Cloud Content Management

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

Date signed: 8/28/2024

PIA information for Cloud Content Management

OPDIV:

CMS

PIA Unique Identifier:

P-2263675-209329

Name:

Cloud Content Management

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

3/22/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Updated: PIA-025 was updated to reflect the expiration date of 08/31/2025, and PIA-032 was updated with an additional job code for Collaborative Application Lifecycle Tool (CALT) users: Enterprise Content Management (ECM) ECM_CALT_USER - User has access to all Collaborative Application Lifecycle Tool project-related data and documents stored in the Cloud Content Management platform.

Please note that each system named here is covered under its own Authority to Operate (ATO) and Privacy Impact Assessment (PIA).

Describe the purpose of the system

The Cloud Content Management platform is a proposed Centers for Medicare & Medicaid Services (CMS) wide Content Management System built on a combination of centralized content management services that exploit the advantages of the cloud computing delivery model. The Cloud Content Management Platform offers advanced security and governance designed for the storage and retrieval of documents and metadata, and to facilitate content moderation/workflow for various business processes at the Centers for Medicare & Medicaid Services.
The Cloud Content Management Platform enables next-generation, content-driven Centers for Medicare & Medicaid Services applications to store, share, and access content, offering governance, security, auditing, and workflow capabilities in the Centers for Medicare & Medicaid Services Amazon Web Services cloud. The platform offers flexibility to integrated applications at the Centers for Medicare & Medicaid Services by providing an Application Programming Interface approach to communicate with the platform quickly and securely.
The Cloud Content Management platform is hosted on the Centers for Medicare & Medicaid Services' Amazon Web Services Cloud, leveraging best practices and Information Technology Operations and Service Security Tools and Services.

Please note that each system named here is covered under its own Authority to Operate and Privacy Impact Assessment.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The Cloud Content Management system does not currently collect or share Personally Identifiable Information (PII)/Protected Health Information (PHI), but it does store it. The specific information that the Cloud Content Management system maintains in its database is based on the integrating application’s business need.

The Enterprise User Administration (EUA) and Identity Management (IDM) Okta is a system of record for user credentials, and the following information (Username, User Role, Plan Contract Number, Email Address and Name) is collected and stored in the Cloud Content Management system during authentication and authorization.

The following information is currently stored in the Cloud Content Management system:

  • Email Address

  • Medical Notes

  • Date of Birth

  • Mailing Address

  • Name

  • Phone

  • Medical Records Number

  • Other - Prescription Drug Event Records, sex, Medical Notes, Pharmacy/ Prescriber National Provider Identifier, Drug Generic Name/ Identifier, User's Full Name, Centers for Medicare & Medicaid Services User Identification, etc.


The above information will be maintained in the system based on the integrating application’s records retention schedule. The Centers for Medicare & Medicaid Services has employed a records retention schedule referred to as a "Bucket Approach", otherwise known as flexible scheduling. More about this approach, what it means, and how it is applied at Federal Agencies can be found on the National Archives' website at: https://www.archives.gov/records-mgmt/faqs/flexible-scheduling.html.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The Cloud Content Management platform is a proposed Centers for Medicare & Medicaid Services wide Content Management System built on a combination of centralized content management services that exploit the advantages of the cloud computing delivery model. The Cloud Content Management platform offers advanced security and governance designed for the storage and retrieval of documents and metadata, and to facilitate content moderation/workflow for various business processes at the Centers for Medicare & Medicaid Services.
The Cloud Content Management platform enables next-generation, content-driven Centers for Medicare & Medicaid Services applications to store, share, and access content, offering governance, security, auditing, and workflow capabilities in the Centers for Medicare & Medicaid Services Amazon Web Services cloud. The platform offers flexibility to integrated applications at the Centers for Medicare & Medicaid Services by providing an Application Programming Interface approach to communicate with the platform quickly and securely.
The Cloud Content Management platform is hosted on the Centers for Medicare & Medicaid Services' Amazon Web Services Cloud, leveraging best practices and Information Technology Operations and Service Security Tools and Services.
The Cloud Content Management platform adheres to all implementation, security and Technical Reference Architecture standards set by the Centers for Medicare & Medicaid Services to build an extensible and robust enterprise-grade system with a “low-code/no-code” design philosophy that integrating Centers for Medicare & Medicaid Services applications can leverage to store, search, collaborate, archive, and moderate content.

