Privacy Act of 1974; Notice of a Modified System of Records

Issuing agencies

Abstract

Pursuant to the provisions of the Privacy Act of 1974, notice is given that the General Services Administration (GSA) proposes to modify an existing system of records, entitled GSA/PPFM-11, Pegasys. This system of records is directed to the records within GSA's financial management system. Pegasys is GSA's financial management system of record for financial transactions and reporting utilized for its main business lines including the Federal Acquisition Service (FAS), Public Buildings Service (PBS), and General Management and Administrative Offices.

Full Text

<html>
<head>
<title>Federal Register, Volume 91 Issue 7 (Monday, January 12, 2026)</title>
</head>
<body><pre>
[Federal Register Volume 91, Number 7 (Monday, January 12, 2026)]
[Notices]
[Pages 1188-1190]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2026-00358]


=======================================================================
-----------------------------------------------------------------------

GENERAL SERVICES ADMINISTRATION

[Notice-IEB-2026-01; Docket No. 2026-0002; Sequence No. 01]


Privacy Act of 1974; Notice of a Modified System of Records

AGENCY: General Services Administration (GSA).

ACTION: Notice of a modified system of records.

-----------------------------------------------------------------------

SUMMARY: Pursuant to the provisions of the Privacy Act of 1974, notice 
is given that the General Services Administration (GSA) proposes to 
modify an existing system of records, entitled GSA/PPFM-11, Pegasys. 
This system of records is directed to the records within GSA's 
financial management system. Pegasys is GSA's financial management 
system of record for financial transactions and reporting utilized for 
its main business lines including the Federal Acquisition Service 
(FAS), Public Buildings Service (PBS), and General Management and 
Administrative Offices.

DATES: Submit comments on or before February 11, 2026. This notice is 
effective upon publication; however, the new or modified routine uses 
of this action will be active on February 11, 2026.

ADDRESSES: Comments may be submitted to the Federal eRulemaking

[[Page 1189]]

Portal, <a href="http://www.regulations.gov">http://www.regulations.gov</a>. Submit comments by searching for 
GSA/PPFM-11, Pegasys.

FOR FURTHER INFORMATION CONTACT: Call or email Richard Speidel, Chief 
Privacy Officer at 202-969-5830 and <a href="/cdn-cgi/l/email-protection#e1869280cf91938897808298808295a1869280cf868e97"><span class="__cf_email__" data-cfemail="8deafeeca3fdffe4fbeceef4eceef9cdeafeeca3eae2fb">[email&#160;protected]</span></a>.

SUPPLEMENTARY INFORMATION: GSA proposes to modify a system of records 
subject to the Privacy Act of 1974, 5 U.S.C. 552a.
    As background, the General Services Administration re-acquired full 
ownership and responsibility of the Pegasys system from USDA in 2023. 
The records had previously been managed under USDA/OCFO-10 Financial 
Systems from 2016 to 2023 and have been managed under the previous 
version (October 2006, revised January 2014) of this SORN since then. 
The History section contains additional information related to the 
disposition of these records.
    GSA is adding three routine uses (h, i, and j) to include those 
uses related to both forwarding information to a member of Congress and 
breach investigation. GSA is also adding a routine use in accordance 
with OMB M-25-32 (k). Moreover, GSA is making minor grammatical changes 
to routine uses a, b, and g to clarify the intent of those uses. GSA is 
also making technical changes to GSA/PPFM-11 consistent with the 
template laid out in OMB Circular No. A-108. Accordingly, GSA has made 
technical corrections and non-substantive language revisions to the 
following sections: ``Policies and Practices for Storage of Records,'' 
``Policies and Practices for Retrieval of Records,'' ``Policies and 
Practices for Retention and Disposal of Records,'' ``Administrative, 
Technical and Physical Safeguards,'' ``Record Access Procedures,'' 
``Contesting Record Procedures,'' and ``Notification Procedures.'' GSA 
has also created the following new sections: ``Security 
Classification'' and ``History.''
SYSTEM NAME AND NUMBER:
    Pegasys, GSA/PPFM-11.

