CMS Connect

OPDIV:

CMS

PIA Unique Identifier:

P-4714674-587175

Name:

CMS Connect

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

6/28/2024

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Since original PIA, the FedRAMP offering has gone from Moderate to High. CMS has stayed at Moderate Authorization.

Describe the purpose of the system

CMS ServiceNow, also known as “CMS Connect (CCN)", is a ticketing system used to track information technology (IT) service requests, incidents, problems, infrastructure change requests, work orders, tasks, assets, and other business service management data. CCN is a web based application used within Web browsers. CCN is the primary application for tracking IT related requests for the Centers for Medicare & Medicaid Services (CMS).

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

CCN collects, maintains and stores sensitive information technology data such as Internet Protocol (IP) addresses, operating system versions and patch levels, and personally identifiable (employment status, mailing address - if needed to mail Government Furnished Equipment) about CMS information system users; direct contractors and CMS government employees, including their employment status as a contractor or government employee. User names and passwords are passed through the CCN application to the Enterprise User Administration (EUA) system in order for users to authenticate and make use of CCN. EUA has its own separate PIA. Users may be associated to user names by their actual full names in order to open, track, and resolve incident tickets. While PII is not required for an issue to be logged, Point of Contact information (email address and phone numbers) may be requested for tracking progress of the issue being remediated. Users are able to enter or communicate to Service Desk personnel (direct contractors) any information pertinent to the incident, including PII or other data that may be sensitive.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

CCN collects, maintains and stores sensitive information technology data such as Internet Protocol (IP) addresses, operating system versions patch levels, personally identifiable information (employment status, mailing address - if needed) about CMS information system users. The data is used to create, track and monitor IT service requests, incidents, problems, infrastructure change requests, work orders, tasks, and assets.  The reporting environment enables authorized users; direct contractors and CMS government employees, to generate reports based on criteria fields about tickets stored within the ticketing system. This information is used for internal purposes only and is not shared with third parties. 

CMS Help Desk regularly use PII to retrieve system records by use of individual identifiers; e.g., last name, employee ID number, and/or work phone number of CMS employees, contractors, business partner, and individuals that contact the CMS Help Desk to report an issue or concern.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

• Name

• E-Mail Address
• Phone Numbers
• Mailing Address
• Employment Status
• Other - Usernames

Indicate the categories of individuals about whom PII is collected, maintained or shared.

• Employees

• Business Partners/Contacts (Federal, state, local agencies)

• Vendors/Suppliers/Contractors
• Other - Any person who calls into the CMS Help Desk to report an issue or concern has the option of providing PII, or any other information pertinent to an issue or incident, to a CMS Help Desk representative. It is not typical for individuals outside of CMS or its vendors, suppliers, or contractors to report issues, however, it is possible.

How many individuals' PII in the system?

5,000-9,999

For what primary purpose is the PII used?

PII is used to uniquely identify CMS information system users and to correlate their CCN ticket information. Mailing address is only requested and used to mail government furnished equipment.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

None

Describe the function of the SSN.

The SSN is not requested or collected

Cite the legal authority to use the SSN.

The SSN is not requested or collected

Identify legal authorities​ governing information use and disclosure specific to the system and program.

5 U.S.C. 301, Departmental Regulation

Are records on the system retrieved by one or more PII data elements?

Yes

Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.

HHS Correspondence, Customer Service, and Contact List Records, system No. 09-90-1901

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

• Online

• Hard Copy
• Email
• Other - Forms

Identify the sources of PII in the system: Government Sources

Within the OPDIV

Identify the sources of PII in the system: Non-Government Sources

Private Sector

Identify the OMB information collection approval number and expiration date

CCN does not require the collection of information which is subject to the Paperwork Reduction Act. Users, under their own discretion, may provide information for troubleshooting information technology issues.

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

Personal information is only collected at the time that the CMS employee, direct contractor, or affiliate applies for access to the system. Page 3 of Application for Access to CMS Systems informs individuals that there PII is being collected and the purposes for collecting the PII. Users are authenticated via the Enterprise User Administration (EUA) system, and as such, CCN does not collect PII directly from users for authentication purposes. EUA is covered by separate PIA.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

In order for users to gain access to CCN, users must fill out the appropriate paperwork to receive an Enterprise User Administration (EUA) account with the correct job codes. The request for an EUA account states, "Furnishing the information on this form, including your Social Security Number, is voluntary. However, if you do not provide this information, you will not be granted access to CMS computer systems. EUA is covered by separate PIA.

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

Notification is not provided by CCN, because the PII is not directly collected from the individual. The PII that is collected is collected in the separate application, EUA which is covered by separate PIA. Individuals requesting access to CCN must use EUA and have an account created.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

Users can contact the CMS Service Desk by telephone at 410-786-2580 or 1-800-562-1963 or by email: CMS_IT_Service_Desk@cms.hhs.gov to report known or suspected issues regarding their PII being inappropriately obtained, used, or disclosed.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

PII is used by Service Desk personnel to identify points of contact for return calls related to information system or information technology related issues. Point of contact information is verified during the issue remediation process by Service Desk personnel. Service Desk personnel ask for the user's contact information during each engagement, even if the information has already been provided in previous calls or engagements.