The Cloud Content Management system does not currently collect or share Personally Identifiable Information/Protected Health Information, but it does store it. The specific information that the Cloud Content Management system maintains in its database is based on the integrating application’s business need.

The Enterprise User Administration and Identity Management Okta is a system of record for user credentials, and the following information (Username, User Role, Plan Contract Number, Email Address and Name) is collected and stored in the Cloud Content Management system during authentication and authorization.

Please note that each system named here is covered under its own Authority to Operate and Privacy Impact Assessment.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name

  • E-Mail Address

  • Phone Numbers

  • Medical Notes

  • Date of Birth

  • Mailing Address

  • Medical Records Number

  • Other - Prescription Drug Event Records, sex, Medical Notes, Pharmacy/ Prescriber National Provider Identifier, Drug Generic Name/ Identifier, User's Full Name, Centers for Medicare & Medicaid Services User Identification, etc.: Username (User ID), User Role, and Plan Contract Number. The EUA and IDM Okta is a system of record for user credentials, and the following information (Username, User Role, Plan Contract Number, Email Address and Name) is collected and stored in the CCM system during authentication and authorization.

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Vendors/Suppliers/Contractors

How many individuals' PII in the system?

500-4,999

For what primary purpose is the PII used?

The Personally Identifiable Information collected is strictly the Centers for Medicare & Medicaid Services User Identifications, Work Email addresses, User Role, Plan Contract Number and Name.

The Enterprise User Administration and Identity Management Okta is a system of record for user credentials, and the following information is collected and stored in the Cloud Content Management system during authentication and authorization: Username, User Role, Plan Contract Number, Email Address and Name.

This information is collected for user authentication and authorization in the Cloud Content Management platform. This authentication and authorization data is maintained by Enterprise User Administration and Lightweight Directory Access Protocol. The Cloud Content Management platform integrates with the Enterprise User Administration for authentication and authorization to support the business needs of the integrating application.
Additionally, the Cloud Content Management platform meets the integrating application’s business need to monitor and address Medicare Part C and Part D Program Integrity, Vulnerability and to ensure compliance with regulatory requirements. Most of the Personally Identifiable Information/Protected Health Information is contained within the Prescription Drug Event Records file, Supporting Documentation and Deletion Check Report. This data is not extracted by or used in any other way by the system.

Please note that each system named here is covered under its own Authority to Operate and Privacy Impact Assessment.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

There is no secondary use for which Personal Identifiable Information/Protected Health Information is used.

Describe the function of the SSN.

Not applicable.

Cite the legal authority to use the SSN.

Not applicable.

Identify legal authorities governing information use and disclosure specific to the system and program.

The Cloud Content Management application data is covered under the System of Record Notice of individual integrating business applications. Center for Program Integrity System of Record Notice National Claims History-09-70-0558 applies to the Cloud Content Management system. This system contains Protected Health Information as defined by the Department of Health and Human Services regulation "Standards for Privacy of Individually Identifiable Health Information" (45 Code of Federal Regulations parts 160 and 164, subparts A and E) 65 Federal Regulations 82462 (12-28-00). Disclosures of such Protected Health Information that are otherwise authorized by these routine uses may only be made if, and as, permitted or required by the "Standards for Privacy of Individually Identifiable Health Information." (See 45 Code of Federal Regulations 164-512(a)(1)).

