CMS Acquisition Lifecycle Modernization
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 10/29/2024
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-5222597-003798 |
| Name: | CMS Acquisition Lifecycle Modernization |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Agency |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 4/14/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe the purpose of the system | The purpose of the Centers for Medicare and Medicaid Services (CMS) Acquisition Lifecycle Modernization (CALM) system is to facilitate better collaboration between the CMS program offices that need to procure items or services, and the contracting offices that support them. The platform will enable the workforce to execute contracting activities efficiently and strategically. CMS will be able to quickly identify trends in data to the extent of understanding blind spots and can adapt to changes in the acquisition environment to include being able to add data fields to enrich reporting over data calls. CALM is a platform that is designed to support all the acquisition lifecycle for CMS. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | CALM collects and stores contract and solicitation information as well as vendor information. This will consist of vendor name, address, phone number, Taxpayer Identification Number (TIN), Employer Identification Number (EIN), and Data Universal Numbering System (DUNS) numbers not shared with any other system. Additionally, CMS user ID and email address will be stored for credential/role purposes. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CMS Acquisition Lifecycle Modernization (CALM) system is a cloud-based Commercial off the Shelf (COTS) product built on an Appian Cloud Platform as a Service (PaaS) residing in the Amazon Web Services (AWS) GovCloud Region. Regarding individual user’s PII, only their CMS User ID and email address is stored within the system for authorized CMS user access with the use of Enterprise User Administration (EUA)/Enterprise Identity Management solution (EIDM) (maintained under its own ATO). The vendor information that is collected is pulled from the System for Award Management (SAM), a General Services Administration (GSA) system that will be integrated with CALM. The vendor information that is collected is the vendor's name, address, phone number, Taxpayer Identification Number (TIN). The contracts that are built in CALM share the same TIN, EIN, information with Departmental Contracts Information System (DCIS), owned by HHS, and Federal Procurement Data System (FPDS), owned by GSA. EIDM is currently in use at CMS and covered by its own PIA. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 500-4,999 |
| For what primary purpose is the PII used? | CALM uses PII to authenticate users to the application and for user security privileges. Users are authenticated to the system using EIDM (which is covered by its own ATO and PIA). To do this, EIDM collects Name and E-mail. This information is not shared and is only collected temporarily to authenticate users. Authentication credentials connect users to security groups, having different privileges. Use of PII is not disclosed in the system because PII is only used to authenticate users and assign them security privileges. Users cannot see other users' PII. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
| Describe the function of the SSN. | N/A, SSN is not captured. |
| Cite the legal authority to use the SSN. | N/A, SSN is not captured. |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Title 5 (TITLE 5—GOVERNMENT ORGANIZATION AND EMPLOYEES) USC 301, Departmental regulations. |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
| Identify the sources of PII in the system: Government Sources | Within the OPDIV |
| Identify the sources of PII in the system: Non-Government Sources | Other - None |
| Identify the OMB information collection approval number and expiration date | N/A |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | No process exists because our application does not store PII data, it is only used to authenticate the user and the PII is not being retrieved by one or more PII elements. PII collection in CALM is not subject to the Privacy Act because it is only authenticating the user.
|
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There is no option to opt out because the PII is used to authenticate to the application. The user can decide if they do not want to use the application. PII collection in CALM is not subject to the privacy act because it is only authenticating the user. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | CALM users are presented with an official CMS warning banner, which addresses privacy, prior to gaining access to log onto the system. The CALM warning banner comes from the EIDM integration. The banner can be reached via the following link: https://cmsoagmdev.appiancloud.com/suite/design |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | No process exists because our application does not store or disclose PII data, it is only used to authenticate the user. PII collection in CALM is not subject to the Privacy Act because it is only authenticating the user. If the user feels that the PII is inaccurate, they may contact the system administrator and revise the information within EIDM. However, if the name and email address were incorrect, access would not be possible to the system. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Under the process of requesting access via EIDM through a System Administrator, outdated, unnecessary, irrelevant, and inaccurate PII is identified and deleted from CALM. The PII is available as needed and is sufficient (minimum required) for the purposes needed. The PII fields are locked and cannot be changed; The process to ensure that individuals who provide or modify PII because that action is done within the system. The process to ensure PII is available when needed is by integrating with EIDM. Users can, at any time, request that their PII (access) be removed by contacting their System Administrator, who in turn, would take the corresponding action within EIDM. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Designated contractors and non-contractors assigned to the System Administrators security group can access each users CMS User ID. All contractors designated as System Administrators are required to have this role to assist in maintaining the system and completing other job functions. New System Administrators must be approved by the Business Owner prior to being granted the System Administrators security group. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Based on user group assignments, users are granted read, write, and execute privileges to specific assigned data elements. Additionally, two-factor authentication and encryption provide technical controls. Account access is monitored and logged. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CALM users are provided CMS security and privacy awareness training prior to obtaining access to the system. This training advises the users of their security roles and responsibilities of utilizing the system. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Annually, CALM users are required to take refresher security awareness training. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | User accounts are monitored daily for activity. Accounts are permanently deactivated after 90 days of inactivity. If the individual returns needing access to the application, it requires the new account request process to be followed for reactivation. Accounts records are maintained indefinitely for historical audit capabilities and are stored in compliance with the National Archives and Record Administration General Records Schedules (GRS) DAA-0440-2015-0002-0002, which states: Destroy/delete when 7 years after cutoff. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative controls provide privileged access to the System Administration security group, which grants access to the CMS User ID. New System Administrator's must be approved by the Business Owner as per CMS policy. Technical controls include Personal Identity Verification (PIV) cards, Multifactor Authentication, Federal Information Processing Standard (FIPS) 140-2 for data protection to include data at rest, data in use and data in transit. Physical controls include door locks, personnel badges, and security guards at the service provider where CALM resides. |