COMPUTER MATCHING AGREEMENT
BETWEEN
UNITED STATES DEPARTMENT OF HOMELAND SECURITY (DHS)
FEDERAL EMERGENCY MANAGEMENT AGENCY (FEMA)
AND
UNITED STATES DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT (HUD)
I. INTRODUCTION
The DEPARTMENT OF HOMELAND SECURITY, FEDERAL EMERGENCY
MANAGEMENT AGENCY (DHS/FEMA) and the U.S. DEPARTMENT OF HOUSING AND
URBAN DEVELOPMENT (HUD) have entered into this Computer Matching Agreement (CMA)
(Agreement) pursuant to subsection (o) of the Privacy Act of 1974, (Privacy Act), 5 U.S.C. § 552a,
as amended by the Computer Matching and Privacy Protection Act of 1988, and the Computer
Matching and Privacy Protection Act Amendments of 1990; as well as Office of Management and
Budget (OMB) guidelines pertaining to computer matching (e.g., 54 Fed. Reg. 25,818 (June 19,
1989); 56 Fed. Reg. 18,599 (April 23, 1991)). For purposes of this Agreement, DHS/FEMA and
HUD will serve as both source and recipient agencies, as defined in 5 U.S.C. § 552a(a)(9) and
(11).
II. PURPOSE AND LEGAL AUTHORITY
Pursuant to the Robert T. Stafford Disaster and Emergency Assistance Act (Pub. L. 93-288),
as amended at 42 U.S.C. § 5121 et seq., DHS/FEMA and HUD may not provide duplicative disaster
assistance to individuals, businesses, including Private-Not-for Profits (PNPs), or other entities for
the same disaster or emergency losses. To accomplish this, DHS/FEMA and HUD will participate
in a Computer Matching program to share data and financial/benefits award decisions of
individuals, businesses, and/or other entities to prevent duplicative aid from being provided in
response to the same disaster or emergency. Pursuant to the Privacy Act’s subsection
552a(o)(1)(A) requirement, the purpose and legal authority for this computer matching program is
described below:
Purpose. This Agreement establishes the Computer Matching program between DHS/FEMA
and HUD. The Computer Matching program seeks to establish or verify initial or continuing
eligibility for DHS/FEMA disaster assistance; prevent duplicative disaster assistance payments; or
recoup duplicative payments and delinquent debts under the programs referenced in this
Agreement, which will result in individuals being quickly and effectively transitioned from
temporary relief programs administered by DHS/FEMA into long-term relief programs
administered by HUD. It also enables HUD’s Community Development Block Grant Disaster
Recovery (CDBG-DR) grantees, including states, local governments, and Indian tribes (as directed
by the applicable appropriations act), to use FEMA data to determine the correct award amount
for eligible program beneficiaries by identifying unmet needs of FEMA applicants; prevent the
duplication of benefits; implement the statutory requirement that CDBG-DR funds may not be
used for activities reimbursable by or for which funds are made available by FEMA; and
implement the statutory requirement to establish procedures to detect and prevent waste, fraud,
and abuse of funds. To accomplish this purpose, this agreement permits HUD to provide data to
CDBG-DR allocatees before the grant agreement is signed, so long as the state, local government,
or Indian tribe that is awarded the CDBG-DR allocation has entered an information sharing
agreement with HUD. For purposes of this agreement, the term “CDBG-DR grantee(s)” includes
CDBG-DR allocatees.
Legal Authority. This Agreement is executed in compliance with the Privacy Act and other
statutes discussed in this Agreement, their implementing regulations, and related notices and
guidance.
A. The Robert T. Stafford Disaster and Emergency Assistance Act, as amended (Stafford
Act), 42 U.S.C. § 5121 et seq., requires each federal agency that administers any
program that provides financial assistance as a result of a major disaster or emergency
to assure that no individual or entity receives duplicate financial assistance under any
program or from insurance or any other source, 42 U.S.C. § 5155(a). The Stafford Act
requires DHS/FEMA or HUD (whichever agency provided the duplicative assistance)
to recover all duplicative assistance from the recipient, when the head of such agency
considers it to be in the best interest of the Federal Government, 42 U.S.C. § 5155(c).
B. Section 408(i) of the Stafford Act, 42 U.S.C. § 5174(i), directs and authorizes
DHS/FEMA, in carrying out Section 408 (Federal Assistance to Individuals and
Households), to “develop a system, including an electronic database,” to:
1. Verify the identity and address of recipients of assistance to provide reasonable
assurance that payments are made only to an individual or household that is
eligible for such assistance by sharing personally identifiable information (PII);
2. Minimize the risk of making duplicative payments or payments for fraudulent
claims;
3. Collect any duplicate payment on a claim, or reduce the amount of subsequent
payments to offset the amount of any such duplicate payment;
4. Provide instructions to recipients of assistance regarding the proper use of any
such assistance, regardless of how such assistance is distributed; and
5. Conduct an expedited and simplified review and appeal process for an
individual or household whose application for assistance is denied.
C. Section 408(f) of the Stafford Act, 42 U.S.C. § 5174(f)(2), authorizes DHS/FEMA to
provide states impacted by disasters with access to DHS/FEMA’s electronic records of
individuals and households receiving assistance in order for the states to make available
any additional state and local assistance to the affected individuals and households.
1. Pursuant to Routine Use H.1 of the DHS/FEMA-008 Disaster Recovery
Assistance Files System of Records, 78 Fed. Reg. 25,282 (April 30, 2013)
(Routine Use H.1), DHS/FEMA may disclose applicant information to other
federal agencies and agencies of state, tribal, and local governments to prevent
duplication of benefits and/or to address unmet needs of eligible, ineligible, or
partially eligible FEMA applicants.
2. Pursuant to Routine Use R of the DHS/FEMA-008 Disaster Recovery
Assistance Files System of Records, 78 Fed. Reg. 25,282 (April 30, 2013)
(Routine Use R), FEMA may share information with other federal, state, local,
or tribal government agencies, and voluntary organizations under approved
computer matching efforts.
D. The Debt Collection Improvement Act of 1996, 31 U.S.C. §§ 3325(d) and 7701(c)(1),
requires federal agencies to collect the taxpayer identification number (Social
Security Number (SSN)) of each person who receives payments from the Federal
Government; each person doing business with the Federal Government is required
to furnish his or her taxpayer identification number.
1. For the purposes of 31 U.S.C. § 7701, a person is considered to be doing
business with the Federal Government if the person is:
i. A lender or servicer in a federal guaranteed or insured loan program
administered by a federal agency;
ii. An applicant for, or recipient of, a federal license, permit, right-of-way,
grant or benefit payment administered by a federal agency;
iii. A contractor of a federal agency;
iv. Assessed a fine, fee, royalty, or penalty by a federal agency;
v. In a relationship with a federal agency that may give rise to a receivable
due to that agency, such as a partner of a borrower in or a guarantor of
a federal direct or insured loan administered by the federal agency.
Each federal agency must inform each person required to disclose his or her
taxpayer identification number of the agency’s intent to use such number for
purposes of collecting and reporting on any delinquent amounts arising out of such
person’s relationship with the Federal Government.
