CMS FISMA Controls Tracking System

Date signed: 2/8/2022

PIA Information for the CMS FISMA Controls Tracking System
PIA Questions | PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-7381208-746169

Name:

CMS FISMA Controls Tracking System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Agency

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

7/26/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Last PIA was approved by CMS (2019), but remained in Review status from HHS. Resubmission is needed to publish as approved for Final.

Describe the purpose of the system

The CMS FISMA Controls Tracking System (CFACTS) application is a complete centralized system that is located within the Baltimore Enterprise Data Center that tracks Centers for Medicare and Medicaid Services' (CMS') Federal Information System Management Act (FISMA) systems and their application security deficiencies, Plan of Action & Milestones (POA&Ms), Corrective Action Plans (CAPs), and automates the Certification & Accreditation (C&A) process through the System Development Life Cycle (SDLC). The reporting capabilities allow senior level management to have a clear view of the security posture of all of the applications within CMS. Also, the CFACTS application provides a manageable mechanism to provide the Department and Office of Management and Budget (OMB) with required quarterly security posture updates as well as annual assessments for all FISMA applications.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The CFACTS application stores sensitive information pertaining to specific CMS FISMA systems. FISMA security and privacy controls, data diagrams, and security and privacy plans, documents, and agreements are stored and maintained for each system. Personally Identifiable Information (PII) in the traditional sense, Personal Health Information (PHI), or Federal Tax Information (FTI) is not collected, maintained, or stored within CFACTS. Only privileged users have access to the CFACTS application. Information collected on users is point of contact (POC) information including full name, desk and work cell phone numbers, email address, desk and office location.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

The CFACTS application stores sensitive information pertaining to specific systems. System security and privacy controls, data diagrams, security and privacy plans, agreements and documents are only visible to personnel within CMS' Enterprise User Administration (EUA) user authorized roles. EUA is covered by its own separate Privacy Impact Assessment (PIA). This documentation and information tracks Centers for Medicare and Medicaid Services' (CMS') Federal Information System Management Act (FISMA) systems and their application security deficiencies, Plan of Action & Milestones (POA&Ms), Corrective Action Plans (CAPs), and automates the Certification & Accreditation (C&A) process through the System Development Life Cycle (SDLC). This allows senior management to have a clear view of the security posture and also provides OMB with required quarterly and annual security posture updates.

Information collected on users is point of contact (POC) information including full name, desk and work cell phone numbers, email address, desk and office location. It is used in order to provide CMS system stakeholder contact information as well as user account creation.

Does the system collect, maintain, use or share PII?

No

Administrators Explanation:

The System Administrator (CFACTS) is assigned the responsibility (privilege) for adding, updating, browsing and/or deleting users.

Developers Explanation:

The Developer (System Maintainer) has access to PII in order to assist users in data uploads and for researching anomalies/issues as identified.