
Comprehensive Acquisition Management System

Date signed: 3/3/2025

PIA Information for the Comprehensive Acquisition Management System
PIA Questions and PIA Answers

OPDIV:

CMS

PIA Unique Identifier:

P-4046976-656780

Name:

Comprehensive Acquisition Management System

The subject of this PIA is which of the following?

Major Application

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

5/27/2022

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Not Applicable

Describe the purpose of the system

The Comprehensive Acquisition Management System (CAMS) is an automated, web-based, full procurement life-cycle tracking and reporting system powered by PRISM (not an acronym) software. Comprehensive Acquisition Management System (CAMS) is used by the Centers for Medicare and Medicaid Services (CMS) components to process requisitions, contracts and invoices electronically.

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

The Comprehensive Acquisition Management System (CAMS) collects and stores contract and solicitation information as well as vendor information. This will consist of vendor name, address, phone number, Taxpayer Identification Number (TIN), Employer Identification Number (EIN), and Data Universal Numbering System (DUNS) numbers.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

With regard to individual users' PII, only their CMS User ID is stored within the system. The vendor information that is collected is pulled from the System for Award Management (SAM), a Department of Health and Human Services (HHS) system, and is stored within the Comprehensive Acquisition Management System (CAMS). The vendor information that is collected is the vendor name, address, phone number, Taxpayer Identification Number (TIN), and Data Universal Numbering System (DUNS). The contracts that are built in CAMS share the same TIN, EIN, and DUNS information with the Federal Procurement Data System - Next Generation (FPDS), which is a General Services Administration (GSA) owned system.

Does the system collect, maintain, use or share PII?

Yes

Indicate the type of PII that the system will collect or maintain.

  • Name

  • E-Mail Address
  • Other - User Credentials

Indicate the categories of individuals about whom PII is collected, maintained or shared.

  • Employees

  • Vendors/Suppliers/Contractors

How many individuals' PII in the system?

500-4,999

For what primary purpose is the PII used?

The Comprehensive Acquisition Management System (CAMS) uses PII to authenticate users to the application and for user security privileges. The only users are Federal staff and one direct contractor (Unison), who are authenticated to the system using Active Directory. To do this, Active Directory does collect Name and E-mail. This information is not shared and is only collected temporarily to authenticate users. The Name/E-mail authenticates a user, and that information then correlates an individual to a security group with different privileges. Use of PII is not disclosed in the system because PII is only used to authenticate users and assign them security privileges. Users cannot see other users' PII.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)

Not Applicable

Describe the function of the SSN.

Not Applicable

Cite the legal authority to use the SSN.

Not applicable, SSN is not used.

Identify legal authorities governing information use and disclosure specific to the system and program.

Title 5 USC 301, Departmental regulations.

Are records on the system retrieved by one or more PII data elements?

No

Identify the sources of PII in the system: Directly from an individual about whom the information pertains

Online

Identify the sources of PII in the system: Government Sources

 

Identify the sources of PII in the system: Non-Government Sources

 

Identify the OMB information collection approval number and expiration date

Not applicable

Is the PII shared with other organizations?

No

Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.

No process exists because PII is not collected directly from the individuals. Information is collected from SAM.gov, and individuals are notified during their SAM account creation process. 

CAMS user information consists of PII elements name, phone, and email which are collected during the account creation process. As part of the process, the requesting CAMS user must fill out a form containing these elements and submit it.

Is the submission of the PII by individuals voluntary or mandatory?

Voluntary

Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.

No option to opt-out exists because PII is not collected directly from the individuals. Information is collected from SAM.gov, and individuals are notified during their SAM account creation process.

CAMS user information consists of PII elements name, phone, and email which are collected during the account creation process. There is no option to opt-out as this information is required for a CAMS account to be created. 

Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.

The individual does not receive notification when changes occur in the system. PII is not collected directly from the individuals. Information is collected from SAM.gov, and individuals are notified of any changes to their PII within SAM.gov.

CAMS user information consists of PII elements name, phone, and email which are collected during the account creation process. All changes to a user’s CAMS account must be requested by the user and approved by a designated component official.

Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

PII is not collected directly from the individuals. Information is collected from SAM.gov, and an individual’s concerns regarding their PII will be addressed within SAM.gov.

CAMS user information consists of PII elements name, phone, and email which are collected during the account creation process. All concerns regarding a user’s CAMS account are triaged by the CAMS Service Desk and any required changes are approved by a designated component official.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.

PII is not collected directly from the individuals. Information is collected from SAM.gov. Any and all reviews of an individual’s PII will be addressed within SAM.gov.

CAMS user information consists of PII elements name, phone, and email which are collected during the account creation process. CAMS user accounts are reviewed at minimum on a bi-annual basis for integrity, availability, accuracy and relevancy. 

Identify who will have access to the PII in the system and the reason why they require access.

  • Users: Federal staff utilize PII which exists within the system to complete a variety of procurement tasks (i.e. award creation and award modification).

  • Administrators: Administrators can see the user's name to assign them to a specific security group.
  • Contractors: The direct contractor (Unison), as the system developer and maintainer, accesses PII which exists in the system to assist federal staff with their day-to-day procurement operations.

Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.

The direct contractor (Unison) and Federal staff assigned to the System Administrators security group can access each user's CMS User ID. All contractors designated as System Administrators are required to have this role to assist in maintaining the system and completing other job functions. New System Administrators must be approved by the business owner prior to being granted the System Administrators security group.

Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

Based on user group assignments, Federal staff are granted read, write and execute privileges to specific assigned data elements. Additionally, two-factor authentication and encryption provide technical controls. Account access is monitored and logged.

Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.

CAMS users are provided an annual CMS security awareness training prior to obtaining access to the system. This training advises the users of their security roles and responsibilities of utilizing the system.

Describe training system users receive (above and beyond general security and privacy awareness training)

Annually, users are required to take additional refresher security awareness training courses for CAMS.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?

Yes

Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.

SAM is the data source for Vendor PII. Therefore, the responsibility for retention and destruction would fall beneath the purview of GSA who are responsible for SAM.

CAMS user accounts are permanently deactivated after 90 days of inactivity. If the individual returns to using the application, the new account request process must be followed for reactivation. Account records are maintained indefinitely for historical audit capabilities and are stored in compliance with the National Archives and Records Administration General Records Schedules (GRS) DAA-0440-2015-0002-0002, which states: Destroy/delete when 7 years after cutoff.

Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

Administrative controls provide privileged access to the System Administration security group, which allows them access to the CMS User ID. New System Administrators must be approved by the business owner as per CMS policy.

Technical controls include PIV cards, Multifactor Authentication, FIPS 140-2 for data protection to include data at rest, data in use and data in transit.  

Physical controls include door locks, personnel badges and security guards at the data center where the system resides.