Enterprise Website Supporting Tool
Date signed: 5/22/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-6815566-324416 |
| Name: | Enterprise Website Supporting Tool |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 8/8/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | No changes within the PIA. |
| Describe the purpose of the system | The purpose of the Enterprise Website Support Tools (EWST) is to offer shared services to the Centers for Medicare and Medicaid (CMS) applications. EWST includes GitHub Enterprise Server; Jira Data Center; Confluence Data Center; Slack, MiniOrange and SonarQube. The EWST application is hosted in the CMS private cloud located in the Amazon Web Services (AWS) data center in the AWS East region (North Virginia). EWST depends upon AWS Infrastructure as a Service (IaaS) for its physical infrastructure and cloud components. On top of this, the CMS Office of Communication (OC) AWS Cloud Team provides AWS platform level management including providing security controls at the operating systems and Virtual Private Cloud (VPC) level. EWST offers shared services that are available over the public internet, but only from white listed IP addresses. Akamai acts as the webhost proxy system, providing a Domain Name System (DNS) and a web application firewall. EWST, inside of Amazon Web Services (AWS), connects to the Akamai proxy through the public internet, but both sides white list each other and require public key infrastructure (PKI) certificates signed by VeriSign and validating the certificates with the Symantec Certificate Authority (CA). |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | EWST collects login credentials passed through Enterprise User Administration (EUA), for both Centers for Medicaid and Medicare (CMS) employees and contractor support which consists of login user ID and password. Akamai and Amazon Web Services (AWS) also collect within EWST (Jira) user ID, full name, email address, and mobile phone number for users, along with name and user ID of CMS approvers. This information is required to create user accounts within the Akamai Control Center (ACC) and to create within AWS administrative accounts for testing. AWS also collects the full name, phone number and email address of each key point of contacts for operational reasons. Akamai, AWS and EUA have their own PIA that can be referenced for further information. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | EWST subsystems pass login credentials from their applications to Enterprise User Administration (EUA) for identification and authentication. Akamai and Amazon Web Services (AWS) also collect within EWST (Jira) user ID, full name, email address, and mobile phone number for users, along with name and user ID of CMS approvers. This information is required to create user accounts within the Akamai Luna administration panel, and to create AWS administrative accounts for testing. Public Website Shared Services (PWSS) collects within EWST (Jira), the user’s full name, email address, organization name, and Short Message Service (SMS) phone number to issue GEO Application Programming Interface (API) encryption keys. AWS also collects the full name, phone number and email address of each Key Point of Contact for operational reasons. Physical Security System personnel who access or use the system do not use any personal identifiers to retrieve records held in the system. This system does not retrieve records using Personal identifiable information (PII) on individuals, but instead obtains those credentials from Enterprise User Administration (EUA) and maintains them. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 10,000-49,999 |
| For what primary purpose is the PII used? | Personally identifiable information (PII) is required for user identification and authentication, for Geographic (GEO) API key administration, for Key Point of contact (POC) contact lists, for user registration to Luna and Amazon Web Services (AWS), and for other operational reasons. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None |
| Describe the function of the SSN. | Social Security Numbers are not requested or stored by Enterprise Website Supporting Tool (EWST). |
| Cite the legal authority to use the SSN. | Social Security Numbers are not requested or stored by Enterprise Website Supporting Tool (EWST). |
| Identify legal authorities governing information use and disclosure specific to the system and program. | 5 U.S.C. 301 Department Regulations |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources | Private Sector |
| Identify the OMB information collection approval number and expiration date | N/A. |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | All Tools are fronted by MiniOrange Identity Provider (IDP) and the IDP login page featuring a warning notice and the PII is collected by other CMS applications, which have other notifications in place such as AWS, Akamai and PWSS.
