Metadata Management & Data Governance COTS Software Maintenance and Support Services
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services
Date signed: 2/10/2023
PIA Questions | PIA Answers |
---|---|
OPDIV: | CMS |
PIA Unique Identifier: | P-5950602-109044 |
Name: | Metadata Management & Data Governance COTS Software Maintenance and Support Services |
The subject of this PIA is which of the following? | Major Application |
Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
Is this a FISMA-Reportable system? | Yes |
Does the system include a Website or online application available to and for the use of the general public? | No |
Is this a new or existing system? | New |
Does the system have Security Authorization (SA)? | Yes |
Date of Security Authorization | 10/17/2024 |
Describe the purpose of the system | The Metadata Management & Data Governance (DMDG) Software Maintenance and Support Services system is used by the Centers for Medicare & Medicaid Services (CMS) Center for Program Integrity (CPI) Data Analytics and Systems Group (DASG) to establish a comprehensive data catalog with its corresponding metadata, and to establish an automated change management and data governance framework, using a commercial off-the-shelf (COTS) Metadata Management and Data Governance software solution. |
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The DMDG information system, a commercial off-the-shelf installation of Alation Data Catalog, collects and maintains database management system metadata for CMS Center for Program Integrity (CPI) business systems. This includes listings of the various database environments, schemas, tables, columns, business glossary, and queries executed against CPI system database environments. The COTS software tool has the ability to collect limited non-confidential database table samples, providing visibility into the data maintained in these structures. Further, the tool allows CMS business teams to directly query a CPI system source database. This data is collected to provide CPI visibility and governance oversight into the data elements collected by the various CPI systems (UCM, FPS, OnePI, NPPES, MED, esMD, APS, PECOS, and OPS) and to understand the data lifecycle as data is ingested and flows between systems. The email address, user ID and name are used to identify a user in the system and prevent anonymous access. User access to the DMDG system is facilitated through the CMS Enterprise User Authentication (EUA) identity management system and authenticated (with multi-factor authentication) through the CMS Identity Management system (IDM). |
Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | The DMDG information system, a commercially available software installation of Alation Data Catalog, is hosted in CMS Microsoft Azure Government (MAG) and provides metadata management and governance capabilities for DASG systems. The DMDG system collects database management system metadata. This includes listings of the various database environments, schemas, tables, columns, and business glossary that make up each database environment. The tool allows data samples to be collected and permits authorized users to directly execute SQL queries against the CPI system database. These queries give CMS business units visibility into systems and provide a mechanism for responding to various CMS and HHS data requests. All metadata and data collected is temporary, representing a point-in-time view of a CPI system. A user's EUA user ID, email address, and name are used to identify a user in the system and prevent anonymous access. The metadata managed within the DMDG system reflects the current state of metadata from the various source systems. Metadata managed by DMDG is shared between CPI and the Application Development Contractors (Direct Contractors) responsible for DASG systems. |
Does the system collect, maintain, use or share PII? | Yes |
Indicate the type of PII that the system will collect or maintain. | |
Indicate the categories of individuals about whom PII is collected, maintained or shared. | Employees |
How many individuals' PII in the system? | <100 |
For what primary purpose is the PII used? | The DMDG system collects database management system metadata from existing CMS CPI systems. PII may exist in the DMDG system (Data Catalog). DMDG captures a user's CMS EUA User ID, first name, last name, and email address, which are required for approved access to the Data Catalog. |
Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | The secondary use of PII data is necessary for CMS to uniquely identify and track user activity. This information also permits correspondence between users, allowing them to work together to create documentation, ask and answer questions of other users, receive alerts and notifications, and respond to stakeholder needs. Additionally, the Data Catalog provides two business offerings: "Data Sampling" and "Compose." Data sampling (future state) allows the Data Catalog to retrieve approximately 100 unique rows from a database table and maintain this information within the catalog. This provides DMDG stakeholders a view into the data, which helps users better understand the data type and format. With sampling, any data that exists within the 9-10 CMS DASG business databases could be harvested from an existing source system and temporarily saved within the DMDG system. ADOs will be instructed to disable sampling for sensitive (PII/PHI) columns; however, given the size of the data sets and the need to manually identify data governance policy, it is possible that portions of PII/PHI information will be sampled. The Compose feature gives a subset of DMDG-approved users a tooling capability to directly query other ADO databases. This access provides business users the ability to explore, build, and share business queries against a system's database and helps them respond to CMS, HHS, and Congressional data calls. Compose also provides a platform for CMS-approved users to query ADO databases for any data types (PII, PHI, etc.) which exist in the source system. The Compose query results are temporarily cached in the DMDG Alation Data Catalog for 14 days, where users may save and publish queries so that other users may execute them and see query results. |
Describe the function of the SSN. | DMDG only collects SSNs from other CPI information systems and does not collect SSNs directly. Upstream systems are responsible for determining the data elements to share with the DMDG system. |
Cite the legal authority to use the SSN. | Not Applicable |