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Online

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

N/A

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Before users are allowed to log on to the Cloud Content Management Platform, they are required to select "Agree to our Terms & Conditions".
This "Agree to our Terms & Conditions" button notifies the user of the following:
Office of Management Budget Number 0938-1236 | Expiration Date:  08/31/2025| Paperwork Reduction Act Updated Departmental Standard Warning Banner for the Department of Health & Human Services Information Systems, Memo dated July 14, 2016. This warning banner provides privacy and security notices consistent with applicable federal laws, directives, and other federal guidance for accessing this Government system, which includes (1) this computer network, (2) all computers connected to this network, and (3) all devices and storage media attached to this network or to a computer on this network. This information system is provided for Government-authorized use only. Unauthorized or improper use of this system is prohibited and may result in disciplinary action and/or civil and criminal penalties. Personal use of social media and networking sites on this system is limited as to not interfere with official work duties and is subject to monitoring. By using this system, you understand and consent to the following: The Government may monitor, record, and audit your usage, including usage of personal devices and email systems for official duties or to conduct the Department of Health and Human Services business. Therefore, you have no reasonable expectation of privacy regarding any communication or data transiting or stored on this system. At any time, and for any lawful Government purpose, the government may monitor, intercept, and search and seize any communication or data transiting or stored on this system. Any communication or data transiting or stored on this system may be disclosed or used for any lawful Government purpose.

 

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

Individuals do not have the choice to opt-out of the use or collection of their Personal Identifiable Information/Protected Health Information. There is no method for users to opt-out in the Cloud Content Management system. Users are not allowed to log on and gain access to the system if they do not select the "I agree" button (to agree to terms) when signing on. The data in this system is based on the integrating application’s business need for storing them in the Cloud Content Management system and is covered by the application’s System of Record Notice.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

If there are any major changes, the Cloud Content Management Platform Application Development Organization will notify users at their work email addresses via a disclosure after getting approval from the Cloud Content Management Business Owner.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

The Application Development Organization (ADO) team will work with the Cloud Content Management Chief Information Security Office immediately if a user's Personal Identifiable Information/Protected Health Information is obtained, used, or disclosed inappropriately. If a user's Personal Identifiable Information/Protected Health Information has been obtained, used, or disclosed inappropriately, the Cloud Content Management team will notify the Security Officer or Director of Operations to report the incident to the Centers for Medicare & Medicaid Services within 1 hour. A notification will go out to the Centers for Medicare & Medicaid Services Contracting Officer and the Centers for Medicare & Medicaid Services IT Service Desk at 410-786-2580, 800-562-1963 or CMS_IT_Service-Desk@cms.hhs.gov.
Any individual who has concerns should contact the Centers for Medicare & Medicaid Services through the Office for Civil Rights, which can be done by visiting https://www.hhs.gov/hipaa/filing-a-complaint/. Information about the ability to file a complaint is available at this same address.

If the Internet is not accessible, and you have questions about this topic, the Centers for Medicare & Medicaid Services can be reached by phone at 1-800-MEDICARE (1-800-633-4227). When calling, ask to speak to a customer support rep about Medicare’s Privacy Notice. Teletypewriter users may call 1-800-486-2048.

Individuals who wish to file a complaint directly without access to the Internet may call the Office for Civil Rights at 1-800-368-1019. Teletypewriter users may call 1-800-537-7697 to file their complaints.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

The Cloud Content Management platform is hosted on the Centers for Medicare & Medicaid Services Cloud in Amazon Web Services.

The Cloud Content Management platform integrates with the Enterprise User Administration system to offer role-based access to the Cloud Content Management system once a user is authenticated and authorized via the Enterprise User Administration job code setup.

The Cloud Content Management Platform System Architecture maintains data integrity and availability by employing security procedures including virtual firewalls and encryption layers.

A user's Personally Identifiable Information/Protected Health Information is non-editable because the Enterprise User Administration Lightweight Directory Access Protocol integration is read-only. Changes to the Personally Identifiable Information/Protected Health Information therefore need to be made in the Enterprise User Administration and are synced with the Cloud Content Management platform the next time the user logs on.
Once a user's access is no longer needed, the Business Owner will revoke the user's access from the Enterprise User Administration.

