Skip to main content

Opportunity to Network and Engage

Date signed: 4/15/2025

PIA for the Opportunity to Network and Engage system
PIA QuestionsPIA Answers
OPDIV:CMS
PIA Unique Identifier:P-4815915-185726
Name:Opportunity to Network and Engage
The subject of this PIA is which of the following?Major Application
Identify the Enterprise Performance Lifecycle Phase of the system.Operate
Is this a FISMA-Reportable system?Yes
Does the system include a Website or online application available to and for the use of the general public?Yes
Identify the operator:Contractor
Is this a new or existing system?Existing
Does the system have Security Authorization (SA)?Yes
Date of Security Authorization11/12/2024
Indicate the following reason(s) for updating this PIA. Choose from the following options.PIA Validation (PIA Refresh/Annual Review)
Describe in further detail any changes to the system that have occurred since the last PIA.Drupal version has been upgraded from 9.x to 10.2 for the zONE application with no impact to privacy.
Describe the purpose of the systemMarketplace IT Group (MITG) is responsible for the collective coordination around, and integration with the Federal-facilitated Marketplaces (FFM) technologies. Since this responsibility involves the participation of a large amount of internal and external stakeholders (including, but not limited to state agencies, health insurance issuers, health insurance brokers, other federal agencies, and various other private sector partners), a need arose and persists for a dynamic platform to support the collaboration and coordination of the various communities and segments of stakeholders. The CMS zONE (Opportunity to Network and Engage) website was built & continues to evolve to serve this need. 
Describe the type of information the system will collect, maintain (store), or share. (Subsequent questions will identify if this information is PII and ask about the specific data elements)

zONE stores the following information passed by CMS' Identity Management (IDM) system after a user registers in that system and is authenticated/provided permission to access zONE: IDM ID and password, IDM user name (user's first and last name), and on-file email address. zONE may also store optional user-provided profile photos and organization names. The IDM system is covered under its own PIA.  

zONE collects and shares content such as documents, events, and Wikis (explained below) which are community related content. 

In addition, zONE may store information pertaining to the internal operations of a network or computer system, including: network and device addresses; system and protocol addressing schemes implemented at an agency; network management information protocols, community strings, or network information packets; or zONE may store security management information for SBM exchanges or the Federal-facilitated Marketplaces (FFM), including security information on protection during operations.

Provide an overview of the system and describe the information it will collect, maintain (store), or share, either permanently or temporarily.

zONE is a social platform for organizations and individuals partnering and working with the Centers for Medicare & Medicaid Services (CMS). It is a secure, collaborative venue for States, Issuers, business and technology teams to connect, communicate, and share information such as reuse documents, resources and best practices.

After a user registers in the IDM system and is authenticated/authorized to access zONE, zONE will access the IDM user name, IDM ID and password and email address. Other information a user may upload, as an option, are a profile photo and organization information. User information is retained/accessed by zONE for as long as the user requires or wants access or subject to employment.

As part of the content creation and sharing, users may: (1) upload standard files such as .doc, .xls, and .pdfs; (2) create text for title and description, and (3) enter Uniform Resource Locators (URL). Wikis are more complex documentation/ content that can be edited by multiple authorized members and revisions can be tracked.

All content within zONE is stored until a decision is made by the Business Owners to delete or remove. Any content that is posted in zONE is subject to removal if it does not abide by the HHS Rules of Behavior as explained in House Rules within zONE.

Does the system collect, maintain, use or share PII?Yes
Indicate the type of PII that the system will collect or maintain.
  • Name
  • E-Mail Address
  • Photographic Identifiers
  • Other - Organization Name, User Credentials: user ID and password, network and device addresses
Indicate the categories of individuals about whom PII is collected, maintained or shared.
  • Employees
  • Business Partners/Contacts (Federal, state, local agencies)
  • Vendors/Suppliers/Contractors
How many individuals' PII in the system?500-4,999
For what primary purpose is the PII used?

PII is used to:

Create/Register a user's zONE account.

Users are identified by their first name and last name to Create and maintain content within the zONE communities.

Communicate with one another within the collaborative application via user profiles.

