Akamai
Date signed: 3/16/2023
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-1454607-766817 |
| Name: | Akamai |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 5/19/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | No changes to the system have occurred since the last PIA review. |
| Describe the purpose of the system | The Akamai Content Delivery Network (CDN) is a globally-distributed computing platform that enables businesses, government agencies, and other enterprises to extend their web presence worldwide. Akamai Intelligent Platform (AIP) is the CDN service that CMS uses for many of its major web applications. CDN services enable CMS to deliver the large amount of publicly available information accessible to the public without a major investment in information technology infrastructure. By leveraging the AIP's ability to resize to a large volume based on user need and the capability to provide a stored or readily available website for faster served content, CMS is able to meet high internet traffic demand, and at the same time thwart malicious traffic by having the security perimeter at Akamai’s Web Application Firewall (WAF). CMS utilizes the Akamai Control Center (ACC) to manage their Akamai CDN and security configurations, as well as view security and traffic reporting. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | Akamai provides CMS administrators and security personnel access to the Akamai Control Center, an online command and control website that provides real-time reports on internet activity and information/network security attacks. The system user’s name, phone number and email are collected for user registration purposes. ACC is fronted by CMS's SSO system for authentication and is used to access the system. The system user's information is stored in the system indefinitely. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | CMS utilizes the Akamai CDN intelligent platform to manage the large volume of publicly available information on many of their major applications. CMS also uses the Akamai Control Center, an online command and control website to manage real-time security monitoring of the internet traffic to CMS websites. CDN services enable CMS to deliver the large amount of publicly available information accessible to the public without a major investment in information technology infrastructure. By leveraging the AIP's ability to resize to a large volume based on user need and the capability to provide a stored or readily available website for faster served content, CMS is able to meet high internet traffic demand, and at the same time thwart malicious traffic by having the security perimeter at Akamai’s Web Application Firewall (WAF). The Akamai Control Center has the ability to hide the true Internet Protocol (IP) address of a server, called web proxy/caching. CMS uses the web proxy/caching option where Akamai hosts CMS static web application content through their secure network. Akamai uses the actual application server IP address in order to host the application for CMS. This IP is not exposed to the general public. The public users see an Akamai created IP and static website. This will prevent CMS servers from getting attacked as the true IP addresses are unknown to end users. The system user’s name, phone number and email are collected for user registration purposes. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | Employees |
| How many individuals' PII in the system? | 100-499 |
| For what primary purpose is the PII used? | PII is used to identify and authenticate users within the system. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | Not applicable |
| Describe the function of the SSN. | Not applicable |
| Cite the legal authority to use the SSN. | Not applicable |
| Identify legal authorities governing information use and disclosure specific to the system and program. | 5 USC § 301, Departmental Regulations |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | N/A |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The information is used for registration and individuals are notified by CMS that their personal information will be collected; Individuals are notified by email to identify that they have been successfully registered. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | It is necessary to identify the user for identification and authentication to the system. There is no option to object to the information collection for this reason. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The process to notify individuals of major changes to the Akamai system would occur through the Akamai Control Center Portal log-in screen and the posted "Akamai Portal Terms of Use." Consent to changes to the system is not provided because the CMS users are essentially 'customers' of Akamai. The Akamai Control Center specific privacy policies and terms and conditions are a link on the portal are located at this URL: |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Within the Akamai Privacy Statement posted on the website is a section "Contact Akamai" that provides the methods by which a user may contact Akamai, if the individual has any concerns about the PII that Akamai collects and stores. The individual would contact the Privacy Department at either privacypolicy@akamail.com or by mail to: Akamai Technologies, Inc. 150 Broadway Cambridge, MA 02142 Attention: Chief Privacy Officer
The Akamai Privacy Statement: |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Because Akamai controls the access to their portal, CMS does not have a process to review the integrity of the PII collected by the system. The Akamai Control Center allows registered/authorized users to manage their user ID. This allows the authorized user to manage the accuracy and integrity of their own account information. Additionally, CMS Akamai system administrators periodically review the list of authorized users for relevancy and availability to supply to Akamai to allow the users to create user accounts. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Akamai uses role-based access controls to ensure that administrators are granted access on a ‘least privilege’ basis commensurate with their assigned duties. System administrators determine the role-based access rights of any other users. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Akamai uses role-based access controls to ensure that administrators are granted access on a ‘least privilege’ basis commensurate with their assigned duties. Job codes are assigned in order to grant appropriate levels of access. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS employees and direct contractors are required to take the annual Security and Privacy Awareness training, which includes an examination at the end to certify completion. Akamai has a code of ethics to which all users are required to abide, which includes safeguarding sensitive information: |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Not applicable. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Akamai follows the National Archives and Records Administration (NARA) record GRS 3.2, Item 30 and 31 which set a minimum length of time for retention as 'when business use ceases' and a maximum length of retention of 6 years, after which destruction is allowable if there is no further need for the records. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The administrative controls in place are that access to Akamai is highly restricted to a small set of users, role-based access for users and the users must be pre-approved by CMS in order to access the Akamai Control Center. The technical controls in place include encrypted log-on procedures, two-factor authentication of users for identification and authentication and system administrators review user accounts at least semi-annually. Additionally, activities of all users including system administrators are logged and reviewed by the Akamai Information System Security Officer (ISSO). The physical controls in place include servers located in a secured data center with surveillance, locked rooms, and a separate network operations center, and security guards and badging of personnel for access. |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services