E. Fraud, waste, and abuse prevention efforts pursuant to the aforementioned statutory
authorities are also applicable to certain FEMA-administered pilot programs designed
to provide alternative or additional federal disaster assistance programs. 6 U.S.C. §§
776-777.
F. Section 904 of the Stewart B. McKinney Homeless Assistance Amendments Act of
1988 (the McKinney Act), 42 U.S.C. § 3544, authorizes HUD to require applicants or
participants in any HUD program involving review of an applicant’s or participant’s
income to sign a consent form authorizing HUD, the public housing agency, or the
owner to verify income information. Pursuant to section 239 of Public Law 111-8,
Omnibus Appropriations Act, 2009, 123 Stat. 981, March 11, 2009, the Disaster
Housing Assistance Programs administered by HUD are considered a HUD program
under section 904 of the McKinney Act for the purpose of income verification and
matching.
G. HUD’s system of records notices provide individuals with notice of HUD’s intended
uses of information contained within the following systems of records:
1. Inventory Management Systems (IMS), also known as the Public and Indian
Housing Information Center (PIC), HUD/PIH.01, 77 Fed. Reg. 22,337 (April
13, 2012);
2. Enterprise Income Verification (EIV), HUD/PIH-5, 74 Fed. Reg. 45,235
(September 1, 2009); and
3. Tenant Rental Assistance Certification System (TRACS), HSNG/MF.HTS.02,
81 Fed. Reg. 56,684 (August 22, 2016).
Specifically, the system of records notices for IMS/PIC, EIV, and TRACS allow
disclosure of records contained in the aforementioned systems of records for the
purpose of preventing fraud, waste, and abuse within any federal program. HUD
may disclose records to federal agencies, non-federal entities, their employees, and
agents for the purpose of:
1) Detection, prevention, and recovery of improper payments;
2) Detection and prevention of fraud, waste, and abuse in major federal
programs administered by a federal agency or non-federal entity; and
3) Detection and verification of the accuracy and completeness of the data
provided.
The applicable routine use for IMS/PIC is routine use 6. The applicable routine use
for EIV is routine use 1. The applicable routine use for TRACS is routine use 6 of
HUD’s Routine Use Inventory notice published in the Federal Register at 80 Fed.
Reg. 81,837 (December 31, 2015).
H. The appropriations acts that authorize and appropriate supplemental CDBG-DR
assistance lay out specific requirements, some of which may vary by appropriation.
These appropriations acts impose requirements related to the prevention of fraud,
waste, and abuse, order of assistance, and prevention of duplication of benefits on
CDBG-DR grantees. Legal authority for CDBG-DR assistance is derived from title I
of the Housing and Community Development Act of 1974 (42 U.S.C. § 5301, et seq.),
subsequent appropriations acts making available CDBG-DR assistance, the following
prior appropriations acts – Public Laws 115-72, 115-56, 115-31, 114-254, 114-223,
114-113, 113-2, 112-55, 111-212, 110-329, 110-252, 110-116, 109-234, 109-148,
108-324, 107-206, 107-117, 107-73, 107-38, 106-31, 105-277, 105-276, 105-174,
105-18, 104-134, 104-19, 103-327, 103-211, 103-75, and 103-50 – and by the notices
published in the Federal Register that govern CDBG-DR grant assistance, including
the Clarification of Duplication of Benefits Requirements Under the Stafford Act for
Community Development Block Grant (CDBG) Disaster Recovery Grantees at 76 Fed.
Reg. 71,060 (November 16, 2011).
I. The HUD regulation at 24 C.F.R. § 982.352(c) prohibits a family from receiving the
benefit of Section 8 tenant-based assistance under the Housing Choice Voucher
Program while also receiving the benefit of any of the following forms of other housing
subsidy, for the same unit or for a different unit:
1. Public or Indian housing assistance;
2. Section 8 assistance (including other tenant-based assistance) under Section 8
of the U.S. Housing Act of 1937, 42 U.S.C. § 1437f;
3. Assistance under former Section 23 of the United States Housing Act of 1937
(before amendment by the Housing and Community Development Act of
1974);
4. Section 101 of the Housing and Urban Development Act of 1965, 12 U.S.C. §
1701s (Section 101 rent supplements);
5. Section 236 of the National Housing Act, 12 U.S.C. § 1715z-1, (Section 236
rental assistance payments);
6. Tenant-based assistance under the HOME Investment Partnerships program
authorized by Title II of the Cranston-Gonzalez National Affordable Housing
Act, 42 U.S.C. § 12701 et seq.;
7. Rental assistance payments under Section 521 of the Housing Act of 1949, 42
U.S.C. § 1441 et seq. (a program of the Rural Development Administration);
8. Any local or state rent subsidy;
9. Section 202 of the Housing Act of 1959, 12 U.S.C. § 1701q, as amended
(Section 202 supportive housing for the elderly);
10. Section 811 of the Cranston-Gonzalez National Affordable Housing Act, as
amended, 42 U.S.C. § 8013 (Section 811 supportive housing for persons with
disabilities);
11. Section 202 projects for non-elderly persons with disabilities (Section 162
assistance) authorized by section 162 of the Housing and Community
Development Act of 1987, 12 U.S.C. § 1701a note, amending section 202(h) of
the Housing Act of 1959; or
12. Any other duplicative federal, state, or local housing subsidy, as determined by
HUD. For this purpose, “housing subsidy” does not include the housing
component of a welfare payment, a Social Security payment received by the
family, or a rent reduction because of a tax credit.
III. SCOPE
The following programs are covered under this Agreement:
A. HUD rental assistance programs identified at 24 C.F.R. § 5.233 and the Disaster Housing
Assistance Program.
B. DHS/FEMA housing assistance provided through the Individual and Household Program
under Section 408(f) of the Stafford Act, 42 U.S.C. § 5174(f)(2) (IHP).
C. CDBG-DR assistance authorized and appropriated from time to time under various
appropriations acts.
IV. JUSTIFICATION AND EXPECTED RESULTS - COST BENEFIT ANALYSIS
Pursuant to the Privacy Act’s subsection 552a(o)(1)(B) requirement, the justification for the
program and the anticipated results, including a specific estimate of any savings, is described
below:
A. Justification
As required by law, DHS/FEMA will not provide continued temporary housing assistance
to individuals who are receiving duplicative housing benefits from HUD. However,
disaster survivors who already receive HUD assistance, but have had that assistance
interrupted due to the disaster may still be able to receive FEMA benefits until HUD
assistance can be reestablished. DHS/FEMA can only accomplish this by conducting
computer-matching with HUD to compare applicable disaster applicant data to ensure that
these individuals are not receiving DHS/FEMA housing assistance for a specific, declared
disaster that duplicates any rental housing assistance from HUD. Additionally, HUD’s
CDBG-DR grantees will only provide CDBG-DR assistance to individuals or entities for
recovery or resiliency needs that do not duplicate DHS/FEMA resources or any other
assistance.