Describe the secondary uses for which the PII will be used (e.g. testing, training or research)No Secondary Use
Describe the function of the SSN.Not Applicable. SSN is not collected and stored in the system.
Cite the legal authority to use the SSN.Not applicable. SSN is not collected and stored in the system.
Identify legal authorities​ governing information use and disclosure specific to the system and program.Affordable Care Act. Title 42 U.S.C. 18031, 18041, 18081—18083 and section 1414 and 5 U.S.C. 301, Departmental Regulations.
Are records on the system retrieved by one or more PII data elements?Yes
Identify the number and title of the Privacy Act System of Records (SORN) that is being used to cover the system or identify if a SORN is being developed.Published: HIX SORN 09-70-05660 
Identify the sources of PII in the system: Directly from an individual about whom the information pertains
  • Online
Identify the sources of PII in the system: Government Sources
  • Within the OPDIV
  • State/Local/Tribal
  • Other Federal Entities
  • Other - Contractors
Identify the sources of PII in the system: Non-Government Sources
  • Private Sector
Identify the OMB information collection approval number and expiration dateNot Applicable for CMS employee/direct contractor system user credentials.
Is the PII shared with other organizations?No
Describe the process in place to notify individuals that their personal information will be collected. If no prior notice is given, explain the reason.User access for CMS zONE is through the registration process of IDM, another CMS system. IDM informs the user that the Personally Identifiable Information (PII) is being collected in the "terms and conditions" page that describes the collection and use of PII. New and returning users are presented with this page and they must select "I agree" to move forward with system access. The information provided to IDM for registration is managed by IDM and subject to the IDM PIA. 
Is the submission of the PII by individuals voluntary or mandatory?Voluntary
Describe the method for individuals to opt-out of the collection or use of their PII. If there is no option to object to the information collection, provide a reason.To use the zONE collaboration website, a user’s IDM user credentials must be provided. Users do not have the option to opt out of providing this information based on the nature of the website to facilitate collaboration and information sharing. The information provided to IDM for registration is managed by IDM and subject to the IDM PIA.
Describe the process to notify and obtain consent from the individuals whose PII is in the system when major changes occur to the system (e.g., disclosure and/or data uses have changes since the notice at the time of original collection). Alternatively, describe why they cannot be notified or have their consent obtained.Since access to zONE is controlled by IDM access, zONE doesn't notify the users. IDM informs the user that the PII is being collected. The PII provided to IDM for registration is managed by IDM. There is a "terms and conditions" page, that describes the collection and use of PII, which both new and returning users are presented with, and they must click "I agree" to move forward with system access. The information provided to IDM for registration is managed by IDM and subject to the IDM PIA.
Describe the process in place to resolve an individual's concerns when they believe their PII has been inappropriately obtained, used, or disclosed, or that the PII is inaccurate. If no process exists, explain why not.

As a part of the community-based collaboration environment, users will only have access to PII provided in the user profiles. If a user believes this information has been accessed or used in an inappropriate manner, they have the ability to contact site administrators using the “Contact Us” form and reach out to the Federal Exchange Program System (FEPS) helpdesk: CMS FEPS Email, or 1-855-CMS-1515. The FEPS helpdesk will review the situation and create a ticket in Service Now system to track and resolve the individual's concerns. 

The FEPS helpdesk will work with IDM support team responsibility if user data has been compromised at the account level. 

The FEPS helpdesk will also work with the zONE system administrators and ensure that the user’s complaint is addressed accordingly.

Describe the process in place for periodic reviews of PII contained in the system to ensure the data's integrity, availability, accuracy and relevancy. If no processes are in place, explain why not.Authentication to zONE is managed via IDM. CMS zONE Business Owners grant and revoke users' zONE access. When a user successfully authenticates in IDM, the user's information is passed to zONE. When a user no longer requires access to zONE, CMS zONE Business Owners remove the access to the zONE application in the user's IDM profile. As a part of the community-based collaboration environment, users will only have access to PII provided in the user profiles. 
Identify who will have access to the PII in the system and the reason why they require access.
  • Users: Users have access to search and view other zONE user profile information, which includes name and organization and/or profile picture if provided, to communicate and share content.
  • Administrators: Users with administrator role may have access to the name, profile picture and email addresses of zONE users to support role-based authorization which is internal to the zONE.
  • Developers: Users with developer role may need access to troubleshoot user support tickets
  • Contractors: Users may be direct contractors that support the system by managing the software, hardware and other backend systems that support zONE.
  • Others: zONE access request approvers. 
Describe the procedures in place to determine which system users (administrators, developers, contractors, etc.) may access PII.The CMS zONE Business Owners have the approval authority for authorizing role-based access to zONE via IDM (Identity Management). Users of the zONE application may request access to desired communities within zONE and the Administrator will either approve or deny the requestor’s access to the community based on justification provided by the requestor. After users receive appropriate approval to access zONE, they can also request for community creation within zONE. The Business Owner reserves the right to create the community based on requestor’s justification. If the request is approved by the Business Owner, a community will be created, and the requestor will be assigned the Administrator role for that community. Access can also be granted as an Administrator based on the justifications identified by the CMS zONE Business Owners. 
Describe the methods in place to allow those with access to PII to only access the minimum amount of information necessary to perform their job.