SECURITY CLASSIFICATION:
    Unclassified.

SYSTEM LOCATION:
    The system's records are maintained on behalf of GSA by Amazon, 
whose headquarters is located in Seattle, Washington, US.

SYSTEM MANAGER:
    Deputy Director, Office of Financial Management (BG), U.S. General 
Services Administration, 1800 F Street NW, Washington, DC 20405.

AUTHORITY FOR MAINTENANCE OF THE SYSTEM:
    The Chief Financial Officers Act of 1990 (Pub. L. 101-576) as 
amended.

PURPOSES OF THE SYSTEM:
    Pegasys is the GSA core financial management system to make 
payments and record accounting transactions. This includes funds 
management (budget execution and purchasing), credit cards, accounts 
payable, disbursements, standard general ledger, and reporting. The 
system provides financial transaction processing and financial analysis 
for its main business lines of Federal supplies and technology, public 
buildings, and general management and administration offices.

CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:
    Individuals who appear in this system of records include GSA 
vendors (members of the public), other federal agency employees, and 
GSA employees.

CATEGORIES OF RECORDS IN THE SYSTEM:
    Pegasys contains records pertaining to financial information. These 
records include, but are not limited to, one or more of the following 
information types: Name, Business Contact information (business email 
address, business phone number, etc.), Social Security Number (SSN), 
home address, banking information, and limited information related to 
GSA-issued credit cards.

RECORD SOURCE CATEGORIES:
    The sources for information in this system are the individuals 
about whom the records are maintained as well as information assigned 
by GSA (such as credit card issuance information).

ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES 
OF USERS AND PURPOSES OF SUCH USES:
    In addition to those disclosures generally permitted under 5 U.S.C. 
552a(b) of the Privacy Act, all or a portion of the records or 
information contained in this system may be disclosed to authorized 
entities, as is determined to be relevant and necessary, outside GSA as 
a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
    a. In a proceeding before a court or adjudicative body before which 
the agency is authorized to appear, when (a) the agency, or any 
component thereof; or (b) any employee of the agency in his or her 
official capacity; or (c) any employee of the agency in his or her 
individual capacity where the agency has agreed to represent the 
employee; or (d) the United States, where the agency determines that 
litigation is likely to affect the agency or any of -its components, is 
a party to litigation or has an interest in such litigation, and the 
agency determines that use of such records is relevant and necessary to 
the litigation.
    b. To officials authorized by GSA to conduct investigations, who 
are investigating or settling a grievance, complaint, or appeal filed 
by an individual who is the subject of the record.
    c. To a Federal agency in connection with the hiring or retention 
of an employee; the issuance of a security clearance; the reporting of 
an investigation; the letting of a contract; or the issuance of a 
grant, license, or other benefit to the extent that the information is 
relevant and necessary to a decision.
    d. To the U.S. Office of Personnel Management (OPM), the Office of 
Management and Budget (OMB), or the U.S. Government Accountability 
Office (GAO) when the information is required for program evaluation 
purposes.
    e. To an expert, consultant, or contractor of GSA in the 
performance of a Federal duty to which the information is relevant, to 
a board, committee, commission, or small agency receiving 
administrative services from GSA to which the information relates; or 
an expert, consultant, or contractor of a board, committee, commission, 
or small agency receiving administrative services from GSA to which the 
information relates in the performance of a Federal duty to which the 
information is relevant.
    f. To the National Archives and Records Administration (NARA) for 
records management purposes.
    g. To appropriate agencies, entities, and persons when (1) GSA 
suspects or has confirmed that there has been a breach of the system of 
records; (2) GSA has determined that as a result of the suspected or 
confirmed breach there is a risk of harm to individuals, GSA (including 
its information systems, programs, and operations), the Federal 
Government, or national security; and (3) the disclosure made to such 
agencies, entities, and persons is reasonably necessary to assist in 
connection with GSA's efforts to respond to the suspected or confirmed 
breach or to prevent, minimize, or remedy such harm.
    h. To a Member of Congress or staff on behalf of and at the request 
of the individual who is the subject of the record.
    i. To another Federal agency or Federal entity, when GSA determines 
that information from this system of records is reasonably necessary to 
assist the recipient agency or entity in (1)

