Marketplace Learning Management System
Date signed: 8/31/2022
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-5907472-832911 |
| Name: | Marketplace Learning Management System |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Contractor |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 3/7/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. |
|
| Describe in further detail any changes to the system that have occurred since the last PIA. | The MLMS is migrating its content management software application from Saba (on-premises application) to Corner Stone On Demand (CSOD) (cloud application). This migration is being developed in the Amazon Web Services East (AWS) environment. No changes are being made to the AWS Virtual Private Cloud environment other than those necessary to accommodate the CSOD Software as a Service (SaaS) application. The changes do not add any privacy risks to MLMS. |
| Describe the purpose of the system | The CMS Center for Consumer Information and Insurance Oversight (CCIIO) Marketplace Learning Management System (MLMS) provides online training, testing and registration for agents, brokers and assisters. The training and testing requirements ensure agents, brokers and assisters are knowledgeable and adequately trained for their role aiding consumers. MLMS provides training services for the Center for Program Integrity (CPI) Data Analytics and Systems Group (DASG) for course administrators, instructors, and learners. The MLMS integrates with the CMS IT environment to provide seamless registration with the Federally Facilitated Exchange (FFE) such that upon completion for agents and brokers is able to immediately access the Marketplace. The MLMS also integrates with the CMS Enterprise Portal to allow user access, and the CMS Identity Management (IDM) for authentication. The MLMS provides a web service accessible to the IDM to provide training status for agents and brokers. The MLMS makes a web service request to the IDM to access user profile information for a user. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | MLMS provides a platform for Agent/Brokers and Assisters to complete all Marketplace training requirements and maintain training completion information. MLMS collects profile and training information from various types of users accessing the system. The profile doesn't include any system access information to access MLMS. The following information is collected, stored, shared, and retained within MLMS and is replaced or updated annually. Assister: Training Language How many years as Assister Last completed federal assister training Organization Type CAC(Certified Application Counselor) ID CAC Training Expiration date Organization Name Organization Street Address Organization City Organization State Organization Zip code Organization Phone# Health Insurance and Oversight System (HIOS) ID# Agent/Broker: Are you a Small Business Health Options Program (SHOP) Agent/Broker SHOP Agency Name SHOP Agency URL Business Street Address Business City Business State Business Zip Business Phone# Business Email Business URL National Producer Number (NPN) States of licensure From Hours of Operation To Hours of Operation Work Days All Users: CMS Portal UserID Course Name Course Progress% Course completion date Federally Facilitated Marketplaces (FFM) Role Status First Name Last Name Phone Address City State Zip |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | MLMS collects basic user profile information from IDM. IDM is the source of record for basic profile information. MLMS collects additional profile information specific for training. MLMS generates training completion information for users. Training completion information is shared with other systems such as HIOS, IDM, SHOP and potentially the Multidimensional Information and Data Analytics System (MIDAS). The data collected through MLMS is published in various formats such as reports, fact sheets, and other informational documents. MLMS is accessible only after a user account and ID is successfully generated via IDM where the authentication process occurs, www.portal.cms.gov. The Personal Identifiable Information (PII) that is collected via the IDM portal is subject to the IDM PIA. After authenticated/authorized by IDM, a user selects the MLMS application button and inputs their user credentials- user ID and password. These credentials are created and stored within the IDM system for the length of employment/need to access the MLMS system. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. | Other - FFM Agents, Brokers and Assisters, CPI Data Analytics and Systems Group (DASG) Course Administrators, Instructors, and Learners |
| How many individuals' PII in the system? | 100,000-999,999 |
| For what primary purpose is the PII used? | The primary purpose for collecting PII is for access to MLMS. PII is used only to display profile information in MLMS. Some PII such as Name will be used in printable certificates. MLMS is not the system of record for PII data. PII data cannot be modified and there is no disclosure of PII outside of the MLMS system. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | N/A |
| Describe the function of the SSN. | N/A |
| Cite the legal authority to use the SSN. | N/A |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for maintenance, collection and disclosure of information is given under sections 2719, 2723 and 2761 of the Public Health Service Act and section 1321(c) of the Affordable Care Act. |
| Are records on the system retrieved by one or more PII data elements? | Yes |
| Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed. | Health Insurance Exchange (HIX) SORN: 09-70-0560, published February 6, 2013 and updated May 27, 2013, October 23, 2013, and February 14, 2018 |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources | Private Sector |
