction;
Elevation data; and
Base Flood Elevation (BFE) data.
FEMA stopped collecting items marked with an asterisk (*) when enhancements to the MSC were
deployed in August 2014. From individuals (e.g., homeowners, investors, and property
developers), FEMA collects:
MIP:
Full name;*
Mailing address*;
Email address (for email alerts/notifications);
Telephone number*;
Credit card information (entered into Online LOMC and then transmitted to Pay.gov)*:
o Credit card type*;
o Credit card number*;
20
Earthen fill is sometimes placed in a Special Flood Hazard Area (SFHA) to reduce flood risk to the filled area.
The placement of fill is considered development and will require a permit under applicable federal, state, and local
laws, ordinances, and regulations. Fill is prohibited within the floodway unless it has been demonstrated that it will
not result in any increase in flood levels. A Letter of Map Revision Based on Fill (LOMR-F) is FEMA’s
modification of the SFHA shown on the FIRM based on the placement of fill outside the existing regulatory
floodway. This Fill Placement and Date is information that is required to process the LOMR. Because a LOMR
officially revises the effective NFIP map, it is a public record that the community must maintain. Any LOMR should
be noted on the community’s master flood map and filed by panel number in an accessible location. See
https://www.fema.gov/fill to learn more.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 19
o Expiration date*; and
o Billing address*.
Property address;
Electronic check and payment information (entered into Online LOMC and then
transmitted to Pay.gov):
o Bank account type*;
o Bank Routing Number*; and
o Bank Account Number*.
Payment Confirmation Number (From the Department of Treasury (Pay.gov))*;
Fax number;
Fill placement and date;
Type of construction;
Legal property description;
Signature;
Date of signature;
User account creation and access information:
o Full name*;
o Email address;
o Username;
o Activation code;
o Password;
MSC:
First name*;
Last name*;
Title*;
Company*;
Address*;
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 20
City*;
State*;
Zip*;
County*;
FEMA region*;
Phone number*;
Email;
Live Chat (Help Desk) Information:
o First name;
o Last name;
o City;
o State;
o Chat subject; and
o Chat subject category (created and logged by FEMA staff).
MPP and MAT:
First name;
Last name;
Email; and
Organization/Agency.
MPP Only:
MPP role (read/write);
Challenge question number; and
Challenge answer.
MAT Only:
Job title;
Region; and
Permission.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 21
LOMA-LOGIC:
Full name;
Property address;
Legal property description;
Fill placement and date; and
Six-Digit NFIP Community Number.
Generally, FEMA may collect, use, or maintain the following information from potential
participants for customer satisfaction/experience surveys:
Name;
Mailing address;
Telephone numbers;
Email addresses;
Yes/no responses to questions; and
Comments.
2.2
What are the sources of the information and how is the
information collected for the project?
The following are the six sources of information within FEMA’s flood mapping products
and services support systems:
1) LOMC Certifiers (e.g., Registered Professional Engineers and Licensed Land
Surveyors);
2) State or local government officials with authority over a community’s floodplain
management activities, including MRPs;
3) Individuals (e.g., homeowners, investors, and property developers);
4) FEMA staff and stakeholders registered to use SharePoint information and
collaboration portals;
5) The CIS system; and
6) The cloud-based LOMA-LOGIC tool.
LOMC Certifiers enter the PII directly into the eLOMA application. LOMC Certifiers and
individual property owners also enter PII directly into the Online LOMC application. FEMA
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 22
Analysts and Map Specialists enter community official’s information from CIS into the MSC and
MIP.
The sources of information for the LOMC paper-based process are: 1) LOMC Certifiers,
2) individuals, and 3) MRPs. These sources voluntarily submit to FEMA via FEMA’s MT-EZ,
MT-1, MT-2, and FF 81-107 paper application forms to request and support a LOMC request.
FEMA staff enter the data from these paper forms directly into the MIP.
Individuals enter payment information directly into the MIP. The source of payment
confirmation information in the MIP is from Treasury’s Pay.gov system. Pay.gov sends a payment
confirmation number and the last four digits of the account number used for payment to the Online
LOMC applications. FEMA uses the Trusted Collection Services (TCS) Single Service 21 by
opening a secure HTTPS session with Pay.gov. When Pay.gov finishes settlement processing, it
sends the results of the collection back to the applications. The HTTPS session is subsequently
closed and the transaction is complete.
FEMA receives LOMA-LOGIC information automatically via a secure web application
using SSL.
2.3
Does the project use information from commercial sources or
publicly available data? If so, explain why and how this
information is used.
