Continuously Available CMS Hosting Environment

OPDIV:

CMS

PIA Unique Identifier:

P-3162708-614316

Name:

Continuously Available CMS Hosting Environment

The subject of this PIA is which of the following?

General Support System

Identify the Enterprise Performance Lifecycle Phase of the system.

Operate

Is this a FISMA-Reportable system?

Yes

Does the system include a Website or online application available to and for the use of the general public?

No

Identify the operator:

Contractor

Is this a new or existing system?

Existing

Does the system have Security Authorization (SA)?

Yes

Date of Security Authorization

9/28/2023

Indicate the following reason(s) for updating this PIA. Choose from the following options.

PIA Validation (PIA Refresh/Annual Review)

Describe in further detail any changes to the system that have occurred since the last PIA.

Deployment: Deploy BigFix Inventory solution in all CMS datacenters. This fulfills a contractual requirement to report all IBM software usage to IBM.
Kent, WA Mainframe Deployment: Disaster Recovery as a Service (DRaaS) has deployed new z/OS mainframe software, connectivity to Peraton current data center (Tulsa, Ok) back to DRaaS-CACHE and new Resource Access Control Facility (RACF) roles and accounts. This work is in support of migration of additional CMS application workloads that will be migrating into the DRaaS-CACHE General Support System (GSS).  The Peraton supported Workload A has been migrated to DRaaS-CACHE.  
DRaaS Internal Certificate Authority: DRaaS-CACHE has implemented an internal certificate authority to replace self-signed certificates for internal system-to-system communication within DRaaS boundary as well as communication over CMSnet for the purpose of management functions.  Management functions would include Vcenter Cloud Directory (vCD), DRaaS Control System (DCS) and Infoblox.  
Expansion of DRaaS-CACHE ATO Boundary:  ATO boundary has been extended to include ThirdPacket Equinix equipment and services.   ThirdPacket services include secure internet service, enterprise wireless, virtual private network (VPN), Zscaler and Unified communications (to include video teleconference (VTC), Voice over Internet Protocol (VoIP), Box, Webex, Zoom) services to CMS.  There will be some new platforms introduced into the DRaaS environment to include Cisco Wireless Anchor, Cisco Wireless Controller, Communication Devices Inc (CDI) Out-of-Band, Firepower Threat Defense (FTD) Firewall, Zscaler Private Zscaler Enforcement Nodes (PZEN), Zscaler load balancer (LB) and Digital Network Architecture (Cisco DNA) Center.   New software introduced is Winzip and Wireshark.  All new platforms and software have been placed under existing DRaaS compliance processes to include configuration baseline and vulnerability management.
Change in Internet Service: DRaaS-CACHE has changed from its previous internet provider to the ThirdPacket internet solution out of the Equinix Data Centers in Ashburn, VA and Kent, WA.  Driver was a CMS requirement to move to CMS provided internet service. Change to accommodate this change included deployment of isolated Palo Alto firewalls and network connections to ThirdPacket internet service. Integrated connections into high-availability architecture.   
Implement VMware Cloud Director: DRaaS-CACHE has implemented VMware Cloud Director (VCD).  VCD allows tenants of DRaaS-CACHE to self-serve and provision x86 virtual machines as needed.
DRaaS Kent, WA location in Production: DRaaS-CACHE Kent, Washington Data Center location has gone into production. Kent, Washington has become the backup site to DRaaS-CACHE Ashburn, VA data center. Kent is a replication of Ashburn, and the Disaster Recovery site for CMS workloads (Fee-for-Service (FFS), Provider, etc.).

Describe the purpose of the system

Continuously Available CMS Hosting Environment (DRaaS-CACHE) is the physical data center space, infrastructure components and enterprise services available for CMS systems and applications hosted in the DRaaS-CACHE General Support System.  There are two geographically disperse locations of DRaaS-CACHE, Ashburn, VA and Kent, WA.  These two locations act as disaster recovery sites for the other. 

Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

Employee and contractor credentials to include first name, last name, work physical street address, work phone number, work email address, User ID, user's hashed password is collected. The PII (user first and last name, cell phone number and email address) is collected and maintained to grant user’s access to the system. This information is collected to associate the username and password to an individual. The username and password are created and distributed by the system administrator to the individual user.

This PII is retained only if the individual has authorized access to the DRaaS-CACHE environment and/or systems. Once a user's access is no longer authorized, it is removed from the environment.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

Continuously Available CMS Hosting Environment (DRaaS-CACHE) is the physical data center space, infrastructure components and enterprise services available for CMS systems and applications hosted in the DRaaS-CACHE General Support System.  There are two geographically disperse locations of DRaaS-CACHE, Ashburn, VA and Kent, WA.  These two locations act as disaster recovery sites for the other. 
DRaaS-CACHE does not directly collect, maintain, or disseminate information, but rather provides support infrastructure for other CMS applications to perform these functions. The three entities supporting DRaaS-CACHE (Companion Data Services (CDS), ThirdPacket and Information Technology Operations (ITOps)) maintain appropriate PIA's in CMS FISMA Controls Tracking System (CFACTS) that are leveraged from the DRaaS-CACHE environment.

The description of PII collected includes first name, last name, work physical street address, work phone number, work email address, User ID, user's hashed password.

This PII is obtained through Lightweight Directory Access Protocol (LDAP) which is linked with Enterprise User Administration (EUA). The attributes are obtained from the EUA system.

The PII collected is necessary to manage authorized user credentials for access to the DRaaS-CACHE environment and these credentials are not shared with any other systems.
The first name, last name, work physical street address, work phone number, work email address, are obtained from the EUA system to identify/link a person with each User ID created to access the DRaaS-CACHE environment.  This data is also used to contact each user in relation to their access to provide user ids and passwords. 

Does the system collect, maintain, use or share PII?

No

Administrators Explanation:

Administrators require access to PII to maintain the system.