| Identify the OMB information collection approval number and expiration date | OMB Control Number: 0938-1204. The collection approval has been submitted as of 7/29/2022. The expiration date is 8/31/2022. The expiration date is expected to be extended once the review is complete. |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | MLMS does not directly notify individuals because it is accessed through IDM which has its own PIA. When a user logs into IDM, there is a Terms and Conditions statement that the user must click the "I Agree" button to move forward. It states that their information is being collected. Additionally, when someone creates a new user account, there is a "Consent to Monitoring & Collection of Personally-Identifiable Information" introduction displayed on the Terms & Conditions page. The person can elect to "Decline" the Terms and Conditions and then no account will be created. The users are also provided disclaimer notification once in the MLMS portal which also must be acknowledged by clicking "I agree". |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The registration process starts with IDM where there is the previously mentioned "I agree" acknowledgment, which if not checked will terminate the registration. There isn't an 'option to object,' in MLMS since the process is voluntary and necessary only if an account creation at IDM is desired. The person can elect to "Decline" the Terms and Conditions and then no account will be created. The MLMS is located behind the CMS firewall, thus all individuals seeking access to an application on the CMS Portal must submit required information attesting and verifying their identity. User of the MLMS will have Level of Assurance (LOA) 1, LOA 2 and LOA 3 with multifactor authentication (MFA) in place. IDM completes its own CMS privacy impact assessment. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | MLMS is a downstream of the IDM environment registration process. Notification of any major changes to the system related to PII would be done by IDM, in the form of online notices on portal.CMS.gov. Individuals will be notified, as they are now, about the changes to the use of their PII based on IDM procedures. MLMS is located behind the CMS Portal fire-wall. Consent is assumed when individuals complete access to obtain IDM password and userID to access CMS systems of which the MLMS is one. IDM completes its own CMS privacy impact assessment. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Within the MLMS portal there is a notice that individuals may contact the Exchange Operations Support Center (XOSC) at a toll free number or at the designated email address, if they have any questions or concerns regarding the use of their PII in MLMS. The XOSC would contact the individual and investigate the concern. If necessary, there might be changes made to the user's access or PII as per CMS guidelines. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | MLMS will undergo comprehensive and then annually for three years 1/3 test to ensure security, integrity, availability and accuracy and relevancy of al PII contained within the system. PII is submitted and managed (including any corrections) by the user. Incorrect data is corrected in the course of using the system by updating whichever element is incorrect, for example, a name change, new telephone number, or email address. MLMS administrators maintain the allowable/registered users by deleting, reactivating, and assigning users to modules. The availability of the user accounts is managed on the backend by IDM, since that is where the initial creation of the user account occurs. There are processes in place to review the current users and eliminate any inactive accounts such as user accounts of individuals are removed from the group or automatically disable inactive MLMS accounts within 60 days. Data integrity and availability is also managed by security technologies, including firewalls and encryption layers. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | All data retention and destruction of all data/remnants is required to be in accordance with the National Institute of Standards and Technology (NIST) Special Publication 800-88. Those with access to PII have only the minimum amount of information necessary to perform their job in accordance with the least privilege principle. There is a process in place for requesting, establishing, issuing, and closing user accounts and tracking access authorizations. The disabling of inactive accounts and auditing of user accounts allow those with access to PII to only access the minimum amount of information necessary to perform their job. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | There are various kinds of Administrators. Only few of the administrator roles will have access to PII data. This is controlled by roles in the product. MLMS users are granted the minimum access necessary to perform their job function. There are different levels of access depending on the role of the individual accessing MLMS, in accordance with role based privileges. All MLMS users are authenticated via the IDM system credentials. If an individual is removed from a module or automatically disabled, then the account is made inactive in MLMS within 60 days. There is also multi-factor authentication of the user for access. The direct contractor accounts are reviewed annually in order to determine if a user still requires access to the data. |
| Identifying training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | All CMS employees and direct contractors with access to CMS networks, applications, or data must complete mandatory annual Security and Privacy Awareness Training. Since MLMS is a CMS application, the system personnel must take the CMS Security Awareness training. Direct contractors also complete their own annual corporate security training.
|
| Describe training system users receive (above and beyond general security and privacy awareness training) | CMS employees and direct contractors with privileged access are required to complete role-based training and meet continuing education requirements commensurate with their role and participate in an annual contingency planning exercise. CCIIO relies on the HHS Computer Incident Response Center to monitor and respond to privacy and/or security incidents. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | MLMS complies with CMS Records Control Schedule (RCS) "Bucket 8, Public outreach and Engagement," DAA-0440-2015-0011. All PII data is persisted in MLMS database. When the database is deleted, PII can be destroyed. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | PII will be persisted in database. Database resides on a server in the Data Zone. PII is secured in the system using administrative, technical, and physical controls, in accordance with policies and regulations detailed in the CMS Information Security Acceptable Risk Safeguards- Minimum Security Requirements (ARS). Administrative controls include role-based permissions to access MLMS modules, request and authentication through the CMS IDM system, and periodic review of users and deletion of non-active accounts. Technical controls include: access is allowable through one of 3 internet gateways; limitation on the number of concurrent sessions two concurrent sessions, inactivity timeout, multifactor authentication and intrusion detection and prevention software. Physical controls include video monitoring of the data center where the system resides; controlled heating, air conditioning, smoke and fire suppression systems; and restricted access with fencing and security guards. |
| Session Cookies - Collects PII?: Yes |