The system restricts access to PII depending on the role granted to the user. Users without the appropriate role cannot see the PII. Depending on the justification provided by the requestor, the Business Owner can grant the roles of Administrator or User from a drop-down menu.

The Administrator and User roles are created in zONE with a specific set of pre-approved permissions for each role. These approved permissions determine if the user can see first name, last name, and/or email address (PII). 

If the requestor is denied the requested Administrator role, then the requestor will have user level permissions selected from the drop-down menu and the system will restrict the user from viewing email addresses. System administrators have the ability to provide additional access within the zONE application if requested and authorized by the CMS zONE Business Owners.

Identify training and awareness provided to personnel (system owners, managers, operators, contractors and/or program managers) using the system to make them aware of their responsibilities for protecting the information being collected and maintained.The zONE team is provided with Annual Security Training, which includes computer-based training in their responsibility to protect sensitive information. This training is provided by CMS as well as the contractor organizations for compliance with CMS guidelines. The training, including annual and refresher Security and Privacy Awareness training and access re-certification, is provided on an annual basis and at start up for new hires. 
Describe training system users receive (above and beyond general security and privacy awareness training)

Once a user has access to zONE, they will be able to view the CMS zONE 101 training materials, "House Rules" documents and user manuals which provide Rules of Behavior and other guidelines for using CMS zONE.

All community managers have to sign the attestation form that defines zONE’s policy on PHI/PII. Per the attestation form, the community managers take responsibility for the content that is hosted within their communities, which includes training community members.

Do contracts include Federal Acquisition Regulation and other appropriate clauses ensuring adherence to privacy provisions and practices?Yes
Describe the process and guidelines in place with regard to the retention and destruction of PII. Cite specific records retention schedules.Any records containing PII will be retained and destroyed in accordance with published records schedules of CMS as provided by National Archives and Records Administration (NARA) General Record Schedule:
(GRS) DAA-GRS-2017-0003-0002 (GRS20 Item 2a4) Intermediary records disposition authority- GRS 5.2 item 20; disposition instruction: Temporary. Destroy upon verification of successful creation of the final document or file, or when no longer needed for business use, whichever is later.
(GRS) DAA-GRS-2017-0003-0002 PKI administrative records, N1-GRS_07-3, Item 13a1 (GRS24, Item 13a1)
disposition authority- GRS 3.2 item 60; disposition instruction: Temporary. Destroy/delete when 7 years 6 months, 10 years 6 months, or 20 years 6 months old, based on the maximum level of operation of the Certification Authority (CA), or when no longer needed for business, whichever is later. 
Describe, briefly but with specificity, how the PII will be secured in the system using administrative, technical, and physical controls.

The administrative controls in place to secure the PII include access control - request and authentication through the CMS IDM system, periodic review of users and deletion of non-active accounts, role-based access for developers and administrators. For example, if a user is granted the role of zONE user, then the controls embedded in the system allow him to see only information that is allowed for “User role”. If the user is approved to have “Administrator role”, then the user will be able to see the name and the email ID as intended by the system design.

The technical controls in place are firewalls that prevent unauthorized access, encrypted access when users obtain the IDM authentication (approval) to log into the application and a tiered system architecture which means users can only log into the application but not into any test environment and the testing and active applications are not joined together.

The physical controls in place are addressed by AWS (Amazon Web Services Inc.). The zONE system is hosted in the AWS, US-East Region. The data center is located in a special facility in Ashburn, VA. 

The zONE maintenance team accesses the zONE system by CMS authentication and access controls by using security tokens and user credentials.

Identify the publicly-available URL:zONE IDM Login
Does the website have a posted privacy notice?Yes
Is the privacy policy available in a machine-readable format?Yes
Does the website use web measurement and customization technology?No
Does the website have any information or pages directed at children under the age of thirteen?No
Does the website contain links to non-federal government website external to HHS?Yes
Is a disclaimer notice provided to users that follow external links to websites not owned or operated by HHS?No

Privacy Impact Assessment (PIA) published by CMS as an Operating Division of the U.S. Department of Health and Human Services

View all CMS PIAs