Identify who will have access to the PII in the system and the reason why they require access.

• Users: CCN users will have access to PII as a part of the verification process when processing incident tickets for resolution. PII is used to verify the identity of the individual submitting incident details. Users will have read access to their own PII, as well as the PII of other government employees and direct contractors.

• Administrators: CCN administrators may have access to PII due the level of privilege associated with their user accounts. These privileges are needed in order to maintain the application, so it can function properly and securely. Administrators will have read and write access to any PII stored in ServiceNow.
• Contractors: These contractors are direct contractors that function in capacities which require access to PII within CCN. Direct contractors can be administrators or non-privileged user of the CCN application, and require access to PII for the aforementioned reasons. Additionally, direct contractors may act in a security role to respond to and relay information about information security incidents whereby they must share this information with other direct contractors within HHS. The sharing of this information is for official investigation use only.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

CCN uses a Role Based Access Control to limit access to PHI/PII to individuals who need such access because it’s necessary to perform their role. These built in role and permission schemes have been tailored to fit the needs of CMS. During that process, the use of PII was determined to be appropriate for internal business uses only, and for verification of identity. It was determined that only Administrators and specific user communities require access to PII. Service Desk Users need access to PII for verification purposes to reset other Users' passwords. Contractors are a part of the Administrator, Service Desk, and user communities.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

All activity within CCN is subject to audit logging and monitoring. Any modification of ticket data, including any PII information, is traceable back to an individual that last made a change to the ticket, via a user name and timestamp associated with the activity. Access by administrators are subject to a logging and monitoring process which details any user selection or modification of data by means other than the use of CCN. All other system and application user accounts do not have approval, authorization, or the logical permissions necessary to alter or manipulate the information within the database.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

CMS Security Awareness and Privacy training is provided to each user on an annual basis. Users acknowledge successful training after passing a test at the end of training and the system verifies completion. Included in the training is education about how to properly handle sensitive data.

Describe training system users receive (above and beyond general security and privacy awareness training)

Not Applicable

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

Retention and destruction of this information falls under General Records Schedule (GRS) 3.2 Item 030, "System access records", Disposition Authority DAA-GRS-2013-0006-0003, Destroy when business use ceases; GRS 3.2.Item 010, "Systems and Data Security Records", Disposition Authority: DAA-GRS-2013-0006-0001, Destroy 1 year(s) after system is superseded by a new iteration or when no longer needed for agency/IT administrative purposes to ensure a continuity of security controls throughout the life of the system; GRS 3.2 Item 020, "Computer Security Incident Handling, Reporting and Follow-up Records", Disposition Authority DAA-GRS-2013-0006-002, Destroy 3 year(s) after all necessary follow-up actions have been completed, but longer retention is authorized if required for business use; and GRS 3.2 Item 031, DAA-GRS2013-0006-0004, "System Access Records" for "Systems requiring special accountability for access", Destroy 6 years after password is altered or user account is terminated, but longer retention is authorized if required for business use.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

To ensure the security and privacy of sensitive information in Federal computer systems, the Computer Security Act of 1987 requires agencies to identify sensitive computer systems, conduct computer security training, and develop computer security plans. CMS maintains a system of records for use in assigning, controlling, tracking, and reporting authorized access to and use of CMS computerized information and resources. CCN is subject to the CMS Security Assessment and Authorization (SA&A) process. Security documentation describing how the Acceptable Risk Safeguard (ARS) controls are implemented is stored within the CMS FISMA Control System (CFACTS). CMS includes the privacy artifacts required in the CMS expedited Life Cycle (XLC) and highlighted in the Privacy-Enhanced System Design and Development section of the Risk Management Handbook for Privacy. The CCN platform development methodology includes privacy requirements considerations throughout the design and implementation process. Prior to logging into CCN, a system use notification message banner is displayed. This notification provides privacy and security notices consistent with applicable federal laws, Executive Orders, directives, policies, regulations, standards, and guidance. Once a user is logged into CCN, the PII in CCN can only be accessed by authorized personnel using their individually assigned account credentials (role-based access). The CCN platform uses column level encryption, which leverages AES-128, AES-256, or Triple Data Encryption Algorithm (TDEA) algorithms to encrypt. CCN is physically secured and hosted in the Cloud in two FedRAMP accredited data centers. They are located in Culpepper, VA and Miami, FL. Both data centers are mirrors of each other, and therefore act as both an active and a standby facility. Physical controls, such as access control lists, CCTV monitoring, locked cages, and hardware redundancies are in place to protect the CCN infrastructure. The network architecture conforms to federal security requirements and logical access to this network is protected using firewalls and intrusion detection systems.