|
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There is no option for users to opt-out of PII information collection since it is necessary for users to register to access GEO API, Luna and Akamai. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The collection of PII (user credentials) is not done by EWST. EWST receives the PII via another CMS application, Enterprise User Administration (EUA). EWST also collects the user registration information for other systems which also have PIA in place and are responsible for the PII they collect: Amazon Web Services (AWS), Akamai and Public Website Shared Services (PWSS). |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | The login credentials, name, phone number and email address within this system are not collected by EWST. All EWST users are CMS organizational users. The PII is collected from the individual by another CMS system which is Enterprise User Administration (EUA). The EUA PIA describes the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. Individual's concerns involving their PII (user credentials), are addressed by the EUA team (a function of the maintenance contractor, Lockheed Martin) and this process is inherited by the EWST system. The PII is also collected from individuals for other systems that have PIAs in place that describe this process: Akamai, AWS, and PWSS. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | To maintain the integrity, availability, accuracy, and relevancy of the PII stored within the databases, regular synchronization between EUA, Lightweight Directory Access Protocol (LDAP) and EWST systems occurs daily. Under this process, outdated, unnecessary, irrelevant, and inaccurate PII is identified and deleted from EWST. The PII is available as needed and is sufficient (minimum required) for the purposes needed. The PII fields are locked and cannot be changed; The process to ensure that individuals who provide or modify PII cannot be repudiated since that action is done within the source EUA system. Users can request that their PII (access) be deleted, by contacting their CMS Access Administrator (CAA), who in turn would take the corresponding action via EUA. Data integrity is checked by the user when providing the information for user registration or by the system administrator when issuing accounts in Akamai Luna and AWS or when API keys are issued and distributed for PWSS. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Access to EWST is provided through EUA. Based on the user's role, prospective users must request a CMS ID which must be approved by the employees’ manager. After the CMS ID is received, the individual requests access through the EUA system. Access requests for User or Administrator roles for various tools are directed to the manager for approval. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | EWST uses the principle of least privilege as well as a role-based access control scheme to ensure administrators and users are granted access on a need-to-know basis (minimum necessary), commensurate with their assigned duties. CMS oversight and approval are required for a user to obtain an account in EWST. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Both employee and contractor staff are required to complete the annual CMS Security and Privacy Awareness training provided annually as a Computer Based Training (CBT) course. Individuals with privileged access must also complete role-based security training commensurate with the position they are working. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Direct contractors also complete their own annual corporate security training. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The retention and destruction of EWST data is governed by the CMS Records Schedule. This schedule is aligned with the National Archives and Records Administration (NARA) guidelines for data retention and destruction. The following CMS Records Schedule Items apply: CMS Records Schedule / Records and Information Management Policy Enrollment Records Beneficiary Records Provider and Health Plan Records Analytic and Research Files (restricted) Disposition Authority Number DAA-0440-2015-0009-0002 Research and Program Analysis: Supporting Records In addition, the EWST application follows the Data Destruction Standards prescribed in NIST Special Publication (SP) 800-88. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | The EWST system is located in a Tier-1 network data center (Amazon Web Services) which provides premier physical control protections. Physical controls are in place such as security guards ensure that access to the buildings is granted to authorize individuals. Identification of personnel is checked at the data center. The EWST system is built using industry best practices and independently reviewed against Federal Information Security Management Act (FISMA) and National Institute of Science and Technology (NIST) Security and Privacy controls to ensure technical, operational, and management controls are properly applied. Personally Identifiable Information (PII) on the EWST system is secured administratively by ensuring that the system goes through the Assessment and Authorization (A&A) process, and all documentation is submitted to the Information Security & Privacy Group (ISPG) that supports the system and comply with Federal Information Security Management Act (FISMA) regulations. The system is currently hosted at the Amazon Web Services (AWS) data center. The user identity data is stored in the centralized Lightweight Directory Access Protocol (LDAP) store managed by EUA. EWST sends user Identity information to EUA for user authentication and users are required to authenticate to establish their identity and role as an individual or system interacting with the target system. EWST applies the principle of least privilege as well as a role based view on granting rights. All access for the groups is requested and approved before being granted. All Production access requires Manager Approval. Each user is assigned a role and each role's rights are restricted to only the data and server resources needed to perform their job. Access requests are tracked via service request tickets. For planning, approving, and auditing, EWST utilizes a Roles and Responsibilities matrix to review and track what resources are accessible at the application level as well as the server level. A monthly audit is performed for system accounts and quarterly user driven validation of accounts is required. New EWST team members are processed through an on boarding process that defines their role and all information and approvals are archived in a service request. |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services