Box Storage Solution
Date signed: 10/29/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-5739360-197386 |
Name: | Box Storage Solution |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | Yes |
Identify the operator: | Contractor |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 2/26/2025 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | Not Applicable |
Describe the purpose of the system | Box Storage Solution (BSS) allows CMS users to collaborate on documents and files with other CMS users, contractors and other authorized third parties across multiple types of devices. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | BSS does not directly collect an individual's Personally Identifiable Information (PII). Employee and contractor credentials, including user first and last name, email address, phone numbers and CMS user IDs, are sourced from the Enterprise User Administration (EUA), which has its own PIA. BSS does store files and documents containing various PII information types that employees, contractors and third parties have uploaded into the system. The function of the system makes it impractical to know all information types that users of the system will store. CMS requires that stored data follow the HHS rules of behavior and be limited to that which is necessary for the business purpose. BSS will retain data indefinitely as long as CMS maintains an active contract with the BSS. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | BSS allows for the collaboration on documents with approved BSS users. Approved BSS users will be uploading, downloading and collaborating on documents containing various PII information types. The BSS user who creates the folder/file and uploads it grants permissions (read, write, save, etc.) to the documents/files/folders. BSS will retain data indefinitely as long as CMS maintains an active contract with the BSS. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 5,000-9,999 |
For what primary purpose is the PII used? | The BSS uses the PII for account creation and logon. The primary purpose of users entering data into BSS is general business need and analysis. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There are no other uses for the PII collected outside of the primary use. |
Describe the function of the SSN. | SSN will not be used. BSS does not require the use or collection of SSNs; however, users of BSS may potentially upload SSNs. |
Cite the legal authority to use the SSN. | E.O. 9397 |
Identify legal authorities governing information use and disclosure specific to the system and program. | The information in this system is collected, maintained, and disseminated pursuant to the rules and regulations the Centers for Medicare & Medicaid Services enforces. In addition, given the varied nature of the data, PII may be maintained under several other statutes including, but not limited to, 5 USC 301, 42 USC, 29 USC, 18 USC, and 26 USC. |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | Not applicable. |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | BSS will be configured and deployed with a system use banner notifying users of the limited PII collected for account management use. Additionally, individuals are notified that their personal information is being collected when they apply for access to CMS systems. The application for access to CMS systems (Form CMS-20037) is completed, and on page 3 there is a Privacy Act notice that informs individuals that their personal information is being collected. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The PII used for login purposes is collected by a separate application, EUA; therefore there is no ability to opt out. All other PII collected is voluntary and, as such, is at the discretion of the user to opt in by uploading information. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Notification will not be provided by BSS. The PII is not directly collected from the individual. The PII that is collected is collected in a separate application, which is EUA. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The PII login data is obtained from EUA; therefore, there is no process in place within BSS to address an individual's concerns. Standard CMS incident handling procedures will be used if PII/PHI has been inappropriately uploaded or disclosed. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Due to the nature of the BSS and the anticipated broad use of these services across CMS, it is the responsibility of the parties providing the data to ensure the completeness, accuracy, and currency of data at the time it is submitted. Continuous log analysis and review by administrators is standard practice, as is integration with CMS cyber security asset teams for automatic log ingestion and review. The Cloud Lock implementation monitors files and folders for PII through CMS-created policies. Cloud Lock sends an alert to administrators and deletes the PII when a policy is violated. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Role-based access control is in place to control access to PII account information. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Role-based access control is in place to control access to PII account information, using full admin and read-only admin access rights and privileges. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS users and those with elevated privileges are required to take CMS Information Systems Security and Privacy Awareness training and CMS Protecting Government Information and Preventing Cyber Breaches training yearly on protecting CMS business data. In addition to the CMS training, Box engineers will also train each site after migration is completed and will provide training for the Help Desk to troubleshoot any issues. |
Describe training system users receive (above and beyond general security and privacy awareness training) | No other training is mandatory for this system. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Box will retain customer data indefinitely if the customer maintains an active contract with Box. Box securely disposes of PII on its servers by deleting the files and database records so that they are unrecoverable. CMS will ensure that the following processes and guidelines are adhered to in the retention and destruction of PII data: National Archives and Records Administration (NARA) Record Control Schedules N1-GRS-87-005, N1-GRS-92-002, N1-GRS-95-002, General Records Schedule (GRS) 3.1, item 020, DAA-GRS-2013-0006. CMS retains records that facilitate the review of PII disclosures/access for five (5) years. CMS ensures that audit information is archived for six (6) years to enable the re-creation of computer-related accesses to both the operating system and the application wherever PII is stored. CMS retains PII inspection reports, including a record of corrective actions, for a minimum of three (3) years from the date the inspection was completed. CMS retains electronic records for 1 year to provide support for after-the-fact investigations of security incidents and to meet regulatory and CMS information retention requirements. CMS record retention requirements are updated to meet the requirements of the NARA General Records Schedules. When PII is destroyed, CMS follows the guidance of the National Institute of Standards and Technology (NIST) Special Publication 800-88 Rev. 1. CMS will disintegrate, pulverize, melt, incinerate, and/or shred PII data once it is no longer necessary to retain it. Certificates of destruction are completed and retained whenever PII data is destroyed. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Any PII is safeguarded physically via Box.com for Government, a secure cloud storage solution that is compliant with standards such as Box FedRAMP, ITAR, EAR, DoD SRG L4, ISO 27018, HIPAA, and IRS-1075, with a 3-year retention policy as per General Records Schedule (GRS) 3.1, item 020. Administrative controls used in this system include, but are not limited to, requiring users to acknowledge the usage conditions and take explicit actions to log on to or further access the information system. Technical controls used in this system include, but are not limited to, requiring users to have a username and password or Smart (PIV) card to access their user account. Physical controls include, but are not limited to, the use of locked cabinets to store server hardware, which are housed in an access-controlled secure data center. All controls are documented fully in the Security Assessment Report (SAR). |