Yes. FEMA flood map products and services uses latitude and longitude points provided
by ESRI when users opt to enter an address into the MSC application to find the flood map for a
specific location. FEMA uses this information within GPS software to more accurately locate
property or an area to identify the flood zone designation for the address, or any LOMCs affecting
the address or area. Additionally, FEMA may use the name and contact information of survey
participants from research marketing firms to assist in conducting focused surveys from the public.
FEMA will contract with a marketing research company to conduct surveys and focus groups.
These market research firms have databases with individuals who have either agreed to or search
for opportunities to participate in various surveys. The marketing firms use the information to
contact the potential survey participant to participate in a FEMA sponsored survey. FEMA does
not maintain the PII or associated response to surveys with individuals.
2.4
Discuss how accuracy of the data is ensured.
FEMA assumes the voluntarily-submitted data is accurate when it is submitted either by
the MSC and MIP customer, FMIX chat user or caller, LOMC Certifier, individual property owner,
21
Trusted Collection Services (TCS) Single Service allows the Online LOMC application to send a single noninteractive collection to Pay.gov for immediate processing.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 23
state and local officials, CIS, or Treasury. FEMA encourages the entry of correct and up-to-date
information by alerting MSC and MIP system users that false statements provided to FEMA may
be punishable pursuant to 18 U.S.C. § 1001. Additionally, the LOMC Certifier, individual property
owner, or MRP who provides the data to FEMA must sign the MT-1, MT-EZ, or MT-2 paper
application forms to attest to the accuracy of the information provided. The signature also
acknowledges that false statements provided to FEMA may be punishable pursuant to 18 U.S.C.
§ 1001. The LOMA-LOGIC relies on the accuracy of the data in the MSC and MIP since those
applications service the data to it.
For the paper-based LOMC process, FEMA staff, including MRPs, enter the data into the
MIP and perform an engineering review of the data. If FEMA finds errors with the data provided,
FEMA staff will contact the LOMC Certifier, individual property owner, or MRP to determine the
nature of the error. The LOMC Certifier, individual property owner, or MRP may correct
inaccurate information by submitting corrected information to FEMA, along with an explanation
as to the cause of the error. FEMA staff also performs periodic audit reviews of MIP data to ensure
its accuracy. FEMA staff corrects any data entry errors identified during the audit.
For the eLOMA and Online LOMC processes, FEMA staff perform random audits of the
data entered by the user to ensure its accuracy. The audit schedule is a 100 percent review for the
first record entered by a new user, then a randomly conducted review after the first successful pass
of a FEMA audit review. If FEMA finds errors with the data entered by a user, FEMA will continue
to subject that user to a 100 percent record review until he or she can pass a FEMA audit without
errors.
In addition, FEMA audits at least 10 percent of all work performed by the MRP to ensure
he or she is adhering to FEMA’s policies and standards, such as FEMA Policy (FP) No. FP 204078-1: Standards for Flood Risk Analysis and Mapping.22
For credit card and electronic check submissions, the individual enters information directly
into the Online LOMC application. FEMA assumes this type of voluntary financial information is
correct.
2.5
Privacy Impact Analysis: Related to Characterization of the
Information
Privacy Risk: There is a risk that FEMA could collect more information than is necessary
for processing surveys, LOMCs, or other flood mapping products and service orders.
Mitigation: FEMA mitigates this privacy risk by performing reviews of the data collection
requirements for LOMCs at least every other year to ensure FEMA collects only the data necessary
22
Accessible at https://www.fema.gov/vi/media-library/assets/documents/35313.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 24
to process a LOMC. These reviews result in updates to the MT-1, MT-EZ, and/or MT-2 forms. In
addition, FEMA performs regular privacy reviews of flood mapping products and services support
systems using the DHS Privacy Threshold Analysis (PTA) development and review process.
For example, a specific concern for FEMA is the collection of payment information. Due
to individuals requesting digital maps and the decreased cost to provide these products, FEMA has
reduced the amount of information it collects by eliminating payment for MSC orders and no
longer collects credit card information within MSC.
Privacy Risk: There is a risk that FEMA flood mapping systems may contain inaccurate
or erroneous information about individuals or property.
Mitigation: FEMA mitigation efforts for this privacy risk include collecting information
directly from the public when possible, reviewing all data collected, and conducting engineering
reviews to ensure the accuracy of provided data. Because some data is provided on behalf of other
persons, there is a residual risk of inaccurate information.
Privacy Risk: There is a risk that FEMA’s collection of PII from a commercial source for
surveys may be unnecessary or excessive.
