CMS Microsoft Azure Government Enclave
Date signed: 8/11/2025
| OPDIV: | CMS |
|---|---|
| PIA Unique Identifier: | P-3460782-811045 |
| Name: | CMS Microsoft Azure Government Enclave |
| The subject of this PIA is which of the following? | General Support System |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 9/28/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | No changes have occurred to the CMS MAG system since the last PIA was finalized. |
| Describe the purpose of the system | The purpose of the CMS Microsoft Azure Government Enclave (CMS MAG) General Support System (GSS) is to establish a multi-tenant Infrastructure as a Service (IaaS) model which will be used to facilitate CMS cloud-hosting services. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | CMS MAG GSS will collect, maintain/store PII (user first and last name, cellphone number and email address) to grant the users access to the Azure Portal component ONLY which will be operated and maintained by a small user group. For all other users, CMS MAG GSS will not collect, maintain (store), or share user credential PII directly. The CMS Enterprise User Administration (EUA) system will be used to manage enterprise User IDs and passwords. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CMS MAG GSS will provide the infrastructure to host CMS Major Applications. The CMS MAG GSS does not directly collect, maintain, or disseminate information, but rather provides cloud support infrastructure for other CMS Major Applications to perform these functions. This PIA only considers the CMS MAG GSS. Separate PIAs will need to be evaluated for each Major Application to be hosted by the CMS MAG GSS. The CMS MAG GSS will collect, maintain/store PII (user first and last name, cellphone number and email address) to grant the users access to the Azure Portal component ONLY. CMS MAG GSS Applications/Services List:
|
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 100-499 |
| For what primary purpose is the PII used? | The CMS MAG GSS will not collect, maintain (store), or share user credential PII directly; the CMS Enterprise User Administration (EUA) system is a separate accredited system used by CMS to manage enterprise User IDs and passwords. The CMS MAG will use employee and contractor PII credentials granted via the CMS EUA system to grant users access to the system. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There are no secondary uses for which the PII will be used. |
| Describe the function of the SSN. | Not Applicable, SSN is not collected. |
| Cite the legal authority to use the SSN. | Not applicable, SSN is not collected. |
| Identify legal authorities governing information use and disclosure specific to the system and program. |
|
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | Not Applicable. |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Individuals are notified that their personal information will be collected as part of the general onboarding/employment process within CMS and as a direct contractor with access to CMS systems; no other prior notice is given to notify individuals that their personal information will be collected as the system does not directly collect any personal information. Individuals requesting access to the CMS MAG must sign and submit an account access request form consisting of name, email, phone number and access level needed. This form will be reviewed and approved by the user's manager and/or System Information Security Officer (ISSO) and CMS Access Administrator (CAA) prior to account creation. The account creation and management are then provided to the CMS Enterprise User Administration (EUA) system. The CMS EUA is a system used by CMS to manage enterprise User IDs and passwords. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The CMS MAG GSS will collect, maintain/store PII (user first and last name, cellphone number and email address) to grant a small user group of infrastructure operations and maintenance personnel access to the Azure Portal component ONLY with no ability to opt-out. For all other users, the CMS Enterprise User Administration (EUA) system will be used to manage user credential PII. User login to the CMS MAG GSS environment is a voluntary, task-driven and EUA Job Code action; therefore, there is no ability to opt-out of the indirect collection or use of their PII within the CMS MAG GSS environment. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Notifying individuals whose PII is in the system when major changes occur to the EUA system would be executed via CMS broadcast messaging as required, and only if those changes affect CMS MAG users. Typically, user credentials are managed by the CMS EUA system and EUA system administrators would initiate user notification when major changes occurring with EUA impact user credential PII data. Additionally, individuals requesting access to the CMS MAG must sign an account request form prior to account creation thereby submitting consent from individuals whose PII is in the EUA system. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The PII data is obtained from another CMS system; therefore, there is no process in place by MAG to address an individual's concerns. However, complaints regarding the use of a system user's PII can be sent to any MAG system administrator. These complaints will be given a corresponding ticket to ensure that the system administrators practice due diligence to review the issue, question or concerns of the individual. Data collection practices, privacy and security safeguards are of the utmost importance to the MAG system management and any concerns raised will be reviewed. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The CMS MAG maintains the integrity and availability of data by employing security technologies such as firewalls, encryption and system access logs. System users and administrators maintain data accuracy and relevancy by correcting/updating their own credential PII within the CMS EUA system. EUA is responsible for user account PII data which is monitored for activity and audited for usage. Accounts can be disabled for non-activity or terminated, depending on the usage auditing, which is done quarterly. System business owners, account managers and administrators are responsible for reviewing user accounts on a quarterly basis. Any anomalies are addressed and resolved by contacting the user, and modifying their user data, or by removing their access if no longer required. Under this process, outdated, unnecessary, irrelevant, and inaccurate user credential PII is identified and deleted. Only system administrators can create or modify PII. Activities of all users including system administrators are logged and reviewed by the System Information System Security Officer (ISSO) to identify abnormal activities if any. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Individuals requesting access to CMS MAG must first complete and submit an account request form to obtain a CMS EUA ID. The account request form must also be filled in indicating minimal access required to perform one’s tasks. Prior to granting access, review and approval is required by the Contracting Officer's Representative (COR) and/or CMS Access Administrator (CAA). Authorizations (i.e., permissions) to access PII are assigned as needed based on each user's role. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | CMS MAG uses the principle of least privilege as well as role-based access control to ensure system administrators and users are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. System Administrators review user accounts at least annually. Any anomalies are addressed and resolved by contacting the user, and modifying their user data, or by removing their access if no longer required. Activities of all users including system administrators are logged and reviewed by MAG ISSO to identify abnormal activities if any. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS users (CMS personnel, system owners, managers, operators, contractors and/or program managers) with access to CMS information systems must complete the mandatory CMS Information Security and Privacy Awareness Training annually. The training is acknowledged by taking an exam at the end of the course and obtaining a certificate of completion. This training includes details on the required handling of PII and the responsibilities for protecting the information being collected and maintained. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Above and beyond general security and privacy awareness training required to gain system access and renewed annually, CMS personnel, system owners, managers, operators, contractors and/or program managers with privileged access to CMS information systems are required to complete role-based training annually and meet continuing education requirements commensurate with their role and responsibilities. Other training avenues such as conferences, seminars and classroom training provided by CMS/HHS are available apart from the regular annual training. In addition to the CMS-provided training, SecOps personnel must complete company-required user training including but not limited to User Conduct/Rules of Behavior training. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The only PII maintained by CMS MAG is employee and contractor credentials. Retention and destruction of this information falls under General Records Schedule (GRS) 3.2 Item 030, "System access records", Disposition Authority DAA-GRS-2013-0006-0003, Destroy when business use ceases; GRS 3.2 Item 010, "Systems and Data Security Records", Disposition Authority: DAA-GRS-2013-0006-0001, Destroy 1 year(s) after system is superseded by a new iteration or when no longer needed for agency/IT administrative purposes to ensure a continuity of security controls throughout the life of the system; GRS 3.2 Item 020, "Computer Security Incident Handling, Reporting and Follow-up Records", Disposition Authority DAA-GRS-2013-0006-002, Destroy 3 year(s) after all necessary follow-up actions have been completed, but longer retention is authorized if required for business use; and GRS 3.2 Item 031, DAA-GRS2013-0006-0004, "System Access Records" for "Systems requiring special accountability for access", Destroy 6 years after password is altered or user account is terminated, but longer retention is authorized if required for business use. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Administrative Controls: SecOps employs administrative controls to secure user credential PII with written policies, procedures and guidelines. The CMS MAG is located at a secure facility. Physical Controls: Physical controls are in place such as security guards and video monitoring to ensure access to the facility is granted to only authorized individuals. Identification of personnel is checked at the facility and prior approval must be obtained. Technical Controls: System administrators are vetted prior to hiring and required to receive annual Security and Privacy awareness training in addition to role-based access and permissions, and periodic review of users and deletion of non-active accounts. The principle of least privilege ensures that system administrators are granted access on a "need-to-know" and "need-to-access" basis commensurate with their assigned duties. The information is protected using Access Control Lists (ACLs) defined for allowing only administrator access to the user credential PII. This access is further protected by the system controls which enforce two-factor authentication (i.e. Personal Identification Verification (PIV) cards) required to access the system. Furthermore, the technical controls for the CMS MAG include but are not limited to firewalls, system information and event management software (SIEM), intrusion detection/prevention systems (IDS/IPS), antivirus management systems, vulnerability management systems, control compliance systems, and access log management. The information is maintained in an encrypted manner. Access is provided based on an approved request by the Information System Security Officer (ISSO). Lastly, audit logs are reviewed for suspicious activity by the ISSO on a regular basis. |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services