[[Page 1190]]

responding to a suspected or confirmed breach or (2) preventing, 
minimizing, or remedying the risk of harm to individuals, the recipient 
agency or entity (including its information systems, programs, and 
operations), the Federal Government, or national security, resulting 
from a suspected or confirmed breach.
    j. To compare such records to other agencies' systems of records or 
to non-Federal records, in coordination with an Office of Inspector 
General (OIG) in conducting an audit, investigation, inspection, 
evaluation, or some other review as authorized by the Inspector General 
Act.
    k. To the U.S. Department of the Treasury when disclosure of the 
information is relevant to review payment and award eligibility through 
the Do Not Pay Working System for the purposes of identifying, 
preventing, or recouping improper payments to an applicant for, or 
recipient of, Federal funds, including funds disbursed by a state 
(meaning a state of the United States, the District of Columbia, a 
territory or possession of the United States, or a federally recognized 
Indian tribe) in a state-administered, federally funded program.

POLICIES AND PRACTICES FOR STORAGE OF RECORDS:
    All records are stored electronically in a database. Information is 
encrypted in transit and at rest.

POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:
    Information on individuals contained in Pegasys records are 
retrievable by name or other identifier.

POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:
    Records are retained in the system to support transactional 
integrity and will be retained according to the National Archives and 
Records Administration (NARA) General Records Schedule 1.1--Financial 
Management and Reporting Recording Records.

ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:
    Access is limited to authorized individuals with passwords, and the 
database is maintained behind a certified firewall. Information on 
individuals is released only to authorized persons with a lawful 
government purpose and in accordance with the provisions of routine 
use. Additionally, vulnerability scanning, real-time intrusion 
detection, firewall monitoring and alerts, database monitoring, site 
protection monitoring, identity management monitoring, virus and 
compliance scans are performed on a scheduled basis to ensure adequate 
security measures are in place to prevent unauthorized access.

RECORD ACCESS PROCEDURES:
    If an individual wishes to access any data or record pertaining to 
him or her in the system after it has been submitted, that individual 
should consult the GSA's Privacy Act implementation rules available at 
41 CFR part 105-64.2.

CONTESTING RECORD PROCEDURES:
    If an individual wishes to contest the content of any record 
pertaining to him or her in the system after it has been submitted, 
that individual should consult the GSA's Privacy Act implementation 
rules available at 41 CFR part 105-64.4.

NOTIFICATION PROCEDURES:
    If an individual wishes to be notified at his or her request if the 
system contains a record pertaining to him or her after it has been 
submitted, that individual should consult the GSA's Privacy Act 
implementation rules available at 41 CFR part 105-64.4.

EXEMPTIONS PROMULGATED FOR THE SYSTEM:
    None.

HISTORY:
    The initial Notice in connection with this system of records was 
published on October 16, 2006 (71 FR 60710). Under GSA, a first updated 
Notice was published on April 25, 2008 (73 FR 22396) and a second 
updated Notice was published on December 31, 2013 (78 FR 79694). These 
records were then transferred to the US Department of Agriculture and 
administered under USDA/OCFO-10, which was previously published in the 
Federal Register on December 19, 2018 (83 FR 67712).

Richard Speidel,
Chief Privacy Officer, Office of Enterprise Data & Privacy Management, 
General Services Administration.
[FR Doc. 2026-00358 Filed 1-9-26; 8:45 am]
BILLING CODE 6820-AB-P


</pre><script data-cfasync="false" src="/cdn-cgi/scripts/5c5dd728/cloudflare-static/email-decode.min.js"></script></body>
</html>