Executive Order 13,411, “Improving Assistance for Disaster Victims,” 71 Fed. Reg. 52,729
(August 29, 2006), calls on federal agencies to “reduce unnecessarily duplicative
application forms and processes for Federal disaster assistance,” which includes processing
benefits applications submitted by individuals, businesses, or other entities for the same
disaster. Executive Order 13,411 and this matching program are consistent with OMB
guidance on interpreting the provisions of the Computer Matching and Privacy Protection
Act of 1988, 54 Fed. Reg. 25,818 (June 19, 1989); OMB’s proposed guidelines on the
Computer Matching and Privacy Protection Amendments of 1990, 56 Fed. Reg. 18,599
(April 23, 1991); and OMB Circular A-130, Appendix I, “Responsibilities for Protecting
and Managing Federal Information Resources,” (July 28, 2016) instructions on Federal
agency responsibilities for maintaining records about individuals.
B. Expected Results - Cost-Benefit Analysis
Based on historical data, HUD and DHS/FEMA anticipate that computer matching will
help eliminate duplication of benefits. For example, DHS/FEMA received 2,160,284
registrations in response to Hurricanes Katrina and Rita of which 5,140 were deemed
ineligible because of duplicate rental housing assistance. An estimated 27 percent of the
more than 160,000 recipients for HUD’s CDBG-DR grantee homeowner repair programs
had received IHP assistance from DHS/FEMA. The two forms of assistance may not be
duplicative, if together, they do not exceed total unmet needs. However, the risk of CDBG-
DR assistance duplicating IHP assistance exists if the homeowner received both forms of
assistance. In the Katrina/Rita example, since no CMA was in place and there was no
automated duplication of benefits check in place, the staff implementing the recovery
benefits could not allocate the funds in a timely manner, as there was a delay in checking
for duplication of benefits. Due to the delay caused by the manual method of checking for
duplication of benefits, half of those homeowners who experienced damage from
Hurricane Katrina did not complete rebuilding until 18 months or more after the event.
With a CMA and an automated duplication of benefits check in place, homeowners will be
able to rebuild faster as the funds can get allocated quickly, accurately, and efficiently by
eliminating the manual and error-prone duplication of benefits checks.
During Hurricanes Gustav and Ike, DHS/FEMA forwarded 51,774 survivor registrations
to HUD that showed a need for housing assistance, out of which 1,394 were deemed
ineligible by HUD because of duplicate rental housing assistance. The data illustrates that
the number of possible duplicates, while typically a low percentage of total survivor
registrations, could rise or fall based on a change in the volume of housing assistance
referrals. Historical data suggests that, on average, 400,000 individuals will apply for IHP
assistance annually. However, it is difficult to quantify this number with significant
confidence as the number of survivor registrations is directly related to the number and
scale of disasters that occur in a given year.
In June 2009, DHS’s Office of Inspector General (OIG) issued a report titled “Management
Advisory Report: Computer Data Match of FEMA and HUD Housing Assistance Provided
to Victims of Hurricanes Katrina and Rita” (OIG-09-84). DHS-OIG concluded that there
was a significant potential risk of the waste of millions of taxpayer dollars during and after
the rebuilding/recovery efforts of Hurricanes Katrina and Rita due to duplication of benefits.
DHS-OIG estimated that the average rental assistance payment amount was approximately
$800 per month and that a total of 3,743 payments were made during the time of housing
assistance for both disasters from August of 2005 to February of 2006, which resulted in
the issuance of nearly $3,000,000 per month in improper payments, when multiplying the
approximate $800 per month rental assistance by the estimated number of improper
payments (3,743) ($800 x 3,743 = 2,994,400). DHS-OIG determined that the housing
duplication of benefits was due to (1) the lack of accurate data about the survivors’
addresses, (2) DHS/FEMA and HUD paying the landlord at the same time for the same
rental unit, or (3) DHS/FEMA and HUD paying the landlord at the same time to live at a
different rental unit.
Preventing duplicative payments will primarily benefit FEMA, because FEMA will be able
to reduce its housing assistance awards for applicants already receiving HUD assistance.
However, HUD will also benefit from this Agreement. Access to FEMA data will enable
HUD to identify HUD-assisted households displaced by a disaster, and to help those
households return more quickly to a stable permanent home. FEMA data will also enable
HUD’s CDBG-DR grantees to accelerate recovery by quickly identifying unmet needs and
enrolling disaster victims into available CDBG-DR programs.
The overall number of IHP applicants is relative and fluctuates based on the size and impact
area of the disaster, which creates difficulties in estimating the number of potential
applicants. However, based on the aforementioned OIG report and DHS/FEMA-HUD
coordination, the expected results of this matching agreement will be to: (1) reduce
duplication of benefits for disaster survivors; (2) reduce confusion on available benefits
among survivors and implementing agencies; and (3) increase the speed of providing
benefits to survivors.
V. RECORDS DESCRIPTION
As required by the Privacy Act’s subsection 552a(o)(1)(C), the following is a description
of the records that will be matched:
A. Systems of Records and Estimated Number of Records Involved
System of Records
DHS/FEMA
The DHS/FEMA records reside in the National Emergency Management Information
System - Individual Assistance System (NEMIS-IA System). DHS/FEMA shares
information, pursuant to this CMA, included in records covered by DHS/FEMA-008
Disaster Recovery Assistance Files System of Records, 78 Fed. Reg. 25,282 (April 30,
2013). Routine Use H.1 authorizes FEMA to share information with other federal
agencies for the purpose of preventing duplicate benefits and meeting unmet needs.
Routine Use R authorizes FEMA to share information with other federal agencies for
the purposes of conducting computer matching activities.
HUD
This Agreement authorizes the parties to match HUD records that are retrieved from
the Tenant Rental Assistance Certification System (TRACS) (HSNG/MF.HTS.02), 81
Fed. Reg. 56,684 (August 22, 2016); the Inventory Management System (IMS), also
known as the Public and Indian Housing (PIH) Information Center (PIC)
(HUD/PIH.01) 77 Fed. Reg. 22,337 (April 13, 2012); and the Enterprise Income
Verification System (EIV) (HUD/PIH-5) 71 Fed. Reg. 45,066 (August 8, 2006), which
was updated by 74 Fed. Reg. 45,235 (September 1, 2009). The results of the
information comparison are maintained within the IMS/PIC system (HUD/PIH.01).
Routine Use 6 of the IMS/PIC system of records notice allows HUD to share
information with federal, state, and local agencies to verify accuracy, completeness,
eligibility, and to identify and recover improper payments. Routine Use 1 of the EIV
system of records notice allows HUD to share information with federal, state, and local
agencies to verify accuracy, completeness, and eligibility and to identify and recover
improper payments. Routine Use 8 of the EIV system of records notice also allows
HUD to share information with FEMA to determine eligibility of assistance. Routine
Use 1 of the TRACS system of records notice allows HUD to use Routine Use (6) of
HUD’s Routine Use Inventory notice, 80 Fed. Reg. 81,837 (December 31, 2015) to
disclose records to federal agencies, non-federal entities, their employees, and agents
(including contractors, their agents or employees; employees or contractors of the
agents or designated agents); or contractors, their employees or agents with whom
HUD has a contract, service agreement for the purpose of preventing fraud, waste, and
abuse within any federal program. HUD’s Routine Use Inventory notice also contains
Routine Use 5, which allows for disclosure to federal, state, and local agencies, their
employees, and agents for the purpose of conducting Computer Matching programs.