Mitigation: FEMA partially mitigates this privacy risk by only using PII of individuals
who have consented to participating in surveys or focus groups. The PII is only used to distribute
surveys or initiate focus groups. FEMA does not share the PII of potential participants nor does
FEMA track responses on an individual basis.
Section 3.0 Uses of the Information
3.1
Describe how and why the project uses the information.
FEMA uses PII from individuals who contact the help desk, whether by phone or online
chat service to update the PhaseWare application that tracks flood mapping products and services
customer service and interaction with the public. FEMA needs this information in order to access
maps and send correspondence to individuals contacting FEMA to address their particular need or
request.
FEMA uses additional information collected during the chat session such as specific
LOMC request information to access account information with MSC or MIP. This information is
needed to access specific records and to respond to the customer by searching for and
understanding prior customer history, reviewing MT case submittals, reviewing community map
status, and other related responses the customer may seek.
FEMA uses name, email, organization/agency information, MPP role (read/write), and
security questions to create IT system access account, establish access controls, to authenticate
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 25
identity, and to track mitigation plan applications and that plan’s status with respect to the plan
review cycle. For the MAT, the data displays in a geospatial format and reporting functions use
the data.
To process online payments for LOMCs, FEMA transmits credit card or bank account
information to Pay.gov. An Agency Participation Agreement (APA) between FEMA and the
Treasury Financial Management Service (FMS), which operates the Pay.gov transaction engine,
governs these transactions. FEMA needs to use this information to process payments in accordance
with federal statutes and regulations.
FEMA uses a community member’s name, position/title, and mailing address to create
mailings to deliver products to the community officials as new final mapping products become
available. FEMA requires this information to ensure community officials are aware of LOMCs
that may impact their respective jurisdictions.
FEMA uses name, company name, mailing address, professional license number,
professional license expiration date, signature, and date of signature to update eLOMA for system
account creation, as well as for access control purposes. FEMA requires this information to
establish a licensed professional as a registered user of the eLOMA system, which enables the
licensed professional to process a LOMA request in the eLOMA system.
FEMA uses full name, email address, username, activation code, and password to update
the Online LOMC application system, and facilitate account creation and access controls. FEMA
requires this information to establish an individual as a registered user of the Online LOMC
application, which enables property owners to process a LOMC request.
FEMA uses the 6-digit NFIP community number, property address, and legal property
description to search and identify property relevant to a LOMC request within a mapping products
and service support system. FEMA requires this to determine whether a structure is in the
floodplain. In addition, FEMA requires data describing the home, including how it was built (often
foundation type information), whether the ground was changed during or after construction
(commonly referred to as the placement of fill), and the elevation of the structure. A registered
surveyor provides much of this information through the community in which the home is located.
FEMA uses the legal property description to associate the LOMC to a specific
property/structure(s). LOMA-LOGIC uses the same information to identify the property relevant
to an MT-1 request.
FEMA uses name, position or title, company or community name, mailing address,
telephone number, email address, and fax number to search flood mapping products and services
systems to identify an individual or certifier requesting a LOMC. FEMA requires this to obtain
clarification about the request or to send him or her correspondence.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 26
3.2
Does the project use technology to conduct electronic searches,
queries, or analyses in an electronic database to discover or locate
a predictive pattern or an anomaly? If so, state how DHS plans to
use such results.
No. FEMA’s mapping products and services support systems do not use technology to
conduct electronic searches, queries, or analyses to discover or locate a predictive pattern or an
anomaly.
3.3
Are there other components with assigned roles and
responsibilities within the system?
No. FEMA does not assign roles and responsibilities to other DHS components within
FEMA’s mapping product and services support systems. Individual states will have accounts
groups, which they can register and use. These accounts are “read only” and individual states have
access only to the state’s hazard mitigation plans; states are restricted from seeing any other states’
plans, even within their respective region.
3.4
Privacy Impact Analysis: Related to the Uses of Information
Privacy Risk: There is a risk that unauthorized users without a need to know the
information could access and use information stored in FEMA’s mapping product and services
support systems for purposes other than mapping products or services support. For instance,
another component of DHS or other federal agency may request access to the mapping information
for current addresses of individuals within their database.
Mitigation: FEMA mitigates this risk by using access controls. FEMA limits access to
MSC and MIP information to FEMA staff with a valid need-to-know. FEMA also mandates annual
privacy awareness training for all administrative users, which includes a discussion about PII and
the responsibilities that each administrative user bears in protecting and using that data. A log-in
banner cautions end users about appropriate use. The MSC collects only the information necessary
to deliver newly available mapping products to local officials. The MSC website collects only the
information necessary to email subscribers when new products of interest are available.