Please note that each system named here is covered under its own Authority to Operate and Privacy Impact Assessment.

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Users can see other users' Personally Identifiable Information/Protected Health Information (Centers for Medicare & Medicaid Services User Identification, Full Name, and Email Address, PHI) to communicate and collaborate with other users. Access is restricted by user roles based on their job functions.

    Below is a list of the user roles:

    • CCM MEPSMAPD User
    • CCM PMPP CMS BO User
    • CCM PMPP MEDIC Data User
    • CCM PMPP MEDIC Read User
    • CCM PMPP CMS BO Read User
    • CCM PMPP Admin User
    • CCM PMPP CMS COR User
    • CCM PMPP Plan User
    • CCM PECOS API User
    • CCM NPPES API User
    • CCM CALT User
    • CCM eRPT Plan User
    • CCM eRPT RO User
    • CCM eRPT CO User
    • CCM eRPT Admin User
    • CCM eRPT API User
    • CCM ECHIMP API User
    • CCM MAISTRO API User
    • CCM KMP ICPG API User

  • Administrators: Administrators can see user's Personal Identifiable Information/Protected Health Information (Centers for Medicare & Medicaid Services User Identification, Full Name, and Work Email address, Protected Health Information) because they are the stewards for the application. Administrators are responsible for ensuring the system is operating and being used appropriately.

  • Developers: Developers can see user's Personal Identifiable Information/Protected Health Information (Centers for Medicare & Medicaid Services User Identification, Full Name, and Work Email address, Protected Health Information) for testing purposes only.

  • Contractors: Contractors are "direct contractors" authorized by Enterprise User Administration to access the User Interface for view-only purposes. Administrators can see user's Personally Identifiable Information/Protected Health Information (Centers for Medicare & Medicaid Services User Identification, Full Name, and Work Email address, Protected Health Information) for testing purposes only.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The Cloud Content Management platform implements Role-Based Access Control. The roles are defined by the Cloud Content Management Platform System Administrator and Business Owners. There are job codes that define a user's access. These job codes are authenticated/provisioned through the Centers for Medicare & Medicaid Services' Enterprise User Administrative System.
The following three job codes are currently being used on the Cloud Content Management platform:

  • CCM_DRUPAL_ADMIN - To access the Cloud Content Management platform as Drupal Administrator. Granted only to the Application Developer Owner Admins.

  • CCM_SITE_ADMIN - To access the Cloud Content Management platform as a Site Administrator. Granted only to the Cloud Content Management Business Owner.

  • CCM_MEPSMAPD_USER - To access the Medicare Enrollment & Payment System Medicare Advantage and Prescription Drug Electronic Change Information Management Portal change request data and documents stored in the Cloud Content Management platform.

  • ECM_CALT_USER - User has access to all Collaborative Application Lifecycle Tool project-related data and documents stored in the Cloud Content Management platform.

Please note that each system named here is covered under its own Authority to Operate and Privacy Impact Assessment.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The Cloud Content Management platform uses the roles and permissions matrix of the underlying Drupal Content Management System to ensure that those with access to Personally Identifiable Information/Protected Health Information can access only the minimum information necessary to perform their job functions.
After a user is successfully authenticated by the Enterprise User Administrative Lightweight Directory Access Protocol, the user's job code is mapped to an internal Cloud Content Management platform role, and permissions are then applied to this role. Permissions are given to the roles to satisfy the minimum job functions of the role as per the business requirement.

Please note that each system named here is covered under its own Authority to Operate and Privacy Impact Assessment.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

All Users (Business Owners, Managers, Contractors and/or Program Managers) must complete the Centers for Medicare & Medicaid Services Annual Security Awareness Computer Based Training. In addition, the Information System Security Officer and Contractors attended and received the Centers for Medicare & Medicaid Services Information System Security Officer certification. The Information System Security Officer certification consists of a two-day (16 hours) training course and written exam. This certification is maintained in the Training Matrix of the Application Developer Owner Admins.