Records Estimate
HUD and DHS/FEMA intend to match records after any disaster in which FEMA
provides IHP assistance or HUD awards CDBG-DR assistance or administers a
Disaster Housing Assistance Program. The estimated number of records HUD and
DHS/FEMA will match following any disaster will depend on the size and impact area
of the disaster and the number of individuals that are affected. The damage type and
cost will be determined after the disaster, and cannot easily be estimated, as the scale
and impact of each disaster is unique.
B. Description of the Match
Once a survivor’s identity is verified through the Individual Assistance registration
process, FEMA will send the information to HUD in order to detect a potential match.
The information shared can also consist of the Temporary Shelter Assistance (TSA)
information provided by FEMA. The TSA information is critical to FEMA and HUD
in order to prevent FEMA from paying for an applicant’s hotel cost while the applicant
is also receiving housing assistance from HUD. If the applicant is receiving HUD
assistance, FEMA and HUD can work to provide permanent housing rather than TSA
and prevent duplication of benefits. The data elements below are those on
which a potential match is predicated. For the remaining information that FEMA
and HUD share, please see Appendix A:
FEMA Registration ID.
Disaster Number.
Head of household’s SSN.
First and Last Name and Middle Initial of the head of household.
Damaged address
Current address (including hotel/motel, shelter, or TSA)
Current phone number
There are two scenarios for the HUD match process. The scenarios are:
1. If the information submitted by DHS/FEMA to HUD results in a match by HUD,
HUD sends the corresponding Housing Assistance Information to DHS/FEMA. The data
elements are defined in Appendix A:
i. DHS/FEMA will use the information it receives from HUD to independently
evaluate and determine the applicant’s eligibility for housing programs under 42
U.S.C. § 5174(c)(1), according to Section VIII of this Agreement.
ii. DHS/FEMA will use the survivor’s SSN and unique registration ID to identify the
respective FEMA record for comparison with the HUD data.
iii. Once DHS/FEMA confirms that match, the complete data set for the potential
duplication of housing benefits is sent to FEMA’s Program Review process for
evaluation of any duplication of benefits. If FEMA review staff determine that
there is a duplication of benefits, the duplicative amount is deducted from the
eligible FEMA award. FEMA applicants receive a letter that indicates the amount
of their eligible award and their ability to appeal.
iv. HUD will store FEMA data in the IMS/PIC system pursuant to the requirements
of the SORN (HUD/PIH.01), 77 Fed. Reg. 22,337 (April 13, 2012). HUD may
also share FEMA data via a secure web-service with CDBG-DR grantees, public
housing agencies, or other impacted assisted housing providers with whom HUD
has an existing information sharing agreement. CDBG-DR grantees may use
FEMA data to verify eligibility, avoid duplication of benefits, and/or to address
unmet needs of FEMA applicants, in accordance with HUD’s routine use 6 in the
IMS/PIC SORN, 77 Fed. Reg. 22,337 (April 13, 2012). This use of FEMA data
is consistent with the original purpose of collection, as stated in the DHS/FEMA
Disaster Recovery Assistance Files System of Records routine use H.1, 78 Fed.
Reg. 25,282 (April 30, 2013).
v. If the CDBG-DR grantees require targeted data from FEMA that is not part of
routine use H.1 or part of the duplication of housing benefits effort described in
this Agreement, FEMA and the CDBG-DR grantee will need to document this
information sharing via an information sharing agreement (ISAA) as per the
Secure Data Sharing policy 9420.1 Appendix B/C. Once the Information Sharing
Access Agreement (ISAA) is approved, the data sharing mechanism will
determine if a CMA is needed between FEMA and the CDBG-DR grantee, i.e.
automated system vs. manual data delivery.
2. If HUD does not find a match in their respective systems for the DHS/FEMA data
provided, FEMA will send the survivor’s valid registration to HUD. The data elements are
listed in Appendix A.
i. HUD will store FEMA data, as described in Section 2.2.2. and 2.2.3.1 in Appendix
A, in the IMS/PIC system pursuant to the requirements of the SORN
(HUD/PIH.01), 77 Fed. Reg. 22,337 (April 13, 2012). HUD may also share FEMA
data via a secure web-service with CDBG-DR grantees with which HUD has an
existing information sharing agreement. CDBG-DR grantees may use FEMA data
to avoid duplication of benefits and/or to address unmet needs of FEMA
applicants, in accordance with HUD’s routine use 6 in the IMS/PIC SORN, 77
Fed. Reg. 22,337 (April 13, 2012). This use is consistent with the original purpose
of collection as stated in DHS/FEMA Disaster Recovery Assistance Files System
of Records routine use H.1, 78 Fed. Reg. 25,282 (April 30, 2013). Public housing
agencies may use FEMA data to support implementation of the Disaster Housing
Assistance Program under a FEMA Mission Assignment.
ii. If the CDBG-DR grantees require targeted data from FEMA that is not part of
routine use H.1 or part of the duplication of housing benefits efforts described in
this agreement, FEMA and the CDBG-DR grantee will need to engage in a separate
information sharing agreement. Once the ISAA is approved, the data sharing
mechanism will determine if a CMA is needed between FEMA and the CDBG-
DR grantee.
3. Projected Starting and Completion Dates
This Agreement will take effect forty (40) days from the date copies of this signed
Agreement are sent to both Houses of Congress and OMB, or thirty (30) days from the date
the Computer Matching Notice is published in the Federal Register for public comment, at
which time comments will be addressed. Additionally, depending on whether comments
are received, this Agreement could yield a contrary determination (Commencement Date).
DHS/FEMA is the agency that will:
1. Transmit this Agreement to Congress;
2. Notify OMB;
3. Publish the Computer Matching Notice in the Federal Register; and
4. Address public comments that may result from publication in the Federal
Register.
Matches under this program will be conducted for every Presidential disaster declaration
on which IA/IHP assistance has been granted. The aforementioned matching processes
shall commence, as needed, following a disaster declaration, and shall last until
DHS/FEMA IA/IHP disaster assistance closes out, or until CDBG-DR grantees have
stopped processing applications, whichever is later.
VI. RECORDS USAGE, DUPLICATION AND REDISCLOSURE RESTRICTIONS
As required by the Privacy Act’s subsection 552a(o)(1)(H), HUD and DHS/FEMA agree to the
following restrictions on use, duplication, and disclosure of information furnished by the other
agency, and HUD agrees to pass on these requirements to CDBG-DR grantees when applicable:
A. The records obtained for this matching program will be used for purposes expressed in
this Agreement. DHS/FEMA and HUD will not use or share information concerning
individuals who are neither applicants for, nor recipients of, temporary housing assistance
for any purpose. DHS/FEMA and HUD will not use the data derivatively, or disclose the
data internally or externally, except as provided in this Agreement, without the written
consent of all Parties to this Agreement. Information concerning “non-matching”
individuals will not be used or disclosed by either agency for any purpose outside of
this Agreement and shall be destroyed or returned to the originating agency, as required by
the Privacy Act’s subsection 552a(o)(1)(I).
