Application Programming Interface Gateway
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 10/31/2023
OPDIV: | CMS | ||
---|---|---|---|
PIA Unique Identifier: | P-9663994-266073 | ||
Name: | Application Programming Interface Gateway | ||
The subject of this PIA is which of the following? | Major Application | ||
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate | ||
Is this a FISMA-Reportable system? | Yes | ||
Does the system include a Website or online application available to and for the use of the general public? | No | ||
Identify the operator: | Agency | ||
Is this a new or existing system? | Existing | ||
Does the system have Security Authorization (SA)? | Yes | ||
Date of Security Authorization | 12/11/2024 | ||
Indicate the following reason(s) for updating this PIA. Choose from the following options. | | ||
Describe in further detail any changes to the system that have occurred since the last PIA. | External connectivity capability was deployed in FY23Q1 following coordinated design details with TRB. Their 10/12/2022 recommendations were implemented. Access to the Investigative View in the Tomcat (web) component was opened to CIDR 0.0.0.0 (all access allowed) using a distinct security group assigned ONLY for Investigative View. This was approved and documented via the Attestation process (JIRA ticket CLDSPT-38597) in accordance with the Exemption Policy Guide AWS Security Hub. | ||
Describe the purpose of the system | The CMS Center for Program Integrity (CPI) goal for Application Programming Interface (API) Gateway (APIGW) is to improve access to CPI provider and investigative data by providing application programming interfaces (APIs) using the MuleSoft Anypoint Platform as the full life-cycle API management tool that: | ||
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | APIGW facilitates the extraction of data from external data sources such as Advanced Provider Screening (APS), National Plan and Provider Enumeration System (NPPES), Provider Enrollment Chain and Ownership System (PECOS), and Unified Case Management System (UCM). Information respective to each of these is listed below. APIGW itself consists of Application Programming Interface (API) information about the connections that facilitate these extractions with the goal of providing the association of more accurate data from various sources. | ||
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CPI API Gateway will temporarily share but not store Personally Identifiable Information (PII) (e.g., Social Security Number (SSN), Taxpayer ID, Date of Birth, Medicare Administrative Contractor (MAC) ID, and Medicare ID). PII is visible only to users with unmasked rights, which are controlled by Identity Management (IDM)/Okta for the Law Enforcement (LE) view and through API Governance in the API Portal for APIs. At a high level, the system is comprised of: 1. The MuleSoft Anypoint Platform Private Cloud Edition (PCE), a commercial off-the-shelf (COTS) full life-cycle application programming interface (API) management tool and associated integrations. a. Advanced Provider Screening (APS) Services including IDM and Security Information and Event Management (SIEM) are provided through Integrated Service Providers: 2. Salesforce to implement an API Portal for API Governance | ||
Does the system collect, maintain, use or share PII? | No | ||
Other Federal Agency/ Agencies Explanation: | PII only traverses APIGW without being stored. PII data is restricted to authorized Law Enforcement personnel during their investigations. | ||
Others Explanation: | Users designated with the role of Law Enforcement will have access during the conduct of their investigations. | ||
Session Cookies - Collects PII?: | No |