# Privacy Act of 1974; Notice of a Modified System of Records
**AGENCY:**
General Services Administration (GSA).
**ACTION:**
Notice of a modified system of records.
**SUMMARY:**
Pursuant to the provisions of the Privacy Act of 1974, notice is given that the General Services Administration (GSA) proposes to modify an existing system of records, entitled GSA/PPFM-11, Pegasys. This system of records is directed to the records within GSA's financial management system. Pegasys is GSA's financial management system of record for financial transactions and reporting utilized for its main business lines including the Federal Acquisition Service (FAS), Public Buildings Service (PBS), and General Management and Administrative Offices.
**DATES:**
Submit comments on or before February 11, 2026. This notice is effective upon publication; however, the new or modified routine uses of this action will be active on February 11, 2026.
**ADDRESSES:**
Comments may be submitted to the Federal eRulemaking Portal, *http://www.regulations.gov* . Submit comments by searching for GSA/PPFM-11, Pegasys.
**FOR FURTHER INFORMATION CONTACT:**
Call or email Richard Speidel, Chief Privacy Officer at 202-969-5830 and *[email protected]* .
**SUPPLEMENTARY INFORMATION:**
GSA proposes to modify a system of records subject to the Privacy Act of 1974, 5 U.S.C. 552a.
As background, the General Services Administration re-acquired full ownership and responsibility of the Pegasys system from USDA in 2023. The records had previously been managed under USDA/OCFO-10 Financial Systems from 2016 to 2023 and have been managed under the previous version (October 2006, revised January 2014) of this SORN since then. The History section contains additional information related to the disposition of these records.
GSA is adding three routine uses (h, i, and j) to include those uses related to both forwarding information to a member of Congress and breach investigation. GSA is also adding a routine use in accordance with OMB M-25-32 (k). Moreover, GSA is making minor grammatical changes to routine uses a, b, and g to clarify the intent of those uses. GSA is also making technical changes to GSA/PPFM-11 consistent with the template laid out in OMB Circular No. A-108. Accordingly, GSA has made technical corrections and non-substantive language revisions to the following sections: “Policies and Practices for Storage of Records,” “Policies and Practices for Retrieval of Records,” “Policies and Practices for Retention and Disposal of Records,” “Administrative, Technical and Physical Safeguards,” “Record Access Procedures,” “Contesting Record Procedures,” and “Notification Procedures.” GSA has also created the following new sections: “Security Classification” and “History.”
**SYSTEM NAME AND NUMBER:**
Pegasys, GSA/PPFM-11.
**SECURITY CLASSIFICATION:**
Unclassified.
**SYSTEM LOCATION:**
The system's records are maintained on behalf of GSA by Amazon, whose headquarters is located in Seattle, Washington, US.
**SYSTEM MANAGER:**
Deputy Director, Office of Financial Management (BG), U.S. General Services Administration, 1800 F Street NW, Washington, DC 20405.
**AUTHORITY FOR MAINTENANCE OF THE SYSTEM:**
The Chief Financial Officers Act of 1990 (Pub. L. 101-576) as amended.
**PURPOSES OF THE SYSTEM:**
Pegasys is the GSA core financial management system to make payments and record accounting transactions. This includes funds management (budget execution and purchasing), credit cards, accounts payable, disbursements, standard general ledger, and reporting. The system provides financial transaction processing and financial analysis for its main business lines of Federal supplies and technology, public buildings, and general management and administration offices.
**CATEGORIES OF INDIVIDUALS COVERED BY THE SYSTEM:**
Individuals who appear in this system of records include GSA vendors (members of the public), other federal agency employees, and GSA employees.
**CATEGORIES OF RECORDS IN THE SYSTEM:**
Pegasys contains records pertaining to financial information. These records include, but are not limited to, one or more of the following information types: Name, Business Contact information (business email address, business phone number, etc.), Social Security Number (SSN), home address, banking information, and limited information related to GSA-issued credit cards.
**RECORD SOURCE CATEGORIES:**
The sources for information in this system are the individuals about whom the records are maintained as well as information assigned by GSA (such as credit card issuance information).
**ROUTINE USES OF RECORDS MAINTAINED IN THE SYSTEM, INCLUDING CATEGORIES OF USERS AND PURPOSES OF SUCH USES:**
In addition to those disclosures generally permitted under 5 U.S.C. 552a(b) of the Privacy Act, all or a portion of the records or information contained in this system may be disclosed to authorized entities, as is determined to be relevant and necessary, outside GSA as a routine use pursuant to 5 U.S.C. 552a(b)(3) as follows:
a. In a proceeding before a court or adjudicative body before which the agency is authorized to appear, when (a) the agency, or any component thereof; or (b) any employee of the agency in his or her official capacity; or (c) any employee of the agency in his or her individual capacity where the agency has agreed to represent the employee; or (d) the United States, where the agency determines that litigation is likely to affect the agency or any of -its components, is a party to litigation or has an interest in such litigation, and the agency determines that use of such records is relevant and necessary to the litigation.