Describe training system users receive (above and beyond general security and privacy awareness training)

The Application Developer Owner Admins are also required to take the following mandatory trainings annually:

1. Role-Based Access Training 
2. Security Awareness Training
3. Rules of Behavior Training
4. Department of Health and Human Services Records Management Training  

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

The Centers for Medicare & Medicaid Services has employed a records retention schedule referred to as a "Bucket Approach", otherwise known as flexible scheduling. More about this approach, what it means, and how it is applied at Federal Agencies can be found on the National Archives' website at: https://www.archives.gov/records-mgmt/faqs/flexible-scheduling.html.

The Cloud Content Management platform contains archived information of the Change Management within the Medicare Enrollment and Payment Systems. Personally Identifiable Information (such as Centers for Medicare & Medicaid Services User Identification, Full Name, and Work Email Address) is retained only for the purposes of authentication and/or Cloud Content Management platform audit logs. For the purposes of records retention, these are considered part of Bucket 9: Compliance and Integrity records schedule for the Centers for Medicare & Medicaid Services (DAA-0440-2015-0012). All files within this grouping are considered Temporary; they do not have to be transferred for Permanent storage at the National Archives once the amount of time they must be retained is complete. All files within this category must be destroyed after they are seven (7) years old or when no longer needed for agency business, whichever is later.

Additionally, the Part D Event Records and Supporting Documentation in the Medicare Part C and Part D audit packages stored within the Cloud Content Management database are used for reviewing the compliance and ensuring the integrity of Medicare programs and are considered part of Bucket 3: Financial Records within the records schedule for the Centers for Medicare & Medicaid Services (DAA-0440-2015-0004). All files within this grouping are considered Temporary; they do not have to be transferred for Permanent storage at the National Archives once the amount of time they must be retained is complete. All files within this category must be destroyed after they are seven (7) years old or when no longer needed for agency business, whichever is later.

Please note that each system named here is covered under its own Authority to Operate and Privacy Impact Assessment.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The Personally Identifiable Information (Centers for Medicare & Medicaid Services User Identification, Full Name, and Work Email Address) is stored in the encrypted MySQL Relational Database Service database in the Centers for Medicare & Medicaid Services Cloud.
Access to the Amazon Web Services Management Console is controlled via Enterprise User Administration Job Code and roles in CloudTamer. The Cloud Content Management Application Development Organization must also be approved to log on to the Centers for Medicare & Medicaid Services Cloud Virtual Private Network before accessing CloudTamer.
Access to the Cloud Content Management platform is controlled via Enterprise User Administration Job Code and follows its approval process and verification before permission is granted.

All policies relating to information security are addressed in the Centers for Medicare & Medicaid Services organizational security and privacy policy and procedures, including the Centers for Medicare & Medicaid Services policy for Information Security Program and the Centers for Medicare & Medicaid Services Acceptable Risk Safeguards. Technical controls include access controls which are established to limit operations and maintenance user access to the data based on role-based design and assigned on a need-to-know basis. Physical controls include access controls which are established to limit data center access to the Cloud Service Provider team and are granted based on the principle of least privilege, where requests must specify to which layer of the data center the individual needs access and are time-bound. Requests are reviewed and approved by authorized personnel, and access is revoked after the requested time expires. Once granted admittance, individuals are restricted to areas specified in their permissions. The Cloud Content Management Team has no physical access to any of the datacenters or facilities.

The application is regularly assessed using the Centers for Medicare & Medicaid Services security policies and controls that include administrative, technical, and physical controls. All controls are tested using an Adaptive Capabilities Testing methodology within a 3-year period as part of annual Federal Information Security Management Act evaluations.

Please note that each system named here is covered under its own Authority to Operate and Privacy Impact Assessment.