B. Records obtained for this matching program, or created by the match, will not be disclosed
outside of either agency, except as may be essential to conduct the matching program, or
as may be permissible or required by law or this Agreement. Each agency will obtain the
permission of the other agency, before making such disclosure (see Routine Uses in the
DHS/FEMA-008 Disaster Recovery Assistance Files, 78 Fed. Reg. 25,282 (April 30, 2013)
and HUD’s IMS/PIC system of records, HUD/PIH-1, 77 Fed. Reg. 22,337 (April 13,
2012)). CDBG grantees will be bound by the terms of the respective information sharing
agreement with HUD and this Agreement.
C. Data or information exchanged will not be duplicated unless essential to the conduct of the
matching program (e.g., should the original file become damaged or for back-up
contingency purposes). All stipulations in this Agreement will apply to any duplication.
D. If required to disclose these records to any entity, including a government contractor, in
order to accomplish identification of duplication of benefits, each agency will obtain the
written agreement of that entity to abide by the terms of this Agreement.
E. Each agency will keep an account of disclosures from an individual’s record, as required
by 5 U.S.C. § 552a(c) and will make the accounting available, upon request by the
individual or other agency.
F. DHS/FEMA and HUD employees, contractors, and agents who access, use, or disclose
DHS/FEMA and/or HUD data for a purpose not authorized by this Agreement may be
subject to civil and criminal sanctions, pursuant to applicable federal statutes.
VII. NOTICE PROCEDURES
The Privacy Act’s subsection 552a(o)(1)(D) requires CMAs to specify procedures for
notifying applicants/recipients at the time of registration and other periodic notice, as
directed by the Data Integrity Board of such agency (subject to guidance provided by the
Director of OMB pursuant to subsection (v)), to applicants for and recipients of financial
assistance or payments under federal benefit programs.
As noted under Section V.A. of this Agreement, DHS/FEMA and HUD have both
published SORNs informing applicants/recipients that their information may be subject to
verification through matching programs per 5 U.S.C. § 552a(o)(1)(D). As further required
by the Privacy Act, DHS/FEMA and HUD shall make a copy of this Agreement available
to the public upon request and it shall be published on the agency’s public facing websites.
A. DHS/FEMA Applicants
DHS/FEMA Form 009-0-1 Paper Application/Disaster Assistance Registration,
DHS/FEMA Form 009-0-3, “Declaration and Release” (both contained in OMB ICR No.
1660-0002), and various other forms used for financial assistance benefits immediately
following a declared disaster, use a Privacy Act notice (5 U.S.C. § 552a(e)(3)) to provide
notice to applicants regarding the use of their information. The Privacy Act notice is read
to applicants by DHS/FEMA call center employees and is displayed and agreed to by
applicants applying over the internet. Also, DHS/FEMA Form 009-0-3 requires the
applicant’s signature in order to receive financial assistance.
Additionally, DHS/FEMA provides notice via the DHS/FEMA/PIA-012(a) Disaster
Assistance Improvement Program (November 16, 2012), the DHS/FEMA/PIA-027
National Emergency Management Information System Individual Assistance (NEMIS-IA)
(June 29, 2012), and the DHS/FEMA-008 Disaster Recovery Assistance Files System of
Records, 78 Fed. Reg. 25,282 (April 30, 2013), which includes Routine Use R that permits
DHS/FEMA to inform individuals that a computer match may be performed to determine
a loan applicant’s credit status with the Federal Government.
All individuals subject to data matching under this agreement shall first be provided written
notice (identifying relevant law requiring the data match, identifying the agencies involved
in the data match and the existence of this Agreement, the processes for contesting data
mismatches before adverse actions, and anti-discrimination protections).
B. HUD recipients
HUD Forms 50058 and 50059, which are used to collect the information contained in the
IMS and TRACS data systems subject to this Agreement, use a Privacy Act statement (5
U.S.C. § 552a(e)(3)) to provide notice to applicants regarding the use of their information.
All recipients of HUD assistance receive this notice and are informed that the information
they provide may be used to monitor compliance, participate in income matching, and
detect fraud.
HUD provides notice via the HUD/PIA Tenant Rental Assistance Certification System
(April 2009), the HUD/PIA Inventory Management System (August 2008), and the
HUD/PIA Enterprise Income Verification (June 2011). HUD also provides notice via the
following SORNs: Inventory Management Systems (IMS), also known as the Public and
Indian Housing Information Center (PIC), HUD/PIH.01, 77 Fed. Reg. 22,337 (April 13,
2012); Enterprise Income Verification (EIV), HUD/PIH-5, 74 Fed. Reg. 45,235
(September 1, 2009); and Tenant Housing Assistance and Contract Verification Data, also
known as the Tenant Rental Assistance Certification System (TRACS), HUD/H-11, 62
Fed. Reg. 11,909 (March 13, 1997).
VIII. VERIFICATION PROCEDURES AND OPPORTUNITY TO CONTEST
A. General
The Privacy Act’s subsection 552a(o)(1)(E) requires that each CMA outline procedures
for verifying information produced in the matching program, as required by 5 U.S.C. §
552a(p). This subsection requires agencies to independently verify the information
produced by a matching program and to provide the individual an opportunity to contest
the agency’s findings, before an adverse action is taken against the individual, as a
result of the match. Subsequent amendments and regulations allow for an agency to
authorize a waiver of independent verification procedures when it finds a high degree
of confidence in the accuracy of the data. (See OMB “Final Guidance Interpreting the
Provisions of P.L.100-503, the Computer Matching and Privacy Protection Act”, Sec.
6.g. Providing Due Process to Matching Subjects, 54 Fed. Reg. 25,818 (June 19, 1989).)
DHS/FEMA will be responsible for ensuring that DHS/FEMA data is current and
accurate at the time it is provided to HUD. HUD will be responsible for ensuring that
HUD data is current and accurate at the time it is provided to DHS/FEMA.
B. DHS/FEMA Verification Procedures:
1. A “DHS/FEMA Authorized user” is any person that has access to NEMIS-IA and
is able to view the data associated with duplication of benefits.
2. DHS/FEMA may not deny, terminate, or make a final decision of any temporary
housing assistance to an individual, or take other adverse action against such
individual as the result of the information produced by this matching program, until
an officer or employee of DHS/FEMA has independently verified such information
and the individual has had an opportunity to contest the agency’s findings (see
discussion below at VIII. D.).
3. Independent verification means, at a minimum, that DHS/FEMA: (1) validates the
automated match using FEMA’s eligibility determination process to verify
applicant identification, (2) analyzes the confirmed information, (3) determines the
period or periods when the individual actually received housing assistance
preventing receipt of the secondary assistance, and (4) contacts the housing
provider, DHS/FEMA or HUD as applicable, for additional information before
denying assistance based on judgment data received from this matching program.
Specifically, DHS/FEMA may ask the housing provider: (a) what form of HUD
assistance it provided to the applicant, and (b) whether the housing provider is
currently providing HUD or FEMA assistance to the applicant either directly or
indirectly.
4. As such, denial of benefits will not be predicated on the result of an initial match
between systems. Denial of benefits will be made upon a secondary validation
made by a federal employee or designated contractor validating the benefit
information in the DHS/FEMA or HUD systems, as applicable, and only after the
applicant has been provided notice and an opportunity to contest the DHS/FEMA
decision to deny benefits.
5. Individuals and users with questions regarding their data shall be referred to the
federal agency that served as the source of the data in the course of the matching.