b. To officials authorized by GSA to conduct investigations, who are investigating or settling a grievance, complaint, or appeal filed by an individual who is the subject of the record.
c. To a Federal agency in connection with the hiring or retention of an employee; the issuance of a security clearance; the reporting of an investigation; the letting of a contract; or the issuance of a grant, license, or other benefit to the extent that the information is relevant and necessary to a decision.
d. To the U.S. Office of Personnel Management (OPM), the Office of Management and Budget (OMB), or the U.S. Government Accountability Office (GAO) when the information is required for program evaluation purposes.
e. To an expert, consultant, or contractor of GSA in the performance of a Federal duty to which the information is relevant, to a board, committee, commission, or small agency receiving administrative services from GSA to which the information relates; or an expert, consultant, or contractor of a board, committee, commission, or small agency receiving administrative services from GSA to which the information relates in the performance of a Federal duty to which the information is relevant.
f. To the National Archives and Records Administration (NARA) for records management purposes.
g. To appropriate agencies, entities, and persons when (1) GSA suspects or has confirmed that there has been a breach of the system of records; (2) GSA has determined that as a result of the suspected or confirmed breach there is a risk of harm to individuals, GSA (including its information systems, programs, and operations), the Federal Government, or national security; and (3) the disclosure made to such agencies, entities, and persons is reasonably necessary to assist in connection with GSA's efforts to respond to the suspected or confirmed breach or to prevent, minimize, or remedy such harm.
h. To a Member of Congress or staff on behalf of and at the request of the individual who is the subject of the record.
i. To another Federal agency or Federal entity, when GSA determines that information from this system of records is reasonably necessary to assist the recipient agency or entity in (1) responding to a suspected or confirmed breach or (2) preventing, minimizing, or remedying the risk of harm to individuals, the recipient agency or entity (including its information systems, programs, and operations), the Federal Government, or national security, resulting from a suspected or confirmed breach.
j. To compare such records to other agencies' systems of records or to non-Federal records, in coordination with an Office of Inspector General (OIG) in conducting an audit, investigation, inspection, evaluation, or some other review as authorized by the Inspector General Act.
k. To the U.S. Department of the Treasury when disclosure of the information is relevant to review payment and award eligibility through the Do Not Pay Working System for the purposes of identifying, preventing, or recouping improper payments to an applicant for, or recipient of, Federal funds, including funds disbursed by a state (meaning a state of the United States, the District of Columbia, a territory or possession of the United States, or a federally recognized Indian tribe) in a state-administered, federally funded program.
**POLICIES AND PRACTICES FOR STORAGE OF RECORDS:**
All records are stored electronically in a database. Information is encrypted in transit and at rest.
**POLICIES AND PRACTICES FOR RETRIEVAL OF RECORDS:**
Information on individuals contained in Pegasys records are retrievable by name or other identifier.
**POLICIES AND PRACTICES FOR RETENTION AND DISPOSAL OF RECORDS:**
Records are retained in the system to support transactional integrity and will be retained according to the National Archives and Records Administration (NARA) General Records Schedule 1.1—Financial Management and Reporting Recording Records.
**ADMINISTRATIVE, TECHNICAL, AND PHYSICAL SAFEGUARDS:**
Access is limited to authorized individuals with passwords, and the database is maintained behind a certified firewall. Information on individuals is released only to authorized persons with a lawful government purpose and in accordance with the provisions of routine use. Additionally, vulnerability scanning, real-time intrusion detection, firewall monitoring and alerts, database monitoring, site protection monitoring, identity management monitoring, virus and compliance scans are performed on a scheduled basis to ensure adequate security measures are in place to prevent unauthorized access.
**RECORD ACCESS PROCEDURES:**
If an individual wishes to access any data or record pertaining to him or her in the system after it has been submitted, that individual should consult the GSA's Privacy Act implementation rules available at 41 CFR part 105-64.2.
**CONTESTING RECORD PROCEDURES:**
If an individual wishes to contest the content of any record pertaining to him or her in the system after it has been submitted, that individual should consult the GSA's Privacy Act implementation rules available at 41 CFR part 105-64.4.
**NOTIFICATION PROCEDURES:**
If an individual wishes to be notified at his or her request if the system contains a record pertaining to him or her after it has been submitted, that individual should consult the GSA's Privacy Act implementation rules available at 41 CFR part 105-64.4.
**EXEMPTIONS PROMULGATED FOR THE SYSTEM:**
None.
**HISTORY:**
The initial Notice in connection with this system of records was published on October 16, 2006 (71 FR 60710). Under GSA, a first updated Notice was published on April 25, 2008 (73 FR 22396) and a second updated Notice was published on December 31, 2013 (78 FR 79694). These records were then transferred to the US Department of Agriculture and administered under USDA/OCFO-10, which was previously published in the *Federal Register* on December 19, 2018 (83 FR 67712).
Richard Speidel,
Chief Privacy Officer, Office of Enterprise Data & Privacy Management, General Services Administration.