OFM ServiceNow
Date signed: 5/2/2023
| PIA Questions | PIA Answers |
|---|---|
| OPDIV: | CMS |
| PIA Unique Identifier: | P-5946387-733594 |
| Name: | OFM ServiceNow |
| The subject of this PIA is which of the following? | Major Application |
| Identify the Enterprise Performance Lifecycle Phase of the system. | Operate |
| Is this a FISMA-Reportable system? | Yes |
| Does the system include a Website or online application available to and for the use of the general public? | No |
| Identify the operator: | Agency |
| Is this a new or existing system? | Existing |
| Does the system have Security Authorization (SA)? | Yes |
| Date of Security Authorization | 4/12/2023 |
| Indicate the following reason(s) for updating this PIA. Choose from the following options. | PIA Validation (PIA Refresh/Annual Review) |
| Describe in further detail any changes to the system that have occurred since the last PIA. | No major system changes, only software updates |
| Describe the purpose of the system | OFM's SNOW is a web-based application that provides a centralized service catalog and ticketing system used to track information technology (IT) service requests, incidents, problems, infrastructure change requests, work orders, tasks, assets, and other business service management data for CMS's OFM division to automate, orchestrate, and manage OFM efforts. |
| Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements) | The services that are provided are: Workflows, Software Development Life Cycle Tracking, and Project Management. The type of information that will be collected and maintained are: Names, Phone Numbers and Email Addresses. |
| Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily. | ServiceNow is the primary platform for tracking IT related requests for the Office of Financial Management (OFM) related to IT incidents, problems, change requests, assets, and other IT business service management data. ServiceNow is a single platform to automate business processes across the Enterprise. ServiceNow lets OFM consolidate fragmented tools and legacy systems while automating service management processes. ServiceNow applications are based on forms and workflow that run on ServiceNow Platform. ServiceNow forms are an interface to database tables and other data sources. ServiceNow IT Business Management allows OFM to track business correspondence and workloads in custom applications and track projects through the development and operations life cycles. Workflow objects include client-side and server-side workflow that manipulate data, enforce business rules, etc. Staff who access or use the system do not use any personal identifiers to retrieve records held in the system. |
| Does the system collect, maintain, use or share PII? | Yes |
| Indicate the type of PII that the system will collect or maintain. |
|
| Indicate the categories of individuals about whom PII is collected, maintained or shared. |
|
| How many individuals' PII in the system? | 100-499 |
| For what primary purpose is the PII used? | Authentication and Authorization. The users' credentials are collected to control user access. |
| Describe the secondary uses for which the PII will be used (e.g. testing, training or research) | None |
| Describe the function of the SSN. | Social Security Number is not collected. |
| Cite the legal authority to use the SSN. | The system does not collect or use Social Security Numbers |
| Identify legal authorities governing information use and disclosure specific to the system and program. | Authority for Maintenance of the System: Executive Order 9397, the Debt Collection Improvement Act, 31 United States Code (U.S.C.) § 7701(c)(1), and 5 U.S.C. 552a(b)(1) |
| Are records on the system retrieved by one or more PII data elements? | No |
| Identify the sources of PII in the system: Directly from an individual about whom the information pertains |
|
| Identify the sources of PII in the system: Government Sources |
|
| Identify the sources of PII in the system: Non-Government Sources |
|
| Identify the OMB information collection approval number and expiration date | Not Applicable. |
| Is the PII shared with other organizations? | No |
| Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason. | The system use banner on the login page notifies individuals that, "You are accessing a U.S. Government information system. Information system usage may be monitored, recorded, and subject to audit. Unauthorized use of this information system is prohibited and subject to criminal and civil penalties. Use of this information system indicates consent to monitoring and recording. You are required to manually lock or terminate this session when you will be inactive for 15 minutes or more and fully log out of this system at the end of your work period.” |
| Is the submission of the PII by individuals voluntary or mandatory? | Voluntary |
| Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason. | There is no option to object to the collection of users' PII. The information is needed to create login credentials and user profiles. If user does not provide the required information, they will not be granted access to the systems. |
| Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained. | Individuals are notified when OFM ServiceNow upgrades to a new release, i.e. Madrid to New York. |
| Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not. | Users can contact the CMS Service Desk by telephone at 410-786-2580 or 1-800- 562-1963 or by email: CMS_IT_Service_Desk@cms.hhs.gov to report known or suspected issues regarding their PII being inappropriately obtained, used, or disclosed. The Service Desk then contacts all the appropriate personnel within the OFM SNOW team. |
| Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not. | Periodic reviews are done in accordance with CMS ARS 3.1 AU-06; reviews of system audit records randomly on demand but no less often than once every thirty (30) days. |
| Identify who will have access to the PII in the system and the reason why they require access. |
|
| Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII. | All Users will have access to User contact information. Role assignment determines level of privilege to User information. |
| Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job. | OFM SNOW access is granted on an as-needed basis, using the Principle of Least Privilege, and only to those Federal staff and contractors who work directly with OFM SNOW with access managed by ServiceNow Role-Based access control systems. |
| Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained. | Annual security awareness training is required for all personnel. CMS supplies the training as part of employee orientation and is required annually for the length of employment/access to CMS systems. |
| Describe training system users receive (above and beyond general security and privacy awareness training) | Attending conferences, webinars and on/off campus trainings. |
| Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices? | Yes |
| Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules. | The following processes and guidelines are adhered to in the retention and destruction of data: CMS Record Schedules - N1-440-10-6, Item 1, N1-440-10-6, Item 2, N1-440-10-6, Item 3. The general disposition authority for correspondence within remedy can be aligned to the CMS Record Schedule dated April 2015, III. MEDICARE RECORDS-- PROGRAM RELATED, Item Q. Routine Inquiries/Correspondence. This type of information accumulates as a result of a wide-range of correspondence, inquiries and complaints from beneficiaries, providers, etc., that are received by CMS headquarters, regional offices, and Medicare contractors. DISPOSITION: 1. Inquiries/Correspondence - (Official Recordkeeping Copy). Response requires additional research staff or time. Destroy 5 years after the date of the response to the correspondence, or when no longer needed for Agency business, whichever is longer. (Disposition Authority: N1-440-10-6, Item 1) 2. Inquiries /Correspondence – (Official Recordkeeping Copy). Response requires little effort on the part of CMS staff for response. Destroy 2 years after the date of the response to the correspondence, or when no longer needed for Agency business, whichever is longer. (Disposition Authority: N1-440-10-6, Item 2) 3. Inquiries /Correspondence - No Response Required Destroy 3 months after the date of the incoming correspondence, or when no longer needed for Agency business, whichever is longer. (Disposition Authority: N1-440-10-6, Item 3) For potentially sensitive and/or security related information: CMS retains records to facilitate the review of PII disclosures/access records for five (5) years. CMS ensures that audit information is archived for six (6) years to enable the recreation of computer related accesses to both the operation system and the application wherever PII is stored. CMS retains PII inspection reports, including a record of corrective actions, for a minimum of three (3) years from the date the inspection was completed. CMS retains electronic records for 1 year to provide support for after-the-fact investigations of security incidents and to meet regulatory and CMS information retention requirements. CMS record retention requirements are updated to meet the requirements of The National Archives and Records Administration (NARA) General Records Schedules. When PII is destroyed, CMS follows the guidance of NIST Special Publication 800-88 Rev. 1. CMS will disintegrate, pulverize, melt, incinerate, and/or shred PII data once it is no longer necessary to retain. Certificates of destruction are completed and retained whenever PII data is destroyed. |
| Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls. | Security controls that protect OFM SNOW data include:
|
Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services