Accordingly, matches based on data initially provided by HUD shall be handled by
HUD’s Real Estate Assessment Center (REAC) Office within the Office of Public
and Indian Housing. Matches based on data initially provided by DHS/FEMA shall
be handled by FEMA’s Individual Assistance office.
C. HUD Verification Procedures:
1. A “HUD Authorized user” is a HUD employee who needs access to the matched
data to perform their official duties in connection with the uses of the data
authorized in this Agreement.
2. HUD Authorized users will not make any benefit determinations based on the
results of this matching program. If an individual is found to be receiving benefits
through HUD rental assistance programs specified in Section III.B. of this
Agreement, and also receiving benefits through FEMA assistance programs
specified in Section III.A. of this Agreement, then FEMA will be responsible for
adjusting the level of assistance provided, in accordance with the procedures in
Section VIII.B. and VIII.D. If an individual is found to be receiving benefits
through HUD’s CDBG-DR program, and also receiving benefits through FEMA
assistance programs specified in Section III.A, then the CDBG-DR grantee will be
responsible for adjusting the level of assistance provided to ensure that no
duplication of benefits occurs (see Section VIII.E. for information about CDBG-
DR grantees).
D. DHS/FEMA Notice and Opportunity to Contest
As required by the Privacy Act’s subsection 552a(p), DHS/FEMA will not terminate,
suspend, reduce, deny, or take other adverse action against an applicant for or recipient
of temporary housing assistance based on data disclosed from DHS/FEMA records
until the individual is notified in writing of the potential adverse action, and provided
an opportunity to contest the planned action. “Adverse action” means any action
resulting in a termination, suspension, reduction, or final denial of eligibility, payment,
or benefit. The applicant will follow the current DHS/FEMA process for response as
detailed in the written notice or letter.
To enable rapid response and resolution, DHS/FEMA and HUD telephone numbers
will be provided to call in the event of a dispute, including contesting failed identity
verification through a commercial identity provider. DHS/FEMA and/or HUD will
respond to these calls as soon as reasonably possible, and when requested, in writing.
E. CDBG-DR Grantee Use of Data
CDBG-DR grantees will use the matched data to review applications for CDBG-DR
assistance, and to make benefit determinations that are not duplicative of assistance
already received through HUD programs, or from FEMA through a separate ISAA.
CDBG-DR grantees are required to present their plans to the public and to solicit public
comment. They are required to address any citizen complaints in a timely manner.
CDBG-DR grantees will establish their own procedures for verifying the matched data
provided by HUD and FEMA, and for allowing individuals to contest benefit
determinations. Those procedures must be consistent with the requirements of the
Computer Matching and Privacy Protection Act and OMB’s implementing guidelines.
Questions about a CDBG-DR grantee’s procedures to verify matched data should be
directed to the CDBG-DR grantee.
IX. DISPOSITION AND RECORDS RETENTION OF MATCHED ITEMS
As required by the Privacy Act’s subsection 552a(o)(1)(F):
A. DHS/FEMA will retain data it receives from HUD under this Agreement only for the
processing times required for the applicable federally-funded benefit programs to verify
data, and will then destroy all such data.
B. HUD and CDBG-DR grantees will retain data received from DHS/FEMA under this
Agreement only for the processing times required for the applicable federally-funded
benefit programs to verify data, and will then destroy all such data.
C. An exception applies if the information is required for evidentiary reasons, in which case,
the information will be destroyed upon completion of the criminal, civil, or administrative
actions and cases.
D. Any paper-based documentation used to determine whether a record was matched in the
other agency’s system and any documentation that was prepared for, provided to, or used
to determine final benefit status will be destroyed by shredding, burning, or electronic
erasure of the subject information according to the proper records retention schedules.
Other identifiable records that may be created by each agency during the course of the
investigation will be destroyed as soon as they have served the matching program’s purpose
pursuant to records retention requirements established in conjunction with the National
Archives and Records Administration (NARA). For electronic matches, electronic records
will be housed in DHS/FEMA’s NEMIS-IA System, and HUD’s IMS/PIC database,
retained with and according to the appropriate disaster recovery assistance records
determined by the NARA.
E. DHS/FEMA and HUD will retire their matched data in accordance with the Federal
Records Retention Schedule, 44 U.S.C. § 3303a.
X. RECORDS ACCURACY ASSESSMENTS
Information on assessments that have been made on the accuracy of the records is required
by the Privacy Act’s subsection 552a(o)(1)(J). In order to apply for assistance via the
online portal an applicant must provide his or her name, address, SSN, and date of birth,
which are sent to a commercial database provider to perform identity
verification. However, in the instances where the applicant’s identity is not verified online,
applicants must call one of the DHS/FEMA call centers to complete their
registration. After the application is completed, the identity verification process is
attempted again. The applicant may also choose to complete identity verification by
calling one of the DHS/FEMA call centers (rather than online). If an applicant fails identity
verification during the call to the DHS/FEMA call center, the operator can manually
override the failure in order to complete the applicant registration. However, the applicant
must provide proof of identity verification before any benefits eligibility can be
determined. The applicant will receive notification of failed identity verification from
DHS/FEMA either via mail or electronic correspondence if they have selected that form of
communication during the registration process. DHS/FEMA provides notifications as soon
as possible and does not have a fixed notice timeline or response time for the applicant. If
the applicant is able to provide proof of identity verification, the benefits eligibility process
continues. However, if the applicant cannot successfully resolve the identity verification
failure, the individual will be deemed ineligible for DHS/FEMA benefits.
XI. SECURITY PROCEDURES
As required by the Privacy Act’s subsection 552a(o)(1)(G), HUD and DHS/FEMA agree
to the following information security procedures:
A. Administrative Safeguards
DHS/FEMA and HUD will comply with the existing and future requirements set forth
by the Privacy Act, 44 U.S.C. §§ 3541-3549, related OMB circulars and memoranda such
as Circular A-130, Managing Information as a Strategic Resource (July 28, 2016); NIST
directives; and the Federal Acquisition Regulations (FAR), including any applicable
amendments published after the effective date of this Agreement. These laws, directives,
and regulations include requirements for safeguarding federal information systems and
personally identifiable information used in federal agency business processes, as well as
related reporting requirements. Specifically, Federal Information System Modernization
Act of 2014 (FISMA), (44 U.S.C. §§ 3501-3558), requirements apply to all federal
contractors, organizations, or entities that possess or use federal information, or that
operate, use, or have access to federal information systems on behalf of an agency. Both
DHS/FEMA and HUD will ensure that their authorized users will receive training to
ensure proper information security and privacy protections are adhered to in a manner
consistent with this Agreement.
Accordingly, DHS/FEMA and HUD will restrict access to the data matched and to any
data created by the match to only those users authorized under this Agreement. Further,
DHS/FEMA and HUD will advise all personnel and CDBG-DR grantees that have access
to the matched data and to any data created by the match of the confidential nature of the
data and of the safeguards required to protect the data. DHS/FEMA and HUD will also notify
such authorized users of the civil and criminal sanctions for noncompliance contained in
the applicable federal laws.
