CMS FISMA Controls Tracking System-Cloud
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/7/2022
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-3000442-504626 |
Name: | CMS FISMA Controls Tracking System-Cloud |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Is this a new or existing system? | New |
Does the system have Security Authorization (SA)? | No |
Planned Date of Authorization | 3/8/2024 |
Describe the purpose of the system | The CMS FISMA Controls Tracking System (CFACTS)-Cloud application is a complete centralized system that is located within CMS Amazon Web Services (AWS). It tracks Centers for Medicare and Medicaid Services' (CMS') Federal Information System Management Act (FISMA) systems and their application security deficiencies, Plan of Action & Milestones (POA&Ms), and Corrective Action Plans (CAPs), and it automates the Certification & Accreditation (C&A) process through the System Development Life Cycle (SDLC). The reporting capabilities allow senior-level management to have a clear view of the security posture of all of the applications within CMS. Also, the CFACTS-Cloud application provides a manageable mechanism to provide the Department and Office of Management and Budget (OMB) with required quarterly security posture updates as well as annual assessments for all FISMA applications. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The CFACTS-Cloud application stores sensitive information pertaining to specific CMS FISMA systems. FISMA security and privacy controls, data diagrams, and security and privacy plans, documents, and agreements are stored and maintained for each system. Personally Identifiable Information (PII) in the traditional sense, Personal Health Information (PHI), or Federal Tax Information (FTI) is not collected, maintained, or stored within CFACTS-Cloud. Only privileged users have access to the CFACTS-Cloud application. Information collected on users is point of contact (POC) information including full name, desk and work cell phone numbers, email address, desk and office location. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CFACTS-Cloud application stores sensitive information pertaining to specific systems. System security and privacy controls, data diagrams, security and privacy plans, agreements and documents are only visible to personnel within CMS' Enterprise User Administration (EUA) user authorized roles. EUA is covered by its own separate Privacy Impact Assessment (PIA). This documentation and information tracks Centers for Medicare and Medicaid Services' (CMS') Federal Information System Management Act (FISMA) systems and their application security deficiencies, Plan of Action & Milestones (POA&Ms), and Corrective Action Plans (CAPs), and automates the Certification & Accreditation (C&A) process through the System Development Life Cycle (SDLC). This allows senior management to have a clear view of the security posture and also provides OMB with required quarterly and annual security posture updates. Information collected on users is point of contact (POC) information including full name, desk and work cell phone numbers, email address, desk and office location. It is used to provide CMS system stakeholder contact information and for user account creation. |
Does the system collect, maintain, use or share PII? | No |
Administrators Explanation: | N/A |
Developers Explanation: | N/A |