Companion Data Services LLC Virtual Data Center General Support System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 2/6/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-2064943-639117 |
Name: | Companion Data Services LLC Virtual Data Center General Support System |
The subject of this PIA is which of the following? | General Support System |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 10/5/2023 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
Describe in further detail any changes to the system that have occurred since the last PIA. | None. |
Describe the purpose of the system | The Companion Data Services (CDS) Virtual Data Center (VDC) General Support System (GSS) provides infrastructure hosting services for CMS Major Applications (MA) that provide communications and other services for CMS. The CDS VDC is comprised of computer operating systems. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The CDS VDC collects and maintains the system support user credentials, which are the name, user ID and password. The system support staff consists of CMS employees and direct contractors. The CDS VDC does not directly collect, maintain, or share any other information but provides the infrastructure hosting environment for several CMS MAs. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The CDS VDC is an information technology infrastructure system that supports several CMS MAs. The system is comprised of computer operating systems. The MAs are communications and websites that CMS uses to communicate or provide services externally or internally. These MAs collect, maintain, and share a broad scope of information, which may include Personally Identifiable Information (PII). As such, each of these MAs is responsible for maintaining the security of the information within its boundaries. Each CMS MA maintains its own PIA to address the security of the information. The following CMS MAs are supported by the CDS VDC: CMS has issued a document entitled CMS Acceptable Risk Safeguards (ARS) which contains requirements that are referred to as controls taken from National Institute of Science and Technology (NIST) 800-53. Controls describe the implementation details needed to meet the requirements to secure a security boundary. The ARS contains what is known as control families. The Audit and Accountability control family contains the AU-02 control that outlines the auditable events a system must produce and capture in the system logs. Auditable events include, for example, user logons and logoffs, administrator user activities, account creation and modification, and configuration changes. When configuring a system, CDS VDC ensures the required auditable events outlined in ARS control AU-02 are captured in the system logs, which includes the recording of user account logins and associated activity performed by the user. The CDS VDC system support staff, CMS employees and direct contractors, must log into the system with user credentials to operate the functionality of the system. The user credentials consist of name, user ID and password. The credentials are stored for as long as necessary for the individual to access the system. If access is no longer required, the user credentials are disabled or deleted. User IDs are recorded at the time of logon, and all associated activity performed by the user is captured in the system logs as an auditable event. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Employees |
How many individuals' PII in the system? | 500-4,999 |
For what primary purpose is the PII used? | The primary purpose of the Personally Identifiable Information (PII) retained within the system is for providing system access to authorized users via their user credentials. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
Describe the function of the SSN. | N/A |
Cite the legal authority to use the SSN. | N/A |
Identify legal authorities governing information use and disclosure specific to the system and program. | 5 U.S.C 301, Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | As part of the CMS employment onboarding process for access to CMS systems, individuals are notified that their personal information is being collected. As such, there is not a mechanism in the CDS VDC system itself to directly notify system users. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | To access the CDS VDC, collection of PII, user credentials, is necessary to perform their job function. Therefore, there is not a method for an individual to opt-out. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | If a major system change were implemented in the CDS VDC that affected the disclosure or use of the users' credentials (PII), the system users would be notified by email or other CMS or CDS communications channels. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If a user believes their PII has been inappropriately obtained, used, or disclosed, the user must contact the CDS Help Desk who will assign an incident ticket to the CDS Computer Security Incident Response Team, who will investigate and determine any additional steps. The individual may also contact the CMS IT Service Desk by email or telephone. Details of the incident are logged and investigated to determine if further action is required to resolve the concern. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | The CDS VDC maintains data integrity and availability by employing security technologies including firewalls, encryption and system access logs, and by external audits of security processes. The system users and administrators maintain data accuracy and relevancy by correcting/updating their own PII data within their own account. A user account is not validated but is monitored for activity and audited for usage. Accounts can be disabled for non-activity or terminated: accounts that have not been used at least once every 30 days are disabled, and accounts that have not been used at least once every 60 days are deleted. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | The CDS VDC uses role-based access permissions to determine which system users have access to PII. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | The methods in place to allow only minimum access to PII are approval and monitoring of system access requests and role-based access controls, so that users are restricted to only the resources needed to perform their job functions. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | CMS employees and direct contractors are required to take annual training regarding the security and privacy requirements for protecting PII. In addition, role-based training is provided to individuals with significant access or security responsibilities. This annual role-based training is required by the CMS Chief Information Officer Directive 12-03. All training is modeled on and is consistent with training offered by the Department of Health and Human Services and CMS. |
Describe training system users receive (above and beyond general security and privacy awareness training) | None. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The CDS VDC follows the CMS records schedules, per the National Archive and Records Administration (NARA) General Records Schedule (GRS), specifically: GRS 3.2 Item 001 "FOIA, Privacy Act, and classified documents administrative records" Authority: DAA-GRS2019-00010001. Destroy when 3 years old, but longer retention is authorized if needed for business use. GRS 3.2 Item 160 "Records analyzing Personally Identifiable Information (PII)" Authority: DAA-GRS2016-00030003. Destroy 3 years after associated PIA is published or determination that PIA is unnecessary, but longer retention is authorized if required for business use. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The administrative controls in place to secure the PII include role-based access and permissions, periodic review of users’ access and deletion of non-active accounts. The technical controls in place include firewalls that prevent unauthorized access, encrypted access at log on, security scans, penetration testing, and intrusion detection and prevention systems (IDS/IPS). The physical controls in place include use of security cards and pass codes, video monitoring, security guards and a separately located backup system. In addition to use of an authorized security card and pass code, access also requires biometrics validation. |
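The periodic-review row above states the inactivity rule for support accounts: disabled after 30 days without use, deleted after 60. The following is an added illustration of that rule as a review job over last-logon dates, not code from CDS or CMS; the account data is constructed, and it assumes that "not used at least once every N days" means N or more days have elapsed since the last recorded logon.

```python
from datetime import date, timedelta

# Inactivity thresholds stated in the PIA (days).
DISABLE_AFTER_DAYS = 30
DELETE_AFTER_DAYS = 60


def classify_account(last_logon: date, today: date) -> str:
    """Map an account's last recorded logon to the PIA's lifecycle action.

    Assumption: an account is "not used at least once every N days" once
    N or more days have elapsed since its last logon, so the thresholds
    are inclusive on the boundary day.
    """
    idle_days = (today - last_logon).days
    if idle_days >= DELETE_AFTER_DAYS:
        return "delete"
    if idle_days >= DISABLE_AFTER_DAYS:
        return "disable"
    return "active"


def review_accounts(last_logons: dict, today: date) -> dict:
    """Run the periodic review over all accounts.

    last_logons maps user ID -> date of the most recent logon (the AU-02
    logon events are the expected source). Returns user IDs grouped by
    the action the review should take, sorted for stable reporting.
    """
    report = {"active": [], "disable": [], "delete": []}
    for user_id, last_logon in sorted(last_logons.items()):
        report[classify_account(last_logon, today)].append(user_id)
    return report


# Constructed sample data (not from the PIA): last logon date per user ID.
TODAY = date(2024, 2, 6)
SAMPLE_LAST_LOGONS = {
    "u1001": TODAY - timedelta(days=3),
    "u1002": TODAY - timedelta(days=30),   # boundary: disabled today
    "u1003": TODAY - timedelta(days=45),
    "u1004": TODAY - timedelta(days=60),   # boundary: deleted today
    "u1005": TODAY - timedelta(days=120),
}

if __name__ == "__main__":
    for action, users in review_accounts(SAMPLE_LAST_LOGONS, TODAY).items():
        print(f"{action}: {', '.join(users) or '-'}")
```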