Identify legal authorities governing information use and disclosure specific to the system and program. | 5 USC 301, Departmental Regulations |
Are records on the system retrieved by one or more PII data elements? | No |
Identify the sources of PII in the system: Directly from an individual about whom the information pertains | Online |
Identify the sources of PII in the system: Government Sources | Within the OPDIV |
Identify the sources of PII in the system: Non-Government Sources | Other - Not Applicable |
Identify the OMB information collection approval number and expiration date | Not Applicable |
Is the PII shared with other organizations? | No |
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | Not applicable. |
Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | The DMDG receives all information from another system (source system), and that system is therefore responsible for providing methods for individuals to opt out of the collection or use of their PII; please state as such, provide the name of the source system and indicate whether or not the PII in this source system is covered by a separate PIA. |
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changed since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | The DMDG system uses Enterprise User Administrator (EUA) for identification and authentication. EUA is a CMS enterprise service covered by a separate PIA. If there were a major change to the EUA system that affected the use and/or disclosure of system users' PII, the individuals would be notified by normal CMS methods: user-wide email alerts and notification within the EUA system welcome page. However, obtaining 'consent' isn't part of the process, because PII is required to access the EUA system. (If the system that the PIA is about receives information from another system (a source system): If this system receives all information from another system (source system) and that system is therefore responsible for the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system, please state as such, provide the name of the source system and indicate whether or not the PII in this source system is covered by a separate PIA). |
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | If the concern is about inappropriate use or disclosure, the individual would contact the CMS Information Technology (IT) Service Desk by telephone or email to report the issue. The CMS IT Service Desk will log the concern in the CMS Issue Tracking System. The issue would be investigated and further action would be taken as necessary. |
Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | To maintain the accuracy and relevancy of the PII, EUA users may update their own accounts, and administrators can delete or de-activate accounts. Data integrity and availability are ensured by employing security technologies including firewalls, encryption, and system access logs. During login to the DMDG system with an EUA ID, the DMDG application examines the user's name and email address and, if there is a difference, automatically updates that information within the DMDG system. |
Identify who will have access to the PII in the system and the reason why they require access. | |
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | DMDG uses role-based assignments via EUA job codes to allow access to PII. Access is limited on a 'need to know and need to access' basis. |
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | Access to PII is limited by the principle of least privilege, which is based on each user's assigned CMS-approved job codes. |
Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | The CMS Security Awareness and Privacy training is provided to each user on an annual basis. Users acknowledge successful training after passing a test at the end of the training, and the system verifies completion. This training is mandatory and is required for continued access to CMS systems. |
Describe training system users receive (above and beyond general security and privacy awareness training) | Not Applicable. |
Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The following processes and guidelines are adhered to in the retention and destruction of PII data: National Archives and Records Administration (NARA) Record Control Schedules N1-GRS-87-005, N1-GRS-92-002, N1-GRS-95-002, DAA-GRS-2013-0005, DAA-GRS-2013-0006. CMS retains records to facilitate the review of PII disclosure/access records for five (5) years. CMS ensures that audit information is archived for six (6) years to enable the recreation of computer-related accesses to both the operating system and the application wherever PII is stored. CMS retains PII inspection reports, including a record of corrective actions, for a minimum of three (3) years from the date the inspection was completed. CMS retains electronic records for 1 year to provide support for after-the-fact investigations of security incidents and to meet regulatory and CMS information retention requirements. CMS record retention requirements are updated to meet the requirements of the National Archives and Records Administration (NARA) General Records Schedules. When PII is destroyed, CMS follows the guidance of National Institute of Standards and Technology (NIST) Special Publication 800-88 Rev. 1. CMS will disintegrate, pulverize, melt, incinerate, and/or shred PII data once it is no longer necessary to retain it. Certificates of destruction are completed and retained whenever PII data is destroyed. |
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Access to PII is given based on a "need to know" and specific job responsibilities defined by EUA job codes. The administrative controls in place to secure the PII include role-based access and permissions, periodic review of users, and deletion or revoking of user accounts. Only CMS can approve job code requests, and there is a multi-tier process for some types of access. The technical controls in place are firewalls that prevent unauthorized access, encrypted access at logon, security scans, penetration testing, intrusion detection and prevention systems (IDS/IPS), and computer system controls that prevent users without administrative or developer access from logging into a test environment; the test environment and the usable application are not joined together. DMDG is hosted in a secure data center that employs physical controls and monitoring to restrict physical access and secure doors with the use of security cards and pass codes; environmental controls that ensure the efficacy of heating, ventilation and air conditioning; smoke and fire alarms and fire suppression systems; and cameras, fencing and security guards. |