Additionally, the MIP collects only the information necessary to process a map change or
amendment and to provide copies of such changes. Prior to using MAT, administrators must
approve a potential user’s access.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 27
Section 4.0 Notice
4.1
How does the project provide individuals notice prior to the
collection of information? If notice is not provided, explain why
not.
FEMA provides notice to individuals in several ways prior to collecting their information.
Individuals who contact the FMIX, via phone, receive notification that the interaction is subject to
monitoring for quality purposes. Individuals who use the online chat service to contact the FMIX
have the option of following a link to FEMA’s Privacy Policy on www.FEMA.gov before
choosing to open a chat window. At the point of collection, individuals accessing the MIP payment
screen see a notice that FEMA will send their financial payment information to Treasury’s Pay.gov
for payment processing. In addition, FEMA posts a link to its Privacy Policy on FEMA’s mapping
product and services support systems websites, which are available at any time. Additionally,
FEMA posts a Privacy Notice online before any of the flood mapping products and services
support systems registration processes, and is available from within the application at any time.
The Privacy Notice is also included on the paper forms identified in Appendix A. In addition,
FEMA provides notice through its privacy compliance documentation for the application,
specifically this PIA and the SORN(s) listed in Section 1.2. For information that is collected by
the MPP and MAT, users enter their own personal information directly into the data repositories,
which indicates personal data collection. Finally, for CIS information, FEMA provides a notice to
community officials, as described in the DHS/FEMA/PIA-011 NFIP ITS PIA23 and the PIA’s
related SORN, DHS/FEMA-003 National Flood Insurance Program Files24.
4.2
What opportunities are available for individuals to consent to
uses, decline to provide information, or opt out of the project?
Subscribing to MSC website notifications is a voluntary process. The information collected
is necessary only for sending email notifications. Community officials can contact FEMA to optout from receiving the newly available mapping products from the MSC at any time.
The LOMC process is voluntary; eLOMA, the online LOMC application, and the paperbased LOMC process only use the information collected to fulfill the purposes in Section 3. If the
individual chooses not to provide information, he or she cannot request a LOMC.
23
See DHS/FEMA/PIA-011 National Flood Insurance Program Information Technology Systems (NFIP ITS),
available at www.dhs.gov/privacy.
24
DHS/FEMA-003 National Flood Insurance Program Files, 79 FR 28747 (May 19, 2014).
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 28
Additionally, individuals that do not consent to FEMA’s storing of an electronic copy of
an online chat session can chose not to use the FMIX chat function and call the FMIX toll-free
number to discuss FEMA flood mapping products and services.
4.3
Privacy Impact Analysis: Related to Notice
Privacy Risk: There is a risk associated with FEMA’s flood mapping products and
services support systems that individuals may not be aware of FEMA’s collection, use, and sharing
of their information, specifically financial information.
Mitigation: FEMA mitigates this risk by providing notice to the public via FEMA’s
Privacy Policy, specific Privacy Notices before system registration, this PIA, and the SORN(s)
listed in Section 1.2.
Section 5.0 Data Retention by the project
5.1
Explain how long and for what reason the information is retained.
FEMA disposes of customer records in the MSC and the legacy MSC store application in
a manner consistent with the Flood Map Products and Services SORN. The day after FEMA inputs
personal information into the electronic database, FEMA destroys personal information stored on
paper, but keeps community public official/community government representative contact
information related to the CIS/Community Rating System (CRS) in accordance with the
DHS/FEMA-003 National Flood Insurance Program Files SORN. This information includes
updated contact, flood zone, or floodplain information received from communities during the
LOMC or map distribution process. The FEMA Information System Security Officer (ISSO)
moves and stores records to a secure location.
NARA authority N1-311-86-1, items 2A3 and 2A4 covers FEMA flood mapping products
and services. FEMA destroys digital preliminary flood maps five years after FEMA issues a flood
elevation determination or insurance rate map. As part of its current digitization effort, FEMA is
destroying paper-based preliminary flood maps. Effective FIRMs are permanent records and
FEMA currently retains both paper and digital copies, although FEMA may choose to destroy
paper records with a digital copy in the future.
FEMA stores FMIX chat session records indefinitely. FIMA is working with the FEMA
Office of the Chief Information Officer (OCIO), FEMA Records Management Division, and
NARA to develop the appropriate records retention schedule(s) for FEMA’s records created during
online chat sessions.
