HIGLAS Hosting, Operations & Maintenance ServiceNow
Date signed: 7/11/2025
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-7902641-838082 |
| Name: | HIGLAS Hosting, Operations & Maintenance ServiceNow |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | New |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 9/19/2024 |
| Describe the purpose of the system | Healthcare Integrated General Ledger Accounting System (HIGLAS) Hosting, Operations & Maintenance ServiceNow (HOM SN) provides Information Technology Service Management (ITSM) through Incident, Problem, Change, Service Request and Knowledge functions. The Financial Management Systems Group (FMSG) uses IT Business Management (ITBM), now Strategic Portfolio Management (SPM) to manage the agile development teams System Development Lifecycle (SDLC), granular time recording using ServiceNow Resource Management (SNRM), and soon both program/project management using PPM (Project Portfolio Management) and strategy/goal management using the Strategic Planning Workspace (SPW). |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The system will collect and maintain the following PII elements: Names, CMS user IDs, user email addresses, organization/company , and phone numbers. User IDs and passwords are duplicated from the CMS Enterprise User Administration (EUA) tool. The EUA tool has its own Privacy Impact Assessment (PIA). Users who request access must first obtain a CMS user ID and password. They must then request "HGL_User" in EUA in order to have a HIGLAS Identity Management (HIDM) Account automatically created. Once the user's HIDM account is created, the user may then request access to the HOM SN application. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The Financial Management Systems Group (FMSG) uses the ServiceNow platform within ServiceNow's GovCommunityCloud (Federal Risk and Authorization Management Program (FedRAMP) High Department of Defense (DoD) IL-4) environment. FMSG refers to this as HOM ServiceNow (HOM SN). It is comprised of four (4) instances: Prod, Test, Dev and POC (Proof of Concept). These HOM SN instances are dedicated to FMSG and are not shared or multi-tenant. The HOM program depends on these instances as a single-pane-of-glass for observability and coordination of the HOM environments (key to the zero-trust program) and allows us to understand the changes and flow of HIGLAS and its operations, ensuring that HOM SN can quickly capture and react to atypical and anomalous activity. HOM SN provides IT Service Management (ITSM) through Incident, Problem, Change, Service Request and Knowledge functions. FMSG uses IT Business Management (ITBM), now Strategic Portfolio Management (SPM) to manage the agile development teams SDLC, granular time recording using SNRM, and soon both program/project management using PPM (Project Portfolio Management) and strategy/goal management using the Strategic Planning Workspace (SPW). HOM SN IT Operations Management (ITOM) plays a large role through an inventory of the HOM environments within the Configuration Management Database (CMDB), service maps that show which technical components support each application service, and multiple event management integrations to feed real-time component health data into HOM SN to auto-create Incidents and depict real-time service health. Additionally, the Security Operation (SecOps) module is securely leveraged for Security Incident and Vulnerability Response functions, including integrations with key security applications. ServiceNow will store the users' first and last name, CMS EUA ID, and email address upon account creation. This information is collected from the HIGLAS Identity Management (HIDM) system which gathers its user information from the CMS Enterprise User Administration (EUA) system. If a user is part of the ServiceNow "On Call" module (Federal employees (FEDs) and support contractors), then the user would submit their phone number to support off-hours situations. Otherwise, phone numbers are not routinely stored within HIGLAS HOM ServiceNow. User information is NOT shared with any other systems. User information is only maintained during the lifespan of the user account. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | Employees |
| How many individuals' PII in the system? | 500-4,999 |
| For what primary purpose is the PII used? | User identification and authorization. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A. |
| Describe the function of the SSN. | N/A. HOM SN does not utilize Social Security numbers (SSNs). |
| Cite the legal authority to use the SSN. | N/A. HOM SN does not utilize SSNs. |
| Identify legal authoritiesā governing information use and disclosure specific to the system and program. | Budget and Accounting Act of 1950 (Pub. L. 81-784); Debt Collection Act of 1982 (Pub. L. 97-365); Debt Collection Improvement Act of 1996 (Pub. L. 104-134, sec. 31001); 5.U.S.C. Section 301 Departmental Regulations; Privacy Act of 1974; E.O. M-22-09 (Moving the U.S. Government Toward Zero Trust Cybersecurity Principles). |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | N/A |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources | |
| Identify the OMB information collection approval number and expiration date | |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | HOM SN does not collect Personal Identifiable Information (PII) directly from individuals. PII collected in the system is automatically generated from the CMS Enterprise User Administration (EUA) system. |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There is no option to opt out of PII collections. PII data is used to authenticate user access. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | HOM SN does not have an option for individuals to provide consent. The process to notify and obtain consent from individuals is the responsibility of CMS and the Enterprise User Administration (EUA) which directly collects the information used in HOM SN. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Any suspected or confirmed exposure of PII is reported to the CMS Help Desk and Incident Response Teams in accordance with federal and agency requirements and policies / within 60-minutes of identification. The CMS Privacy Office is responsible for addressing individual's concerns by providing the following: Breach notification as needed and without unreasonable delay, in coordination with HHS as well as individuals affected by the breach. The notification includes: the source of the breach, a brief description of the breach, the date it was discovered, and the type of PII involved. Also included is whether or not the information was encrypted, what steps individuals should take to protect themselves from potential harm, what the agency is doing to resolve the breach, and who to contact for any additional information or for questions. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | All changes to the data are logged to support audit review. Role-based access is strictly enforced and all transactions against the database are audited on a daily basis to ensure that specific Segregation of Duties (SODs) constraints are applied accurately to all HOM SN job functions, thus ensuring only authorized personnel can modify HOM SN data. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | Role-based access control within the application is used to identify user type and grant required access as authorized. Healthcare Integrated General Ledger Accounting System (HIGLAS) Access Control Procedures, HIGLAS Separation of Duties (SOD) Rules, HIGLAS Role-Based Access Control (RBAC) Procedure, and the Standard Operating Procedure (SOP) for HIGLAS PII & Protected health information (PHI) Management are used in granting users access to the system. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Role-based access controls within application is used to identify users and grant required access as authorized. Job mapping to standard roles and responsibilities were established with least privilege access. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Security awareness training is conducted as new hires join the team and it is also conducted on annual basis to ensure systems users are aware of the security requirements and their continued compliance. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Role-based security awareness training conducted on regular basis to ensure systems users are aware of the security requirements as part of their day-to-day job activities. Users complete The Department of Health and Human Services (HHS) Privacy Awareness Training annually. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | Per CMS Records Disposition Manual Bucket 1 Leadership and Operations Records. DAA-0440-2015-0001-0001. Transfer to the National Archives 15-years after cutoff. Bucket 3 Financial Program Records. Disposition Authority DAA-0440-2015-0004-0001. Destroyed no sooner than seven (7) years after cutoff. Bucket 5 Beneficiary Records. Disposition Authority DM-0440-2015-0007-0001. Destroyed no sooner than 10 years after cutoff. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access request must be approved by the user's Manager before they can be granted access to the system. Users who no longer require access to the system are removed promptly. Some of the technological controls providing IT security services to this system include access control with denial by default implementation, multi-layer firewall architectures, the use of passwords, least privilege implementation of user access rights with only proven need to know as the approval criteria, and complete auditability of all sensitive transactions with individual accountability. Some of the physical controls include perimeter fencing, Closed Circuit TV (CCTV) monitoring, armed security guard patrolling, raised caged floors, required security clearances, and restricted access to server rooms. |
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services