Electronic Security System
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 11/6/2024
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-7451413-074662 |
Name: | Electronic Security System |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Identify the operator: | Agency |
Is this a new or existing system? | Existing |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 1/8/2025 |
Indicate the following reason(s) for updating this PIA. Choose from the following options. | |
Describe in further detail any changes to the system that have occurred since the last PIA. | Since the last PIA, no changes affecting the PIA have been made. |
Describe the purpose of the system | The Electronic Security System (ESS) supports CMS physical security through information systems that govern video monitoring, electronic access to secure areas, visitor management, foreign travel reporting, occupant emergency organization, incident reporting, risk assessment, fleet vehicle management, headquarters building parking, and compliance with the requirements of Homeland Security Presidential Directive 12 (HSPD-12). |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | Data collected includes full name, address, phone number, e-mail address, country, Personal Identity Verification (PIV) card data such as the Federal Agency Smart Credential Number (FASC-N) and certificate data, facial photograph, video, and vehicle information. Additionally, disability information is voluntarily collected from Federal employees and direct contractors who require assistance evacuating CMS facilities in the event of an emergency. Foreign national status, organization, position, disability status, FASC-N, and PIV card number may also be collected and maintained. Information collected from users/system administrators in order to access the system consists of user credentials (username, password, and Personal Identity Verification (PIV) card data). Users/system administrators include CMS employees and direct contractors. |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Electronic Security System (ESS) is a General Support System (GSS) with Major Applications. It comprises four main subsystems: the General Support System (GSS), Physical Access Control (PACS), Closed-Circuit Television System (CCTV), and Physical Access Management (PAM). The ESS is not a publicly available system. All users are either CMS employees, CMS contractors, or CMS visitors. Additionally, foreign national status, organization, position, disability status, FASC-N, and PIV card number may be collected and maintained. These subsystems combine to support the Personal Identity Verification (PIV) process, control physical access to CMS facilities, visitor management, parking, physical security facility risk assessment, the occupant emergency organization, alarm monitoring, physical intrusion detection, video monitoring, and post-incident response. The data used in each subsystem is described below. PACS - full name, PIV Card FASC-N and certificate data, and facial image. This information is used for physical access to CMS facilities and limited access spaces within CMS facilities. CCTV - This subsystem collects and stores video surveillance of CMS facilities and entrances to limited access spaces within CMS facilities. PAM - PAM consists of multiple modules, each of which collects and uses data for the following specific purposes: Parking - full name, group, position title, email address, building, desk location, phone, lot, work schedule, and vehicle information. All fields are optional unless the individual is requesting a medical, carpool, or executive parking permit, in which case all fields are required. Medical parking requests additionally collect affiliation, State Disability Soundex number, and an image of the MVA disability parking certification card and its expiration date, all of which are required. Carpools additionally require the collection of the home address of each carpool member. Occupant Emergency Organization (OEO) - full name, phone number, email address, region, OEO position, assembly area, zone, building, location, and office. All are optional fields. Individuals may also self-identify as an Employee with Disabilities (EWD) to receive an EWD monitor for assistance in emergencies. This is optional. PACS Central - full name, facial image, email address, access level information, PIV Card FASC-N, and PIV Card certificate data. This information is used for electronically requesting, approving, and reviewing access to CMS facilities and limited access spaces. Welcome Center - visitor full name, visitor foreign national status, visitor organization, type of identification presented for access, date of visit, purpose of visit, building, escort, visitor badge number issued, and date and time the visit ended. This information is used to track visitors at CMS facilities. Security Assessment - This is a private module used by the Division of Physical Security and Strategic Information (DPSSI) for evaluating risk compliance at CMS facilities. Information collected is facility-related only and does not contain any information about individuals. Information includes facility security level, threat levels, comments, and uploads of supporting documentation. CMS Incident Management (CIMS) - originator, originator phone, originator email address, duty station, method of reporting, event date and time, event type, and event location(s). Optional data includes property involved, first and last name of involved CMS employees or direct contractors, vehicle information, and event summary/comments. Fleet Management - CMS government vehicle information, CMS employee Fleet Training Certificate, dates and times the government vehicle is needed, destination, number of passengers, and purpose of trip. Foreign Travel - country traveling to, dates of travel, whether government furnished equipment (GFE) will be taken, and the CMS employee's SEAD 3 status. The ESS regularly uses PII to retrieve system records, including the last name, employee ID number, contact information such as phone or email, and vehicle information of CMS employees, contractors, and members of the public authorized to access the main campus and satellite offices. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Other - Image of MVA Disability Certification for Medical Parking and HHS User Credentials; foreign national status; organization; position; disability status; FASC-N; PIV card number; username; and password. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | |
How many individuals' PII in the system? | 10,000-49,999 |
For what primary purpose is the PII used? | The PII is used in the following ways: - for the issuance of medical and carpool parking permits, - for contacting vehicle owners in the event of an emergency, - to support the assistance of self-identified employees with disabilities with evacuation from CMS facilities, - for the management of reporting foreign travel of SEAD3 CMS employees, - for the management and use of CMS government vehicles, - to control system access of system and subsystem users. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | There are no secondary uses for the PII |
Describe the function of the SSN. | The ESS neither collects nor stores the SSN. |
Cite the legal authority to use the SSN. | N/A |
Identify legal authorities governing information use and disclosure specific to the system and program. | Homeland Security Presidential Directive-12 (HSPD-12); 5 USC 301, Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | Yes |
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | 09-70-0515, Record of Individuals Allowed Regular and Special Parking Privileges at the CMS Building; 09-70-0529, Employee Building Pass Files |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | |
Identify the sources of PII in the system: Government Sources | |
Identify the sources of PII in the system: Non-Government Sources | |
Identify the OMB information collection approval number and expiration date | Not applicable |
Is the PII shared with other organizations? | Yes |
Identify with whom the PII is shared or disclosed and for what purpose. | Other Federal Agency/Agencies: The ESS sends the minimum data required to access a physical access control system (PACS) to federal offices where CMS does not control the PACS that grants access to CMS employees and direct contractors. This is a one-time file of data containing the employee's name and PIV Card data, sent whenever a PACS is installed or replaced by the agency controlling physical access to a CMS space (e.g., the Social Security Administration controls physical access to the CMS Dallas Regional Office; a listing of CMS Dallas employees was sent to populate that PACS). |
Describe any agreements in place that authorizes the information sharing or disclosure (e.g. Computer Matching Agreement, Memorandum of Understanding (MOU), or Information Sharing Agreement (ISA)). | There is an Information Sharing Agreement (ISA) with HHS regarding the SCMS to ESS web services connection. |
Describe the procedures for accounting for disclosures | For individual requests of data, the ESS maintains the following information on the ESS Documentation SharePoint Repository in the Data Disclosure Log: Date, nature, and purpose of each disclosed record; and the Name and address of the person or agency to which the disclosure was made. |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The ESS collects most PII from the HHS Smart Card Management System (SCMS). For this information (name, photographic identifiers, PIV Card certificates, PIV Card FASC-N, PIV Card number, and email), the SCMS provides notice to individuals. PII collected directly from an individual is entered electronically by the user in the Physical Access Management (PAM) system. These fields are phone numbers, visitor names, mailing address, vehicle identifiers, foreign national status, organization, position, disability status, and HHS user credentials. Individuals entering data directly into the PAM web form are notified at the time of collection. In exception cases, when the PAM system cannot be used, an electronic PDF form (CMS 745-A) may be used to collect physical access request information. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | While a response to the questions on ESS Forms is not required by law, individuals who do not provide this information for certain modules could see their privileges for physical access denied or delayed in processing. Individuals are informed of this on ESS Forms. There is no formal method to opt-out on the minimum set of data required to process ESS forms. System users cannot 'opt-out' of providing login credentials (user ID and Password). The login credentials are needed to grant access to ESS. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The ESS can send email notification to individuals whose data is stored in an ESS system should a disclosure occur or a data use change. System users will be notified via email if any major changes occur to the use and disclosure of their PII. There is no process to obtain consent, as the information is necessary for individuals to perform their jobs. |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Individuals may email ESS Administrators at PhysicalAccessManagement@cms.hhs.gov if they believe their PII has been inappropriately obtained, used, or disclosed, or is inaccurate. ESS Administrators will work on a case-by-case basis to determine whether the PII has been inappropriately obtained, used, or disclosed, or is inaccurate, and will escalate the issue to the appropriate CMS organizations and personnel. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Individual users are requested to review some of their ESS information on an annual basis. For physical access, records are reviewed on a quarterly basis by a designated official known as a Room Owner or their assigned Access Authorities. The ESS also receives real-time event notification whenever a user's PIV record changes (e.g., name change, re-issued, renewed, revoked) and takes action according to the type of event. For authentication data, system logs are reviewed daily for suspicious activity, and users are required to change passwords every 60 days. ESS backup servers are in place to ensure information remains available even if a main server fails. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to PII is based on the role that each system user must perform within the system. Each module supports these roles, and each role is customized based on its module to limit which PII data element(s) are accessible to that role. Users must complete a request form for access to all ESS system roles which is then reviewed and approved by the appropriate system administrator. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Users are assigned roles within the system and each role is associated with the minimum set of privileges required to carry out the tasks for that role. The system also audits and requires digital signatures for specific operations within the system. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Each employee and contractor with access to CMS systems is required to take general CMS security and privacy awareness training annually. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Training on user roles is performed whenever a new user is granted access to the ESS. Training is also provided to users whenever a system change warrants it. This need is assessed during the change management process, and the training is performed before the system change takes effect. Additionally, Contingency Plan exercises and Incident Response training are performed annually. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Data is retained in accordance with NARA and CMS guidelines as follows: Profile data: delete an individual's profile 1 year after the individual separates from the agency (N1-64-08-6, item 1; Disposition Authority DAA-GRS-2013-0006-0003). Badging and access control activity data: cut off semiannually; delete 6 months after cutoff (N1-64-08-6, item 2; Disposition Authority DAA-GRS-2013-0006-0001). System documentation: destroy when revised or superseded (N1-64-08-6, item 3; Disposition Authority DAA-GRS-2013-0006-0001). Disaster recovery backup files: delete when 60 days old (N1-64-08-6, item 4; Disposition Authority DAA-GRS-2013-0006-0006). User identification, profiles, authorizations, and password files, EXCLUDING records relating to electronic signatures: destroy/delete inactive file 6 years after the user account is terminated or the password is altered, or when no longer needed for investigative or security purposes, whichever is later (N1-GRS-03-1, item 6a; Disposition Authority DAA-GRS-2013-0006-0003). The Electronic Security System retains audit trail files for a minimum of one year. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The ESS system is housed in a limited access area of CMS. Only a limited number of people are authorized to enter this space, and the list of authorized people is reviewed quarterly. Any visitors escorted into the space are required to sign the visitor's log, which is also reviewed quarterly. The ESS PAM subsystem stores PII data on self-encrypting disks, so data at rest is encrypted. Additionally, data in transit between the application server, the PACS subsystem, and the database server is encrypted via SSL. There is a physical firewall between the ESS PAM application and database servers. |