FEMA stores LOMC data in an active mode (retained online and accessible through the
web interface) for two years after which the information is retired to the Federal Records Center
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 29
(FRC). FEMA destroys the information 20 years after its final determination or map revision date,
in accordance with NARA authority N1-311-86-1, item 2A2c. FEMA maintains this information
to facilitate legal records of the classification of the flooding characteristics of specific parcels of
land as both its current and former classification under the NFIP. Changes to those classifications
affect the costs of insuring land under the NFIP, which requires that the program have the ability
to determine a floodplain classification at any point in the last 20 years to address potential disputes
and provide data for forward-looking insurance decisions. FEMA uses the same retention policy
regarding any additional copy of the LOMC data within the LOMA-LOGIC tool.
The MIP passes all collected financial payment information to Pay.gov. The screen only
retains masked financial information as long as required to facilitate the ordering of the map
product. The MIP only stores the last four digits of the credit card or bank account number. For
auditing purposes, FEMA only retains the confirmation information from Treasury and the last
four digits of the credit card or bank account information. The system deletes the last four digits
of the credit card or bank account number after two years.
5.2
Privacy Impact Analysis: Related to Retention
Privacy Risk: There is a risk that FEMA may retain data in the flood mapping products
and services support systems for longer than the approved record retention period.
Mitigation: FEMA mitigates this risk by keeping paper records in secure storage in
Alexandria, VA, and protecting all electronic records as described in the System Security Plans.
Contracted staff at Allegany Ballistics Laboratory (ABL) and the FEMA Engineering Library scan
paper records and the FRC receives copies of the scanned records on CD or DVD. The subset of
data center staff supporting these FEMA programs and accessing FEMA data are required to
complete standard onboarding, security in-processing, and badging processes consistent with all
other staff on the program. The facility has undergone formal assessments by the FEMA Chief
Information Security Officer (CISO) as part of the initial system authorization and subsequent
ATO renewals. FEMA destroys paper records by shredding or other NARA or FEMA-approved
method in accordance with FEMA’s records retention schedule. Digital records (excluding
scanned copies of paper LOMC records) stored on magnetic tape are destroyed by degaussing in
accordance with FEMA’s records retention schedule. The legacy MSC store system and MIP
retains credit card or electronic check information strictly for the time needed to facilitate the
ordering of maps. FEMA retains payment confirmation information and the last four digits of the
credit card or bank account number for transaction confirmation and auditing purposes. MIP and
MSC staff train on FEMA’s records retention policies and processes. Refresher training is
provided periodically or as deemed necessary by section heads. This risk is not currently mitigated
as it relates to FMIX. FEMA does not currently have a retention schedule in place for FMIX
records, which means that chat records are retained indefinitely.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 30
Section 6.0 Information Sharing
6.1 Is information shared outside of DHS as part of the normal
agency operations? If so, identify the organization(s) and how the
information is accessed and how it is to be used.
Yes. FEMA shares information with MRPs (State and local governments) pursuant to
signed agreements that allow them to make LOMC determinations on behalf of FEMA. MRPs
receive the same access to the MIP granted to FEMA staff to conduct the engineering review of
the information submitted in support of a LOMC request. The MRPs complete LOMC requests
for areas located within their governmental jurisdictions. Users receive access to the MIP via a
secure web interface requiring user authentication.
The Treasury’s Pay.gov system receives the MIP’s electronic payment information (credit
card or eCheck information). For Online LOMC payments, the individual or certifier submitting
the payment information never leaves the Online LOMC application or website. Instead, the
application opens a HTTPS session with Pay.gov and sends the relevant financial data. Pay.gov
then sends the results of the payment process back to the Online LOMC application. The HTTPS
session is closed and the transaction is complete. Any additional, external organizations do not
receive payment information.
6.2
Describe how the external sharing noted in 6.1 is compatible with
the SORN noted in 1.2.
Routine use C of the DHS/FEMA/NFIP/LOMA-001-National Flood Insurance Program
Letter of Map Amendment SORN allows FEMA to share information with its MRPs and other
contractors that are under agreement with FEMA to perform the engineering review on submitted
LOMC data on behalf of FEMA for properties within their respective jurisdictions. Revisions to
that SORN will reflect changes to NFIP’s Flood Insurance Rate Maps and reflect FEMA’s
collection of credit card information and its sharing payment information with Treasury. The
purpose of the SORN revision is to ensure accurate FIRMs and appropriate flood insurance
premiums. For consumers that wish to request changes to FIRMs, FEMA must share payment
information with Treasury to process payments to the Federal Government.
6.3
Does the project place limitations on re-dissemination?
