CMS Amazon Web Services GovCloud
Date signed: 5/23/2022
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-6582938-027800 |
Name: | CMS Amazon Web Services GovCloud |
The subject of this PIA is which of the following? | General Support System |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Contractor |
Is this a new or existing system? | New |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 4/18/2025 |
Describe the purpose of the system | Amazon Web Services (AWS) is a cloud service provider (CSP) that provides Infrastructure as a Service (IaaS) for the Centers for Medicare & Medicaid Services (CMS). AWS GovCloud also provides Platform as a Service (PaaS) services to application development teams that deploy and operate their systems in the GSS. AWS GovCloud utilizes AWS GovCloud, a US government-only cloud computing environment that is FedRAMP authorized at the high-impact level. AWS GovCloud will be used as a cloud infrastructure environment to support system hosting for systems categorized as High or Moderate. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | AWS GovCloud collects and maintains employee and contractor credentials, including user first and last name, cell phone number, and email address, from the CMS Enterprise User Authentication (EUA) (PIA P-2722934-005075). EUA is used to manage user IDs and other user profile information, with credentials replicated to AWS Identity and Access Management (IAM) or locally maintained user directories such as Active Directory. The user information is maintained by the AWS GovCloud system until the individual leaves the project and no longer requires access to the system. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | AWS GovCloud is a GSS that provides the infrastructure to host CMS Major Applications. AWS GovCloud only contains information associated with CMS employees and contractors. The GSS only collects, maintains, or disseminates personal information from CMS employees and contractors. The function of the GSS is to provide a cloud platform for other CMS Major Applications to conduct CMS business operations. AWS GovCloud collects and maintains employee and contractor credentials, including user first and last name, cell phone number, and email address. The user information is collected and maintained in order to grant users access to AWS administrative/management tools and interfaces. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. |
|
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Employees |
How many individuals' PII in the system? | <100 |
For what primary purpose is the PII used? | The Personally Identifiable Information (PII) (user first and last name, cell phone number and email address) is collected and maintained in order to grant users access to AWS GovCloud. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There are no other uses for the PII collected outside of the primary use. |
Describe the function of the SSN. | Not Applicable, SSN is not collected. |
Cite the legal authority to use the SSN. | Not Applicable, SSN is not collected. |
Identify legal authorities governing information use and disclosure specific to the system and program. | 5 USC Section 301; Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Other - PII is not directly collected by AWS. The PII is from the Enterprise Identity Management (EIDM) application. |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Other - CMS Direct Contractors |
Identify the OMB information collection approval number and expiration date | Not Applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | No prior notice is given by AWS GovCloud GSS, as the system doesn't directly collect any personal information. The information is provided by Enterprise Identity Management (EIDM), and EIDM gives notice. EIDM is a separate FISMA system and is covered by its own PIA requirements. Individuals requesting access to AWS must sign an account request form. The account request form must also be filled out, indicating name, email, phone number and access level needed. This form is reviewed and approved by the System Information Security Officer (ISSO) prior to account creation. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The PII is collected in a separate application, the EIDM application; therefore there is no ability to opt out. EIDM is a separate FISMA system and is covered by its own PIA requirements. A potential user cannot 'opt out' of providing his or her PII (email, name and phone number). The PII is needed to create a user account in order to access AWS GovCloud. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Notification is not provided by AWS GovCloud, because the PII is not directly collected from the individual. The PII is collected in a separate application, which is the EIDM. EIDM is a separate FISMA system and is covered by its own PIA requirements. However, an individual requesting access to AWS GovCloud must sign an account request form prior to account creation. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The PII data is obtained from another CMS system; therefore, there is no process in place by AWS GovCloud to address an individual's concerns. However, complaints regarding the use of a system user's PII can be sent to any of the AWS GovCloud system administrators. These complaints will be given a corresponding ticket to ensure that the system administrators practice due diligence in reviewing the issue, question or concerns of the individual. Data collection practices, privacy and security safeguards are of the utmost importance to the AWS GovCloud system management, and any concerns raised will be reviewed. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | In order to maintain the integrity, availability, accuracy, and relevancy of the PII, System Administrators review user accounts annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if no longer required. Under this process, outdated, unnecessary, irrelevant, and inaccurate PII is identified and deleted. The PII is available as needed, and is sufficient (minimum required) for the purposes needed. Only system administrators can create or modify PII. Activities of all users, including system administrators, are logged and reviewed by the System Information System Security Officer (ISSO) to identify abnormal activities, if any. |
Identify who will have access to the PII in the system and the reason why they require access. |
|
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Individuals requesting access to AWS GovCloud must first complete and submit an account request form to obtain a CMS EUA ID. The account request form must also be filled out, indicating the minimal access required to perform one's tasks. Prior to granting access, review and approval is required by the Contracting Officer Representative (COR) and/or CMS Access Administrator (CAA). Authorizations (i.e., permissions) to access PII are assigned as needed based on each user's role. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | AWS uses the principle of least privilege as well as role-based access control to ensure system administrators and other users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. System Administrators review user accounts at least annually. Any anomalies are addressed and resolved by contacting the user and modifying their user data, or by removing their access if no longer required. Activities of all users, including system administrators, are logged and reviewed to identify abnormal activities, if any. |
Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All AWS GovCloud users are required to take the CMS Information Security and Privacy training on an annual basis, or whenever changes to the training module have been made. This training includes details on the handling of PII. Completion of required annual training is mandatory in order to maintain a user's EUA account. |
Describe training system users receive (above and beyond general security and privacy awareness training) | CMS employees and contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their roles. The AWS GovCloud project makes several computer based training (CBT) and online courses available to administrators and other users to provide training on AWS services and operational capabilities. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The only PII maintained by AWS GovCloud is employee and contractor credentials. Retention and destruction of this information falls under General Records Schedule (GRS) 3.2 Item 030, "System access records", Disposition Authority DAA-GRS-2013-0006-0003, Destroy when business use ceases; GRS 3.2 Item 010, "Systems and Data Security Records", Disposition Authority: DAA-GRS-2013-0006-0001, Destroy 1 year(s) after system is superseded by a new iteration or when no longer needed for agency/IT administrative purposes to ensure a continuity of security controls throughout the life of the system; GRS 3.2 Item 020, "Computer Security Incident Handling, Reporting and Follow-up Records", Disposition Authority DAA-GRS-2013-0006-002, Destroy 3 year(s) after all necessary follow-up actions have been completed, but longer retention is authorized if required for business use; and GRS 3.2 Item 031, DAA-GRS2013-0006-0004, "System Access Records" for "Systems requiring special accountability for access", Destroy 6 years after password is altered or user account is terminated, but longer retention is authorized if required for business use. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | AWS West relies on a cloud service provider environment distributed among multiple secured data center facilities. Physical controls, such as security guards, are in place to ensure access to the buildings is granted only to authorized individuals. Identification of personnel is checked at the facility. AWS uses the principle of least privilege as well as role-based access control to ensure system administrators are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. The information is protected using Access Control Lists (ACLs) defined to allow only administrator access to the PII. This access is further protected by the system controls, which enforce two-factor authentication into the AWS system. All user access is conditioned upon a formal request and approval process that ensures users are only provided access to the information assets and resources they need to perform their job functions. Technical controls for the AWS West GSS include but are not limited to firewalls, system information and event management software (SIEM), intrusion detection/prevention systems (IDS/IPS), antivirus management systems, vulnerability management systems, control compliance systems, and access log management and analysis. |