B. Technical Safeguards
1. DHS/FEMA and HUD will process the matched data and any data created by the
match under the immediate supervision and control of the authorized users in a
manner that will protect the confidentiality of the data, so that unauthorized persons
cannot retrieve any data by computer, remote terminal, or other means. The
DHS/FEMA personnel will be trained on the new data and process as part of their
continued and regular training sessions. HUD will also ensure only authorized
CDBG-DR grantees have access to the data and will protect the confidentiality of the
data. HUD will provide training to the CDBG-DR grantees on the usage of the system
and the data.
2. Systems personnel will be required to enter personal identification numbers when
accessing data on the agencies’ systems. DHS/FEMA and HUD will strictly limit
authorization to these electronic data systems necessary for the authorized user to
perform their official duties. All data in transit will be encrypted using algorithms
that meet the requirements of FIPS 140-2, Security Requirements for Cryptographic
Modules.[1]
3. Authorized system users will be identified by login credentials, and individually
tracked to safeguard against the unauthorized access and use of the system.
4. DHS/FEMA will transmit application data to HUD via a web services-based Simple
Object Access Protocol, Extensible Markup Language/Hypertext Transfer Protocol
Secure request. The data identified in section VI.B will be used to create records
inside EIV. For each record, a response will be sent back to DHS/FEMA to indicate
success or failure of transmission. The VI.B data will be used to create records inside
a CDBG grantee CDBG-DR database according to the information sharing
agreements with the grantees. For each record, a response will be sent back to
DHS/FEMA indicating success or failure of transmission.
C. Physical Safeguards
HUD and DHS/FEMA agree to maintain all automated matching records in a secured
computer environment that includes the use of authorized access codes (passwords and/or
PIV) to restrict access. Those records will be maintained under conditions that restrict
access to persons who need them in connection with their official duties related to the
matching process. It is the responsibility of the user’s supervisor to ensure that
DHS/FEMA or HUD, as applicable, are notified when a user has departed or duties have
changed such that the user no longer needs access to the system, to ensure timely deletion
of the user’s account and password.
D. On-Site Inspections
HUD and DHS/FEMA may make on-site inspections of each other’s recordkeeping and
security practices, or make provisions beyond those in this Agreement to ensure the
adequate safeguarding of records exchanged.
[1] FIPS PUB 140-2, Security Requirements for Cryptographic Modules, (November 15, 2001). Available at
http://csrc.nist.gov/groups/STM/cmvp/standards.html.
XII. MONITORING AND COMPLIANCE
DHS/FEMA and HUD agree that each agency may monitor compliance with the terms
of this Agreement, including the non-discrimination provision. Both agencies have the
right to monitor and review (1) transactions conducted pursuant to this Agreement, (2)
the use of information obtained pursuant to this Agreement, and (3) policies, practices,
and procedures related to this Agreement. Both agencies have the right to make onsite
inspections to audit compliance with this Agreement for the duration or any extension of
this Agreement. DHS/FEMA and HUD will cooperate to ensure the success of each
agency’s monitoring and compliance activities.
XIII. NON-DISCRIMINATION
Any action required or permitted under this Agreement shall be conducted in a manner
that does not discriminate against an individual based upon his or her national origin,
race, color, sex, religion, or disability in accordance with Section 705 of the Homeland
Security Act of 2002; Section 504 of the Rehabilitation Act of 1973, and agency
implementing regulations at 6 C.F.R. Part 15.
In fulfilling their obligations under Executive Order 13,166 (“Improving Access to
Services for Persons with Limited English Proficiency,” 65 Fed. Reg. 50,121 (Aug. 16,
2000)), DHS/FEMA and HUD will take reasonable steps to provide limited English
proficiency (LEP) persons with meaningful access to federally conducted programs and
activities, including services and benefits. Meaningful access includes providing timely
language assistance services to ensure effective communication with LEP persons and
providing language services that are sufficient to provide the same level of access to
services received by persons who are not LEP. Language assistance services may be oral
and written, and must be provided at no charge to the individual. Vital documents,
including notices relating to consent, verification of status, and contesting verification
failures should be translated.
In accordance with Section 504 of the Rehabilitation Act of 1973 (29 U.S.C. § 701) and
related agency implementing regulations, DHS/FEMA and HUD will provide
accommodations to individuals with disabilities to ensure effective communication;
including providing qualified sign language interpreters; providing accessible electronic
and information technology; and producing notices and publications in alternate formats,
at no charge to the individual. Persons with disabilities that may require accommodation
and provision of alternative communication methods to ensure effective communication
include persons who are deaf or hard of hearing, persons with vision impairments, and
persons with psychiatric and/or developmental disabilities.
XIV. INCIDENT REPORTING AND NOTIFICATION RESPONSIBILITIES
A. DHS/FEMA and HUD agree to report and track incidents in accordance with the most
current, final version of NIST Special Publication 800-61.[2] Upon detection of an incident
related to this interconnection, the agency experiencing the incident will promptly notify
the other agency’s System Security Contact(s) below:
DHS/FEMA will promptly notify the following contact at HUD simultaneously:
REAC Office within the Office of Public and Indian Housing.
HUD will promptly notify the following contact at DHS/FEMA simultaneously:
Information System Security Officer (ISSO), Recovery Technology Programs
Division (RTPD), Disaster Assistance Improvement Program (DAIP).
B. If the federal agency experiencing the incident is unable to speak with the other federal
agency’s System Security Contacts within one (1) hour, or if contacting the System
Security Contact is not practical (e.g., outside of normal business hours), then the following
contact information shall be used:
FEMA Security Operations Center (SOC): (540) 542-4762 OR FEMA Helpdesk:
1-888-457-3362
HUD Help Desk: (202) 708-3700
C. If either DHS/FEMA or HUD experiences an exposure or loss of personally identifiable
information (PII) provided under the terms of this Agreement, the federal agency that
experienced the loss incident will also comply with the PII breach reporting and security
requirements set forth by OMB M-17-12, “Preparing for and Responding to a Breach of
Personally Identifiable Information” (January 3, 2017), and its agency breach response plan.
D. Neither HUD nor FEMA shall be liable for any cause of action arising from the possession,
control, or use of survivor/registrant PII by an entity other than HUD or FEMA, or for any
loss, claim, damage or liability, of whatsoever kind or nature, which may arise from or in
connection with this Agreement or the use of survivor/registrant PII.
Nothing in this Agreement shall be construed as a waiver of sovereign immunity against
suits by third persons against a state or local government.
[2] Cichonski, P., Millar, T., Grance, T., & Scarfone, K. (2012, August). Computer Security Incident Handling Guide
(Unit, Department of Commerce, National Institute of Standards and Technology). Retrieved from
http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf.
Notwithstanding any rights that may be available under the legal authorities referenced in
this Agreement, this Agreement itself is not intended to, and does not, create any right or
benefit, substantive or procedural, enforceable at law or in equity by any party against the
United States, its departments, agencies, or entities, its officers, employees, or agents, or
any other person.
E. DHS/FEMA and HUD agree to notify all the Security Contact(s) named in this Agreement
as soon as possible, but no later than one (1) hour, after the discovery of a suspected or
confirmed breach involving PII. The agency that experienced the incident will also be
responsible for following its internal established procedures, including:
- Notifying the proper organizations (e.g., United States Computer Emergency
  Readiness Team (US-CERT), the ISSOs, and other contacts listed in this
  document);
- Conducting a breach and risk analysis, and making a determination of the need
  for notice and/or remediation to individuals affected by the loss;
- Providing such notice and credit monitoring to the affected individuals at no
  cost to the other agency, if the analysis conducted by the agency having
  experienced the loss incident indicates that individual notice and credit
  monitoring are appropriate.