Yes. FEMA limits re-dissemination of information within the LOMA-LOGIC tool using
an Interconnectivity Service Agreement that restricts sharing of information beyond the purposes
of that agreement.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 31
6.4
Describe how the project maintains a record of any disclosures
outside of the Department.
Disclosures of electronic records containing PII are stored in the log server for flood
mapping products and services support systems. The log includes the name of the individual
requesting the records, the purpose for the request, and the records provided.
The FEMA Engineering Library located at 847 South Pickett St., Alexandria, VA, 22034,
tracks disclosures of paper records that contain PII. FEMA’s Office of Chief Counsel and FEMA
Disclosure Office refers such requests for guidance. A tracking spreadsheet logs all requests for
such information that contain the name of the individual requesting the record, the date of the
request, and requests for that information. The FEMA Engineering Library maintains this log. In
addition, the FEMA Disclosure Office tracks Privacy Act and FOIA requests for the agency.
6.5
Privacy Impact Analysis: Related to Information Sharing
Privacy Risk: There is a risk that FEMA could share financial, mapping, or contact
information maintained by its flood mapping products and services support systems for a purpose
that is incompatible with the purpose for which it is collected.
Mitigation: FEMA mitigates this risk by only sharing information pursuant to the routine
uses of the system’s applicable SORN. FEMA reviews sharing requests and only shares
information that is necessary for the purpose of the sharing. Additionally, Information Sharing and
Access Agreements (ISAA) between FEMA and the information recipient limits further
dissemination of information beyond the recipient of the data.
Section 7.0 Redress
7.1
What are the procedures that allow individuals to access their
information?
Registered users of eLOMA and Online LOMC may access their information by logging
into the MIP. Individuals that interact with the FMIX, by chat function, can access a copy of their
chat session at the end of the session. FEMA retired the legacy PII management system for MSC
in August 2014. Legacy MSC customers can no longer access their information from the
application; however, FEMA retains customer data in accordance with FEMA’s records retention
schedule. Individuals may follow procedures outlined in the Agency’s SORNs mentioned in
Section 1.2. Requests for personal information must be made in writing, and clearly marked as a
“Privacy Act Request” for U.S. Citizens and Lawful Permanent Residents, or as “Freedom of
Information Act Request” for all other members of the public. Requests must clearly indicate the
name of the requester, the nature of the record sought, and the required verification of identity.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 32
Interested parties should send requests to: FOIA Officer, Office of Records Management, Federal
Emergency Management Agency, Department of Homeland Security, 500 C Street SW,
Washington, D.C., 20472.
Community officials whose information is stored in the MIP and MSC should follow
instructions in the NFIP ITS PIA and related SORN, DHS/FEMA-003 National Flood Insurance
Program Marketing Files, to update or correct their information.
Individuals that interact with the FMIX, whether by phone or online chat, can request
copies of their information by sending a Privacy Act or FOIA request, per the above paragraph.
Additionally, chat session participants can access a copy of their chat session at the end of the
session.
Additionally, individual’s information collected by Pay.gov is accessible in accordance
with the Treasury 009-Financial Management System SORN.
7.2
What procedures are in place to allow the subject individual to
correct inaccurate or erroneous information?
eLOMA users can edit their own account within the system or by mailing a written
statement to FEMA, identifying the information the individual believes is in error. If the error
involves information that requires certification (e.g., elevation data), the original certifier must
provide a statement that explains the cause of the original error and the steps taken to remediate
the error. Individuals may choose to send FEMA other information they deem necessary to
substantiate their statement. FEMA evaluates all requests against the original record. If FEMA
determines that there is an error, it will create a new LOMC request to correct the error and
supersede its previous determination. If no error exists, FEMA will contact the individual to
explain why FEMA determined no error exists and take no additional action.
U.S. Citizens and LPRs may use the procedures outlined in the Agency’s SORNs
mentioned in Section 1.2 or those noted in Section 7.1 of this PIA to correct erroneous information
using the DHS/FEMA Privacy Act request process. All other members of the public may request
information as stated in Section 7.1; however, individuals who may need correction of erroneous
information may go through FIMA RMD. Interested parties should send requests for corrections
to: Risk Management Directorate, Federal Emergency Management Agency, Department of
Homeland Security, 400 C Street, SW, Washington, D.C., 20472 or make a request using the
customer service options mentioned in this PIA.
Community officials who wish to correct their information should follow procedures
outlined in Section 7.2 of the NFIP ITS PIA (DHS/FEMA/PIA-011).
Additionally, individuals’ information collected by Pay.gov is accessible in accordance
with the Treasury 009-Financial Management System SORN.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 33
7.3
How does the project notify individuals about the procedures for
correcting their information?
FEMA notifies MIP users about change procedures in the MIP user guide/handbook. All
user guides and other documentation for the MIP are located online and are accessible from the
application’s home page. Additional help is available to users by calling the dedicated helpdesk.
FEMA also provides users of its flood mapping products and services support systems with
notice of procedures for correcting their information by way of this PIA and the SORNs outlined
in Section 1.2.
7.4
Privacy Impact Analysis: Related to Redress
Privacy Risk: There is a risk that an individual may not have an option to access or correct
their information maintain by FEMA’s flood mapping products and service programs.
Mitigation: FEMA mitigates this risk by using the existing federal information access
framework such as the PA and FOIA to gain access to their records. Additionally, FEMA may
allow property owners that may be foreign entities or persons, including undocumented
immigrants, a way to access and correct erroneous information about themselves or their property.
Such individuals may contact FIMA RMD to correct erroneous information without providing
their citizenship status.
Section 8.0 Auditing and Accountability
8.1
How does the project ensure that the information is used in
accordance with stated practices in this PIA?
Only FEMA and its contractors have access to information collected in support of LOMC
requests and legacy MSC store orders. For electronic records contained within FEMA’s flood
mapping products and services support systems, user roles define what data a user can access.
FEMA constantly monitors audits of account modifications and security operations. Modifying a
record logs a security event. Administrators review logs on a monthly basis. Additionally, an
Intrusion Detection System/Intrusion Prevention System (IDS/IPS) warns when security
operations fail repeatedly. FEMA protects information contained in the application by assigning
user roles. Circumventing or attempting to circumvent the role-based user account privileges will
cause the IDS/IPS to flag the activity as an intrusion and appropriate actions will be taken by
administrative staff to terminate such illicit access. For paper forms/applications, FEMA has a
formal inventory of materials to facilitate a phase and control approach to the scanning and
digitizing of paper files. FEMA performs Quality Assurance (QA)/Quality Control (QC) reviews
prior to destruction. FEMA reviews the records against the FIMA records schedule as mentioned
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 34
in Section 5.1 of this PIA to ensure compliance with the Federal Records Management Framework.
Finally, in the case of information/collaboration web portals, FEMA has established policies to
protect users’ privacy. Specifically, FEMA staff periodically review user lists and document
libraries to make sure that users’ access is warranted and that sensitive PII (SPII) has not been
shared accidentally. FEMA provides details in its flood mapping products and services support
systems’ system security plans (SSP).
8.2
Describe what privacy training is provided to users either
generally or specifically relevant to the project.
FEMA provides initial and annual refresher privacy and security training. FEMA requires
employee and contractor staff to receive privacy and security training as conditions of obtaining
public trust access to FEMA information and facilities. Additionally, FEMA staff are required to
complete annual security awareness training, which includes training on privacy and the protection
of PII before accessing FEMA’s network and information systems. FEMA staff provides privacy
and security training to MRPs at least once annually. Refresher training may also be required or
provided to MRP staff and FEMA employees and contractors if deemed necessary by FEMA
management.
8.3
What procedures are in place to determine which users may
access the information and how does the project determine who
has access?
Generally, the public can access the publicly-available mapping information by providing
their information such as name and email address.
For FEMA Flood Mapping Products and Service SharePoint portals, a requestor enters
limited PII into a SharePoint account request form, which they email to the site administrator. The
RMD System Owner or designee reviews the request and grants the person permission to join the
SharePoint portal.
For MIP, FEMA RMD program management authorizes all access delegations (Mapping
Review Partners listed in Appendix B) and user role assignments. The FEMA System Owner or
designee reviews requests for access and creates the role-based access to the system based on user
responsibilities within FEMA. Each user account has specific privileges based on roles with access
controlled on a need-to-know basis, so that only data relevant to the specific user and role is
accessible. FEMA defines the user roles available in the SSP on file.
FEMA’s instance of LOMA-LOGIC requires users to have a valid MIP account. The
requestor provides his or her name, contact information, and supervisor, as well as an
acknowledgement of completion of FEMA Security and Privacy Awareness Training. FEMA
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 35
management approval allows the LOMA-LOGIC system administrator to create the account with
appropriate role-based access.
8.4
How does the project review and approve information sharing
agreements, MOUs, new uses of the information, new access to the
system by organizations within DHS and outside?
FEMA’s Privacy Officer, Office of Chief Counsel (OCC), information security staff, and
Office of the Chief Security Officer review all proposed Mapping Activity Statements,
Memoranda of Understanding, and Information Sharing Agreements prior to sharing data stored
within FEMA’s flood mapping products and services support systems.