F. In the event of any incident arising from or in connection with this Agreement, each
Agency will be responsible only for costs and/or litigation arising from a breach of the
Agency’s own systems or data; FEMA is responsible only for costs and litigation
associated with breaches to FEMA systems or data and HUD is responsible only for
breaches associated with HUD system or data.
FEMA shall not be liable to HUD or to any third person for any cause of action arising
from the possession, control, or use by HUD of survivor/registrant PII, or for any loss,
claim, damage or liability, of whatsoever kind or nature, which may arise from or in
connection with this Agreement or the use of survivor/registrant PII.
HUD shall not be liable to FEMA or to any third person for any cause of action arising
from the possession, control, or use by FEMA of applicant PII, or for any loss, claim,
damage or liability, of whatsoever kind or nature, which may arise from or in connection
with this Agreement or the use of survivor/registrant PII.
Nothing in this section shall be construed as a waiver of sovereign immunity against suits
by third persons.
XV. COMPTROLLER GENERAL ACCESS
The parties authorize the Comptroller General of the United States (the Government
Accountability Office), upon request, to have access to all HUD and DHS/FEMA records
that are subject to this agreement necessary to monitor or verify compliance with this
matching agreement, in accordance with 5 U.S.C. § 552a(o)(1)(K). This matching
agreement also authorizes the Comptroller General to inspect any records used in the
matching process that are covered by this matching agreement pursuant to 31 U.S.C. § 717
and 5 U.S.C. § 552a(b)(10).
XVI. INSPECTOR GENERAL ACCESS
By agreeing to this matching Agreement, DHS/FEMA and HUD authorize their respective
Offices of Inspector General to use results from data matches conducted under this
matching program, for investigation, audit, or evaluation matters, pursuant to 5 U.S.C.
App. §§ 1-13.
XVII. DURATION OF AGREEMENT
A. Effective Date of the Agreement
This Agreement shall become effective, and matching may commence, under this
Agreement on the later of the following dates:
- Thirty (30) days after notice of the matching program described in this CMA
  has been published in the Federal Register, or
- Forty (40) days after a report concerning this CMA is transmitted
  simultaneously to the Committee on Homeland Security and Governmental
  Affairs of the Senate, the Committee on Oversight and Government Reform of
  the U.S. House of Representatives according to 5 U.S.C. § 552a(o)(2)(A)(i),
  and to OMB, unless OMB waives 10 days of this 40-day period for compelling
  reasons, in which case 30 days after transmission of the report to OMB and
  Congress.
The Parties to this Agreement may assume OMB and Congressional concurrence if no
comments are received within forty (40) days of the date of the transmittal letter of the
Report of the Matching Program. The parties may assume public concurrence if no
comment is received within thirty (30) days of the date of the publication of the Notice of
Matching Program. This Agreement shall remain in effect for a period not to exceed
eighteen (18) months.
B. Renewal of the Agreement
Pursuant to 5 U.S.C. §552a(o)(2)(D), this Agreement may be extended for one twelve (12)
month period upon mutual agreement by both Parties, if the renewal occurs within three
(3) months of the expiration date of this Agreement. Renewals are subject to the
requirements of the Privacy Act, including certification by the Parties to the responsible
DIB (as described in Section XV of this Agreement) that:
- The matching program will be conducted without change, and
- The matching program has been conducted in compliance with the original
  Agreement.
C. Termination of the Agreement
This Agreement shall terminate when the purpose of the computer match has been
accomplished, or after eighteen (18) months from the effective date of the Agreement
without notice from either party (whichever comes first). This Agreement may also be
terminated, nullified, or voided by either DHS/FEMA or HUD, if:
- Either Party violates the terms of this Agreement; or
- HUD or its authorized users misuse or improperly handle the data provided by
  DHS/FEMA; or
- DHS/FEMA or its authorized users misuse or improperly handle the data
  provided by HUD; or
- The Parties mutually agree to terminate this Agreement prior to its expiration
  after 18 months; or
- Either Party provides the other with 30 days written notice.
XVIII. DATA INTEGRITY BOARD REVIEW/APPROVAL
HUD and DHS/FEMA’s Data Integrity Boards (DIBs) will review and approve this
Agreement prior to the implementation of this matching program. Disapproval by either
DIB may be appealed in accordance with the provisions of the Computer Matching and
Privacy Protection Act of 1988, as amended. Further, the DIBs will perform an annual
review of this matching program. HUD and DHS/FEMA agree to notify the Chairs of each
Data Integrity Board of any changes to or termination of this Agreement.
This Agreement may be modified only by mutual consent of both Parties and approval of
the respective DIBs. Any modifications must be in writing and satisfy the requirements of
the Privacy Act and the requirements set forth in OMB Guidelines on the Conduct of
Matching Programs, 54 Fed. Reg. 25818.
XIX. POINTS OF CONTACT
HUD
U.S. Department of Housing and Urban
Development
Todd Richardson,
DAS for Policy Development,
Office of Policy Development and Research,
U.S. Department of Housing and Urban
Development
451 Seventh Street, SW., Room 8106
Washington, DC 20410
Tel.: 202-402-5706
DHS/FEMA
Department of Homeland Security
Federal Emergency Management Agency
Privacy Office
William Holzerland, Senior Director for
Information Management
500 C Street SW,
Washington, DC 20479
Tel: (202) 212-5100
Email: William.Holzerland@fema.dhs.gov
XX. APPROVALS AND SIGNATURES
FEDERAL EMERGENCY MANAGEMENT AGENCY
The signatories below warrant and represent that they have the competent authority to approve the
model of this Agreement, and enter into the obligations set forth in this Agreement, on behalf of
DHS/FEMA.
Keith Turi Date
Acting Assistant Administrator, Recovery Directorate
Federal Emergency Management Agency
DHS/FEMA’s Data Integrity Board has reviewed this Computer Matching Agreement and has
found it in compliance with the provisions of the Privacy Act, as amended by the Computer
Matching Privacy and Protection Act of 1988 and the Computer and Matching and Privacy
Protections Amendments of 1990:
Philip S. Kaplan Date
Chief Privacy Officer
Data Integrity Board Chair
U.S. Department of Homeland Security
U.S. DEPARTMENT OF HOUSING AND URBAN DEVELOPMENT
The signatories below warrant and represent that they have the competent authority to approve the
model of this Agreement, and enter into the obligations set forth in this Agreement, on behalf of
HUD.
Todd Richardson Date
DAS for Policy Development,
Office of Policy Development and Research,
U.S. Department of Housing and Urban Development
HUD’s Data Integrity Board has reviewed this Agreement and has found it in compliance with the
provisions of the Privacy Act, as amended by the Computer Matching Privacy and Protection Act
of 1988 and the Computer and Matching and Privacy Protections Amendments of 1990:
John Bravacos Date
Senior Agency Official for Privacy
U.S. Department of Housing and Urban Development