Responsible Officials
William H. Holzerland
Senior Director for Information Management/Privacy Officer
Federal Emergency Management Agency
U.S. Department of Homeland Security
Approval Signature
Original, signed copy on file with the DHS Privacy Office.
________________________________
Jonathan R. Cantor
Acting Chief Privacy Officer
Department of Homeland Security
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 36
APPENDIX A: FEMA FORMS
OMB ICR # 1660-0015: FEMA Form MT-1 “Application Forms for Conditional Letters
of Map Amendment (CLOMAs), Final Letters of Map Amendment (LOMAs), Letters of Map
Revision Based on Fill (LOMR-Fs), and Conditional Letters of Map Revision Based on Fill
(CLOMR-Fs),” includes:
FEMA Form 086-0-26, Property Information Form;
FEMA Form 086-0-26A, Elevation Form; and
FEMA Form 086-0-26B, Community Acknowledgement of Fill.
OMB #1660-0016: FEMA Form MT-2“Application Forms for Conditional Letters of Map
Revision (CLOMR) and Letters of Map Revision (LOMRs),” includes:
FEMA Form 086-0-27, Overview & Concurrence Form;
FEMA Form 086-0-27A, Riverine Hydrology & Hydraulics Form;
FEMA Form 086-0-27B, Riverine Structures Form;
FEMA Form 086-0-27C, Coastal Analysis Form;
FEMA Form 086-0-27D, Coastal Structures Form; and
FEMA Form 086-0-27E, Alluvial Fan Flooding Form.
OMB #1660-0130: “Flood Risk Awareness Survey,” which does not use a FEMA form.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 37
APPENDIX B: FEMA Mapping Review Partners
Below is a listing of FEMA’s Mapping Review Partners:
State of Alabama;
Denver Urban Drainage; Denver, Colorado;
Harris County, Texas;
State of Illinois;
Mecklenburg County, North Carolina; and
State of North Carolina.
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 38
APPENDIX C: Acronyms List
Below is a listing of all acronyms mentioned in this document:
ABL: Allegany Ballistics Laboratory
APA: Agency Participation Agreement
ATO: Authority to Operate
BFE: Base Flood Elevation
BFD: Base Flood Depths
CIS: NFIP Community Information System
CLOMA: Conditional Letters of Map Amendment
CLOMR-F: Conditional Letters of Map Revision Based on Fill
CNMS: Coordinated Needs Management System
DHS: Department of Homeland Security
eCheck: Electronic Check
eLOMA: Electronic Letter of Map Amendment
ESRI: Environment Systems Research Institute, Inc.
FAMIS: Financial Account Management Inventory System
FBFM: Flood Boundary Floodway Maps
FEMA: Federal Emergency Management Agency
FIMA: Federal Insurance and Mitigation Administration
FIRM: Flood Insurance Rate Map
FIS: Flood Insurance Studies
FMIX: FEMA Information Exchange
FMS: Treasury Financial Management Service
FOIA: Freedom of Information Act
HAZUS-MH: Hazards US—Multi Hazard
IDS/IPS: Intrusion Detection System/Intrusion Prevention System
ISSO: Information System Security Office
Privacy Impact Assessment
DHS/FEMA/PIA-043
FEMA Hazard Mitigation Planning and
Flood Mapping Products and Services Support Systems
Page 39
LDAP: Lightweight Directory Access Protocol
LOMA: Letter of Map Amendment
LOMC: Letter of Map Change
LOMR-F: Letter of Map Revision Based on Fill
LOMR: Letter of Map Revision
MAT: Mitigation Action Tracker
MIP: Mapping Information Platform
MRP: Mapping Review Partners
MOU: Memorandum of Understanding
MPP: Mitigation Planning Portal
MSC: Map Service Center
NARA: National Archives and Records Administration
NFDA: National Flood Determination Association
NFIA: National Flood Insurance Act of 1968
NFIP: National Flood Insurance Program
OCIO: FEMA Office of the Chief Information Officer
PIA: Privacy Impact Assessment
PII: Personally Identifiable Information
RMD: Risk Management Directorate
SFHA: Special Flood Hazard Area
SORN: System of Record Notice
SPII: Sensitive Personally Identifiable Information
File Type | application/pdf |
File Title | DHS/FEMA/PIA-045 Hazard Mitigation Planning and Flood Mapping Products and Services, 20170626 |
Author | U.S. Department of Homeland Security Privacy Office |
File Modified | 2017-06-26 |
File Created | 2017-06-26 |